Exclude Roles in a Policy

CA Identity Manager Configuration Guide › CA CA SiteMinder® Integration › CA SiteMinder® Operations › How to Configure Access Roles › Access Roles in SiteMinder › Exclude Roles in a Policy

Exclude Roles in a Policy

In addition to using access roles to grant access to applications, you can also use access roles to prevent members of access roles from accessing an application. To prevent access role members from accessing an application, you exclude the roles from CA SiteMinder® policies. When a user who has been assigned the excluded access role in CA Identity Manager tries to access a protected resource, the Policy Server verifies exclusion of the CA Identity Manager role to the assigned user. Upon verification, it blocks access to the resource.

Follow these steps:

In the CA SiteMinder® Policy dialog, click the Users tab.
The Users tab contains tabs for each user directory and CA Identity Manager Environment included in the policy domain.
Click the CA Identity Manager Environment that contains the roles you want to exclude from your policy.
Click the Add/Remove button.
The CA SiteMinder® Policy CA Identity Manager Role dialog opens.
To add roles to the policy, select an entry from the Available Members list and click on the Left Arrow button, which points to the Current Members list.
The opposite procedure removes roles from the Current Members list.
In the Current Members list, select the roles to exclude, and click the Exclude button that is located under the list.
A red circle with a slash appears to the left of the excluded roles.
Click OK to save your changes and return to the CA SiteMinder® Policy dialog.