

Rule Restrictions

Most rules describe a relationship between two groups of entities. You specify the members of these groups when you create a rule. These groups are identified as Left and Right in BPR editing screens. The following table lists the rule types and the restrictions available for each rule type.

Role – Role (by Users)
Only <L> May Have <R>

Only users that have roles on the left may have roles on the right side.

<L> Must Have <R>

Users that have roles on the left must have roles on the right.

<L> Forbidden to Have <R>

Users that have roles on the left must not have roles on the right.

<L> Only Allowed to Have <R>

Users that have roles on the left can only have roles on the right, and no others.

Role – Role (by Roles)
Only <L> May Have <R>

Only roles that have child roles on the left may have roles on the right as children.

<L> Must Have <R>

Roles that have child roles on the left must have roles on the right as children.

<L> Forbidden to Have <R>

Roles that have child roles on the left must not have roles on the right as children.

<L> Only Allowed to Have <R>

Roles that have child roles on the left can only have roles on the right as children, and no others.

Role – Resource (by Users)
Only <L> May Have <R>

Only users that have roles on the left may access resources on the right.

<L> Must Have <R>

Users that have roles on the left must access resources on the right.

<L> Forbidden to Have <R>

Users that have roles on the left must not access resources on the right.

<L> Only Allowed to Have <R>

Users that have roles on the left can only access resources on the right, and no others.

Role – Resource (by Roles)
Only <L> May Have <R>

Only roles that are parents of roles on the left may access resources on the right.

<L> Must Have <R>

Roles that are parents of roles on the left must access resources on the right.

<L> Forbidden to Have <R>

Roles that are parents of roles on the left must not access resources on the right.

<L> Only Allowed to Have <R>

Roles that are parents of roles on the left can access only resources on the right, and no others.

Resource – Resource (by Users)
Only <L> May Have <R>

Only users that can access resources on the left may access resources on the right.

<L> Must Have <R>

Users that can access resources on the left must access resources on the right.

<L> Forbidden to Have <R>

Users that can access resources on the left must not access resources on the right.

<L> Only Allowed to Have <R>

Users that can access resources on the left can access only resources on the right, and no others.

Resource – Resource (by Roles)
Only <L> May have <R>

Only roles that include resources on the left may include resources on the right.

<L> Must have <R>

Roles that include resources on the left must include resources on the right.

<L> Forbidden to have <R>

Roles that include resources on the left must not include resources on the right.

<L> Only allowed to have <R>

Roles that include resources on the left can include only resources on the right, and no others.

User Attribute - Role
Only <L> May have <R>

Only users with user attributes on the left may have roles on the right.

<L> Must have <R>

Users with user attributes on the left must have roles on the right.

<L> Forbidden to have <R>

Users with user attributes on the left are forbidden to have roles on the right.

<L> Only allowed to have <R>

Users with user attributes on the left can have only roles on the right, and no others.

User Attribute - Role Attribute
Only <L> May have <R>

Only users with attributes on the left may have roles with attributes on the right.

<L> Must have <R>

Users with attributes on the left must have roles with attributes on the right.

<L> Forbidden to have <R>

Users with attributes on the left are forbidden to have roles with attributes on the right.

<L> Only allowed to have <R>

Users with attributes on the left can have only roles with attributes on the right, and no others.

User Attribute - Resource
Only <L> May have <R>

Only users with user attributes on the left may access resources on the right.

<L> Must have <R>

Users with user attributes on the left must access resources on the right.

<L> Forbidden to have <R>

Users with user attributes on the left are forbidden to access resources on the right.

<L> Only allowed to have <R>

Users with attributes on the left can access only resources on the right, and no others.

Segregation of Duty Roles
Should have no more than <R> of <L>

Users should have no more than the number (on the right) of the roles on the left.

Should have at least <R> of <L>

Users should have at least the number (on the right) of the roles on the left.

Should have exactly <R> of <L>

Users must have exactly the number (on the right) of the roles on the left.

Segregation of Duty Resources
Should have no more than <R> of <L>

Users should have no more than the number (on the right) of the resources on the left.

Should have at least <R> of <L>

Users should have at least the number (on the right) of the resources on the left.

Should have exactly <R> of <L>

Users must have exactly the number (on the right) of the resources on the left.

User Counter of Roles
Should have no more than <R> Users

Roles on the left should have no more than the number (on the right) of users.

Should have at least <R> Users

Roles on the left should have at least the number (on the right) of users.

Should have exactly <R> Users

Roles on the left must have exactly the number (on the right) of users.

User Counter of Resources
Should have no more than <R> Users

Resources on the left should have no more than the number (on the right) of users.

Should have at least <R> Users

Resources on the left should have at least the number (on the right) of users.

Should have exactly <R> Users

Resources on the left must have exactly the number (on the right) of users.

User Attribute Value
Number <L> must be greater than <R>

The numeric value of the user attribute on the left must be greater than the numeric value on the right.

Number <L> must be less than <R>

The numeric value of the user attribute on the left must be less than the numeric value on the right.

Number <L> must be equal to <R>

The numeric value of the user attribute on the left must be equal to the numeric value on the right.

Date <L> must be earlier than <R>

The date for the user attribute on the left must be earlier than the date on the right.

Date <L> must be later than <R>

The date for the user attribute on the left must be later than the date listed on the right.

<L> Must match regular expression <R>

The value for the user attribute on the left must match the value defined by the regular expression on the right.

<L> Must not match regular expression <R>

The value for the user attribute on the left must not match the value defined by the regular expression on the right.

<L> Should be empty

The value for the user attribute on the left should be empty.

<L> Should not be empty

The value for the user attribute selected on the left should not be empty.
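
The following added example (not code from the product or its documentation) evaluates the four Role – Role (by Users) restrictions and the Segregation of Duty Roles "no more than" restriction against a constructed user-to-role mapping, returning the users who violate each rule. The role names, the sample data, and the reading of "have roles on the left" as "at least one" and "must have roles on the right" as "all of them" are assumptions.

```python
# Added illustration, not the product's rule engine.
# Assumptions: "has roles on the left" = holds at least one left role;
# "must have roles on the right" = holds every right role.

# Constructed sample configuration: user -> assigned roles.
USER_ROLES = {
    "alice": {"AP_Clerk", "AP_Approver"},
    "bob":   {"AP_Clerk"},
    "carol": {"Auditor", "AP_Approver"},
    "dave":  {"Contractor", "Auditor"},
}

def only_may_have(ur, left, right):
    # Violation: holds a right role without holding any left role.
    return sorted(u for u, r in ur.items() if r & right and not r & left)

def must_have(ur, left, right):
    # Violation: holds a left role but is missing some right role.
    return sorted(u for u, r in ur.items() if r & left and not right <= r)

def forbidden_to_have(ur, left, right):
    # Violation: holds a left role together with any right role.
    return sorted(u for u, r in ur.items() if r & left and r & right)

def only_allowed_to_have(ur, left, right):
    # Violation: holds a left role plus a role outside left and right
    # (the left roles themselves are not counted as "others": assumption).
    return sorted(u for u, r in ur.items() if r & left and r - left - right)

def sod_no_more_than(ur, left, limit):
    # Segregation of Duty Roles: holds more than `limit` of the left roles.
    return sorted(u for u, r in ur.items() if len(r & left) > limit)

CHECKS = {
    "Only <L> May Have <R>": only_may_have,
    "<L> Must Have <R>": must_have,
    "<L> Forbidden to Have <R>": forbidden_to_have,
    "<L> Only Allowed to Have <R>": only_allowed_to_have,
    "Should have no more than <R> of <L>": sod_no_more_than,
}

def evaluate(ur, rules):
    """rules: (restriction, left, right) tuples -> [(restriction, violators)]."""
    return [(name, CHECKS[name](ur, left, right)) for name, left, right in rules]

if __name__ == "__main__":
    rules = [("Should have no more than <R> of <L>", {"AP_Clerk", "AP_Approver"}, 1)]
    print(evaluate(USER_ROLES, rules))
```

The same left and right groups give different violators under each restriction, which is why the restriction wording must be chosen to match the control being audited.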