

Exclude Roles in a Policy

In addition to using access roles to grant access to applications, you can use them to prevent role members from accessing an application. To do so, you exclude the roles from SiteMinder policies. When a user who has been assigned an excluded access role in CA IdentityMinder tries to access a protected resource, the Policy Server verifies that the CA IdentityMinder role assigned to the user is excluded, and then blocks access to the resource.

Follow these steps:

  1. In the SiteMinder Policy dialog, click the Users tab.

    The Users tab contains tabs for each user directory and CA IdentityMinder Environment included in the policy domain.

  2. Click the CA IdentityMinder Environment that contains the roles you want to exclude from your policy.
  3. Click the Add/Remove button.

    The SiteMinder Policy CA IdentityMinder Role dialog opens.

  4. To add roles to the policy, select an entry from the Available Members list and click the Left Arrow button, which points to the Current Members list.

    The opposite procedure removes roles from the Current Members list.

  5. In the Current Members list, select the roles to exclude, and click the Exclude button that is located under the list.

    A red circle with a slash appears to the left of the excluded roles.

  6. Click OK to save your changes and return to the SiteMinder Policy dialog.