Previous Topic: Member, Admin, and Owner RulesNext Topic: Common Guidelines about Rules


Scope Rules

You combine member and admin rules with scope rules. Scope rules limit objects on which the role can be used.

The objects include the primary object of the task and any secondary objects. For example, a Create User task that includes a group tab has a primary object of user and a secondary object of group.

For most object types, you can specify the types of scope rules in the following table.

Rule Condition

Example

Rule Syntax

All

Role members can manage all objects

All

The object must match one or more attribute values.

Users where title starts with senior

where <filter>

When you select the filter option, CA IdentityMinder displays two types of filters:

<attribute> <comparator><value>

An attribute in the object’s profile must match a specific value.

<attribute> <comparator> admin's <user-attribute>

An attribute in the object’s profile must match an attribute on the administrator's profile. For example: Users where manager = admin’s UserID.

Additional options, which are described in the following tables, are available for user, group, and organization objects.

Note: The following user scope rules are examples. You can create other rules to handle different relationships between the administrator and the users that the administrator can manage.

Rule Condition

Example

Rule Syntax

The user must match one attribute value.

 

Users where member of group sales or cell phone does not equal null

where <user-filter>

The user must match multiple attribute values.

Users where title=manager and locality=USA

where <user-filter>

The user must belong to named organizations.

Users in organization Australia or New Zealand

Note: Organization scope rule apply to suborganizations of the organization that meets the rule. For example, if the organization rule is "in Organization1", the scope rule applies to Organization1.1 and Organization1.2, but does not apply to Organization1.

in <org-rule>

The user must belong to organizations that meet a condition specified by attributes on the organization.

Users in organizations where Business Type=gold or platinum

in organizations where <org-filter>

 

The user must belong to specific organizations and match specific user attributes.

Users where title=manager and locality=east and who are in organization sales or organization marketing

where <user-filter> and who are in <org-rule>

The attribute on a user’s profile must match an attribute on the administrator’s profile.

Users where manager = admin’s UserID

where <user-attribute> <comparator> admin’s <user-attribute>

Note: Do use the Not Equal To comparator with a multi-valued attribute.

The user is in the same organization as the administrator.

Users in the organization where Jeff (the administrator) is a member

admin’s organization

The user is in an organization which is listed on the administrator’s attribute.

Users in sales or marketing

organization that is a value in admin’s <admin-attr>

Note: The following group scope rules are only examples. You can create other rules to handle different relationships between the administrator and the groups that the administrator can manage.

Rule Condition

Example

Rule Syntax

The group must match one attribute value.

Group name where Group name = 401K

where <group-filter>

The groups must belong to named organizations.

 

Groups in organization accounting and lower

in <org-rule>

The group must match one attribute value and belong to named organizations.

Groups where BusinessType = finance and who are in organization sales and lower

where <group-filter> and who are in <org-rule>

The group must be listed in an attribute of the administrator.

Groups where Description = Engineering

where <group-attribute> <comparator> admin’s <user-attribute>

Note: Do use the Not Equal To comparator with a multi-valued attribute.

Note: The following organization scope rules are only examples. You can create other rules to handle different relationships between the administrator and the organizations that the administrator can manage.

Rule Condition

Example

Rule Syntax

The organization must match one attribute value.

organizations where org Name=finance

where <org-filter>

The organization must belong to named organization.

organizations in finance and lower

in <org-rule>

The organization must match one attribute value and must belong to named organization.

organizations where org Name=finance and are in finance and lower

where <org-filter> and are in <org-filter>

More information:

Common Guidelines about Rules