You combine member and admin rules with scope rules. Scope rules limit objects on which the role can be used.
The objects include the primary object of the task and any secondary objects. For example, a Create User task that includes a group tab has a primary object of user and a secondary object of group.
For most object types, you can specify the types of scope rules in the following table.
Rule Condition |
Example |
Rule Syntax |
---|---|---|
All |
Role members can manage all objects |
All |
The object must match one or more attribute values. |
Users where title starts with senior |
where <filter> |
When you select the filter option, CA IdentityMinder displays two types of filters:
An attribute in the object’s profile must match a specific value.
An attribute in the object’s profile must match an attribute on the administrator's profile. For example: Users where manager = admin’s UserID.
Additional options, which are described in the following tables, are available for user, group, and organization objects.
Note: The following user scope rules are examples. You can create other rules to handle different relationships between the administrator and the users that the administrator can manage.
Rule Condition |
Example |
Rule Syntax |
---|---|---|
The user must match one attribute value.
|
Users where member of group sales or cell phone does not equal null |
where <user-filter> |
The user must match multiple attribute values. |
Users where title=manager and locality=USA |
where <user-filter> |
The user must belong to named organizations. |
Users in organization Australia or New Zealand Note: Organization scope rule apply to suborganizations of the organization that meets the rule. For example, if the organization rule is "in Organization1", the scope rule applies to Organization1.1 and Organization1.2, but does not apply to Organization1. |
in <org-rule> |
The user must belong to organizations that meet a condition specified by attributes on the organization. |
Users in organizations where Business Type=gold or platinum |
in organizations where <org-filter>
|
The user must belong to specific organizations and match specific user attributes. |
Users where title=manager and locality=east and who are in organization sales or organization marketing |
where <user-filter> and who are in <org-rule> |
The attribute on a user’s profile must match an attribute on the administrator’s profile. |
Users where manager = admin’s UserID |
where <user-attribute> <comparator> admin’s <user-attribute> Note: Do use the Not Equal To comparator with a multi-valued attribute. |
The user is in the same organization as the administrator. |
Users in the organization where Jeff (the administrator) is a member |
admin’s organization |
The user is in an organization which is listed on the administrator’s attribute. |
Users in sales or marketing |
organization that is a value in admin’s <admin-attr> |
Note: The following group scope rules are only examples. You can create other rules to handle different relationships between the administrator and the groups that the administrator can manage.
Rule Condition |
Example |
Rule Syntax |
---|---|---|
The group must match one attribute value. |
Group name where Group name = 401K |
where <group-filter> |
The groups must belong to named organizations.
|
Groups in organization accounting and lower |
in <org-rule> |
The group must match one attribute value and belong to named organizations. |
Groups where BusinessType = finance and who are in organization sales and lower |
where <group-filter> and who are in <org-rule> |
The group must be listed in an attribute of the administrator. |
Groups where Description = Engineering |
where <group-attribute> <comparator> admin’s <user-attribute> Note: Do use the Not Equal To comparator with a multi-valued attribute. |
Note: The following organization scope rules are only examples. You can create other rules to handle different relationships between the administrator and the organizations that the administrator can manage.
Rule Condition |
Example |
Rule Syntax |
---|---|---|
The organization must match one attribute value. |
organizations where org Name=finance |
where <org-filter> |
The organization must belong to named organization. |
organizations in finance and lower |
in <org-rule> |
The organization must match one attribute value and must belong to named organization. |
organizations where org Name=finance and are in finance and lower |
where <org-filter> and are in <org-filter> |
Copyright © 2013 CA.
All rights reserved.
|
|