

Member, Admin, and Owner Rules

Each role includes rules about who can be a member, administrator, or owner of that role. Therefore, a user could be a member of one role, several roles, or no roles.

Member, admin, and owner rules use the conditions in the following table:

Rule condition: The user must match one attribute value.
Example: Users where title starts with senior
Rule syntax: where <user-filter>

Rule condition: The user must match multiple attribute values.
Example: Users where title=manager and locality=east
Rule syntax: where <user-filter>

Rule condition: The user must belong to named organizations.
Example: Users in organization sales and lower
Rule syntax: in <org-rule>

Rule condition: The user must belong to organizations that meet a condition specified by attributes on the organization.
Example: Users in organizations where Business Type=gold or platinum
Rule syntax: in organizations where <org-filter>

Rule condition: The user must belong to specific organizations and match specific user attributes.
Example: Users where title=manager and locality=east and who are in organization sales or marketing
Rule syntax: where <user-filter> and who are in <org-rule>

Rule condition: The user must belong to a specific group.
Example: Users who are members of 401K group
Rule syntax: who are members of group [set the product group or family]

Rule condition: The user must be a member of a role.
Example: Users who are members of the Help Desk role
Rule syntax: who are members of <role-rule>

Rule condition: The user must be an administrator of a role.
Example: Users who are administrators of the Sales Manager role
Rule syntax: who are administrators of <role-rule>

Rule condition: The user must be an owner of a role.
Example: Users who are owners of the User Manager role
Rule syntax: who are owners of <role-rule>

Rule condition: The user must belong to a group that meets a condition specified by attributes on the group.
Example: Users who are members of groups where owner=CIO
Rule syntax: who are members of group <group-filter>

Rule condition: The user must meet a condition based on an LDAP query. (Use an LDAP directory query for situations where a query created in the CA IdentityMinder User Console is insufficient.)
Rule syntax: user returned by the query ldap_query

Some rules may involve comparing a value to a multi-valued attribute. For the rule to apply, at least one value in a multi-valued attribute must satisfy the rule. For example, if the rule is Attribute A EQUALS 1, and the value of attribute A is 1, 2, 3 for User X, then User X satisfies the criteria.

Creating a role does not by itself grant the right to modify it. The user who created the role can modify it only if that user satisfies the conditions in the role's owner rules.
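The two points above, the any-value semantics for multi-valued attributes and the fact that creating a role does not make you its owner, are shown in the following added example. It is illustrative code, not CA IdentityMinder's own rule engine; the tuple representation of a rule, the operator names and case-sensitive matching are assumptions made for this example.

```python
# Illustrative evaluator for the user-filter part of member/admin/owner rules.
# Not CA IdentityMinder's engine: the rule representation, the operator names and
# case-sensitive matching are assumptions made for this example.

OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "starts with": lambda actual, expected: actual.startswith(expected),
}


def attribute_matches(user, attribute, operator, expected):
    """A condition holds if at least one value of a multi-valued attribute satisfies it."""
    values = user.get(attribute, [])
    if not isinstance(values, (list, tuple, set)):
        values = [values]  # single-valued attribute: treat as a one-element list
    return any(OPERATORS[operator](str(v), expected) for v in values)


def user_filter_matches(user, conditions):
    """Every condition in a 'where' clause must hold (the 'and' in 'title=manager and locality=east')."""
    return all(attribute_matches(user, attr, op, val) for attr, op, val in conditions)


def can_modify_role(user, owner_rule):
    """Creating a role grants nothing by itself; only satisfying the owner rule does."""
    return user_filter_matches(user, owner_rule)


# Constructed sample data (not taken from the page).
USER_X = {"uid": "userx", "attributeA": ["1", "2", "3"]}
MANAGER_EAST = {"uid": "mgr1", "title": "manager", "locality": ["east", "central"]}
CREATOR = {"uid": "creator", "title": "senior engineer", "locality": "west"}

RULE_A_EQUALS_1 = [("attributeA", "equals", "1")]         # Attribute A EQUALS 1
MANAGER_EAST_RULE = [("title", "equals", "manager"),       # where title=manager and locality=east
                     ("locality", "equals", "east")]
SENIOR_RULE = [("title", "starts with", "senior")]         # where title starts with senior

if __name__ == "__main__":
    print(user_filter_matches(USER_X, RULE_A_EQUALS_1))          # True: value 1 satisfies the rule
    print(user_filter_matches(MANAGER_EAST, MANAGER_EAST_RULE))  # True: one locality value is east
    print(user_filter_matches(CREATOR, SENIOR_RULE))             # True
    print(can_modify_role(CREATOR, MANAGER_EAST_RULE))           # False: creator fails the owner rule
```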

Note: In large implementations, evaluating member, admin, and owner rules can take significant time. To reduce the evaluation time for rules that include user attributes, you can enable the in-memory evaluation option. For more information, see the Configuration Guide.

More information:

Common Guidelines about Rules