Previous Topic: The Apply Once SettingNext Topic: Actions on Apply/Remove Policies


Policy Conditions

Policy conditions are the rules that determine the set of users to which an identity policy applies.

The following table describes the available options.

Syntax

Condition

Example

(all)

The identity policy applies to all users.

 

where <user-filter>

The user must match one or more attribute values.

Users where title=manager and locality=east

in <org-rule>

The user must belong to named organizations.

Note: When you select this option, CA IdentityMinder displays a new list box where you can select the following options:

  • organization <organization> [and lower]-- Use an organization search screen to select an organization and, optionally, include the organization’s child organizations.
  • Organizations where <org-filter> [and lower]--Specify a filter that selects one or more organizations.

Users in organization sales and lower

where <user-filter> and who are in <org-rule>

The user must match specific user attributes and belong to a specific organization.

title=manager and organization=Sales*

who are members of <group-member-rule>

The user must belong to a group which meets a condition specified by attributes on the group.

Note: When you select this option, CA IdentityMinder displays a new list box where you can select the following options:

  • group <group>--Use a group search screen to select a group.
  • group where <group-filter>--Specify a filter that selects one or more groups.

Users who are members of groups where owner=CIO

who are members of <role-rule>

The user must be a member of a role. The role can be an:

  • access role
  • admin role
  • provisioning role

    Note: To use provisioning roles, CA IdentityMinder must integrate with a Provisioning Server. See the Installation Guide for more information.

Users who are members of the Help Desk role

 

who are administrators of <role-rule>

The user must an administrator for a role. The role can be an:

  • access role
  • admin role
  • provisioning role

    Note: To use provisioning roles, CA IdentityMinder must integrate with a Provisioning Server. See the Installation Guide for more information.

Users who are administrators of the Sales Manager role

who are owners of <role-rule>

The user must be an owner for a role. The role can be an:

  • access role
  • admin role
  • provisioning role

    Note: To use provisioning roles, CA IdentityMinder must integrate with a Provisioning Server. See the Installation Guide for more information.

Users who are owners of the User Manager role

 

returned by the query <LDAP-query>

The user must meet a condition based on an LDAP query.

User who meet the conditions of an LDAP query.

For example: (departmentNumber=Accounts)

in <administrative-union-constraint>

The user must meet at least one of the conditions in a list of conditions. You can include the following types of filters in an administrative union constraint:

  • Member of access/admin/provisioning role
  • Administrator of access/admin/provisioning role
  • owner of access/admin/provisioning role
  • member of a group

Users who are a member of the Certify Manager role, or who are an owner of the Certify Manager role.

 

in <administrative-intersection-constraint>

The user must all of the conditions in a list of conditions. You can include the following types of filters in an administrative union constraint:

  • Member of access/admin/provisioning role
  • Administrator of access/admin/provisioning role
  • owner of access/admin/provisioning role
  • member of a group

Users who are members of the Contract Initiator role and the Contract Approver role.