Most rules describe a relationship between two groups of entities. You specify the members of these groups when you create or edit a rule. These groups are identified as A and B or Left and Right in BPR editing screens. The following table describes the various rule types available and the logical operator that each rule implements.
| Rule Type | Restriction | Description |
|---|---|---|
| Role – Role | | If a configuration includes role sets A, B then the following is true: |
| | Only <L> May have Reason: | Only users that have role in A (left) may have access to role in B (right). |
| | <L> Must have Reason: | Users that have role in A (left) must have access to role in B (right). |
| | <L> Forbidden to have Reason: | Users that have role in A (left) are forbidden to have access to role in B (right). |
| | <L> Only allowed to have Reason: | Users that have role in A (left) are only allowed to have access to role in B (right) and no other roles. |
| Role – Resource | | If a configuration includes role set A and resource set B then the following is true: |
| | Only <L> May have Reason: | Only users that have role in A (left) may have access to resource in B (right). |
| | <L> Must have Reason: | Users that have role in A (left) must have access to resource in B (right). |
| | <L> Forbidden to have Reason: | Users that have role in A (left) are forbidden to have access to resource in B (right). |
| | <L> Only allowed to have Reason: | Users that have role in A (left) are only allowed to have access to resource in B (right) and no other resource. |
| Resource – Resource | | If a configuration includes resource sets A, B then the following is true: |
| | Only <L> May have Reason: | Only users that have access to resource in A (left) may have access to resource in B (right). |
| | <L> Must have Reason: | Users that have access to resource in A (left) must have access to resource in B (right). |
| | <L> Forbidden to have Reason: | Users that have access to resource in A (left) are forbidden to have access to resource in B (right). |
| | <L> Only allowed to have Reason: | Users that have access to resource in A (left) are only allowed to have access to resource in B (right) and no other resource. |
| Resource – Resource (by Roles) | | If a configuration includes resource sets A, B then the following is true: |
| | Only <L> May have Reason: | Only users with roles that have access to resources in A (left) may have access to resources in B (right). |
| | <L> Must have Reason: | Users with roles that have access to resources in A (left) must have access to resources in B (right). |
| | <L> Forbidden to have Reason: | Users with roles that have access to resources in A (left) are forbidden to have access to resources in B (right). |
| | <L> Only allowed to have Reason: | Users with roles that have access to resources in A (left) are only allowed to have access to resources in B (right) and no other resource. |
| User Attribute - Role | | If a configuration includes User Attribute set A and Role set B then the following is true: |
| | Only <L> May have Reason: | Only users with user attributes in A (left) may have access to roles in B (right). |
| | <L> Must have Reason: | Users with user attributes in A (left) must have access to roles in B (right). |
| | <L> Forbidden to have Reason: | Users with user attributes in A (left) are forbidden to have access to roles in B (right). |
| | <L> Only allowed to have Reason: | Users with user attributes in A (left) are only allowed to have access to roles in B (right) and no other role. |
| User Attribute - Resource | | If a configuration includes User Attribute set A and Resource set B then the following is true: |
| | Only <L> May have Reason: | Only users with user attributes in A (left) may have access to resources in B (right). |
| | <L> Must have Reason: | Users with user attributes in A (left) must have access to resources in B (right). |
| | <L> Forbidden to have Reason: | Users with user attributes in A (left) are forbidden to have access to resources in B (right). |
| | <L> Only allowed to have Reason: | Users with user attributes in A (left) are only allowed to have access to resources in B (right) and no other resource. |
| User Attributes Constraints | | If a configuration includes User Attributes Constraints then the following is true: |
| | Only <L> May have Reason: | Only users with user attributes constraint in A (left) may have access to user attributes constraint in B (right). |
| | <L> Must have Reason: | Users with user attributes constraint in A (left) must have access to user attributes constraint in B (right). |
| | <L> Forbidden to have Reason: | Users with user attributes constraint in A (left) are forbidden to have access to user attributes constraint in B (right). |
| | <L> Only allowed to have Reason: | Users with user attributes constraint in A (left) are only allowed to have access to user attributes constraint in B (right) and no other. |
| Segregation of Duty Roles | Should have no more than | The right entity must be a numeric value (N), e.g., 5. Users should have no more than N of the roles in A. |
| | Should have at least | The right entity must be a numeric value (N), e.g., 5. Users should have at least N of the roles in A. |
| | Should have exactly | The right entity must be a numeric value (N), e.g., 5. Users should have exactly N of the roles in A. |
| Segregation of Duty Resources | Should have no more than | The right entity must be a numeric value (N), e.g., 5. Users should have no more than N of the resources in A. |
| | Should have at least | The right entity must be a numeric value (N), e.g., 5. Users should have at least N of the resources in A. |
| | Should have exactly | The right entity must be a numeric value (N), e.g., 5. Users should have exactly N of the resources in A. |
| User Counter of Roles | Should have no more than | The right entity must be a numeric value (N), e.g., 5. Roles in A should have no more than N users. |
| | Should have at least | The right entity must be a numeric value (N), e.g., 5. Roles in A should have at least N users. |
| | Should have exactly | The right entity must be a numeric value (N), e.g., 5. Roles in A should have exactly N users. |
| User Counter of Resources | Should have no more than | The right entity must be a numeric value (N), e.g., 5. Resources in A should have no more than N users. |
| | Should have at least | The right entity must be a numeric value (N), e.g., 5. Resources in A should have at least N users. |
| | Should have exactly | The right entity must be a numeric value (N), e.g., 5. Resources in A should have exactly N users. |
| User Attribute Value | Number <L> must be greater than Reason: | The numeric value of the User Attribute for the Left Entity must be greater than the numeric value listed in the Right Entity. |
| | Number <L> must be less than Reason: | The numeric value of the User Attribute for the Left Entity must be less than the numeric value listed in the Right Entity. |
| | Number <L> must be equal to Reason: | The numeric value of the User Attribute for the Left Entity must be equal to the numeric value listed in the Right Entity. |
| | Date <L> must be earlier than Reason: | The date for the User Attribute selected in the Left Entity must be earlier than the date listed in the Right Entity. |
| | Date <L> must be later than Reason: | The date for the User Attribute selected in the Left Entity must be later than the date listed in the Right Entity. |
| | <L> Must match regular expression Reason: | The value for the User Attribute selected in the Left Entity must match the value defined by the regular expression listed in the Right Entity. |
| | <L> Must not match regular expression Reason: | The value for the User Attribute selected in the Left Entity must not match the value defined by the regular expression listed in the Right Entity. |
| | <L> Should be empty | The value for the User Attribute selected in the Left Entity should be empty. |
| | <L> Should not be empty | The value for the User Attribute selected in the Left Entity should not be empty. |
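
The four Role – Resource restrictions differ mainly in the direction of the implication between A and B, which the following added example (not code from the product or its vendor) makes explicit by listing the users who violate each one, alongside the Segregation of Duty Roles "Should have no more than" check. The restriction keys, function names, and sample users are hypothetical, and "has role in A" is assumed to mean holding at least one member of the set.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    resources: set = field(default_factory=set)

def role_resource_violations(users, restriction, left_roles, right_resources):
    """Return sorted names of users that violate a Role - Resource rule.

    Assumption: "in A" / "in B" means at least one member of the set.
    """
    violators = []
    for u in users:
        in_a = bool(u.roles & left_roles)
        in_b = bool(u.resources & right_resources)
        if restriction == "only_may_have":           # B implies A
            bad = in_b and not in_a
        elif restriction == "must_have":             # A implies B
            bad = in_a and not in_b
        elif restriction == "forbidden_to_have":     # A and B never together
            bad = in_a and in_b
        elif restriction == "only_allowed_to_have":  # A implies nothing outside B
            bad = in_a and bool(u.resources - right_resources)
        else:
            raise ValueError(f"unknown restriction: {restriction}")
        if bad:
            violators.append(u.name)
    return sorted(violators)

def sod_role_violations(users, roles_a, limit):
    """Segregation of Duty Roles, 'Should have no more than' N of the roles in A."""
    return sorted(u.name for u in users if len(u.roles & roles_a) > limit)

# Constructed sample data, not taken from any real configuration.
USERS = [
    User("alice", {"AP_Clerk"}, {"invoice_entry"}),
    User("bob", {"AP_Clerk", "AP_Approver"}, {"invoice_entry", "payment_release"}),
    User("carol", {"Auditor"}, {"payment_release"}),
    User("dave", {"AP_Approver"}, set()),
]

if __name__ == "__main__":
    for r in ("only_may_have", "must_have"):
        print(r, role_resource_violations(USERS, r, {"AP_Approver"}, {"payment_release"}))
    print("sod", sod_role_violations(USERS, {"AP_Clerk", "AP_Approver"}, 1))
```

The same left and right sets yield different violators under "Only may have" and "Must have", so a rule authored with the wrong restriction flags the wrong users rather than failing outright.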

Copyright © 2010 CA. All rights reserved.