

AND Users/Groups Check Box

The AND Users/Groups check box lets you restrict authorization to users who are members of more than one user group or to a particular user who is a member of one or more user groups. When adding individual users and user groups in a user directory to a policy, you can specify AND relationships between them by selecting the check box. Alternatively, you can specify OR relationships between them by clearing the check box.

When you specify AND relationships and apply the resulting policy to a user, the user must meet the following requirements to be authorized:

Note: A user who is excluded from the policy or is a member of a group that is excluded from the policy cannot be authorized.

Example: Assume that User1, Group1, and Group2 are all bound to a policy and that AND relationships are specified. In this case, test_user must be User1 and a member of Group1 and Group2 to be authorized.

Example: Assume that User1, User2, and Group1 are all bound to a policy and that AND relationships are specified. In this case, test_user cannot be both User1 and User2. Therefore, test_user cannot be authorized.

Important! Do not add two or more individual users to a policy and specify AND relationships. Because no single user can be more than one individual, the policy always fails.
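The following Python sketch is an added illustration, not product code: it models the AND/OR evaluation, the exclusion rule, and the two-individual-users pitfall described above. The names `Policy`, `is_authorized`, and `lint` are hypothetical, group memberships are passed in as an already-resolved flat set, and denying access when nothing is bound to the policy is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    users: frozenset = frozenset()            # individual users bound to the policy
    groups: frozenset = frozenset()           # user groups bound to the policy
    and_mode: bool = False                    # state of the AND Users/Groups check box
    excluded_users: frozenset = frozenset()   # users excluded from the policy
    excluded_groups: frozenset = frozenset()  # groups excluded from the policy

def is_authorized(policy, user, memberships):
    """Model of the documented rules; memberships is the user's set of groups."""
    memberships = set(memberships)
    # An excluded user, or a member of an excluded group, is never authorized.
    if user in policy.excluded_users or memberships & set(policy.excluded_groups):
        return False
    # One boolean per bound entry: "is this user" or "is in this group".
    checks = [user == u for u in policy.users]
    checks += [g in memberships for g in policy.groups]
    if not checks:
        return False  # assumption: a policy with no bound entries authorizes no one
    # Check box selected: every entry must match. Cleared: any entry is enough.
    return all(checks) if policy.and_mode else any(checks)

def lint(policy):
    """Flag the configuration the Important note warns about."""
    if policy.and_mode and len(policy.users) >= 2:
        return ["AND relationship with two or more individual users: "
                "no single user can match, so the policy always fails"]
    return []

if __name__ == "__main__":
    # Constructed sample policies mirroring the two examples above.
    first = Policy(users={"User1"}, groups={"Group1", "Group2"}, and_mode=True)
    second = Policy(users={"User1", "User2"}, groups={"Group1"}, and_mode=True)
    print(is_authorized(first, "User1", {"Group1", "Group2"}))  # all entries match
    print(is_authorized(first, "User1", {"Group1"}))            # Group2 missing
    print(is_authorized(second, "User1", {"Group1"}))           # cannot be User2 too
    print(lint(second))
```

Running a check like `lint` over exported policy definitions before deployment catches AND policies that silently deny every user.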

To specify both AND and OR relationships, choose one of the following configurations: