The AND Users/Groups check box lets you restrict authorization to users who are members of more than one user group, or to a particular user who is also a member of one or more user groups. When you add individual users and user groups from a user directory to a policy, selecting the check box specifies AND relationships between them; clearing the check box specifies OR relationships.
When you specify AND relationships and apply the resulting policy to a user, the user must match every user and group entry bound to the policy to be authorized: the user must be the bound individual user, if one is bound, and must be a member of every bound user group.
Note: A user who is excluded from the policy or is a member of a group that is excluded from the policy cannot be authorized.
Example: Assume that User1, Group1, and Group2 are all bound to a policy and that AND relationships are specified. In this case, test_user must be User1 and a member of Group1 and Group2 to be authorized.
Example: Assume that User1, User2, and Group1 are all bound to a policy and that AND relationships are specified. In this case, test_user cannot be both User1 and User2. Therefore, test_user cannot be authorized.
Important! Do not add two or more individual users to a policy and specify AND relationships. Because no single user can be more than one individual, the policy always fails.
To specify both AND and OR relationships, choose one of the following configurations:
In the first configuration, two or more user directories are available to a single policy. The relationship between individual users and user groups in a single directory can be AND or OR. The relationship between individual users and user groups in different directories is always OR.
Example: There are two user directories and a single policy. In each directory, there are two user groups, and an AND relationship is specified. Assume that Directory1 contains Group1 and Group2 and that Directory2 contains Group3 and Group4. In this case, test_user must be a member of Group1 and Group2 or a member of Group3 and Group4 to be authorized.
This can be expressed logically as follows:
Directory1(Group1 AND Group2) OR Directory2(Group3 AND Group4)
Use Case: There are two user directories and a single policy. Directory1 contains the user groups Facilities and Human_Resources, and an AND relationship is specified. Directory2 contains the user groups Marketing and Sales, and an OR relationship is specified. In this case, the user must be a member of both Facilities and Human_Resources, or a member of Marketing or Sales, to be authorized. This can be expressed logically as follows:
Directory1(Facilities AND Human_Resources) OR Directory2(Marketing OR Sales)
In the second configuration, two or more policies in a shared domain have access to a single user directory. The relationship between individual users and user groups in the user directory can be AND in one policy and OR in another policy. The relationship between different policies in a shared domain is always OR.
Example: There are two policies and one user directory. The user directory contains four user groups. Assume that Group1 and Group2 are bound to Policy1 and that Group3 and Group4 are bound to Policy2. AND relationships are specified between the user groups in both policies. In this case, test_user can be authorized by the application of Policy1 or Policy2. This can be expressed logically as follows:
Policy1(Group1 AND Group2) OR Policy2(Group3 AND Group4)
Use Case: There are two policies and one user directory. The user groups Human_Resources, Marketing, and Sales are bound to Policy1, and an OR relationship is specified. The user groups Facilities and Human_Resources are bound to Policy2, and an AND relationship is specified. In this case, the user must be a member of Human_Resources, Marketing, or Sales, or a member of both Facilities and Human_Resources, to be authorized. Policy2 on its own only authorizes members of Facilities who are also members of Human_Resources.
This can be expressed logically as follows:
Policy1(Human_Resources OR Marketing OR Sales) OR Policy2(Facilities AND Human_Resources)
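The following is an added example, not CA product code, that models the evaluation rules described on this page so the examples and use cases above can be checked mechanically: AND or OR between the users and groups bound from one directory, always OR between directories in one policy, always OR between policies in a shared domain, exclusions that override everything, and the pitfall that two or more individual users joined by AND can never match. The directory contents, user names (alice, bob, carol, and so on) and the Binding structure are assumptions made for the example.

```python
# Added example: a small model of AND/OR user and group bindings as described
# above. Illustrative code written for this page, not CA product code; the
# directory contents, user names and the Binding structure are assumed.
from dataclasses import dataclass, field

# Constructed sample directories: directory name -> {user name: set of group names}.
DIRECTORIES = {
    "Directory1": {
        "alice": {"Facilities", "Human_Resources"},
        "bob": {"Facilities"},
        "carol": {"Group1", "Group2"},
        "dave": {"Group1"},
        "heidi": {"Marketing"},
    },
    "Directory2": {
        "erin": {"Marketing"},
        "frank": {"Group3", "Group4"},
        "grace": {"Group3"},
    },
}


@dataclass
class Binding:
    """Users and groups from one user directory bound to one policy."""
    directory: str
    users: set = field(default_factory=set)      # individual users added to the policy
    groups: set = field(default_factory=set)     # user groups added to the policy
    and_users_groups: bool = False               # the "AND Users/Groups" check box
    excluded_users: set = field(default_factory=set)
    excluded_groups: set = field(default_factory=set)


def always_fails(binding):
    """The pitfall called out above: two or more individual users joined by AND
    can never match, because no single user is two different individuals."""
    return binding.and_users_groups and len(binding.users) >= 2


def binding_authorizes(binding, user):
    """Evaluate the users and groups bound from one directory for `user`."""
    groups = DIRECTORIES.get(binding.directory, {}).get(user)
    if groups is None:
        return False  # user does not exist in this directory
    # An excluded user, or a member of an excluded group, is never authorized.
    if user in binding.excluded_users or groups & binding.excluded_groups:
        return False
    # Every bound user or group becomes one boolean test on the requesting user.
    tests = [user == u for u in binding.users] + [g in groups for g in binding.groups]
    if not tests:
        return False  # nothing bound from this directory: nobody matches
    return all(tests) if binding.and_users_groups else any(tests)


def policy_authorizes(policy, user):
    """Bindings from different directories in one policy are always ORed."""
    return any(binding_authorizes(b, user) for b in policy)


def domain_authorizes(policies, user):
    """Policies in a shared domain are always ORed."""
    return any(policy_authorizes(p, user) for p in policies)


# The policies from the examples and use cases above.
# Directory1(Group1 AND Group2) OR Directory2(Group3 AND Group4)
TWO_DIRS_AND_AND = [
    Binding("Directory1", groups={"Group1", "Group2"}, and_users_groups=True),
    Binding("Directory2", groups={"Group3", "Group4"}, and_users_groups=True),
]
# Directory1(Facilities AND Human_Resources) OR Directory2(Marketing OR Sales)
TWO_DIRS_AND_OR = [
    Binding("Directory1", groups={"Facilities", "Human_Resources"}, and_users_groups=True),
    Binding("Directory2", groups={"Marketing", "Sales"}, and_users_groups=False),
]
# Policy1(Human_Resources OR Marketing OR Sales) OR Policy2(Facilities AND Human_Resources)
POLICY1 = [Binding("Directory1", groups={"Human_Resources", "Marketing", "Sales"})]
POLICY2 = [Binding("Directory1", groups={"Facilities", "Human_Resources"}, and_users_groups=True)]
# Two individual users with AND: the configuration the Important! note warns against.
TWO_USERS_AND = [Binding("Directory1", users={"alice", "bob"}, and_users_groups=True)]


if __name__ == "__main__":
    for user in ("carol", "dave", "frank", "grace"):
        print("two directories, AND/AND:", user, policy_authorizes(TWO_DIRS_AND_AND, user))
    for user in ("alice", "bob", "erin"):
        print("two directories, AND/OR:", user, policy_authorizes(TWO_DIRS_AND_OR, user))
    for user in ("alice", "bob", "heidi"):
        print("two policies, one directory:", user, domain_authorizes([POLICY1, POLICY2], user))
    print("two users joined by AND always fails:", always_fails(TWO_USERS_AND[0]))
```

The `always_fails` check is the one worth wiring into a configuration review: a binding with two or more individual users and the AND box selected is not a subtle policy, it is a policy that silently authorizes nobody. Exclusions are modelled per binding here; a policy-wide exclusion is the same check applied to every binding in the policy.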
Copyright © 2013 CA. All rights reserved.