Specify AND/OR Relationships between Users/Groups

Policy Server Guides › Policy Design Guide › Policies › Configure a Policy › Specify AND/OR Relationships between Users/Groups

Specify AND/OR Relationships between Users/Groups

The AND Users/Groups check box lets you restrict authorization to users who are members of more than one user group or to a particular user who is a member of one or more user groups. When adding individual users and user groups in a user directory to a policy, you can specify AND relationships between them by selecting the check box. Alternately, you can specify OR relationships by clearing the check box.

When you specify AND relationships and apply the resulting policy to a user, the user must meet the following requirements to be authorized:

The user must be a member of each user group that is bound to the policy.
If an individual user is bound to the policy, the user must be that individual.

Important! Do not add two or more individual users to a policy and specify AND relationships. Because no single user can be more than one individual, the policy always fails.

To specify AND relationships between a user and one or more user groups or between multiple user groups in one user directory

If the policy contains more than one user directory, select the tab corresponding to the user directory that you want on the Policy Properties pane.
Select the AND Users/Groups check box on the user directory's tab.
Click Apply.
The icons next to the individual users and user groups in the selected user directory are updated to show AND relationships.

Note: When you clear the check box and click Apply, the icons are updated to show OR relationships between the individual users and user groups in the selected user directory.

Email CA Technologies about this topic