How to deny user access using application roles

Article ID: 125656

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

We want to deny access if the user's attribute value does not include RoleXXX and RoleYYY.
Is it possible to achieve this with role settings?

Environment

Single Sign On r12.8 (CA SSO)

Resolution

Method:
1. Create [Applications].

2. Create the [Resource] to which you want to deny access by setting roles.

<Please see attached file for image>

3. Create a role defined as NOT ((comment CONTAINS "Role XXX") OR (comment CONTAINS "RoleYYY")).
 3-1. Create a role with ((comment CONTAINS "Role XXX") OR (comment CONTAINS "RoleYYY")).

<Please see attached file for image>

 3-2. Add "NOT" before ((comment CONTAINS "Role XXX") OR (comment CONTAINS "RoleYYY")) in [User Expression].

<Please see attached file for image>

4. Assign the role to the resource on the Policies tab.

<Please see attached file for image>

※ Access Resource [Allow Access] : /app/* [Access Role : All Users]
   Deny Resource [Deny Access] : /app/appsub/* [Deny Role : NOT ((comment CONTAINS "Role XXX") OR (comment CONTAINS "RoleYYY"))]


Result:
If the user's comment attribute contains RoleXXX or RoleYYY (or both), access is allowed. All other users (those with neither RoleXXX nor RoleYYY) are rejected.
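
A small model of the resulting policy, added here as an illustration (it is not SiteMinder code or output). It assumes CONTAINS is a case-sensitive substring match and that a matching deny policy overrides an allow; the function names and sample users are constructed.

```python
from fnmatch import fnmatchcase

def contains(attr, literal):
    # Assumption: CONTAINS is a case-sensitive substring test; a missing
    # attribute is treated as an empty string.
    return literal in (attr or "")

def deny_role(user, roles=("RoleXXX", "RoleYYY")):
    # Models: NOT ((comment CONTAINS r1) OR (comment CONTAINS r2))
    return not any(contains(user.get("comment"), r) for r in roles)

def all_users(user):
    return True

# (effect, resource filter, role) as listed in the note under step 4.
POLICIES = [
    ("allow", "/app/*", all_users),
    ("deny", "/app/appsub/*", deny_role),
]

def authorize(user, path, policies=POLICIES):
    # Assumption: a matching deny overrides any matching allow, and a
    # request matched by no allow policy is rejected.
    matched = [effect for effect, pattern, role in policies
               if fnmatchcase(path, pattern) and role(user)]
    return "deny" not in matched and "allow" in matched

# Constructed sample users; "comment" is the attribute used in the expression.
USERS = {
    "alice": {"comment": "RoleXXX"},
    "bob": {"comment": "RoleXXX,RoleYYY"},
    "carol": {"comment": "RoleZZZ"},
    "dave": {},                                 # attribute not set
    "erin": {"comment": "ExRoleYYY-disabled"},  # substring still matches
}

def report(path="/app/appsub/page"):
    # Map each sample user to True (allowed) or False (rejected) for path.
    return {name: authorize(user, path) for name, user in USERS.items()}

if __name__ == "__main__":
    for name, allowed in report().items():
        print(f"{name:6} /app/appsub/page -> {'allow' if allowed else 'deny'}")
```

Under the substring assumption the literal's spelling matters: calling `deny_role` with `roles=("Role XXX", "RoleYYY")` places a user whose comment is `RoleXXX` in the deny role, and a value such as `ExRoleYYY-disabled` still counts as containing `RoleYYY`.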
 

Additional Information

How to create an [Application]:
https://docops.ca.com/ca-single-sign-on/12-8/en/using/administrative-ui/applications-dialog-reference

Attachments

1558688618736000125656_sktwi1f5rjvs16fny.png
1558688616963000125656_sktwi1f5rjvs16fnx.png
1558688615187000125656_sktwi1f5rjvs16fnw.png
1558688612270000125656_sktwi1f5rjvs16fnv.png