
How to deny user access using application roles


Article ID: 125656


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On


We want to deny access when the user's attribute value contains neither RoleXXX nor RoleYYY.
Can this be achieved with a role setting?


Single Sign On r12.8 (CA SSO)


1. Create [Applications]

2. Create the [Resource] to which you want to deny access by role

3. Create a role whose user expression is NOT ((comment CONTAINS "RoleXXX") OR (comment CONTAINS "RoleYYY"))
 3-1. Create the role with ((comment CONTAINS "RoleXXX") OR (comment CONTAINS "RoleYYY"))


 3-2. Add "NOT" before ((comment CONTAINS "RoleXXX") OR (comment CONTAINS "RoleYYY")) in [User Expression]


4. Assign the role to the resource on the Policies tab

※ Access Resource [Allow Access]: /app/* [Access Role: All Users]
   Deny Resource [Deny Access]: /app/appsub/* [Deny Role: NOT ((comment CONTAINS "RoleXXX") OR (comment CONTAINS "RoleYYY"))]

With this configuration, a user whose comment attribute contains RoleXXX or RoleYYY (or both) is allowed access, and any other user (one whose comment contains neither RoleXXX nor RoleYYY) is rejected.
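
The following added example (not part of the original article and not CA SSO code) models the two policies from step 4 in Python to show which users end up denied on /app/appsub/*. It assumes that CONTAINS is a case-sensitive substring match and that a matching deny policy overrides an allow; the sample users and paths are constructed.

```python
# Added illustration: a model of the policy above, not CA SSO code.
from fnmatch import fnmatchcase

def contains(attr, needle):
    # Assumption: CONTAINS is a case-sensitive substring test, and a
    # missing attribute never matches.
    return attr is not None and needle in attr

def in_deny_role(user):
    # Step 3-2: NOT ((comment CONTAINS "RoleXXX") OR (comment CONTAINS "RoleYYY"))
    c = user.get("comment")
    return not (contains(c, "RoleXXX") or contains(c, "RoleYYY"))

# (resource filter, effect, role membership test) as listed in step 4.
POLICIES = [
    ("/app/*", "allow", lambda user: True),   # Access Role: All Users
    ("/app/appsub/*", "deny", in_deny_role),
]

def authorize(user, path):
    # Assumption: a matching deny overrides any allow, and a path that
    # no policy covers is not authorized.
    effects = {effect for pattern, effect, role in POLICIES
               if fnmatchcase(path, pattern) and role(user)}
    return "allow" in effects and "deny" not in effects

# Constructed sample users; only the "comment" attribute matters here.
USERS = {
    "both": {"comment": "RoleXXX,RoleYYY"},
    "xxx_only": {"comment": "RoleXXX"},
    "neither": {"comment": "RoleZZZ"},
    "no_attr": {},
    "lookalike": {"comment": "RoleXXX_readonly"},  # substring still matches
}

def access_matrix():
    # Returns {user: (allowed on /app/*, allowed on /app/appsub/*)}.
    paths = ("/app/index.html", "/app/appsub/report")
    return {name: tuple(authorize(u, p) for p in paths)
            for name, u in USERS.items()}

if __name__ == "__main__":
    for name, row in access_matrix().items():
        print(f"{name:10} app={row[0]!s:5} appsub={row[1]}")
```

Under the substring assumption, the `lookalike` user is admitted to /app/appsub/* because "RoleXXX_readonly" contains "RoleXXX", so role names stored in the attribute should not be prefixes of one another. A user with no comment attribute falls into the deny role and is rejected.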

Additional Information

[Application] create method:

