Bracketed Boolean Logic In Roles
Article ID: 93047
CA Virtual Privilege Manager
CA Privileged Identity Management Endpoint (PIM)
CA Privileged Access Manager (PAM)
Under "Users and groups" -> roles -> privileged access roles -> modify roles, I click the Members tab and create a member policy. Example below:
where (logon name = "userA")
privileged Account where (account name = "accA" or account name = "accB" and endpoint type <> disconnected)
My question: with this setting, it seems that userA can access (accA or accB) and endpoint type <> disconnected. As I cannot add brackets to the policy, what is the behaviour of using "and" in a member rule?
The scoping in the example would allow access to the accounts "accA" and "accB" only if they were not disconnected accounts.
So if accA was disconnected but accB was not disconnected, the role would only give access to accB.
You are correct that there is no bracketed boolean logic in member rules. If you need it, you need to use multiple roles; the scope a user receives is the union of the scopes of all roles that match them.
For instance, if you wanted unconditional access to accA and access to accB only if it is not disconnected, i.e.
Account Name = accA or (Account Name = accB and endpoint type <> disconnected)
You would need two roles, one with:
Account Name = accA
The other with:
Account Name = accB and endpoint type <> disconnected
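As an added worked example (not code from the CA article or product), the following Python models the two readings of the rule: a bracket-free member rule evaluated left to right with no operator precedence, which reproduces the scope the answer describes, and the union of two separate roles, which yields the intended "accA or (accB and endpoint type <> disconnected)". The left-to-right evaluation is an assumption chosen to match the described behaviour, not the product's actual parser, and the sample accounts are constructed for illustration.

```python
"""Model of bracket-free member-rule evaluation versus a union of roles.

Assumption (not the product's parser): a single rule is evaluated strictly
left to right with no operator precedence, so "A or B and C" behaves as
"(A or B) and C".  Roles combine by union: an account is in scope if any
role's rule matches it.
"""

# Constructed sample accounts: account name -> endpoint type
ACCOUNTS = {
    "accA": "disconnected",
    "accB": "windows",
    "accC": "windows",
}


def matches_term(term, name, endpoint_type):
    """Evaluate one comparison term (field, operator, value) against an account."""
    field, op, value = term
    actual = {"account name": name, "endpoint type": endpoint_type}[field]
    if op == "=":
        return actual == value
    if op == "<>":
        return actual != value
    raise ValueError(f"unsupported operator {op!r}")


def evaluate_flat_rule(rule, name, endpoint_type):
    """Evaluate [term, 'or'|'and', term, ...] left to right, no precedence."""
    result = matches_term(rule[0], name, endpoint_type)
    for i in range(1, len(rule), 2):
        connective, term = rule[i], rule[i + 1]
        rhs = matches_term(term, name, endpoint_type)
        if connective == "and":
            result = result and rhs
        elif connective == "or":
            result = result or rhs
        else:
            raise ValueError(f"unsupported connective {connective!r}")
    return result


def evaluate_with_precedence(rule, name, endpoint_type):
    """Standard boolean precedence ('and' binds tighter than 'or'),
    i.e. the reading "accA or (accB and endpoint type <> disconnected")."""
    groups = [[]]
    for item in rule:
        if item == "or":
            groups.append([])
        elif item != "and":
            groups[-1].append(item)
    return any(all(matches_term(t, name, endpoint_type) for t in g) for g in groups)


def scope_of_roles(roles, accounts, evaluate=evaluate_flat_rule):
    """Union of the accounts granted by each role's member rule."""
    return sorted(
        name for name, etype in accounts.items()
        if any(evaluate(rule, name, etype) for rule in roles)
    )


# The single rule from the question, as one bracket-free role
SINGLE_RULE = [
    ("account name", "=", "accA"), "or",
    ("account name", "=", "accB"), "and",
    ("endpoint type", "<>", "disconnected"),
]

# The same intent split across two roles, as the answer recommends
ROLE_A_UNCONDITIONAL = [("account name", "=", "accA")]
ROLE_B_IF_CONNECTED = [
    ("account name", "=", "accB"), "and",
    ("endpoint type", "<>", "disconnected"),
]

if __name__ == "__main__":
    # Single rule, left to right: accA is disconnected, so only accB remains
    print(scope_of_roles([SINGLE_RULE], ACCOUNTS))
    # Two roles: accA unconditionally, accB because it is not disconnected
    print(scope_of_roles([ROLE_A_UNCONDITIONAL, ROLE_B_IF_CONNECTED], ACCOUNTS))
    # The two-role union equals the bracketed reading of the single rule
    print(scope_of_roles([SINGLE_RULE], ACCOUNTS, evaluate_with_precedence))
```

The check worth keeping from this model is the last one: the union of the two roles gives exactly the scope the bracketed expression would, so when reviewing role definitions, any rule mixing "or" and "and" should be read left to right and, if the intended scope differs, split into one role per "or" branch.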