Bracketed Boolean Logic In Roles
search cancel

Bracketed Boolean Logic In Roles


Article ID: 93047


Updated On:


CA Virtual Privilege Manager CA Privileged Identity Management Endpoint (PIM) CA Privileged Access Manager (PAM)


Under "Users and groups" -> roles -> privileged access roles -> modify roles. then I click members tab and create a member policy. example below: 

member rule: 
where (logon name = "userA") 

scope rule: 
privileged Account where (account name = "accA" or account name = "accB" and endpoint type <> disconnected) 

My question: Is this setting it seems that userA can access (accA or accB) and endpoint type <> disconnect. As I cannot add bracket to policy, what is behaviour of using "and" in member rule?


Component: SEOSPP


The scoping in the example would allow access to the accounts "accA" and "accB" only if they were not disconnected accounts. 

So if accA was disconnected but accB was not disconnected, the role would only give access to accB. 

You are correct that there is no bracketed boolean logic. If you need this you need to use multiple roles. 

For instance if you wanted unconditional access to accA and access to accB only if it is not disconnected, i.e. 

Account Name = accA or (Account Name = accB and endpoint type <> disconnected) 

You would need two roles, one with: 

Account Name = accA 

The other with: 

Account Name = accB and endpoint type <> disconnected