Bracketed Boolean Logic In Roles

Article ID: 93047

Products

CA Virtual Privilege Manager, CA Privileged Identity Management Endpoint (PIM), CA Privileged Access Manager (PAM)

Issue/Introduction

Under "Users and groups" -> roles -> privileged access roles -> modify roles. Then I click the Members tab and create a member policy. Example below:

member rule: 
where (logon name = "userA") 

scope rule: 
privileged Account where (account name = "accA" or account name = "accB" and endpoint type <> disconnected) 

My question: With this setting, it seems that userA can access (accA or accB) and endpoint type <> disconnected. As I cannot add brackets to the policy, what is the behaviour of using "and" in the member rule?

Environment

Component: SEOSPP

Resolution

The scoping in the example would allow access to the accounts "accA" and "accB" only if they were not disconnected accounts.

So if accA was disconnected but accB was not disconnected, the role would only give access to accB.

You are correct that there is no bracketed Boolean logic. If you need it, you need to use multiple roles.

For instance if you wanted unconditional access to accA and access to accB only if it is not disconnected, i.e. 

Account Name = accA or (Account Name = accB and endpoint type <> disconnected) 

You would need two roles, one with: 

Account Name = accA 

The other with: 

Account Name = accB and endpoint type <> disconnected
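To make the difference concrete, here is an added Python model (not product code, and not from the article) of the three rules above, evaluated against a constructed account inventory. It assumes, as the Resolution states, that the un-bracketed scope rule applies the trailing "and" to both account names; the data class, account names and endpoint types are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    """Constructed stand-in for a privileged account in the PIM/PAM inventory."""
    name: str
    endpoint_type: str  # e.g. "windows", or "disconnected" for a disconnected account


# Constructed sample inventory: accA is disconnected, accB is not, accC is out of scope.
INVENTORY = [
    Account("accA", "disconnected"),
    Account("accB", "windows"),
    Account("accC", "windows"),
]


def single_role_scope(acct: Account) -> bool:
    """The scope rule as written in the question, with the behaviour the article
    describes: (name = accA or name = accB) and endpoint type <> disconnected."""
    return acct.name in ("accA", "accB") and acct.endpoint_type != "disconnected"


def intended_scope(acct: Account) -> bool:
    """What the asker actually wanted, which needs brackets the policy editor
    does not offer: accA or (accB and endpoint type <> disconnected)."""
    return acct.name == "accA" or (
        acct.name == "accB" and acct.endpoint_type != "disconnected"
    )


def role_one(acct: Account) -> bool:
    """First workaround role: Account Name = accA (unconditional)."""
    return acct.name == "accA"


def role_two(acct: Account) -> bool:
    """Second workaround role: Account Name = accB and endpoint type <> disconnected."""
    return acct.name == "accB" and acct.endpoint_type != "disconnected"


def granted(rules, inventory) -> list[str]:
    """Accounts a user gets through the union of the given roles' scope rules."""
    return sorted(a.name for a in inventory if any(rule(a) for rule in rules))


if __name__ == "__main__":
    print("single role :", granted([single_role_scope], INVENTORY))   # ['accB']
    print("intended    :", granted([intended_scope], INVENTORY))      # ['accA', 'accB']
    print("two roles   :", granted([role_one, role_two], INVENTORY))  # ['accA', 'accB']
```

The single-role rule drops accA because it is disconnected, while the two-role split reproduces the intended bracketed logic exactly.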