Application Roles Dialog

The Roles dialog is where you create a role and specify the criteria for membership to this role.
The dialog contains the following settings:
  • General
    • Name
      Defines the name of the role.
    • Description
      Defines the unique characteristics of the role you are creating.
    • Role applies to
      Specifies whether the role applies to all or specific users in the configured user directories.
      • All Users
        Indicates that the role applies to all users in the configured user directories.
      • Selected Users
        (default)
        Indicates that the role applies to users selected from the configured user directories. When selected, the Users Setup and Advanced group boxes appear, allowing you to select users by group membership, organization membership, user attributes, or user expression.
  • Users Setup
    Specifies groups, organizations, and user attribute expressions that define the members of the role. If no user attributes are specified, role membership is assigned to users that are members of any defined group or organization.
    If user attributes are specified, the Must/May match these attributes control determines role membership behavior.
    • Member Groups
      Defines groups that contain users that belong to the role.
      • Filter
        Filters the list of groups that is displayed in the Member Groups table. Enter a search string and click Go. For ODBC, enter any string such as a single letter or group of letters. For Active Directory or LDAP, the filter must be a valid RDN.
        Example: cn=<search string> or ou=<search string>
      • Select
        Specifies whether a group contains members of the role.
      • Group Details
        Shows details of the group.
      • User Directory
        Shows the name of the user directory in which the group is defined.
    • Member Organizations
      Defines organizations that contain users that belong to the role.
      • Filter
        Filters the list of organizations that is displayed in the Member Organizations table. Enter any string, such as a single letter or group of letters and click Go to sort the list of organizations that is displayed.
      • Select
        Specifies whether the organization contains members of the role.
      • Organizational Details
        Shows details of the organization.
      • User Directory
        Shows the name of the user directory in which the group is defined.
    • Must Match/May Match These Attributes
      Determines whether members of specified groups and organizations must also match the expressions defined in the Member Attributes section to be assigned role membership.
      If the Must match these attributes setting is specified, role membership is only assigned to members of defined groups or organizations that also match the defined user attribute expressions. If the May match these attributes setting is specified, role membership is assigned to the users that are members of all defined groups and organizations or users that match the defined user attribute expressions.
    • Member Attributes
      Specifies user attribute expressions that define users that are members of the role.
      • Match Attributes for
        Specifies whether users must have all (default) or any of the defined attributes to be members of the role.
      • Add
        Adds an attribute expression entry to the table.
      • Validate
        Validates defined user attribute expressions.
      • Attribute
        Specifies the name of the user attribute of the expression.
      • Operation
        Specifies the operation with which to compare the Attribute and the Attribute Value. Specify one of the following comparative operators:
        Equality (= and ~=)
        Inequality (!= and ~!=)
        Greater-than (> and ~>)
        Less-than (< and ~<)
        Greater-than or Equal-to (>= and ~>=)
        Less-than or Equal-to (<= and ~<=)
        (BEGINS_WITH and ~BEGINS_WITH)
        (ENDS_WITH and ~ENDS_WITH)
        (CONTAINS and ~CONTAINS)
        (IN and ~IN)
        (LIKE)
        The last five options are case insensitive.
      • Attribute Value
        Specifies the target user attribute value of the expression.
      Example expressions:
      departmentName = HR
      employeeType != temp
      NUMBER(zipcode) = 90210
      NUMBER(employeeNumber) ~>= 1000
  • Advanced
    • User Expression
      Specifies a named or unnamed expression that the Policy Server evaluates at run time to determine which users are part of the role. The expression can be defined in the following ways:
      • Automatically generated by SiteMinder from group, organization, and user attribute settings defined in the Users Setup section.
        Note: You can manually edit a generated expression, using it as a basis for further refinement. In this case, the Users Setup section disappears and the user expression becomes the sole means by which role membership can be further defined.
      • Entered manually from scratch. In most cases, a database administrator creates this expression and provides it to you.
      Example:
      inGroup("Employees")
      This expression means that all users included in the group named Employees are included in this role.
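The following Python program is an added example that models the membership rules described in the Users Setup section (Member Groups, Member Organizations, Must Match/May Match, Match Attributes for all/any, and the attribute expression operators) and the inGroup("...") form from the Advanced section. It is not SiteMinder code. The user directory (USERS) is constructed sample data; the '~' prefix is assumed to mean a case-insensitive comparison; the IN operator is assumed to take a comma-separated list; group or organization membership is treated as "any listed group or organization", as the Users Setup text states; and only the inGroup("...") user expression shown on the page is supported.

```python
import re
from dataclasses import dataclass, field

# Constructed sample user directory (not real data): group/organization membership plus attributes.
USERS = {
    "alice": {"groups": {"Employees", "HR-Staff"}, "orgs": {"Corporate"},
              "attrs": {"departmentName": "HR", "employeeType": "perm",
                        "zipcode": "90210", "employeeNumber": "1500"}},
    "bob":   {"groups": {"Employees"}, "orgs": set(),
              "attrs": {"departmentName": "Sales", "employeeType": "temp",
                        "zipcode": "10001", "employeeNumber": "42"}},
    "carol": {"groups": set(), "orgs": {"Contractors"},
              "attrs": {"departmentName": "hr", "employeeType": "perm",
                        "zipcode": "90210", "employeeNumber": "2000"}},
}

# One attribute expression: optional NUMBER() cast, attribute name, optional '~', operator, value.
EXPR_RE = re.compile(
    r"^\s*(NUMBER\()?\s*(\w+)\)?\s*(~?)"
    r"(>=|<=|!=|=|>|<|BEGINS_WITH|ENDS_WITH|CONTAINS|IN)\s*(.+?)\s*$"
)

OPS = {
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    "BEGINS_WITH": lambda a, b: str(a).startswith(str(b)),
    "ENDS_WITH": lambda a, b: str(a).endswith(str(b)),
    "CONTAINS": lambda a, b: str(b) in str(a),
    # Assumption for this example: the IN value is a comma-separated list of candidates.
    "IN": lambda a, b: str(a) in [v.strip() for v in str(b).split(",")],
}


def evaluate_expression(expr: str, attrs: dict) -> bool:
    """Evaluate one Member Attributes expression against a user's attributes."""
    m = EXPR_RE.match(expr)
    if not m:
        raise ValueError(f"cannot parse expression: {expr!r}")
    numeric, name, tilde, op, target = m.groups()
    if name not in attrs:
        return False  # an attribute the user lacks never satisfies the expression
    actual = attrs[name]
    if numeric:
        try:
            actual, target = float(actual), float(target)
        except ValueError:
            return False  # non-numeric directory data cannot satisfy a NUMBER() expression
    elif tilde:
        # Assumption for this example: the '~' prefix means case-insensitive comparison.
        actual, target = actual.casefold(), target.casefold()
    return bool(OPS[op](actual, target))


@dataclass
class Role:
    name: str
    member_groups: set = field(default_factory=set)
    member_orgs: set = field(default_factory=set)
    member_attributes: list = field(default_factory=list)
    must_match: bool = True   # Must match (True) / May match (False) these attributes
    match_all: bool = True    # Match Attributes for: all (True, default) / any (False)


def is_member(role: Role, user: dict) -> bool:
    """Apply the Users Setup rules: group/org membership combined with attribute expressions."""
    in_group_or_org = bool(user["groups"] & role.member_groups or user["orgs"] & role.member_orgs)
    if not role.member_attributes:
        return in_group_or_org  # no attributes defined: any listed group or organization suffices
    results = [evaluate_expression(e, user["attrs"]) for e in role.member_attributes]
    attrs_match = all(results) if role.match_all else any(results)
    if role.must_match:
        return in_group_or_org and attrs_match  # group/org member who ALSO matches the expressions
    return in_group_or_org or attrs_match       # either path grants membership


def evaluate_user_expression(expr: str, user: dict) -> bool:
    """Advanced > User Expression; only the page's inGroup("...") form is modelled here."""
    m = re.fullmatch(r'\s*inGroup\("([^"]+)"\)\s*', expr)
    if not m:
        raise ValueError(f"unsupported user expression: {expr!r}")
    return m.group(1) in user["groups"]


def role_members(role: Role) -> list:
    """Names of sample users that the role resolves to."""
    return sorted(name for name, user in USERS.items() if is_member(role, user))


# Must match: members of Employees who are also permanent HR staff.
HR_ROLE = Role("HR", member_groups={"Employees"},
               member_attributes=["departmentName = HR", "employeeType != temp"])
# May match: anyone in the Contractors organization OR anyone whose zipcode is 90210.
REGION_ROLE = Role("Region90210", member_orgs={"Contractors"},
                   member_attributes=["NUMBER(zipcode) = 90210"], must_match=False)

if __name__ == "__main__":
    for role in (HR_ROLE, REGION_ROLE):
        print(role.name, role_members(role))
    print("inGroup Employees:", [n for n, u in USERS.items()
                                 if evaluate_user_expression('inGroup("Employees")', u)])
```

Note the edge case the model makes visible: with Must match selected, a role that lists no groups or organizations can never gain members through attribute expressions alone, because the "also" condition requires group or organization membership first; switching to May match (or moving the criteria into a user expression) is what makes attribute-only membership possible.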