The Condition structure option controls how conditions within a condition group interact with each other and how condition groups interact with each other. Select one of the following:
AND Conditions, OR groups: If the conditions are ANDed, the user must meet all the conditions in a condition group to match the profile. If the condition groups are ORed, the user must meet all of the conditions of one group to match the profile. This option allows you to set up two or more profiles into which a user could fit and be considered a match. For example, suppose you create the following Permit rule:
The first condition group contains the following conditions:
The user’s department must be Engineering.
The request must come on a weekday.
The second condition group contains the following conditions:
The user’s department must be Information Services and Technology (IS&T).
The request must come on a weekend.
With this rule, the engineers who match the first condition group have access to the resource during the week, and the IS&T users who match the second condition group have access to the resource on the weekend.
OR Conditions, AND groups: If the conditions are ORed, the user must meet at least one condition in the condition group to match the profile. If the conditions groups are ANDed, the user must meet at least one condition in each condition group to match the profile. For example, suppose you create the following allow rule:
The first condition group contains the following conditions:
The user’s department is Engineering.
The user’s department is Sales.
The second condition group contains the following conditions:
The user has been assigned the Party Planning role.
The user has been assigned the Vice President role.
With this rule, the Vice Presidents of both the Engineering and Sales departments can access the resource, and the users from the Engineering and Sales department who have been assigned to the Party Planning role can access the resource.
At the top of each condition group, there is an option that allows you to control whether the user must match the conditions to match the profile or whether the user matches the profile if the user does not match any of the conditions. Depending upon your selection for the Condition structure, you can select from the following:
If/If Not
Or/Or Not
And/And Not
Conditions also have similar Not options, so that a user can match a condition by not matching the specified value.
To add another condition to a condition group, click New, then select a condition. To copy an existing condition, click the Copy Condition icon . New conditions are always added to the end of the condition group. Use the Move buttons to order the conditions in the condition group.
To add another condition group to the rule, click Append New Group. To copy the existing condition group, click the Copy Group icon . New condition groups are always added to the end to the Conditions section. Use the Move buttons to order the condition groups.
Condition groups and conditions within them can be disabled by clicking the Enabled check mark , which changes the icon to the Disabled icon .
You usually disable a condition or condition group when testing a new rule, and if you decide that the condition or condition group is not needed, you can then use Delete to delete the condition or condition group from the rule. Use Move next to Delete to move a condition up or down within its group. Condition groups also have Move buttons.