Rules Enforced by the Referential Integrity User Exit

These are the constraints (consistency rules) enforced by the Referential Integrity User Exit.

The constraints listed here are the default behavior of the exit module. The user exit configuration can relax some constraints or add others. See Configuration options for the Referential Integrity User Exit.

User Operations

Add user
- Deny request if the user already exists
Delete user
- Deny request if the user does not exist
- Automatically remove the user from all groups
- Automatically remove all resource Access Control Entries (ACEs) that refer to the user
  Note: ACEs with wildcard actors, such as allow:U*:read, are not automatically removed.

Add group
- Deny request if the group already exists
Delete group
- Deny request if the group does not exist
- Deny request if any users still belong to the group
- Automatically remove all resource ACEs that refer to the group
  Note: ACEs with wildcard actors are not automatically removed.
Add user to group
- Deny request if the user or group does not exist
- Deny request if the user already belongs to the group
Remove user from group
- Deny request if the user or group does not exist
- Deny request if the user is not a member of the group

Delete resource class
- Deny request if the class contains any resource access rules
Add resource rule
- Deny request if the rule already exists in the given class
Delete resource rule
- Deny request if the rule does not exist
- Deny request if the rule contains any ACEs
Add ACE to resource rule
- Deny request if the rule or actor (user or group) does not exist
- Deny request if the rule already contains an ACE for the given actor
Delete ACE from resource rule
- Deny request if the rule or actor does not exist
- Deny request if the ACE does not exist in the specified rule