Novell Doc: Novell Access Manager 3.0 SP4 Administration Guide

28.7 Using Multiple Conditions

The Condition structure option controls how conditions within a condition group interact with each other and how condition groups interact with each other. Select one of the following:

AND Conditions, OR groups: If the conditions are ANDed, the user must meet all the conditions in a condition group to match the profile. If the condition groups are ORed, the user must meet all of the conditions of one group to match the profile. This option allows you to set up two or more profiles into which a user could fit and be considered a match. For example, you could create the following Permit rule:

The first condition group could contain the following conditions:
1. The user’s department must be Engineering.
2. The request must come on a weekday.
The second condition group could contain the following conditions:
1. The user’s department must be Information Services and Technology (IS&T).
2. The request must come on a weekend.
With this rule, the engineers who match the first condition group have access to the resource during the week, and the IS&T users who match the second condition group have access to the resource on the weekend.
OR Conditions, AND groups: If the conditions are ORed, the user must meet at least one condition in the condition group to match the profile. If the conditions groups are ANDed, the user must meet at least one condition in each condition group to match the profile. For example, suppose you created the following allow rule:

The first condition group could contain the following conditions:
1. The user’s department is Engineering.
2. The user’s department is Sales.
The second condition group could contain the following conditions:
1. The user has been assigned the Party Planning role.
2. The user has been assigned the Vice President role.
With this rule, the Vice Presidents of both the Engineering and Sales departments can access the resource, and the users from the Engineering and Sales department who have been assigned to the Party Planning role can access the resource.

At the top of each condition group, there is an option that allows you to control whether the user must match the conditions to match the profile or whether the user matches the profile if the user doesn’t match any of the conditions. Depending upon your selection for the Condition structure, you can select from the following:

If/If Not
Or/Or Not
And/And Not

Conditions also have similar Not options, so that a user can match a condition by not matching the specified value.

The check box by each condition allows you to enable the condition or disable it. You usually disable a condition when testing a new rule, and if you decide the condition is not needed, you can then use the Delete button to delete the condition from the rule. Use the Move buttons by the Delete button to move a condition up or down within its group.