Scope Rules

Screens and Tabs › Tabs › Role Management Tabs › Members Tab › Scope Rules

Scope Rules

You combine member and admin rules with scope rules. Scope rules limit objects on which the role can be used.

For a role member, scope rules control which objects can be managed with the role.
For a role administrator, scope rules control which users can become role members and administrators.

Scope applies to the primary object of the task. For example, user is the primary object of the Create User task. However, scope does not apply to the groups for that user, because group is a secondary object.

For most object types, you can specify the types of scope rules in the following table.

Rule Condition	Example	Rule Syntax
All	Role members can manage all objects	All
The object must match one or more attribute values.	Users where title starts with senior	where <filter>

When you select the filter option, CA Identity Manager displays two types of filters:

<attribute> <comparator><value>: An attribute in the object’s profile must match a specific value.
<attribute> <comparator> admin's <user-attribute>: An attribute in the object’s profile must match an attribute on the administrator's profile. For example: Users where manager = admin’s UserID.

Additional options, which are described in the following tables, are available for user, group, and organization objects.

Note: The following user scope rules are examples. You can create other rules to handle different relationships between the administrator and the users that the administrator can manage.

Rule Condition	Example	Rule Syntax
The user must match one attribute value.	Users where member of group sales or cell phone does not equal null	where <user-filter>
The user must match multiple attribute values.	Users where title=manager and locality=USA	where <user-filter>
The user must belong to named organizations.	Users in organization Australia or New Zealand Note: Organization scope rule apply to suborganizations of the organization that meets the rule. For example, if the organization rule is "in Organization1", the scope rule applies to Organization1.1 and Organization1.2, but does not apply to Organization1.	in <org-rule>
The user must belong to organizations that meet a condition specified by attributes on the organization.	Users in organizations where Business Type=gold or platinum	in organizations where <org-filter>
The user must belong to specific organizations and match specific user attributes.	Users where title=manager and locality=east and who are in organization sales or organization marketing	where <user-filter> and who are in <org-rule>
The attribute on a user’s profile must match an attribute on the administrator’s profile.	Users where manager = admin’s UserID	where <user-attribute> <comparator> admin’s <user-attribute> Note: Do use the Not Equal To comparator with a multi-valued attribute.
The user is in the same organization as the administrator.	Users in the organization where Jeff (the administrator) is a member	admin’s organization
The user is in an organization which is listed on the administrator’s attribute.	Users in sales or marketing	organization that is a value in admin’s <admin-attr>

Note: The following group scope rules are only examples. You can create other rules to handle different relationships between the administrator and the groups that the administrator can manage.

Rule Condition	Example	Rule Syntax
The group must match one attribute value.	Group name where Group name = 401K	where <group-filter>
The groups must belong to named organizations.	Groups in organization accounting and lower	in <org-rule>
The group must match one attribute value and belong to named organizations.	Groups where BusinessType = finance and who are in organization sales and lower	where <group-filter> and who are in <org-rule>
The group must be listed in an attribute of the administrator.	Groups where Description = Engineering	where <group-attribute> <comparator> admin’s <user-attribute> Note: Do use the Not Equal To comparator with a multi-valued attribute.

Note: The following organization scope rules are only examples. You can create other rules to handle different relationships between the administrator and the organizations that the administrator can manage.

Rule Condition	Example	Rule Syntax
The organization must match one attribute value.	organizations where org Name=finance	where <org-filter>
The organization must belong to named organization.	organizations in finance and lower	in <org-rule>
The organization must match one attribute value and must belong to named organization.	organizations where org Name=finance and are in finance and lower	where <org-filter> and are in <org-filter>