Bracketed Boolean Logic In Roles

Document ID : KB000093047
Last Modified Date : 26/04/2018
Question:
Under "Users and groups" -> roles -> privileged access roles -> modify roles. Then I click the members tab and create a member policy. Example below:

member rule: 
where (logon name = "userA") 

scope rule: 
privileged Account where (account name = "accA" or account name = "accB" and endpoint type <> disconnected) 

My question: With this setting, it seems that userA can access (accA or accB) and endpoint type <> disconnected. As I cannot add brackets to the policy, what is the behaviour of using "and" in a member rule?
Answer:
The scoping in the example would allow access to the accounts "accA" and "accB" only if they were not disconnected accounts; the rule is evaluated without any grouping, so the "and endpoint type <> disconnected" condition applies to both account names.

So if accA were disconnected but accB were not, the role would only give access to accB.

You are correct that there is no bracketed boolean logic. If you need it, use multiple roles, since a user who holds several roles is granted whatever any one of their scopes allows.

For instance, if you wanted unconditional access to accA and access to accB only if it is not disconnected, i.e.

Account Name = accA or (Account Name = accB and endpoint type <> disconnected)

you would need two roles, one with:

Account Name = accA 

The other with: 

Account Name = accB and endpoint type <> disconnected
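As an added example (not from the KB article or the product), a small Python model of the scope-rule evaluation the answer describes: clauses are combined strictly left to right with no operator precedence, and a user holding several roles gets the union of their scopes. The clause representation and the evaluation order are assumptions based on the answer, and the accounts are constructed sample data; the model shows that the single rule from the question yields only accB, while the two recommended roles yield both accA and accB.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    endpoint_disconnected: bool


# Constructed sample accounts: accA sits on a disconnected endpoint, accB does not.
ACCOUNTS = [Account("accA", True), Account("accB", False), Account("accC", False)]

# A scope rule as a flat list of (field, operator, value) clauses joined by "and"/"or",
# mirroring: account name = "accA" or account name = "accB" and endpoint type <> disconnected
SCOPE_RULE = [("name", "=", "accA"), "or", ("name", "=", "accB"),
              "and", ("endpoint", "<>", "disconnected")]

# The two roles the answer recommends instead of the single unbracketed rule.
ROLE_A = [("name", "=", "accA")]
ROLE_B = [("name", "=", "accB"), "and", ("endpoint", "<>", "disconnected")]


def clause_matches(clause, acct):
    field, op, value = clause
    if field == "name":
        actual = acct.name
    else:
        actual = "disconnected" if acct.endpoint_disconnected else "connected"
    return actual == value if op == "=" else actual != value


def evaluate_unbracketed(rule, acct):
    """Left-to-right evaluation with no precedence (assumed, per the KB answer):
    a or b and c is read as (a or b) and c, not a or (b and c)."""
    result = clause_matches(rule[0], acct)
    for i in range(1, len(rule), 2):
        rhs = clause_matches(rule[i + 1], acct)
        result = (result and rhs) if rule[i] == "and" else (result or rhs)
    return result


def in_scope(roles, acct):
    """A user holding several roles has access if any one role's scope matches."""
    return any(evaluate_unbracketed(rule, acct) for rule in roles)


def accessible_names(roles):
    return sorted(a.name for a in ACCOUNTS if in_scope(roles, a))


if __name__ == "__main__":
    print(accessible_names([SCOPE_RULE]))      # ['accB']
    print(accessible_names([ROLE_A, ROLE_B]))  # ['accA', 'accB']
```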