How to code a CEVM Policy Statement using 'Not Equal' operator to rule out specific values

Document ID : KB000117897
Last Modified Date : 19/10/2018
Question:
How do you code a CEVM Policy Statement using 'Not Equal' operator to rule out specific values with 'AND' or 'OR' Boolean operators?
Answer:
With a Policy statement that uses 'Not Equal' with multiple values, care should
be taken to select the appropriate Boolean Operators 'AND' and 'OR'. 

For example:

Note: '!=' is Not Equal

The goal is to create a Policy Statement to capture update access for all users
except USER01, USER02 and USER03.

Consider the following two test conditions:

Test condition 1:
ACCESS=UPDATE AND ( USERID!="USER01" OR USERID!="USER02" OR USERID!="USER03" )

Test condition 2:
ACCESS=UPDATE AND ( USERID!="USER01" AND USERID!="USER02" AND USERID!="USER03" )

With Test condition 1, when the user is "USER02", the first test USERID!="USER01" is TRUE, the second test is FALSE, and the third test is TRUE. With 'OR' conditions, a single TRUE result makes the entire expression evaluate to TRUE, which is not what is desired.

With Test condition 2, which uses 'AND's rather than 'OR's, the first test is TRUE, the second test is FALSE, and the third test is TRUE. When you 'AND' these together, the answer is FALSE, which is what's needed.
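
The two test conditions evaluated over constructed events, as an added example that is not part of the original article and not CA's own evaluator: a small Python parser for the statement syntax shown above. The function names, the sample events, and the rule that AND binds tighter than OR are assumptions.

```python
import re

# Syntax as shown on this page: FIELD=VALUE, FIELD!="VALUE", AND, OR, parentheses.
TOKEN = re.compile(r'\s*(?:(\(|\)|AND\b|OR\b)|(\w+)\s*(!=|=)\s*"?(\w+)"?)')

def tokenize(text):
    text, pos, out = text.rstrip(), 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}")
        out.append(m.group(1) or m.group(2, 3, 4))
        pos = m.end()
    return out

def evaluate(tokens, record):
    """Assumption: AND binds tighter than OR (the page parenthesizes explicitly)."""
    pos = 0
    def factor():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            val = expr()
            pos += 1  # step over the closing ")"
            return val
        if not isinstance(tok, tuple):
            raise ValueError(f"comparison expected, got {tok!r}")
        field, op, value = tok
        return (record.get(field) == value) == (op == "=")
    def chain(operand, keyword, combine):
        nonlocal pos
        val = operand()
        while pos < len(tokens) and tokens[pos] == keyword:
            pos += 1
            rhs = operand()  # always parse the operand, then combine
            val = combine(val, rhs)
        return val
    def term():
        return chain(factor, "AND", lambda a, b: a and b)
    def expr():
        return chain(term, "OR", lambda a, b: a or b)
    return expr()

def captured(condition, events):
    """USERIDs of the events that the policy condition matches."""
    tokens = tokenize(condition)
    return [e["USERID"] for e in events if evaluate(tokens, e)]

COND1 = 'ACCESS=UPDATE AND ( USERID!="USER01" OR USERID!="USER02" OR USERID!="USER03" )'
COND2 = 'ACCESS=UPDATE AND ( USERID!="USER01" AND USERID!="USER02" AND USERID!="USER03" )'
# Constructed sample events, not real CEVM records.
EVENTS = [{"ACCESS": "UPDATE", "USERID": u} for u in ("USER01", "USER02", "USER03", "USER04")]
EVENTS.append({"ACCESS": "READ", "USERID": "USER05"})
```

`captured(COND1, EVENTS)` returns all four UPDATE users, including the three that were meant to be excluded, while `captured(COND2, EVENTS)` returns only USER04.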