How do you code a CEVM Policy Statement using 'Not Equal' operator to rule out specific values with 'AND' or 'OR' Boolean operators?
With a Policy statement that uses 'Not Equal' with multiple values, care should
be taken to select the appropriate Boolean Operators 'AND' and 'OR'.
Note: '!=' is Not Equal
The goal is to create a Policy Statement to capture update access for all users
except USER01, USER02 and USER03.
Consider the following two test conditions:
Test condition 1:
ACCESS=UPDATE AND ( USERID!="USER01" OR USERID!="USER02" OR USERID!="USER03" )
Test condition 2:
ACCESS=UPDATE AND ( USERID!="USER01" AND USERID!="USER02" AND USERID!="USER03" )
With Test condition 1, when the user is "USER02", the first test USERID!=USER01 will be TRUE, the second test will be FALSE and the third test will be TRUE, so with 'OR' conditions when just one result is TRUE the entire expression will evaluate to TRUE which is not what is desired.
With Test condition 2, using 'AND's rather than the 'OR's, then the first test will be TRUE, the second test will be FALSE and the third test will be TRUE, when you 'AND' these together, the answer will be FALSE which is what's needed.