How to deny user access using application roles

Document ID : KB000125656
Last Modified Date : 01/02/2019
Introduction:
We want to deny access if the user's attribute value includes neither RoleXXX nor RoleYYY.
Is it possible to achieve this with role settings?
Environment:
Single Sign On r12.8 (SSO)
Instructions:
Method:
1. Create [Applications]

2. Create the [Resource] to which you want to deny access by setting roles
3. Create a role defined as NOT ((comment CONTAINS "RoleXXX") OR (comment CONTAINS "RoleYYY"))
 3-1. Create a role with ((comment CONTAINS "RoleXXX") OR (comment CONTAINS "RoleYYY"))

 3-2. Add "NOT" before ((comment CONTAINS "RoleXXX") OR (comment CONTAINS "RoleYYY")) in [User Expression]

4. Set the role on the resource in the Policies tab
※ Access Resource [Allow Access]: /app/* [Access Role: All Users]
   Deny Resource [Deny Access]: /app/appsub/* [Deny Role: NOT ((comment CONTAINS "RoleXXX") OR (comment CONTAINS "RoleYYY"))]


Result:
If the user's comment includes RoleXXX or RoleYYY (or both), access is allowed; all other users (those with neither RoleXXX nor RoleYYY) are rejected.
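
The decision logic of steps 3 and 4, modelled in Python as an added example (not CA SSO code and not part of the original article). It assumes CONTAINS is a case-sensitive substring match and that a matching deny policy overrides an allow; the user names and comment values are constructed.

```python
# Simplified model of the policy in this article; an illustration only.
from fnmatch import fnmatchcase


def has_role(comment: str) -> bool:
    # Role from step 3-1. Assumption: CONTAINS is a case-sensitive substring test.
    return "RoleXXX" in comment or "RoleYYY" in comment


def deny_role(comment: str) -> bool:
    # Role from step 3-2: NOT (...), true only when neither role string is present.
    return not has_role(comment)


# (resource pattern, effect, role predicate), taken from the note in step 4.
POLICIES = [
    ("/app/*", "allow", lambda comment: True),  # Access Role: All Users
    ("/app/appsub/*", "deny", deny_role),        # Deny Role: NOT (...)
]


def is_allowed(path: str, comment: str) -> bool:
    effects = [effect for pattern, effect, role in POLICIES
               if fnmatchcase(path, pattern) and role(comment)]
    # Assumption: a matching deny wins over an allow; no matching policy means no access.
    return "deny" not in effects and "allow" in effects


# Constructed sample users: name -> value of the "comment" attribute.
SAMPLE_COMMENTS = {
    "alice": "RoleXXX",
    "bob": "RoleYYY;Sales",
    "carol": "RoleXXX,RoleYYY",
    "dave": "RoleZZZ",
    "erin": "",
    # Substring matching also accepts values that only embed a role name.
    "frank": "ex-RoleXXX (revoked)",
}


def decision_table(path: str = "/app/appsub/report") -> dict:
    return {name: is_allowed(path, c) for name, c in SAMPLE_COMMENTS.items()}


if __name__ == "__main__":
    for name, allowed in decision_table().items():
        print(f"{name:6} {'allow' if allowed else 'deny'}")
```

The last sample user is allowed because a substring test matches any comment that embeds a role name, so under that assumption the comment attribute should hold only controlled values.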
 
Additional Information:
[Application] create method:
https://docops.ca.com/ca-single-sign-on/12-8/en/using/administrative-ui/applications-dialog-reference