How to deny user access using application roles

Document ID : KB000125656
Last Modified Date : 20/03/2019
We want to deny access if the user's attribute value includes neither RoleXXX nor RoleYYY.
Is it possible to achieve this with a role setting?
Single Sign On r12.8 (CA SSO)
1. Create [Applications]

2. Create the [Resource] to which you want to deny access by setting roles
3. Create a role defined by the expression NOT ((comment CONTAINS "Role XXX") OR (comment CONTAINS "RoleYYY"))
 3-1. Create a role with ((comment CONTAINS "Role XXX") OR (comment CONTAINS "RoleYYY"))

 3-2. Add "NOT" before ((comment CONTAINS "Role XXX") OR (comment CONTAINS "RoleYYY")) in the [User Expression] field

4. Assign the role to the resource on the Policies tab
※ Access Resource [Allow Access]: /app/* [Access Role: All Users]
   Deny Resource [Deny Access]: /app/appsub/* [Deny Role: NOT ((comment CONTAINS "Role XXX") OR (comment CONTAINS "RoleYYY"))]

If the user's comment contains RoleXXX or RoleYYY (or both), access is allowed; all other users (those with neither RoleXXX nor RoleYYY) are rejected.
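The expected outcome of the two policies above can be checked offline with a small model. This is an added example, not CA SSO code: it assumes CONTAINS behaves as a plain substring test, that "*" matches any path suffix, and that a matching deny policy overrides an allow policy; the role strings use the spelling from the summary sentence, and the sample comments and paths are constructed.

```python
from fnmatch import fnmatchcase

# Constructed model of the allow/deny pair from the note in step 4.
# Assumptions (not taken from product code): CONTAINS is a substring test,
# "*" matches any path suffix, and deny overrides allow.
ROLE_STRINGS = ("RoleXXX", "RoleYYY")


def all_users(comment):
    """Access role 'All Users': every authenticated user is a member."""
    return True


def lacks_both_roles(comment):
    """NOT ((comment CONTAINS RoleXXX) OR (comment CONTAINS RoleYYY))"""
    return not any(role in comment for role in ROLE_STRINGS)


POLICIES = [
    ("allow", "/app/*", all_users),
    ("deny", "/app/appsub/*", lacks_both_roles),
]


def decide(path, comment):
    """Return 'allow', 'deny', or None when no policy covers the path."""
    matched = {effect for effect, pattern, role in POLICIES
               if fnmatchcase(path, pattern) and role(comment)}
    if "deny" in matched:
        return "deny"
    return "allow" if "allow" in matched else None


# Constructed comment attribute values. The last one shows that a substring
# test also accepts values that merely embed a role name.
SAMPLE_COMMENTS = ["RoleXXX", "RoleYYY", "RoleXXX,RoleYYY",
                   "RoleZZZ", "", "NotRoleXXX"]
SAMPLE_PATHS = ["/app/index.html", "/app/appsub/report.html"]


def decision_table():
    """Decision for every sample comment/path pair."""
    return {(c, p): decide(p, c) for c in SAMPLE_COMMENTS for p in SAMPLE_PATHS}


if __name__ == "__main__":
    for (comment, path), result in decision_table().items():
        print(f"{comment!r:20} {path:26} -> {result}")
```

Under the substring assumption, a comment such as "NotRoleXXX" is treated as holding the role, so comment values should be controlled accordingly.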
Additional Information:
[Application] create method: