Identity rules for managed users

Identity Rules are applied to an email address to determine if the email address should be accepted in a particular Managed User Realm. Each identity rule defines a suffix that is matched against a candidate email address to determine if that rule applies.
There are three types of identity rules:
Allow
Specifies which email addresses are allowed to be registered as a provisional user. Provisional users can be added in the Administration Console for Content Platform Engine. The External Share feature creates provisional users for a share recipient on behalf of the internal user that is sharing an object.
Allow Self Register
Specifies which email addresses are allowed to self-register. If Allow Self Register is specified for the realm, the privileges of Allow are included so provisional users can be pre-populated by an existing user. This identity rule is required if you want to take advantage of Automatic user registration.
Block
Specifies which email addresses are not allowed in the managed realm. The Block rule only applies to the realm where it is specified. You can specify a group of users with a specific suffix like uk.companyA.com or a single user like jon@uk.companya.com as the suffix for the blocking rule.
Note the following considerations for this function:
  • If you want to completely block a set of email addresses so that they cannot be registered as managed users in any realm, the block rule must be added to each realm.
  • Adding a block rule does not remove any users that already existed in the managed realm before the rule was created. Likewise, adding or removing Allow or Allow Self Register rules does not remove any existing users.
The Allow and Allow Self Register identity rules form an allowlist. If there are multiple managed realms, no more than one of the realms can be without an allowlist. For more information, see Catchall realm. The allowlist rules cannot overlap with any other realm; an email address cannot be valid for more than one realm.
Note: Rules within a realm are not checked for overlap.
Note: Suffixes are not case sensitive.

Catchall realm

You have the option to create only one managed realm that does not specify Allow or Allow Self Register identity rules. This realm is referred to as the catchall realm; it accepts users that are not accepted by any other realm. Because self-registration requires an Allow Self Register rule, by definition the catchall realm only allows provisional users that are created by an existing user.

A catchall realm is not required, and is typically reserved for use with external share users. If a catchall realm exists and a block rule is added to another managed realm, the blocked email addresses are still accepted by the catchall realm unless the same block rule is also added to the catchall realm.
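The following is an added example, not IBM's code, that models in Python the rule evaluation described above for the three rule types and for the catchall realm. It assumes plain, case-insensitive string suffix matching, that a Block rule takes precedence over Allow rules within the same realm, and a constructed set of realms; the overlap check and the one-catchall limit implement the page's stated constraints and are not product API calls.

```python
from dataclasses import dataclass, field


@dataclass
class Realm:
    name: str
    allow: list = field(default_factory=list)                # Allow suffixes
    allow_self_register: list = field(default_factory=list)  # Allow Self Register suffixes
    block: list = field(default_factory=list)                # Block suffixes (this realm only)

    def allowlist(self):
        return self.allow + self.allow_self_register


def matches(email, suffixes):
    # Suffixes are not case sensitive; assumed: plain string suffix match.
    e = email.lower()
    return any(e.endswith(s.lower()) for s in suffixes)


def overlapping_allowlists(realms):
    """Realm pairs whose allowlist suffixes overlap (one is a suffix of the
    other). The page forbids such overlap between realms; within a realm it
    is not checked, so pairs within one realm are not reported."""
    pairs = set()
    for i, a in enumerate(realms):
        for b in realms[i + 1:]:
            for x in a.allowlist():
                for y in b.allowlist():
                    xl, yl = x.lower(), y.lower()
                    if xl.endswith(yl) or yl.endswith(xl):
                        pairs.add((a.name, b.name))
    return sorted(pairs)


def evaluate(email, realms):
    """Return (realm name, 'self_register' | 'provisional') or (None, 'rejected')."""
    catchalls = [r for r in realms if not r.allowlist()]
    if len(catchalls) > 1:
        raise ValueError("at most one managed realm may lack an allowlist")
    for r in realms:
        if not r.allowlist() or matches(email, r.block):
            continue  # assumed: Block wins, but only excludes the address from this realm
        if matches(email, r.allow_self_register):
            return r.name, "self_register"
        if matches(email, r.allow):
            return r.name, "provisional"
    if catchalls and not matches(email, catchalls[0].block):
        return catchalls[0].name, "provisional"  # catchall: provisional users only
    return None, "rejected"


# Constructed sample configuration (not from the page).
REALMS = [
    Realm("CompanyA", allow_self_register=["companya.com"], block=["jon@uk.companya.com"]),
    Realm("Partners", allow=["@partner.example"]),
    Realm("ExternalShare", block=["@blocked.example"]),  # catchall realm
]
```

Note that jon@uk.companya.com, blocked only in CompanyA, still lands in the ExternalShare catchall realm, which is the behaviour the last paragraph warns about.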