Account validation

Account validation logic is the collection of validation rules that apply to a joined set of parameter values after the policy join rules have been applied. The rules below describe how parameter values with different enforcement types combine into allowing and denying sets, and what effect adding, changing or removing a governing parameter value has on the attributes of new and existing accounts.
- Allow and deny parameter unions
  - The allowing set of parameter values for an attribute is the union of the following elements:
    - Mandatory constant parameter values (except null)
    - Default constant parameter values (except null)
    - Optional constant parameter values (except null)
    - Non-negated regular expressions with optional enforcement
    - The null value with excluded enforcement
  - The denying set of parameter values is the union of the following elements:
    - Non-negated regular expressions with excluded enforcement
    - Excluded constant values (except null)
    - The null value with optional, mandatory, or default enforcement
  - Note: Negated regular expressions (for example, "match everything except a given word") are difficult to write correctly by hand. Optional and excluded parameters complement each other; use those enforcement types instead wherever possible.
- Null parameter values
  - A null mandatory parameter value disallows all values on the corresponding attribute of a new or existing account, except values that another allowing parameter value permits. Values on an existing account that a null mandatory parameter denies are removed automatically.
  - A null default or optional parameter value likewise disallows all values on the corresponding attribute of a new or existing account, except values that another allowing parameter value permits. Values that are already set on an existing account are not removed.
  - A null excluded parameter value allows all values on the corresponding attribute of a new or existing account, except values that another denying parameter value denies.
- Effects of governing parameter values on a single-valued attribute
  - Parameter values for a single-valued attribute can be qualified with mandatory or default enforcement only.
  - A mandatory parameter value means that the attribute must always hold exactly the indicated value. Any change to the governing mandatory parameter value is applied automatically to the attribute of every affected account. Removing a mandatory parameter value from a governing entitlement can cause the value on the corresponding attribute to change automatically if no other mandatory parameter governs the same attribute.
  - A default parameter value is used when new accounts are provisioned. An attribute value governed by a default parameter can be changed at any time to any other value in the allowing parameter set. Removing a default parameter value from a governing parameter does not cause the value to be removed from the corresponding attribute unless, through a parameter join rule, another mandatory parameter now governs the same attribute.
- Effects of governing parameter values on a multivalued attribute
  - Parameter values for a multivalued attribute can be qualified with mandatory, default, optional, or excluded enforcement.
  - A mandatory parameter value means that the corresponding attribute must always contain that value. Adding a new mandatory value (except null) adds that value automatically to all existing accounts. Removing an existing mandatory parameter value (except null) automatically removes that value from the attribute unless another allowing parameter exists for the same value. Any change to a mandatory parameter value is equivalent to one remove operation followed by one add operation.
  - A non-null default parameter value takes effect only when new accounts are provisioned. The corresponding attribute values can later be changed to any other value in the allowing set. Adding a new default parameter value (except null) has no effect on an otherwise compliant attribute. Removing a default parameter value (except null) does not cause the value to be removed from the corresponding attribute unless another allowing (non-default) parameter for the same value exists.
- Optional parameter values
  - Optional parameter values can be defined as a constant or as a regular expression.
  - Adding a new optional constant parameter value (except null) does not affect an otherwise compliant attribute. Removing an optional constant parameter value (except null) can cause the value to be removed from the corresponding attribute unless another allowing parameter permits the same value. Any change to an optional constant parameter value is equivalent to one remove operation followed by one add operation.
  - Adding a new optional regular expression has no effect on an otherwise compliant attribute. Removing or changing an optional regular expression can cause values to be removed from an otherwise compliant attribute unless another allowing parameter permits the same value.
- Excluded parameter values
  - Excluded parameter values can be defined as a constant or as a regular expression. Parameter values with excluded enforcement take effect only in the context of an implicit wildcard entitlement: where an allowing parameter value also covers a value, the allowed-over-denied precedence rule makes the exclusion ineffective, so an excluded value is not a reliable way to block a value that an optional constant or regular expression already permits.
  - Adding a new excluded constant parameter value can cause the value to be removed from the corresponding attribute unless another allowing parameter exists for the same value. Removing an excluded constant parameter value (except null) has no effect on an otherwise compliant attribute. Any change to an excluded constant parameter value is equivalent to one remove operation followed by one add operation.
  - Adding a new excluded regular expression can cause values to be removed from an otherwise compliant attribute unless another allowing parameter exists for the same value. Removing or changing an excluded regular expression has no effect on an otherwise compliant attribute.
- Allowed over denied precedence rule
  - If conflicting parameter values allow and deny the same attribute value at the same time, the allowing parameter value takes precedence over the denying parameter value.
- Implicit wildcard attribute entitlement
  - To make default grant-all policies easy to create, an implicit wildcard attribute entitlement is used. An implicit wildcard exists for an attribute when no allowing parameter value is defined on that attribute; all values are then allowed, minus any values that excluded (denying) parameter values deny. Removing the last parameter for a given attribute reinstates the implicit wildcard.
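The rules above, as an added example that is not part of this page or of the product it documents: a small Python model of the allowing and denying sets, the allowed-over-denied precedence rule, the implicit and null-excluded wildcards, the null-value semantics for mandatory versus default/optional enforcement, and the automatic add/remove effects on a multivalued attribute. The `Param` class, the function names (`is_allowed`, `provision`, `correct`, and so on) and the group names used as sample input are all assumptions made here for illustration; negated regular expressions are not modelled.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Enforcement types named on the page. The constant names, the Param class and
# every function below are assumptions of this example, not product APIs.
MANDATORY, DEFAULT, OPTIONAL, EXCLUDED = "mandatory", "default", "optional", "excluded"
ALLOWING_TYPES = (MANDATORY, DEFAULT, OPTIONAL)


@dataclass(frozen=True)
class Param:
    """One parameter value of the joined set: a constant, a regular expression
    (is_regex=True) or the null value (value=None), with its enforcement type."""
    enforcement: str
    value: Optional[str] = None
    is_regex: bool = False


def check_params(params: Iterable[Param], multivalued: bool) -> None:
    """Reject combinations the rules on this page do not define."""
    for p in params:
        if p.enforcement not in (MANDATORY, DEFAULT, OPTIONAL, EXCLUDED):
            raise ValueError(f"unknown enforcement type {p.enforcement!r}")
        if not multivalued and p.enforcement not in (MANDATORY, DEFAULT):
            raise ValueError("single-valued attributes take mandatory or default enforcement only")
        if p.is_regex and (p.value is None or p.enforcement not in (OPTIONAL, EXCLUDED)):
            raise ValueError("regular expressions take optional or excluded enforcement and need a pattern")


def _matches(p: Param, v: str) -> bool:
    return re.fullmatch(p.value, v) is not None if p.is_regex else p.value == v


def allows(p: Param, v: str) -> bool:
    """v is in the allowing set contributed by p: a non-null mandatory, default or
    optional constant, or an optional regular expression. Null never allows."""
    return p.value is not None and p.enforcement in ALLOWING_TYPES and _matches(p, v)


def denies(p: Param, v: str) -> bool:
    """v is in the denying set contributed by p: an excluded constant or regular
    expression, or a null value with mandatory, default or optional enforcement."""
    if p.value is None:
        return p.enforcement in ALLOWING_TYPES
    return p.enforcement == EXCLUDED and _matches(p, v)


def has_wildcard(params: Iterable[Param]) -> bool:
    """Every value is allowed unless denied: implicitly when no allowing parameter
    value exists on the attribute, explicitly when a null excluded parameter exists."""
    params = list(params)
    explicit = any(p.value is None and p.enforcement == EXCLUDED for p in params)
    implicit = not any(p.value is not None and p.enforcement in ALLOWING_TYPES for p in params)
    return explicit or implicit


def is_allowed(params: Iterable[Param], v: str) -> bool:
    """Validate one attribute value against the joined parameter set."""
    params = list(params)
    if any(allows(p, v) for p in params):
        return True                      # allowed-over-denied precedence rule
    if any(denies(p, v) for p in params):
        return False
    return has_wildcard(params)          # nothing names v: the wildcard decides


def provision(params: Iterable[Param]) -> set:
    """Values a newly provisioned account receives: non-null mandatory and default constants."""
    return {p.value for p in params
            if p.value is not None and not p.is_regex and p.enforcement in (MANDATORY, DEFAULT)}


def correct(params: Iterable[Param], current: Iterable[str]):
    """Automatic effects on the multivalued attribute of an existing account.

    Returns (to_add, to_remove, retained): mandatory constants the account lacks,
    current values that are disallowed and therefore removed, and current values
    that are disallowed only by a null default/optional parameter, which the rules
    leave in place. A changed parameter shows up as one remove plus one add."""
    params, current = list(params), set(current)
    soft_null = [p for p in params if p.value is None and p.enforcement in (DEFAULT, OPTIONAL)]
    without_soft = [p for p in params if p not in soft_null]
    to_add = {p.value for p in params
              if p.enforcement == MANDATORY and p.value is not None and not p.is_regex} - current
    to_remove, retained = set(), set()
    for v in current:
        if is_allowed(params, v):
            continue
        if soft_null and is_allowed(without_soft, v):
            retained.add(v)              # only the null default/optional value rules it out
        else:
            to_remove.add(v)
    return to_add, to_remove, retained


if __name__ == "__main__":
    # Constructed sample policy for a multivalued group-membership attribute.
    policy = [Param(MANDATORY, "all-staff"), Param(DEFAULT, "vpn-users"),
              Param(OPTIONAL, r"proj-[a-z]+", is_regex=True), Param(EXCLUDED, "proj-secret")]
    check_params(policy, multivalued=True)
    print("new account gets", sorted(provision(policy)))
    for group in ("proj-alpha", "proj-secret", "domain-admins"):
        print(group, "allowed" if is_allowed(policy, group) else "denied")
    print("correction:", correct(policy, ["vpn-users", "domain-admins", "proj-alpha"]))
```

Running the sample policy shows the caveat from the excluded-parameter rules directly: `proj-secret` is excluded, but because the optional regular expression `proj-[a-z]+` also matches it, the allowed-over-denied rule leaves it allowed. Blocking it requires narrowing the allowing expression, not adding an exclusion. The `correct` function also reproduces the null-value distinction: a null default or optional parameter leaves a value such as `legacy-group` in place (reported as retained), whereas a null mandatory parameter removes it.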