Create an Access Condition Filter

Condition filters select from records of role assignments returned by access-point and entitlement filters. They therefore exclude the records they don't select. There are two types:

  • A basic condition filter specifies a value of an attribute, and so selects records involving that value while excluding records involving other values. For example, Business Unit Equals Consumer Electronics selects records involving a business unit named Consumer Electronics, and so excludes records involving other business units.

    Conversely, the filter might state, Business Unit Does not equal Consumer Electronics. It selects records involving other business units, and so excludes the Consumer Electronics unit from analysis.

  • A "within same" attribute selects records only within or only across entities such as business units. For example, Within Same Business Unit Equals Yes would select records of assignments solely within individual business units. It would exclude records of access granted across units, for example one conflicting access point granted in a business unit named Database Servers and a second granted in the Consumer Electronics unit.

    Conversely, the filter may state Within Same Business Unit Equals No. It would select records of access granted across business units, but not access granted solely within individual units.

Note: "Within same" conditions are for use in models that evaluate access risk in applications other than Human Capital Management. Don't use "within same" conditions in filters for Human Capital Management access models.

Although every access model must include at least one access-point or entitlement filter, condition filters are optional.

To create a filter that defines an access condition:

  1. In the Model Logic panel, click Add Filter. A dialog box appears. Enter a name for the filter in its Name field.

  2. In an Object field, select the condition object for a data source for which you've created one or more access-point or entitlement filters.

  3. In the Attribute field, select the attribute you want to base the condition on. To create a filter that selects records and implicitly excludes others, select an attribute that names the type of entity to be included or excluded. To create a filter that directs a model to look within or across entities, select a "within same" attribute.

  4. In the Condition field, select one of a set of predefined conditions. These are described below.

  5. In the Type field, accept the default selection, Value. In a Value field, select or enter values that complete the condition you selected.

The only condition available to a "within same" attribute is Equals, and the only values you can select for it are Yes and No. For other attributes, you can select these conditions:

  • Equals or Does not equal: Consider only records in which the attribute value does, or doesn't, match a value you select in the Value field.

    If a filter uses the Access Point attribute with either the Equals or Does not equal condition, it returns or excludes records in which a specified access point exists anywhere in a path. For example, suppose the Calculate Gross Earnings privilege exists in two role hierarchies, "Payroll Manager > Calculate Gross Earnings" and "Payroll Interface Coordinator > Calculate Gross Earnings." The filter Access Point Does not equal Calculate Gross Earnings would exclude both these role hierarchies from model analysis. (You can use path conditions to create more granular exclusions.)

  • Contains or Does not contain: Consider only records in which the attribute value includes, or doesn't include, a text string you enter in the Value field. For example, User Name Contains Super selects a generic user called Payables Super User; an individual who uses her name, Juanita_Supera, as her user name; as well as other users whose names contain the string "Super." In this example, the condition excludes users whose names don't include "Super."

    A model that uses either of these two conditions excludes all records that don't have an attribute value for the condition to evaluate. The Does not contain condition therefore excludes records you may not expect it to. For example, suppose you create the condition, Asset Book Does not contain ABC. If a record has no value for the Asset Book attribute, it doesn't have an Asset Book value containing the string "ABC," so you might expect the condition to select that record. However, it would exclude that record (and all others with no Asset Book value).

    For the Contains condition, the same rule applies, but doesn't have the same effect. For example, the condition Asset Book Contains XYZ would select records with Asset Book names containing "XYZ," and so would exclude all others, among them records with no Asset Book values.

  • Matches any of or Matches none of: Consider only records in which the attribute value exactly matches one of any number of values you select in the Value field, or matches none of them. For example, User Name Matches none of BSMITH or TJONES excludes those users from analysis by selecting all others.
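
The following sketch is an added example, not code from the product. It models the Contains / Does not contain rule for records with no attribute value and the "anywhere in a path" rule for the Access Point attribute. The record layout, function names and sample data are hypothetical and constructed for illustration.

```python
# Constructed sample records; attribute names are hypothetical.
RECORDS = [
    {"user": "Payables Super User", "asset_book": "ABC Corp",
     "path": ["Payroll Manager", "Calculate Gross Earnings"]},
    {"user": "Juanita_Supera", "asset_book": "XYZ East",
     "path": ["Payroll Interface Coordinator", "Calculate Gross Earnings"]},
    {"user": "BSMITH", "asset_book": None,  # no Asset Book value
     "path": ["Payables Manager", "Create Payments"]},
    {"user": "TJONES", "asset_book": "OPS West",
     "path": ["Payables Manager", "Create Payments"]},
]


def contains(records, attr, text, negate=False):
    """Contains (negate=False) or Does not contain (negate=True)."""
    selected = []
    for rec in records:
        value = rec.get(attr)
        if value is None:
            # No value to evaluate: excluded under BOTH conditions.
            continue
        # Case-sensitive substring match is an assumption of this sketch.
        if (text in value) != negate:
            selected.append(rec)
    return selected


def access_point(records, name, negate=False):
    """Access Point Equals / Does not equal: match anywhere in the path."""
    return [rec for rec in records if (name in rec["path"]) != negate]


def missing_value(records, attr):
    """Records that no Contains / Does not contain filter on attr can select."""
    return [rec for rec in records if rec.get(attr) is None]


def users(records):
    return [rec["user"] for rec in records]


if __name__ == "__main__":
    print(users(contains(RECORDS, "user", "Super")))
    print(users(contains(RECORDS, "asset_book", "ABC", negate=True)))
    print(users(access_point(RECORDS, "Calculate Gross Earnings", negate=True)))
    print(users(missing_value(RECORDS, "asset_book")))
```

Listing the records with no value for an attribute, as `missing_value` does here, shows which assignments a Does not contain filter on that attribute would leave out of analysis whatever string is entered.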