Account validation logic

Account validation logic provides information about a collection of validation rules that affect a joined set of parameter values after the policy join rules are applied.

Allow and deny parameter unions
An allowing set of parameter values is a union of the following elements:
  • Mandatory constant parameter values (except null)
  • Optional constant parameter values (except null)
  • Non-negated regular expressions with optional enforcement
  • Excluded null value
A denying set of parameter values is a union of the following elements:
  • Non-negated regular expressions with excluded enforcement
  • Excluded constant values (except null)
  • Null value with optional, mandatory, or default enforcement
Negated regular expressions (for example, a pattern that matches everything except a given word) can be difficult to create manually. Optional and excluded parameters complement each other; use these types of parameters whenever possible.

Null parameter values
A null mandatory parameter value means that all values on the corresponding attribute of a new or existing account are disallowed, except those values that any other allowing values permit. When any attribute values on an existing account are denied by a null mandatory parameter, such values are automatically removed.
A null default or optional parameter value means that all values on the corresponding attribute of a new or existing account are disallowed, except those values that any other allowing values permit. Currently set values are not removed.
A null excluded parameter means that all attribute values are allowed on the corresponding attribute of a new or existing account except those values denied by any other denying parameter value.

Effects of governing parameter values on a single-valued attribute
Parameter values for a single-valued attribute can be qualified with mandatory or default enforcement only.
A mandatory parameter value means that the attribute must always have only the indicated value. Any change to the governing mandatory parameter value is automatically reflected on the attribute of the affected account. Removal of a mandatory parameter value from a governing entitlement can cause a value to be automatically changed on a corresponding attribute if no other mandatory parameter governs the same attribute.
A default parameter value is used in provisioning of new accounts. Attribute values governed by a default parameter can be changed at any time to any other value from the allowing parameter set. Removal of a default parameter value from a governing parameter does not cause a value to be removed from a corresponding attribute unless, through a parameter join rule, another mandatory parameter now governs the same attribute.

Effects of governing parameter values on a multivalued attribute
Parameter values for a multivalued attribute can be qualified with mandatory, default, optional, and excluded enforcement types.
A mandatory parameter value means that the corresponding attribute must always have this value. The addition of any new mandatory value (except null) causes this value to be added automatically to all existing accounts. The removal of an existing mandatory parameter value (except null) automatically causes removal of this value from the attribute unless another allowing parameter exists for the same value. Any change to a mandatory parameter value is equivalent to one remove and one add operation.
A non-null default parameter value is effective only in provisioning of new accounts. Corresponding attribute values can be changed later to any other value from the allowing set. The addition of any new default parameter value (except null) has no effect on an otherwise compliant attribute. The removal of a default parameter value (except null) does not cause removal of the value from the corresponding attribute unless another allowing (non-default) parameter for the same value exists.

Optional parameter values
Optional parameter values can be defined as a constant or a regular expression.
The addition of any new optional constant parameter value (except null) does not affect an otherwise compliant attribute. The removal of an optional constant parameter value (except null) can cause removal of the value from the corresponding attribute unless another allowing parameter permits the same value. Any change to an optional constant parameter value is equivalent to one remove and one add operation.
The addition of any new optional regular expression has no effect on an otherwise compliant attribute. The removal or change of an optional regular expression can cause the removal of attribute values on an otherwise compliant attribute unless another allowing parameter for the same value exists.

Excluded parameter values
Excluded parameter values can be defined as a constant or a regular expression. Parameter values with excluded enforcement are enforced only in the context of an implicit wildcard entitlement.
The addition of any new excluded constant parameter value can cause removal of the value from the corresponding attribute unless another allowing parameter exists for the same value. The removal of an excluded constant parameter value (except null) has no effect on an otherwise compliant attribute. Any change to an excluded constant parameter value is equivalent to one remove and one add operation.
The addition of any new excluded regular expression can cause the removal of attribute values on an otherwise compliant attribute unless another allowing parameter for the same value exists. Any removal or change of an excluded regular expression has no effect on an otherwise compliant attribute.

Allowed over denied precedence rule
If an attribute value is allowed and denied at the same time by the presence of conflicting parameter values, the allowing parameter value takes precedence over the denying parameter value.

Implicit wildcard attribute entitlement
To make it easy to create default grant-all policies, an implicit wildcard attribute entitlement is used. An implicit wildcard for an attribute exists if no allowing parameter value is defined on the attribute; in that case all values are allowed, minus any excluded (denying) parameter values. Removal of the last parameter for a given attribute reinstates the implicit wildcard.
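The following added example (written for this page; it is not product code and does not use any product API) models the rules above for one multivalued attribute: the allowing and denying unions from "Allow and deny parameter unions", the null-value rules, the allowed-over-denied precedence rule, the implicit wildcard, and the add/remove effects on an existing account. The attribute name, the group values and the `Param` class are constructed for illustration. Two readings are assumptions taken from the page's wording: default constants are not in the allowing union (the union list omits them, so a lone default parameter leaves the wildcard in effect), and a null default or optional parameter disallows values without removing those already set, whereas a null mandatory parameter removes them.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Enforcement types named on the page.
MANDATORY, DEFAULT, OPTIONAL, EXCLUDED = "mandatory", "default", "optional", "excluded"


@dataclass(frozen=True)
class Param:
    """One parameter value of the joined policy on a single attribute (constructed class).

    value=None and regex=None together model the null value. regex is a
    non-negated regular expression, used with optional or excluded enforcement.
    """
    enforcement: str
    value: Optional[str] = None
    regex: Optional[str] = None

    @property
    def is_null(self) -> bool:
        return self.value is None and self.regex is None


def matches(p: Param, v: str) -> bool:
    """Does parameter p cover value v? A null value covers every value."""
    if p.is_null:
        return True
    if p.regex is not None:
        return re.fullmatch(p.regex, v) is not None
    return p.value == v


def is_allowing(p: Param) -> bool:
    """Membership in the allowing union: mandatory/optional constants (non-null),
    optional regexes, and the excluded null value. Default constants are not
    listed in the allowing union on the page (assumption: follow that literally)."""
    if p.regex is not None:
        return p.enforcement == OPTIONAL
    if p.is_null:
        return p.enforcement == EXCLUDED
    return p.enforcement in (MANDATORY, OPTIONAL)


def is_denying(p: Param) -> bool:
    """Membership in the denying union: excluded regexes, excluded constants,
    and the null value with mandatory, default or optional enforcement."""
    if p.regex is not None:
        return p.enforcement == EXCLUDED
    if p.is_null:
        return p.enforcement in (MANDATORY, DEFAULT, OPTIONAL)
    return p.enforcement == EXCLUDED


def is_allowed(params: Iterable[Param], v: str) -> bool:
    """Decide one attribute value under the joined parameters."""
    params = list(params)
    if any(is_allowing(p) and matches(p, v) for p in params):
        return True  # allowed-over-denied precedence rule
    if not any(is_allowing(p) for p in params):
        # Implicit wildcard: everything is allowed minus the denying parameters.
        return not any(is_denying(p) and matches(p, v) for p in params)
    return False  # an allowing set exists and v is not in it


def reconcile(params: Iterable[Param], current: Set[str]) -> Dict[str, Set[str]]:
    """Changes to apply to an existing account's multivalued attribute.

    to_add:     non-null mandatory constants missing from the account.
    disallowed: current values that the joined policy does not permit.
    to_remove:  disallowed values, except those disallowed only by a null
                default/optional parameter (assumption: those are kept, per the
                page's 'currently set values are not removed').
    """
    params = list(params)
    to_add = {p.value for p in params
              if p.enforcement == MANDATORY and not p.is_null and p.regex is None} - current
    disallowed = {v for v in current if not is_allowed(params, v)}
    # Re-evaluate without the "soft" null parameters to find what a hard rule denies.
    hard: List[Param] = [p for p in params
                         if not (p.is_null and p.enforcement in (DEFAULT, OPTIONAL))]
    to_remove = {v for v in disallowed if not is_allowed(hard, v)}
    return {"to_add": to_add, "disallowed": disallowed, "to_remove": to_remove}


if __name__ == "__main__":
    # Constructed sample: a joined policy for a 'groups' attribute and one existing account.
    policy = [Param(MANDATORY, "users"),
              Param(OPTIONAL, regex=r"proj-[a-z]+"),
              Param(EXCLUDED, "wheel")]
    account_groups = {"proj-alpha", "wheel", "ftp"}
    print(reconcile(policy, account_groups))
    # Wildcard plus an excluded regex replaces a hard-to-write negated regex.
    print(reconcile([Param(EXCLUDED, regex=r"sudo.*")], {"users", "sudoers"}))
```

The first scenario has an allowing set (a mandatory constant and an optional regex), so "wheel" and "ftp" are simply outside it and are removed, while "users" is added. The second scenario has no allowing parameter, so the implicit wildcard applies and only values matched by the excluded regex are removed; that is the optional-plus-excluded alternative the page recommends over a negated regular expression.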
