Novell ACCESS MANAGER 3.1 SP2 - POLICY GUIDE 2010 Manual page 82


This rule grants the user the Master role if the user belongs to the cn=Master,o=novell LDAP group. If the user doesn't belong to this group or if an error occurs trying to get the data, the user is not assigned the role. This occurs because both the condition and the Result on Condition Error evaluate to False, which prevents the Action from being applied.

After creating the Role policy, apply the changes and enable the Role for the Identity Server.

You can then use this role to create an Authorization policy that contains two rules. The first rule grants access to the users who have the Master role (and are therefore members of the Master group). This rule should look similar to the following:

Figure 3-8 A Permit Rule with a Role Condition

This rule permits users who are assigned the Master role to have access to the resource. If the user does not match the condition or if an error occurs accessing the user's role information, the user is sent to the next rule because both the condition and the Result on Condition Error evaluate to False.

The second rule in the policy should deny access to those who are not assigned the Master role and should redirect them to the page where they can request access. You can do this with a rule that checks to see if they are assigned the Master role. In this type of rule, the condition needs to be an If Not condition.
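The evaluation order described above (Role policy, then the Permit rule, then the If Not Deny rule, with Result on Condition Error deciding what happens when data cannot be fetched) is simulated below. This is an added Python model, not Access Manager code; the `ldap_down` and `role_lookup_down` flags, the `/request-access` redirect, the deny rule's Result on Condition Error of True, and the default Deny when no rule matches are all assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional

MASTER_GROUP = "cn=Master,o=novell"   # LDAP group named on the page

class ConditionError(Exception):
    """A condition could not fetch the data it needs (LDAP group, role)."""
def assign_roles(user: dict) -> set:
    """Role policy from the page: Master role iff the user is in cn=Master,o=novell.
    Result on Condition Error is False, so a failed LDAP lookup assigns no role."""
    try:
        if user.get("ldap_down"):  # constructed flag: simulates the LDAP lookup failing
            raise ConditionError("LDAP unavailable")
        return {"Master"} if MASTER_GROUP in user.get("groups", []) else set()
    except ConditionError:
        return set()

@dataclass
class Rule:
    condition: Callable[[dict], bool]  # may raise ConditionError
    if_not: bool                       # the guide's "If Not" condition
    result_on_error: bool              # the guide's Result on Condition Error
    action: str                        # "Permit" or "Deny"
    redirect: Optional[str] = None

def condition_holds(rule: Rule, user: dict) -> bool:
    """Assumption: on error the rule's outcome is Result on Condition Error itself."""
    try:
        value = rule.condition(user)
    except ConditionError:
        return rule.result_on_error
    return (not value) if rule.if_not else value

def has_master_role(user: dict) -> bool:
    if user.get("role_lookup_down"):   # constructed flag: role data unavailable
        raise ConditionError("role information unavailable")
    return "Master" in assign_roles(user)

AUTHZ_POLICY = [
    Rule(has_master_role, False, False, "Permit"),
    # Assumption: the deny rule's Result on Condition Error is True so errors also deny.
    Rule(has_master_role, True, True, "Deny", "/request-access"),
]

def authorize(user: dict) -> tuple:
    """Rules run in order; a False condition hands the user to the next rule."""
    for rule in AUTHZ_POLICY:
        if condition_holds(rule, user):
            return rule.action, rule.redirect
    return "Deny", None  # assumed default when no rule matches
```

A lookup failure at either stage ends in the Deny rule, which is the fail-closed behaviour the two-rule layout is meant to give.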
82
Novell Access Manager 3.1 SP2 Policy Guide
