Novell ACCESS MANAGER 3.1 SP2 - POLICY GUIDE 2010 Manual page 83

A Deny Rule with a Redirect URL
Figure 3-9
With an If Not condition, the condition evaluates to True when the user does not match the
condition. With such a rule, you want the Result on Condition Error to also evaluate to True. If there
is an error obtaining role information for the user, you don't want the rule to assume that the user
had the Master role. You want the rule to assume that the user had no roles, or in other words, you
want the error condition to evaluate to True.
Because the condition evaluated to True, the Action is applied to the user. The value specified in the
Redirect to URL text box should specify the page that contains the information on how to request
access.
This redirect rule could be the only rule in the Authorization policy, because the users who are
assigned to the Master role do not match the rule and are thus allowed access. Having the first rule
that grants access because they have the Master role just makes the logic of the policy clearer.
If you create the first rule that grants users with the Master role access, you can use a general Deny
rule for the second rule. It should look similar to the following.
A General Deny Rule
Figure 3-10
Creating Authorization Policies 83