Action rules are similar to entry rules in structure, but differ in functionality. Instead of having to match one entry rule, several action rules may be matched. The single action rule with the highest priority (1 being the highest) is the only one used.
Action rules also contain one or more actions, and the actions are divided into Add Actions and Remove Actions.
The following fields define an action rule:
Defines the meaning of the action rule. This name must be unique.
Defines which action rule executes when several action rules match. This field is useful for defining default actions. For example, if you have multiple rules, one for each department name, you can set a default by adding an additional rule with no conditions but a lower priority (such as 10 if all others are 5). If none of the department rules are matched, then the default is used.
Specifies the criteria to match.
Defines a list of actions taken when the rule is matched. For example, if the user's department matches the one configured in the condition, add a specific Active Directory group. Action rules behave differently depending on whether the policy is set to run once. If the policy is set to run once, then after the first time the rule is matched and performs its actions, it will not run again while still matching. In the example above, the Active Directory group is added to the user only once. If run once is not set, then the actions run again as long as the rule is matched. This field is important for enforcing values.
Defines a list of actions to perform when the rule matched in a previous run, but no longer matches. Remove actions are useful to balance add actions. For example, the previous example added an Active Directory group to the user, based on the department. If the department changed, then the remove action removes the Active Directory group.
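The following Python sketch is an added illustration, not the product's code. It models the evaluation described above: priority selection with a default rule, run-once behavior, and remove actions. The class names, rule names, and group names are hypothetical. Clearing a rule's run-once state when it stops matching is an assumption.

```python
# Added illustration: minimal model of action-rule evaluation.
# Rule names, group names and user records are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class ActionRule:
    name: str
    priority: int                      # 1 is the highest priority
    conditions: dict                   # attribute -> required value; {} always matches
    add_actions: list = field(default_factory=list)
    remove_actions: list = field(default_factory=list)

    def matches(self, user):
        return all(user.get(k) == v for k, v in self.conditions.items())

class Policy:
    def __init__(self, rules, run_once):
        self.rules, self.run_once = rules, run_once
        self.prev_matched = set()      # rules that matched in the previous run
        self.done = set()              # rules whose add actions already ran (run once)

    def evaluate(self, user):
        """Return the (kind, group) actions that one run performs."""
        matched = [r for r in self.rules if r.matches(user)]
        names = {r.name for r in matched}
        performed = []
        # Remove actions: the rule matched in a previous run but no longer matches.
        for r in self.rules:
            if r.name in self.prev_matched and r.name not in names:
                performed += [("remove", g) for g in r.remove_actions]
                self.done.discard(r.name)   # assumption: may run again on a later match
        # Add actions: only the single highest-priority matching rule is used.
        if matched:
            winner = min(matched, key=lambda r: r.priority)
            if not (self.run_once and winner.name in self.done):
                performed += [("add", g) for g in winner.add_actions]
                self.done.add(winner.name)
        self.prev_matched = names
        return performed

def demo(run_once):
    rules = [
        ActionRule("sales", 5, {"department": "Sales"}, ["AD-Sales"], ["AD-Sales"]),
        ActionRule("engineering", 5, {"department": "Engineering"}, ["AD-Eng"], ["AD-Eng"]),
        ActionRule("default", 10, {}, ["AD-Staff"], ["AD-Staff"]),
    ]
    policy = Policy(rules, run_once)
    runs = ["Sales", "Sales", "Engineering", "Legal"]   # department seen on each run
    return [policy.evaluate({"department": d}) for d in runs]
```

Comparing `demo(True)` with `demo(False)` shows the difference on the second run: with run once set, the unchanged Sales user gets no further action, while without it the group is added again on every run.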