Rules Enforced by the Referential Integrity User Exit

These are the constraints (consistency rules) enforced by the Referential Integrity User Exit.

The constraints listed here are the default behavior of the exit module. The user exit configuration can relax some constraints or add others. See Configuration options for the Referential Integrity User Exit.

User Operations

  • Add user
    • Deny request if the user already exists
  • Delete user
    • Deny request if the user does not exist
    • Automatically remove the user from all groups
    • Automatically remove all resource Access Control Entries (ACEs) that refer to the user
      Note: ACEs with wildcard actors, such as allow:U*:read, are not automatically removed. Such an ACE does not name the deleted user, so it is not a dangling reference; it keeps matching every actor whose name fits the pattern, including a user later re-added under the old name.

Group Operations

  • Add group
    • Deny request if the group already exists
  • Delete group
    • Deny request if the group does not exist
    • Deny request if any users still belong to the group
    • Automatically remove all resource ACEs that refer to the group
      Note: ACEs with wildcard actors are not automatically removed; they name no specific group and continue to match whatever fits the pattern.
  • Add user to group
    • Deny request if the user or group does not exist
    • Deny request if the user already belongs to the group
  • Remove user from group
    • Deny request if the user or group does not exist
    • Deny request if the user is not a member of the group

Resource Access Rule Operations

  • Delete resource class
    • Deny request if the class contains any resource access rules
  • Add resource rule
    • Deny request if the rule already exists in the given class
  • Delete resource rule
    • Deny request if the rule does not exist
    • Deny request if the rule contains any ACEs
  • Add ACE to resource rule
    • Deny request if the rule or actor (user or group) does not exist
    • Deny request if the rule already contains an ACE for the given actor
  • Delete ACE from resource rule
    • Deny request if the rule or actor does not exist
    • Deny request if the ACE does not exist in the specified rule
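
The rules in all three lists above, as one executable model. This is an added example and not the user exit's own code. The page does not say how ACEs are stored or how wildcard actors are recognised, so the model assumes an ACE is an effect:actor:action string (following the allow:U*:read example), treats any actor containing * as a wildcard that is exempt from the existence check, and lets a resource class come into being with its first rule, since the page lists no add-class operation. IntegrityError stands in for the exit denying the request; the delete operations return the number of ACEs they removed by cascade.

```python
"""Model of the default constraints above: an added example, not the exit's own code.
Assumed, not from the page: ACEs are "effect:actor:action" strings, an actor containing
'*' is a wildcard, and a resource class comes into being with its first rule."""


class IntegrityError(Exception):
    """Raised for a request the exit would deny."""


def deny_unless(ok, why):
    if not ok:
        raise IntegrityError(why)


class PolicyStore:
    def __init__(self):
        self.users = set()
        self.groups = {}   # group -> set of member users
        self.classes = {}  # class -> {rule -> {actor -> ACE string}}

    # User operations
    def add_user(self, user):
        deny_unless(user not in self.users, f"user {user} already exists")
        self.users.add(user)

    def delete_user(self, user):
        deny_unless(user in self.users, f"user {user} does not exist")
        self.users.remove(user)
        for members in self.groups.values():  # cascade: drop group memberships
            members.discard(user)
        return self._drop_aces_for(user)       # cascade: drop ACEs naming the user

    # Group operations
    def add_group(self, group):
        deny_unless(group not in self.groups, f"group {group} already exists")
        self.groups[group] = set()

    def delete_group(self, group):
        deny_unless(group in self.groups, f"group {group} does not exist")
        deny_unless(not self.groups[group], f"group {group} still has members")
        del self.groups[group]
        return self._drop_aces_for(group)

    def add_user_to_group(self, user, group):
        self._require_user_and_group(user, group)
        deny_unless(user not in self.groups[group], f"{user} already in {group}")
        self.groups[group].add(user)

    def remove_user_from_group(self, user, group):
        self._require_user_and_group(user, group)
        deny_unless(user in self.groups[group], f"{user} not a member of {group}")
        self.groups[group].remove(user)

    # Resource access rule operations
    def delete_class(self, cls):
        deny_unless(not self.classes.get(cls), f"class {cls} still contains rules")
        self.classes.pop(cls, None)  # an empty (or absent) class may go

    def add_rule(self, cls, rule):
        rules = self.classes.setdefault(cls, {})  # assumption: first rule creates the class
        deny_unless(rule not in rules, f"rule {rule} already exists in {cls}")
        rules[rule] = {}

    def delete_rule(self, cls, rule):
        deny_unless(not self._aces(cls, rule), f"rule {rule} still contains ACEs")
        del self.classes[cls][rule]

    def add_ace(self, cls, rule, ace):
        aces, actor = self._aces(cls, rule), ace.split(":")[1]
        self._require_actor(actor)
        deny_unless(actor not in aces, f"rule {rule} already has an ACE for {actor}")
        aces[actor] = ace

    def delete_ace(self, cls, rule, ace):
        aces, actor = self._aces(cls, rule), ace.split(":")[1]
        self._require_actor(actor)
        deny_unless(aces.get(actor) == ace, f"ACE {ace} is not in rule {rule}")
        del aces[actor]

    def _require_user_and_group(self, user, group):
        deny_unless(user in self.users, f"user {user} does not exist")
        deny_unless(group in self.groups, f"group {group} does not exist")

    def _require_actor(self, actor):  # assumption: a wildcard names no principal, so it is exempt
        known = actor in self.users or actor in self.groups
        deny_unless("*" in actor or known, f"actor {actor} does not exist")

    def _aces(self, cls, rule):
        deny_unless(rule in self.classes.get(cls, {}), f"rule {rule} does not exist in {cls}")
        return self.classes[cls][rule]

    def _drop_aces_for(self, actor):
        dropped = 0  # counts ACEs whose actor is exactly `actor`; wildcard ACEs are left alone
        for rules in self.classes.values():
            for aces in rules.values():
                dropped += aces.pop(actor, None) is not None
        return dropped
```

Two properties of the default rules stand out when the model is driven through a full teardown. First, deletion order is forced from the leaves up: members must leave a group before the group goes, ACEs must leave a rule before the rule goes, and rules must leave a class before the class goes, while the user and group deletes are the only operations that cascade. Second, a deleted user's explicit ACEs are gone for good, so re-adding a user under the same name restores nothing except whatever wildcard ACEs already matched that name.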