
Action Rules

Action rules are similar to entry rules in structure, but differ in functionality. Action rules define when an action should be taken. For example, if you want a policy to perform an action when a user's department has changed to Sales, create an action rule with the condition 'Department = Sales'.

Also, instead of having to match one entry rule, several action rules may be matched. Of the action rules that match, only the single rule with the highest priority (0 being the highest) is used.

Action rules also contain one or more actions, and the actions are divided into Add Actions and Remove Actions.

The following fields define an action rule:


Provides a friendly name for the action rule. This name must be unique.


Defines the meaning of the action rule.


Specifies the criteria to match.


Defines which action rule executes, in the case of several action rules matching. This field is useful for defining default actions. For example, if you have multiple rules, each for a department name, it is possible to set a default by adding an additional rule with no conditions but a lower priority (such as 10 if all others are 5). If none of the department rules are matched, then the default is used.

Add Actions

Defines a list of actions taken when the rule is matched. For example, you can configure a rule that states if the user's department matches the one configured in the condition, add a specific Active Directory group.

Action rules behave differently, based on the Run Once setting. If the policy is set to run once, the associated actions are performed the first time the rule matches. The actions are not performed again for each subsequent rule match. In the example above, the Active Directory group is added to the user only once. If Run Once is not set, then the actions run again as long as the rule is matched. This field is important for enforcing values.

Remove Actions

Defines a list of actions to perform when the rule no longer matches. For example, the previous example added an Active Directory group to the user, based on the department. If the department changes, then the remove action removes the Active Directory group.
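
The priority selection, Run Once behavior and add/remove lifecycle described above, modelled in Python as an added example; it is not the product's code. The class names, group names, sample rules and the handling of Run Once state after a removal are assumptions of this model.

```python
from dataclasses import dataclass, field

@dataclass
class ActionRule:
    name: str
    priority: int                 # 0 is the highest priority
    group: str                    # Add Action grants it, Remove Action revokes it
    conditions: dict = field(default_factory=dict)  # empty = default rule

    def matches(self, user):
        return all(user.get(k) == v for k, v in self.conditions.items())

class Policy:
    def __init__(self, rules, run_once):
        self.rules, self.run_once = rules, run_once
        self.active = None        # rule used on the previous evaluation
        self.fired = set()        # rules whose Add Actions already ran

    def evaluate(self, user, groups):
        """Run one evaluation against the user's group set; return actions taken."""
        log = []
        matched = [r for r in self.rules if r.matches(user)]
        # Several rules may match; only the highest priority (lowest number) is used.
        winner = min(matched, key=lambda r: r.priority) if matched else None
        # Remove Actions: the rule used last time no longer matches.
        if self.active and not self.active.matches(user):
            groups.discard(self.active.group)
            self.fired.discard(self.active.name)  # model assumption, not from the page
            log.append(f"remove {self.active.group}")
        # Add Actions: skipped on repeat matches when Run Once is set.
        if winner and not (self.run_once and winner.name in self.fired):
            groups.add(winner.group)
            self.fired.add(winner.name)
            log.append(f"add {winner.group}")
        self.active = winner
        return log

def demo_rules():
    # Constructed sample rules: two department rules at 5, a default at 10.
    return [ActionRule("sales", 5, "Sales-Users", {"department": "Sales"}),
            ActionRule("eng", 5, "Eng-Users", {"department": "Engineering"}),
            ActionRule("default", 10, "All-Staff")]

if __name__ == "__main__":
    policy, groups = Policy(demo_rules(), run_once=False), set()
    for dept in ("Sales", "Sales", "Engineering", "Legal"):
        print(dept, policy.evaluate({"department": dept}, groups), sorted(groups))
```

With `run_once=True`, a group removed outside the policy is not restored on the next match; with `run_once=False` it is re-added on every evaluation while the rule matches.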
