|Applies To||RSA ClearTrust 4.7.1|
RSA ClearTrust 4.7
RSA ClearTrust 5.0.1
|Issue||Are multivalued attributes supported for SmartRules?|
Using multivalued attributes to define roles of every person
Multivalued attributes for SmartRules
|Resolution||The following is summarized from pages 94, 95, and 96 of the "RSA ClearTrust 4.7.1 - Overview Guide":|
In previous releases of RSA ClearTrust (e.g. 4.6.x), SmartRules regarded each User Property as containing one and only one value. For example, if a user had a property for Department_Name, a SmartRule could read only one value from the Department_Name attribute. If the user belonged to multiple departments (for example Sales, Marketing and Management), the SmartRule read only the first value (here, Sales) and ignored the rest.
In 4.7.x/ 5.0.1, the SmartRule can read all the values in the user property. SmartRules are analyzed by the RSA ClearTrust Authorization Server at runtime to determine if a particular user can access a resource.
RSA ClearTrust 4.7.x/5.0.1 allows you to create User Property Definitions in the Entitlements Manager, which map to multivalued LDAP attributes that reside in your user data store. This allows you to create SmartRules based on these multivalued attributes.
Note that the current version of the Entitlements Manager and the RSA ClearTrust Administrative API cannot save or edit multivalued attributes. If you edit a user account through the Entitlements Manager, and that user has entries with more than one value, only the first value will be saved. If you originally saved your users and groups with a non-RSA ClearTrust tool, or if you are saving/editing multivalued attributes, RSA Security recommends that you continue use your existing user/group administration tool to manage this data.
|Legacy Article ID||a12336|