Operators for Using LDAP Attributes in Access Policies

When adding an access policy that uses LDAP attributes to select the user population, operators are used to filter the attributes. You identify the user population by entering an expression consisting of the user attribute, an operator, and a value, as shown in the following dialog box:

[Figure: the Add a Policy dialog box in which the access policy attribute expression (user attribute, operator, value) is entered]

To view this dialog box in the Cloud Administration Console, click Access > Policies > Add a Policy > Rule Sets. Under Target Population, click Add. For more information, see Access Policies and Add, Clone, or Delete an Access Policy.

The following table describes how to use the operators in the policy expression. Different operators are available for different LDAP attributes.

Operation | Use
Contains

Selects users when the LDAP attribute value contains the same value as the policy expression. For example, the following configuration selects all users with givenNames containing the uppercase letter A, such as Albert or Anne.

User Attribute: givenName

Operator: Contains

Value in policy expression: A

This operator is case-sensitive and applies only for single-valued attributes of String type.

Does not contain

Selects users when the LDAP attribute value does not contain the value in the policy expression. For example, a user named Joseph is not selected in this configuration:

User Attribute: givenName

Operator: Does not contain

Value in policy expression: J

This operator is case-sensitive and applies only for single-valued attributes of String type.

Matches

Selects users when the LDAP attribute value matches the value in the policy expression. For example, this configuration selects users whose email begins with “da” and ends with “rsa.com”:

User Attribute: mail

Operator: Matches

Value in policy expression: ^da.*rsa\.com$

This operator is case-sensitive, supports regular expressions, and applies only for single-valued attributes of String type.

Does not match

Selects users when the LDAP attribute value does not match the value in the policy expression. For example, this configuration selects users whose surname does not contain any vowel.

User Attribute: sn

Operator: Does not match

Value in policy expression: [aeiou]+

This operator is case-sensitive, supports regular expressions, and applies only for single-valued attributes of String type.

Starts with

Selects users when the LDAP attribute value starts with the value in the policy expression. For example, this configuration selects users named Stephanie or Steven:

User Attribute: givenName

Operator: Starts with

Value in policy expression: S

This operator is case-sensitive and applies only for single-valued attributes of String type.

Ends with

Selects users when the LDAP attribute value ends with the value in the policy expression. For example, this configuration selects a user with the email Emilio.Rodriguez@abc.com:

User Attribute: email

Operator: Ends with

Value in policy expression: abc.com

This operator is case-sensitive and applies only for single-valued attributes of String type.

Equals

Selects users when the LDAP attribute equals the value in the policy expression. For example, this configuration selects a user whose account expires on November 5, 2023 at 11:00 pm:

User Attribute: accountExpires

Operator: Equals

Value in policy expression: 5 November 2023 23:00

Does not equal

Selects users when the LDAP attribute does not equal the specified value in the policy expression. For example, this configuration selects a user whose account expires on November 5, 2023 at 11:00 pm:

User Attribute: accountExpires

Operator: Does not equal

Value in policy expression: 10 November 2023 23:00

Greater than

Selects users when the LDAP attribute value is greater than the value in the policy expression. For example, this configuration selects a user whose userAccountControl value is 500 in the LDAP directory:

User Attribute: userAccountControl

Operator: Greater than

Value in policy expression: 200

This operator applies only for single-valued attributes of Date or Long type.

Greater than or equal

Selects users when the LDAP attribute value is greater than or equal to the value in the policy expression. For example, this configuration selects a user whose userAccountControl value is 500 in the LDAP directory:

User Attribute: userAccountControl

Operator: Greater than or equal

Value in policy expression: 500

This operator applies only for single-valued attributes of Date or Long type.

Less than

Selects users when the LDAP attribute value is less than the value in the policy expression. For example, this configuration selects a user whose userAccountControl value is 500 in the LDAP directory:

User Attribute: userAccountControl

Operator: Less than

Value in policy expression: 600

This operator applies only for single-valued attributes of Date or Long type.

Less than or equal

Selects users when the LDAP attribute value is less than or equal to the value in the policy expression. For example, this configuration selects a user whose userAccountControl value is 500 in the LDAP directory:

User Attribute: userAccountControl

Operator: Less than or equal

Value in policy expression: 500

This operator applies only for single-valued attributes of Date or Long type.

Is empty

The user is selected when the value of the LDAP attribute is blank. For example, a custom attribute might be blank.

This operator applies only for single-valued attributes of String type.

Is not empty

Selects users when the LDAP attribute value is not blank. For example, all users with middle names are selected when the policy expression is configured as follows:

User Attribute: middleName

Operator: Is not empty

This operator applies only for single-valued attributes of String type.

Is null

Selects users when the attribute value is undefined in the directory server. For example, the following configuration selects all users whose middle names are undefined:

User Attribute: middleName

Operator: Is null

Is not null

The user is selected when the value of the attribute is defined in the LDAP directory server. For example, the following configuration selects all users whose middle names are defined:

User Attribute: middleName

Operator: Is not null

Set contains any

This operator is used for multivalue attributes, such as memberOf, which might list multiple groups to which the user belongs. Use this operator to select users who belong to at least one group in the set. For example, this configuration selects users who belong to engineering, marketing, or sales:

User Attribute: virtualGroups

Operator: Set contains any

Value in policy expression: engineering, marketing, sales

This operation is case-sensitive if the attribute is a multivalued String type.

Set does not contain any

This operator is used for multivalue attributes, such as memberOf, which might list multiple groups to which the user belongs. Use this operator to select users who belong to none of the groups in the set. For example, this configuration selects users who belong to none of engineering, marketing, or sales:

User Attribute: virtualGroups

Operator: Set does not contain any

Value in policy expression: engineering, marketing, sales

This operation is case-sensitive if the attribute is a multivalued String type.

Set contains all

This operator is used for multivalue attributes, such as memberOf, which might list multiple groups to which the user belongs. Use this operator to select users who belong to all groups in the set. For example, this configuration selects users who belong to engineering, marketing, and sales:

User Attribute: virtualGroups

Operator: Set contains all

Value in policy expression: engineering, marketing, sales

Set does not contain all

This operator is used for multivalue attributes, such as memberOf, which might list multiple groups to which the user belongs. Use this operator to select users who do not belong to all of the groups in the set, that is, users who are missing at least one of them. For example, this configuration selects users who do not belong to all three of engineering, marketing, and sales:

User Attribute: virtualGroups

Operator: Set does not contain all

Value in policy expression: engineering, marketing, sales

This operation is case-sensitive if the attribute is a multivalued String type.
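The operator semantics in the table, worked through as an added Python example that is not part of this documentation and not the product's own code: it evaluates each operator against a small constructed set of directory entries (the user ids and attribute values are made up), modelling an undefined attribute as None and a blank one as "" so that Is null and Is empty select different users. Treating an undefined attribute as never satisfying a string or numeric comparison is an assumption of this example, not something the page states.

```python
import re

# Constructed sample directory entries (made up for this example). None models an
# attribute that is undefined in the directory; "" models one that is present but blank.
USERS = {
    "albert": {"givenName": "Albert", "sn": "Ng", "mail": "dan.albert@rsa.com",
               "middleName": None, "userAccountControl": 500,
               "virtualGroups": ["engineering", "sales"]},
    "joseph": {"givenName": "Joseph", "sn": "Ortiz", "mail": "joseph@abc.com",
               "middleName": "", "userAccountControl": 66048,
               "virtualGroups": ["marketing"]},
    "steph": {"givenName": "Stephanie", "sn": "Rhys", "mail": "dave@rsa.com",
              "middleName": "Anne", "userAccountControl": 512,
              "virtualGroups": []},
}

# Operator semantics as the table describes them: string operators are case-sensitive,
# Matches uses regular-expression search (anchor with ^ and $ for a whole-value match,
# as the page's mail example does), Is null means undefined, Is empty means blank.
# Assumption: an undefined attribute never satisfies a string or numeric comparison.
OPERATORS = {
    "Contains":                 lambda v, x: v is not None and x in v,
    "Does not contain":         lambda v, x: v is not None and x not in v,
    "Matches":                  lambda v, x: v is not None and re.search(x, v) is not None,
    "Does not match":           lambda v, x: v is not None and re.search(x, v) is None,
    "Starts with":              lambda v, x: v is not None and v.startswith(x),
    "Ends with":                lambda v, x: v is not None and v.endswith(x),
    "Equals":                   lambda v, x: v == x,
    "Does not equal":           lambda v, x: v != x,
    "Greater than":             lambda v, x: v is not None and v > x,
    "Greater than or equal":    lambda v, x: v is not None and v >= x,
    "Less than":                lambda v, x: v is not None and v < x,
    "Less than or equal":       lambda v, x: v is not None and v <= x,
    "Is empty":                 lambda v, x: v == "",
    "Is not empty":             lambda v, x: v is not None and v != "",
    "Is null":                  lambda v, x: v is None,
    "Is not null":              lambda v, x: v is not None,
    "Set contains any":         lambda v, x: bool(set(v or []) & set(x)),
    "Set does not contain any": lambda v, x: not (set(v or []) & set(x)),
    "Set contains all":         lambda v, x: set(x) <= set(v or []),
    "Set does not contain all": lambda v, x: not (set(x) <= set(v or [])),
}

def select(users, attribute, operator, value=None):
    """Return sorted ids of the users whose attribute satisfies the expression."""
    test = OPERATORS[operator]
    return sorted(uid for uid, attrs in users.items()
                  if test(attrs.get(attribute), value))
```

Running the page's own expressions through select (for example Does not match with [aeiou]+ on sn) shows which constructed users each operator selects before a policy is deployed against a live directory.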