Operators for Using LDAP Attributes in Access Policies
When adding an access policy that uses LDAP attributes to select the user population, operators are used to filter the attributes. You identify the user population by entering an expression consisting of the user attribute, an operator, and a value, as shown in the following dialog box:
To view this dialog box in the Cloud Administration Console, click Access > Policies > Add a Policy > Rule Sets. Under Target Population, click Add. For more information, see Access Policies and Add, Clone, or Delete an Access Policy.
The following table describes how to use the operators in the policy expression. Different operators are available for different LDAP attributes.
Operation | Use
---|---
Contains | Selects users when the LDAP attribute value contains the value in the policy expression. For example, the following configuration selects all users whose givenName contains the uppercase letter A, such as Albert or Anne. User Attribute: givenName; Operator: Contains; Value in policy expression: A. This operator is case-sensitive and applies only to single-valued attributes of String type.
Does not contain | Selects users when the LDAP attribute value does not contain the value in the policy expression. For example, a user named Joseph is not selected by this configuration: User Attribute: givenName; Operator: Does not contain; Value in policy expression: J. This operator is case-sensitive and applies only to single-valued attributes of String type.
Matches | Selects users when the LDAP attribute value matches the value in the policy expression. For example, this configuration selects users whose email begins with “da” and ends with “rsa.com”: User Attribute: mail; Operator: Matches; Value in policy expression: ^da.*rsa\.com$. This operator is case-sensitive, supports regular expressions, and applies only to single-valued attributes of String type.
Does not match | Selects users when the LDAP attribute value does not match the value in the policy expression. For example, this configuration selects users whose surname does not contain any vowel: User Attribute: sn; Operator: Does not match; Value in policy expression: [aeiou]+. This operator is case-sensitive, supports regular expressions, and applies only to single-valued attributes of String type.
Starts with | Selects users when the LDAP attribute value starts with the value in the policy expression. For example, this configuration selects users named Stephanie or Steven: User Attribute: givenName; Operator: Starts with; Value in policy expression: S. This operator is case-sensitive and applies only to single-valued attributes of String type.
Ends with | Selects users when the LDAP attribute value ends with the value in the policy expression. For example, this configuration selects a user with the email Emilio.Rodriguez@abc.com: User Attribute: email; Operator: Ends with; Value in policy expression: abc.com. This operator is case-sensitive and applies only to single-valued attributes of String type.
Equals | Selects users when the LDAP attribute value equals the value in the policy expression. For example, this configuration selects a user whose account expires on November 5, 2023 at 11:00 pm: User Attribute: accountExpires; Operator: Equals; Value in policy expression: 5 November 2023 23:00.
Does not equal | Selects users when the LDAP attribute value does not equal the value in the policy expression. For example, this configuration selects a user whose account expires on November 5, 2023 at 11:00 pm: User Attribute: accountExpires; Operator: Does not equal; Value in policy expression: 10 November 2023 23:00.
Greater than | Selects users when the LDAP attribute value is greater than the value in the policy expression. For example, this configuration selects a user whose userAccountControl value is 500 in the LDAP directory: User Attribute: userAccountControl; Operator: Greater than; Value in policy expression: 200. This operator applies only to single-valued attributes of Date or Long type.
Greater than or equal | Selects users when the LDAP attribute value is greater than or equal to the value in the policy expression. For example, this configuration selects a user whose userAccountControl value is 500 in the LDAP directory: User Attribute: userAccountControl; Operator: Greater than or equal. This operator applies only to single-valued attributes of Date or Long type.
Less than | Selects users when the LDAP attribute value is less than the value in the policy expression. For example, this configuration selects a user whose userAccountControl value is 500 in the LDAP directory: User Attribute: userAccountControl; Operator: Less than; Value in policy expression: 600. This operator applies only to single-valued attributes of Date or Long type.
Less than or equal | Selects users when the LDAP attribute value is less than or equal to the value in the policy expression. For example, this configuration selects a user whose userAccountControl value is 500 in the LDAP directory: User Attribute: userAccountControl; Operator: Less than or equal; Value in policy expression: 500. This operator applies only to single-valued attributes of Date or Long type.
Is empty | Selects users when the value of the LDAP attribute is blank. For example, a custom attribute might be blank. This operator applies only to single-valued attributes of String type.
Is not empty | Selects users when the LDAP attribute value is not blank. For example, all users with middle names are selected when the policy expression is configured as follows: User Attribute: middleName; Operator: Is not empty. This operator applies only to single-valued attributes of String type.
Is null | Selects users when the attribute value is undefined in the directory server. For example, the following configuration selects all users whose middle names are undefined: User Attribute: middleName; Operator: Is null.
Is not null | Selects users when the attribute value is defined in the LDAP directory server. For example, the following configuration selects all users whose middle names are defined: User Attribute: middleName; Operator: Is not null.
Set contains any | This operator is used for multivalued attributes, such as memberOf, which might list multiple groups to which the user belongs. Use this operator to select users who belong to at least one group in the set. For example, this configuration selects users who belong to engineering, marketing, or sales: User Attribute: virtualGroups; Operator: Set contains any; Value in policy expression: engineering, marketing, sales. This operation is case-sensitive if the attribute is a multivalued String type.
Set does not contain any | This operator is used for multivalued attributes, such as memberOf, which might list multiple groups to which the user belongs. Use this operator to select users who belong to none of the groups in the set. For example, this configuration selects users who belong to none of engineering, marketing, or sales: User Attribute: virtualGroups; Operator: Set does not contain any; Value in policy expression: engineering, marketing, sales. This operation is case-sensitive if the attribute is a multivalued String type.
Set contains all | This operator is used for multivalued attributes, such as memberOf, which might list multiple groups to which the user belongs. Use this operator to select users who belong to all groups in the set. For example, this configuration selects users who belong to engineering, marketing, and sales: User Attribute: virtualGroups; Operator: Set contains all; Value in policy expression: engineering, marketing, sales.
Set does not contain all | This operator is used for multivalued attributes, such as memberOf, which might list multiple groups to which the user belongs. Use this operator to select users who do not belong to all of the groups in the set. For example, this configuration selects users who do not belong to all of engineering, marketing, and sales: User Attribute: virtualGroups; Operator: Set does not contain all; Value in policy expression: engineering, marketing, sales. This operation is case-sensitive if the attribute is a multivalued String type.
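The following added example (not from the console's documentation or code) models the operator semantics in the table so the selection behaviour can be checked offline against constructed directory entries; the sample users, the unanchored re.search for Matches, and the complement semantics of the negated set operators are assumptions about the console, not documented behaviour.

```python
import re
from datetime import datetime
from typing import Any, Mapping

# Constructed sample directory entries (not from the page): None = attribute
# undefined in the directory, "" = present but blank, list = multi-valued.
USERS = {
    "dave":   {"givenName": "Dave", "sn": "Ng", "mail": "dave@rsa.com",
               "middleName": None, "userAccountControl": 500,
               "accountExpires": datetime(2023, 11, 5, 23, 0),
               "virtualGroups": ["engineering", "sales"]},
    "joseph": {"givenName": "Joseph", "sn": "Smith", "mail": "joseph@notabc.com",
               "middleName": "", "userAccountControl": 66048,
               "accountExpires": datetime(2024, 1, 1, 0, 0),
               "virtualGroups": ["marketing"]},
}

def evaluate(user: Mapping[str, Any], attribute: str, operator: str, expr: str = "") -> bool:
    """True when (attribute, operator, expr) selects this user.

    String operators are case-sensitive, as the table states. 'Matches' is
    modelled as an unanchored re.search, which the '[aeiou]+' example implies;
    negated set operators are the logical complements of their positive forms.
    Both are assumptions about the console, not documented behaviour.
    """
    v = user.get(attribute)
    if operator in ("Is null", "Is not null"):
        return (v is None) == (operator == "Is null")
    if operator in ("Is empty", "Is not empty"):
        return v is not None and (str(v) == "") == (operator == "Is empty")
    if v is None:
        return False  # an undefined attribute never satisfies a value comparison
    if isinstance(v, list):  # multi-valued attribute: set operators only
        have, want = set(v), {x.strip() for x in expr.split(",")}
        return {"Set contains any": bool(have & want), "Set does not contain any": not (have & want),
                "Set contains all": want <= have, "Set does not contain all": not (want <= have)}[operator]
    if isinstance(v, (int, datetime)):  # Long or Date type: ordered comparisons
        t = datetime.strptime(expr, "%d %B %Y %H:%M") if isinstance(v, datetime) else int(expr)
        return {"Equals": v == t, "Does not equal": v != t, "Greater than": v > t,
                "Greater than or equal": v >= t, "Less than": v < t, "Less than or equal": v <= t}[operator]
    s = str(v)  # single-valued String type
    return {"Contains": expr in s, "Does not contain": expr not in s,
            "Matches": re.search(expr, s) is not None, "Does not match": re.search(expr, s) is None,
            "Starts with": s.startswith(expr), "Ends with": s.endswith(expr),
            "Equals": s == expr, "Does not equal": s != expr}[operator]

def select(attribute: str, operator: str, expr: str = "", users=USERS) -> list[str]:
    """Return the sorted ids of users the policy expression selects."""
    return sorted(u for u, attrs in users.items() if evaluate(attrs, attribute, operator, expr))
```

Note that a plain suffix test such as Ends with abc.com also selects joseph@notabc.com; when the intent is to scope a policy to one mail domain, an anchored Matches pattern like @abc\.com$ is the safer expression.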