An attribute condition is an expression that tests the values of an attribute. Attribute conditions are commonly used to select the subset of objects that match certain criteria.
Each attribute condition expresses a single criterion and consists of:

- Attribute name (of a queryable attribute)
- Operator (a kind of check or comparison to be made)
- Operand (a specified set of values)
AttributeCondition defines the following operators.
Table 1–1 Attribute Condition Operators

| Operator | Description |
|---|---|
| EQ, EQUALS | Object has at least one value for the specified attribute that is lexically equal to (ignoring case) the operand. |
| NE, NOT_EQUALS | Object has no value for the specified attribute that is lexically equal to (ignoring case) the operand. |
| GT, GREATER_THAN | Object has at least one value for the specified attribute that is lexically greater than (ignoring case) the operand. |
| GE | Object has at least one value for the specified attribute that is lexically greater than or equal to (ignoring case) the operand. |
| LE | Object has at least one value for the specified attribute that is lexically less than or equal to (ignoring case) the operand. |
| LT, LESS_THAN | Object has at least one value for the specified attribute that is lexically less than (ignoring case) the operand. |
| STARTS_WITH | Object has at least one value for the specified attribute that is an initial substring (ignoring case) of the operand. |
| ENDS_WITH | Object has at least one value for the specified attribute that is a final substring (ignoring case) of the operand. |
| CONTAINS | Object has at least one value for the specified attribute that is a substring (ignoring case) of the operand. |
| IS_PRESENT | Object has at least one value for the specified attribute. (This operator takes no operand.) |
| NOT_PRESENT | Object has no value for the specified attribute. (This operator takes no operand.) |
| IN, IS_ONE_OF | Object has at least one value for the specified attribute that is lexically equal to (ignoring case) one of the values in the (list) operand. |
RelationalDataStore optimizes evaluation by translating each attribute condition into an appropriate predicate that becomes part of the WHERE clause for the operation. The caller needs no special logic to handle multi-valued attributes; RelationalDataStore automatically generates the appropriate SQL DML for them.
An attribute condition applies to each value of an attribute. (Specifically, operator NE is true if, and only if, an object has no value for the specified attribute that equals the specified operand. Operator EQ is true if an object has at least one value for the specified attribute that matches the specified operand.)
A set of attribute conditions is implicitly ANDed. This means that a set of attribute conditions evaluates to true if, and only if, every attribute condition in the set evaluates to true. Conversely, a set of attribute conditions evaluates to false as soon as any attribute condition in the set evaluates to false.
Identity Manager attribute conditions expose operators that are generally useful. Typically, you can express a set of selection criteria using Identity Manager attribute conditions. A few criteria cannot be expressed, but even these are often better addressed by adding (or changing the representation of) a queryable attribute.
You can use the following attributes to determine the set of users in a given organization:

- External (to Identity Manager) resource account attributes. In this case, you need both the resource account ID and the resource name (for example, acctid:resname) to find the matching Identity Manager user, because more than one Identity Manager user might have the same acctid but on different resources.
- Identity Manager user account attributes (for example, name, location, manager).
To get an "or'ed" effect across several values of one attribute, do not use multiple attribute conditions (they would be ANDed together). Instead, use the "is one of" operator with a list of operands, as follows:

```xml
<list>
  <new class='com.waveset.object.AttributeCondition'>
    <s>firstname</s>
    <s>is one of</s>
    <list>
      <s>Nicola</s>
      <s>Paolo</s>
    </list>
  </new>
</list>
```
You need a rule to include all users except those with specified administrative roles.
Because attribute conditions are implicitly ANDed together, you can use two attribute conditions:
1. A condition that selects users with at least one admin role (which in effect excludes non-administrative users). This condition specifies that a matching user has at least one value for the adminRoles attribute.

```xml
<AttributeCondition>
  <s>adminRoles</s>
  <s>exists</s>
</AttributeCondition>
```

2. A condition that excludes users with any of a set of specific admin roles. This condition specifies that no value of the adminRoles attribute is ar1 or ar2.

```xml
<AttributeCondition>
  <s>adminRoles</s>
  <s>is not</s>
  <list>
    <s>ar1</s>
    <s>ar2</s>
  </list>
</AttributeCondition>
```
Taken together, these conditions specify that the user must have an admin role that is not in the specified list.
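The following is an added example, not Identity Manager's own code: a small model of the attribute-condition semantics described on this page (case-insensitive comparison, "at least one value" for EQ and comparisons, "no value" for NE, implicit ANDing of a condition set, IS_ONE_OF for the "or'ed" case), run over constructed sample users to reproduce the admin-role selection above. The operator names, the `evaluate`/`matches_all`/`select` helpers and the sample users are assumptions made for illustration.

```python
import operator
from typing import Any, Iterable

# Lexical comparisons, ignoring case, each true if at least one value satisfies it
_CMP = {
    "EQ": operator.eq, "EQUALS": operator.eq,
    "GT": operator.gt, "GREATER_THAN": operator.gt, "GE": operator.ge,
    "LT": operator.lt, "LESS_THAN": operator.lt, "LE": operator.le,
}

def _lower(x: Any) -> list[str]:
    """Normalise a scalar, a multi-valued attribute, or None to lower-cased strings."""
    if x is None:
        return []
    vals = x if isinstance(x, (list, tuple, set)) else [x]
    return [str(v).lower() for v in vals]

def evaluate(obj: dict, attr: str, op: str, operand: Any = None) -> bool:
    """True iff the single condition (attr, op, operand) holds for obj."""
    vals = _lower(obj.get(attr))   # every value of a possibly multi-valued attribute
    ops = _lower(operand)
    if op == "IS_PRESENT":
        return bool(vals)
    if op == "NOT_PRESENT":
        return not vals
    if op in _CMP:
        return any(_CMP[op](v, ops[0]) for v in vals)
    if op in ("NE", "NOT_EQUALS"):
        # NE holds only if NO value equals the operand; with a list operand, as in
        # the adminRoles example, no value may equal any listed operand (assumption)
        return not any(v in ops for v in vals)
    if op in ("IN", "IS_ONE_OF"):
        return any(v in ops for v in vals)
    raise ValueError(f"unsupported operator {op}")

def matches_all(obj: dict, conditions: Iterable[tuple]) -> bool:
    """A set of attribute conditions is implicitly ANDed."""
    return all(evaluate(obj, *c) for c in conditions)

def select(users: list[dict], conditions: list[tuple]) -> list[str]:
    return [u["name"] for u in users if matches_all(u, conditions)]

# Constructed sample users (not real data); adminRoles is multi-valued
USERS = [
    {"name": "alice", "adminRoles": ["AR1"]},
    {"name": "bob", "adminRoles": ["ar1", "helpdesk"]},
    {"name": "carol", "adminRoles": ["auditor"]},
    {"name": "dave"},
]
# The two conditions of the admin-role example: has a role, and no role is ar1 or ar2
ADMIN_NOT_AR1_AR2 = [("adminRoles", "IS_PRESENT"), ("adminRoles", "NE", ["ar1", "ar2"])]
```

Note that bob is excluded even though he also holds helpdesk, because NE requires that no value matches; only carol satisfies both conditions.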