Sun Identity Manager Deployment Guide

Using Attribute Conditions

An attribute condition is an expression that tests the values of an attribute. Attribute conditions are commonly used to select the subset of objects that match certain criteria.

Each attribute condition expresses a single criterion and consists of an attribute name, an operator, and, for every operator except IS_PRESENT and NOT_PRESENT, an operand (the example later in this section shows all three parts).

Attribute Condition Operators

AttributeCondition defines the following operators.

Table 1–1 Attribute Condition Operators

Operator
    Description

EQ, EQUALS
    Object has at least one value for the specified attribute that is lexically equal to (ignoring case) the operand.

NE, NOT_EQUALS
    Object has no value for the specified attribute that is lexically equal to (ignoring case) the operand.

GT, GREATER_THAN
    Object has at least one value for the specified attribute that is lexically greater than (ignoring case) the operand.

GE
    Object has at least one value for the specified attribute that is lexically greater than or equal to (ignoring case) the operand.

LE
    Object has at least one value for the specified attribute that is lexically less than or equal to (ignoring case) the operand.

LT, LESS_THAN
    Object has at least one value for the specified attribute that is lexically less than (ignoring case) the operand.

STARTS_WITH
    Object has at least one value for the specified attribute that begins with (ignoring case) the operand; that is, the operand is an initial substring of the value.

ENDS_WITH
    Object has at least one value for the specified attribute that ends with (ignoring case) the operand; that is, the operand is a final substring of the value.

CONTAINS
    Object has at least one value for the specified attribute that contains (ignoring case) the operand as a substring.

IS_PRESENT
    Object has at least one value for the specified attribute. (This operator takes no operand.)

NOT_PRESENT
    Object has no value for the specified attribute. (This operator takes no operand.)

IN, IS_ONE_OF
    Object has at least one value for the specified attribute that is lexically equal to (ignoring case) one of the values in the (list) operand.


Note –

RelationalDataStore optimizes evaluation by translating each attribute condition into a predicate in the WHERE clause of the SQL statement it issues for the operation. No special logic is required for multi-valued attributes: RelationalDataStore generates the SQL needed to apply the condition across all values of such an attribute.


An attribute condition applies to each value of an attribute. Specifically, operator EQ is true if an object has at least one value for the specified attribute that matches the specified operand, and operator NE is true if, and only if, an object has no value for the specified attribute that equals the specified operand. One consequence worth remembering when writing selection rules: NE (and NOT_PRESENT) is true for an object that has no value at all for the attribute, so a rule meant to select objects that have the attribute but not a particular value must add an IS_PRESENT condition.

Implicitly ANDed

A set of attribute conditions is implicitly ANDed. This means that a set of attribute conditions evaluates to true if, and only if, every attribute condition in the set evaluates to true. Conversely, a set of attribute conditions evaluates to false as soon as any attribute condition in the set evaluates to false.

Identity Manager attribute conditions expose operators that are generally useful. Typically, you can express a set of selection criteria using Identity Manager attribute conditions. A few criteria cannot be expressed, but even these are often better addressed by adding (or changing the representation of) a queryable attribute.

Example Scenario: Populating Organizations with User Member Rules

You can use the following attributes to determine the set of users in a given organization:

To get an OR'ed effect, do not use multiple attribute conditions (they would be ANDed). Instead, use the "is one of" operator with a list of operands, as follows:


<list>
  <new class='com.waveset.object.AttributeCondition'>
    <s>firstname</s>
    <s>is one of</s>
    <list>
      <s>Nicola</s>
      <s>Paolo</s>
    </list>
  </new>
</list>

Example Scenario: Including All Users Without Administrative Roles

You need a rule to include all users except those with specified administrative roles.

Because attribute conditions are implicitly ANDed together, you can use two attribute conditions:

Taken together, these conditions specify that the user must have an admin role that is not in the specified list.
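The per-value and implicit-AND rules above, and the two member-rule scenarios, are easy to get wrong for multi-valued attributes, so the following added example (written for this page; it is not Identity Manager code and does not call its API) models Table 1–1 on plain Python dicts, parses the "is one of" rule exactly as written in the XML above, and then applies an assumed shape of the second scenario. Everything beyond the page is an assumption: the sample users are constructed, the attribute name adminRoles and the role names HelpDesk, UserAdmin and AuditAdmin are hypothetical, and the second scenario's conditions are one possible reading (IS_PRESENT ANDed with NE), not the page's own rule. Operator strings are accepted in the Table 1–1 spelling or in the spaced form used by the XML ("is one of").

```python
import xml.etree.ElementTree as ET

# Short operator names from Table 1-1 mapped to their long forms.
ALIASES = {"EQ": "EQUALS", "NE": "NOT_EQUALS", "GT": "GREATER_THAN",
           "LT": "LESS_THAN", "IN": "IS_ONE_OF"}


def normalize_op(op):
    """'is one of' -> IS_ONE_OF, 'NE' -> NOT_EQUALS (case-insensitive)."""
    canon = op.strip().upper().replace(" ", "_")
    return ALIASES.get(canon, canon)


def attr_values(obj, attr):
    """All values of attr, lower-cased because every operator ignores case."""
    raw = obj.get(attr)
    if raw is None:
        return []
    if isinstance(raw, (list, tuple, set)):
        return [str(v).lower() for v in raw]
    return [str(raw).lower()]


def evaluate(condition, obj):
    """Evaluate one (attribute, operator, operand) triple against one object."""
    attr, op, operand = condition
    op = normalize_op(op)
    vals = attr_values(obj, attr)
    if op == "IS_PRESENT":
        return bool(vals)
    if op == "NOT_PRESENT":
        return not vals
    if op == "IS_ONE_OF":
        wanted = {str(x).lower() for x in operand}
        return any(v in wanted for v in vals)
    target = str(operand).lower()
    if op == "NOT_EQUALS":
        # True only when NO value equals the operand, which also makes it
        # true for an object that has no value for the attribute at all.
        return not any(v == target for v in vals)
    per_value = {
        "EQUALS": lambda v: v == target,
        "GREATER_THAN": lambda v: v > target,
        "GE": lambda v: v >= target,
        "LE": lambda v: v <= target,
        "LESS_THAN": lambda v: v < target,
        "STARTS_WITH": lambda v: v.startswith(target),
        "ENDS_WITH": lambda v: v.endswith(target),
        "CONTAINS": lambda v: target in v,
    }
    if op not in per_value:
        raise ValueError(f"unknown operator {op!r}")
    # Every remaining operator is satisfied by at least one matching value.
    return any(per_value[op](v) for v in vals)


def evaluate_all(conditions, obj):
    """A set of conditions is implicitly ANDed."""
    return all(evaluate(c, obj) for c in conditions)


def parse_conditions(xml_text):
    """Read <new class='com.waveset.object.AttributeCondition'> triples."""
    conds = []
    for new in ET.fromstring(xml_text).findall("new"):
        if new.get("class") != "com.waveset.object.AttributeCondition":
            continue
        parts = list(new)  # <s>attribute</s>, <s>operator</s>[, operand]
        operand = None
        if len(parts) > 2:
            third = parts[2]
            operand = ([s.text for s in third.findall("s")]
                       if third.tag == "list" else third.text)
        conds.append((parts[0].text, parts[1].text, operand))
    return conds


def select(conditions, objects):
    """Sorted names of the objects (name -> attributes) matching all conditions."""
    return sorted(n for n, o in objects.items() if evaluate_all(conditions, o))


# Constructed sample users; adminRoles and the role names are hypothetical.
USERS = {
    "nicola": {"firstname": "Nicola", "adminRoles": ["HelpDesk"]},
    "paolo": {"firstname": "paolo", "adminRoles": ["UserAdmin", "AuditAdmin"]},
    "maria": {"firstname": "Maria"},
}

# The page's "is one of" member rule, verbatim.
OR_RULE_XML = """<list>
  <new class='com.waveset.object.AttributeCondition'>
    <s>firstname</s>
    <s>is one of</s>
    <list>
      <s>Nicola</s>
      <s>Paolo</s>
    </list>
  </new>
</list>"""

# Assumed reading of the second scenario: users holding an admin role, minus
# those holding UserAdmin. Because NE means "no value equals", paolo is
# excluded even though he also holds AuditAdmin, and maria is excluded by
# IS_PRESENT rather than admitted by NE.
ADMIN_RULE = [("adminRoles", "is present", None),
              ("adminRoles", "NE", "UserAdmin")]
```

Running select(parse_conditions(OR_RULE_XML), USERS) returns nicola and paolo (the lower-case "paolo" matches because comparison ignores case); select(ADMIN_RULE, USERS) returns only nicola. Dropping the IS_PRESENT condition from ADMIN_RULE would admit maria, which is the NE-on-empty behaviour the text above warns about.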