Implicitly ANDed
A set of attribute conditions is implicitly ANDed. This means that a set of attribute conditions evaluates to true if, and only if, every attribute condition in the set evaluates to true. Conversely, a set of attribute conditions evaluates to false as soon as any attribute condition in the set evaluates to false.
Identity Manager attribute conditions expose operators that are generally useful. Typically, you can express a set of selection criteria using Identity Manager attribute conditions. A few criteria cannot be expressed, but even these are often better addressed by adding (or changing the representation of) a queryable attribute.
Example Scenario: Populating Organizations with User Member Rules
You can use the following attributes to determine the set of users in a given organization:
-
External (to Identity Manager) resource account attributes. In this case, you need both the resource account ID and the resource name (for example, acctid:resname) to find the matching Identity Manager user because more than one Identity Manager user might have the same acctid but on different resources.
-
Identity Manager user account attributes (for example, name, location, manager).
To get the “or’ed” effect, do not use multiple attribute conditions. Instead, use the “is one of” operator with a list of operands, as follows:
<list>
<new class=’com.waveset.object.AttributeCondition’>
<s>firstname</s>
<s>is one of</s>
<list>
<s>Nicola</s>
<s>Paolo</s>
</list>
</new>
</list>
|
Example Scenario: Including All Users Without Administrative Roles
You need a rule to include all users except those with specified administrative roles.
Because attribute conditions are implicitly ANDed together, you can use two attribute conditions:
-
Condition that selects users with at least one admin role (which in effect excludes non-administrative users). This condition specifies that a matching user has at least one value for the adminRoles attribute.
<AttributeCondition> <s>adminRoles</s> <s>exists</s> </AttributeCondition>
-
Condition that excludes users with any of a set of specific admin roles. This condition specifies that no value of the adminRoles attribute is ar1 or ar2.
<AttributeCondition> <s>adminRoles</s> <s>is not</s> <list> <s>ar1</s> <s>ar2</s> </list> </AttributeCondition>
Taken together, these conditions specify that the user must have an admin role that is not in the specified list.
- © 2010, Oracle Corporation and/or its affiliates