A set of attribute conditions is implicitly ANDed. This means that a set of attribute conditions evaluates to true if, and only if, every attribute condition in the set evaluates to true. Conversely, a set of attribute conditions evaluates to false as soon as any attribute condition in the set evaluates to false.
Waveset attribute conditions expose operators that are generally useful. Typically, you can express a set of selection criteria using Waveset attribute conditions. A few criteria cannot be expressed, but even these are often better addressed by adding (or changing the representation of) a queryable attribute.
You can use the following attributes to determine the set of users in a given organization:
External (to Waveset) resource account attributes. In this case, you need both the resource account ID and the resource name (for example, acctid:resname) to find the matching Waveset user because more than one Waveset user might have the same acctid but on different resources.
Waveset user account attributes (for example, name, location, manager).
To get the “or’ed” effect, do not use multiple attribute conditions. Instead, use the “is one of” operator with a list of operands, as follows:
<list> <new class=’com.waveset.object.AttributeCondition’> <s>firstname</s> <s>is one of</s> <list> <s>Nicola</s> <s>Paolo</s> </list> </new> </list> |
You need a rule to include all users except those with specified administrative roles.
Because attribute conditions are implicitly ANDed together, you can use two attribute conditions:
Condition that selects users with at least one admin role (which in effect excludes non-administrative users). This condition specifies that a matching user has at least one value for the adminRoles attribute.
<AttributeCondition> <s>adminRoles</s> <s>exists</s> </AttributeCondition> |
Condition that excludes users with any of a set of specific admin roles. This condition specifies that no value of the adminRoles attribute is ar1 or ar2.
<AttributeCondition> <s>adminRoles</s> <s>is not</s> <list> <s>ar1</s> <s>ar2</s> </list> </AttributeCondition> |
Taken together, these conditions specify that the user must have an admin role that is not in the specified list.