You need a rule to include all users except those with specified administrative roles.
Because attribute conditions are implicitly ANDed together, you can use two attribute conditions:
Condition that selects users with at least one admin role (which in effect excludes non-administrative users). This condition specifies that a matching user has at least one value for the adminRoles attribute.
<AttributeCondition> <s>adminRoles</s> <s>exists</s> </AttributeCondition>
Condition that excludes users with any of a set of specific admin roles. This condition specifies that no value of the adminRoles attribute is ar1 or ar2.
<AttributeCondition> <s>adminRoles</s> <s>is not</s> <list> <s>ar1</s> <s>ar2</s> </list> </AttributeCondition>
Taken together, these conditions specify that the user must have at least one admin role and that none of the user's admin roles is in the specified list. A user who holds ar1 or ar2 alongside other admin roles is therefore excluded, as is a user with no admin roles at all.
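To make the ANDed semantics concrete, here is an added evaluator (example code, not part of the original page or of the product it documents) that parses the two AttributeCondition elements above and applies them to constructed sample users; the Rule wrapper element, the operator handling and the user records are assumptions for the example.

```python
import xml.etree.ElementTree as ET

# The two conditions from the page, wrapped in a constructed <Rule> root so they
# parse as one document.
RULE_XML = """
<Rule>
  <AttributeCondition> <s>adminRoles</s> <s>exists</s> </AttributeCondition>
  <AttributeCondition> <s>adminRoles</s> <s>is not</s> <list> <s>ar1</s> <s>ar2</s> </list> </AttributeCondition>
</Rule>
"""

def parse_conditions(xml_text):
    """Return (attribute, operator, values) per AttributeCondition, in document order."""
    conds = []
    for cond in ET.fromstring(xml_text).iter("AttributeCondition"):
        strings = [s.text.strip() for s in cond.findall("s")]   # direct <s> children only
        attr, op = strings[0], strings[1]
        values = [s.text.strip() for s in cond.findall("list/s")]
        conds.append((attr, op, values))
    return conds

def condition_matches(user, attr, op, values):
    """Evaluate one condition against a user's multi-valued attribute."""
    have = user.get(attr) or []
    if op == "exists":
        return len(have) > 0
    if op == "is not":
        # No value of the attribute may equal any listed value.
        return not any(v in values for v in have)
    raise ValueError(f"unsupported operator {op!r} (hypothetical evaluator)")

def user_selected(user, conditions):
    """Conditions are implicitly ANDed: every one must match."""
    return all(condition_matches(user, *c) for c in conditions)

# Constructed sample users, not from the original page.
USERS = {
    "alice": {"adminRoles": ["ar3"]},          # admin role not listed -> selected
    "bob":   {"adminRoles": ["ar1", "ar3"]},   # holds a listed role   -> excluded
    "carol": {"adminRoles": []},               # not an administrator  -> excluded
    "dave":  {},                               # attribute absent      -> excluded
}

def selected_users(users=USERS, xml_text=RULE_XML):
    conds = parse_conditions(xml_text)
    return sorted(name for name, u in users.items() if user_selected(u, conds))

if __name__ == "__main__":
    print(selected_users())   # ['alice']
```

Note that bob is excluded even though he also holds ar3: "is not" with a list rejects the user if any of the attribute's values is listed.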