Explicit Global User Attribute Rules

Each user has many more attributes than are listed in the previous rule table. You will probably have no need to create rule expressions referencing any of these other attributes. However, should the need arise, you can use the following syntax to refer to a specific user attribute:

%#ldap-attribute%

For instance, if you must determine the value of the user's Suspended field, you would determine the corresponding LDAP attribute name for this field (which is eTSuspended) and create the following rule expression, which evaluates to 0 or 1, the value of eTSuspended:

%#eTSuspended%

As another example, you can obtain the user's assigned provisioning roles with the following rule expression:

%*#eTRoleDN%

These provisioning roles are full LDAP distinguished name values. The values may be a little more useful when combined with the built-in function RDNVALUE (see the table that follows). Note the multi-value indicator asterisk (*), which obtains all of the user's assigned provisioning roles as multiple values.

The substring syntax also applies to these rule expressions, so you could use %#eTTelephone:6,*% to mean the same thing as %UP:6,*%. Each asks CA IdentityMinder to strip off the first five characters of the user's telephone field.
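
The three expression forms above can be modelled with a small evaluator. This is an added illustration, not CA IdentityMinder code. Assumptions: the user entry, its values and the DN layout are constructed; a single-value expression returns the first stored value; a numeric substring length is accepted alongside `*`.

```python
import re

# Constructed sample entry (LDAP attribute -> values); not real directory data.
SAMPLE_USER = {
    "eTSuspended": ["0"],
    "eTTelephone": ["(555)123-4567"],
    "eTRoleDN": [
        "cn=Helpdesk,ou=Roles,dc=example,dc=com",
        "cn=Payroll,ou=Roles,dc=example,dc=com",
    ],
}

# %#attr%            single value
# %*#attr%           all values (multi-value indicator)
# %#attr:offset,len% substring, offset is 1-based, len is '*' or a count
RULE = re.compile(r"%(\*)?#([A-Za-z][A-Za-z0-9-]*)(?::(\d+),(\*|\d+))?%")


def evaluate(expr, entry):
    """Return the list of values a %#attr% style expression yields for entry."""
    m = RULE.fullmatch(expr)
    if m is None:
        raise ValueError(f"unsupported rule expression: {expr!r}")
    multi, attr, offset, length = m.groups()

    values = list(entry.get(attr, []))  # missing attribute -> no values
    if not multi:
        values = values[:1]  # assumption: without '*', only the first value

    if offset is not None:
        start = int(offset) - 1  # ':6,*' skips the first five characters
        if start < 0:
            raise ValueError("substring offset is 1-based")
        end = None if length == "*" else start + int(length)
        values = [v[start:end] for v in values]
    return values


if __name__ == "__main__":
    for rule in ("%#eTSuspended%", "%*#eTRoleDN%", "%#eTTelephone:6,*%"):
        print(rule, "->", evaluate(rule, SAMPLE_USER))
```
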