User Directory Search Expression Editor

The User Directory Search Expression Editor is where you use search expressions to locate users that you want to add to a policy. Search expressions can bind users to a policy based on attributes that appear in user, group, and organization profiles.
The dialog contents change depending on the directory type.
  • Active Directory User Directories
    For Active Directory (AD) user directories, the User Directory Search Expression Editor panel contains the following settings:
    • Manual Entry Field
      Specifies a search filter for the Active Directory user directory.
    • Validate Entry Check Box
      Specifies whether the search filter is validated before the entry is added to the Active Directory user directory.
      Note:
      If validation of the Active Directory search filter fails, clear this check box.
      Default:
      Selected
  • LDAP User Directories
    For LDAP User directories, the User Directory Search Expression Editor panel contains the following settings:
    • Expression Editor Option
      Specifies options to build the search expression. The following options are available:
      Manual Entry
      Specifies that you can manually enter the search expression in the Manual Entry box.
      Expression Builder
      Specifies that you can build the LDAP search expression using the condition options.
If you select Manual Entry in the Expression Editor Option, the following settings are displayed:
    • Where to Search
      Specifies the type of attribute for the search. The following options are available:
      Validate DN
      Verifies the DN of the user. Enter a complete DN for the LDAP user directory and click OK. Any valid DN entry is then added to the list of users in the User Directory dialog.
      Search Users
      Indicates that the search is limited to matches in user entries.
      Search Groups
      Indicates that the search is limited to matches in group entries.
      Search Organizations
      Indicates that the search is limited to matches in organization entries (organizations and organizational units).
      Search Any Entry
      Indicates that the search includes all entries in the directory.
    • Manual Entry
      Allows you to enter the search expression.
If you select Expression Builder in the Expression Editor Option, the following settings help you to build the expression:
    • Where to Search
      Specifies the type of attribute for the search. The following options are available:
      Search Users
      Indicates that the search is limited to matches in user entries.
      Search Groups
      Indicates that the search is limited to matches in group entries.
      Search Organizations
      Indicates that the search is limited to matches in organization entries (organizations and organizational units).
      Search Any Entry
      Indicates that the search includes all entries in the directory.
    • Condition
      Specifies the LDAP or AD attributes that are included in the search criteria. In the Please Select drop-down list, select the attribute. In the next drop-down list, select the operator (contains, approx, greaterOrEqual, equals, lessOrEqual). In the third field, enter the value for the condition.
      Example condition:
      uid equals Tuser1
      Add
      Adds the search condition to the Manual Entry, Infix Notation, and LDAP Notation group boxes.
    • Infix Notation
      Lists all the conditions that you defined using the Where to Search and Condition group boxes.
      You can edit the conditions in an expression using the And/Or, Modify, Not, Remove buttons. To edit a condition, select the condition string in the Infix Notation field then click a button to modify it.
      By default, the second and all subsequent conditions are added to the Infix Notation group box with an "and" operator.
      The buttons operate as follows:
      And/Or
      With the second or subsequent condition selected, places an And/Or operator between two strings. You must have two conditions already defined to use the And/Or operator. Select one condition string and click And/Or to toggle between requiring that both conditions be satisfied during a search (and) and requiring that only one of the two conditions be satisfied (or).
      Modify
      Opens the Edit dialog, which allows you to reenter the condition statement.
      Not
      Places the word "not" in front of a condition string. The Not operator enables you to negate a condition.
      Remove
      Deletes the condition string.
      Add()
      With two or more strings that are selected, add parentheses to the selected conditions.
      Remove()
      With two or more strings that are selected, remove the parentheses from the selected conditions.
    • LDAP Notation
      Displays the complete search expression that you have constructed.
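The following is an added example, not part of the product or this page: it shows how conditions of the kind the Expression Builder collects (attribute, operator, value, combined with and/or/not and parentheses) map onto LDAP filter notation, and it escapes the reserved characters in values as RFC 4515 requires so that a value cannot alter the structure of the filter. The function and operator names are the author's own.

```python
# Added example (not Policy Server code): build an LDAP search filter from
# Expression Builder style conditions, escaping values per RFC 4515.
import re

# Expression Builder operator -> LDAP filter item template
OPERATORS = {
    "equals": "{a}={v}",
    "approx": "{a}~={v}",
    "greaterOrEqual": "{a}>={v}",
    "lessOrEqual": "{a}<={v}",
    "contains": "{a}=*{v}*",   # substring match on the escaped value
}

# Attribute descriptions: letters, digits, '-', '.', and ';' for options
ATTR_RE = re.compile(r"[A-Za-z0-9.;-]+")


def escape_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside an assertion value.
    '*' -> \\2a, '(' -> \\28, ')' -> \\29, '\\' -> \\5c, NUL -> \\00."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def condition(attr: str, operator: str, value: str) -> str:
    """One condition, e.g. ('uid', 'equals', 'Tuser1') -> '(uid=Tuser1)'."""
    if operator not in OPERATORS:
        raise ValueError("unknown operator: %s" % operator)
    if not ATTR_RE.fullmatch(attr):
        raise ValueError("bad attribute name: %r" % attr)
    return "(" + OPERATORS[operator].format(a=attr, v=escape_value(value)) + ")"


def and_(*filters: str) -> str:
    """Infix 'a and b' -> (&(a)(b)); parentheses in the builder group here."""
    return "(&" + "".join(filters) + ")"


def or_(*filters: str) -> str:
    """Infix 'a or b' -> (|(a)(b))."""
    return "(|" + "".join(filters) + ")"


def not_(filt: str) -> str:
    """Infix 'not a' -> (!(a))."""
    return "(!" + filt + ")"


if __name__ == "__main__":
    # Infix: uid equals Tuser1 and not (mail contains example.org)
    print(and_(condition("uid", "equals", "Tuser1"),
               not_(condition("mail", "contains", "example.org"))))
```

The escaping matters when a condition value is copied from an untrusted source: without it, a value such as `*)(uid=*` would close the current item and widen the match.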
  • ODBC and WinNT Directories
    For ODBC and WinNT user directories, the User Directory Search Expression Editor panel contains the following settings:
    • Manual Entry Group Box
      Specifies a manually entered search expression. For Microsoft SQL Server and Oracle, enter a user name or an SQL query. For WinNT, enter a user name.
      Example SQL query for ODBC Databases
      SELECT NAME FROM EMPLOYEE WHERE JOB = 'MGR';
      The Policy Server performs the query as the database user specified in the Username field of the Credentials and Connection tab for the user directory. Before you construct the SQL query, become familiar with the database schema for the user directory. For example, if you are using the SmSampleUsers schema to add specific users, you could select from the SmUser table.
      Note the following criteria:
      • If the manual entry query does not contain a WHERE statement, the WHERE statement from the Init User query field is appended. For example:
        Init User:
        Select Name from SmUser where Name = '%s'
        Manual Entry:
        Select Name from customers
        Result:
        Select Name from customers where Name = '%s'
      • If the manual entry query contains a WHERE statement, the portion of the query following the Init User WHERE statement is appended. For example:
        Init User:
        Select Name from SmUser where Name = '%s'
        Manual Entry:
        Select Name from customers where balance > 1000
        Result:
        Select Name from customers where balance > 1000 and Name = '%s'
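The following is an added example, not Policy Server code, that models the two merge rules above for an ODBC Manual Entry query and the Init User query, and adds a single-SELECT sanity check that an administrator might apply before saving an entry, since the merged query runs with the privileges of the directory's database user. The function names and the check are the author's own assumptions, not product behaviour.

```python
# Added example (not Policy Server code): combine a Manual Entry query with
# the Init User query's WHERE clause following the rules documented above.
import re

WHERE_RE = re.compile(r"\bwhere\b", re.IGNORECASE)
SELECT_RE = re.compile(r"^\s*select\b", re.IGNORECASE)


def init_user_condition(init_user_query: str) -> str:
    """Return the condition after WHERE in the Init User query, e.g. "Name = '%s'"."""
    match = WHERE_RE.search(init_user_query)
    if not match:
        raise ValueError("Init User query has no WHERE clause")
    return init_user_query[match.end():].strip().rstrip(";").strip()


def merge_manual_entry(init_user_query: str, manual_entry: str) -> str:
    """Apply the documented merge rules (simplified: WHERE is matched as a
    bare word, so a WHERE inside a string literal would also count)."""
    condition = init_user_condition(init_user_query)
    manual = manual_entry.strip().rstrip(";").strip()
    if WHERE_RE.search(manual):
        # Rule 2: manual entry already filters, AND the Init User condition on
        return "%s and %s" % (manual, condition)
    # Rule 1: no WHERE in the manual entry, append the whole WHERE clause
    return "%s where %s" % (manual, condition)


def is_single_select(query: str) -> bool:
    """Assumed sanity check: one SELECT statement, no extra statements."""
    body = query.strip().rstrip(";")
    return bool(SELECT_RE.match(body)) and ";" not in body


if __name__ == "__main__":
    init = "Select Name from SmUser where Name = '%s'"
    for entry in ("Select Name from customers",
                  "Select Name from customers where balance > 1000"):
        print(merge_manual_entry(init, entry))
```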