User Directory Search Expression Editor
The User Directory Search Expression Editor is where you use search expressions to locate users that you want to add to a policy. Search expressions can bind users to a policy based on attributes that appear in user, group, and organization profiles.
The dialog contents change depending on the directory type.
- Active Directory User Directories: For Active Directory (AD) user directories, the User Directory Search Expression Editor panel contains the following settings:
  - Manual Entry Field: Specifies a search filter for the Active Directory user directory.
  - Validate Entry Check Box: Specifies whether the search filter is validated before the entry is added to the Active Directory user directory.
    Note: If validation of the Active Directory search filter fails, clear this check box.
    Default: Selected
- LDAP User Directories: For LDAP user directories, the User Directory Search Expression Editor panel contains the following settings:
  - Expression Editor Option: Specifies options to build the search expression. The following options are available:
    - Manual Entry: Specifies that you can manually enter the search expression in the Manual Entry box.
    - Expression Builder: Specifies that you can build the LDAP search expression using the condition options.
  If you select Manual Entry in the Expression Editor Option, the following settings are displayed:
  - Where to Search: Specifies the type of attribute for the search. The following options are available:
    - Validate DN: Verifies the DN of the user. Enter a complete DN for the LDAP user directory and click OK. Any valid DN entry is then added to the list of users in the User Directory dialog.
    - Search Users: Indicates that the search is limited to matches in user entries.
    - Search Groups: Indicates that the search is limited to matches in group entries.
    - Search Organizations: Indicates that the search is limited to matches in organization entries (organizations and organizational units).
    - Search Any Entry: Indicates that the search includes all entries in the directory.
  - Manual Entry: Allows you to enter the search expression.
  If you select Expression Builder in the Expression Editor Option, the following settings help you to build the expression:
  - Where to Search: Specifies the type of attribute for the search. The following options are available:
    - Search Users: Indicates that the search is limited to matches in user entries.
    - Search Groups: Indicates that the search is limited to matches in group entries.
    - Search Organizations: Indicates that the search is limited to matches in organization entries (organizations and organizational units).
    - Search Any Entry: Indicates that the search includes all entries in the directory.
  - Condition: Specifies the LDAP or AD attributes that are included in the search criteria. In the Please Select drop-down list, select the attribute. In the next drop-down list, select the operator (contains, approx, greaterOrEqual, equals, lessOrEqual). In the third field, enter the value for the condition.
    Example condition: uid equals Tuser1
    - Add: Adds the search condition to the Manual Entry, Infix Notation, and LDAP Notation group boxes.
  - Infix Notation: Lists all the conditions that you defined using the Where to Search and Condition group boxes. You can edit the conditions in an expression using the And/Or, Modify, Not, and Remove buttons. To edit a condition, select the condition string in the Infix Notation field, then click a button to modify it. By default, the second and all subsequent conditions are added to the Infix Notation group box with an "and" operator. The buttons operate as follows:
    - And/Or: With the second or a subsequent condition selected, places an And/Or operator between two strings. You must have two conditions already defined to use the And/Or operator. Selecting one condition string and clicking And/Or toggles between requiring that both conditions be satisfied during a search and requiring that only one of the two conditions be satisfied.
    - Modify: Opens the Edit dialog, which allows you to reenter the condition statement.
    - Not: Places the word "not" in front of a condition string. The Not operator enables you to negate a condition.
    - Remove: Deletes the condition string.
    - Add(): With two or more strings selected, adds parentheses around the selected conditions.
    - Remove(): With two or more strings selected, removes the parentheses from the selected conditions.
  - LDAP Notation: Displays the complete search expression that you have constructed.
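As an added illustration (not product code), the following Python builds the LDAP Notation string from Expression Builder-style conditions, using the operator names from the Condition list and the And/Or and Not operations from the Infix Notation box. The operator-to-filter mapping, the escaping of RFC 4515 special characters, and all class and function names are assumptions, since the page does not show how the product renders the expression.

```python
from dataclasses import dataclass
from typing import List, Union

# Operator names as listed in the Condition drop-down on this page, mapped to
# RFC 4515 filter syntax (the mapping is assumed; the page does not show it).
OPERATORS = {
    "equals": "{attr}={val}",
    "contains": "{attr}=*{val}*",
    "approx": "{attr}~={val}",
    "greaterOrEqual": "{attr}>={val}",
    "lessOrEqual": "{attr}<={val}",
}

def escape_value(value: str) -> str:
    """Escape RFC 4515 special characters so that a value typed in the third
    Condition field cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

@dataclass
class Condition:
    attr: str   # attribute chosen in the Please Select list, e.g. "uid"
    op: str     # operator name, a key of OPERATORS
    value: str  # value typed in the third field

@dataclass
class Not:
    operand: "Expr"  # what the Not button produces

@dataclass
class Logical:
    op: str                 # "and" or "or", as toggled with the And/Or button
    operands: List["Expr"]  # conditions grouped with Add()

Expr = Union[Condition, Not, Logical]

def to_ldap(expr: Expr) -> str:
    """Render an expression tree as the LDAP Notation string."""
    if isinstance(expr, Condition):
        body = OPERATORS[expr.op].format(attr=expr.attr, val=escape_value(expr.value))
        return "(" + body + ")"
    if isinstance(expr, Not):
        return "(!" + to_ldap(expr.operand) + ")"
    symbol = "&" if expr.op == "and" else "|"
    return "(" + symbol + "".join(to_ldap(o) for o in expr.operands) + ")"
```

The example condition from this page, uid equals Tuser1, renders as `(uid=Tuser1)`; a value containing `*`, `(`, `)` or `\` is escaped so it is matched literally rather than widening the search.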
- ODBC and WinNT Directories: For ODBC and WinNT user directories, the User Directory Search Expression Editor panel contains the following settings:
  - Manual Entry Group Box: Specifies a manually entered search expression. For Microsoft SQL Server and Oracle, enter a user name or an SQL query. For WinNT, enter a user name.
    Example SQL query for ODBC databases: SELECT NAME FROM EMPLOYEE WHERE JOB = 'MGR';
    The Policy Server performs the query as the database user specified in the Username field of the Credentials and Connection tab for the user directory. Before you construct the SQL query, become familiar with the database schema for the user directory. For example, if you are using the SmSampleUsers schema to add specific users, you could select from the SmUser table.
    Note the following criteria:
    - If the manual entry query does not contain a WHERE statement, the WHERE statement from the Init User query field is appended. For example:
      Init User: Select Name from SmUser where Name = '%s'
      Manual Entry: Select Name from customers
      Result: Select Name from customers where Name = '%s'
    - If the manual entry query contains a WHERE statement, the portion of the Init User query that follows its WHERE statement is appended with an "and" operator. For example:
      Init User: Select Name from SmUser where Name = '%s'
      Manual Entry: Select Name from customers where balance > 1000
      Result: Select Name from customers where balance > 1000 and Name = '%s'
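The two merging rules above, worked as an added Python example that is not Policy Server code, so that you can predict the query that will be run for a given manual entry. The function names and the case-insensitive matching of the WHERE keyword are assumptions; the sample queries are the ones shown on this page.

```python
import re

# Matches the WHERE keyword regardless of case (assumed; the page shows it in lower case).
_WHERE = re.compile(r"\bwhere\b", re.IGNORECASE)


def init_where_clause(init_user_query: str) -> str:
    """Return the condition that follows the Init User query's WHERE keyword."""
    match = _WHERE.search(init_user_query)
    if match is None:
        raise ValueError("Init User query has no WHERE statement")
    return init_user_query[match.end():].strip()


def merge_manual_entry(init_user_query: str, manual_entry: str) -> str:
    """Build the query that results from a manual entry, following the two
    criteria on this page."""
    condition = init_where_clause(init_user_query)
    manual = manual_entry.strip().rstrip(";")
    if _WHERE.search(manual) is None:
        # No WHERE in the manual entry: the Init User WHERE statement is appended.
        return f"{manual} where {condition}"
    # Manual entry already has a WHERE: only the Init User condition is appended.
    return f"{manual} and {condition}"


if __name__ == "__main__":
    # Sample queries taken from the examples on this page.
    init = "Select Name from SmUser where Name = '%s'"
    print(merge_manual_entry(init, "Select Name from customers"))
    print(merge_manual_entry(init, "Select Name from customers where balance > 1000"))
```

Because the Init User condition is appended textually with "and", write a manual WHERE clause that uses "or" inside parentheses so that the appended condition applies to the whole clause rather than only to its last term.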