Summary:
In this guide we will discuss how to check whether a user is a member of a certain group using an expression.
This can be used during policy evaluation or while sending a response.
Environment:
- Policy Server : R12.52+
- OS : ANY
- User Directory : ANY
Instructions:
For illustration purposes, we will configure a response to return true or false depending on whether the user is a member of the group 'HR'.
The expression that needs to be used is:
IsHR=<$expr="%SM_USERGROUPS ~CONTAINS 'CN=HR,CN=Users,DC=ad12,DC=lab'"$>
Where,
%SM_USERGROUPS returns a list of all the groups the user belongs to, separated by the ^ character,
and ~CONTAINS performs a case-insensitive substring search against that list.
The full list of the other available operators is detailed here:
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/attributes-and-expressions-reference/operators
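The following Python script is an added example, not CA Single Sign-On code and not part of the original article. It emulates how the IsHR expression above is evaluated (a ^-separated group list searched with a case-insensitive substring match) against constructed sample values of %SM_USERGROUPS, and contrasts it with a stricter whole-DN comparison (an assumption of this example, not something the article's expression does) to show why a substring match can accept a DN from another domain that merely contains the target DN.

```python
# Added example: emulates the evaluation of the IsHR response expression from the
# article so the semantics of %SM_USERGROUPS and ~CONTAINS can be checked offline.
# This is NOT the product's evaluator; it reproduces only the behaviour the article
# describes (a ^-separated list and a case-insensitive substring search).

SEPARATOR = "^"  # %SM_USERGROUPS joins group DNs with this character (per the article)

HR_GROUP_DN = "CN=HR,CN=Users,DC=ad12,DC=lab"


def contains_case_insensitive(haystack: str, needle: str) -> bool:
    """Emulates the ~CONTAINS operator: case-insensitive substring search."""
    return needle.lower() in haystack.lower()


def evaluate_is_hr(sm_usergroups: str) -> str:
    """Value the IsHR response would carry ('true' or 'false') for the given
    %SM_USERGROUPS string, using the substring semantics of ~CONTAINS."""
    return "true" if contains_case_insensitive(sm_usergroups, HR_GROUP_DN) else "false"


def is_exact_member(sm_usergroups: str, group_dn: str) -> bool:
    """Stricter check (an assumption of this example, not the article's expression):
    split the ^-separated list into individual DNs and compare each whole DN
    case-insensitively, so a longer DN that merely contains the target does not count."""
    groups = [g.strip() for g in sm_usergroups.split(SEPARATOR) if g.strip()]
    return any(g.lower() == group_dn.lower() for g in groups)


# Constructed sample values of %SM_USERGROUPS for four users (not real directory data).
SAMPLE_USERS = {
    "alice": "CN=HR,CN=Users,DC=ad12,DC=lab^CN=Staff,CN=Users,DC=ad12,DC=lab",
    "bob": "CN=Finance,CN=Users,DC=ad12,DC=lab",
    # Lower-case DN: still matched, because ~CONTAINS ignores case.
    "carol": "cn=hr,cn=users,dc=ad12,dc=lab",
    # Substring-only match: the target DN appears inside a DN from a different domain,
    # so ~CONTAINS reports 'true' although the exact-DN check does not.
    "dave": "CN=HR,CN=Users,DC=ad12,DC=lab2",
}

if __name__ == "__main__":
    for user, groups in SAMPLE_USERS.items():
        print(f"{user:6s} IsHR={evaluate_is_hr(groups)} "
              f"exact_member={is_exact_member(groups, HR_GROUP_DN)}")
```

Running the script shows alice and carol as members under both checks, bob under neither, and dave as 'true' only under the substring semantics; if your directory contains DNs that share a prefix with the target group, the difference between the two checks is what decides whether the response can be trusted as an authorization signal.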

Testing Result :
