
Tech Tip - CA Single Sign-On: Policy Server: How to check if a user is a member of a group

By Ujwol posted 04-03-2017 02:24 AM

  

Summary:

In this guide we will discuss how to check whether a user is a member of a certain group using an expression.

This can be used during policy evaluation or while sending a response.

Environment:

  • Policy Server: R12.52+
  • OS: ANY
  • User Directory: ANY

Instructions:

For illustration, we will configure a response that returns true or false depending on whether the user is a member of the group 'HR'.

The expression to use is:

IsHR=<$expr="%SM_USERGROUPS ~CONTAINS 'CN=HR,CN=Users,DC=ad12,DC=lab'"$>

Where:

%SM_USERGROUPS returns the list of all groups the user belongs to, separated by the ^ character,

and ~CONTAINS performs a case-insensitive search of that list for the given string.

The full list of other available operators is documented here:

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/attributes-and-expressions-reference/operators
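To make the semantics above concrete, here is an added example (not code from this tech tip or from CA's Policy Server) that emulates the expression offline: a caret-separated %SM_USERGROUPS value is constructed for a test user, ~CONTAINS is modelled as a case-insensitive substring search, and a stricter whole-DN comparison (a hypothetical helper, not a Policy Server operator) is shown alongside. The sample group list and the is_member_exact helper are assumptions made for the example; the HR group DN is the one used in the expression above.

```python
# Added example: emulates the CA SSO expression
#   %SM_USERGROUPS ~CONTAINS 'CN=HR,CN=Users,DC=ad12,DC=lab'
# This is NOT the Policy Server's own code. It models only the documented
# semantics (caret-separated group list, case-insensitive search) so that the
# behaviour of the expression can be checked offline.

HR_GROUP_DN = "CN=HR,CN=Users,DC=ad12,DC=lab"

# Constructed sample value of %SM_USERGROUPS for a test user. Groups are
# separated by the ^ character; one entry deliberately uses lower case to
# show that the comparison is case-insensitive.
SAMPLE_USERGROUPS = (
    "CN=Domain Users,CN=Users,DC=ad12,DC=lab"
    "^cn=hr,cn=users,dc=ad12,dc=lab"
    "^CN=HRIS-Admins,CN=Users,DC=ad12,DC=lab"
)

# Constructed sample for a user who is NOT in HR but is in a group whose
# name starts with "HR" (a common source of false positives).
HRIS_ONLY_USERGROUPS = "CN=HRIS-Admins,CN=Users,DC=ad12,DC=lab"


def contains_ci(usergroups: str, needle: str) -> bool:
    """Model of ~CONTAINS: case-insensitive substring search over the raw list."""
    return needle.lower() in usergroups.lower()


def is_hr(usergroups: str) -> bool:
    """The IsHR response attribute from the tech tip, as a boolean."""
    return contains_ci(usergroups, HR_GROUP_DN)


def is_member_exact(usergroups: str, group_dn: str) -> bool:
    """Hypothetical stricter check (not a Policy Server operator): split the
    list on ^ and require a whole-DN, case-insensitive match of one entry."""
    wanted = group_dn.strip().lower()
    return any(g.strip().lower() == wanted for g in usergroups.split("^") if g)


if __name__ == "__main__":
    # Matching the full DN, as the tech tip does, identifies the HR member...
    print("HR user, full DN      :", is_hr(SAMPLE_USERGROUPS))
    # ...and does not match a user who is only in HRIS-Admins.
    print("HRIS-only, full DN    :", is_hr(HRIS_ONLY_USERGROUPS))
    # Matching only the short name 'CN=HR' would wrongly match HRIS-Admins.
    print("HRIS-only, 'CN=HR'    :", contains_ci(HRIS_ONLY_USERGROUPS, "CN=HR"))
    # The whole-DN helper agrees with the full-DN expression in both cases.
    print("HR user, exact        :", is_member_exact(SAMPLE_USERGROUPS, HR_GROUP_DN))
    print("HRIS-only, exact      :", is_member_exact(HRIS_ONLY_USERGROUPS, HR_GROUP_DN))
```

The example also shows why the expression matches the complete group DN rather than just 'CN=HR': a substring search on the short name would return true for any group whose name merely begins with HR, which is the kind of false positive a response attribute used in authorization decisions must avoid.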

Testing Result:
