
Tech Tip - CA Single Sign-On: Policy Server: How to check if a user is a member of a group

By Ujwol posted 04-03-2017 02:24 AM



In this guide we will discuss how to check whether a user is a member of a certain group using an expression.

This can be used during policy evaluation or while sending a response.


  • Policy Server : R12.52+
  • OS : ANY
  • User Directory : ANY



For illustration purposes, we will configure a response that returns true or false depending on whether the user is a member of the group 'HR'.


The expression to use is:

IsHR=<$expr="%SM_USERGROUPS ~CONTAINS 'CN=HR,CN=Users,DC=ad12,DC=lab'"$>



%SM_USERGROUPS returns a list of all the groups the user belongs to, separated by the character ^, and ~CONTAINS performs a case-insensitive search.
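
A small Python model of this check, added here as an example (it is not CA Single Sign-On code and not from the original post). It assumes ~CONTAINS behaves as a case-insensitive substring test on the ^-joined string; the sample users and the HR-Contractors and Interns DNs are constructed. Under that assumption it shows why the expression uses the full group DN rather than just 'CN=HR', and how a whole-DN comparison differs.

```python
# Model of the page's expression; not CA SSO code. All sample data is constructed.

HR_DN = "CN=HR,CN=Users,DC=ad12,DC=lab"  # group DN taken from the page's expression


def sm_usergroups(group_dns):
    """Join group DNs the way the page describes %SM_USERGROUPS: separated by '^'."""
    return "^".join(group_dns)


def contains_ci(haystack, needle):
    """ASSUMED semantics of ~CONTAINS: case-insensitive substring search."""
    return needle.lower() in haystack.lower()


def is_member_exact(haystack, group_dn):
    """Stricter check: split on '^' and compare whole DNs, ignoring case."""
    wanted = group_dn.strip().lower()
    return any(dn.strip().lower() == wanted for dn in haystack.split("^"))


def evaluate(user_groups):
    """Compare three ways of testing HR membership on one %SM_USERGROUPS value."""
    return {
        "full_dn_contains": contains_ci(user_groups, HR_DN),   # the page's expression
        "short_contains": contains_ci(user_groups, "CN=HR"),   # too-short pattern
        "exact": is_member_exact(user_groups, HR_DN),          # whole-DN comparison
    }


# Constructed users: a real HR member (DN returned in lower case), a member of a
# similarly named group, and a member of an object whose DN sits below CN=HR.
HR_USER = sm_usergroups([
    "CN=Domain Users,CN=Users,DC=ad12,DC=lab",
    "cn=hr,cn=users,dc=ad12,dc=lab",
])
CONTRACTOR = sm_usergroups(["CN=HR-Contractors,CN=Users,DC=ad12,DC=lab"])
NESTED = sm_usergroups(["CN=Interns,CN=HR,CN=Users,DC=ad12,DC=lab"])

if __name__ == "__main__":
    for name, groups in [("HR_USER", HR_USER), ("CONTRACTOR", CONTRACTOR), ("NESTED", NESTED)]:
        print(name, evaluate(groups))
```

If the model holds for your deployment, test the expression against users in similarly named groups before relying on it for authorization decisions.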


The full list of other available operations is detailed here:



Testing Result :








