Symantec Access Management

  • 1.  Allow '&' character in the condition of Policy in CA SSO Domain

    Posted Apr 06, 2018 07:34 AM

    Hi Team,

     

    We have a requirement in which the role name is "XYZ & ABC". Now we have configured a policy in the CA SSO domain in which we have given the condition as Role=XYZ & ABC, then allow the user to proceed. But CA SSO is not recognizing the '&' symbol. As I remove the & symbol, it works.

     

    Is there any method or escape character to allow & in the role name?

     

    Any help/pointers is greatly appreciated. 

     

    Thanks,

    Shivam



  • 2.  Re: Allow '&' character in the condition of Policy in CA SSO Domain

    Posted Apr 09, 2018 03:01 AM

    Experts,

    Any advice here?



  • 3.  Re: Allow '&' character in the condition of Policy in CA SSO Domain

    Posted Apr 09, 2018 03:41 AM

    Try escaping it with a backslash:

    XYZ \& ABC



  • 4.  Re: Allow '&' character in the condition of Policy in CA SSO Domain

    Posted Apr 09, 2018 11:32 AM

    Hi Ujwol,

    This doesn't work. 

     

    Using this \& displayed \ in the policy. I tried other possible options but it didn't work. I am sure someone must have come across this issue. Could you help us with any pointers here?

     

    Thanks,

    Shivam



  • 5.  Re: Allow '&' character in the condition of Policy in CA SSO Domain

    Posted Apr 09, 2018 12:40 PM

    We could try using EXPRESSION in POLICY to achieve this.

     

    When using EXPRESSION in POLICY, both the User Tab and Expression Tab results have to succeed to allow access to Policy (Rules / Responses within the Policy).

     

    We could test by adding "ALL" in the User Tab. Then in the Expression Tab we write an expression to check Role=XYZ & ABC.

     

     

    Regards

    Hubert



  • 6.  Re: Allow '&' character in the condition of Policy in CA SSO Domain

    Posted Apr 09, 2018 12:53 PM

    Yes HubertDennis. When I use & in the expression in the policy, the & is placed at the start as soon as I add it. For example,

     

    Role= ABC & XYZ

     

    As I add the above expression to the policy, it becomes

     

    (&(Role = ABC XYZ)), hence it's failing to recognize the user with this role.



  • 7.  Re: Allow '&' character in the condition of Policy in CA SSO Domain

    Posted Apr 09, 2018 01:03 PM

    I am pretty sure this will work with expression if you escape with a backslash.

     




  • 8.  Re: Allow '&' character in the condition of Policy in CA SSO Domain

    Posted Apr 09, 2018 01:56 PM

    I tried a lot of options apart from backslash but it didn't work. Please see the snapshot for your reference.

     

    We are using CA SSO 12.6 and this must be a common scenario. Not sure if this is a bug.



  • 9.  Re: Allow '&' character in the condition of Policy in CA SSO Domain
    Best Answer

    Posted Apr 09, 2018 10:05 PM

    Hi Shivam,

     

    Tested this today with 12.6.2. It works for me with the Policy expression.

     

    See the screenshot and the relevant logs below:

    Created a variable:

    Added Policy Expression Condition:

    Added all users:

    Now, I created two users in the user directory:

    1. shruj01 : street attribute = ABC & XYZ

    2. wonsa03 : street attribute = empty

    Tried login with shruj01:

     

    [04/10/2018][07:24:39][2808][][SmJavaAPI.cpp:1238][JavaActiveExpression][][][][][][][][][][][][Active Expression evaluated for SmJavaAPI: JavaActiveExpression successfully invoked. Parameter and result follow:][1976][07:24:39.384][true][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][com.netegrity.scriptevaluation.scriptactiveexpression.ActiveScript (Street=="ABC & XYZ")][][][][][][][][][][]


    [04/10/2018][07:24:39][2808][s405/r8][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][shruj01@ca.com][CN=Ujwol Shrestha,CN=Users,DC=ad12,DC=lab][][][][][][<RVARS><Var name="Street" rtype="3"><![CDATA[ABC & XYZ]]></Var></RVARS>][][][IIS_shruj01-i3842][Send response attribute 147, data size is 71][1976][07:24:39.384][][][html][][][agent-shruj01-i3842][][][][][][][][][][][][][][4J9RpFZNClTDkqMEqn6zTfn2r8bS/Hb2wEitfi88pHVcmg/d6UAdKCdUtOGFThaNIF8hllWWbeSnAdu10GN4kiTO9fJNSmTVC1YpdA7XgoERHsbrGvR6jJo5FcxRKosZWvvB35CnAIGeyQ7B8ys2mj3FZUOPClZhuEkLRTY5xENQPWyZ6xPbpdSLnpdrc352vZybLmLQ5VIzboP23UB4NtcDD+H6acjIVQVjn05hhtu5Iud84YGq4ipx2lwyg2aoGptojjYN0koGVbvM1EqJ47dRFyU6A2LuCqZHlcxW8buYbEHQAAsiqhomP2m1XbzphmgDZTWC3u1Qkw+E26H/mGtqg1CbAPm7rhIN4amw/7T080HcSWlcgSrnoWUKbofIdABrUmZRQ2U/ocrfMwNlYkUS4UIskJeMs/wMR0teF45WJI/tZPmdD/b+30mptj5RLgA9VxW/1D5VOd4tcqBeyw==][][][][][][][][][][][][][AuthorizeEx][3c 52 56 41 52 53 3e 3c 56 61 72 20 6e 61 6d 65 3d 22 53 74 72 65 65 74 22 20 72 74 79 70 65 3d 22 33 22 3e 3c 21 5b 43 44 41 54 41 5b 41 42 43 20 26 20 58 59 5a 5d 5d 3e 3c 2f 56 61 72 3e 3c 2f 52 56 41 52 53 3e ][][][][][][][][][][][][]


    [04/10/2018][07:24:39][2808][s405/r8][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][shruj01@ca.com][CN=Ujwol Shrestha,CN=Users,DC=ad12,DC=lab][][][][][][][][][IIS_shruj01-i3842][** Status: Authorized. ][1976][07:24:39.384][][][html][][][agent-shruj01-i3842][][][][][][][][][][][][][][4J9RpFZNClTDkqMEqn6zTfn2r8bS/Hb2wEitfi88pHVcmg/d6UAdKCdUtOGFThaNIF8hllWWbeSnAdu10GN4kiTO9fJNSmTVC1YpdA7XgoERHsbrGvR6jJo5FcxRKosZWvvB35CnAIGeyQ7B8ys2mj3FZUOPClZhuEkLRTY5xENQPWyZ6xPbpdSLnpdrc352vZybLmLQ5VIzboP23UB4NtcDD+H6acjIVQVjn05hhtu5Iud84YGq4ipx2lwyg2aoGptojjYN0koGVbvM1EqJ47dRFyU6A2LuCqZHlcxW8buYbEHQAAsiqhomP2m1XbzphmgDZTWC3u1Qkw+E26H/mGtqg1CbAPm7rhIN4amw/7T080HcSWlcgSrnoWUKbofIdABrUmZRQ2U/ocrfMwNlYkUS4UIskJeMs/wMR0teF45WJI/tZPmdD/b+30mptj5RLgA9VxW/1D5VOd4tcqBeyw==][][][][][][][][][][][][][][][][][][][][][][][][][][]

     

    Tried login with wonsa03:

     

    [04/10/2018][07:28:45][2800][][SmJavaAPI.cpp:1238][JavaActiveExpression][][][][][][][][][][][][Active Expression evaluated for SmJavaAPI: JavaActiveExpression successfully invoked. Parameter and result follow:][1976][07:28:45.119][false][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][com.netegrity.scriptevaluation.scriptactiveexpression.ActiveScript (Street=="ABC & XYZ")][][][][][][][][][][]
    [04/10/2018][07:28:45][2800][s405/r12][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][wonsa03@ca.com][CN=Kelly Wong,CN=Users,DC=ad12,DC=lab][][][][][][<RVARS><Var name="Street" rtype="3"><![CDATA[]]></Var></RVARS>][][][IIS_shruj01-i3842][Send response attribute 147, data size is 62][1976][07:28:45.119][][][html][][][agent-shruj01-i3842][][][][][][][][][][][][][][jeUwVM7c+hwe22ClQnCpH9rV0wBKSGU3lesWej1g6EmTCbQa9I9ScvBRmGdo5zT2hhQ4SwfnftrG3YpzTN3+fkJLT32DBGL+ZJoYXRYzQzvmbNYucaJjFnp7LByNGB4O69o7U8DVtYXsqjJx6u1hRXd4AMF1uqvPTgLjUT+VdykswJ9Rs7xVYS28HNEorB6QgXfozTpc9cwZqib/gsGjzqD2jp7v0h9kDQwOEOBfrSEODr/MUqdriuGiJZ+WT7ZkQT95wQr5qq4Xk2CBenHhFRtcrIRM0r6YIdn8UYmyhvy0k6+q376ma3gsICmmcihVG/***9E91qpLuntrwdhTk53agznA3DD/weaIFQwmZhUBtPIQU7DaIsSWiemjmrzdrpS4JCFTjtbqiwzQnxYXKOax01+UIejH1NHqVe9CoRVpuvJErNwbdPL7Lx136WMRda8hZnYYnoKT+vIpK7zAqg==][][][][][][][][][][][][][AuthorizeEx][3c 52 56 41 52 53 3e 3c 56 61 72 20 6e 61 6d 65 3d 22 53 74 72 65 65 74 22 20 72 74 79 70 65 3d 22 33 22 3e 3c 21 5b 43 44 41 54 41 5b 5d 5d 3e 3c 2f 56 61 72 3e 3c 2f 52 56 41 52 53 3e ][][][][][][][][][][][][]
    [04/10/2018][07:28:45][2800][s405/r12][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][wonsa03@ca.com][CN=Kelly Wong,CN=Users,DC=ad12,DC=lab][][][][][][][][][IIS_shruj01-i3842][** Status: Not Authorized. ][1976][07:28:45.119][][][html][][][agent-shruj01-i3842][][][][][][][][][][][][][][jeUwVM7c+hwe22ClQnCpH9rV0wBKSGU3lesWej1g6EmTCbQa9I9ScvBRmGdo5zT2hhQ4SwfnftrG3YpzTN3+fkJLT32DBGL+ZJoYXRYzQzvmbNYucaJjFnp7LByNGB4O69o7U8DVtYXsqjJx6u1hRXd4AMF1uqvPTgLjUT+VdykswJ9Rs7xVYS28HNEorB6QgXfozTpc9cwZqib/gsGjzqD2jp7v0h9kDQwOEOBfrSEODr/MUqdriuGiJZ+WT7ZkQT95wQr5qq4Xk2CBenHhFRtcrIRM0r6YIdn8UYmyhvy0k6+q376ma3gsICmmcihVG/***9E91qpLuntrwdhTk53agznA3DD/weaIFQwmZhUBtPIQU7DaIsSWiemjmrzdrpS4JCFTjtbqiwzQnxYXKOax01+UIejH1NHqVe9CoRVpuvJErNwbdPL7Lx136WMRda8hZnYYnoKT+vIpK7zAqg==][][][][][][][][][][][][][][][][][][][][][][][][][][]
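
The check made by reading the trace lines above can be scripted. The following is an added example, not part of the original thread or of the product: it extracts the active expression, its result, the returned attribute value and the final status from each login, and lists any login where the expression result and the status differ. The sample is constructed from the lines above with empty fields and session data dropped, grouping lines by date, time and process id is an assumption, and comparing the two values is only meaningful in a test like this one where the User tab admits all users.

```python
import re

# Constructed sample: the six trace lines from the post with empty fields,
# session blobs and hex dumps dropped. Real lines carry many more fields.
SAMPLE = r'''
[04/10/2018][07:24:39][2808][][SmJavaAPI.cpp:1238][JavaActiveExpression][Active Expression evaluated for SmJavaAPI: JavaActiveExpression successfully invoked. Parameter and result follow:][true][com.netegrity.scriptevaluation.scriptactiveexpression.ActiveScript (Street=="ABC & XYZ")]
[04/10/2018][07:24:39][2808][s405/r8][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][shruj01@ca.com][<RVARS><Var name="Street" rtype="3"><![CDATA[ABC & XYZ]]></Var></RVARS>][Send response attribute 147, data size is 71]
[04/10/2018][07:24:39][2808][s405/r8][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][shruj01@ca.com][** Status: Authorized. ]
[04/10/2018][07:28:45][2800][][SmJavaAPI.cpp:1238][JavaActiveExpression][Active Expression evaluated for SmJavaAPI: JavaActiveExpression successfully invoked. Parameter and result follow:][false][com.netegrity.scriptevaluation.scriptactiveexpression.ActiveScript (Street=="ABC & XYZ")]
[04/10/2018][07:28:45][2800][s405/r12][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][wonsa03@ca.com][<RVARS><Var name="Street" rtype="3"><![CDATA[]]></Var></RVARS>][Send response attribute 147, data size is 62]
[04/10/2018][07:28:45][2800][s405/r12][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][wonsa03@ca.com][** Status: Not Authorized. ]
'''

HEAD = re.compile(r'^\[(\d\d/\d\d/\d{4})\]\[(\d\d:\d\d:\d\d)\]\[(\d+)\]')
EXPR = re.compile(r'\[(true|false)\].*ActiveScript \((.*)\)\]')
USER = re.compile(r'\[([^\[\]@]+@[^\[\]]+)\]')
CDATA = re.compile(r'<!\[CDATA\[(.*?)\]\]>')   # tolerates the ']]' inside a field
STATUS = re.compile(r'\*\* Status: ([^.\]]+)\.')

def correlate(text):
    """Group lines by (date, time, pid), an assumed correlation key, and
    pull out expression, result, user, attribute value and status."""
    groups = {}
    for line in text.splitlines():
        head = HEAD.match(line.strip())
        if not head:
            continue
        rec = groups.setdefault(head.groups(), {})
        for name, rx in (("user", USER), ("value", CDATA), ("status", STATUS)):
            m = rx.search(line)
            if m:
                rec[name] = m.group(1)
        m = EXPR.search(line)
        if m:
            rec["result"], rec["expression"] = m.group(1) == "true", m.group(2)
    return list(groups.values())

def disagreements(records):
    """Records where the expression result and the final status differ."""
    return [r for r in records
            if r.get("result") != (r.get("status") == "Authorized")]
```
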



  • 10.  Re: Allow '&' character in the condition of Policy in CA SSO Domain

    Posted Apr 10, 2018 04:27 AM

    It worked. Thank you Ujwol. Kudos to you



  • 11.  Re: Allow '&' character in the condition of Policy in CA SSO Domain

    Posted Apr 10, 2018 05:21 AM

    Glad to know