
6.x Condition Syntax

This page outlines the syntax for <condition> elements in the v6.x+ version of the WAMulator. For previous versions see SSO Simulator Condition Syntax. Attribute-specific syntax elements have been removed to provide a uniform means of defining conditions based upon evaluation of user attributes, regardless of which attributes are leveraged by the developers of a given application. This approach also maps nicely to the LDAP filters that back OAM conditions known as authorization rules.


The Syntax

The syntax is a String of well-formed XML text. This XML text requires a single top level element (TLE). All elements in the v6.0+ syntax can act as TLEs. The <AND>, <OR>, and <NOT> elements are logical operation elements (LOEs) that provide logical combination of operations on nested elements. The <Attribute> element is a user attribute evaluator (UAE) that evaluates attributes of a user for answering policy questions. All element names are case sensitive and all elements ignore any number of additional attributes. XML comments and character data between elements are also ignored, so white space has no effect on processing. Therefore there is ample provision for documentation to be nested within the syntax if needed. In the examples below attribute names and values are completely hypothetical. Consult the WAM team for available attributes for your application.

  • TLE = top level element: the element can be a standalone or top level element in the syntax for the condition.
  • UAE = user attribute evaluator: used to evaluate some attribute for a user.
  • LOE = logical operation element: used only to perform logical combination of nested elements.


<AND>

Element Type: TLE, LOE
Description and Use
Attributes: none

Use: Supports an unlimited number of nested elements and evaluates to true if all nested elements evaluate to true. Must contain at least one nested UAE at some depth.

Example: Require a user to be a bishop and have an account id of 1234567.

<AND>
 <Attribute name='position' operation='EQUALS' value='p4/*' desc='bishop'/>
 <Attribute name='accntid' operation='EQUALS' value='1234567' desc='bishop'/>
</AND>

<OR>

Element Type: TLE, LOE
Description and Use
Attributes: none

Use: Supports an unlimited number of nested elements and evaluates to true if any nested elements evaluate to true. Must contain at least one nested UAE at some depth.

Example: Require a user to be a bishop OR have an account id of 1234567.

<OR>
 <Attribute name='position' operation='EQUALS' value='p4/*' desc='bishop'/>
 <Attribute name='accntid' operation='EQUALS' value='1234567' desc='bishop'/>
</OR>

<NOT>

Element Type: TLE, LOE
Description and Use
Attributes: none

Use: Supports a single nested element and evaluates to true if that nested element evaluates to false. Must contain exactly one nested element.

Example: Require a user NOT be an employee of the church.

<NOT>
 <Attribute name='employee' operation='EQUALS' value='A'/>
</NOT>


<Attribute>

Element Type: TLE, UAE
Description and Use
Evaluates a single user attribute, providing LDAP simple-filter functionality. Does not support complex filter syntax with parens. Used to enable more straightforward migration to policies in the real WAM SSO environment, where policy conditions are based upon attributes beyond those for which custom condition syntax directives exist. Only evaluates user attributes as injected by a <user-source>, including attributes with more than one value.

Attributes:

name = Required. The user attribute being evaluated including objectclass.

operation = Required. One of exists or equals. For exists the value attribute is ignored, effectively mapping to a simple LDAP filter of "(attribute=*)". For equals a case-insensitive comparison of strings is used and, where wildcarding is used, of substrings. See examples.

value = Required only for an operation of equals. Ignored for an operation of exists. Specifies the evaluation criteria and may include the wildcard character, '*'. To include special characters as actual characters to be searched, use the escaping mechanism of "\code" where code is a two-digit hexadecimal value for the character. Only "*" and "\" must be escaped. Since this directive represents a simple LDAP filter without parens, the parens '(' and ')', exclamation mark (!), ampersand (&), and pipe (|) used in complex LDAP filters do NOT need to be escaped. They will be treated as regular characters.

Use: Supports no nested elements. For exists answers true if the user has an attribute with the specified name. For equals with no wildcard answers true if the attribute value matches the specified value ignoring case. For equals with one or more wildcards answers true if the attribute value contains the corresponding non-wildcard characters in the same order evaluated case insensitively but with zero or more characters where each wildcard character is located. False otherwise.

Example: answers true if a user has an attribute with a name of 'test' and a value of either 'AAA' or 'BBB'.

<OR>
 <Attribute name='test' operation='equals' value='AAA'/>
 <Attribute name='test' operation='equals' value='BBB'/>
</OR>
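As an added example (not part of the WAMulator or this page), here is a small Python evaluator for the syntax described above: it parses a condition string, combines <AND>, <OR> and <NOT>, and implements the exists/equals semantics of <Attribute> including '*' wildcards and "\XX" hex escapes against multi-valued attributes. The sample user and its attribute names are constructed, and treating a backslash that is not followed by two hex digits as a literal character is an assumption.

```python
import re
import xml.etree.ElementTree as ET


def compile_value(pattern):
    """Turn an 'equals' value into a case-insensitive regex: '*' matches zero or
    more characters and '\\XX' (two hex digits) stands for one literal character.
    A backslash not followed by two hex digits is kept literally (assumption)."""
    parts, i = [], 0
    while i < len(pattern):
        ch, hexcode = pattern[i], pattern[i + 1:i + 3]
        if ch == '*':
            parts.append('.*')
            i += 1
        elif ch == '\\' and re.fullmatch(r'[0-9A-Fa-f]{2}', hexcode):
            parts.append(re.escape(chr(int(hexcode, 16))))
            i += 3
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile(''.join(parts), re.IGNORECASE | re.DOTALL)


def evaluate(condition_xml, user):
    """Evaluate a 6.x condition string against a user whose attributes are a
    dict of name -> list of values (multi-valued attributes are allowed)."""
    return _eval(ET.fromstring(condition_xml), user)


def _eval(el, user):
    children = list(el)  # XML comments and text between elements are dropped
    if el.tag in ('AND', 'OR'):
        if not children:
            raise ValueError(f'<{el.tag}> needs at least one nested element')
        combine = all if el.tag == 'AND' else any
        return combine(_eval(c, user) for c in children)
    if el.tag == 'NOT':
        if len(children) != 1:
            raise ValueError('<NOT> takes exactly one nested element')
        return not _eval(children[0], user)
    if el.tag == 'Attribute':  # extra attributes such as desc= are ignored
        values = user.get(el.attrib['name'], [])
        op = el.attrib['operation'].lower()  # page examples use EQUALS and equals
        if op == 'exists':
            return bool(values)
        if op == 'equals':
            rx = compile_value(el.attrib['value'])
            return any(rx.fullmatch(v) for v in values)
        raise ValueError(f'unknown operation {op!r}')
    raise ValueError(f'unknown element <{el.tag}>')  # element names are case sensitive


# Constructed sample user; attribute names and values are hypothetical.
SAMPLE_USER = {'position': ['P4/Bishop', 'p7/clerk'], 'accntid': ['1234567'],
               'test': ['bbb']}
```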

This page was last modified on 15 March 2012, at 23:27.