Example: ADI from entitlement data

This example shows how a rule works on data that is in the authorization credential. It evaluates the following attributes:

azn_cred_principal_name
azn_cred_registry_id
azn_cred_groups

Each xsl:when statement is evaluated in order. The first statement whose conditions are all true returns its result. Each condition tested has a comment that explains its action.
<!-- Example choose rule -->

<xsl:choose>
  <!-- Explicitly allow if the requesting user is myuser0 -->
  <xsl:when test="azn_cred_principal_name = 'myuser0'">
    !TRUE!
  </xsl:when>

  <!-- Explicitly deny if the requesting user is myuser1 -->
  <xsl:when test="azn_cred_principal_name = 'myuser1'">
    !FALSE!
  </xsl:when>

  <!-- Explicitly allow if the requesting user's LDAP DN -->
  <!-- is the same as the one specified here -->
  <xsl:when test="azn_cred_registry_id = 'cn=myuser3,secAuthority=Default'">
    !TRUE!
  </xsl:when>

  <!-- Permit access to any user who is a member of mygroup1 -->
  <!-- but is not a member of mygroup2 -->
  <xsl:when test="azn_cred_groups = 'mygroup1'
    and not (azn_cred_groups = 'mygroup2')">
    !TRUE!
  </xsl:when>

  <!-- Deny everything that no earlier branch matched -->
  <xsl:otherwise>
    !FALSE!
  </xsl:otherwise>
</xsl:choose>

The fourth xsl:when statement uses the not() function to negate the Boolean result of the following test:

azn_cred_groups = 'mygroup2'

The not() function is used instead of the != operator (which is otherwise a valid authorization rule operator) because, in this case, azn_cred_groups is a multi-valued attribute. Multi-valued attributes such as azn_cred_groups return a set of values, referred to as a node-set in XSL, for the condition to test. Each node value in the set is tested against the condition individually, and the condition is true if any node satisfies it. Consequently, whenever the user is a member of any group other than mygroup2, the test azn_cred_groups != 'mygroup2' is always true, even if the user is also a member of mygroup2. To test that a value is absent from a node-set, use the not() function rather than the != operator. For example, not(azn_cred_groups = 'mygroup2') is true only when none of the user's groups is mygroup2.
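To make the difference between not() and != visible on data, the following Python model reproduces the xsl:choose first-match behaviour and the XPath 1.0 rule that a comparison against a node-set is true if any node satisfies it. This is an added example, not code from the original topic and not the product's rule engine; the Credential class, the dn() helper and all sample users and group memberships are constructed for illustration.

```python
# Added illustration (not the product's rule engine): a small model of how
# an xsl:choose authorization rule evaluates against credential attributes,
# reproducing XPath 1.0 comparison semantics for multi-valued node-sets.
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

TRUE = "!TRUE!"
FALSE = "!FALSE!"


@dataclass(frozen=True)
class Credential:
    """Constructed stand-in for the entitlement data available to a rule."""
    principal_name: str            # azn_cred_principal_name (single-valued)
    registry_id: str               # azn_cred_registry_id (single-valued)
    groups: Tuple[str, ...] = ()   # azn_cred_groups (multi-valued node-set)


def nodeset_eq(node_set: Iterable[str], value: str) -> bool:
    """XPath 1.0 'node-set = string': true if ANY node equals the string."""
    return any(node == value for node in node_set)


def nodeset_ne(node_set: Iterable[str], value: str) -> bool:
    """XPath 1.0 'node-set != string': true if ANY node differs from the
    string. For a user in two or more groups this is almost always true,
    which is why != cannot express 'not a member of mygroup2'."""
    return any(node != value for node in node_set)


Rule = List[Tuple[Callable[[Credential], bool], str]]


def choose(cred: Credential, whens: Rule, otherwise: str = FALSE) -> str:
    """xsl:choose: the first xsl:when whose test is true supplies the result;
    xsl:otherwise is the default when no branch matches."""
    for test, result in whens:
        if test(cred):
            return result
    return otherwise


def build_rule(group_test: Callable[[Credential], bool]) -> Rule:
    """The four xsl:when branches from the page, with the group branch
    parameterised so the two spellings of the group test can be compared."""
    return [
        # Explicitly allow myuser0
        (lambda c: c.principal_name == "myuser0", TRUE),
        # Explicitly deny myuser1
        (lambda c: c.principal_name == "myuser1", FALSE),
        # Allow one specific registry DN
        (lambda c: c.registry_id == "cn=myuser3,secAuthority=Default", TRUE),
        # Allow members of mygroup1 who are not members of mygroup2
        (group_test, TRUE),
    ]


# azn_cred_groups = 'mygroup1' and not(azn_cred_groups = 'mygroup2')
RULE_WITH_NOT = build_rule(
    lambda c: nodeset_eq(c.groups, "mygroup1")
    and not nodeset_eq(c.groups, "mygroup2")
)

# azn_cred_groups = 'mygroup1' and azn_cred_groups != 'mygroup2'  (the trap)
RULE_WITH_NE = build_rule(
    lambda c: nodeset_eq(c.groups, "mygroup1")
    and nodeset_ne(c.groups, "mygroup2")
)


def evaluate_with_not(cred: Credential) -> str:
    return choose(cred, RULE_WITH_NOT)


def evaluate_with_ne(cred: Credential) -> str:
    return choose(cred, RULE_WITH_NE)


def dn(user: str) -> str:
    """Constructed registry DN in the same form as the page's example."""
    return f"cn={user},secAuthority=Default"


if __name__ == "__main__":
    # Constructed credentials exercising each branch and the node-set pitfall.
    samples = [
        Credential("myuser0", dn("myuser0"), ("mygroup2",)),     # explicit allow wins
        Credential("myuser1", dn("myuser1"), ("mygroup1",)),     # explicit deny wins
        Credential("myuser3", dn("myuser3"), ()),                 # DN match
        Credential("alice", dn("alice"), ("mygroup1",)),          # group rule: allow
        Credential("bob", dn("bob"), ("mygroup1", "mygroup2")),   # must be denied
        Credential("carol", dn("carol"), ("mygroup2",)),          # no mygroup1: deny
    ]
    for c in samples:
        print(f"{c.principal_name:8} groups={c.groups!s:26} "
              f"not(): {evaluate_with_not(c):8} !=: {evaluate_with_ne(c)}")
```

Running the script shows the two rules agreeing on every user except bob, who belongs to both groups: the not() form denies him as intended, while the != form grants access because his membership of mygroup1 already makes azn_cred_groups != 'mygroup2' true. Checking a rule against a credential that carries several group values is the quickest way to catch this class of over-permissive rule before deployment.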
