Example: ADI from resource manager
This example relies mostly on ADI that is passed in to the access decision call. It also requires an ADI container called printQuota to be stored in the requesting user's credential or passed in as application context. The access decision logic defined by this rule is to permit access only when all of the following conditions are true:
- The user is a member of the printUsers group.
- The requested action is either print (p) or queue a print job for printing later (q).
- The print quota is less than 20. Note that the quota test applies to both actions, not only to queueing.
<xsl:if test='azn_cred_groups = "cn=printUsers,o=ibm,c=us" and (contains(azn_engine_requested_actions,"p") or contains(azn_engine_requested_actions,"q")) and printQuota &lt; 20'> !TRUE! </xsl:if>
The less-than operator is written as the entity &lt; because a raw < is not legal inside an XML attribute value; the XML parser turns it back into < before the test expression is evaluated.
The test condition for the group name returns the correct result regardless of the number of groups the requesting user is in. The condition is an XPath comparison between a node-set and a string: each value within the XML element azn_cred_groups is compared with the DN string, and the comparison is true as soon as any one value matches. The opposite case (the requesting user is not in the printUsers group) requires a slightly different expression, because azn_cred_groups != "..." is also evaluated per value and is true as soon as any one of the user's groups differs from the DN. See Example: ADI from entitlement data for an example of how to test whether a set of values, such as the azn_cred_group_names attribute, does not contain a certain member.
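The following is an added example, not code from the original page or from the product: it extracts the test expression from the rule above and evaluates it with Ruby's REXML XPath engine (a stand-in for the product's own evaluator) against constructed ADI documents, to show how the group comparison behaves for a user in several groups, that the quota test applies to both p and q, and why != is the wrong way to express "not a member". The ADI root element name XMLADI and the layout of one child element per value of a multivalued attribute are assumptions; the credentials and quotas are constructed sample data.

```ruby
require "rexml/document"
require "rexml/xpath"

XSL_NS = "http://www.w3.org/1999/XSL/Transform"

# The page's rule wrapped in a minimal stylesheet skeleton (assumed: the ADI
# document root is named XMLADI and each value of a multivalued attribute is
# a separate child element of the same name). The quota comparison is written
# "printQuota &lt; 20" because a raw "<" is not legal in an XML attribute value.
PRINT_RULE_XSL = <<~XSL
  <xsl:stylesheet xmlns:xsl="#{XSL_NS}" version="1.0">
    <xsl:template match="/XMLADI">
      <xsl:if test='azn_cred_groups = "cn=printUsers,o=ibm,c=us" and (contains(azn_engine_requested_actions,"p") or contains(azn_engine_requested_actions,"q")) and printQuota &lt; 20'>!TRUE!</xsl:if>
    </xsl:template>
  </xsl:stylesheet>
XSL

# Two ways of writing "not a member of printUsers". Only the second is correct
# for a user who is in more than one group (see demo below).
NOT_MEMBER_WRONG = 'azn_cred_groups != "cn=printUsers,o=ibm,c=us"'
NOT_MEMBER_RIGHT = 'not(azn_cred_groups = "cn=printUsers,o=ibm,c=us")'

PRINT_USERS = "cn=printUsers,o=ibm,c=us"
STAFF = "cn=staff,o=ibm,c=us"

# Extracts the XPath expression from the xsl:if test attribute. The XML parser
# expands &lt; back to "<", which is the form the XPath evaluator expects.
def rule_test_expression(xsl_text)
  doc = REXML::Document.new(xsl_text)
  rule_if = REXML::XPath.first(doc, "//xsl:if", { "xsl" => XSL_NS })
  rule_if.attributes["test"]
end

# Builds a constructed ADI document for one access decision. quota: nil models
# the printQuota container being absent from both credential and context.
def adi_document(groups:, actions:, quota: nil)
  parts = ["<XMLADI>"]
  groups.each { |dn| parts << "<azn_cred_groups>#{dn}</azn_cred_groups>" }
  parts << "<azn_engine_requested_actions>#{actions}</azn_engine_requested_actions>"
  parts << "<printQuota>#{quota}</printQuota>" unless quota.nil?
  parts << "</XMLADI>"
  REXML::Document.new(parts.join)
end

# Evaluates an xsl:if test expression with the ADI root as the context node,
# as the template above would, and reports whether the condition holds.
def rule_permits?(test_expr, adi_doc)
  REXML::XPath.first(adi_doc.root, "boolean(#{test_expr})") == true
end

# Runs the rule over constructed credentials and returns the decisions.
def demo
  expr = rule_test_expression(PRINT_RULE_XSL)
  member_of_two = adi_document(groups: [STAFF, PRINT_USERS], actions: "p", quota: 5)
  non_member = adi_document(groups: [STAFF], actions: "p", quota: 5)
  {
    # Member of several groups: "=" is true as soon as one value is the DN.
    member_print_under_quota: rule_permits?(expr, member_of_two),
    # The quota test applies to queueing (q) as well as printing (p).
    member_queue_over_quota: rule_permits?(expr, adi_document(groups: [PRINT_USERS], actions: "q", quota: 25)),
    # Group test fails even though action and quota pass.
    non_member_print: rule_permits?(expr, non_member),
    # Neither p nor q was requested.
    member_read_under_quota: rule_permits?(expr, adi_document(groups: [PRINT_USERS], actions: "r", quota: 5)),
    # printQuota container missing: a comparison against an empty node-set is false.
    member_print_no_quota_adi: rule_permits?(expr, adi_document(groups: [PRINT_USERS], actions: "p")),
    # "!=" on a multivalued attribute is true when ANY value differs, so it
    # wrongly reports a printUsers member as "not a member"...
    not_member_wrong_for_member: rule_permits?(NOT_MEMBER_WRONG, member_of_two),
    # ...whereas not(... = ...) is true only when NO value matches.
    not_member_right_for_member: rule_permits?(NOT_MEMBER_RIGHT, member_of_two),
    not_member_right_for_non_member: rule_permits?(NOT_MEMBER_RIGHT, non_member),
  }
end

demo.each { |name, permitted| puts "#{name}: #{permitted}" } if $PROGRAM_NAME == __FILE__
```

The absent-quota case is evaluated here purely as XPath (an empty node-set compared with a number is false); what the authorization engine does when a required ADI container cannot be obtained at all is governed by the engine, not by this expression.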
Parent topic: Examples of authorization rules