filtering on multi-valued attributes

James Bardin jbardin at
Tue Sep 27 15:38:40 BST 2011

On Tue, Sep 27, 2011 at 10:26 AM, Chad La Joie <lajoie at> wrote:
> On Sep 27, 2011, at 10:20 AM, James Bardin wrote:
>> Hello,
>> Is it possible to release an attribute based on matching a single
>> value from within multi-valued attribute?
> Yes
>> For example, I want to add "member" to eduPersonScopedAffiliation, but
>> that's only valid if:
> Filters never add anything so you can't do that.

Sorry, I meant I wanted to release it *if* one of the other values matches.

>> - First of all, the filter bails on the first unmatched value, and
>> doesn't get to evaluate further. This my main issue, as I'm unsure how
>> to iterate over all the values in one logical block.
> What filter?

My first inclination was to use something like this:

<AttributeRule attributeID="scopedMemberAffiliation">
    <PermitValueRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeValueString"
attributeID="eduPersonAffiliation" value="staff"/>
        <basic:Rule xsi:type="basic:AttributeValueString"
attributeID="eduPersonAffiliation" value="student"/>
        <basic:Rule xsi:type="basic:AttributeValueString"
attributeID="eduPersonAffiliation" value="faculty"/>

> The filter engine knows nothing about the encoded form of the attribute.  If it's seeing the value "member" it's because it is in a value in the attribute you've specified.

Yeah, the cold meds are messing with my head, it isn't because of the
encoded form. I still don't understand though, why my permit-rule to
match eduPersonAffiliation, is failing with the value that's in


More information about the users mailing list