filtering on multi-valued attributes

Christopher Bongaarts cab at umn.edu
Tue Sep 27 16:41:23 BST 2011


James Bardin wrote:
> On Tue, Sep 27, 2011 at 10:51 AM, Chad La Joie <lajoie at itumi.biz> wrote:
>> Okay, so that will allow the values 'staff', 'student', and 'faculty' of the attribute with the id 'scopedMemberAffiliation' to be released (assume no other rule denies them).  So, nothing there is going to release, or deny the release of, a value of 'member'.
> 
> Yes, that makes sense. I'm not certain how I got to this point now :/
> 
> OK, so ignoring the nonsensical pieces of this thread, how should I go
> about doing this?
> I moved the logic up into the PolicyRequirementRule, but I just can't
> seem to get a match within multiple values.

We implemented something similar to what I think you want.  We use a 
ScriptedAttributeDefinition in the attribute resolver that takes in our 
raw "person type" values from LDAP, adds them as ePSA values, then 
selectively adds "member" (and a couple others) if their person types 
(or other attributes) warrant it.

Then we use the attribute filter to selectively release values of ePSA 
to the SPs that need them.

-- 
%%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%
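
The two-stage approach described in the message above, modelled in plain JavaScript as an added example. It is not code from the original post and does not use the Shibboleth scripting API; the scope, the person types, the rule for deriving "member" and the SP entity IDs are all constructed assumptions.

```javascript
// Stage 1 (resolver): turn raw LDAP person types into ePSA values and
// derive "member" when a qualifying type is present.
const SCOPE = "example.edu";                                    // assumed scope
const MEMBER_TYPES = new Set(["staff", "student", "faculty"]);  // assumed rule

function resolveAffiliations(personTypes) {
  const values = new Set();                 // Set removes duplicate values
  for (const raw of personTypes) {
    const type = String(raw).trim().toLowerCase();
    if (type) values.add(`${type}@${SCOPE}`);
  }
  // "member" is computed here, never read from the directory.
  if ([...values].some((v) => MEMBER_TYPES.has(v.split("@")[0]))) {
    values.add(`member@${SCOPE}`);
  }
  return [...values];
}

// Stage 2 (filter): per-SP allow-list applied to each value, not to the
// attribute as a whole. A Map avoids matching inherited object keys.
const RELEASE_POLICY = new Map([
  ["https://library.example.org/sp", ["member"]],
  ["https://lms.example.org/sp", ["student", "faculty", "member"]],
]);

function filterForSp(spEntityId, values) {
  // Unknown SPs get an empty allow-list: default deny.
  const allowed = new Set(RELEASE_POLICY.get(spEntityId) || []);
  return values.filter((v) => allowed.has(v.split("@")[0]));
}

// Constructed sample: a staff member who is also an alum.
const resolved = resolveAffiliations(["Staff", "alum"]);
console.log(filterForSp("https://library.example.org/sp", resolved));
console.log(filterForSp("https://unknown.example.net/sp", resolved));
```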

