filtering on multi-valued attributes

Christopher Bongaarts cab at
Tue Sep 27 16:41:23 BST 2011

James Bardin wrote:
> On Tue, Sep 27, 2011 at 10:51 AM, Chad La Joie <lajoie at> wrote:
>> Okay, so that will allow the values 'staff', 'student', and 'faculty' of the attribute with the id  'scopedMemberAffiliation' to be released (assume no other rules denies them).  So, nothing there is going to release, or deny the release of, a value of 'member'.
> Yes, that makes sense. I'm not certain how I got to this point now :/
> OK, so ignoring the nonsensical pieces of this thread, how should I go
> about doing this?
> I moved the logic up into the PolicyRequirementRule, but I just can't
> seem to get a match within multiple values.

We implemented something similar to what I think you want.  We use a 
ScriptedAttributeDefinition in the attribute resolver that takes in our 
raw "person type" values from LDAP, adds them as ePSA values, then 
selectively adds "member" (and a couple others) if their person types 
(or other attributes) warrant it.

Then we use the attribute filter to selectively release values of ePSA 
to the SPs that need them.

%%  Christopher A. Bongaarts   %%  cab at          %%
%%  OIT - Identity Management  %%  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%

More information about the users mailing list