filtering on multi-valued attributes

James Bardin jbardin at
Tue Sep 27 16:55:36 BST 2011

On Tue, Sep 27, 2011 at 11:39 AM, Cantor, Scott <cantor.2 at> wrote:
> Personally, I would move script logic for generating the desired set of
> values over to the resolver and not try and limit release of specific
> values, but if you really wanted to release member iff some condition, I
> think you would need a Permit rule that did an AND between "value is
> member" and "value of attribute Foo is XXX" in some combination.

Thanks Scott. I'll give that a try - I just though I could add it
regardless, and filter it after the fact.

On Tue, Sep 27, 2011 at 11:41 AM, Christopher Bongaarts <cab at> wrote:
> We implemented something similar to what I think you want.  We use a
> ScriptedAttributeDefinition in the attribute resolver that takes in our
> raw "person type" values from LDAP, adds them as ePSA values, then
> selectively adds "member" (and a couple others) if their person types
> (or other attributes) warrant it.

Thanks, I'll give this a try. There's some similar examples in the
ResolverScriptAttributeDefinitionExamples wiki page.


More information about the users mailing list