Configuration Guides › Policy Server Configuration Guide › Policies › Expressions in Policies

Expressions in Policies

eTelligent Rules makes available a set of variables for use in policy expressions.

Expressions extend policies to include dynamic information evaluated at runtime. Variable objects may be used in expressions to create a boolean set of conditions that determines entitlements for the resources protected by the policy.

To use variable objects in an active policy expression, you must configure a policy object and build the appropriate boolean expression using the Expression dialog. The interface is similar to the LDAP Search Expression editor described in Add LDAP Expressions to Policies.

Note: Expressions may be added to other data supported by policy objects as shown in the following figure.

Note: Active expressions and named expressions are not the same. While both types of expressions are evaluated at run-time, they differ in the following ways:

• While active expressions are Boolean expressions, named expressions can return a string, number, or Boolean value.
• While active expressions are referenced as is and must be reentered each time that they are used, named expressions are referenced by name and can be referenced from anywhere and reused.

More information:

Variables

SOA Policy Expressions

SOA Security Manager provides the following predefined variable objects that can be used in policy expressions to dynamically extend your policies to include the following information about an incoming web service request:

• Transport over which the message was sent (HTTP or HTTPS).
• SOAP message envelope (including WS‑Security headers).
• Message payload (the body of the message, which represents the details of the transaction).
• SAML Session Ticket assertions.