Policy Server Guides › Policy Server Configuration Guide › User Directories › User Attribute Mapping › Apply User Attribute Mapping › Account Status Use Case

Account Status Use Case

This use case shows how you can use a mask attribute mapping and a calculated expression attribute mapping to identify user accounts that are disabled in Directory A and Directory B.

Given:

1. Directory A identifies disabled accounts with a user attribute named AccountStatus, which is a set of flags. The second bit indicates a disabled account.
2. Directory B identifies disabled accounts with a user attribute named u_disabled. When u_disabled is equal to "y", the account is disabled. When u_disabled is equal to "n", the account is active.

Solution:

1. Create a mask attribute mapping for Directory A:
   • Name the mapping IsDisabled.
   • Define the mapping as AccountStatus:2, where:
     • The bit pattern is stored in AccountStatus.
     • The bit mask is 2 (decimal).
2. Create a calculated expression attribute mapping for Directory B:
   • Name the mapping IsDisabled.
   • Define the mapping as:

     (u_disabled = "y")
     

     where u_disabled is a Boolean expression.

Result:

You can reference IsDisabled when defining policies, expressions, or other objects that must determine the account status of users, without concern for the directory-specific schema, because the directories are operationally identical. SiteMinder checks the bit pattern to determine if a user is disabled when referencing Directory A and performs the calculation to determine if a user is disabled when referencing Directory B.