Apply Named Expressions
This use case represents a scenario in which a retail clothing company wants to define a role that prevents customers from making Web-based credit purchases if they have met or exceeded their credit limit. The company policy dictates that customers have a $1,000 credit limit, while company employees have a $2,000 credit limit.
In this use case, the SiteMinder environment contains two user directories:
- Directory A stores employees. Employees can also be customers. Therefore, Directory A identifies customers as those employees who are members of the group: cn=Customers,ou=Groups,o=acme.com.
- Directory B only stores customers. Because every user is a customer, Directory B does not have a user attribute that identifies customers.
The following steps show how you can use attribute mapping, virtual user attributes, and user classes to satisfy the company's credit policy.
- Create user attribute mappings and a universal schema or common name that identifies customers for each user directory:
  - Create a group name attribute mapping for Directory A (employees):
    - Name the mapping IsCustomer.
    - Define IsCustomer as cn=Customers,ou=Groups,o=acme.com.
  - Create a constant attribute mapping for Directory B (customers):
    - Name the mapping IsCustomer.
    - Define IsCustomer as TRUE.
Note: IsCustomer is a common name that maps to the same user information in Directories A and B. To access this information, you can use IsCustomer in an expression.
- Create constant attribute mappings and a universal schema or common name that identifies the company's credit limit for each user directory:
  - Create a constant attribute mapping for Directory A (employees):
    - Name the mapping CreditLimit.
    - Define CreditLimit as 2000.
  - Create a constant attribute mapping for Directory B (customers):
    - Name the mapping CreditLimit.
    - Define CreditLimit as 1000.
Note: CreditLimit is a common name that maps to the same user information in Directories A and B. To access this information, you can use CreditLimit in an expression.
- Assume that #CreditBalance is a virtual user attribute that retrieves the user's credit balance from the accounting database.
- Create a user class that returns a TRUE value if a customer's credit balance is under the credit limit:
- Create an EPM Role that lets customers make Web-based purchases if their credit balance is less than their credit limit:
  - Name the Role PurchaseWithCredit.
  - Define the Role as @IsUnderCreditLimit.
Note: For more information about EPM Roles, see Enterprise Policy Management.
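
The following Python model is an added example, not SiteMinder expression syntax and not part of the product documentation. It shows how the common names IsCustomer and CreditLimit resolve differently per directory and how the role decision follows from them. The sample users, the balance table standing in for #CreditBalance, the combination of IsCustomer with the balance comparison, and the choice to deny when no balance is returned are all assumptions made for illustration.

```python
# Python model of the use case above; not SiteMinder expression syntax.
from dataclasses import dataclass, field
from typing import Optional

CUSTOMERS_GROUP = "cn=Customers,ou=Groups,o=acme.com"

@dataclass
class User:
    name: str
    directory: str                        # "A" (employees) or "B" (customers)
    groups: set = field(default_factory=set)

# Attribute mappings: one common name, one resolver per user directory.
MAPPINGS = {
    "A": {
        "IsCustomer": lambda u: CUSTOMERS_GROUP in u.groups,  # group name mapping
        "CreditLimit": lambda u: 2000,                         # constant mapping
    },
    "B": {
        "IsCustomer": lambda u: True,                          # constant mapping
        "CreditLimit": lambda u: 1000,                         # constant mapping
    },
}

# Constructed stand-in for the accounting database behind #CreditBalance.
BALANCES = {"alice": 1500, "bob": 2000, "carol": 999, "dave": 1000, "erin": 100}

def resolve(user: User, common_name: str):
    """Look up a common name through the mapping of the user's directory."""
    return MAPPINGS[user.directory][common_name](user)

def credit_balance(user: User) -> Optional[int]:
    return BALANCES.get(user.name)        # None when no record is found

def is_under_credit_limit(user: User) -> bool:
    """Model of the IsUnderCreditLimit user class (assumed definition)."""
    balance = credit_balance(user)
    if balance is None:                   # assumption: unknown balance is denied
        return False
    # Strict comparison: a balance that has met the limit is not under it.
    return resolve(user, "IsCustomer") and balance < resolve(user, "CreditLimit")

def purchase_with_credit(user: User) -> bool:
    """Model of the PurchaseWithCredit role, defined as @IsUnderCreditLimit."""
    return is_under_credit_limit(user)
```
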