Named expressions:
Named expressions are stored in the policy store as objects that can be referenced by name and reused. SiteMinder evaluates named expressions to determine the values of calculated user attributes.
System administrators create each named expression once. Domain administrators reference the expression name, not the underlying expression, to obtain user information. Administrators do not have to reenter the entire expression each time that the user information is required.
System administrators create and manage named expressions in one place. If an expression must be changed, the administrator makes the change only once.
If business logic requires a change to an expression, system administrators make the change only once. Domain administrators can continue to reference the expression name without regard for the underlying change.
Only administrators who have the appropriate privileges can create named expressions. Named expressions can call privileged built-in functions and any named expression, including those that are marked as private.
For example, a named expression can call a private expression that adds the current user to a group, while an unnamed expression cannot. This restriction prevents a domain administrator from bypassing security, such as by adding the current user to an administrative group.
Copyright © 2010 CA. All rights reserved.