Named Expressions

Policy Server Guides › Policy Server Configuration Guide › User Directories › Named Expressions

Named Expressions

User directories store user attributes such as organizational information, user and group attributes, and individual credentials. SiteMinder can read some user attribute values directly from the user directory, while other values must be calculated each time that they are needed. These calculations are stored as expressions that can be named or unnamed.

Named expressions are policy store objects that you reference by name and reuse in security policies defined in application objects. Unnamed expressions are stored in domain objects like responses and rules for use in traditional security policies.

Note: Named expressions can only be used in application objects. Named expressions cannot be used in traditional security policies defined using domain objects like responses and rules.

SiteMinder evaluates all expressions, both named and unnamed, to determine the values of calculated user attributes.

To create named expressions, an administrator must have the appropriate privileges.

Note: Active expressions and named expressions are not the same. While both types of expressions are evaluated at run-time, they differ in the following ways:

While active expressions are Boolean expressions, named expressions can return a string, number, or Boolean value.
While active expressions are referenced as is and must be reentered each time that they are used, named expressions are referenced by name and can be referenced from anywhere and reused.

More information:

User Attribute Mapping

Benefits of Named Expressions

Named expressions:

Apply to multiple user directories
Named expressions are stored in the policy store as objects that can be referenced by name and reused. SiteMinder evaluates named expressions to determine the values of calculated user attributes.
Facilitate ease of reuse
System administrators create each named expression once. Domain administrators reference the expression name, not the underlying expression, to obtain user information. Administrators do not have to reenter the entire expression each time that the user information is required.
Reduce data entry errors
System administrators create and manage named expressions in one place. If an expression must be changed, the administrator only makes the change once.
Ease maintenance tasks
If business logic requires a change to an expression, system administrators only make the change once. Domain administrators can continue to reference the expression name without regard for the underlying change.
Enforce security
Only administrators who have the appropriate privileges can create named expressions. Named expressions can call privileged built-in functions and any named expression, including those that are marked as private.

For example, a named expression can call a private expression that adds the current user to a group, while an unnamed expression cannot. This restriction prevents a domain administrator from bypassing security, such as adding the current user to an administrative group.

Define Named Expressions

Named expressions are policy store objects that can be referenced by name and reused in security policies defined in application objects.

Note: Named expressions can only be used in application objects. Named expressions cannot be used in traditional security policies defined using domain objects like responses and rules.

SiteMinder evaluates named expressions to determine the values of calculated user attributes.

There are two types of named expressions:

Virtual User Attributes

A virtual user attribute lets you define a re-usable expression to calculate user information. You use this type of expression when the user attribute is not uniquely referenced by the user directory. Rather, the user attribute must be calculated using attributes and other criteria that is established by business logic.

Virtual user attributes name expressions that result in values having one of the following data types:

string
number
Boolean

Virtual user attributes are prefixed by the "pound" sign (#). The "pound" sign prevents name clashes with user attribute names and mappings and is a visual reminder that the user attribute value is calculated.

As an expression, a virtual user attribute can include:

User attributes, either directory-specific or mapped
References to other named expressions
SiteMinder built-in functions and expression syntax

Note: Named expressions can only be used in application objects. Named expressions cannot be used in traditional security policies defined using domain objects like responses and rules.

More information:

Expression Syntax Overview

Virtual User Attribute Use Case

This use case represents a basic scenario in which two LDAP user directories identify the last and first names of users with different underlying schema.

The following illustration shows how the virtual user attribute #SortName (LastName,FirstName) can be calculated for users in different user directories through user attribute mapping. User attribute mapping lets you map one common name to different user attribute names in different user directories.

Graphic showing how the virtual user attribute #SortName can be calculated for users in different user directories

Two user directories identify the last and first names of users differently. To create a common view of this information, you can create user attribute mappings:
- FirstName maps to the underlying directory schema that identify the first names of users in Directory A and Directory B.
- LastName maps to the underlying directory schema that identify the last names of users in Directory A and Directory B.
#SortName is a virtual user attribute that can calculate the sort name of users in both directories with the following expression:
```
(LastName + "," + FirstName)
```
Instead of entering the expression (LastName + "," + FirstName) repeatedly, you can create a virtual user attribute named #SortName that is defined as: (FirstName + "," + LastName). Then, you can enter #SortName each time that the expression is needed.