

Define a Virtual User Attribute

You define a virtual user attribute to calculate user information that is not uniquely referenced by one or more user directories.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

To define a virtual user attribute

  1. Click Policies, Expressions.
  2. Click Named Expression, Create Named Expression.

    The Create Named Expression pane opens.

  3. Verify that a new object of type Expression is selected, and click OK.

    The Create Named Expression: Name pane opens.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  4. Select Virtual User Attribute, and type the name and a description in the fields on the General group box.
  5. Type the expression in the Expression field on the Add Named Expression group box.
  6. (Optional) Select the Disabled check box on the Add Named Expression group box.

    The named expression is marked as disabled, is not listed in the expression editor, and cannot be called by another expression, named or unnamed.

  7. (Optional) Select the Private check box on the Add Named Expression group box.

    The named expression is marked as private and can only be called by other named expressions; it cannot be called by unnamed expressions.

  8. (Optional) Click Edit on the Add Named Expression group box.

    The Expression Editor pane opens.

  9. Click Submit.

    The Create Named Expression task is submitted for processing.

User Classes

A user class lets you define a reusable expression to calculate user information. You use this type of expression when the user attribute is not uniquely referenced by the user directory. Instead, the user attribute must be calculated from other attributes and criteria that are established by business logic.

A user class names an expression that returns a TRUE value if a user is a member of a specified class or a FALSE value if not.

User classes are prefixed by the "at" symbol (@). The "at" symbol prevents name clashes with user attribute names and mappings and is a visual reminder that the user attribute value is calculated.

As an expression, a user class can include:

Note: Named expressions can only be used in application objects. Named expressions cannot be used in traditional security policies defined using domain objects like responses and rules.

A user class is not a role. A role is a feature of Enterprise Policy Management. While roles can use user classes, they have additional information associated with them. For more information about roles, see Enterprise Policy Management.

More information:

Expression Syntax Overview

User Class Use Case

This use case represents a basic scenario in which two LDAP user directories identify membership in the Administrator group using different underlying schemas.

The following illustration details how the user class @Admin can be calculated for users in different user directories through user attribute mapping. User attribute mapping lets you map one common name to different user attribute names in different user directories.

Graphic showing how the user class @Admin can be calculated for users in different user directories

  1. Two user directories identify membership in the Administrator group differently. To create a common view of this information, you can create user attribute mappings:
  2. @Admin is the named expression of type user class that SiteMinder evaluates to determine if users in both directories are Administrators:
    (IsAdmin)
    
  3. Instead of entering the expression (IsAdmin) repeatedly, you can create a user class named @Admin that is defined as: (IsAdmin). Then, you can enter @Admin each time that the expression is needed.
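The following Python program is an added worked example, not SiteMinder code and not the page's own mapping definitions. It models the two ideas on this page: user attribute mapping (one common name, IsAdmin, resolved differently in each directory) and named expressions of type user class (@Admin defined as (IsAdmin)), including the Disabled and Private semantics from the procedure above (a disabled expression cannot be called at all; a private one can be called only from another named expression, not from an unnamed expression). The directory records, the attribute names memberOf and adminFlag, the extra classes @Helper, @Staff and @Retired, and the AND/OR/NOT keyword handling are all constructed assumptions for illustration; the real SiteMinder expression syntax and mapping configuration are described elsewhere in this documentation.

```python
"""Toy evaluator for user-class expressions over mapped user attributes.

Added example only; not SiteMinder code. All directory data, attribute
names and mapping rules below are constructed for illustration.
"""
import ast
import re
from dataclasses import dataclass

# Constructed sample records. The two directories express "is an administrator"
# with different schemas (hypothetical attribute names).
DIRECTORIES = {
    "corp-ldap": {
        "alice": {"memberOf": ["cn=Administrators,ou=Groups,dc=corp,dc=example"]},
        "bob":   {"memberOf": ["cn=Staff,ou=Groups,dc=corp,dc=example"]},
    },
    "partner-ldap": {
        "carol": {"adminFlag": "TRUE"},
        "dave":  {"adminFlag": "FALSE"},
    },
}

# User attribute mapping: one common name, one lookup rule per directory.
ATTRIBUTE_MAPPINGS = {
    "IsAdmin": {
        "corp-ldap":    lambda rec: any(g.lower().startswith("cn=administrators,")
                                        for g in rec.get("memberOf", [])),
        "partner-ldap": lambda rec: rec.get("adminFlag", "").upper() == "TRUE",
    },
}


@dataclass(frozen=True)
class NamedExpression:
    name: str            # user classes carry the @ prefix
    expression: str
    private: bool = False
    disabled: bool = False


# @Admin is the class from the page; the other three are constructed to
# exercise the Private and Disabled flags.
NAMED_EXPRESSIONS = {
    "@Admin":   NamedExpression("@Admin", "(IsAdmin)"),
    "@Helper":  NamedExpression("@Helper", "(IsAdmin)", private=True),
    "@Staff":   NamedExpression("@Staff", "NOT @Helper"),       # named caller of a private class
    "@Retired": NamedExpression("@Retired", "(IsAdmin)", disabled=True),
}


class ExpressionError(Exception):
    """Raised for unknown, disabled, private-misuse or malformed expressions."""


# Only boolean structure and bare names are accepted; everything else is rejected
# before evaluation, so untrusted expression text cannot reach arbitrary Python.
_ALLOWED = (ast.Expression, ast.BoolOp, ast.And, ast.Or,
            ast.UnaryOp, ast.Not, ast.Name, ast.Load)


def _to_python(expr: str) -> str:
    """Rewrite '@Name' as '_uc_Name' and AND/OR/NOT as Python keywords (assumed syntax)."""
    s = re.sub(r"@([A-Za-z_]\w*)", r"_uc_\1", expr)
    return re.sub(r"\b(AND|OR|NOT)\b", lambda m: m.group(1).lower(), s)


def _attribute(name: str, directory: str, record: dict) -> bool:
    mapping = ATTRIBUTE_MAPPINGS.get(name)
    if mapping is None:
        raise ExpressionError(f"no user attribute mapping for {name}")
    if directory not in mapping:
        raise ExpressionError(f"{name} is not mapped for directory {directory}")
    return bool(mapping[directory](record))


def _call_named(name: str, directory: str, user: str, from_named: bool, depth: int) -> bool:
    ne = NAMED_EXPRESSIONS.get(name)
    if ne is None or ne.disabled:
        raise ExpressionError(f"{name} is undefined or disabled and cannot be called")
    if ne.private and not from_named:
        raise ExpressionError(f"{name} is private; only named expressions may call it")
    return evaluate(ne.expression, directory, user, from_named=True, _depth=depth + 1)


def evaluate(expr: str, directory: str, user: str, *, from_named: bool = False, _depth: int = 0) -> bool:
    """Evaluate an (unnamed, unless from_named) expression for one user in one directory."""
    if _depth > 32:
        raise ExpressionError("named expressions nest too deeply")
    tree = ast.parse(_to_python(expr), mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED):
            raise ExpressionError(f"disallowed syntax: {type(node).__name__}")
    record = DIRECTORIES[directory][user]

    def visit(node):
        if isinstance(node, ast.Expression):
            return visit(node.body)
        if isinstance(node, ast.BoolOp):
            values = [visit(v) for v in node.values]
            return all(values) if isinstance(node.op, ast.And) else any(values)
        if isinstance(node, ast.UnaryOp):
            return not visit(node.operand)
        if node.id.startswith("_uc_"):                       # a user class reference
            return _call_named("@" + node.id[4:], directory, user, from_named, _depth)
        return _attribute(node.id, directory, record)        # a mapped user attribute

    return bool(visit(tree))


def rejected(expr: str, directory: str, user: str) -> bool:
    """True if the unnamed expression is refused (disabled, private, unknown, malformed)."""
    try:
        evaluate(expr, directory, user)
    except ExpressionError:
        return True
    return False


if __name__ == "__main__":
    for directory, users in DIRECTORIES.items():
        for user in users:
            print(f"{directory}/{user}: @Admin = {evaluate('@Admin', directory, user)}")
```

The same unnamed expression, @Admin, yields the right answer for users in either directory because the directory-specific logic lives in the IsAdmin mapping, not in the class; that is the point of the use case. The private class @Helper is refused when called directly but works when reached through the named class @Staff, and the disabled @Retired is refused everywhere.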