Users/Groups Dialog Fields and Controls
Current Members

Lists the users and groups currently included in the policy, affiliate, or SAML Service Provider.

Available Members

Lists the users and groups that are available for inclusion in the policy, affiliate, or SAML Service Provider.

Entry

Specify users or groups to be added to the policy, affiliate, or SAML Service Provider without using the Current and Available Members lists.

For LDAP directories, enter a valid DN in the Manual Entry field.

When entering a manual entry for an LDAP user directory, you can also select one of the following from the Action drop-down list:

Search Users

Indicates that the LDAP search specified in the Entry field is limited to matches in user entries.

Search Groups

Indicates that the LDAP search specified in the Entry field is limited to matches in group entries.

Search Organizations

Indicates that the LDAP search specified in the Entry field is limited to matches in organization entries.

Search Any Entry

Indicates that the LDAP search specified in the Entry field is limited to matches in user, group, and organization entries.

For Microsoft SQL Server, Oracle and WinNT directories, enter a user name in the Manual Entry field.

For a Microsoft SQL Server or Oracle directory, you can enter a SQL query instead. For example:

SELECT NAME FROM EMPLOYEE WHERE JOB = 'MGR';

The Policy Server will perform the query as the database user specified in the Username field of the Credentials and Connection tab for the user directory. When constructing the SQL statement for the Manual Entry field, you need to be familiar with the database schema for the user directory. For example, if you are using the SmSampleUsers schema and want to add specific users, you could select from the SmUser table.

If the manual entry query does not contain a WHERE clause, the WHERE clause from the Init User query field is appended. For example:

Init User: select Name from SmUser where Name = '%s'

Manual Entry: Select Name from customers

Result: select Name from customers where Name = '%s'

If the manual entry query contains a WHERE clause, the portion of the Init User query that follows its WHERE keyword is appended as an additional condition. For example:

Init User: select Name from SmUser where Name = '%s'

Manual Entry: Select Name from customers where balance > 1000

Result: select Name from customers where balance > 1000 and Name = '%s'
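The two merge rules above, modeled as an added Python example (not Policy Server code and not part of the original page) so that an administrator can preview the query that will run as the configured database user. It assumes the append is purely textual, as the Result lines show; the function names and the review checks are hypothetical.

```python
import re

# Whole-word, case-insensitive WHERE. Limitation: a WHERE inside a string
# literal or subquery is not distinguished from the top-level clause.
_WHERE = re.compile(r"\bwhere\b", re.IGNORECASE)

def _clean(sql):
    # Drop surrounding whitespace and any trailing statement terminator.
    return sql.strip().rstrip(";").strip()

def effective_query(init_user, manual_entry):
    """Model the documented merge of a manual entry with the Init User query."""
    match = _WHERE.search(init_user)
    if match is None:
        raise ValueError("Init User query has no WHERE clause to append")
    condition = _clean(init_user[match.end():])
    manual = _clean(manual_entry)
    # No WHERE in the manual entry: append the whole Init User WHERE clause.
    # WHERE already present: append only the condition, joined with "and".
    joiner = "and" if _WHERE.search(manual) else "where"
    return f"{manual} {joiner} {condition}"

def review_findings(manual_entry):
    """Return reasons to look twice at a manual entry before adding it."""
    manual = _clean(manual_entry)
    findings = []
    if not re.match(r"select\b", manual, re.IGNORECASE):
        findings.append("not a SELECT statement")
    if ";" in manual:
        findings.append("more than one statement")
    if _WHERE.search(manual) and re.search(r"\bor\b", manual, re.IGNORECASE):
        # SQL evaluates AND before OR, so a textually appended
        # "and Name = '%s'" constrains only the last OR branch.
        findings.append("OR in WHERE: appended condition binds to last branch only")
    return findings

if __name__ == "__main__":
    init = "select Name from SmUser where Name = '%s'"  # from the page
    samples = [  # first two from the page, third constructed
        "Select Name from customers",
        "Select Name from customers where balance > 1000",
        "Select Name from customers where region = 'EU' or balance > 1000",
    ]
    for entry in samples:
        print(effective_query(init, entry), review_findings(entry))
```

Wrapping the manual entry's own condition in parentheses keeps the appended Init User condition applied to every branch.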

Note: For an LDAP directory, you can enter all in the Manual Entry field to bind the policy, affiliate, or SAML Service Provider to the entire LDAP directory.

Create Expression button and Edit Expression button

Open the Expression Editor. The Expression Editor allows you to bind an LDAP search expression to the policy, affiliate, or SAML Service Provider.

Note: The Create Expression and Edit Expression buttons are only available for LDAP directory connections. If you selected a directory connection on the Users tab associated with an LDAP directory connection, the Expression Editor group box appears to the right of the Manual Entry group box.

Search button

Opens a search dialog associated with the type of user directory.

See one of the following:

Previous/Next/All buttons

When a directory contains enough users and groups to require multiple pages of information, the previous and next buttons page through the available users and groups.

Click the All button to display all users and groups in a single scrolling list.

Left and Right Arrow Buttons

Select users or groups in the Available Members list and click the Left Arrow to move the selected items to the Current Members list.

Select users or groups from the Current Members list and click the Right Arrow to move them to the Available Members list.

You can select multiple users and groups by holding the CTRL or SHIFT key and clicking on items in one of the Members lists. When you select multiple items and click one of the Arrow buttons, all of the selected items are moved to the other list.

Exclude button

Explicitly excludes selected users in the Current Members list. If you exclude users or groups, the following symbol appears to the left of the entry in the Current Members list.

Add to Current Members button

For items you specify in the Manual Entry group box, click this button to add items to the Current Members list.

Validate Entry

(Active Directory) When adding a manual entry for Active Directory, this setting requires that the entry be validated before being added to the Current Members list. If the entry does not represent a user or group in the directory, the entry is not added to the policy.

More information:

Expression Editor

Policy Dialog—Users Tab