Custom expressions

You can use the Custom expression field to define a user class based on the values of any SecureTransport user attributes and LDAP attributes, including custom attributes.

The following LDAP user attributes are supported:

  • fdxUid – User ID (UNIX-based systems only)
  • fdxGid – Group ID
  • fdxHomeDir – Home folder
  • fdxUserType – User type
  • fdxShell – User shell (UNIX-based systems only)
  • fdxSysUser – Name of a local or domain user of the Windows server whose credentials SecureTransport uses to access the Windows files in the session (Windows only)
  • Any custom SecureTransport user attribute defined in the LDAP domain. See Define attribute mappings for a domain.

The following variables, which represent values from the SecureTransport LDAP domain, are supported:

  • LDAP_DOMAIN_ID – Internal ID
  • LDAP_DOMAIN_NAME – Value of the Domain Name field
  • LDAP_DN – Value of the Base DN field
  • LDAP_AUTH_BY_EMAIL – Value of the Login by Email field, 0 for Disabled, 1 for Enabled

The following variables, which represent SSO values for SecureTransport, are supported:

  • SSO.idpId – Identity provider Identification
  • – SSO user email
  • SSO.uid – UID of the SSO user
  • SSO.gid – GID of the SSO user
  • SSO.tenant – SSO tenant
  • SSO.homeDir – Home directory of the SSO user
  • SSO.userName – SSO user username

Note: The UID, GID, Email and homeDir SSO attributes should be mapped to the SecureTransport attributes fdxUid, fdxGid, fdxEmail and fdxHomeDir respectively.

The following variables that represent values from an already authenticated user in SecureTransport are supported:

  • DXAGENT_USERGID – GID of the user
  • DXAGENT_USERUID – UID of the user
  • DXAGENT_USEREMAIL – Email of the user

SecureTransport allows you to map a user based on their login type.

  • To map a real user, use DXAGENT_USERLOGINTYPE="REAL".
  • To map a virtual user, use DXAGENT_USERLOGINTYPE="VIRTUAL".
  • To map a Siteminder user, use DXAGENT_USERLOGINTYPE="SITEMINDER".
  • To map an SSO user, use DXAGENT_USERLOGINTYPE="SSO".
  • To map an LDAP user, use DXAGENT_USERLOGINTYPE="LDAP".

The following constants are supported:

  • Numeric constants: -5, 100, .5, 1.05, 3.14159D, 6.0221415e23, 214748364, 0xFFECDE5E
  • Character constants: 'a', '\u0061', '\t', '\u0009', '\n', '\b', '\r', '\f', '\\', '\"' 
  • String constants: "Finance", "US", "^.*@finance\.example\.com$"
  • Logical constants: true, false
  • Null constant: null (represents no value, so fdxShell = null is true if fdxShell is not defined)

The following functions are supported:

  • isSet("A") – true if there is a session variable named A
  • memberOf(A, B$collection) – true if A is a member of the multivalued session variable B
  • toInt(A) – converts A to an integer
  • toString(A) – converts A to a string

SecureTransport evaluates the expression based on the following operator precedence from highest to lowest:

  • Logical unary not
  • Arithmetic unary + and -
  • Arithmetic binary *, /, and % (integer remainder)
  • Arithmetic binary + and -
  • String concatenation +
  • Numeric, date and string comparison >, >=, <, <=, and like
  • Logical, numeric, date, and string comparison = and <>
  • Logical and
  • Logical or
  • Conditional expression A ? B : C (which has the value B if A is true or C if A is not true)

Use parentheses to group expressions and override the operator precedence.

SecureTransport dynamically converts numeric expressions to long integers, single-precision real numbers, or double-precision real numbers when it is necessary to evaluate an operator. When an operator requires a logical value, SecureTransport converts any value of a type other than logical to false.

The like operator matches its string left operand against a string right operand that is a Java regular expression. The result is true only if the regular expression matches the entire left operand, not just a substring of it. The backslash (\) is the escape character in Java regular expressions, so, in a regular expression, use two backslashes (\\) to match a backslash. See the examples below.

The following expression checks for virtual users who are in one of three groups:

fdxUserType = "virtual" and (fdxGid = 1200 or fdxGid = 1400 or fdxGid = 1500)

The following expression tests the prefix of the user home directory on a Windows system:

fdxHomeDir like "C:\\home\\users\\finance\\.*"

The following two expressions return the same result, checking the email address against different regular expressions depending on the UID:

fdxUid > 100 and fdxUid <= 200 and fdxEmail like ".*@finance\.example\.com" or fdxEmail like ".*@hr\.example\.com"

fdxEmail like (fdxUid > 100 and fdxUid <= 200 ? ".*@finance\.example\.com" : ".*@hr\.example\.com")
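To make the precedence and conversion rules above concrete, here is an added Python evaluator for a subset of the custom expression language (integer, string, logical and null constants; comparison and like; not, and, or; the conditional operator; no arithmetic or built-in functions). It is example code written for this page, not SecureTransport's implementation, and it assumes that string constants reach the regex engine verbatim and that Python's re.fullmatch approximates Java's whole-string matching.

```python
import re
# Tokens: integers, double-quoted strings (contents kept verbatim, so one backslash
# reaches the regex engine as in the page's examples), operators, identifiers/keywords.
TOKEN = re.compile(r'\s*(?:(\d+)|("(?:[^"\\]|\\.)*")|(<>|>=|<=|[=<>()?:])|([A-Za-z_][\w.]*))')
PREC = {'?': 1, 'or': 2, 'and': 3, '=': 4, '<>': 4, '>': 5, '>=': 5, '<': 5, '<=': 5, 'like': 5}
KEYWORDS = {'true': True, 'false': False, 'null': None}

def tokenize(src):
    pos, out, src = 0, [], src.strip()
    while pos < len(src):
        if not (m := TOKEN.match(src, pos)):
            raise ValueError(f"unexpected input at {pos}: {src[pos:pos + 10]!r}")
        pos, out = m.end(), out + [next(g for g in m.groups() if g is not None)]
    return out + [None]  # None marks the end of input

def binop(op, a, b):
    if op == 'like':  # Java-style regex; it must match the whole left operand
        return isinstance(a, str) and isinstance(b, str) and re.fullmatch(b, a) is not None
    if op in ('and', 'or'):  # a non-logical operand is treated as false
        return (a is True and b is True) if op == 'and' else (a is True or b is True)
    if op in ('=', '<>'):  # null = null holds, so "fdxShell = null" is true when unset
        return (a == b) == (op == '=')
    return a is not None and b is not None and {'>': a > b, '>=': a >= b, '<': a < b, '<=': a <= b}[op]

def user_matches(expression, attrs):  # True if the user (attribute dict) is in the class
    toks = tokenize(expression)
    def expect(want):  # consume one token and require it to be `want`
        if toks.pop(0) != want: raise ValueError(f"expected {want!r} in {expression!r}")
    def expr(min_prec=1):  # precedence climbing over the page's operator table
        tok = toks.pop(0)
        if tok == 'not':  # binds tightest: "not fdxUid > 100" is "(not fdxUid) > 100"
            left = expr(6) is not True
        elif tok == '(':
            left = expr(); expect(')')
        elif tok is None or not re.match(r'[\w"]', tok):
            raise ValueError(f"unexpected {tok!r} in {expression!r}")
        else:  # number, string, keyword, or attribute (undefined attribute -> null)
            left = int(tok) if tok.isdigit() else tok[1:-1] if tok[0] == '"' else KEYWORDS.get(tok, attrs.get(tok))
        while PREC.get(toks[0], 0) >= min_prec:  # binary operators, lowest to highest
            op = toks.pop(0)
            if op == '?':  # conditional A ? B : C, the lowest precedence
                yes = expr(); expect(':'); no = expr()
                left = yes if left is True else no
            else:
                left = binop(op, left, expr(PREC[op] + 1))
        return left
    result = expr()
    expect(None)  # anything left over is a syntax error
    return result is True
```

Call user_matches with one of the page's expressions and a dict of attribute values such as {"fdxUserType": "virtual", "fdxGid": 1400}; a missing attribute evaluates to null, as in the fdxShell example.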
