How to check if user is a member of a group - Policy Server - Siteminder

Article ID: 376108


Updated On:

Products

  • CA Single Sign On Agents (SiteMinder)
  • CA Single Sign On Federation (SiteMinder)
  • CA Single Sign On Secure Proxy Server (SiteMinder)
  • CA Single Sign On SOA Security Manager (SiteMinder)
  • SITEMINDER

Issue/Introduction

This article discusses how to check whether a user is a member of a certain group using an expression.

This can be used during policy evaluation or while sending a response.

Environment

  • Policy Server : R12.8+
  • OS : ANY
  • User Directory: ANY

Resolution

Instructions:

For illustration purposes, we will configure a response to return true or false depending on whether the user is a member of the 'HR' group.

The expression that needs to be used is:

IsHR=<$expr="%SM_USERGROUPS ~CONTAINS 'CN=HR,CN=Users,DC=ad12,DC=lab'"$>

Where:

%SM_USERGROUPS returns a list of all the groups to which the user belongs, separated by the ^ character,

and ~CONTAINS performs a case-insensitive search.
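An offline model of the check described above, as an added example that is not part of the original article and is not SiteMinder code. It assumes ~CONTAINS behaves as a case-insensitive substring test over the ^-separated value and compares that with an exact per-group DN match; the function names and the sample group lists are constructed for illustration.

```python
# Added example: models the group check offline; not SiteMinder code.
# Assumption: ~CONTAINS is treated as a case-insensitive substring test.

TARGET = "CN=HR,CN=Users,DC=ad12,DC=lab"  # group DN from the article's expression


def split_groups(sm_usergroups: str) -> list:
    """Split a ^-separated SM_USERGROUPS value into individual group DNs."""
    return [g.strip() for g in sm_usergroups.split("^") if g.strip()]


def contains_ci(sm_usergroups: str, needle: str) -> bool:
    """Case-insensitive substring search over the whole ^-joined string."""
    return needle.casefold() in sm_usergroups.casefold()


def is_member_exact(sm_usergroups: str, group_dn: str) -> bool:
    """Stricter check: some list element equals the DN, ignoring case."""
    wanted = group_dn.casefold()
    return any(g.casefold() == wanted for g in split_groups(sm_usergroups))


def overmatches(sm_usergroups: str, needle: str) -> list:
    """Groups that satisfy the substring test without being the exact DN."""
    n = needle.casefold()
    return [g for g in split_groups(sm_usergroups)
            if n in g.casefold() and g.casefold() != n]


# Constructed sample values (not taken from a real directory).
SAMPLES = {
    "hr_user": "CN=Domain Users,CN=Users,DC=ad12,DC=lab^cn=hr,cn=users,dc=ad12,dc=lab",
    "finance_user": "CN=Finance,CN=Users,DC=ad12,DC=lab",
    "other_domain": "CN=HR,CN=Users,DC=ad12,DC=labs",  # DN merely starts with TARGET
    "short_needle": "CN=HR-Contractors,CN=Users,DC=ad12,DC=lab",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:13} contains={contains_ci(value, TARGET)!s:5} "
              f"exact={is_member_exact(value, TARGET)!s:5} "
              f"overmatch={overmatches(value, TARGET)}")
    # A shortened search string matches more groups than intended:
    print(overmatches(SAMPLES["short_needle"], "CN=HR"))
```

Using the full group DN, as the article's expression does, keeps the substring test narrow; a shortened search string such as 'CN=HR' would also match 'CN=HR-Contractors' in this model.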

 

The full list of other available operations is detailed here:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/attributes-and-expressions-reference.html

Testing Result :