Appendix Custom Expressions and System Variables Reference
Using Custom Expressions in Rule Configuration
This topic describes custom expressions. It is intended for advanced users.
Custom Expressions
Many system rules, such as role mapping rules or resource policy rules, support custom expressions. A custom expression is a combination of variables that the system evaluates as a Boolean object. The expression returns true, false, or error.
You can write custom expressions in the following formats. Note that elements of these formats are described in greater detail in the table that follows:
- variable comparisonOperator variable
- variable comparisonOperator simpleValue
- variable comparisonOperator (simpleValue)
- variable comparisonOperator (OR Values)
- variable comparisonOperator (AND Values)
- variable comparisonOperator (time TO time)
- variable comparisonOperator (day TO day)
- isEmtpy (variable)
- isUnknown (variable)
- (customExpr)
- NOT customExpr
- ! customExpr
- customExpr OR customExpr
- customExpr || customExpr
- customExpr AND customExpr
- customExpr && customExpr
Custom Expression Elements
|
Element |
|
|---|---|
|
variable |
Represents a system variable. A variable name is a dot-separated string, and each component can contain characters from the set [a-z A-Z 0-9_ ] but cannot start with a digit [0-9]. Variable names are case-insensitive. For system variables that you may use in role mapping rules and resource policies. When writing a custom expression in a log query field, you need to use system log variables. These variables are described in the Filter Variables Dictionary on the Filter page (System > Log/Monitoring > Events | User Access | Admin Access > Filters > Select Filter tab). Quoting syntax for variables: The system supports a quoting syntax for custom expression variables that allows you to use any character except '.' (period) in a user attribute name. To escape characters in an attribute name, quote some or all of the variable name using { } (curly-braces). For example, these expressions are equivalent:userAttr.{Login-Name} = 'xyz' userAttr.Login{-}Name = 'xyz' {userAttr.Login-Name} = 'xyz' userA{ttr.L}{ogin-}Name = 'xyz' Escape characters supported within quotes:
Examples: userAttr.{Tree Frog} = 'kermit' userAttr.{Tree\20Frog} = 'kermit'
- There is no limit to the number of quotes you can use in a variable name. |
|
comparisonOperator |
One of the following:
|
|
simpleValue |
One of the following:
Notes about strings: A string may contain all characters except <nl> (newline) and <cr> (carriage return). Strings can be any length. String comparisons are case-insensitive. Strings can be quoted with single- or double-quotes. A quoted string may contain wildcards, including star(*), question mark (?), and square brackets ([ ]). variable comparisonOperator variable comparisons are evaluated without wildcard matching. Use a backslash to escape these characters:
Note about day: Day and time comparisons are evaluated in the system’s time zone. Day range (day TO day) calculations start with the first day and step forward until the second day is reached. In time range (time TO time) calculations, the first value must be earlier than the second value. Only time variables can be compared to day and time values. The time variables are: time.* and log inTime.*. |
|
time |
Time of day in one of the following formats: HH:MM — 24-hour HH:MMam — 12-hour HH:MMpm — 12-hour H:MM — 24-hour H:MMam — 12-hour H:MMpm — 12-hour Day and time comparisons are evaluated in the system’s time zone. Day range (day TO day) calculations start with the first day and step forward until the second day is reached. In time range (time TO time) calculations, the first value must be earlier than the second value. Only time variables can be compared to day and time values. The time variables are: time.* and log inTime.*. |
|
OR Value |
String containing one or more OR comparisons: Examples: variable comparisonOperator (number OR number ...) variable comparisonOperator (string OR string ...) |
|
AND Value |
String containing one or more AND comparisons. Examples: variable comparisonOperator (number AND number ...) variable comparisonOperator (string AND string ...) |
|
isEmpty |
Function that takes a single variable name (variable) argument and returns a boolean value. isEmpty() is true if the variable is unknown or has a zero-length value, zero-length strings, and empty lists. Example: isEmpty(userAttr.terminationDate) |
|
isUnknown |
Function that takes a single variable name (variable) argument and returns a boolean value. isUnknown() is true if the variable is not defined. User attributes (userAttr.* variables) are unknown if the attribute is not defined in LDAP or if the attribute lookup failed (such as if the LDAP server is down). Example: isUnknown(userAttr.bonusProgram) |
|
NOT, ! |
Logical negation comparisonOperator. The negated expression evaluates to true if the customExpr is false and evaluates to false if the customExpr is true. The operators NOT, AND, and OR are evaluated from highest to lowest precedence in this order: NOT (from right), AND (from left), OR (from left). |
|
OR, || |
Logical operator OR ||, which are equivalent. The operators NOT, AND, and OR are evaluated from highest to lowest precedence in this order: NOT (from right), AND (from left), OR (from left). |
|
AND, && |
Logical AND or &&, which are equivalent. The operators NOT, AND, and OR are evaluated from highest to lowest precedence in this order: NOT (from right), AND (from left), OR (from left). |
|
customExpr |
Expression written in the Custom Expression Syntax (see above). |
Wildcard Matching
In a quoted string, supported wildcards include:
- star (*)—A star matches any sequence of zero or more characters.
- question mark (?)—A question mark matches any single character.
- square brackets ([ ])—Square brackets match one character from a range of possible characters specified between the brackets. Two characters separated by a dash (-) match the two characters in the specified range and the lexically intervening characters. For example, ‘dept[0-9]’ matches strings "dept0", "dept1", and up to "dept9".
To escape wildcard characters, place them inside square brackets. For example, the expression ' userAttr.x = " value [*]" ' evaluates to true if attribute x is exactly "value*".
Using Multivalued Attributes
Multivalued attributes—attributes that contain two or more values—provide you with a convenient method for defining resources that expand into multiple individual bookmarks on the users’ bookmarks page.
For example, assume that the user’s LDAP directory contains the multivalued attribute HomeShares: \\Srv1\Sales;\\Srv2\Marketing. When you configure the Windows File share resource definition using the HomeShares multivalued attribute, \\<userAttr.HomeShares>, the user sees two bookmarks:
- \\Srv1\Sales
- \\Srv2\Marketing
Now let’s assume the user’s LDAP directory contains a second multivalued attribute defined as HomeFolders: Folder1;Folder2;Folder3. When you configure the Windows File share resource using both of the multivalued attributes, \\<userAttr.HomeShares>\<userAttr.HomeFolders>, the user sees the following six bookmarks:
- \\Srv1\Sales\Folder1
- \\Srv1\Sales\Folder2
- \\Srv1\Sales\Folder3
- \\Srv2\Marketing\Folder1
- \\Srv2\Marketing\Folder2
- \\Srv2\Marketing\Folder3
The only exception to this functionality is when the variable includes an explicit separator string. In this case, only one bookmark containing multiple resources displays on the users’ bookmark page.
You specify the separator string in the variable definition using the syntax sep=’string’ where string equals the separator you want to use. For example, to specify a semi-colon as the separator, use the syntax <variable.Attr sep=';'>.
Use the following syntax for multivalued attributes handling. Note that <variable> refers to a session variable such as <userAttr.name> or <CertAttr.name>:
·<variable[Index]>—You specify indexes in a variety of ways. If, for example, the total number of values for a given index is 5, and you want to specify the entire range of values you use <variable[ALL]>. If you want to specify only the fourth value, you use <variable[4]>.
- <variable> is the same as <variable[ALL]>.
- <variable> is the same as <variable[ALL]>.
- <variable sep='str'> and <variable[All] sep='str'> — These variable definitions always refer to a single string value with all the tokens expanded out with separator strings between the values.
Variable names cannot contain spaces.
Specifying Multivalued Attributes in a Bookmark Name
Another common case of using multivalued attributes occurs when you include a variable in a bookmark name and in a URL or file server/share field.
For example, again assume that the user’s LDAP directory contains the multivalued attribute HomeShares: \\Srv1\Sales;\\Srv2\Marketing. When you configure the Windows File share resource definition using the HomeShares multivalued attribute, \\<userAttr.HomeShares>, and you use the same attribute in the bookmark name field, <userAttr.HomeShares>, the system creates two bookmarks:
- Srv1\Sales bookmark pointing to \\Srv1\Sales
- Srv2\Marketing bookmark pointing to \\Srv2\Marketing
This does not create a situation in which you end up with the following set of conditions:
- Srv1\Sales bookmark pointing to \\Srv1\Sales
- Srv1\Marketing bookmark pointing to \\Srv1\Marketing (error)
- Srv2\Sales bookmark pointing to \\Srv1\Sales (error)
- Srv2\Marketing bookmark pointing to \\Srv2\Marketing
Distinguished Name Variables
You can compare a distinguished name (DN) to another DN or to a string, but the system ignores wildcards, white space, and case. Note, however, that the system takes the order of DN keys into consideration.
When the system compares an expression to a DN to a string, it converts the string to a distinguished name before evaluating the expression. If the system cannot convert the string due to bad syntax, the comparison fails. The DN variables are:
- userDN
- certDN
- certIssuerDN
The system also supports DN suffix comparisons using the matchDNSuffix function. For example:
matchDNSuffix( certDn, "dc=danastreet,dc=net")
Within the parenthesis, the first parameter is the “ full” DN and the second is the suffix DN. You can use a or string for each parameter. Note that this first parameter should have more keys than the second (suffix parameter). Otherwise, if they are equal, it is the same as <firstparam> = <secondparam>. If the second parameter has more keys, matchDNsuffix returns false.
System Variables
The below table lists and defines system variables, gives an example for each system variable, and provides a guide as to where you may use system variables.
|
Variable |
Description |
Usage |
Examples |
|---|---|---|---|
|
authMethod |
Type of authentication method used to authenticates a user. |
role mapping rules, resource policy rules |
authMethod = ‘ACE Server’ |
|
certAttr.<cert-attr> |
Attributes from a client-side certificate. Examples of certAttr attributes include:
Use this variable to check that the user’s client has a client-side certificate with the value(s) specified. |
|
certAttr.OU = 'Retail Products Group' |
|
certAttr.altName.<Alt-attr> |
Subject alternative name value from a client-side certificate where <Alt-attr> may be:
|
|
|
|
certAttr.serialNumber |
Client certificate serial number. Note that all characters other than [0-9 a-f A-F] are stripped out of a string before comparison with certAttr.SN. Wildcards are not supported. |
|
|
|
certDN |
Client certificate subject DN. Wildcards are not permitted. |
role mapping rules, resource policy rules |
|
|
certDN.<subject-attr> |
Any variable from the client certificate subject DN, where subject-attr is the name of the RDN key. Use to test the various subject DN attributes in a standard x.509 certificate. |
|
|
|
certDNText |
Client certificate user DN stored as a string. Only string comparisons to this value are allowed. |
|
|
|
certIssuerDN |
Client certificate-issuer subject DN. This variable works like a standard DN attribute such as CertDN. Wildcards are not permitted. |
|
|
|
certIssuerDN.<issuer-attr> |
Any variable from the client certificate-issuer subject DN, where issuer-attr is the name of the RDN key. |
|
|
|
certIssuerDNText |
Client certificate-issuer subject DN stored as a string. Only string comparisons to this value are allowed. |
|
|
|
defaultNTDomain |
Contains the Domain value set in the authentication server configuration when you use AD/NT authentication. |
|
defaultNTDomain=” CORP” |
|
group.<group-name> |
User’s group membership as provided by the realm authentication or directory server. |
|
Spaces are not supported, such as, group.sales managers |
|
Groups |
List of groups as provided by the realm authentication or directory server. You can enter any characters in the groupname, although wildcard characters are not supported. |
|
groups=('sales managers') |
|
hostCheckerPolicy |
Host Checker polices that the client has met. |
|
hostCheckerPolicy = ('Norton' and 'Sygate') and cacheCleanerStatus = 1hostCheckerPolicy = ('Norton' and 'Sygate') |
|
log inHost |
Hostname or IP address that the browser uses to contact the Ivanti service. |
|
log inHost = 10.10.10.10 |
|
log inTime |
The time of day at which the user submits his credentials. The time is based on system time. When using this variable in an SSO parameter field, the variable returns the UNIX string time. |
|
|
|
log inTime.day |
The day of month on which the user submits his credentials, where day is 1-31. The time is based on the system time. You cannot use the TO operator with this variable. |
•role mapping rules •resource policy rules |
log inTime.day = 3 |
|
log inTime.dayOfWeek |
The day of the week on which the user submits his credentials, where dayOfWeek is in the range [0-6] where 0 = Sunday. The system does not support the TO operator with time.dayOfWeek expressions if you use numbers instead of strings. In other words, “ log inTime.dayOfWeek = (2 TO 6)” does not work, but “ log inTime.dayOfWeek = (mon to fri)” does work. |
|
|
|
log inTime.dayOfYear |
The numeric day of the year on which the user submits his credentials, where dayOfYear can be set to [0-365]. You cannot use the TO operator with this variable. |
|
|
|
log inTime.month |
The month in which the user submits his credentials, where month can be set to [1-12] where 1 = January. You cannot use the TO operator with this variable. |
|
log inTime.month >= 4 AND log inTime.month <=9 |
|
log inTime.year |
The year in which the user submits his credentials, where year can be set to [1900-2999]. You cannot use the TO operator with this variable. |
|
log inTime.year = 2005 |
|
log inURL |
URL of the page that the user accessed to sign in. The system gets this value from the Administrator URLs|User URLs column on the Authentication > Signing In > Sign-in Policies page of the admin console. |
|
log inURL = */admin |
|
networkIf |
The network interface on which the user request is received. Possible values: internal, external |
|
sourceIp = 192.168.1.0/24 and networkIf = internal |
|
Ntdomain |
The NetBIOS NT domain used in NT4 and Active Directory authentication. |
|
ntdomain = jnpr |
|
Ntuser |
The NT username used in Active Directory authentication |
|
ntuser = jdoe password password[1] |
|
password[2] |
The password entered by the user for the primary authentication server (password and password[1]) or the secondary authentication server (password[2]). |
|
password = A1defo2z |
|
Realm |
The name of the authentication realm to which the user is signed in. |
|
Realm = ('GoldPartners' or 'SilverPartners') AND condition will always fail as a user is only allowed to sign in to a single realm in a session. |
|
Role |
List of all the user roles for the session. Role = ('Sales' AND 'Support') In SSO, if you want to send all the roles to back-end applications, use <role sep = ";"> - where sep is the separator string for multiple values. The system supports all separators except “ and >. |
|
•Role = ('sales' or 'engineering') •"Role = ('Sales' AND 'Support') |
|
radi-us.requestAttributes.<reqAttrs> |
The list of default value are as follows: •radius.requestAttributes.Calling-Station-Id = <ANY> •radius.requestAttributes.NAS-IP-Address = <ANY> •radius.requestAttributes.NAS-Identifier = <ANY> •radius.requestAttributes.NAS-Port-Type = <ANY> •radius.requestAttributes.Called-Station-Id = <ANY> •radius.requestAttributes.Aruba-Essid-Name = <ANY> •radius.requestAttributes.User-Name = <ANY> |
role mapping rules |
radius.requestAttributes.Calling-Station-Id = "00:aa:3f:*" |
|
locationGroup |
Allows the user to filter the roles based on the location group. |
role mapping rules |
locationGroup = "bangalore" |
|
eapProtocol.<protocolLayer> |
Allows the user to filter the roles based on EAP protocol. <protocolLayer> indicates whether the variable matches the inner protocol or outer protocol. •The values for the outerProtocol variable are EAP-PEAP and EAP-TTLS. •The values for the innerProtocol are PAP, CHAP, MS-CHAP, MS-CHAP-V2, EAP-MD5, EAP-TLS, EAP-MSCHAP-V2, EAP-GTC, and EAP-JUAC. |
|
eap-protocol.outerProtocol != "EAP-PEAP" |
|
sourceIP |
The IP address of the machine on which the user authenticates. You can specify the netmask using the bit number or in the netmask format: '255.255.0.0'. Note that you can evaluate the sourceIP expression against a string variable such as an LDAP attribute. |
|
is the same as:
|
|
Time |
The time of day at which the role mapping rule or resource policy rule is evaluated. The time of the day can be in 12-hour or 24-hour format. |
•role mapping rules •resource policy rules
|
Combination examples: Allow executive managers and their assistants access from Monday to Friday: userAttr.employeeType = ('*manager*' or '*assistant*') and group.executiveStaff and time = (Mon to Fri) |
|
time.dayOfWeek |
The day of the week on which the role mapping rule or resource policy rule is evaluated, where dayOfWeek is in the range [0-6] where 0 = Sunday. |
|
log inTime.dayOfWeek = (0 OR 6) log inTime.dayOfWeek = (1 to 5) log inTime.dayOfWeek = 5
|
|
time.dayOfYear |
The day of the year on which the role mapping rule or resource policy rule is evaluated. Possible values include: 1-365. |
|
time.dayOfYear = 100
|
|
time.month |
The month in which the role mapping rule or resource policy rule is evaluated. Possible values include: 1-12 |
|
time.month >= 9 and time.month <= 12 and time.year = 2004 group.employees and time.month = 9 |
|
time.year |
The year in which the role mapping rule or resource policy rule is evaluated, where year can be set to [1900-2999]. |
|
time.year = 2005
|
|
user user@primary_auth_server_name user@secondary_auth_server_name |
Ivanti username for the user’s primary authentication server (user and user@primary_auth_server_name) or secondary authentication server (user@secondary_auth_server_name). Use when authenticating against an Active Directory server, domain and username. primary_auth_server_name is the name of the primary auth server. If there are spaces or special characters in the name, it can be enclosed in curly brackets. For example user@{My Primary Auth Server} secondary_auth_server_name is the name of the secondary auth server. If there are spaces or special characters in the name, it can be enclosed in curly brackets. For example user@{My Secondary Auth Server} When including a domain as part of a username, you must include two slashes between the domain and user. For example: user=’yourcompany.net\\joeuser’. |
|
|
|
username username@primary_auth_server_name username@secondary_auth_server_ name |
System username for the user’s primary authentication server (username and username@primary_auth_server_name) or secondary authentication server (username@secondary_auth_server_name). If the user is signing in to a certificate authentication server, then the user’s Ivanti system username is the same as CertDN.cn. primary_auth_server_name is the name of the primary auth server. If there are spaces or special characters in the name, it can be enclosed in curly brackets. For example user@{My Primary Auth Server} secondary_auth_server_name is the name of the secondary auth server. If there are spaces or special characters in the name, it can be enclosed in curly brackets. For example user@{My Secondary Auth Server} |
|
|
|
userAgent |
The browser’s user agent string. |
|
The browser’s user agent string.
|
|
userAttr.<auth-attr>
|
User attributes retrieved from an LDAP or RADIUS authentication or directory server. |
•role mapping rules •resource policy rules •SSO parameter fields
|
userAttr.building = ('HQ*' or 'MtView[1-3]') userAttr.dept = ('sales' and 'eng') userAttr.dept = ('eng' or 'it' or 'custsupport') userAttr.division = 'sales' userAttr.employeeType != 'contractor' userAttr.salaryGrade > 10 userAttr.salesConfirmed >= userAttr.salesQuota Negative examples: userAttr.company != "Acme Inc" or not group.contractors not (user = 'guest' or group.demo) Combination examples: Allow executive managers and their assistants access from Monday to Friday: userAttr.employeeType = ('*manager*' or '*assistant*') and group.executiveStaff and time = (Mon to Fri) Allow all partners with active status from Monday to Friday but preferred partners Monday through Saturday: ((group.partners and time = (Mon to Fri)) or |
|
|
|
|
(group.preferredPartners and time = (Mon to Sat))) and userAttr.partnerStatus = 'active' |
|
userDN |
The user DN from an LDAP server. If the user is authenticated by the LDAP server, then this DN is from the authentication server; otherwise, the DN comes from the realm's Directory/Attribute server. Wildcards are not permitted. |
|
userDN = 'cn=John Harding,ou=eng,c=Company' userDN = certDN |
|
userDN.<user-attr> |
Any variable from the user DN, where user-attr is the name of the RDN key. |
|
Any variable from the user DN, where user-attr is the name of the RDN key. |
|
userDNText |
User DN stored as a string. Only string comparisons to this value are allowed. |
|
userDNText = 'cn=John Harding,ou=eng,c=Company' |
Custom Variables and Macros
Custom variables, like system variables, are name-value pair tags that you can use when defining role mapping rules, resource policy rules and SSO parameter fields.
Custom variables are created in the Server Catalog (for example, Authentication > Auth Server > Name > Settings) by using a predefined macro on a system variable. Available macros are:
- REGMATCH – Matches a regular expression pattern against a string text.
- APPEND – Appends a text string to another text string.
- DAYSDIFF – Calculates the difference between two dates.
These macros are located under Variable Operators in the Variables tab of the Server Catalog window.
A custom variable name is a dot-separated string. Each component can contain characters from the set [a-z A-Z 0-9 _] but cannot start with a digit [0-9]. Custom variable names are case-insensitive.
Custom variables are referenced as customVar.<variableName>. For example, if you create a custom variable with the name check-prefix, you reference this custom variable as customVar.check-prefix.
|
Syntax |
APPEND (attr, TextString) APPEND (attr, attr2) |
|
Description |
Append a text string to an attribute or append an attribute to another attribute and store the resulting string in the custom variable. |
|
Options |
attr—System variable of type string. TextString—Quoted ASCII string. attr2—System variable of type string. |
|
Output Fields |
Returns a String value. If no match is found, returns an empty string If the system variable is multivalued, the custom variable is also multivalued and uses the same order as the system variable. |
Sample Output
APPEND (userName, “@sample.net”)
In this example, the string “@sample.net” is appended to the userName value.
|
Syntax |
DAYSDIFF (attr, timeformat) |
|
Description |
Calculates the number of days between the attribute and the current time. |
|
Options |
attr—System variable of type string. |
|
timeformat—Output time format. Valid values are: UTC, TIMET, MMDDYYYY |
|
|
Output Fields |
Returns an Integer value. |
Sample Output
DAYSDIFF ( certAttr.validUpto, UTC)
In this example, calculate the difference in days between the current time and the value of certAttr.validUpto and express the time in UTC (Coordinated Universal Time).
|
Syntax |
REGMATCH (attr, regex, groupingNumber) |
|
Description |
Match the regular expression pattern against an attribute and store the result in the custom variable. attr—System variable of type string. regex—Quoted string containing the regular expression to be applied to the attr option. groupingNumber—The group value to assign to the custom variable. |
|
Additional Information |
The regular expression supports the Perl Compatible Regular Expressions (PCRE) syntax. A grouping (capture buffer) in the regex pattern can also be used to define a custom variable. |
|
Output Fields |
Returns a String value. If no match is found, returns an empty string. If the system variable is multivalued, the custom variable is also multivalued and uses the same order as the system variable. |
Sample Output
REGMATCH (mailId, “^(.*)@sample.net$”, 1)
In this example, a mailId of [email protected] creates a custom variable with value “myName”.
Specifying Fetch Attributes in a Realm
To facilitate the support for various parameterized settings in user roles and resource policies, you have the ability to specify additional fetch attributes. The system stores the fetch attributes when users log in so that you can use them in parameterized role or resource policy definitions.
The system pulls all the attributes that are currently stored in the Sever Catalog for the user's authentication or authorization LDAP server. So, make sure to add the LDAP user attributes that are used in role or resource policy definitions in the LDAP Server Catalog first.
When a user logs in, the system retrieves user attributes that are referenced in the role mapping rules plus all of the additional attributes referenced in the Server Catalog and stores all these values. Note that this should not incur a significant performance overhead because all the user attributes are retrieved in one single LDAP query.
When you substitute variables, such as in IP/Netmasks or hostnames, the values in the session are appropriately converted into the data type that is required by the particular application definition.
Specifying the homeDirectory Attribute for LDAP
You can create a bookmark that automatically maps to a user’s LDAP home directory. You can accomplish this using the LDAP attribute homeDirectory. You need to configure a realm that specifies the LDAP server instance as its auth server, and you need to configure role-mapping rules and a bookmark that points to the LDAP homeDirectory attribute.