Selection expressions
- Basic selection expressions
- Include only one attribute
- user_attribute_type=value
For example, to include one named user logon ID, and exclude all other users:
logon=jsmith1
- Exclude one attribute
- ~user_attribute_type=value
For example, to exclude one set of logon IDs identified by a wildcard (those that start with the letter "j"), but include all others:
~logon=j@
- Include only several attributes of the same type
- user_attribute_type=value[,value]...
For example, to include three specific users and exclude all others:
logon=jsmith1,jbrown1,jjones1
- Exclude several attributes of the same type
- ~user_attribute_type=value[,value]...
For example, to exclude three specific users and include all others:
~logon=jsmith1,jbrown1,jjones1
- Complex selection expressions
- Include users identified by different selection expressions
- basic_selection_expression[+basic_selection_expression]...
The selection expressions can be of the same or a different attribute type:
- Same attribute type
- An example of the same attribute type is the following, which
selects all the groups beginning with the letter "j", as well as those
beginning with the letter "z":
group=j@+group=z@
If the first selection identifies 200 users, and the second 300, the total users selected is 500.
- Different attribute type
- An example of selection expressions of a
different attribute type is the following, which selects all the groups
beginning with the letter "j", as well as all users with IDs beginning
with a "6":
group=j@+logon=6@
If the first selection identifies 200 users, and the second 20, of whom 5 are also in the first group, the total users selected is 5.
- Exclude users identified in one selection expression from those identified in another
- basic_selection_expression[~basic_selection_expression]...
- Same attribute type
- The selection expressions can be of the same attribute type, provided
that the second is a subset of the first. An example of the same attribute
type is the following, which selects all the workstations beginning
with the letter "j", but excludes those with a "z" as a second letter:
group=j@~group=jz@
If the first selection identifies 200 users, and the second 20, the total users selected is 180. Note that if the second expression had not been a subset of the first, the second expression would have been ignored.
- Different attribute type
- Selection expressions of a different attribute type do not have
to have a subset relationship, an example being the following, which
selects the group "mygroup", but excludes from the selection all users
in the group with IDs beginning with a "6":
group=mygroup~logon=6@
If the first selection identifies 200 users, and the second 20, of whom 5 are also in the first group, the total users selected is 195.
- Multiple includes and excludes
- You can link together as many include and exclude expressions
as you need to identify the precise subset of users who require the
same access. The overall syntax is thus:
[~]user_attribute_type=value[,value]... [{+|~}user_attribute_type=value[,value]...]...
user_attribute_type=@~same_user_attribute_type=value
However, if you use this syntax, you cannot, and do not need to, specifically add "+user_attribute_type=@" after the negated item, so you do not define:
~user_attribute_type=value+same_user_attribute_type=@
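
The following is an added example, not code from the product or from this page: a small Python parser and matcher for the syntax above, useful for checking which users an expression selects before it is relied on for access control. The names parse, wild, selects, select and USERS are hypothetical and the user records are constructed. It assumes that include terms are unioned, that exclude terms are subtracted from that set, and that an expression with no include terms starts from all users.

```python
import re

TERM = re.compile(r"([+~]?)(\w+)=([^+~=]+)")

def parse(expr):
    """Return [(negated, attribute, [patterns])] or raise ValueError."""
    terms, pos = [], 0
    for m in TERM.finditer(expr):
        sign, attr, values = m.groups()
        if m.start() != pos or (not terms and sign == "+"):
            break                      # gap in the input, or a leading "+"
        patterns = values.split(",")
        if "" in patterns:
            raise ValueError(f"empty value in {m.group(0)!r}")
        terms.append((sign == "~", attr, patterns))
        pos = m.end()
    if not terms or pos != len(expr):
        raise ValueError(f"cannot parse {expr!r} at offset {pos}")
    # The page says this form is not to be defined: ~type=value+type=@
    if terms[0][0] and any(not neg and attr == terms[0][1] and "@" in pats
                           for neg, attr, pats in terms[1:]):
        raise ValueError(f"redundant +{terms[0][1]}=@ after a leading exclude")
    return terms

def wild(pattern, value):
    """'@' is the wildcard used on the page: j@ = starts with j, @ = anything."""
    rx = ".*".join(re.escape(part) for part in pattern.split("@"))
    return re.fullmatch(rx, value) is not None

def selects(expr, user):
    """True if the expression selects this user (assumed semantics, see lead-in)."""
    terms = parse(expr)
    hit = lambda t: any(wild(p, user.get(t[1], "")) for p in t[2])
    includes = [t for t in terms if not t[0]]
    included = any(map(hit, includes)) if includes else True
    return included and not any(hit(t) for t in terms if t[0])

USERS = [  # constructed sample data, one group per user for simplicity
    {"logon": "jsmith1", "group": "mygroup"},
    {"logon": "jbrown1", "group": "jz_ops"},
    {"logon": "6001", "group": "mygroup"},
    {"logon": "6002", "group": "zeta"},
    {"logon": "alee", "group": "jobs"},
]

def select(expr, users=USERS):
    """Logon IDs of the users an expression selects."""
    return [u["logon"] for u in users if selects(expr, u)]
```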