Novell ACCESS MANAGER 3.1 SP2 - POLICY GUIDE 2010 Manual page 40

LDAP Attribute: Specify the LDAP attribute you want to use in the comparison. Select from the
listed LDAP attributes. To add an attribute that isn't in the list, click New LDAP Attribute, then
specify the name of the attribute.
Comparison: Specify how you want the values compared. All data types are available. Select one
that matches the value type of your attribute.
Mode: Select the mode, if available, that matches the comparison type. For example, if you choose
to compare the values as strings, you can select either a Case Sensitive mode or a Case Insensitive
mode.
Value: Specify the second value for the comparison. All data types are available. For example, you
can select to compare the value of one LDAP attribute to the value of another LDAP attribute. Only
you can determine if such a comparison is meaningful.
Result on Condition Error: Specify what the condition returns when the comparison of the two
values produces an error instead of a comparison result. Select either False or True. If you
do not want the action applied when an error occurs, select False. If you want the action applied
when an error occurs, select True.
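
The following added example (not taken from the Novell guide or from Access Manager code) models how the fields above interact when a condition gates a role assignment, and what Result on Condition Error changes when the attribute cannot be compared. The class, the role name FinanceAdmin and the sample user data are hypothetical, and only string and integer comparisons are modelled.

```python
from dataclasses import dataclass


class ConditionError(Exception):
    """Raised when the two values cannot be compared."""


@dataclass
class LdapAttributeCondition:
    attribute: str                 # "LDAP Attribute" field
    comparison: str                # "Comparison" field: "string" or "integer" here
    value: str                     # "Value" field (a static value in this sketch)
    case_sensitive: bool = True    # "Mode" field, used only for string comparison
    result_on_error: bool = False  # "Result on Condition Error" field

    def _compare(self, user_attrs: dict) -> bool:
        if self.attribute not in user_attrs:
            raise ConditionError(f"attribute {self.attribute!r} not returned")
        left, right = user_attrs[self.attribute], self.value
        if self.comparison == "string":
            if not self.case_sensitive:
                left, right = left.casefold(), right.casefold()
            return left == right
        if self.comparison == "integer":
            try:
                return int(left) == int(right)
            except ValueError as exc:
                raise ConditionError("value is not an integer") from exc
        raise ConditionError(f"unsupported comparison {self.comparison!r}")

    def evaluate(self, user_attrs: dict) -> bool:
        # An error never reaches the policy; it is replaced by the configured result.
        try:
            return self._compare(user_attrs)
        except ConditionError:
            return self.result_on_error


def assign_role(role: str, condition: LdapAttributeCondition, user_attrs: dict) -> list:
    """Return the roles the action assigns: [role] when the condition is true."""
    return [role] if condition.evaluate(user_attrs) else []


# Constructed sample data (hypothetical users)
ALICE = {"departmentNumber": "Finance"}
NO_ATTRS = {}  # the attribute was not returned for this user
```

With result_on_error left at False, a user whose attribute is missing gets no role; with True, the same user receives FinanceAdmin even though nothing was actually matched.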

Liberty User Profile Condition

The Liberty User Profile condition allows you to assign a role based on a value in a Liberty User
Profile attribute. The Liberty attributes must be enabled before you can use them in policies (click
Identity Servers > Edit > Liberty > Web Service Provider, then enable one or more of the following:
Employee Profile or Personal Profile).
These attributes can be mapped to LDAP attributes (click Identity Servers > Edit > Liberty > LDAP
Attribute Mapping). When mapped, the actual value comes from your user store. If you are using
multiple user stores with different LDAP schemas, mapping similar attributes to the same Liberty
User Profile attribute allows you to create one policy with the Liberty User Profile attribute rather
than multiple policies for each LDAP attribute.
The selected attribute is compared to a value of one of the following types:
Roles from an identity provider
Authenticating IDP or user store
Authentication contract, method, or type
Credential profile
LDAP attribute, OU, or group
Liberty User Profile attribute
Static value in a data entry field
To set up the matching for this condition, fill in the following fields:
Liberty User Profile: Select the Liberty User Profile attribute. These attributes are organized into
three main groups: Custom Profile, Corporate Employment Identity, and Entire Personal Identity.
By default, the Common Last Name attribute for Liberty User Profile is mapped to the sn attribute
for LDAP. To select this attribute for comparison, click Entire Personal Identity > Entire Common
Name > Common Analyzed Name > Common Last Name.
Comparison: Select the comparison type that matches the data type of the selected attribute and the
value.