The following are the different types of selection expression you can use:
- Basic selection expressions
- Include only one attribute
- user_attribute_type=value
For example, to include one named user logon ID, and exclude all other users:
logon=jsmith1
- Exclude one attribute
- ~user_attribute_type=value
For example, to exclude one set of logon IDs identified by a wildcard (those that start with the letter "j"), but include all others:
~logon=j@
- Include only several attributes of the same type
- user_attribute_type=value[,value]...
For example, to include three specific users and exclude all others:
logon=jsmith1,jbrown1,jjones1
- Exclude several attributes of the same type
- ~user_attribute_type=value[,value]...
For example, to exclude three specific users and include all others:
~logon=jsmith1,jbrown1,jjones1
- Complex selection expressions
- Include users identified by different selection expressions
- basic_selection_expression[+basic_selection_expression]...
The selection expressions can be of the same or a different attribute type:
- Same attribute type
- An example of the same attribute type is the following, which selects all the groups beginning with the letter "j", as well as those beginning with the letter "z":
group=j@+group=z@
If the first selection identifies 200 users, and the second 300, the total users selected is 500.
- Different attribute type
- An example of selection expressions of a different attribute type is the following, which selects all the groups beginning with the letter "j", as well as all users with IDs beginning with a "6":
group=j@+logon=6@
If the first selection identifies 200 users, and the second 20, of whom 5 are also in the first group, the total users selected is 5.
- Exclude users identified in one selection expression from those identified in another
- basic_selection_expression[~basic_selection_expression]...
- Same attribute type
- The selection expressions can be of the same attribute type, provided that the second is a subset of the first. An example of the same attribute type is the following, which selects all the workstations beginning with the letter "j", but excludes those with a "z" as a second letter:
group=j@~group=jz@
If the first selection identifies 200 users, and the second 20, the total users selected is 180. Note that if the second expression had not been a subset of the first, the second expression would have been ignored.
- Different attribute type
- Selection expressions of a different attribute type do not have to have a subset relationship. An example is the following, which selects the group "mygroup", but excludes from the selection all users in the group with IDs beginning with a "6":
group=mygroup~logon=6@
If the first selection identifies 200 users, and the second 20, of whom 5 are also in the first group, the total users selected is 195.
- Multiple includes and excludes
- You can link together as many include and exclude expressions as you need to identify the precise subset of users who require the same access. The overall syntax is thus:
[~]user_attribute_type=value[,value]... [{+|~}user_attribute_type=value[,value]...]...
Note: Making your first user attribute an exclude means that all user attributes of that type are selected except the indicated value. Thus, ~user_attribute_type=value equates to the following:
user_attribute_type=@~same_user_attribute_type=value
However, if you use this syntax, you cannot, and do not need to, specifically
add "+user_attribute_type=@", after the negated item, so you do not define:
~user_attribute_type=value+same_user_attribute_type=@
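
The counting rules above can be checked against a test directory before an expression is relied on to decide who gets access. The following Python is an added example, not the product's own code: it models the combining rules as the examples above count them (includes of the same type add up, different types narrow each other, a same-type exclude that is not a subset is ignored). The user directory, the helper names, and the reading of "@" as "any run of characters" are assumptions made for the example.

```python
import re

# Constructed directory (not from the page): 200 users in groups starting "j",
# 20 of them in "jzops"; 20 logons starting "6", 5 of them in a "j" group.
USERS = ([{"logon": f"a{i}", "group": "jadmin"} for i in range(175)]
         + [{"logon": f"6a{i}", "group": "jadmin"} for i in range(5)]
         + [{"logon": f"b{i}", "group": "jzops"} for i in range(20)]
         + [{"logon": f"6z{i}", "group": "zeta"} for i in range(15)])

TERM = re.compile(r"([+~]?)(\w+)=([^+~]+)")

def matches(pattern, value):
    # Assumption: "@" stands for any run of characters, as in j@ and bare @.
    rx = ".*".join(re.escape(part) for part in pattern.split("@"))
    return re.fullmatch(rx, value) is not None

def matched_ids(attr, values, users):
    return {i for i, u in enumerate(users)
            if any(matches(v, u.get(attr, "")) for v in values.split(","))}

def select(expr, users=USERS):
    """Return the sorted logons that expr selects under the model above."""
    expr = expr.replace(" ", "")
    terms = TERM.findall(expr)
    if not terms or "".join(o + a + "=" + v for o, a, v in terms) != expr:
        raise ValueError(f"not a selection expression: {expr!r}")
    includes, excludes = {}, {}
    for op, attr, values in terms:
        bucket = excludes if op == "~" else includes
        bucket.setdefault(attr, []).append(matched_ids(attr, values, users))
    everyone = set(range(len(users)))
    selected = set(everyone)
    for attr in includes.keys() | excludes.keys():
        # Same type: includes add up; no include at all means type=@ (everyone).
        included = set().union(*includes[attr]) if attr in includes else everyone
        base = set(included)
        for gone in excludes.get(attr, []):
            if gone <= included:   # a same-type exclude that is not a subset is ignored
                base -= gone
        selected &= base           # different attribute types narrow each other
    return sorted(users[i]["logon"] for i in selected)

if __name__ == "__main__":
    for e in ("group=j@+logon=6@", "group=j@~group=jz@",
              "group=j@~logon=6@", "~group=jzops", "group=jadmin~group=z@"):
        print(f"{e:24} -> {len(select(e))} users")
```
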