10-41
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter10 Managing Access Poli cies
Configuring Compound Conditions
Configuring Compound Conditions
Use compound conditions to define a set of conditions based on any attributes allowed in simple policy
conditions. You define compound conditions in a policy rule page; you cannot define them as separate
condition objects.
This section contains the following topics:
Compound Condition Building Blocks, page 10-41
Types of Compound Conditions, page 10-42
Using the Compound Expression Builder, page 10-45

Compound Condition Building Blocks

Figure 10-1 shows the building blocks of a compound condition.
Figure10-1 Building Blocks of a Compound Condition
Operands—Any attribute or condition type, such as Protocol/Request Attributes, Identity
Attributes, Identity Groups, Network Device Groups (NDGs), Date/Time, and Custom or Standard
Conditions.
Relational Operators—Operators that specify the relation between an operand and a value; for
example, equals (=), or does not match. The operator s that you can use in any condition vary
according to the type of operand.
Binary condition—A binary condition defines the relation between a specified operand and value;
for example, [username = “Smith”].
Logical Operators—The logical operators operate on or between binary conditions. The supported
logical operators are AND and OR.
Precedence Control—You can alter the precedence of logical operators by using parentheses.
Nested parentheses provide administrator control of precedence. The natural precedence of logical
operators, that is, without parenthesis intervention, is NOT, AND, OR, where NOT has the highest
precedence and OR the lowest.
Table10-21 summarizes the supported dynamic attribute mapping while building Compound
Conditions.