User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 10 Managing Access Policies
Configuring Compound Conditions
Note: Dynamic attribute mapping is not applicable to the ExternalGroups attribute of type "String Enum" or
the "Time And Date" attribute of type "Date Time Period".
For a hierarchical attribute, the attribute name is added to the value, so when you configure a string
attribute to compare with a hierarchical attribute, the value of the string attribute has to start with
the hierarchical attribute name.
For example:
When you define a new string attribute named UsrAttr to compare against the DeviceGroup attribute
created under NDG, the value of UsrAttr has to be configured as follows:
DeviceGroup:Value
When you want to compare a string attribute with UserIdentityGroup, which is a hierarchy type
attribute within each internal user, the string attribute has to be configured as follows:
IdentityGroup:All Groups:"Identity Group Name"
Related Topics
Types of Compound Conditions
Using the Compound Expression Builder
Types of Compound Conditions
You can create three types of compound conditions:
Atomic Condition
Consists of a single predicate and is the only entry in the list. Because all simple conditions in a rule
table, except for NDGs, assume the equals (=) operation between the attribute and value, the atomic
condition is used to choose an operator other than equals (=). See Figure 10-2 for an example.
Table 10-21 Supported Dynamic Attribute Mapping in Policy Compound Condition

| Operand1 | Operand2 | Example |
|---|---|---|
| String attribute | String attribute | |
| Integer attribute | Integer attribute | |
| Enumeration attribute | Enumeration attribute | |
| Boolean attribute | Boolean attribute | |
| IP address attribute | IP address attribute | |
| Special cases | | |
| Hierarchical attribute | String attribute | NDG:Customer vs. 'Internal Users' string attribute |
| String attribute | Hierarchical attribute | |