Chapter 10 Managing Access Policies

Configuring Compound Conditions

Use compound conditions to define a set of conditions based on any attributes allowed in simple policy conditions. You define compound conditions in a policy rule page; you cannot define them as separate condition objects.

This section contains the following topics:

Compound Condition Building Blocks, page 10-40

Types of Compound Conditions, page 10-41

Using the Compound Expression Builder, page 10-44

Compound Condition Building Blocks

Figure 10-1 shows the building blocks of a compound condition.

Figure 10-1 Building Blocks of a Compound Condition

Operands—Any attribute or condition type, such as Protocol/Request Attributes, Identity Attributes, Identity Groups, Network Device Groups (NDGs), Date/Time, and Custom or Standard Conditions.

Relational Operators—Operators that specify the relation between an operand and a value; for example, equals (=), or does not match. The operators that you can use in any condition vary according to the type of operand.

Binary condition—A binary condition defines the relation between a specified operand and value; for example, [username = “Smith”].

Logical Operators—The logical operators operate on or between binary conditions. The supported logical operators are AND and OR.

Precedence Control—You can alter the precedence of logical operators by using parentheses, and nested parentheses give the administrator full control of grouping. The natural precedence of logical operators, that is, without parentheses, is NOT, AND, OR, where NOT has the highest precedence and OR the lowest. An expression such as A AND B OR C therefore evaluates as (A AND B) OR C; write the parentheses explicitly whenever the intended grouping differs from this order.
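The following is an added example, not Cisco code and not the ACS expression builder: a small parser and evaluator for expressions written in the bracketed [attribute op "value"] form described above, which makes the natural precedence (NOT, then AND, then OR) and the effect of parentheses visible before a rule is committed. The attribute names (IdentityGroup:Name, NDG:Location), the operator set (=, !=, matches, does not match), treating matches as a regular-expression search, and treating a missing attribute as a false condition are all assumptions made for the example; the sample request is constructed.

```python
import re

# Tokens: parentheses, AND/OR/NOT, and binary conditions [Attribute op "value"].
# The operator set is an assumption for this example, not the full ACS list.
_TOKEN_RE = re.compile(
    r'\s*(?:(?P<paren>[()])|(?P<logic>AND|OR|NOT)\b'
    r'|\[\s*(?P<attr>[A-Za-z0-9_:./-]+)\s*(?P<op>=|!=|does not match|matches)'
    r'\s*"(?P<val>[^"]*)"\s*\]|(?P<junk>\S))')

def tokenize(expr):
    """Split into '(', ')', 'AND'/'OR'/'NOT' and ('cond', attr, op, value)."""
    tokens = []
    for m in _TOKEN_RE.finditer(expr):
        if m.group("junk"):
            raise ValueError(f"unexpected text at offset {m.start('junk')}")
        if m.group("attr"):
            tokens.append(("cond", m.group("attr"), m.group("op"), m.group("val")))
        else:
            tokens.append(m.group("paren") or m.group("logic"))
    return tokens

class _Parser:
    # Recursive descent; natural precedence NOT > AND > OR, parentheses override:
    #   or_expr  := and_expr ('OR' and_expr)*      and_expr := not_expr ('AND' not_expr)*
    #   not_expr := 'NOT' not_expr | atom          atom := '(' or_expr ')' | condition
    def __init__(self, tokens):
        self.toks, self.pos = tokens, 0
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected and tok != expected):
            raise ValueError(f"expected {expected or 'operand'}, got {tok!r}")
        self.pos += 1
        return tok
    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "OR":
            self.take()
            node = ("or", node, self.and_expr())
        return node
    def and_expr(self):
        node = self.not_expr()
        while self.peek() == "AND":
            self.take()
            node = ("and", node, self.not_expr())
        return node
    def not_expr(self):
        if self.peek() == "NOT":
            self.take()
            return ("not", self.not_expr())
        return self.atom()
    def atom(self):
        tok = self.take()
        if tok == "(":
            node = self.or_expr()
            self.take(")")
            return node
        if isinstance(tok, tuple):
            return tok
        raise ValueError(f"unexpected token {tok!r}")

def parse(expr):
    p = _Parser(tokenize(expr))
    node = p.or_expr()
    if p.peek() is not None:
        raise ValueError(f"trailing token {p.peek()!r}")
    return node

def evaluate(node, attrs):
    """Evaluate against request attributes (dict of name -> string). Assumptions:
    a missing attribute makes a binary condition false; 'matches' is a regex search."""
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], attrs) or evaluate(node[2], attrs)
    if kind == "and":
        return evaluate(node[1], attrs) and evaluate(node[2], attrs)
    if kind == "not":
        return not evaluate(node[1], attrs)
    _, attr, op, value = node
    actual = attrs.get(attr)
    if actual is None:
        return False
    if op in ("=", "!="):
        return (actual == value) == (op == "=")
    hit = re.search(value, actual) is not None
    return hit if op == "matches" else not hit

def to_string(node):
    """Render with every grouping parenthesised to show how precedence applied."""
    if node[0] == "cond":
        return f'[{node[1]} {node[2]} "{node[3]}"]'
    if node[0] == "not":
        return f"(NOT {to_string(node[1])})"
    return f"({to_string(node[1])} {node[0].upper()} {to_string(node[2])})"

# Intended rule: admins only, from HQ or DR. Without parentheses AND binds first,
# so any request from DR passes. Sample request below is constructed.
LOOSE_EXPR = '[IdentityGroup:Name = "Admins"] AND [NDG:Location = "HQ"] OR [NDG:Location = "DR"]'
STRICT_EXPR = '[IdentityGroup:Name = "Admins"] AND ([NDG:Location = "HQ"] OR [NDG:Location = "DR"])'
CONTRACTOR_AT_DR = {"IdentityGroup:Name": "Contractors", "NDG:Location": "DR"}
```

Running `to_string(parse(LOOSE_EXPR))` prints the expression as `(([IdentityGroup:Name = "Admins"] AND [NDG:Location = "HQ"]) OR [NDG:Location = "DR"])`, and `evaluate(parse(LOOSE_EXPR), CONTRACTOR_AT_DR)` is True: a contractor at the DR site satisfies the loose rule, while STRICT_EXPR correctly rejects the same request. Printing the fully parenthesised form of a rule before deploying it is the cheapest way to catch this class of over-permissive policy.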

Table 10-21 summarizes the supported dynamic attribute mapping while building compound conditions.


User Guide for Cisco Secure Access Control System 5.3

10-40

OL-24201-01
