Difference between EPM vs Domain policy configuration for multi line attributes

Document ID:  TEC565903
Last Modified Date:  07/06/2017


  • CA Single Sign-On


  • CA Single Sign-On:Release:12.52 SP1



Creating policies in "Classic" mode and in "EPM" mode (application-based policies) is quite different, especially if you are creating AZ policies that are based on a multi-value string attribute.

For example, mail can contain multiple email addresses. To authorize the user, you should specify only one email address from the list. Classic and EPM modes use different syntax to do this.


To illustrate the configuration difference:

User1 has the following emails in the user directory: user1@ca.com, user1@ca1.com and user1@ca2.com.

In Classic mode in R12 SP3, create the LDAP search expression in the policy using the Expression Editor as (mail=user1@ca.com), with User Class set to Search Users.

In EPM mode, use the "IN" operator rather than "=" or "LIKE".
Create an attribute mapping for the user directory:
*Name: Multivalue
*Value: (user1@ca.com IN email)
Create a role: Boolean(Multivalue)
