Forum Discussion
APM Advanced Resource Assign based on "user in list" expression
Hi,
I'm attempting to assign resources to a user if their user name, retrieved during authentication, exists in a list. I've tried many combinations of the following to no avail:
expr { lsearch {"user1" "user2" "user3"} [mcget {session.logon.last.username}] }
I've also tried (many, many) combinations of:
expr { [mcget {session.logon.last.username}] in {"user1" "user2" "user3"} }
or
expr { [mcget {session.logon.last.username}] in [list "user1" "user2" "user3"] }
None of these works.
This works, though I would rather not use it; there are corner cases where it can fail:
expr { "user1 user2 user3" contains [mcget {session.logon.last.username}] }
Any ideas?
Sys::Version
Main Package
Product BIG-IP
Version 16.1.3.3
Thanks!
Hi nickamon,
I think multiple variables cannot be compared without using "or" in the expression. Using an iRule can help.
- Add iRule event before Advanced Resource Assign.
- Compare user names with datagroup in the iRule.
- Set new variable by datagroup match in the iRule.
- Use the variable in Advanced Resource Assign Expression.
expr { [mcget {session.logon.last.usergroup}] equals "usergroup1" }
iRule:
when ACCESS_POLICY_AGENT_EVENT {
    # Act only on the iRule Event agent whose ID is "usercheck"
    if { [ACCESS::policy agent_id] eq "usercheck" } {
        # Exact match of the username against each data group in turn
        if { [class match [ACCESS::session data get "session.logon.last.username"] equals /Common/dg_userlist1] } {
            ACCESS::session data set session.logon.last.usergroup "usergroup1"
        } elseif { [class match [ACCESS::session data get "session.logon.last.username"] equals /Common/dg_userlist2] } {
            ACCESS::session data set session.logon.last.usergroup "usergroup2"
        } elseif { [class match [ACCESS::session data get "session.logon.last.username"] equals /Common/dg_userlist3] } {
            ACCESS::session data set session.logon.last.usergroup "usergroup3"
        } else {
            # Username is in none of the data groups
            ACCESS::session data set session.logon.last.usergroup "usergroup4"
        }
    }
}
If you add the datagroup records as string-value(username-variable), you can use only one datagroup and simplify the iRule by assigning the datagroup parameter's value to the variable.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "usercheck" } {
        if { [class match [ACCESS::session data get "session.logon.last.username"] equals /Common/dg_userlist] } {
            # Use the value stored with the matching data group record as the user group
            ACCESS::session data set session.logon.last.usergroup [class match -value [ACCESS::session data get "session.logon.last.username"] equals /Common/dg_userlist]
        } else {
            # Username has no record in the data group
            ACCESS::session data set session.logon.last.usergroup "nondatagroupuser"
        }
    }
}
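The corner case the question mentions for the `contains` form, shown next to an exact list-membership test, as an added example that is not part of the original thread. It is plain Tcl for `tclsh`, not an APM expression: the `contains` operator is emulated with `string first` (an assumption), the procedure names are hypothetical, and the usernames are constructed.

```tcl
# Added example: constructed values, not taken from the original thread.
# Plain Tcl (8.4-compatible); run with tclsh.

# Allow-list from the question.
set allowed [list user1 user2 user3]

# Stand-in for the substring test in the question:
#   expr { "user1 user2 user3" contains $name }
# (assumption: emulated here with [string first], a substring search)
proc substring_match {allowed name} {
    return [expr {[string first $name [join $allowed " "]] >= 0}]
}

# Exact, whole-element membership. lsearch returns the index of the match,
# or -1 when there is none, so the result must be compared against 0:
# used bare as a boolean, -1 (no match) is true and 0 (first element) is false.
proc exact_match {allowed name} {
    return [expr {[lsearch -exact $allowed $name] >= 0}]
}

# Constructed usernames: one legitimate, the rest only resemble list entries.
foreach name [list user1 user ser2 "user1 user2" user10] {
    puts [format "%-14s substring=%d exact=%d" \
        "\"$name\"" [substring_match $allowed $name] [exact_match $allowed $name]]
}
```

Only `user1` passes the exact test, while `user`, `ser2` and `user1 user2` all pass the substring test, so resources keyed on the substring form can be assigned to accounts that are not in the list. The data-group `class match ... equals` lookup in the answer above is an exact comparison.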