
Forum Discussion

nickamon
Apr 17, 2023

APM Advanced Resource Assign based on "user in list" expression

Hi,

I'm attempting to assign resources to a user if their user name, retrieved during authentication, exists in a list. I've tried many combinations of the following to no avail:

expr { lsearch {"user1" "user2" "user3"}  [mcget {session.logon.last.username}] }

I've also tried (many, many) combinations of:

expr { [mcget {session.logon.last.username}] in {"user1" "user2" "user3"}  }

or

expr { [mcget {session.logon.last.username}] in [list "user1" "user2" "user3"] }

None of these works.

This works, though I'd rather not use it, as there are corner cases where it can fail:

expr { "user1 user2 user3" contains [mcget {session.logon.last.username}] }

Any ideas?

Sys::Version
Main Package
    Product BIG-IP
    Version 16.1.3.3

Thanks!

1 Reply

    Hi nickamon,

    I think multiple variables cannot be compared without using "or" in the expression. Using an iRule can help.

    • Add iRule event before Advanced Resource Assign.
    • Compare user names with datagroup in the iRule.
    • Set new variable by datagroup match in the iRule.
    • Use the variable in Advanced Resource Assign Expression.
    expr { [mcget {session.logon.last.usergroup}] equals "usergroup1"  }

    iRule:

    when ACCESS_POLICY_AGENT_EVENT {
        # Only act for the iRule Event agent whose ID is "usercheck"
        if { [ACCESS::policy agent_id] eq "usercheck" } {
            # Tcl requires "} elseif {" on one line; a newline before elseif is a syntax error
            if { [class match [ACCESS::session data get "session.logon.last.username"] equals /Common/dg_userlist1] } {
                ACCESS::session data set session.logon.last.usergroup "usergroup1"
            } elseif { [class match [ACCESS::session data get "session.logon.last.username"] equals /Common/dg_userlist2] } {
                ACCESS::session data set session.logon.last.usergroup "usergroup2"
            } elseif { [class match [ACCESS::session data get "session.logon.last.username"] equals /Common/dg_userlist3] } {
                ACCESS::session data set session.logon.last.usergroup "usergroup3"
            } else {
                ACCESS::session data set session.logon.last.usergroup "usergroup4"
            }
        }
    }

    If you add the datagroup records as string-value pairs (username-variable), you can use only one datagroup and simplify the iRule by assigning the datagroup record's value to the variable.

    when ACCESS_POLICY_AGENT_EVENT {
        if { [ACCESS::policy agent_id] eq "usercheck" } {
            # Exact key match against the datagroup; the record's value is the group name
            if { [class match [ACCESS::session data get "session.logon.last.username"] equals /Common/dg_userlist] } {
                ACCESS::session data set session.logon.last.usergroup [class match -value [ACCESS::session data get "session.logon.last.username"] equals /Common/dg_userlist]
            } else {
                ACCESS::session data set session.logon.last.usergroup "nondatagroupuser"
            }
        }
    }
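The single-datagroup approach from the reply, as an added example that is not the reply's own iRule: it assumes a string datagroup /Common/dg_userlist whose record values are group names and an iRule Event agent with ID "usercheck", and adds two things the reply does not show, username normalization before the lookup and an explicit empty-username case. The "equals" datagroup match is an exact key comparison, so the substring corner case of the original "contains" expression (a user name that is a prefix of a listed name) cannot occur.

```tcl
# Added example, not code from the reply. Assumed datagroup, created on the
# BIG-IP with tmsh (keys stored lowercase to match the normalization below):
#   create ltm data-group internal dg_userlist type string records add {
#       user1 { data usergroup1 } user2 { data usergroup1 } user3 { data usergroup2 } }
when ACCESS_POLICY_AGENT_EVENT {
    # Assumed agent_id "usercheck" on the iRule Event agent placed before
    # Advanced Resource Assign, as in the reply.
    if { [ACCESS::policy agent_id] ne "usercheck" } { return }

    # Normalize: trim whitespace and lowercase so "User1 " and "user1" hit
    # the same record instead of silently falling through to the default.
    set user [string tolower [string trim [ACCESS::session data get "session.logon.last.username"]]]

    # An empty username (variable never populated) must never map to a group.
    if { $user eq "" } {
        ACCESS::session data set session.logon.last.usergroup "nondatagroupuser"
        return
    }

    # "equals" is an exact key match: "user" does not match the key "user1".
    if { [class match $user equals /Common/dg_userlist] } {
        # The record value (e.g. "usergroup1") becomes the session variable.
        ACCESS::session data set session.logon.last.usergroup [class match -value $user equals /Common/dg_userlist]
    } else {
        ACCESS::session data set session.logon.last.usergroup "nondatagroupuser"
    }
}
# The Advanced Resource Assign expression then tests the variable, as in the reply:
#   expr { [mcget {session.logon.last.usergroup}] equals "usergroup1" }
```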