exclude some paths from signature based ASM

Hi nickamon,

I think multiple variable cannot be compare without using "or" in the expression. Using iRule can help.

• Add iRule event before Advanced Resource Assign.
• Compare user names with datagroup in the iRule.
• Set new variable by datagroup match in the iRule.
• Use the variable in Advanced Resource Assign Expression.

expr { [mcget {session.logon.last.usergroup}] equals "usergroup1"  }

 iRule:

when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "usercheck" } {
        if { [class match [ACCESS::session data get "session.logon.last.username"] equals /Common/dg_userlist1] } {
            ACCESS::session data set session.logon.last.usergroup "usergroup1"
        }
		elseif { [class match [ACCESS::session data get "session.logon.last.username"] equals /Common/dg_userlist2] } {
            ACCESS::session data set session.logon.last.usergroup "usergroup2"
		}
		elseif { [class match [ACCESS::session data get "session.logon.last.username"] equals /Common/dg_userlist3] } {
            ACCESS::session data set session.logon.last.usergroup "usergroup3"
		}
		else {
			ACCESS::session data set session.logon.last.usergroup "usergroup4"
		}
    }
}

If you add the datagroup records as string-value(username-variable), you can use only one datagroup and simplify the iRule by assigning datagroup parameter's value to the variable.

when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "usercheck" } {
        if { [class match [ACCESS::session data get "session.logon.last.username"] equals /Common/dg_userlist] } {
            ACCESS::session data set session.logon.last.usergroup [class match -value [ACCESS::session data get "session.logon.last.username"] equals /Common/dg_userlist]
        }
		else {
			ACCESS::session data set session.logon.last.usergroup "nondatagroupuser"
		}
    }
}