APM Advanced Resource Assign based on "user in list" expression

nickamon
Nimbostratus

Hi,

I'm attempting to assign resources to a user if their user name, retrieved during authentication, exists in a list.  I've tried many combinations of the following to no avail:

expr { lsearch {"user1" "user2" "user3"}  [mcget {session.logon.last.username}] }

I've also tried (many, many) combinations of:

expr { [mcget {session.logon.last.username}] in {"user1" "user2" "user3"}  }

or

expr { [mcget {session.logon.last.username}] in [list "user1" "user2" "user3"] }

None of these works. 

This works, though I'd rather not use it; there are corner cases where it can fail:

expr { "user1 user2 user3" contains [mcget {session.logon.last.username}] }

Any ideas?

Sys::Version
Main Package
    Product BIG-IP
    Version 16.1.3.3

Thanks!

1 REPLY

Hi nickamon,

I think multiple variables cannot be compared without using "or" in the expression. Using an iRule can help.

  • Add an iRule event before Advanced Resource Assign.
  • Compare user names with a datagroup in the iRule.
  • Set a new variable by datagroup match in the iRule.
  • Use the variable in the Advanced Resource Assign expression:

expr { [mcget {session.logon.last.usergroup}] equals "usergroup1"  }

 iRule:

when ACCESS_POLICY_AGENT_EVENT {
    # Run only for the iRule Event agent whose ID is "usercheck"
    if { [ACCESS::policy agent_id] eq "usercheck" } {
        set username [ACCESS::session data get "session.logon.last.username"]
        # Exact-match the username against each datagroup in turn.
        # Tcl requires elseif/else on the same line as the preceding closing brace.
        if { [class match $username equals /Common/dg_userlist1] } {
            ACCESS::session data set session.logon.last.usergroup "usergroup1"
        } elseif { [class match $username equals /Common/dg_userlist2] } {
            ACCESS::session data set session.logon.last.usergroup "usergroup2"
        } elseif { [class match $username equals /Common/dg_userlist3] } {
            ACCESS::session data set session.logon.last.usergroup "usergroup3"
        } else {
            # No datagroup matched: fall back to the default group
            ACCESS::session data set session.logon.last.usergroup "usergroup4"
        }
    }
}

If you add the datagroup records as string-value pairs (username-variable), you can use only one datagroup and simplify the iRule by assigning the datagroup parameter's value to the variable.

when ACCESS_POLICY_AGENT_EVENT {
    # Run only for the iRule Event agent whose ID is "usercheck"
    if { [ACCESS::policy agent_id] eq "usercheck" } {
        set username [ACCESS::session data get "session.logon.last.username"]
        if { [class match $username equals /Common/dg_userlist] } {
            # -value returns the value stored with the matching datagroup record
            ACCESS::session data set session.logon.last.usergroup [class match -value $username equals /Common/dg_userlist]
        } else {
            # Username is not in the datagroup
            ACCESS::session data set session.logon.last.usergroup "nondatagroupuser"
        }
    }
}
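
An added example (not from either poster, and not F5 code) in plain Tcl that runs in tclsh off-box: it compares the substring `contains` workaround from the question with exact matching, which is what `lsearch -exact` and the reply's `class match ... equals` both rely on. The user names, the `dg_userlist` array and the proc names are constructed for illustration, and `string first` is used here as a stand-in for `contains`.

```tcl
# Constructed allow-list; on BIG-IP the name would come from
# session.logon.last.username rather than a literal.
set allowed {user1 user2 user3}

# Model of the substring workaround: "user1 user2 user3" contains $name
proc substring_check {allowed name} {
    return [expr {[string first $name [join $allowed " "]] >= 0}]
}

# lsearch without -exact treats $name as a glob pattern.
proc glob_check {allowed name} {
    return [expr {[lsearch $allowed $name] >= 0}]
}

# Exact membership. lsearch returns -1 when absent and 0 for the first
# element, so the result has to be compared, not used as a boolean.
proc exact_check {allowed name} {
    return [expr {[lsearch -exact $allowed $name] >= 0}]
}

# Hypothetical stand-in for a string-value data group (username -> group).
array set dg_userlist {user1 usergroup1 user2 usergroup2 user3 usergroup3}
proc group_for {name} {
    global dg_userlist
    if {[info exists dg_userlist($name)]} {
        return $dg_userlist($name)
    }
    return "nondatagroupuser"
}

# Constructed test names: two legitimate, four that must not match.
foreach name {user1 user3 user ser2 "user1 user2" user*} {
    puts [format "%-14s substring=%d glob=%d exact=%d group=%s" \
        "\"$name\"" [substring_check $allowed $name] \
        [glob_check $allowed $name] [exact_check $allowed $name] \
        [group_for $name]]
}
```

Only the exact check and the keyed lookup reject all four unexpected names; the substring and glob checks each accept at least one of them, which would assign resources to a user who is not on the list.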