...
You can use entity.memberOf('full:group:id:path') exactly like that to see if user is in a group or not.
| Expression | Description |
|---|
| Code Block |
|---|
${ entity.memberOf('ref:staff') && entity.memberOf('ref:payroll:fullTime') && entity.memberOf('ref:mfaEnrolled') } |
| Three part intersection. Full time staff in MFA |
| Code Block |
|---|
${ ( entity.memberOf('ref:employee')
|| entity.memberOf('ref:student') |
// employees or students
|| (entity.memberOf('ref:guests')
&& entity.memberOf('app:vpn:vpnManualOverrides'))) |
// or guests who are in manual allow
&& !entity.memberOf('ref:globalLockout')
&& !entity.memberOf('app:vpn:vpnManualLockout') } // and not in either lockout group |
| Example policy That means users who are not in globalLockout and not in vpnManualLockout
and in an eligible population which is faculty, students, or guests who are in the manual app override group |
| Code Block |
|---|
${ entity.memberOf('app:vpn:users') != entity.memberOf('ref:mfaEnrolled') } |
| Exclusive OR This is VPN users not in MFA and MFA users not in VPN: |
How it works
There are some trade-offs with performance and resources. This is the current implementation. It is optimized to reduce run-time. It does use a lot of memory, though that was a consideration.
...