Difference between EPM vs Domain policy configuration for multi line attributes

Document ID : KB000009423
Last Modified Date : 14/02/2018
Show Technical Document Details

Creating policies using the "Classic" and "EPM" modes (application based policies) are quite different especially if you are creating AZ policies that are based on a mutil-value string attribute.

For example, mail can contain multiple email addresses. But if you want to authorize the user, you should specify only 1 email address among the list. Classic and EPM modes have different syntax to do it.


To illustrate the configuration difference :

User1 has following emails in the user directory - user1@ca.comuser1@ca1.com and user1@ca2.com.

In classic mode in R12 SP3 in the policy we create the LDAP search expression using the Expression Editor as (mail=user1@ca.com) and User Class as Search Users

In EPM mode use the "IN" operator rather than the "=" or the "LIKE" 
Create an attribute mapping the user directory 
*Name: Multivalue 
*Value: (user1@ca.com IN email) 
Create a role : Boolean(Multivalue)