The most recent patch for this version is 7.0.1.

Version: 7.0

Target Editor

In the Target Editor you define the scope of applicability for the current node through a predicate, an expression that evaluates to True or False.

A target expression is a combination of an attribute, an attribute value and a function or an operator between the attribute and the value. The functions that are available depend on the data type of the attribute that is selected. There is only one target per node, but multiple predicates can be combined with logical AND or OR operators.

  • To open the Target Editor, select the node in the policy tree that you want to edit. In the edit panel that opens, click the Add Target button to start adding target expressions.

The edit panel can be maximized to full size. This will resize the frame around the Target Editor to accommodate long attribute names. Use the buttons below the Target Editor to add additional target expressions combined with a logical AND or OR.

Statements combined with a logical AND are stored inside a sequence of XACML AnyOf and AllOf elements. Statements combined with a logical OR are rendered with an added sequence of AllOf and AnyOf.

Note: An attribute can be a "Bag" of values and the operators "==", "<", etc. handle bags as well as single-valued attributes. If attributes are bags, the operator returns true if at least one of the values matches.

In this example, the applicability is limited to requests in which the actor has a subject attribute called clearanceLevel with a value greater than 2 and the resource has an attribute called documentType with the value Classified. A Policy Set, Policy, or Rule with this target will be applicable only if both of these conditions are met. The Authorization Service to which this policy has been deployed will disregard this node during policy evaluation if the Target does not match the values of attributes passed in the XACML request context.
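The AND and bag semantics described above, as an added example that is not taken from the product or its documentation: a constructed XACML 3.0 target for clearanceLevel > 2 AND documentType == Classified, with a minimal evaluator. The XML is one valid encoding and not necessarily what the editor emits; the request dictionary and the function names are assumptions, and Indeterminate results are not modelled.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
FN = "urn:oasis:names:tc:xacml:1.0:function:"
XS = "http://www.w3.org/2001/XMLSchema#"
SUBJ = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RES = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"

# Constructed target: both Match elements sit in one AllOf, so both must hold.
TARGET = f"""<Target xmlns="{NS['x']}">
 <AnyOf><AllOf>
  <Match MatchId="{FN}integer-less-than">
   <AttributeValue DataType="{XS}integer">2</AttributeValue>
   <AttributeDesignator Category="{SUBJ}" AttributeId="clearanceLevel"
     DataType="{XS}integer" MustBePresent="false"/>
  </Match>
  <Match MatchId="{FN}string-equal">
   <AttributeValue DataType="{XS}string">Classified</AttributeValue>
   <AttributeDesignator Category="{RES}" AttributeId="documentType"
     DataType="{XS}string" MustBePresent="false"/>
  </Match>
 </AllOf></AnyOf>
</Target>"""

# XACML calls the match function as fn(policy literal, request value), so
# "clearanceLevel > 2" is encoded as integer-less-than(2, clearanceLevel).
FUNCS = {
    FN + "integer-less-than": lambda lit, v: int(lit) < int(v),
    FN + "string-equal": lambda lit, v: lit == v,
}

def match(m, request):
    lit = m.find("x:AttributeValue", NS).text
    d = m.find("x:AttributeDesignator", NS)
    bag = request.get((d.get("Category"), d.get("AttributeId")), [])
    # Bag semantics: one matching value is enough; an empty bag never matches.
    return any(FUNCS[m.get("MatchId")](lit, v) for v in bag)

def target_applies(xml_text, request):
    """request maps (category, attribute id) to a list (bag) of values."""
    root = ET.fromstring(xml_text)
    return all(                      # every AnyOf must match ...
        any(                         # ... through at least one of its AllOf ...
            all(match(m, request) for m in all_of.findall("x:Match", NS))
            for all_of in any_of.findall("x:AllOf", NS))
        for any_of in root.findall("x:AnyOf", NS))
```

When reviewing an exported policy, read each Match with the literal as the first argument: a target shown as "greater than 2" appears in XML as a less-than function with the value 2.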

Attribute constraints

An attribute in the Attribute Dictionary may be defined with certain constraints regarding the attribute values. See Setting attribute constraints for more information.

If there is a constraint defined in the Attribute Dictionary for the attribute selected for a target expression, this is indicated in the Target Editor via an icon.

Hover with the mouse pointer over the constraint icon to display a tooltip with the definition of the constraint and a sample of the type of value or format allowed. For enumeration constraints, a drop-down menu is populated with selectable values as defined for the attribute in the Attribute Dictionary.

Target expressions with inconsistency warnings are indicated in the UI. Hover with the mouse pointer over the indicated field to display an explanatory message. Values not fitting the constraint can still be entered, and a policy with warnings in the target expression can be saved.

Note: A warning about, for example, an out-of-range value for a constraint does not necessarily mean that the target expression is invalid in terms of the XACML structure. The warning is displayed to alert the user that the policy, as it stands, may lead to valid but unwanted results.

Creating a new target expression

  1. Click the node for which you want to add a target expression. The edit panel for the node is displayed.

  2. Click the Add Target button. The Target Editor interface is displayed. When you move the cursor over a field that can be edited, the cursor icon changes to an index finger.

  3. If the target expression is empty, <click here> is shown in the Attribute field.

  4. Point to the field, and click to select it.

  5. Select an attribute from your current Attribute Dictionary in either of the following ways:

  • Type the first letters of the attribute name in the field to filter by name, and then select the attribute from the filtered list of attributes.

  • Click the arrow to open the drop-down list and scroll to select the attribute.

  6. Place the cursor in the operator field and select an operator in the same fashion.

  7. Finally, point to the value field and type the value that the attribute should match.

Deleting a target definition

To delete the entire target definition in one go, click the trash can icon in the upper right-hand corner of the Target Editor.

Adding, deleting, copying or cutting expressions from the Target Editor

To add, delete, copy or cut expressions in the Target Editor:

  1. Select the expression(s) that you want to edit:

  • Click on an individual attribute to select that attribute.

  • Click on the AND/OR operator to select that branch of the expression.

  • Click on the target editor window itself to select the entire expression.

  2. Doing so will reveal a menu icon towards the far right of the row. Click on the icon to display an action menu.

  3. In the menu, choose the action you want to perform on the selected part of the expression.

  4. Alternatively, to DELETE or to add AND or OR operators, you can use the buttons at the bottom of the Target Editor.

Note: Hovering with the mouse pointer towards the far right of the row will also reveal the menu icon.

Copying or cutting and pasting expressions

  1. Select and copy or cut a portion of an expression as explained in Adding, deleting, copying or cutting expressions from the Target Editor above.

  2. Select the position where you want to insert the cut or copied expression.

  3. Click on the menu icon on the far right of the row to show the available actions anew. The Paste function is now enabled.

  4. Click Paste to insert the copied expression at the current location.

Expanding or collapsing expressions

If you have many expressions on multiple lines, you can expand/collapse the logical AND/OR operator of the block.

  1. Click on the logical AND/OR expression.

  2. If it is collapsed, a plus symbol is added to the icon.

  3. If it is expanded, a minus symbol is added to the icon.

  4. Click again to toggle between the expanded and collapsed state.