Rules examples

This page contains a few useful Perl expressions you can use in your Handler rules, SAML/OIDC/CAS security rules, 2FA Activation rules, etc.

Using session attributes

Session attributes are visible in the Manager’s Session browser, any attribute you see there can be used in a rule!

  • Restricting access to a single user:

$uid eq "dwho"
$uidNumber == 1000
$cn eq "Doctor Who"
$email eq ""


In Perl, eq means Equal and must be used on strings. == should be used only on numbers


In Perl, @ character means an array and % a hash! If you want to write a macro with these characters, you have to escape them like this:

$my_email = "$uid\"
$percent = "$rate\%more"
  • Restricting access to specific groups

$groups =~ /\b(?:admins|su)\b/ # admins OR su
$groups =~ /\badmin_[1-3a]\b/ # admin_1 OR admin_2 OR admin_3 OR admin_a

defined $hGroups->{'administrators'}

# 2.0.8 and higher only
  • Combining multiple expressions

inGroup('timelords') and not $uid eq 'missy'
  • Using Perl’s regular expressions

$cn =~ /^Doctor.*/i
$email !~ /$/
  • Filtering on Authentication Level

$authenticationLevel >= 3
  • Filtering on Authentication method

$_auth ne 'Demo'
  • Checking if the user has a an available second factor.

# Since 2.0.10
has2f('TOTP') or has2f('U2F')

# Before 2.0.10
$_2fDevices =~ /"type":\s*"TOTP"/s


In Perl, ne means Not Equal and must be used on strings. \b means word Boundary. (?:) means non capturing parenthesis.

Using environment variables

  • Comparing the IP address

$env->{REMOTE_ADDR} =~ /^10\./
  • Comparing requested URI

$env->{REQUEST_URI} =~ /test/