Rules examples

This page contains a few useful Perl expressions you can use in your Handler rules, SAML/OIDC/CAS security rules, 2FA Activation rules, etc.

Using session attributes

Session attributes are visible in the Manager’s Session browser, any attribute you see there can be used in a rule!

  • Restricting access to a single user:
$uid eq "dwho"
$uidNumber == 1000
$cn eq "Doctor Who"
$email eq "dwho@badwolf.org"
etc.

Tip

In Perl, eq means Equal and must be used on strings. == should be used only on numbers

Danger

In Perl, @ character means an array and % a hash! If you want to write a macro with these characters, you have to escape them like this:

$my_email = "$uid\@my-domain.com"
$percent = "$rate\%more"
  • Restricting access to specific groups
$groups =~ /\b(?:admins|su)\b/ # admins OR su
$groups =~ /\badmin_[1-3a]\b/ # admin_1 OR admin_2 OR admin_3 OR admin_a

defined $hGroups->{'administrators'}

# 2.0.8 and higher only
inGroup('administrators')
  • Combining multiple expressions
inGroup('timelords') and not $uid eq 'missy'
  • Using Perl’s regular expressions
$cn =~ /^Doctor.*/i
$email !~ /@spam.com$/
  • Filtering on Authentication Level
$authenticationLevel >= 3
  • Filtering on Authentication method
$_auth ne 'Demo'
  • Checking if the user has a an available second factor.
# Since 2.0.10
has2f()
has2f('TOTP')
has2f('TOTP') or has2f('U2F')

# Before 2.0.10
$_2fDevices =~ /"type":\s*"TOTP"/s

Tip

In Perl, ne means Not Equal and must be used on strings. \b means word Boundary. (?:) means non capturing parenthesis.

Using environment variables

  • Comparing the IP address
$env->{REMOTE_ADDR} =~ /^10\./
  • Comparing requested URI
$env->{REQUEST_URI} =~ /test/