Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


If more than one rule with the same target name matches, then the attribute will have more than one value. All values are passed if that attribute is released, and all values are used by statistics if it is reportable. Unfortunately the interface cannot display muliti-valued attributes on accounts at the moment.

If a rule is using the 'any' condition, or conditions are based on any multi-valued attributes such as memberOf(e.g. memberOf), then your rule can could match on any of the multiple values that it sees. Negative Care must be taken with negative matches such as 'does not contain' are best avoided in those these cases.



An organisation has offices in 20 cities around the world. The directory they have connected to OpenAthens can pass the name of the office (e.g. Abuja office), but not the country. All users have access to the same set of resources and are not separated by sub-organistaion or permission set.