# Identity and Access Management

## Realm Trust Relationships

Realms may choose to trust authentication credentials from other realms. Suppose that realm pete trusts realm purdue. If user mary authenticates to purdue, her credentials would also be accepted by pete.

## Characteristic Boolean Expressions

Tests of characteristics associated with PUIDs are made in a form of mathematical logic known as a Boolean expression (after George Boole, who invented it). A Boolean expression combines characteristics with logical or, and, and negation operators to produce a binary (true or false) evaluation of the expression.

Characteristic Boolean expressions, supplied in an authorization expression field, PUIDNETD_DATA_EXP, are evaluated by the I2A2 authorizer DBM, and the result is returned in the authorization expression value field PUIDNETD_DATA_EXPV. (PUIDNETD_DATA symbols are defined in puidnetd.h.)

## Characteristic Boolean Operators

The authorizer DBM recognizes three operators:

• | -- The Boolean or operator with this truth table:
0 | 0 = 0
0 | 1 = 1
1 | 0 = 1
1 | 1 = 1

• & -- The Boolean and operator with this truth table:
0 & 0 = 0
0 & 1 = 0
1 & 0 = 0
1 & 1 = 1

• ~ -- The Boolean negation operator with this truth table:
~0 = 1
~1 = 0

The authorizer DBM also recognizes parentheses for purposes of grouping operands and their related expressions.

## Characteristic Boolean Operands

The operands in characteristic Boolean expressions are usually characteristic numbers. They can be found in the characteristics list or via authorization characteristic lookup calls to the authorizer DBM.

Characteristics have two (Boolean) values:

• 0 -- or false, if the characteristic is not associated with the PUID
• 1 -- or true, if the characteristic is associated with the PUID

## Limits

A characteristic Boolean expression may have no more than 1,024 operators, and no more than 2,048 operands.

## Examples

Here are some examples. The external protocol examples use PUID 18 as the target.

Is the person associated with PUID 18 a student enrolled in Engineering 106, division 1, section 2?

Student characteristic number: 1
"ENGR106 0102" characteristic: 1008673

Characteristic Boolean expression: 1 & 1008673

External protocol lookup command message:

l p18 X1 & 1008673

Is the student enrolled in Computer Science 180 also a regular employee who has a graduate assistant or administrative appointment?

Employee characteristic number: 0
Student characteristic number: 1
"C S 180" characteristic number: 1003722
Regular employee characteristic number: 2000
Graduate assistant appointment type characteristic number: 2059
Administrative appointment type characteristic number: 2066

Characteristic Boolean expression: 0 & 1 & 2000 & (2059 | 2066)

External protocol lookup command message:

lp X0 & 1 & 2000 & (2059 | 2066)

## Notes

The examples show some aspects of I2A2 authorization characteristics worth noting.

• The use of characteristic numbers as operands may seem cumbersome, but they are easy to determine from the characteristics list or from direct characteristic lookup calls to the authorizer DBM.
• Course names have embedded spaces, and those spaces must be provided to the authorizer DBM when looking up a course characteristic's number by its name. When in doubt, follow the spacing shown in the characteristics list.
• Parentheses are both useful and necessary in characteristic Boolean expressions.

## Errors

If the authorizer command has an error in it, the reply will be a negative acknowledgement (NAK) with an error code field (PUIDNETD_DATA_ERRC in puidnetd.h).

If an error was detected in the Boolean expression, there will also be message fields (PUIDNETD_DATA_MSG in puidnetd.h) which can be positioned directly under the Boolean expression to identify the exact position of the expression in error. Here's a simple example with the NAK messages aligned to identify the error position.

External protocol lookup command message:

l p18 1 || 0

(The error is that there are two consecutive or ('|') operators.)

Negative acknowledgement (NAK):

n\te17\tMIncompatible previous operator or operand (334)\t
M "1 || 0"
M ^

## Using Names and Macros

Characteristic operands are usually expressed as characteristic numbers, but they may be expressed as characteristic names and macros.

Characteristic names are the names associated with characteristics on the characteristics page. For example, characteristic number 1003722 is assigned to the "C S 180" course name. When a characteristic name is used in a Boolean expression, it must be enclosed in double quote ('"') marks to protect its spaces and special characters -- e.g.,

l p18 X(0 | "C S 180")

A characteristic macro is a shorthand form for a longer Boolean expression. Macros are pre-defined and may be found on the characteristics page. Here's an example of the macro that checks for authorization to use the Purdue Air Link wireless system:

PAL: (0|1|2094|13672|13676|13679)

Here's an example that uses the PAL macro to determine if PUID 18 is enrolled in CS 180 and is eligible to use PAL:

lp18 X("C S 180" & PAL)

If there is a characteristic expression for which you would like to have a macro name, contact the I2A2 Administrators.
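The following is an added example, not puidnetd or I2A2 code, that pulls together the operator, operand, limit, error-position and name/macro rules described above into a small evaluator. It assumes conventional precedence (~ binds tightest, then &, then |; the page itself relies on parentheses and does not state precedence), the characteristic names "C S 180" and "ENGR106 0102" and the PAL macro from this page, constructed names for the Student (1) and Employee (0) characteristics, and a constructed table of which characteristics are associated with two sample PUIDs. The error message "Incompatible previous operator or operand" is the one quoted on the page; the other error texts, and the omission of the numeric NAK error code field, are the example's own choices.

```python
# Added example: evaluator for characteristic Boolean expressions in the style
# described on this page. Not I2A2/puidnetd code; precedence, sample data and the
# error texts other than the one quoted on the page are assumptions.
import re

# Names quoted on the page ("C S 180", "ENGR106 0102") plus constructed names for
# the Student (1) and Employee (0) characteristics; the real list is authoritative.
CHARACTERISTIC_NAMES = {"C S 180": 1003722, "ENGR106 0102": 1008673,
                        "Student": 1, "Employee": 0}
MACROS = {"PAL": "(0|1|2094|13672|13676|13679)"}   # macro as shown on the page
# Constructed: which characteristics are associated with each sample PUID.
PUID_CHARACTERISTICS = {18: {0, 1, 2000, 2059, 1003722, 1008673},
                        42: {1, 1003722}}
MAX_OPERATORS, MAX_OPERANDS = 1024, 2048        # limits stated on the page

TOKEN_RE = re.compile(r'\s*(?:(\d+)|"([^"]*)"|([A-Za-z_]\w*)|([|&~()]))')


class ExpressionError(ValueError):
    """Parse error carrying the 0-based offset of the offending character."""
    def __init__(self, message, pos):
        super().__init__(message)
        self.pos = pos


def tokenize(text):
    """Return (kind, value, pos) tokens; macro bodies are spliced in, and every
    token that came from a macro reports the position of the macro name."""
    tokens, i = [], 0
    while i < len(text):
        m = TOKEN_RE.match(text, i)
        if not m:
            rest = text[i:]
            if not rest.strip():
                break                               # only trailing whitespace left
            raise ExpressionError("Unrecognized character",
                                  i + len(rest) - len(rest.lstrip()))
        num, name, word, op = m.groups()
        pos = m.start(m.lastindex)                  # start of the token, not the whitespace
        if num is not None:
            tokens.append(("OPERAND", int(num), pos))
        elif name is not None:                      # quoted characteristic name
            if name not in CHARACTERISTIC_NAMES:
                raise ExpressionError("Unknown characteristic name", pos)
            tokens.append(("OPERAND", CHARACTERISTIC_NAMES[name], pos))
        elif word is not None:                      # bare word: must be a macro
            if word not in MACROS:
                raise ExpressionError("Unknown macro", pos)
            tokens.extend((k, v, pos) for k, v, _ in tokenize(MACROS[word]))
        else:
            tokens.append(("OP", op, pos))
        i = m.end()
    return tokens


class Parser:
    """expr := term ('|' term)*; term := factor ('&' factor)*;
    factor := '~' factor | '(' expr ')' | operand.  Assumed precedence: ~ > & > |."""
    def __init__(self, tokens, chars, end):
        self.toks, self.chars, self.i, self.end = tokens, chars, 0, end

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else ("END", None, self.end)

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self):
        value = self.term()
        while self.peek()[:2] == ("OP", "|"):
            self.take()
            value |= self.term()
        return value

    def term(self):
        value = self.factor()
        while self.peek()[:2] == ("OP", "&"):
            self.take()
            value &= self.factor()
        return value

    def factor(self):
        kind, val, pos = self.take()
        if kind == "OP" and val == "~":
            return 1 - self.factor()
        if kind == "OP" and val == "(":
            value = self.expr()
            k2, v2, p2 = self.take()
            if (k2, v2) != ("OP", ")"):
                raise ExpressionError("Missing closing parenthesis", p2)
            return value
        if kind == "OPERAND":
            return 1 if val in self.chars else 0    # 1 = associated with the PUID
        # e.g. the second '|' of "1 || 0": an operator where an operand is required
        raise ExpressionError("Incompatible previous operator or operand", pos)


def evaluate(expression, puid):
    """Evaluate the expression for a PUID; returns 1 or 0 (the EXPV value)."""
    tokens = tokenize(expression)
    if sum(1 for k, v, _ in tokens if k == "OP" and v in "|&~") > MAX_OPERATORS:
        raise ExpressionError("Too many operators", 0)
    if sum(1 for k, _, _ in tokens if k == "OPERAND") > MAX_OPERANDS:
        raise ExpressionError("Too many operands", 0)
    parser = Parser(tokens, PUID_CHARACTERISTICS.get(puid, set()), len(expression))
    value = parser.expr()
    kind, val, pos = parser.peek()
    if kind != "END":
        raise ExpressionError("Unmatched closing parenthesis" if val == ")"
                              else "Operator expected", pos)
    return value


def lookup(puid, expression):
    """Mimic the reply: ('ack', value) or ('nak', message, caret lines), the '^'
    of the second line sitting under the offending character as the page's NAK does."""
    try:
        return ("ack", evaluate(expression, puid))
    except ExpressionError as err:
        return ("nak", str(err), ['M "%s"' % expression, "M " + " " * (err.pos + 1) + "^"])


if __name__ == "__main__":
    for puid, expr in [(18, "1 & 1008673"), (18, "0 & 1 & 2000 & (2059 | 2066)"),
                       (42, "0 & 1 & 2000 & (2059 | 2066)"), (18, '"C S 180" & PAL'),
                       (18, "1 || 0")]:
        print(puid, repr(expr), lookup(puid, expr))
```

Macro tokens deliberately carry the position of the macro name rather than an offset inside the macro body, so that a NAK caret for an expression such as `"C S 180" & PAL` always points into the text the caller actually sent.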

Maintained by: IAMO Team

Purdue University, West Lafayette, IN 47907, (765) 494-4600
© 2010 - 2013 Purdue University