Realm Trust Relationships
Realms may choose to trust authentication credentials from other realms. Suppose that realm pete trusts realm purdue. If user mary authenticates to purdue, her credentials would also be accepted by pete.
Characteristic Boolean Expressions
Tests of characteristics associated with PUIDs are made in a form of mathematical logic known as a Boolean expression (after George Boole, who invented it). A Boolean expression combines characteristics with logical or, and, and negation operators to produce a binary (true or false) evaluation of the expression.
Characteristic Boolean expressions, supplied in an authorization expression field, PUIDNETD_DATA_EXP, are evaluated by the
I2A2 authorizer DBM, and the result is returned in the authorization expression value field PUIDNETD_DATA_EXPV.
(PUIDNETD_DATA symbols are defined in puidnetd.h.)
Characteristic Boolean Operators
The authorizer DBM recognizes three operators:
- | -- The Boolean or operator with this truth table:
  0 | 0 = 0
  0 | 1 = 1
  1 | 0 = 1
  1 | 1 = 1
- & -- The Boolean and operator with this truth table:
  0 & 0 = 0
  0 & 1 = 0
  1 & 0 = 0
  1 & 1 = 1
- ~ -- The Boolean negation operator with this truth table:
  ~0 = 1
  ~1 = 0
The authorizer DBM also recognizes parentheses for purposes of grouping operands and their related expressions.
Characteristic Boolean Operands
The operands in characteristic Boolean expressions are usually characteristic numbers. They can be found in the characteristics list or via authorization characteristic lookup calls to the authorizer DBM.
Characteristics have two (Boolean) values:
- 0 -- or false, if the characteristic is not associated with the PUID
- 1 -- or true, if the characteristic is associated with the PUID
Characteristic operands may also be names and macros. See the Using Names and Macros section of this page for more information.
Limits
A characteristic Boolean expression may have no more than 1,024 operators, and no more than 2,048 operands.
Examples
Here are some examples. The external protocol examples use PUID 18 as the target.
Is the person associated with PUID 18 a student enrolled in Engineering 106, division 1, section 2?
Student characteristic number: 1
"ENGR106 0102" characteristic: 1008673
Characteristic Boolean expression: 1 & 1008673
External protocol lookup command message:
l p18 X1 & 1008673
Is the student enrolled in Computer Science 180 also a regular employee who has a graduate assistant or administrative appointment?
Employee characteristic number: 0
Student characteristic number: 1
"C S 180" characteristic number: 1003722
Regular employee characteristic number: 2000
Graduate assistant appointment type characteristic number: 2059
Administrative appointment type characteristic number: 2066
Characteristic Boolean expression: 0 & 1 & 2000 & (2059 | 2066)
External protocol lookup command message:
l p18 X0 & 1 & 2000 & (2059 | 2066)
Notes
The examples show some aspects of I2A2 authorization characteristics worth noting.
- The use of characteristic numbers as operands may seem cumbersome, but they are easy to determine from the characteristics list or from direct characteristic lookup calls to the authorizer DBM.
- Course names have embedded spaces, and those spaces must be supplied exactly when looking up a course characteristic's number by its name with the authorizer DBM. When in doubt, follow the spacing shown in the characteristics list.
- Parentheses are both useful and necessary in characteristics Boolean expressions.
Errors
If the authorizer command has an error in it, the reply will be a negative acknowledgement (NAK) with an error code field (PUIDNETD_DATA_ERRC in puidnetd.h).
If an error was detected in the Boolean expression, there will also be message fields (PUIDNETD_DATA_MSG in puidnetd.h) which can be positioned directly under the Boolean expression to identify the exact position of the error in the expression.
Here's a simple example with the NAK messages aligned to identify the error position.
External protocol lookup command message:
l p18 1 || 0
(The error is that there are two consecutive or ('|') operators.)
Negative acknowledgement (NAK):
n\te17\tMIncompatible previous operator or operand (334)\t
M "1 || 0"
M     ^
Using Names and Macros
Characteristic operands are usually expressed as characteristic numbers, but they may be expressed as characteristic names and macros. Characteristic names are the names associated with characteristics on the characteristics page.
For example, characteristic number 1003722 is assigned to the "C S 180" course name. When a characteristic name is used in a Boolean expression, it must be enclosed in double quote ('"') marks to protect its spaces and special characters -- e.g.,
l p18 X(0 | "C S 180")
A characteristic macro is a shorthand form for a longer Boolean expression. Macros are pre-defined and may be found on the characteristics page. Here's an example of the macro that checks for authorization to use the Purdue Air Link wireless system:
PAL: (0|1|2094|13672|13676|13679)
Here's an example that uses the PAL macro to determine if PUID 18 is enrolled in CS 180 and is eligible to use PAL:
l p18 X("C S 180" & PAL)
If there is a characteristic expression for which you would like to have a macro name, contact the I2A2 Administrators.
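To make the rules above concrete, here is a small Python evaluator written for this page; it is an added example, not the authorizer DBM's own code. It tokenizes an expression into characteristic numbers, double-quoted characteristic names, macro identifiers and the |, &, ~ and parenthesis operators; evaluates it against a PUID's characteristic set with the three truth tables; expands a macro as a whole sub-expression; enforces the 1,024-operator and 2,048-operand limits; and, on a parse error such as the "1 || 0" case in the Errors section, produces message lines with a caret under the offending token the way the NAK example lays them out. The operator precedence (~ before &, before |), the token syntax, the error wording other than the page's own "Incompatible previous operator or operand" message, and the characteristic set assigned to PUID 18 are assumptions made for the example; NAMES and MACROS hold only the numbers, names and PAL macro the page shows.

```python
"""Toy evaluator for characteristic Boolean expressions of the kind the authorizer DBM
accepts. Added example, not I2A2 code: precedence (~ binds tighter than &, which binds
tighter than |), token syntax, limit enforcement and NAK layout are assumptions."""
import re

# Constructed sample data: numbers and names are the page's; PUID 18's set is made up.
NAMES = {"ENGR106 0102": 1008673, "C S 180": 1003722}
MACROS = {"PAL": "(0|1|2094|13672|13676|13679)"}   # macro from the page
PUID18 = {0, 1, 2000, 2066, 1008673, 1003722}      # constructed characteristic set
MAX_OPERATORS, MAX_OPERANDS = 1024, 2048           # limits stated on the page
# groups: 1 number, 2 "quoted characteristic name", 3 macro identifier, 4 operator
TOKEN = re.compile(r'(\d+)|"([^"]*)"|([A-Za-z_]\w*)|([|&~()])')

class ExprError(ValueError):
    def __init__(self, msg, pos):          # pos: offset of the offending token
        super().__init__(f"{msg} at offset {pos}")
        self.msg, self.pos = msg, pos
    def nak_lines(self, expr):             # message fields laid out like the page's NAK
        return [f"M{self.msg}", f'M "{expr}"', "M " + " " * (self.pos + 1) + "^"]

def tokenize(expr):
    """Return (kind, value, offset) triples; the offset places the caret in a NAK."""
    tokens, pos = [], 0
    while pos < len(expr):
        if expr[pos].isspace():
            pos += 1
            continue
        m = TOKEN.match(expr, pos)
        if m is None:
            raise ExprError("Unrecognized character", pos)
        kind = ("num", "name", "macro", "op")[m.lastindex - 1]
        val = int(m.group(1)) if kind == "num" else m.group(m.lastindex)
        tokens.append((kind, val, pos))
        pos = m.end()
    return tokens

class Parser:
    """Recursive descent: or := and ('|' and)*; and := not ('&' not)*; not := '~' not | operand."""
    def __init__(self, expr, chars, names, macros):
        self.expr, self.tokens, self.i = expr, tokenize(expr), 0
        self.chars, self.names, self.macros = chars, names, macros
        n_ops = sum(t[0] == "op" and t[1] in "|&~" for t in self.tokens)
        n_operands = sum(t[0] != "op" for t in self.tokens)
        if n_ops > MAX_OPERATORS or n_operands > MAX_OPERANDS:
            raise ExprError("Too many operators or operands", 0)
    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else ("eof", None, len(self.expr))
    def take(self):
        tok = self.peek()
        self.i += 1
        return tok
    def parse_or(self):
        value = self.parse_and()
        while self.peek()[:2] == ("op", "|"):
            self.take()
            value |= self.parse_and()          # truth table of '|'
        return value
    def parse_and(self):
        value = self.parse_not()
        while self.peek()[:2] == ("op", "&"):
            self.take()
            value &= self.parse_not()          # truth table of '&'
        return value
    def parse_not(self):
        if self.peek()[:2] == ("op", "~"):
            self.take()
            return 1 - self.parse_not()        # truth table of '~'
        return self.parse_operand()
    def parse_operand(self):
        kind, val, pos = self.take()
        if (kind, val) == ("op", "("):         # parentheses group a sub-expression
            value = self.parse_or()
            k2, v2, p2 = self.take()
            if (k2, v2) != ("op", ")"):
                raise ExprError("Missing closing parenthesis", p2)
            return value
        if kind == "op":   # '|', '&' or ')' where an operand was expected (cf. the page's NAK)
            raise ExprError("Incompatible previous operator or operand", pos)
        if kind == "eof":
            raise ExprError("Operand expected", pos)
        if kind == "macro":   # a macro stands for a whole pre-defined sub-expression
            if val not in self.macros:
                raise ExprError("Unknown macro", pos)
            return evaluate(self.macros[val], self.chars, self.names, self.macros)
        if kind == "name" and val not in self.names:   # names must be quoted and known
            raise ExprError("Unknown characteristic name", pos)
        number = self.names[val] if kind == "name" else val
        return 1 if number in self.chars else 0        # 1 iff the PUID holds the characteristic

def evaluate(expr, chars, names=NAMES, macros=MACROS):
    """Evaluate expr against a PUID's characteristic set; returns 0 or 1."""
    p = Parser(expr, chars, names, macros)
    value = p.parse_or()
    if p.peek()[0] != "eof":
        raise ExprError("Unexpected token", p.peek()[2])
    return value
```

With the constructed PUID18 set, `evaluate("1 & 1008673", PUID18)` and `evaluate('("C S 180" & PAL)', PUID18)` both return 1, while `evaluate("1 || 0", PUID18)` raises an ExprError whose `nak_lines("1 || 0")` puts the caret under the second '|', matching the layout of the NAK example above. Passing the unquoted `C S 180` fails as an unknown macro `C`, which is the reason the page requires double quotes around characteristic names.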