KB43937 - System Variables

Last Modified Date: 11/6/2018 5:59 PM
Synopsis
This article provides details on the system variables that are supported in PCS OS and the values that can be used with them.
Solution

Each entry below gives the variable, a description, the contexts in which it can be used (role mapping rules, resource policy rules, SSO parameter fields, LDAP configuration), and examples.

authMethod

Type of authentication method used to authenticate the user.

role mapping rules, resource policy rules

authMethod = 'ACE Server'

 

cacheCleanerStatus

The status of Cache Cleaner. Possible values:

1 - if it is running

0 - if otherwise

 

cacheCleanerStatus = 1

cacheCleanerStatus = 0

certAttr.<cert-attr>

Attributes from a client-side certificate. Examples of certAttr attributes include:

  • C - country
  • CN - common name
  • description - description
  • e-mailAddress - e-mail address
  • GN - given name
  • initials - initials
  • L - locality name
  • O - organization
  • OU - organizational unit
  • SN - surname
  • serialNumber - serial number
  • ST - state or province
  • title - title
  • UI - unique identifier

Use this variable to check that the user’s client has a client-side certificate with the value(s) specified.

  • role mapping rules
  • resource policy rules
  • SSO parameter fields
  • LDAP configuration

certAttr.OU = 'Retail Products Group'

certAttr.altName.<Alt-attr>

Subject alternative name value from a client-side certificate, where <Alt-attr> may be:

  • Email
  • EmailId
  • EmailDomain
  • DNS
  • registeredId
  • ipAddress
  • UPN
  • UPNid
  • UPNDomain
  • fascn
  • fascnAC
  • fascnSC
  • fascnCN
  • fascnCS
  • fascnICI
  • fascnPI
  • fascnOC
  • fascnOI
  • fascnPOA
  • fascnLRC

  • role mapping rules
  • resource policy rules
  • SSO parameter fields
  • LDAP configuration

  • certAttr.altName.email = "joe@company.com"
  • certAttr.altName.ipAddress = 10.10.83.2

certAttr.serialNumber

Client certificate serial number.

Note that all characters other than [0-9 a-f A-F] are stripped out of a string before it is compared with certAttr.serialNumber, so a rule value may be written with or without colon or space separators. Wildcards are not supported.

  • role mapping rules
  • resource policy rules
  • SSO parameter fields
  • LDAP configuration

  • certAttr.serialNumber = userAttr.certSerial
  • certAttr.serialNumber = "6f:05:45:ab"
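The stripping rule stated above has consequences that are easy to get wrong, especially when the right-hand side comes from a directory attribute (certAttr.serialNumber = userAttr.certSerial). The Python below is an added illustration, not PCS code: it applies the same normalization (discard every character outside [0-9a-fA-F], fold case on the assumption that hex comparison is case-insensitive) and shows which spellings of one serial match and which silently do not. The function names and the sample serial are my own.

```python
import re

# Added example, not PCS code: mimic the comparison rule stated for
# certAttr.serialNumber. Everything outside [0-9a-fA-F] is discarded before
# the two sides are compared. Case folding is an assumption based on the rule
# listing both a-f and A-F as kept characters.
NON_HEX = re.compile(r"[^0-9a-fA-F]")


def normalize_serial(value: str) -> str:
    """Return the value as the rule would see it: hex digits only, lower case.

    Leading zero bytes survive: '00:a1:..' and 'a1:..' are different serials
    under this rule, so keep whichever spelling the issuing CA actually used.
    """
    return NON_HEX.sub("", value).lower()


def serial_matches(rule_value: str, presented_serial: str) -> bool:
    """Evaluate 'certAttr.serialNumber = rule_value' against a presented certificate."""
    return normalize_serial(rule_value) == normalize_serial(presented_serial)


def directory_serial_from_int(serial: int) -> str:
    """Hex spelling to store in a directory attribute such as userAttr.certSerial.

    A serial stored as a decimal integer string never matches: its decimal
    digits survive the stripping unchanged and are then compared as hex.
    """
    return format(serial, "x")


def demo() -> dict:
    """Constructed spellings of one serial (0x6f0545ab) and whether each matches."""
    cert = "6F:05:45:AB"  # colon-separated form as shown in a certificate dump
    return {
        "colon_form": serial_matches("6f:05:45:ab", cert),                 # True
        "space_form": serial_matches("6f 05 45 ab", cert),                 # True
        "bare_hex": serial_matches("6f0545ab", cert),                      # True
        # '0x' prefix: the 'x' is stripped but the leading '0' is kept -> no match
        "0x_prefix": serial_matches("0x6f0545ab", cert),                   # False
        # decimal integer string from a directory: digits kept, compared as hex
        "decimal_string": serial_matches(str(0x6F0545AB), cert),           # False
        # wildcard: '*' is stripped, leaving a shorter hex string -> no match
        "wildcard": serial_matches("6f:05:*", cert),                       # False
        # the fix for the directory case: store the hex spelling
        "directory_hex": serial_matches(directory_serial_from_int(0x6F0545AB), cert),  # True
    }
```

The practical checks this suggests: store certificate serials in the directory as plain hex (no 0x prefix, no decimal), and do not expect a partial serial with a wildcard to match anything.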

 

certDN

Client certificate subject DN. Wildcards are not permitted.

role mapping rules, resource policy rules

  • certDN = 'cn=John Harding,ou=eng,c=Company'
  • certDN = userDN (match the certificate subject DN with the LDAP user DN) 
  • certDN = userAttr.x509SubjectName
  • certDN = ('cn=John Harding,ou=eng,c=Company' or 'cn=Julia Yount,ou=eng,c=Company')

certDN.<subject-attr>

Any variable from the client certificate subject DN, where subject-attr is the name of the RDN key.

Use to test the various subject DN attributes in a standard x.509 certificate.

  • role mapping rules
  • resource policy rules
  • SSO parameter fields
  • LDAP configuration

  • certDN.OU = 'company'
  • certDN.E = 'joe@company.com'
  • certDN.ST = 'CA'

certDNText

Client certificate user DN stored as a string. Only string comparisons to this value are allowed.

  • role mapping rules
  • resource policy rules
  • SSO parameter fields

certDNText = 'cn=John Harding,ou=eng,c=Company'

certIssuerDN

Client certificate-issuer subject DN. This variable works like a standard DN attribute such as certDN. Wildcards are not permitted.

  • role mapping rules
  • resource policy rules
  • SSO parameter fields

  • certIssuerDN = 'cn=John Harding,ou=eng,c=Company'
  • certIssuerDN = userAttr.x509Issuer
  • certIssuerDN = ('ou=eng,c=Company' or 'ou=operations,c=Company')

certIssuerDN.<issuer-attr>

Any variable from the client certificate-issuer subject DN, where issuer-attr is the name of the RDN key.

  • role mapping rules
  • resource policy rules
  • SSO parameter fields

  • certIssuerDN.OU = 'company'
  • certIssuerDN.ST = 'CA'

 

certIssuerDNText

Client certificate-issuer subject DN stored as a string. Only string comparisons to this value are allowed.

  • role mapping rules
  • resource policy rules
  • SSO parameter fields

certIssuerDNText = 'cn=John Harding,ou=eng,c=Company'

defaultNTDomain

Contains the Domain value set in the authentication server configuration when you use AD/NT authentication.

  • role mapping rules
  • resource policy rules
  • SSO parameter fields

defaultNTDomain = 'CORP'

group.<group-name>

User's group membership as provided by the realm authentication or directory server. Only those groups evaluated for role mapping rules are available in the detailed rules (conditions) in the resource policies. We recommend that you use the groups variable instead of group.<group-name>, which is supported only for backwards compatibility.

NOTE: Group names containing spaces are not supported in this form (for example, group.sales managers does not work); use groups = ('sales managers') instead.

  • role mapping rules
  • resource policy rules

  • group.preferredPartner
  • group.goldPartner or group.silverPartner
  • group.employees and time.month = 9

groups

List of groups as provided by the realm authentication or directory server.

NOTE: You can enter any characters in the groupname, although wildcard characters are not supported.

  • role mapping rules
  • resource policy rules
  • SSO parameter fields

groups=('sales managers')

 

hostCheckerPolicy

Host Checker polices that the client has met.

  • role mapping rules
  • resource policy rules
  • SSO parameter fields

  • hostCheckerPolicy = ('Norton' and 'Sygate') and cacheCleanerStatus = 1
  • hostCheckerPolicy = ('Norton' and 'Sygate')

 

loginHost

Hostname or IP address that the browser uses to contact the Pulse Secure client service.

  • role mapping rules
  • resource policy rules
  • SSO parameter fields
  • LDAP configuration

loginHost = 10.10.10.10

 

loginTime

The time of day at which the user submits his credentials. The time is based on system time.

NOTE: When using this variable in an SSO parameter field, the variable returns the UNIX string time.

  • role mapping rules
  • resource policy rules
  • SSO parameter fields

  • loginTime = (8:00am)
  • loginTime = (Mon to Fri)

 

loginTime.day

The day of month on which the user submits his credentials, where day is 1-31. The time is based on the system time.

You cannot use the TO operator with this variable.

  • role mapping rules
  • resource policy rules

loginTime.day = 3

 

loginTime.dayOfWeek

The day of the week on which the user submits his credentials, where dayOfWeek is in the range [0-6] where 0 = Sunday.

The TO operator is not supported with loginTime.dayOfWeek expressions if you use numbers instead of day names. In other words, loginTime.dayOfWeek = (2 TO 6) does not work, but loginTime.dayOfWeek = (mon to fri) does.

  • role mapping rules
  • resource policy rules

  • loginTime.dayOfWeek = (0 OR 6)
  • loginTime.dayOfWeek = (mon TO fri)
  • loginTime.dayOfWeek = (1)
  • loginTime.dayOfWeek = 5
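The accepted forms for loginTime.dayOfWeek (a single number, a parenthesised OR list, and a TO range that works for day names only) are small enough to model exactly. The Python below is an added example, not PCS code: it parses the right-hand side of such a condition into the set of day numbers it accepts, rejects the numeric TO range the note above says does not work, and converts a login timestamp to the PCS day numbering (0 = Sunday), which differs from Python's weekday() (0 = Monday). Reversed ranges such as (fri TO mon) are refused because the page does not define wrap-around. Function names are my own.

```python
import re
from datetime import datetime

# Added example, not PCS code. Day numbering follows the page: 0 = Sunday.
DAY_NAMES = ["sun", "mon", "tue", "wed", "thu", "fri", "sat"]


def day_index(token: str) -> int:
    """'mon', 'Monday', 'MON' or '0'..'6' -> PCS day number (0 = Sunday)."""
    token = token.strip().strip("'\"").lower()
    if token.isdigit():
        value = int(token)
        if 0 <= value <= 6:
            return value
        raise ValueError(f"dayOfWeek out of range [0-6]: {token}")
    for index, name in enumerate(DAY_NAMES):
        if token.startswith(name):
            return index
    raise ValueError(f"not a day name: {token}")


def parse_day_of_week(rhs: str) -> set:
    """Accepts '5', '(1)', '(0 OR 6)', '(mon TO fri)'; rejects '(2 TO 6)'."""
    text = rhs.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1].strip()
    span = re.fullmatch(r"(\S+)\s+to\s+(\S+)", text, flags=re.IGNORECASE)
    if span:
        low, high = span.group(1), span.group(2)
        if low.strip("'\"").isdigit() or high.strip("'\"").isdigit():
            # the page: TO with numbers does not work, only with day names
            raise ValueError("TO is not supported with numeric dayOfWeek values; use day names")
        lo, hi = day_index(low), day_index(high)
        if lo > hi:
            # assumption: no wrap-around semantics are documented, so refuse (fri TO mon)
            raise ValueError("reversed range; TO is only defined low-to-high here")
        return set(range(lo, hi + 1))
    # remaining forms: a single value or an OR list of values
    return {day_index(part) for part in re.split(r"\s+or\s+", text, flags=re.IGNORECASE)}


def rejects(rhs: str) -> bool:
    """True if the condition is one the parser refuses (e.g. a numeric TO range)."""
    try:
        parse_day_of_week(rhs)
    except ValueError:
        return True
    return False


def pcs_day_of_week(when: datetime) -> int:
    """Python's weekday() counts Monday as 0; PCS counts Sunday as 0."""
    return (when.weekday() + 1) % 7


def login_allowed(rhs: str, when: datetime) -> bool:
    """loginTime.dayOfWeek = rhs, evaluated for a login submitted at 'when'."""
    return pcs_day_of_week(when) in parse_day_of_week(rhs)


def login_allowed_on(rhs: str, year: int, month: int, day: int) -> bool:
    """Convenience wrapper: same check for a calendar date (system local time)."""
    return login_allowed(rhs, datetime(year, month, day))
```

The weekday conversion is the part worth keeping in mind when reproducing a rule outside the appliance: a script that compares against Python's weekday() directly would shift every day by one.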

loginTime.dayOfYear

The numeric day of the year on which the user submits his credentials, where dayOfYear can be set to [0-365].

You cannot use the TO operator with this variable.

  • role mapping rules
  • resource policy rules

loginTime.dayOfYear = 100

 

loginTime.month

The month in which the user submits his credentials, where month can be set to [1-12] where

1 = January.

You cannot use the TO operator with this variable.

  • role mapping rules
  • resource policy rules

loginTime.month >= 4 AND loginTime.month <=9

 

loginTime.year

The year in which the user submits his credentials, where year can be set to [1900-2999].

You cannot use the TO operator with this variable.

  • role mapping rules
  • resource policy rules

loginTime.year = 2005

 

loginURL

URL of the page that the user accessed to sign in. The system gets this value from the Administrator URLs|User URLs column on the Authentication > Signing In > Sign-in Policies page of the admin console.

  • role mapping rules
  • resource policy rules
  • SSO parameter fields
  • LDAP configuration

loginURL = */admin

 

networkIf

The network interface on which the user request is received. Possible values: internal, external

  • role mapping rules
  • resource policy rules
  • SSO parameter fields

sourceIP = 192.168.1.0/24 and networkIf = internal

ntdomain

The NetBIOS NT domain used in NT4 and Active Directory authentication.

  • role mapping rules
  • SSO parameter fields

ntdomain = jnpr

 

ntuser

The NT username used in Active Directory authentication

  • role mapping rules
  • SSO parameter fields

ntuser = jdoe

password

password[1]

password[2]

The password entered by the user for the primary authentication server (password and password[1]) or the secondary authentication server (password[2]).

  • role mapping rules
  • resource policy rules
  • SSO parameter fields

password = A1defo2z

 

realm

The name of the authentication realm to which the user is signed in.

  • role mapping rules
  • resource policy rules
  • SSO parameter fields

realm = ('GoldPartners' or 'SilverPartners')

NOTE: An AND condition on realm (for example, realm = ('GoldPartners' and 'SilverPartners')) always fails, because a user can be signed in to only one realm in a session.

role

List of all the user roles for the session.

In SSO, if you want to send all the roles to back-end applications, use <role sep=";">, where sep is the separator string placed between multiple values. The system supports all separators except " and >.

  • resource policy rules
  • SSO parameter fields

  • role = ('sales' or 'engineering')
  • role = ('Sales' AND 'Support')

 

sourceIP

The IP address of the machine on which the user authenticates. You can specify the netmask using the bit number (for example, /24) or in dotted netmask format (for example, /255.255.0.0). Note that you can evaluate the sourceIP expression against a string variable such as an LDAP attribute.

  • role mapping rules
  • resource policy rules
  • SSO parameter fields

  • sourceIP = 192.168.10.20
  • sourceIP = 192.168.1.0/24 and networkIf = internal
  • userAttr.dept = ('eng' or 'it') and sourceIP = 10.11.0.0/16
  • sourceIP = 192.168.10.0/24 (Class C), which is the same as sourceIP = 192.168.10.0/255.255.255.0
  • sourceIP = userAttr.sourceip
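The sourceIP row allows three spellings of the same condition (a single host, a prefix length, a dotted netmask) and lets the right-hand side come from a string attribute. The Python below is an added example, not PCS code: it evaluates each form with the standard library's ipaddress module, checks the Class C equivalence the row states, and models the userAttr.sourceip case, including the failure mode where the attribute is missing or does not hold an address. The session and user_attrs dictionaries, and their keys, are constructed stand-ins for what the appliance knows about a login.

```python
import ipaddress

# Added example, not PCS code. Evaluates the sourceIP value forms listed on the
# page. 'session' and 'user_attrs' are constructed stand-ins; their keys are mine.


def parse_source_ip_value(value: str) -> ipaddress.IPv4Network:
    """'192.168.10.20', '192.168.10.0/24' and '192.168.10.0/255.255.255.0' all
    parse to an IPv4Network (a bare host becomes a /32). strict=False tolerates
    host bits set in the network part, e.g. an attribute holding '10.11.5.7/16'."""
    return ipaddress.ip_network(value.strip(), strict=False)


def source_ip_matches(rule_value: str, client_ip: str) -> bool:
    """sourceIP = rule_value, evaluated for the address the user authenticated from."""
    return ipaddress.ip_address(client_ip) in parse_source_ip_value(rule_value)


def resolve(rule_value: str, user_attrs: dict) -> str:
    """Allow the right-hand side to be a userAttr.<name> reference, as in
    'sourceIP = userAttr.sourceip'. A missing attribute yields '' (no match)."""
    if rule_value.startswith("userAttr."):
        return user_attrs.get(rule_value[len("userAttr."):], "")
    return rule_value


def internal_subnet_rule(session: dict, user_attrs: dict) -> bool:
    """sourceIP = 192.168.1.0/24 and networkIf = internal"""
    return (source_ip_matches("192.168.1.0/24", session["sourceIP"])
            and session["networkIf"] == "internal")


def attribute_rule(session: dict, user_attrs: dict) -> bool:
    """sourceIP = userAttr.sourceip

    Fails closed: an absent attribute, or one holding something that is not an
    address or prefix, evaluates to False rather than raising.
    """
    value = resolve("userAttr.sourceip", user_attrs)
    if not value:
        return False
    try:
        return source_ip_matches(value, session["sourceIP"])
    except ValueError:
        return False


def class_c_forms_agree() -> bool:
    """The two spellings the page calls equivalent parse to the same network."""
    return (parse_source_ip_value("192.168.10.0/24")
            == parse_source_ip_value("192.168.10.0/255.255.255.0"))
```

One caveat a practitioner would add: sourceIP is the address as seen by the appliance. Behind NAT or a forward proxy many users share one address, so a sourceIP test alone says nothing about who the user is; pair it with networkIf and an identity attribute as the page's examples do.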

time

The time of day at which the role mapping rule or resource policy rule is evaluated. The time of day can be in 12-hour or 24-hour format.

  • role mapping rules
  • resource policy rules

  • time = (9:00am to 5:00pm)
  • time = (09:00 to 17:00)
  • time = (Mon to Fri)

 

 


time.day

The day of the month on which the role mapping rule or resource policy rule is evaluated, where day is 1-31. The time is based on the system time.

  • role mapping rules
  • resource policy rules

time.day = 3

 

time.dayOfWeek

The day of the week on which the role mapping rule or resource policy rule is evaluated, where dayOfWeek is in the range [0-6] where 0 = Sunday.

  • role mapping rules
  • resource policy rules

  • time.dayOfWeek = (0 OR 6)
  • time.dayOfWeek = (1 to 5)
  • time.dayOfWeek = 5

time.dayOfYear

The day of the year on which the role mapping rule or resource policy rule is evaluated. Possible values include: 1-365.

  • role mapping rules
  • resource policy rules

time.dayOfYear = 100

 

time.month

The month in which the role mapping rule or resource policy rule is evaluated. Possible values include: 1-12

  • role mapping rules
  • resource policy rules
  • time.month >= 9 and time.month <= 12 and time.year = 2004
  • group.employees and time.month = 9

time.year

The year in which the role mapping rule or resource policy rule is evaluated, where year can be set to [1900-2999].

  • role mapping rules
  • resource policy rules

time.year = 2005

 

user

user@primary_auth_server_name

user@secondary_auth_server_name

Username for the user's primary authentication server (user and user@primary_auth_server_name) or secondary authentication server (user@secondary_auth_server_name). When authenticating against an Active Directory server, this holds the domain and username.

primary_auth_server_name is the name of the primary auth server. If there are spaces or special characters in the name, enclose it in curly brackets, for example user@{My Primary Auth Server}.

secondary_auth_server_name is the name of the secondary auth server. If there are spaces or special characters in the name, enclose it in curly brackets, for example user@{My Secondary Auth Server}.

NOTE: When including a domain as part of a username, you must include two backslashes between the domain and the user. For example: user = 'yourcompany.net\\joeuser'.

  • role mapping rules
  • resource policy rules
  • SSO parameter fields

  • user = 'steve'
  • user = 'domain\\steve'

 

username

username@primary_auth_server_name

username@secondary_auth_server_name

System username for the user's primary authentication server (username and username@primary_auth_server_name) or secondary authentication server (username@secondary_auth_server_name). If the user is signing in to a certificate authentication server, then the system username is the same as certDN.cn.

primary_auth_server_name is the name of the primary auth server. If there are spaces or special characters in the name, enclose it in curly brackets, for example username@{My Primary Auth Server}.

secondary_auth_server_name is the name of the secondary auth server. If there are spaces or special characters in the name, enclose it in curly brackets, for example username@{My Secondary Auth Server}.

  • role mapping rules
  • resource policy rules
  • SSO parameter fields

  • username = 'steve' and time = mon
  • username = 'steve'
  • username = 'steve*'
  • username = ('steve' or '*jankowski')

 

userAgent

The browser’s user agent string.

  • role mapping rules
  • resource policy rules
  • SSO parameter fields


 

userAttr.<auth-attr>

User attributes retrieved from an LDAP, RADIUS, or SiteMinder authentication or directory server.

  • role mapping rules
  • resource policy rules
  • SSO parameter fields

  • userAttr.building = ('HQ*' or 'MtView[1-3]')
  • userAttr.dept = ('sales' and 'eng')
  • userAttr.dept = ('eng' or 'it' or 'custsupport')
  • userAttr.division = 'sales'
  • userAttr.employeeType != 'contractor'
  • userAttr.salaryGrade > 10
  • userAttr.salesConfirmed >= userAttr.salesQuota

Negative examples: 

  • userAttr.company != "Acme Inc" or not group.contractors
  • not (user = 'guest' or group.demo)

 

Combination examples: 

Allow executive managers and their assistants access from Monday to Friday: 

 

userAttr.employeeType = ('*manager*' or '*assistant*') and

group.executiveStaff and

time = (Mon to Fri)

 

Allow all partners with active status from Monday to Friday but preferred partners Monday through Saturday: 

 

((group.partners and time = (Mon to Fri)) or

(group.preferredPartners and time = (Mon to Sat))) and

userAttr.partnerStatus = 'active'

userDN

The user DN from an LDAP server (not applicable to Active Directory auth server with ldap group lookup). If the user is authenticated by the LDAP server, then this DN is from the authentication server; otherwise, the DN comes from the realm's Directory/Attribute server.

  • role mapping rules
  • resource policy rules

  • userDN = 'cn=John Harding,ou=eng,c=Company'
  • userDN = certDN

 

userDN.<user-attr>

Any variable from the user DN, where user-attr is the name of the RDN key.

  • role mapping rules
  • resource policy rules
  • SSO parameter fields


 

userDNText

User DN stored as a string. Only string comparisons to this value are allowed.

  • role mapping rules
  • resource policy rules
  • SSO parameter fields

userDNText = 'cn=John Harding,ou=eng,c=Company'

 

Created By: Karen Mayberry
