Condition Evaluation Result

A CO trace has the following fields:

~<ConditionID>~<LHSOperand>~<Operator>~<RHSOperand>~<NOT>~<Result>[~<ResultOnError>]

A CO trace looks similar to the following:

~~CO~1~LdapGroup(6645):no-param:hidden-value:~ldap-group-is-member-of~SelectedLdapGroup(66455):hidden-param:hidden-value:~~~True(69)

Table 33-7 describes the fields in a Condition trace.

Table 33-7 Fields in a Condition Trace

Element

Description

<ConditionID>

The identifier assigned to the conditions in the condition group. The first condition is assigned 1.

In the sample CO trace, this is 1.

<LHSOperand>

The enumerative value and parameter list of the left operand. It is the first value specified for the comparison and has the following format:

<Condition Name(Data ID)>:<Parameter>:<Value>

The Condition Name is the string assigned to the condition type specified in the policy. The Data ID is a numerical value assigned to the condition type.

<Parameter> contains one of the following strings:

  • no-param when no parameters are specified for the operand, followed by a colon, followed by one of the following: the value itself, no-value when there is no value, or hidden-value when the value contains sensitive information.

  • hidden-param followed by a colon, and then hidden-value. This string is used when both the parameter and its value contain sensitive information.

In the sample CO trace, this is LdapGroup(6645):no-param:hidden-value. LdapGroup is the string for the LDAP Group condition. The policy specified [Current], so no parameters were specified. The groups that the user belongs to are considered sensitive data, so the log file displays hidden-value for the names of the groups.

<Operator>

The display name of the comparison operator.

In the sample CO trace, this is ldap-group-is-member-of. In the policy, this is displayed as LDAP Group: Is Member of.

<RHSOperand>

The enumerative value and parameter list of the right operand. It is the second value specified for the comparison and has the same format as the <LHSOperand>.

In the sample CO trace, this is SelectedLdapGroup(66455):hidden-param:hidden-value. The actual policy specifies LDAP Group as the parameter, and the value is the DN of the group.

<NOT>

The string NOT if the result was negated prior to reporting; otherwise the field has no value. This is the If Not option when creating a condition.

In the sample CO trace, this condition result was not negated, so the field is empty and only its tilde separator appears.

<Result>

A string followed by a number that specifies the result of the comparison. See Policy Result Values.

In the sample CO trace, this is True(69), indicating that the condition evaluated to True: the user is a member of the specified LDAP group.

<ResultOnError>

A string describing the error that occurred. This is an optional field that only appears when the condition evaluation results in an error.

The sample CO trace did not result in an error, so it has no string.
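To make the field layout concrete, the following is an added Python parser for CO traces; it is an example written for this page, not code from the original documentation or from the product. It follows the format line and the sample trace above, and because the sample carries one more empty separator between <NOT> and <Result> than the format line lists, it drops empty fields at that position so that both shapes parse.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Operand format from the table: <Condition Name(Data ID)>:<Parameter>:<Value>
# (the sample trace shows a trailing colon after the value, so it is optional).
OPERAND_RE = re.compile(r"^([^(:]+)\((\d+)\):([^:]*):([^:]*):?$")
RESULT_RE = re.compile(r"^([A-Za-z]+)\((\d+)\)$")  # <Result>, e.g. True(69)

@dataclass
class Operand:
    condition_name: str
    data_id: int
    parameter: str  # "no-param", "hidden-param", or the parameter itself
    value: str      # the value, "no-value", or "hidden-value"

@dataclass
class ConditionTrace:
    condition_id: int
    lhs: Operand
    operator: str
    rhs: Operand
    negated: bool
    result: str
    result_code: int
    result_on_error: Optional[str]

def parse_operand(text: str) -> Operand:
    m = OPERAND_RE.match(text)
    if not m:
        raise ValueError(f"malformed operand: {text!r}")
    return Operand(m[1], int(m[2]), m[3], m[4])

def parse_co_trace(line: str) -> ConditionTrace:
    fields = line.strip().split("~")
    # Every CO trace begins "~~CO~", so the first three fields are "", "", "CO".
    if fields[:3] != ["", "", "CO"] or len(fields) < 9:
        raise ValueError(f"not a CO trace: {line!r}")
    cond_id, lhs, operator, rhs, negation = fields[3:8]
    # The sample has an extra empty field between <NOT> and <Result>; dropping empties accepts both shapes.
    tail = [f for f in fields[8:] if f]
    m = RESULT_RE.match(tail[0]) if tail else None
    if not m:
        raise ValueError(f"missing or malformed <Result>: {line!r}")
    return ConditionTrace(int(cond_id), parse_operand(lhs), operator,
                          parse_operand(rhs), negation == "NOT",
                          m[1], int(m[2]), tail[1] if len(tail) > 1 else None)

# The sample CO trace from the page, as one string.
SAMPLE = ("~~CO~1~LdapGroup(6645):no-param:hidden-value:~ldap-group-is-member-of"
          "~SelectedLdapGroup(66455):hidden-param:hidden-value:~~~True(69)")
```

Checking `parameter == "hidden-param"` or `value == "hidden-value"` on each operand tells you which parts of a condition the log redacted, which matters when correlating traces against directory data.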