Constructed attributes, which are attributes being computed (constructed) by Active Roles by parsing "complex" attributes and retrieving appropriate values in a human readable format.
Most of the constructed attributes have the 'edsa-' prefix. Example of such attributes include edsaPasswordNeverExpires and edsaAccountIsDisabled, which have a value which is computed from the userAccountControl attribute.
Use the bitwise operators on the native LDAP attributes in LDAP queries, Dynamic Group Membership Rules, Managed Unit Membership Rules, Workflow Start Conditions, and the Search activity within a Workflow.
This native LDAP query returns all disabled accounts of all types:
1.2.840.1135126.96.36.1993 is called a "Matching Rule OID" and this particular one is named LDAP_MATCHING_RULE_BIT_AND
When using this OID, a match is found only if all bits from the attribute match the value. This rule is equivalent to a bitwise AND operator.
When working with the userAccountControl attribute, Active Roles will offer the option to use Bitwise AND and Bitwise OR operators. So, to return all disabled accounts of all types, search for this query within Active Roles Advanced Find, Workflow filters, and/or Workflow Search Activities:
userAccountControl Bitwise AND 2
For more information on bitwise operators, see this Microsoft resource.
Use an If/Else branch in a Workflow