Constructed attributes are attributes being computed (constructed) by Active Roles by parsing "complex" attributes and retrieving appropriate values in a human-readable format.
Most of the constructed attributes have the 'edsa-' prefix. Examples of such attributes include edsaPasswordNeverExpires and edsaAccountIsDisabled, which have a value that is computed from the userAccountControl attribute.
WORKAROUND 1
Use the bitwise operators on the native LDAP attributes in LDAP queries, Dynamic Group Membership Rules, Managed Unit Membership Rules, Workflow Start Conditions, and the Search activity within a Workflow.
For example:
This native LDAP query returns all disabled accounts of all types:
(userAccountControl:1.2.840.113556.1.4.803:=2)
1.2.840.113556.1.4.803 is called a "Matching Rule OID" and this particular one is named LDAP_MATCHING_RULE_BIT_AND
When using this OID, a match is found only if all bits from the attribute match the value. This rule is equivalent to a bitwise AND operator.
When working with the userAccountControl attribute, Active Roles will offer the option to use Bitwise AND and Bitwise OR operators. So, to return all disabled accounts of all types, search for this query within Active Roles Advanced Find, Workflow filters, and/or Workflow Search Activities:
userAccountControl Bitwise AND 2
For more information on bitwise operators, see this Microsoft resource.
WORKAROUND 2
Use an If/Else branch in a Workflow
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center