If you use an LDAP attribute as the condition for a Role policy or an Authorization policy and your users are not being assigned the role or are denied access to a resource, the most likely cause of the problem is the LDAP attribute name used in the policy. Some administration tools for the LDAP user stores display a UI name or an eDirectory™ name rather than the LDAP attribute name. Access Manager policies require the LDAP attribute name.
Use the following steps to identity whether the Access Manager policy has been configured for the LDAP attribute name, a UI name, or an eDirectory name:
Use an LDAP browser to view one of your users in your LDAP user store.
You can download a Java-based tool from the Internet.
Verify the LDAP name of the attribute and that the user has the expected value.
In Administration Console Dashboard, click Policies > Policies > [Name of Policy] > Rule Number.
View the attribute name and value for the LDAP Attribute condition.
Verify the following:
The name of the attribute should match the name as displayed in the LDAP browser. The attribute name is not case sensitive, but it should not contain any spaces. If you need to modify the attribute used by the policy, click the attribute name, then select an attribute from the list or select New LDAP Attribute to add one.
The value can be case sensitive, depending upon how you have configured the Mode for the policy. If you have selected case sensitive for the Mode, ensure that the case in the policy matches the case in the LDAP user store.
If the attribute is multi-valued and your users typically have multiple values, select Substring as the Comparison type.
If these steps have not solved the problem, see Result on Condition Error Value.