PSLang Expressions
PSLang is a scripting language with a syntax much like C, but with a large set of built-in functions.
You can use PSLang expressions in Bravura Security Fabric to define:
account attribute values (other than boolean types)
The format of profile IDs
User classes
Managed system policy memberships and managed accounts
PSLang expressions let you use the value of a profile attribute indirectly. That is, you can modify them, add them to another fixed value, or combine them with another profile attribute.
For more details about the language, refer to the PSLang Reference Manual (pslang.pdf).
Syntax
An expression is some sequence of operations that yields a result. A literal value, a variable, or a function by themselves can be an expression. The following are valid expressions:
5 "3" myfunction( 1 ) 5+3 5 + "3" "5" + "3" "5" + myfunction( innerfunction() - 6 ) $x + $y + $z
A PSLang expression can include a sequence of variable declarations (including initializers) and function calls. The final statement must be an expression; its value is taken as the overall result.
Here is a sequence of statements:
var $a = "hello"; var $b = ", world"; var $c = strlen( $a ); $a + $b + " - length: " + $c
This is acceptable as a PSLang expression because the last statement is itself a normal expression. The result here would be: hello, world - length: 5.
In the Bravura Security Fabric GUI, the same sequence of statements would be written on one line:
var $a = "hello"; var $b = ", world"; var $c = strlen( $a); $a + $b + " - length:" + $c
Types of expressions
PSLang supports the following types of expressions:
Operation | Description |
|---|---|
< string literal > | string literal |
< integer literal > | integer literal |
- < integer literal > | negate an integer |
< floating-point literal > | floating-point literal |
- < floating-point literal > | negate a floating-point literal |
$var | the value of the variable |
$var[expr] | string and array indexing |
(expr) | for clarity or to change order of evaluation |
expr + expr | addition or string concatenation |
expr - expr | subtraction |
expr * expr | multiplication |
expr ∕ expr | division |
expr % expr | modulus |
expr isin expr | is left a substring of right? |
expr == expr | equality |
expr ! = expr | inequality |
expr ≤ expr | left is less than or equal to right? |
expr < expr | left is less than right? |
expr ≥ expr | left is greater than or equal to right? |
expr > expr | left is greater than right? |
~expr | bitwise negation |
expr & expr | bitwise and |
expr — expr | bitwise or |
expr && expr | logical and |
expr—— expr | logical or |
$var++ | post increment operator |
$var– | post decrement operator |
! expr | logical negation |
func(...) | function call |
iif( test , true _ part , false _ part) | ternary operator |
A boolean expression yields an integer result, where zero is interpreted as false , and any value other than zero is interpreted as true .
Bitwise operators (~, &, —) must not be confused with logical operators ( ! , &&, ——). Although PSLang does not support “^”, the bitwise exclusive or operator (xor), you can achieve the same results using: (A & ~B ) | ( ~A & B ).
The PSLang + operator can be used with numerical values, or to append string values. In an expression such as x+y, where x is a string and y is a number, y is converted to a string and appended to x.
The ternary operator works the same way as the C++ ternary operator ( ?: ). The test expression is evaluated, and if the result is non-zero, the true _ part expression is evaluated and returned. Otherwise, the false _ part expression is evaluated and returned.
Order of evaluation
The order of evaluation proceeds according to the precedence of the operators in the expression. The following table lists the precedence of the operators, with the highest priority at the top of the list.
Precedence Level | Operators |
|---|---|
1 | [ ] |
2 | ! ~ |
3 | * ∕ % |
4 | + - |
5 | isin |
6 | ≤ ≥ < > |
7 | == ! = |
8 | & |
9 | | |
10 | && |
11 | || |
12 | parentheses |
Evaluation of the expression moves left to right and stops at the earliest possible pass/fail decision; unnecessary conditions are not evaluated.
PSLang auto-completion
The user interface can be configured to offer auto-completion of variable or function calls when writing PSLang expressions. Enabling auto-complete provides quick access to help and formatting information.
Only the PSLang functions in the string, time, and misc sections are available for auto-completion.
The auto-complete drop-down list appears as you type a valid expression into a PSLang text area. Only variables, functions and completion options that match your typing are displayed. For detailed information, click the ? link to the right of each listed item.
To see the complete drop-down list of all available options:
Click in an empty PSLang text field.
Press the ↓ key at a word break while typing an expression in a PSLang text area.
Press the ↓ key mid-word while typing an expression that does not match any of the available expressions.
Navigation through the list can be done with the mouse, or using the ↑ and ↓ keys. Selections can be made using the Enter or Tab keys. The Esc key closes the menu.
The PSLang auto-completion functionality can be disabled or enabled by clicking disable auto-completion or enable auto-completion beneath any PSLang text area.
The default settings for the PSLang auto-complete functionality are controlled by the config.js script, located in the \<instance>\design\src\js\ directory. In this script, the AutoCompletePslang group has the following options:
Option | Description |
|---|---|
enabled | Controls whether the script is available to users.The default value is true. |
initiallyOff | Controls whether PSLang auto-completion is enabled when a page loads. The default value is false. If set to true, then PSLang auto-completion is off by default when a page loads.. |
Default expressions
This section illustrates the use of PSLang expressions by explaining expressions used by default by Bravura Security Fabric .
Each of these expressions use an iif() function, which takes 3 parameters – iif(boolean expression, "true-part", "false-part" )
It evaluates the boolean expression, and when it’s true, it returns the true-part. Otherwise, it returns the false-part.
In PSLang, a variable is prefixed by $. The variables discussed in this chapter represent a string of characters, or an array of strings.
The characters [n] are placed after variable names to index the n th character in a string, or the n th value in an array, starting from 0. This is used with profile attributes, which can have multiple values. The first of an array of values is represented by $ATTRIBUTE[0], the second by $ATTRIBUTE[1], and so on.
All built-in attributes must be expressed as an array. That is – $FIRST_NAME[0] , $OTHER_NAME[0], $LAST_NAME[0].
IDSYNCH ID PLUGIN MASK
The default function for the IDSYNCH ID PLUGIN MASK is:
iif( (size($LAST_NAME) > 0 && size($FIRST_NAME) > 0), substr($LAST_NAME[0], 0, 5) + substr($FIRST_NAME[0], 0, 1), "" )
First, the boolean expression ensures that there are values for $FIRST_NAME and $LAST_NAME . If check is successful, then it takes the 0-5 characters (first 6) of LAST_NAME and the 0-1 characters (first 2) of FIRST_NAME and put them together to form a user’s profile ID.
If the safety check fails, then it returns an empty string.
FULLNAME
This is used for the value of many target attributes (e.g., displayName on Active Directory):
iif( size($OTHER_NAME) > 0, $FIRST_NAME[0] + " " + $OTHER_NAME[0] + " " + $LAST_NAME[0], $FIRST_NAME[0] + " " + $LAST_NAME[0] )
This first checks whether $OTHER_NAME has any values. If it does, then it composes a string such as “John Angus Doe”. If $OTHER_NAME does not have any values (the user has no middle name) then it composes a string such as “Bill Smith”.
MIDDLE INITIAL
This PSLang expression, also used for the value of target attributes (e.g., initials on Active Directory), contains more than one statement:
var $other = iif( size($OTHER_NAME) > 0, $OTHER_NAME[0], "" ); $other[0];
This retrieves the first character of a user’s “other name”. The $OTHER_NAME variable is an array of strings. Like other profile attributes it could be defined to accept more than one value. So, the expression assigns the first element of $OTHER_NAME (assuming it exists, otherwise it returns a blank string) to $other. Since the variable $other is just a string, and not an array, the expression $other[0] gets just the first character of the “other name”.