2.5.1.2.2 @Prefixed Attribute Name Form
The @Prefixed Attribute name form allows an attribute name to identify an attribute as being of type "User", "Device" or "Resource" and MUST follow the pattern:
- @<attribute type>.<attribute name>
During policy evaluation, an attribute name in @Prefixed form references a user or device claim or resource attribute according to the following:
| "@" prefix | Policy evaluation reference |
|---|---|
| @User. | Claim of same name in UserClaims[] array of token/authorization context (section 2.5.2) |
| @Device. | Claim of same name in DeviceClaims[] array of token/authorization context (section 2.5.2) |
| @Resource. | Resource attribute of the same name encoded in the System Access Control List of the evaluated security descriptor as a SYSTEM_RESOURCE_ATTRIBUTE_ACE (section 2.4.4.15) |
An attribute name in @Prefixed form is case-insensitive and valid characters include all ANSI and Unicode characters of the range 0x0-0xFFFF. See attr-char2 in section 2.5.1.1 for encoding requirements.
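A small parser and resolver for this name form, added here as an illustration and not taken from the specification. `parse_prefixed`, `resolve`, the dictionary-shaped context and its `ResourceAttributes` key are hypothetical; the name is assumed to be already decoded per attr-char2, and case-insensitive comparison is approximated with Python's `casefold()`.

```python
from typing import NamedTuple, Optional

# Prefix -> lookup source named in the table above (context keys are hypothetical).
SOURCES = {
    "user": "UserClaims",              # UserClaims[] of the token/authorization context
    "device": "DeviceClaims",          # DeviceClaims[] of the token/authorization context
    "resource": "ResourceAttributes",  # SYSTEM_RESOURCE_ATTRIBUTE_ACE entries in the SACL
}

class PrefixedName(NamedTuple):
    source: str  # key into the evaluation context
    name: str    # case-folded attribute name

def parse_prefixed(text: str) -> PrefixedName:
    """Split '@<attribute type>.<attribute name>' and validate both parts."""
    if not text.startswith("@"):
        raise ValueError("not in @Prefixed form")
    attr_type, dot, attr_name = text[1:].partition(".")
    if not dot:
        raise ValueError("missing '.' between attribute type and name")
    if attr_type.casefold() not in SOURCES:
        raise ValueError(f"unknown attribute type: {attr_type!r}")
    # Assumption: an empty name is rejected (the page does not say either way).
    if not attr_name:
        raise ValueError("empty attribute name")
    # The page limits valid characters to the range 0x0-0xFFFF.
    if any(ord(ch) > 0xFFFF for ch in attr_name):
        raise ValueError("character outside 0x0-0xFFFF")
    return PrefixedName(SOURCES[attr_type.casefold()], attr_name.casefold())

def resolve(text: str, context: dict) -> Optional[object]:
    """Return the referenced value, or None when the claim/attribute is absent."""
    ref = parse_prefixed(text)
    # Look only in the source selected by the prefix; a same-named claim
    # held by a different source must never satisfy the reference.
    folded = {k.casefold(): v for k, v in context.get(ref.source, {}).items()}
    return folded.get(ref.name)

# Constructed sample context, not real token data.
SAMPLE_CONTEXT = {
    "UserClaims": {"Department": "Finance", "Clearance": 3},
    "DeviceClaims": {"Managed": True},
    "ResourceAttributes": {"Project": "Atlas"},
}
```

The prefix keeps the three namespaces separate: with the sample context, `@Device.Department` resolves to nothing even though the user holds a `Department` claim.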