These properties include the following.

Property Description

request-criteria

An optional reference to a request criteria object that must match the operation for this criteria to match.

result-code-criteria

Specifies the criteria that the operation’s result code must match for this criteria to match. Allowed values include:

all-result-codes
Any result code can match. This is the default behavior.
non-failure-result-codes
Only operations with non-failure result codes (success, compareFalse, compareTrue, referral, saslBindInProgress, and noOperation) can match this criteria.
failure-result-codes
Only operations with failure result codes (all result codes other than the non-failure result codes) can match this criteria.
selected-result-codes
Only operations with one of the result codes listed in the result-code-value property can match this criteria.

result-code-value

The set of result codes that an operation might have to match this criteria. This is only used if the result-code-criteria property has a value of selected-result-codes. Values can include any result code that the PingDirectory Server can use.

processing-time-criteria

Specifies the criteria that the operation’s processing time must satisfy for this criteria to match. Allowed values include:

less-than-or-equal-to
Indicates that only operations with a processing time that is less than or equal to the value of the processing-time-value property can match this criteria.
greater-than-or-equal-to
Indicates that only operations with a processing time that is greater than or equal to the value of the processing-time-value property can match this criteria.
any
Indicates that operations with any processing time can match this criteria. This is the default value for this property.

processing-time-value

The duration to use in conjunction with the processing-time-criteria property. This property is ignored if the processing-time-criteria property has a value of any.

queue-time-criteria

Specifies the criteria that the operation’s queue time (the time that it spent waiting in the work queue before it was picked up by a worker thread) must satisfy for this criteria to match. Allowed values include:

less-than-or-equal-to
Indicates that only operations with a processing time that is less than or equal to the value of the processing-time-value property can match this criteria.
greater-than-or-equal-to
Indicates that only operations with a processing time that is greater than or equal to the value of the processing-time-value property can match this criteria.
any
Indicates that operations with any processing time can match this criteria. This is the default value for this property.

queue-time-value

The duration to use in conjunction with the queue-time-criteria property. This property is ignored if the queue-time-criteria property has a value of any.

referral-returned

Indicates whether this criteria should match operations that included one or more referral URLs. Allowed values include:

required
Indicates that this criteria only matches operations that include one or more referral URLs.
prohibited
Indicates that this criteria does not match operations that include any referral URLs.
optional
Indicates that this criteria can match operations regardless of whether they contain referral URLs. This is the default value for this property.

all-included-response-control

An optional set of the OIDs of controls that might be included in responses that can match this criteria. If multiple OIDs are specified, then the operation must include all of those response controls.

any-included-response-control

An optional set of the OIDs of controls that might be included in responses that can match this criteria. If multiple OIDs are specified, then the operation must include at least one of those response controls.

not-all-included-response-control

An optional set of the OIDs of controls that should not be included in responses that may match this criteria. If multiple OIDs are specified, then the operation can optionally include one or more of those controls as long as it does not include all of them.

none-included-response-control

An optional set of the OIDs of controls that should not be included in responses that can match this criteria. If multiple OIDs are specified, then the operation must not include any of those response controls.

used-alternate-authzid

Indicates whether this criteria should match operations that used an authorization identity that is different from the authentication identity (for example, as a result of the proxied authorization request control). Allowed values include:

required
Indicates that this criteria only matches operations that include one or more referral URLs.
prohibited
Indicates that this criteria does not match operations that include any referral URLs.
optional
Indicates that this criteria can match operations regardless of whether they contain referral URLs. This is the default value for this property.

used-any-privilege

Indicates whether this criteria should match operations in which the requester used one or more privileges.

required
Indicates that this criteria only matches operations in which the requester used one or more privileges.
prohibited
Indicates that this criteria only matches operations in which the requester did not use any privileges.
optional
Indicates that this criteria can match operations regardless of whether the requester used any privileges.

used-privilege

An optional set of the privileges that the requester might have used for this criteria to match the operation. If multiple privileges are specified, then the requester must have used at least one of those privileges.

missing-any-privilege

Indicates whether this criteria should match operations in which the requester was missing one or more required privileges.

required
Indicates that this criteria only matches operations in which the requester was missing one or more privileges.
prohibited
Indicates that this criteria only matches operations in which the requester was not missing any privileges.
optional
Indicates that this criteria can match operations regardless of whether the requester was missing any required privileges.

missing-privilege

An optional set of the privileges that were required for the associated operation that the requester must have been missing for this criteria to match. If multiple privileges are specified, then the requester must have been missing at least one of those privileges.

retired-password-used-for-bind

Indicates whether this criteria should match bind operations based on whether the client authenticated with a retired password. This property is ignored for all operations other than bind. Allowed values include:

retired-password-used
Indicates that this criteria only matches bind operations in which the user authenticated with a retired password.
retired-password-not-used
Indicates that this criteria only matches bind operations in which the user did not authenticate with a retired password.
any
Indicates that this criteria can match bind operations regardless of whether the user authenticated with a retired password. This is the default value for the property.

search-entry-returned-criteria

Specifies the criteria for the number of entries returned in response to a search operation that operations matching this criteria should use. This property is ignored for all operations other than search. Allowed values include:

equal-to
Indicates that this criteria only matches search operations in which the number of entries returned matches the value of the search-entry-returned-count property.
not-equal-to
Indicates that this criteria only matches search operations in which the number of entries returned does not match the value of the search-entry-returned-count property.
greater-than-or-equal-to
Indicates that this criteria only matches search operations in which the number of entries returned is greater than or equal to the value of the search-entry-returned-count property.
less-than-or-equal-to
Indicates that this criteria only matches search operations in which the number of entries returned is less than or equal to the value of the search-entry-returned-count property.
any
Indicates that this criteria can match search operations regardless of the number of entries that were returned. This is the default value for the property.

included-authz-user-base-dn

An optional set of base DNs below which the operation’s authorization identity might exist for the criteria to match.

excluded-authz-user-base-dn

An optional set of base DNs below which the operation’s authorization identity must not exist for the criteria to match.

all-included-authz-user-group-dn

An optional set of the DNs of groups in which the operation’s authorization identity must be a member for this criteria to match. If multiple group DNs are specified, then the user must be a member of all of those groups.

any-included-authz-user-group-dn

An optional set of the DNs of groups in which the operation’s authorization identity must be a member for this criteria to match. If multiple group DNs are specified, then the user must be a member of at least one of those groups.

not-all-included-authz-user-group-dn

An optional set of the DNs of groups in which the operation’s authorization identity should not be a member for this criteria to match. If multiple group DNs are specified, then the user can optionally be a member of one or more of those groups as long as it is not a member of all of them.

none-included-authz-user-group-dn

An optional set of the DNs of groups in which the operation’s authorization identity should not be a member for this criteria to match. If multiple group DNs are specified, then the user must not be a member of any of them.

The default settings for the simple result criteria matches any operation. If you set values for multiple properties, then it essentially behaves as a logical AND, and the criteria only matches operations that match all of those properties.