The identity condition restricts matching of a rule either to a
single entity or to a group of entities. Only authenticated entities can
be matched; acceptable means of authentication are defined in
protocol-specific documents. As usual, if the condition is omitted,
identities are not considered and, thus, the condition matches any
user.
The identity condition can contain zero or more single-entity and
wildcard elements (described below) in any order. The condition matches
a particular entity if the entity matches any one of those elements,
i.e., the matching uses a logical OR.
The single-entity element matches exactly one entity or user. The entity
can be identified by a variety of identifiers. By default, identifiers
in the user@domain format are assumed, but it is possible to indicate
that the "id" attribute should match only specific other URI schema, by
including the schema list in a "schema" parameter. Examples are shown
below:
The wildcard element is used to match one or more entities based on
"wildcard" conditions keyed on domains.
Without enclosed elements or attributes, the wildcard element matches any
authenticated user.
The wildcard element enclosing one or more 'except' elements matches any
user from any domain except those enumerated. The 'except' element
excludes particular users or domains. The exceptions are logically
ORed: an entity matching any one of them is excluded. An example:
This example matches all users except any user in example.com, any
user in example.org, the particular users alice@bad.example.net and
bob@good.example.net, and the user with the telephone number
'tel:+1-212-555-1234'. The last 'except' element is redundant, since
alice@example.com is already excluded by the first exception, which
covers the whole example.com domain.
The wildcard element with a domain attribute and zero or more 'except'
elements matches any user from that domain except those explicitly
enumerated.
This example matches any user within example.com (such as
carol@example.com) except alice@example.com and bob@example.com.
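The following evaluator is an added example, not text or code from the specification or from any implementation of it. It implements the matching semantics described in this section (only authenticated entities match, an omitted condition matches everyone, single-entity and wildcard elements are ORed, exceptions are ORed and remove matches, and the bare wildcard matches any authenticated user) against the two prose examples above, which are rebuilt here as constructed XML. The element and attribute names (`<identity>`, `<one id>`, `<many domain>`, `<except id|domain>`) and the XML namespace are assumptions taken from the RFC 4745 common-policy schema, since this excerpt does not spell them out; the comparison rule (domains compared whole and case-insensitively, user parts and opaque identifiers such as `tel:` URIs compared verbatim) is also an assumption, because the page defers identity comparison to protocol-specific documents.

```python
"""Evaluate the identity condition of a common-policy style <rule>.

Added example. Element/attribute names and the namespace are ASSUMED to
follow the RFC 4745 common-policy schema; the comparison rules (whole,
case-insensitive domains; verbatim user parts) are likewise assumptions.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

NS = "urn:ietf:params:xml:ns:common-policy"   # assumed namespace


def _tag(local: str) -> str:
    return f"{{{NS}}}{local}"


def _split(identity: str) -> Tuple[str, str, Optional[str]]:
    """Return (scheme, user, domain) for 'user@domain' or 'scheme:user@domain'.
    Identifiers without a user@domain shape (e.g. tel: URIs) get domain None."""
    scheme, rest = "", identity.strip()
    if "@" in rest and ":" in rest and rest.index(":") < rest.index("@"):
        scheme, rest = rest.split(":", 1)
    if "@" in rest:
        user, domain = rest.rsplit("@", 1)
        return scheme.lower(), user, domain.lower()
    return scheme.lower(), rest, None


def _norm(identity: str) -> str:
    """Canonical form used for exact comparison of <one id> / <except id>."""
    scheme, user, domain = _split(identity)
    if domain is None:
        return identity.strip()          # opaque identifier: compare verbatim
    return f"{scheme}:{user}@{domain}" if scheme else f"{user}@{domain}"


def _domain_of(identity: str) -> Optional[str]:
    return _split(identity)[2]


def _many_matches(many_el: ET.Element, identity: str) -> bool:
    """<many>: optional domain restriction, minus any matching <except>."""
    domain = many_el.get("domain")
    # Whole-label, case-insensitive comparison: 'example.com' must not match
    # 'notexample.com' or 'example.com.attacker.test'.
    if domain is not None and _domain_of(identity) != domain.lower():
        return False
    for exc in many_el.findall(_tag("except")):
        exc_id, exc_domain = exc.get("id"), exc.get("domain")
        if exc_id is not None and _norm(exc_id) == _norm(identity):
            return False                 # exceptions are ORed: any hit excludes
        if exc_domain is not None and _domain_of(identity) == exc_domain.lower():
            return False
    return True


def identity_matches(identity_el: Optional[ET.Element], identity: Optional[str]) -> bool:
    """identity_el: the <identity> element, or None if the condition is omitted.
    identity: the authenticated identifier, or None for an unauthenticated requester."""
    if identity_el is None:
        return True                      # condition omitted: identities not considered
    if identity is None:
        return False                     # only authenticated entities can match
    for child in identity_el:            # <one> and <many> children, logical OR
        if child.tag == _tag("one"):
            if _norm(child.get("id", "")) == _norm(identity):
                return True
        elif child.tag == _tag("many") and _many_matches(child, identity):
            return True
    return False                         # nothing matched; an empty <identity> matches nobody


def rule_matches(rule_xml: str, identity: Optional[str]) -> bool:
    root = ET.fromstring(rule_xml)
    cond = root.find(_tag("conditions"))
    ident = cond.find(_tag("identity")) if cond is not None else None
    return identity_matches(ident, identity)


# Constructed sample rules, rebuilt from the two prose examples in this section.
RULE_ALL_BUT = f"""<rule xmlns="{NS}" id="all-but">
  <conditions><identity>
    <many>
      <except domain="example.com"/>
      <except domain="example.org"/>
      <except id="alice@bad.example.net"/>
      <except id="bob@good.example.net"/>
      <except id="tel:+1-212-555-1234"/>
      <except id="alice@example.com"/>
    </many>
  </identity></conditions>
</rule>"""

RULE_EXAMPLE_COM = f"""<rule xmlns="{NS}" id="example-com">
  <conditions><identity>
    <many domain="example.com">
      <except id="alice@example.com"/>
      <except id="bob@example.com"/>
    </many>
  </identity></conditions>
</rule>"""
```

Two checks worth keeping when adapting this: the unauthenticated case is tested with `is None`, never with string truthiness, so an empty identifier cannot slip through as "authenticated", and the domain comparison is an equality on the parsed host part rather than a substring or suffix test, so `example.com` does not capture `notexample.com` or `example.com.attacker.test`.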