The identity condition restricts matching of a rule either to a single entity or to a group of entities. Only authenticated entities can be matched; acceptable means of authentication are defined in protocol-specific documents. As usual, if the condition is omitted, identities are not considered and, thus, the condition matches any user. The identity condition can contain zero or more and elements in any order. The condition matches a particular entity if the entity matches any one of the or elements, i.e., the matching uses a logical OR.
The element matches exactly one entity or user. The entity can be identified by a variety of identifiers. By default, identifiers in the user@domain format are assumed, but it is possible to indicate that the "id" attribute should match only specific other URI schema, by including the schema list in a "schema" parameter. Examples are shown below:
The element is used to match one or more entities based on "wildcard" conditions, based on domains.
without enclosed elements or attributes matches any authenticated user.
The element enclosing one or more elements matches any user from any domain except those enumerated. The element excludes particular users. The exceptions are logically ORed. An example: This example matches all users except any user in example.com, any user in example.org, or the particular users alice@bad.example.net, bob@good.example.net and the user with the telephone number 'tel:+1-212-555-1234'. The last 'except' element is redundant, since alice@example.com is already excluded through the first line.
The element with a domain attribute and zero or more elements matches any user from that domain except those explicitly enumerated. This example matches any user within example.com (such as carol@example.com) except alice@example.com and bob@example.com.
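The matching semantics described above (single-entity match, wildcard match with ORed exceptions, domain-restricted wildcard match, and an omitted condition matching anyone) can be exercised with the following evaluator. This is an added example, not text or code from the original document. It assumes the element and attribute names of the common-policy identity condition as published in RFC 4745 (`<identity>`, `<one id="...">`, `<many domain="...">`, `<except id="..."|domain="...">`), that a bare user@domain identifier is equivalent to its `sip:` form, and that `None` models an unauthenticated requester; the policy documents and identities are constructed sample input.

```python
"""Evaluate the identity condition of a common-policy rule (added example).

Assumed element names (RFC 4745): <identity>, <one id>, <many domain>,
<except id|domain>.  Namespaced and un-namespaced documents are both accepted.
"""
import xml.etree.ElementTree as ET
from typing import Optional


def _local(tag: str) -> str:
    """Strip an XML namespace prefix: '{urn:...}many' -> 'many'."""
    return tag.rsplit("}", 1)[-1]


def _canon(identity: str) -> str:
    """Canonical identifier: an optional 'sip:' prefix is dropped (user@domain
    is the default form, assumption) and the domain part is lower-cased.
    Identifiers without '@' (e.g. tel: URIs) are compared verbatim."""
    if identity.lower().startswith("sip:"):
        identity = identity[4:]
    if "@" in identity:
        user, domain = identity.rsplit("@", 1)
        return f"{user}@{domain.lower()}"
    return identity


def _domain_of(identity: str) -> Optional[str]:
    """Domain part of a user@domain identity, or None for tel: and similar."""
    ident = _canon(identity)
    return ident.rsplit("@", 1)[1] if "@" in ident else None


def _excepted(many: ET.Element, identity: str) -> bool:
    """True when any <except> child excludes the identity (exceptions are ORed)."""
    dom = _domain_of(identity)
    for exc in many:
        if _local(exc.tag) != "except":
            continue
        if "id" in exc.attrib and _canon(exc.attrib["id"]) == _canon(identity):
            return True
        if "domain" in exc.attrib and dom is not None and exc.attrib["domain"].lower() == dom:
            return True
    return False


def identity_matches(identity_elem: ET.Element, identity: Optional[str]) -> bool:
    """Logical OR over the <one> and <many> children; unauthenticated never matches."""
    if identity is None:
        return False
    for child in identity_elem:
        tag = _local(child.tag)
        if tag == "one" and _canon(child.attrib.get("id", "")) == _canon(identity):
            return True
        if tag == "many":
            domain = child.attrib.get("domain")
            # A domain attribute restricts the wildcard to that domain only.
            if domain is not None and _domain_of(identity) != domain.lower():
                continue
            if not _excepted(child, identity):
                return True
    return False


def rule_matches_identity(rule_xml: str, identity: Optional[str]) -> bool:
    """True if the rule's identity condition matches; an omitted condition matches anyone."""
    rule = ET.fromstring(rule_xml)
    for cond in rule:
        if _local(cond.tag) != "conditions":
            continue
        for c in cond:
            if _local(c.tag) == "identity":
                return identity_matches(c, identity)
    return True


# Constructed sample rules mirroring the cases discussed in the text.
ONE_RULE = """<rule id="r-one"><conditions><identity>
  <one id="alice@example.com"/></identity></conditions></rule>"""

ANY_EXCEPT_RULE = """<rule id="r-any"><conditions><identity><many>
  <except domain="example.com"/>
  <except domain="example.org"/>
  <except id="alice@bad.example.net"/>
  <except id="bob@good.example.net"/>
  <except id="tel:+1-212-555-1234"/>
  <except id="alice@example.com"/>
</many></identity></conditions></rule>"""

DOMAIN_RULE = """<rule id="r-dom"><conditions><identity>
  <many domain="example.com">
    <except id="alice@example.com"/>
    <except id="bob@example.com"/>
  </many></identity></conditions></rule>"""

NO_IDENTITY_RULE = """<rule id="r-open"><conditions/></rule>"""


if __name__ == "__main__":
    for who in ("carol@example.com", "carol@example.net", "tel:+1-212-555-1234", None):
        print(who, rule_matches_identity(ANY_EXCEPT_RULE, who), rule_matches_identity(DOMAIN_RULE, who))
```

Note that the redundant sixth `<except>` in `ANY_EXCEPT_RULE` changes nothing: alice@example.com is already rejected by the `example.com` domain exception, which is exactly the redundancy the text points out.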