Selection expressions

You can use the following different types of selection expression:
Basic selection expressions
Include only one attribute
user_attribute_type=value
For example, to include one named user logon ID, and exclude all other users:
logon=jsmith1
Exclude one attribute
~user_attribute_type=value
For example, to exclude one set of logon IDs identified by a wildcard (those that start with the letter "j"), but include all others:
~logon=j@
Include only several attributes of the same type
user_attribute_type=value[,value]...
For example, to include three specific users and exclude all others:
logon=jsmith1,jbrown1,jjones1
Exclude several attributes of the same type
~user_attribute_type=value[,value]...
For example, to exclude three specific users and include all others:
~logon=jsmith1,jbrown1,jjones1
Complex selection expressions
Include users identified by different selection expressions
basic_selection_expression[+basic_selection_expression]...

The selection expressions can be of the same or a different attribute type:

Same attribute type
An example of the same attribute type is the following, which selects all the groups beginning with the letter "j", as well as those beginning with the letter "z":
group=j@+group=z@
If the first selection identifies 200 users, and the second 300, the total users selected is 500.
Different attribute type
An example of selection expressions of a different attribute type is the following, which selects all the groups beginning with the letter "j", as well as all users with IDs beginning with a "6":
group=j@+logon=6@

If the first selection identifies 200 users, and the second 20, of whom 5 are also in the first group, the total users selected is 5, because only the users who match both expressions are selected.

Exclude users identified in one selection expression from those identified in another
basic_selection_expression[~basic_selection_expression]...
Same attribute type
The selection expressions can be of the same attribute type, provided that the second is a subset of the first. An example of the same attribute type is the following, which selects all the groups beginning with the letter "j", but excludes those with a "z" as a second letter:
group=j@~group=jz@
If the first selection identifies 200 users, and the second 20, the total users selected is 180. Note that if the second expression had not been a subset of the first, the second expression would have been ignored.
Different attribute type
Selection expressions of a different attribute type do not have to have a subset relationship, an example being the following, which selects the group "mygroup", but excludes from the selection all users in the group with IDs beginning with a "6":
group=mygroup~logon=6@

If the first selection identifies 200 users, and the second 20, of whom 5 are also in the first group, the total users selected is 195.

Multiple includes and excludes
You can link together as many include and exclude expressions as you need to identify the precise subset of users who require the same access. The overall syntax is thus:

[~]user_attribute_type=value[,value]... [{+|~}user_attribute_type=value[,value]...]...

Note: Making your first user attribute an exclude means that all user attributes of that type are selected except the indicated value. Thus, ~user_attribute_type=value equates to the following:

user_attribute_type=@~same_user_attribute_type=value

However, if you use this syntax, you cannot, and do not need to, specifically add "+user_attribute_type=@" after the negated item, so you do not define:

~user_attribute_type=value+same_user_attribute_type=@
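
As an added example (not part of the original documentation or the product's own code), the following Python model evaluates the include and exclude rules above over a constructed user population sized to reproduce the counts quoted on this page. It assumes each user has a single `logon` and `group` value, that `@` matches any run of characters, and that terms of the same attribute type widen the selection while terms of different types must all match, which is the reading consistent with the 500 and 5 totals above; all function names are hypothetical.

```python
import re

_TERM = r"\w+=[^+~]+"
_VALID = re.compile(rf"~?{_TERM}(?:[+~]{_TERM})*")
_SPLIT = re.compile(r"([+~]?)(\w+)=([^+~]+)")

def parse(expr):
    """Return {attribute_type: (include_patterns, exclude_patterns)}."""
    expr = "".join(expr.split())
    if not _VALID.fullmatch(expr):
        raise ValueError(f"malformed selection expression: {expr!r}")
    rules = {}
    for op, attr, values in _SPLIT.findall(expr):
        include, exclude = rules.setdefault(attr, ([], []))
        (exclude if op == "~" else include).extend(values.split(","))
    return rules

def _hit(value, patterns):
    # Assumption: "@" matches any run of characters, as in "j@" and "@" on the page.
    return any(re.fullmatch(".*".join(map(re.escape, p.split("@"))), value)
               for p in patterns)

def matches(user, rules):
    for attr, (include, exclude) in rules.items():
        # No include term for a type means attr=@ (the leading-exclude rule).
        if include and not _hit(user[attr], include):
            return False
        if _hit(user[attr], exclude):
            return False
    return True

def select(expr, users):
    rules = parse(expr)
    return [u for u in users if matches(u, rules)]

# Constructed population: 200 users in "j" groups (20 of them in "jzone"),
# 300 in "zeta", and 20 logons starting with "6" (5 of them in a "j" group).
USERS = [{"group": "jdev" if i < 180 else "jzone" if i < 200 else "zeta",
          "logon": f"{'6' if i < 5 or 200 <= i < 215 else 'u'}{i:03d}"}
         for i in range(500)]

if __name__ == "__main__":
    for expr in ("group=j@+group=z@", "group=j@+logon=6@",
                 "group=j@~group=jz@", "group=j@~logon=6@", "~logon=6@"):
        print(f"{expr:22} -> {len(select(expr, USERS))} users")
```

Counting the accounts an expression covers in a model like this, before it goes into a security definition, makes an unintentionally broad selection visible early.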