---
title: Adding Groovy script rules
description: Add a Groovy script rule to provide advanced rule logic that extends PingAccess rule development beyond the capabilities of the packaged Rules.
component: pingaccess
version: 9.0
page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_adding_groovy_script_rules
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_adding_groovy_script_rules.html
revdate: July 17, 2023
section_ids:
  about-this-task: About this task
  steps: Steps
  example: Example:
  choose-from: Choose from:
---

# Adding Groovy script rules

Add a Groovy script rule to provide advanced rule logic that extends PingAccess rule development beyond the capabilities of the packaged [Rules](pa_rules.html).

## About this task

|   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | Through Groovy scripts, PingAccess administrators can perform sensitive operations that might affect system behavior and security. Since the regular Groovy rule and the OAuth *(tooltip: \<div class="paragraph">&#xA;\<p>A standard framework that enables an application (OAuth client) to obtain access tokens from an OAuth authorization server for the purpose of retrieving protected resources on a resource server.\</p>&#xA;\</div>)* Groovy rule differ in the scope of their functionality, the relevant rules are tagged for Web App or for application programming interface (API) *(tooltip: \<div class="paragraph">&#xA;\<p>A specification of interactions available for building software to access an application or service.\</p>&#xA;\</div>)*, respectively, in the rules list. |

## Steps

1. Click **Access**, then go to **Rules > Rules**.

2. Click **[icon: plus, set=fa]Add Rule**.

3. In the **Name** field, enter a unique name, up to 64 characters long.

   Special characters and spaces are allowed.

4. In the **Type** list, select **Groovy Script (for Web App)**.

5. In the **Groovy Script** field, enter the Groovy script to use for rule evaluation.

   ### Example:

   To validate that an HTTP request does not come from Internet Explorer, you might include the `requestHeaderDoesntContain("User-Agent", "InternetExplorer")` PingAccess matcher in your Groovy script.

   Groovy script rules must end execution with a matcher instance. For more information, see [Matcher usage reference](../reference_guides/pa_matcher_usage_ref.html).

6. To configure rejection handling, click **Show Advanced Settings**, then select a rejection handling method.

   ### Choose from:

   * If you select **Default**, use the **Rejection Handler** list to select an existing [rejection handler](pa_rejection_handlers.html) that defines whether to display an error template or redirect to a URL.

   * If you select **Basic**, you can customize an error message to display as part of the default error page rendered in the end user's browser if rule evaluation fails. This page is among the templates you can modify with your own branding or other information. If you select **Basic**, provide the following:

     1. In the **Error Response Code** field, enter the HTTP status response code to send if rule evaluation fails.

        The default is `403`.

     2. In the **Error Response Status Message** field, enter the HTTP status response message to send if rule evaluation fails.

        The default is `Forbidden`.

     3. In the **Error Response Template File** field, enter the HTML template page for customizing the error message that displays if rule evaluation fails. This template file is located in the `<PA_HOME>/conf/template/` directory.

     4. From the **Error Response Content Type** list, select the type of content for the error response.

        This lets the client properly display the response.

7. Click **Save**.