PingAuthorize

Statements

Statements are directives that instruct the policy enforcement point (PEP) to perform additional processing in conjunction with an authorization decision.

When a policy is applied to a request or response, the policy result might include one or more statements. Statements enable the PEP to do more than simply permit or deny access. For example, a statement can:

  • Require the removal of specific fields from a response

  • Provide explanatory details when access is denied

You can add a statement directly to a policy or rule and configure it as part of the policy definition. You can also create reusable statements in Components for use across multiple policies or rules.

Screen capture of a statement checking the risk for a specific customer and returning multiple attribute key-value pairs

Statements are sometimes called obligations. An obligation is a statement that must be fulfilled as a condition of authorizing the decision request. To indicate that the final decision applies only if a statement can be fulfilled, mark the statement as Obligatory. Typically, the service that calls PingAuthorize Server fulfills this obligation.

Statements carry additional data through payloads and attributes:

  • The optional Payload field can consist of static or interpolated data.

  • The Attributes field lets you return a key-value mapping of attributes that might be relevant to the statement.

You can drag collapsed statements to rearrange them and change the order in which they’re evaluated.

Statement properties

You can configure the following statement properties:

Each property is listed with whether it is required, followed by its description.

Name (Required)

Specifies a friendly name for the statement.

Obligatory (Optional)

When enabled, the statement must be fulfilled as a condition of authorizing the request:

  • If PingAuthorize can’t fulfill an obligatory statement, it fails the operation and returns an error to the client application.

  • If PingAuthorize can’t fulfill a non-obligatory statement, the server logs an error, but the client’s requested operation continues.

Code (Required)

Specifies the statement type. This value corresponds to a statement ID that the PingAuthorize configuration defines.

Create (Required)

Specifies the decision types that should include the associated statement with the result. Available types include:

  • When Applicable (default)

    Select this option when the statement should apply to any of the following decision types.

  • On Permit

  • On Deny

  • On Permit or Deny

  • On Indeterminate

If the Create condition is met for a rule or policy that contributes to the final decision, PingAuthorize includes the statement in its final response when the statement’s Attach to final decision condition is also met.

Attach to final decision (Required)

Specifies how the statement propagates through the decision tree and whether it’s returned in the overall decision response. Available options include:

  • When all decisions in path match (default): Returns the statement when the associated decision matches all decisions in the path. For example, when a rule produces a Permit decision, and all other decisions in the path are Permit, PingAuthorize returns the statement.

  • When final decision matches "Create" condition: Returns the statement when the associated decision matches the final decision, even if intermediate decisions differ.

  • When all decisions in path are applicable: Always returns the statement unless an error occurs in its associated decision.

Payload (Optional)

Specifies a set of parameters that determine the actions the statement performs when PingAuthorize applies it. The appropriate payload value depends on the statement type.

PingAuthorize Server supports all of the provided statement types except for custom statements. To develop custom statement types, use the PingAuthorize Server SDK. Learn more in Managing Server SDK Extensions.

Many statement types let you use the JSONPath expression language to specify JSON field paths. To experiment with JSONPath, use the JSONPath evaluator.
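
The obligatory and non-obligatory behavior described under the Obligatory property, shown from the side of a calling service that fulfills statements itself. This is an added example, not PingAuthorize code or its API: the result shape, the field names, the remove-fields and audit-note codes, and the use of dotted paths in place of JSONPath are all assumptions made for illustration.

```python
import copy
import logging

log = logging.getLogger("pep")

# Constructed sample data; field names and statement codes are assumptions.
SAMPLE_BODY = {"name": "Ann", "ssn": "000-00-0000", "account": {"id": 7, "balance": 120}}
SAMPLE_RESULT = {"decision": "Permit", "statements": [
    {"name": "Hide sensitive fields", "code": "remove-fields", "obligatory": True,
     "payload": ["ssn", "account.balance"]},
    {"name": "Audit hint", "code": "audit-note", "obligatory": False},
]}

def remove_fields(body, payload):
    """Hypothetical handler: drop each dotted field path listed in the payload."""
    for path in payload:
        *parents, leaf = path.split(".")
        node = body
        for key in parents:
            node = node.get(key) if isinstance(node, dict) else None
        if isinstance(node, dict):
            node.pop(leaf, None)
    return body

HANDLERS = {"remove-fields": remove_fields}  # codes this PEP knows how to fulfill

def enforce(result, body):
    """Return (allowed, body_to_send) for a decision result and a response body."""
    if result.get("decision") != "Permit":
        return False, None
    out = copy.deepcopy(body)  # never mutate the caller's copy
    for st in result.get("statements", []):
        try:
            out = HANDLERS[st.get("code")](out, st.get("payload"))
        except Exception as exc:  # unknown code, malformed payload, handler failure
            if st.get("obligatory"):
                # Fail closed: the Permit only holds if the obligation is fulfilled.
                log.error("obligatory statement %r not fulfilled: %r", st.get("name"), exc)
                return False, None
            # Non-obligatory: record the failure and let the operation continue.
            log.error("statement %r skipped: %r", st.get("name"), exc)
    return True, out

if __name__ == "__main__":
    print(enforce(SAMPLE_RESULT, SAMPLE_BODY))
```

With the sample data, the unknown non-obligatory audit-note statement is logged and skipped, while the same unknown code marked obligatory would turn the Permit into a refusal.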