PingAuthorize

Advice

An advice is additional information you can attach to a decision response.

An advice is returned to the governance engine so that, depending on the evaluation response from the policy, PingAuthorize can take the appropriate action. For example, if you have a policy set up to verify the authentication level of a user, and the policy evaluates that the user does not possess the required access privileges, PingAuthorize can send details about the reason for denying access.

To indicate that the final decision applies only if an advice can be fulfilled, mark the advice as Obligatory. Typically, the service that calls PingAuthorize Server handles this responsibility.

Each advice contains the following mandatory fields:

  • Name – Human-readable label for reference in the Policy Manager

  • Code – Identifier that distinguishes between different types of advice

  • Applies To – Type of decision to which the advice is attached

If an advice applies, PingAuthorize uses it in the final response if its origin decision contributes to the final result, that is, if that decision agrees with every decision between its origin and the top-level policy or policy set.

Screen capture of advice with multiple Attributes payloads

Advice carries additional data in the form of payloads and attributes, as follows:

  • The optional field Payload can consist of static or interpolated data.

  • The Attributes field lets you return a key-value mapping of attributes that might be relevant to the advice.

You can reorder collapsed advices by dragging the handles on the left. To reorder using the keyboard, press Tab to go to the advice, press Enter to select the advice, press the Up Arrow or Down Arrow to go to the desired location, and then press Enter to drop the advice in the new location.

The following table identifies significant advice properties.

| Property | Description |
|---|---|
| Name | Friendly name for the advice. |
| Obligatory | If true, the advice must be fulfilled as a condition of authorizing the request. If PingAuthorize cannot fulfill an obligatory advice, it fails the operation and returns an error to the client application. If PingAuthorize cannot fulfill a non-obligatory advice, the server logs an error, but the client’s requested operation continues. |
| Code | Identifies the advice type. This value corresponds to an advice ID that the PingAuthorize configuration defines. |
| Applies To | Specifies the policy decisions, such as permit or deny, that include the advice with the policy result. |
| Payload | Set of parameters governing the actions that the advice performs when PingAuthorize applies the advice. The appropriate payload value depends on the advice type. |
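
The Obligatory behavior described above, shown from the side of a service that calls PingAuthorize and fulfills advice itself. This is an added example, not PingAuthorize code: the response field names, the `PERMIT` value, and the `demo-*` advice codes are assumptions made for illustration.

```python
import logging

log = logging.getLogger("pep")

def redact_fields(payload, attributes, ctx):
    """Hypothetical handler: payload is a comma-separated list of fields to strip."""
    fields = [f.strip() for f in payload.split(",") if f.strip()]
    if not fields:
        raise ValueError("empty payload")
    ctx.setdefault("redact", set()).update(fields)

# Advice Code -> handler. The codes are made up for this example.
HANDLERS = {"demo-redact-fields": redact_fields}

def fulfill(advice, ctx):
    """Return True only if a handler exists for the Code and ran without error."""
    handler = HANDLERS.get(advice.get("code"))
    if handler is None:
        return False
    try:
        handler(advice.get("payload") or "", advice.get("attributes") or {}, ctx)
        return True
    except Exception as exc:
        log.error("advice %r failed: %s", advice.get("code"), exc)
        return False

def enforce(response, ctx):
    """Return True if the caller may carry out the requested operation."""
    for advice in response.get("advices", []):
        if fulfill(advice, ctx):
            continue
        if advice.get("obligatory", False):
            # Obligatory and unfulfilled: fail the operation, whatever the decision.
            log.error("obligatory advice %r unfulfilled, failing", advice.get("code"))
            return False
        # Non-obligatory: log the error and let the operation continue.
        log.error("advice %r unfulfilled, continuing", advice.get("code"))
    return response.get("decision") == "PERMIT"

# Constructed sample decision response; the field names are assumptions.
SAMPLE = {"decision": "PERMIT", "advices": [
    {"code": "demo-redact-fields", "obligatory": True, "payload": "ssn, dob", "attributes": {}},
    {"code": "demo-unknown", "obligatory": False, "payload": None, "attributes": {}},
]}
```

An advice code with no registered handler counts as unfulfilled, so an obligatory advice that the caller does not recognize refuses the request instead of being silently skipped.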

PingAuthorize Server supports the following advice types:

To develop custom advice types, use the Server SDK.

Many statement types let you use the JSONPath expression language to specify JSON field paths. To experiment with JSONPath, use this JSONPath evaluator.