Conditional targets (Applies to)
You can use conditional targets to extend the capability of the "Applies to" concept when creating attribute-based access control (ABAC) rules and policies.
Conditional targets extend the capability of the "Applies to" concept because they:
-
Permit the interweaving of targets with other conditional logic.
-
Allow standalone logic to determine if and when a policy or rule applies.
To enable this functionality, click Applies to and then When.
You can include the following types of conditions in a logical expression:
-
Attribute comparison – Allows the comparison of an attributes with another attribute or with a constant.
-
Request comparison – Allows the matching of incoming requests by answering questions like, "Is the requested service equal to
Banking.Payment
?" -
Named condition – Click Named Condition to show a Named Condition drop-down list that displays named conditions.
The following image provides an example.
You can navigate conditions using the Up Arrow and the Down Arrow to move between members of a group or using the Left Arrow and Right Arrow to move in and out of nested groups.
You can reorder conditions by dragging the handles on the left. To reorder using the keyboard, press Tab to go to the condition, press Enter to select the condition, press the Up Arrow or Down Arrow to go to the desired location, press Enter to drop the condition in the new location.
To switch between Attribute Comparison mode and Request Comparison mode, click A and R, respectively, to the left of the comparator.