---
title: Grant relationships conditionally
description: Relationships can be granted dynamically, based on a specified condition. In order to conditionally grant a relationship, the schemas for the resources you are creating a relationship between need to be configured to support conditional association. To do this, three fields in the schema are used:
component: pingidm
version: 8.1
page_id: pingidm:objects-guide:conditional-relationships
canonical_url: https://docs.pingidentity.com/pingidm/8.1/objects-guide/conditional-relationships.html
keywords: ["Data Object Model", "Relationships"]
---

# Grant relationships conditionally

Relationships can be granted dynamically, based on a specified condition. To grant a relationship conditionally, the schemas of both resources in the relationship must be configured to support conditional association. Three schema fields are used for this:

* `conditionalAssociation`

  Boolean. This property is applied to the `resourceCollection` for the grantor of the relationship. For example, the `members` relationship on `managed/role` specifies that there is a conditional association with the `managed/user` resource:

  ```json
  "resourceCollection" : [
      {
          "notify" : true,
          "conditionalAssociation" : true,
          "path" : "managed/user",
          "label" : "User",
          "query" : {
              "queryFilter" : "true",
              "fields" : [
                  "userName",
                  "givenName",
                  "sn"
              ]
          }
      }
  ]
  ```

* `conditionalAssociationField`

  This property is a string, specifying the field used to determine whether a conditional relationship is granted. The field is applied to the `resourceCollection` of the grantee of the relationship. For example, the `roles` relationship on `managed/user` specifies that the conditional association with `managed/role` is defined by the `condition` field in `managed/role`:

  ```json
  "resourceCollection" : [
      {
          "path" : "managed/role",
          "label" : "Role",
          "conditionalAssociationField" : "condition",
          "query" : {
              "queryFilter" : "true",
              "fields" : [
                  "name"
              ]
          }
      }
  ]
  ```

  The field name is usually `condition` if you are using the default schema, but it can be any field that evaluates a condition and is flagged as `isConditional`.

* `isConditional`

  Boolean. This property is applied to the field that is checked to determine whether membership in a relationship is granted. Only one field on a resource can be marked as `isConditional`. For example, in the relationship between `managed/user` and `managed/role`, conditional membership in the relationship is determined by the query filter specified in the `managed/role` `condition` field:

  ```json
  "condition" : {
      "description" : "A conditional filter for this role",
      "title" : "Condition",
      "viewable" : false,
      "searchable" : false,
      "isConditional" : true,
      "type" : "string"
  }
  ```

Conditions support both properties and [virtual properties derived from other relationships](managed-object-virtual-properties.html#relationship-derived-virtual-properties), if the query property has been configured. Conditions are a powerful tool for dynamically creating relationships between two objects. An example of conditional relationships in use is covered in [Grant a Role Based on a Condition](roles-over-rest.html#conditional-role-grants).
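Because a conditional grant depends on all three fields agreeing across two schemas, a consistency check is useful before a schema change is deployed. The following Python is an added example, not part of the PingIDM documentation or product code. The `objects`/`schema`/`properties`/`items` nesting of the constructed sample and the function names `sample`, `resource_collections`, and `lint` are assumptions made for illustration.

```python
def sample(field="condition", grantor_flag=True, extra_conditional=False):
    """Constructed managed/role + managed/user schema, trimmed to the three fields."""
    role = {
        "members": {"type": "array", "items": {"type": "relationship", "resourceCollection": [
            {"path": "managed/user", "conditionalAssociation": grantor_flag}]}},
        "condition": {"type": "string", "isConditional": True},
        "name": {"type": "string", "isConditional": extra_conditional},
    }
    user = {"roles": {"type": "array", "items": {"type": "relationship", "resourceCollection": [
        {"path": "managed/role", "conditionalAssociationField": field}]}}}
    # Assumed layout: a list of objects, each with a name and schema.properties.
    return [{"name": "role", "schema": {"properties": role}},
            {"name": "user", "schema": {"properties": user}}]

def resource_collections(prop):
    """Yield resourceCollection entries of a single or array relationship property."""
    yield from prop.get("resourceCollection", [])
    yield from prop.get("items", {}).get("resourceCollection", [])

def lint(objects):
    """Return findings where the three conditional-association fields disagree."""
    props = {"managed/" + o["name"]: o["schema"]["properties"] for o in objects}
    flagged = {p: [n for n, f in fs.items() if f.get("isConditional")]
               for p, fs in props.items()}
    # Only one field on a resource can be marked isConditional.
    findings = [f"{p}: more than one isConditional field {names}"
                for p, names in flagged.items() if len(names) > 1]
    for path, fields in props.items():
        for name, prop in fields.items():
            for rc in resource_collections(prop):
                target, field = rc.get("path"), rc.get("conditionalAssociationField")
                if field is None:
                    continue
                # Grantee side: the named field must be isConditional on the grantor.
                if field not in flagged.get(target, []):
                    findings.append(f"{path}.{name}: '{field}' is not isConditional on {target}")
                # Grantor side: a relationship back to this resource must set the flag.
                back = [g for p in props.get(target, {}).values()
                        for g in resource_collections(p) if g.get("path") == path]
                if not any(g.get("conditionalAssociation") is True for g in back):
                    findings.append(f"{path}.{name}: {target} lacks conditionalAssociation to {path}")
    return findings

if __name__ == "__main__":
    for finding in lint(sample(field="name", grantor_flag=False)):
        print(finding)
```

An empty result means the grantor flag, the grantee field reference, and the `isConditional` marker line up; it does not validate the query filter stored in the condition field itself.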
