Adding a named authorization condition
Named conditions provide a way to reuse conditional logic across attributes and policies.
About this task
Named conditions can help provide consistency in authorization logic and minimize repetition throughout policies. You can use named conditions as components in more complicated condition expressions.
For example, consider a named condition that compares the account status received in a decision request to a status code to determine if the account is blocked. You can use this condition in multiple policies to check a user’s account status.
Steps
-
Go to Authorization > Trust Framework and click the Conditions tab.
-
Click the icon and select Add new Condition.
-
Define general information for the named condition:
-
Enter a unique Name for the condition.
The following characters are not allowed in the name:
-
Period (.)
-
Curly brackets ({ })
-
Pipe (|)
-
-
Optional: For Description, enter information that describes the condition’s purpose.
-
Optional: To nest the condition under a parent in the tree, in the Parent list, select a parent condition.
Nesting helps group related conditions together. You can move the condition to another location in the tree by selecting a different parent condition.
To remove nesting, click the Delete icon and leave the Parent blank.
-
-
To add a comparison to the condition, click Comparison.
-
Select an attribute to use in the comparison, select a comparator, and then enter a constant or click the Switch to Attribute () icon to select an attribute.
When you select an attribute, you can select a property that’s grayed out to generate an attribute that resolves against the parent attribute’s JSON schema. If the property is nested, generate an attribute for the property above first and then generate an attribute for the child property.
-
To nest a comparison under another comparison, click Group.
Subgroups allow more permutations in comparisons. To remove nesting while keeping the comparison, click Ungroup.
-
To add a named condition, click Named Condition, select a named condition, and then select is True or is False.
-
To combine multiple conditions, named conditions, or groups, select one of the following options.
Choose from:
-
All: Invokes the condition when all of the conditions are true. If one condition evaluates to false, evaluation stops and the remaining conditions are not executed. This is like adding an
AND
Boolean operator between conditions. -
Any: Invokes the condition when at least one of the conditions is true. If one condition evaluates to true, evaluation stops and the remaining conditions are not executed. This is like adding an
OR
Boolean operator between conditions. -
None: Invokes the condition when none of the conditions are true. This is like adding a
NOT
Boolean operator.
-
-
Click Save Changes.
You can copy a named condition defined on the Conditions tab for reuse by selecting Make Copy from the hamburger menu of that condition. If you copy a named condition with children, only the parent is duplicated. You can not copy a named condition at its point of use in a rule or policy.