PingOne

Adding statements to policies and rules

Include statements in rules and policies to perform additional processing as part of an authorization decision.

About this task

You can add statements to the policy as a whole and to individual rules, or you can pull in statement templates from the Library.

Some built-in statements require an API gateway integration and a policy or rule that targets an API service.

You can drag collapsed statements to rearrange them and change the order in which they are evaluated.

Steps

  1. Go to Authorization > Policies, and click a policy or add a new policy.

  2. Do one of the following to add a statement.

    Choose from:

    • In the Statement section, click +Add Statement.

    • From the Library on the Components tab, drag a statement template into the Statement section. Statements pulled in from the Library are read-only. To make changes to the statement, click the hamburger menu next to the Obligatory check box and select Replace with clone.

      • Changes you make to a clone don’t affect the template in the Library.

      • You can add statements to individual rules the same way that you add them to policies. To add a statement to a rule, click the hamburger menu next to the rule Name field and select Add Statement. Then click Add Statement or drag a statement template from the Library to the Statement section in the rule.

  3. Enter a Name and an optional Description for the statement.

  4. Optional: If the statement must be fulfilled as a condition of authorizing the decision request, select the Obligatory check box.

    If the decision service can’t fulfill an obligatory statement, the decision evaluation fails and the decision service returns an error to the client application. When a non-obligatory advice statement can’t be fulfilled, the decision service logs an error and continues the decision evaluation.

  5. Enter a statement Code to identify the type of statement.

    If you pulled in a statement template, use the default code populated from the template. Otherwise, enter your own code. For example, you can enter a code such as MFA_REQ or APPROVE to return a statement code to a DaVinci flow.

    For more information about built-in statement codes and payloads, see Statement templates.

  6. In the Create list, select the kinds of decisions produced by the policy or rule that will create the statement.

    Statements can apply to permit, deny, permit or deny, or indeterminate decisions. Select When Applicable if the statement applies to any of these. This is the default option.

    If you’re using a built-in statement in a policy that targets protected API services and operations, make sure you select On Permit. If the policy or rule produces a deny decision, built-in statements are not processed.

    Screen capture showing an Include Attributes statement with a name, description, code, and payload. The statement applies to Permit decisions.
  7. In the Attach to final decision list, select an option for how the statement propagates through the decision tree and whether it is returned in the overall decision response.

    Choose from:

    • When all decisions in path match: The statement is returned when the decision for the rule or policy with which the statement is associated matches all decisions in the path. For example, when the decision for the rule with which the statement is associated is permit, and all decisions in the path are permit, the statement is returned. This is the default option.

    • When final decision matches "Create" condition: The statement is returned when the decision for the rule or policy with which the statement is associated matches the overall decision. For example, when the decision for the rule with which the statement is associated is permit, and the overall decision is permit, the statement is returned even if there are deny decisions in between.

    • Always: The statement is always returned, unless there’s an error in the associated decision.

  8. Optional: In the Payload field, enter JSON parameters that govern the actions that the decision point performs when it applies the statement.

    Payloads can include static or interpolated data and provide instructions for things such as filtering and transforming headers, query parameters, and request and response bodies. For payload examples, see Statement templates.

    To experiment with JSONPath expressions, use a JSONPath evaluator, such as the JSONPath Online Evaluator.

  9. Optional: To include attributes relevant to the statement in the decision response, drag one or more attributes from the Components tab to the Attach field.

  10. Optional: To add the statement to the Library as a reusable component, click the hamburger menu next to the Obligatory check box and select Add to library.

  11. Click Save changes.

Next steps

To reuse a statement in other policies or rules, you can make a copy of it by selecting Make Copy from the hamburger menu of that statement. You can copy custom Library statements and statements in Library rules, but you cannot copy top-level, bootstrapped Library statements.

You can copy any Library statement at its point of use. If you copy a Library statement in a rule or policy, the copy displays at the point of use and on the Library tab.