PingOne

Authorization conditions

Use conditions in PingOne Authorize attributes, rules, and policies to define authorization logic by comparing one thing to another. Conditions evaluate to either true or false.

You can compare attributes, constant values, and regular expressions in conditions. Conditions can also serve as targets that define when a policy or rule applies to a decision request. For example, you can target a rule so it applies when a payment amount is greater than or equal to a payment limit.

Screen capture showing a condition comparing a Payment Amount attribute to a Payment Limit attribute using the Greater Than Or Equal comparator.

When you define a condition, on the left side, select an attribute that represents unknown or variable information to be validated. On the right side, enter known or predefined criteria in the form of an attribute or constant value. This keeps logical statements consistent regardless of what’s being compared.

If there are multiple conditions, the decision service evaluates them in order from top to bottom according to the following options for combining conditions:

  • All is like adding an AND Boolean operator between conditions. When one condition evaluates to false, evaluation stops and the remaining conditions are not executed.

  • Any is like adding an OR Boolean operator between conditions. When one condition evaluates to true, evaluation stops and the remaining conditions are not executed.

  • None is like adding a NOT Boolean operator between conditions. This invokes the condition when none of the conditions are true.

You can drag collapsed conditions to rearrange them and change the order in which they’re evaluated.
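The following Python sketch is an added illustration, not PingOne Authorize code. It models the three combining options and records which conditions were executed, so the effect of reordering is visible. The function name `evaluate`, the attribute names, the request values, and early stopping for None are assumptions of this example.

```python
# Added illustration: a model of the All / Any / None combining options as
# described on this page. It is not PingOne Authorize code.

def evaluate(combiner, conditions, request):
    """Evaluate named conditions top to bottom; return (result, executed names)."""
    executed = []
    for name, check in conditions:
        outcome = check(request)
        executed.append(name)
        if combiner == "All" and not outcome:
            return False, executed  # first false decides; the rest never run
        if combiner in ("Any", "None") and outcome:
            # Any: the first true decides. None: one true condition already
            # rules out "none are true" (stopping early here is an assumption).
            return combiner == "Any", executed
    # Loop finished: All saw no false, Any and None saw no true.
    return combiner in ("All", "None"), executed

# Hypothetical conditions modelled on two examples from this page.
CONDITIONS = [
    ("anonymous_network_detected",
     lambda r: r["anonymous_network_detected"] is True),
    ("payment_over_limit",
     lambda r: r["payment_amount"] >= r["payment_limit"]),
]

# Constructed request values.
REQUEST = {
    "anonymous_network_detected": False,
    "payment_amount": 500,
    "payment_limit": 200,
}

if __name__ == "__main__":
    for combiner in ("All", "Any", "None"):
        print(combiner, evaluate(combiner, CONDITIONS, REQUEST))
    # Reversing the order lets Any stop after a single condition.
    print("Any (reordered)", evaluate("Any", CONDITIONS[::-1], REQUEST))
```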

You can add conditions directly to resolvers and rules or define them on the Conditions tab as reusable named conditions.

Condition comparators

You can use the following comparators in condition comparisons.

For simplicity, the table groups logical comparator pairs together, but you can only use one comparator at a time in a condition.

Comparator Supported data types Description

Contains / Does Not Contain

Supported data types: Collection, String

Checks whether a string or collection contains (or doesn’t contain) another string. Use this comparator when you know part of a value that you want to check.

For example, this condition evaluates to true if the user roles attribute contains the string Manager.

Screen capture showing a condition comparing a Roles attribute to a constant value of Manager using the Contains comparator.

Matches for strings can differ from matches for collections. For example, the string 1234 contains the constant 23, but the collection [1234] does not contain this constant. One possible matching collection for the constant 23 is [21, 22, 23].

Ends With / Does Not End With

Supported data types: String

Checks whether a string ends with (or doesn’t end with) another string.

For example, this condition evaluates to true if the user’s email address ends with the domain example.com.

Screen capture showing a condition comparing a Game player email address attribute to a constant value of example.com using the Ends With comparator.

Equals / Does Not Equal

Supported data types: Boolean, Collection, Date, Date Time, Duration, JSON, Number, Period, String, Time, XML, Zoned Date Time

Checks whether two values are equal (or not equal).

For example, this condition evaluates to true if an anonymous network is detected.

Screen capture showing a condition comparing an Anonymous Network Detected attribute to a constant value of true using the Equals comparator.

Greater Than / Less Than

Supported data types: Boolean, Date, Date Time, Duration, Number, String, Time, Zoned Date Time

Checks whether a value is greater than (or less than) another value.

For example, this condition evaluates to true if a payment amount is greater than a deposit limit.

Screen capture showing a condition comparing a Payment Amount attribute to a Deposit Limit attribute using the Greater Than comparator.

Greater Than Or Equal / Less Than Or Equal

Supported data types: Boolean, Date, Date Time, Duration, Number, String, Time, Zoned Date Time

Checks whether a value is greater than or equal to (or less than or equal to) another value.

For example, this condition evaluates to true if a payment amount is greater than or equal to a payment limit.

Screen capture showing a condition comparing a Payment Amount attribute to a Payment Limit attribute using the Greater Than Or Equal comparator.

Has Permission

Supported data types: String

Checks whether the PingOne user requesting access to a resource has a PingOne application permission.

To check a permission in a comparison:

  1. Select the PingOne.User.ID attribute.

  2. Select the Has Permission comparator.

  3. Select a PingOne permission from the list of application permissions that are available in the environment.

For example, this condition evaluates to true if the user has the Invoices:Update permission.

Screen capture showing a condition comparing a User ID attribute to an Invoices:Update permission using the Has Permission comparator.

This comparator relies on identity information provided by the PingOne SSO service. Make sure this service is deployed in your environment before you use this comparator.

In CIDR Block / Not In CIDR Block

Supported data types: String

Checks whether a user’s IP address is in (or not in) an IP subnet range. IPv4 and IPv6 addresses are supported.

To create a comparison:

  1. Select an attribute that resolves to a valid IP address.

  2. Select the In CIDR Block or Not In CIDR Block comparator.

  3. Enter the IP address range as a constant or select an attribute that resolves to the IP address range.

You must express the IP address range in Classless Inter-Domain Routing (CIDR) notation (the bitmask indicates the size of the routing prefix):

IP address/bitmask

For example, consider a condition that checks for IP addresses from 192.0.2.0 to 192.0.2.15. CIDR notation for this range is 192.0.2.0/28. If the IP address attribute resolves to 192.0.2.1, for example, the condition evaluates to true.

Screen capture showing a condition comparing an IP address attribute to an IP address range in CIDR notation using the In CIDR Block comparator.

For help expressing an IP address range in CIDR notation, use a CIDR calculator.
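The range arithmetic above can be checked with Python's standard `ipaddress` module. This is an added example, not PingOne Authorize code, and it does not describe how the decision service handles malformed input. The function names, the sample values, and the choice to return `None` for unparseable input are assumptions of this example.

```python
import ipaddress

def cidr_range(cidr):
    """First address, last address and size of a CIDR block."""
    network = ipaddress.ip_network(cidr)  # rejects a range with host bits set
    return str(network[0]), str(network[-1]), network.num_addresses

def in_cidr_block(ip_text, cidr):
    """True or False for valid input, None when either value does not parse.

    Returning None instead of False is a choice made for this example: it keeps
    an unparseable address from counting as "Not In CIDR Block".
    """
    try:
        address = ipaddress.ip_address(ip_text)
        network = ipaddress.ip_network(cidr)
    except ValueError:
        return None
    # An IPv4 address is never inside an IPv6 block, and vice versa.
    return address.version == network.version and address in network

# Constructed sample values (documentation address ranges).
SAMPLES = [
    ("192.0.2.1", "192.0.2.0/28"),         # the page's example
    ("192.0.2.15", "192.0.2.0/28"),        # last address in the block
    ("192.0.2.16", "192.0.2.0/28"),        # first address past the block
    ("2001:db8::1", "2001:db8::/32"),      # IPv6 address in an IPv6 block
    ("::ffff:192.0.2.1", "192.0.2.0/28"),  # IPv4-mapped IPv6 form of 192.0.2.1
    ("192.0.2.300", "192.0.2.0/28"),       # not a valid address
    ("192.0.2.1", "192.0.2.1/28"),         # range written with host bits set
]

def evaluate_samples():
    return [in_cidr_block(ip, cidr) for ip, cidr in SAMPLES]

if __name__ == "__main__":
    print(cidr_range("192.0.2.0/28"))
    for (ip, cidr), result in zip(SAMPLES, evaluate_samples()):
        print(f"{ip:>18} in {cidr:<16} -> {result}")
```

In this model the IPv4-mapped form `::ffff:192.0.2.1` is not inside the IPv4 block, so it matters which textual form the IP address attribute resolves to.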

Is In / Is Not In

Supported data types: Collection, String

Checks whether a string or a collection is in (or not in) another collection.

For example, this condition evaluates to true if the requesting user’s ID is in a collection of IDs representing a parent’s dependent children.

Screen capture showing a condition comparing a User ID attribute to a Dependents attribute using the Is In comparator.

Is Member Of / Is Not Member Of

Supported data types: String

Checks whether the PingOne user requesting access to a resource is a member of (or not a member of) a PingOne group.

To check for group membership in a comparison:

  1. Select the PingOne.User.ID attribute.

  2. Select the Is Member Of or Is Not Member Of comparator.

  3. Select a PingOne group. You can search for groups. As you enter a search query, the group list shows matching results.

For example, this condition evaluates to true if the user is a member of the Admins group.

Screen capture showing a condition comparing a User ID attribute to a constant value of Admins using the Is Member Of comparator.

These comparators rely on identity information provided by the PingOne SSO service. Make sure this service is deployed in your environment before you use these comparators.

Regular Expression

Supported data types: String

Checks whether a string matches a regular expression.

For example, this condition evaluates to true if the user’s name starts with a capital letter and only contains letters. The regular expression being matched is ^[A-Z]+[a-zA-Z]*$.

Screen capture showing a condition comparing a Name attribute to a regular expression using the Regular Expression comparator.

Starts With / Does Not Start With

Supported data types: String

Checks whether a value starts with (or doesn’t start with) another value.

For example, this condition evaluates to true if the user’s IP address starts with the network identifier 192.

Screen capture showing a condition comparing an IP address attribute to a constant value of 192 using the Starts With comparator.
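The string comparators above (Contains, Ends With, Regular Expression, Starts With) compare characters, not the structure of an email address or IP address. The following added Python example, which is not PingOne Authorize code, runs the page's constants against constructed sample values to show what each comparison accepts. It assumes the comparators behave as plain substring, suffix, prefix and regular expression tests, as the descriptions state; all function names and sample values are hypothetical.

```python
import ipaddress
import re

NAME_PATTERN = re.compile(r"^[A-Z]+[a-zA-Z]*$")  # regular expression quoted on this page

def contains(value, constant):
    """Contains: substring test on a string, whole-element test on a collection."""
    return constant in value

def suffix_matches(emails, constant):
    """Addresses that an Ends With comparison against `constant` accepts."""
    return [e for e in emails if e.endswith(constant)]

def prefix_outside_network(addresses, prefix, cidr):
    """Addresses accepted by Starts With `prefix` that are not inside `cidr`."""
    network = ipaddress.ip_network(cidr)
    return [a for a in addresses
            if a.startswith(prefix) and ipaddress.ip_address(a) not in network]

def names_matching(names):
    """Names accepted by the page's regular expression."""
    return [n for n in names if NAME_PATTERN.search(n)]

# Constructed sample values.
EMAILS = ["alice@example.com", "bob@notexample.com", "carol@mail.example.com"]
ADDRESSES = ["192.0.2.1", "192.168.10.4", "192f:db8::1", "198.51.100.7"]
NAMES = ["Alice", "ALICE", "alice", "Anne-Marie", "O'Brien", "Jos\u00e9"]

if __name__ == "__main__":
    print(contains("1234", "23"))                # string: substring match
    print(contains(["1234"], "23"))              # collection: no element equals 23
    print(contains(["21", "22", "23"], "23"))    # collection: an element equals 23
    print(suffix_matches(EMAILS, "example.com"))   # also accepts other domains
    print(suffix_matches(EMAILS, "@example.com"))  # constant that includes the @
    print(prefix_outside_network(ADDRESSES, "192", "192.0.0.0/8"))
    print(prefix_outside_network(ADDRESSES, "192", "192.0.2.0/28"))
    print(names_matching(NAMES))  # ASCII letters only, first letter capital
```

When the intent is a specific domain or subnet, a constant that includes the `@` separator or an In CIDR Block comparison expresses it more exactly than a bare suffix or prefix.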