Authorization conditions
Use conditions in PingOne Authorize attributes, rules, and policies to define authorization logic by comparing one thing to another. Conditions evaluate to either true or false.
You can compare attributes, constant values, and regular expressions in conditions. Conditions can also serve as targets that define when a policy or rule applies to a decision request. For example, you can target a rule so it applies when a payment amount is greater than or equal to a payment limit.
When you define a condition, on the left side, select an attribute that represents unknown or variable information to be validated. On the right side, enter known or predefined criteria in the form of an attribute or constant value. This keeps logical statements consistent regardless of what’s being compared.
If there are multiple conditions, the decision service evaluates them in order from top to bottom according to the following options for combining conditions:
- All is like adding an AND Boolean operator between conditions. When one condition evaluates to false, evaluation stops and the remaining conditions are not executed.
- Any is like adding an OR Boolean operator between conditions. When one condition evaluates to true, evaluation stops and the remaining conditions are not executed.
- None is like adding a NOT Boolean operator between conditions. This invokes the condition when none of the conditions are true.
You can drag collapsed conditions to rearrange them and change the order in which they’re evaluated.
You can add conditions directly to resolvers and rules or define them on the Conditions tab as reusable named conditions.
Condition comparators
You can use the following comparators in condition comparisons.
For simplicity, the table groups logical comparator pairs together, but you can only use one comparator at a time in a condition.
| Comparator | Supported data types | Description |
|---|---|---|
| Contains, Does Not Contain | Collection, String | Checks whether a string or collection contains (or doesn’t contain) another string. Use this comparator when you know part of a value that you want to check. For example, this condition evaluates to |
| Ends With, Does Not End With | String | Checks whether a string ends with (or doesn’t end with) another string. For example, this condition evaluates to |
| Equals, Does Not Equal | Boolean, Collection, Date, Date Time, Duration, JSON, Number, Period, String, Time, XML, Zoned Date Time | Checks whether two values are equal (or not equal). For example, this condition evaluates to |
| Greater Than, Less Than | Boolean, Date, Date Time, Duration, Number, String, Time, Zoned Date Time | Checks whether a value is greater than (or less than) another value. For example, this condition evaluates to |
| Greater Than Or Equal, Less Than Or Equal | Boolean, Date, Date Time, Duration, Number, String, Time, Zoned Date Time | Checks whether a value is greater than or equal to (or less than or equal to) another value. For example, this condition evaluates to |
| Has Permission | String | Checks whether the PingOne user requesting access to a resource has a PingOne application permission. To check a permission in a comparison: For example, this condition evaluates to |
| In CIDR Block, Not In CIDR Block | String | Checks whether a user’s IP address is in (or not in) an IP subnet range. IPv4 and IPv6 addresses are supported. To create a comparison: You must express the IP address range in Classless Inter-Domain Routing (CIDR) notation (the bitmask indicates the size of the routing prefix): IP address/bitmask. For example, consider a condition that checks for IP addresses between 192.0.2.0 - 192.0.2.15. CIDR notation for this range is |
| Is In, Is Not In | Collection, String | Checks whether a string or a collection is in (or not in) another collection. For example, this condition evaluates to |
| Is Member Of, Is Not Member Of | String | Checks whether the PingOne user requesting access to a resource is a member of (or not a member of) a PingOne group. To check for group membership in a comparison: For example, this condition evaluates to |
| Regular Expression | String | Checks whether a string matches a regular expression. For example, this condition evaluates to |
| Starts With, Does Not Start With | String | Checks whether a value starts with (or doesn’t start with) another value. For example, this condition evaluates to |
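
The following is an added local model of the All, Any, and None combining rules and of the In CIDR Block comparator described on this page; it is not PingOne Authorize code or its API. The function names, condition tuples, attribute names, and sample requests are constructed assumptions, and because the page does not say whether None stops early, this sketch evaluates every condition under None.

```python
import ipaddress

def in_cidr_block(ip, cidr):
    # Mixed IPv4/IPv6 operands never match; a malformed CIDR raises ValueError.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def greater_or_equal(left, right):
    return left >= right

def range_to_cidr(first, last):
    # Smallest list of CIDR blocks covering exactly first..last (inclusive).
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(block) for block in blocks]

def evaluate(mode, conditions, request):
    """Evaluate conditions top to bottom; return (result, names executed)."""
    if mode not in ("All", "Any", "None"):
        raise ValueError(f"unknown combining option: {mode}")
    executed, any_true = [], False
    for name, comparator, attribute, criterion in conditions:
        executed.append(name)
        # Left side: variable attribute from the request. Right side: known criterion.
        outcome = comparator(request[attribute], criterion)
        any_true = any_true or outcome
        if mode == "All" and not outcome:
            return False, executed   # first false ends evaluation
        if mode == "Any" and outcome:
            return True, executed    # first true ends evaluation
    if mode == "None":
        return not any_true, executed
    return mode == "All", executed   # All: nothing was false; Any: nothing was true

# Constructed sample: hypothetical attribute names; range taken from the CIDR row.
OFFICE = range_to_cidr("192.0.2.0", "192.0.2.15")[0]
CONDITIONS = [
    ("ip in office block", in_cidr_block, "ip", OFFICE),
    ("amount >= limit", greater_or_equal, "amount", 1000),
]

if __name__ == "__main__":
    for mode in ("All", "Any", "None"):
        for request in ({"ip": "192.0.2.9", "amount": 250},
                        {"ip": "192.0.2.16", "amount": 5000}):
            print(mode, request, evaluate(mode, CONDITIONS, request))
```

In this model, reordering the conditions changes which ones are executed under All and Any, but not the result.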