---
title: Authorization conditions
description: Use conditions in PingOne Authorize attributes, rules, and policies to define authorization logic by comparing one thing to another.
component: pingone
page_id: pingone:authorization_using_pingone_authorize:p1az_conditions
canonical_url: https://docs.pingidentity.com/pingone/authorization_using_pingone_authorize/p1az_conditions.html
revdate: August 22, 2025
section_ids:
  p1_az_condition_comparators: Condition comparators
---

# Authorization conditions

Use conditions in PingOne Authorize attributes, rules, and policies to define authorization logic by comparing one thing to another. Conditions evaluate to either `true` or `false`.

You can compare attributes, constant values, and regular expressions in conditions. Conditions can also serve as [targets](p1az_policy_targets.html) that define when a policy or rule applies to a decision request. For example, you can target a rule so it applies when a payment amount is greater than or equal to a payment limit.

![Screen capture showing a condition comparing a Payment Amount attribute to a Payment Limit attribute using the Greater Than Or Equal comparator.](_images/ubo1685464624868.png)

When you define a condition, on the left side, select an attribute that represents unknown or variable information to be validated. On the right side, enter known or predefined criteria in the form of an attribute or constant value. This keeps logical statements consistent regardless of what's being compared.

If there are multiple conditions, the decision service evaluates them in order from top to bottom according to the following options for combining conditions:

* **All** is like adding an `AND` Boolean operator between conditions. When one condition evaluates to false, evaluation stops and the remaining conditions are not executed.

* **Any** is like adding an `OR` Boolean operator between conditions. When one condition evaluates to true, evaluation stops and the remaining conditions are not executed.

* **None** is like adding a `NOT` Boolean operator between conditions. This invokes the condition when none of the conditions are true.

You can drag collapsed conditions to rearrange them and change the order in which they're evaluated.

You can add conditions directly to [resolvers](p1_az_resolvers.html#section_glx_yvw_4wb) and rules or define them on the **Conditions** tab as reusable [named conditions](p1_az_adding_named_conditions.html).

## Condition comparators

You can use the following comparators in condition comparisons.

For simplicity, the table groups logical comparator pairs together, but you can only use one comparator at a time in a condition.

| Comparator | Supported data types | Description |
| --- | --- | --- |
| **Contains**<br>**Does Not Contain** | Collection<br>String | Checks whether a string or collection contains (or doesn't contain) another string. Use this comparator when you know part of a value that you want to check.<br><br>For example, this condition evaluates to `true` if the user roles attribute contains the string `Manager`.<br><br>![Screen capture showing a condition comparing a Roles attribute to a constant value of Manager using the Contains comparator.](_images/hgs1685471012461.png)<br><br>Matches for strings can differ from matches for collections. For example, the string `1234` contains the constant `23`, but the collection `[1234]` does not contain this constant. One possible matching collection for the constant `23` is `[21, 22, 23]`. |
| **Ends With**<br>**Does Not End With** | String | Checks whether a string ends with (or doesn't end with) another string.<br><br>For example, this condition evaluates to `true` if the user's email address ends with the domain `example.com`.<br><br>![Screen capture showing a condition comparing a Game player email address attribute to a constant value of example.com using the Ends With comparator.](_images/vvo1685471320467.png) |
| **Equals**<br>**Does Not Equal** | Boolean<br>Collection<br>Date<br>Date Time<br>Duration<br>JSON<br>Number<br>Period<br>String<br>Time<br>XML<br>Zoned Date Time | Checks whether two values are equal (or not equal).<br><br>For example, this condition evaluates to `true` if an anonymous network is detected.<br><br>![Screen capture showing a condition comparing an Anonymous Network Detected attribute to a constant value of true using the Equals comparator.](_images/tmw1685471521984.png) |
| **Greater Than**<br>**Less Than** | Boolean<br>Date<br>Date Time<br>Duration<br>Number<br>String<br>Time<br>Zoned Date Time | Checks whether a value is greater than (or less than) another value.<br><br>For example, this condition evaluates to `true` if a payment amount is greater than a deposit limit.<br><br>![Screen capture showing a condition comparing a Payment Amount attribute to a Deposit Limit attribute using the Greater Than comparator.](_images/qly1685472001283.png) |
| **Greater Than Or Equal**<br>**Less Than Or Equal** | Boolean<br>Date<br>Date Time<br>Duration<br>Number<br>String<br>Time<br>Zoned Date Time | Checks whether a value is greater than or equal to (or less than or equal to) another value.<br><br>For example, this condition evaluates to `true` if a payment amount is greater than or equal to a payment limit.<br><br>![Screen capture showing a condition comparing a Payment Amount attribute to a Payment Limit attribute using the Greater Than Or Equal comparator.](_images/ubo1685464624868.png) |
| **Has Permission** | String | Checks whether the PingOne user requesting access to a resource has a PingOne [application permission](../applications/p1_application_permissions.html).<br><br>To check a permission in a comparison:<br>1. Select the **PingOne.User.ID** attribute.<br>2. Select the **Has Permission** comparator.<br>3. Select a PingOne permission from the list of application permissions that are available in the environment.<br><br>For example, this condition evaluates to `true` if the user has the `Invoices:Update` permission.<br><br>![Screen capture showing a condition comparing a User ID attribute to an Invoices:Update permission using the Has Permission comparator.](_images/xqs1704994197793.png)<br><br>This comparator relies on identity information provided by the PingOne SSO service. Make sure this service is deployed in your environment before you use this comparator. |
| **In CIDR Block**<br>**Not In CIDR Block** | String | Checks whether a user's IP address is in (or not in) an IP subnet range. IPv4 and IPv6 addresses are supported.<br><br>To create a comparison:<br>1. Select an attribute that resolves to a valid IP address.<br>2. Select the **In CIDR Block** or **Not In CIDR Block** comparator.<br>3. Enter the IP address range as a constant or select an attribute that resolves to the IP address range.<br><br>You must express the IP address range in Classless Inter-Domain Routing (CIDR) notation (the bitmask indicates the size of the routing prefix): `IP address/bitmask`<br><br>For example, consider a condition that checks for IP addresses between 192.0.2.0 - 192.0.2.15. CIDR notation for this range is `192.0.2.0/28`. If the IP address attribute resolves to `192.0.2.1`, for example, the condition evaluates to `true`.<br><br>![Screen capture showing a condition comparing an IP address attribute to an IP address range in CIDR notation using the In CIDR Block comparator.](_images/bvv1685472423361.png)<br><br>For help expressing an IP address range in CIDR notation, use a CIDR calculator. |
| **Is In**<br>**Is Not In** | Collection<br>String | Checks whether a string or a collection is in (or not in) another collection.<br><br>For example, this condition evaluates to `true` if the requesting user's ID is in a collection of IDs representing a parent's dependent children.<br><br>![Screen capture showing a condition comparing a User ID attribute to a Dependents attribute using the Is In comparator.](_images/ioh1685472652086.png) |
| **Is Member Of**<br>**Is Not Member Of** | String | Checks whether the PingOne user requesting access to a resource is a member of (or not a member of) a PingOne group.<br><br>To check for group membership in a comparison:<br>1. Select the **PingOne.User.ID** attribute.<br>2. Select the **Is Member Of** or **Is Not Member Of** comparator.<br>3. Select a PingOne group. You can search for groups. As you enter a search query, the group list shows matching results.<br><br>For example, this condition evaluates to `true` if the user is a member of the `Admins` group.<br><br>![Screen capture showing a condition comparing a User ID attribute to a constant value of Admins using the Is Member Of comparator.](_images/zyb1685473565216.png)<br><br>These comparators rely on identity information provided by the PingOne SSO service. Make sure this service is deployed in your environment before you use these comparators. |
| **Regular Expression** | String | Checks whether a string matches a regular expression.<br><br>For example, this condition evaluates to `true` if the user's name starts with a capital letter and only contains letters. The regular expression being matched is `^[A-Z]+[a-zA-Z]*$`.<br><br>![Screen capture showing a condition comparing a Name attribute to a regular expression using the Regular Expression comparator.](_images/ydy1685473736685.png) |
| **Starts With**<br>**Does Not Start With** | String | Checks whether a value starts with (or doesn't start with) another value.<br><br>For example, this condition evaluates to `true` if the user's IP address starts with the network identifier `192`.<br><br>![Screen capture showing a condition comparing an IP address attribute to a constant value of 192 using the Starts With comparator.](_images/tun1685473892840.png) |
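
The following Python sketch is an added example, not PingOne code or part of the original documentation. It models a few of the comparators above together with the **All**, **Any**, and **None** options so you can check how a constant behaves against sample values before entering it in a condition. The attribute names, the sample request, and the `evaluate` helper are assumptions, as is **None** stopping at the first true condition (the page states early stopping only for **All** and **Any**).

```python
import ipaddress

def in_cidr_block(ip, cidr):
    """True if ip falls inside cidr; IPv4 and IPv6 both work, mixed versions give False."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

# Local models of comparators from the table (assumed semantics, not PingOne code).
COMPARATORS = {
    # str left side: substring match; collection left side: whole-element match.
    "Contains": lambda left, right: right in left,
    "Starts With": lambda left, right: left.startswith(right),
    "Equals": lambda left, right: left == right,
    "Greater Than Or Equal": lambda left, right: left >= right,
    "In CIDR Block": in_cidr_block,
}

def evaluate(combine, conditions, request, trace):
    """Evaluate (attribute, comparator, constant) conditions top to bottom.

    combine is "All", "Any" or "None". Each executed condition's attribute is
    appended to trace so that skipped conditions are visible.
    """
    for attribute, comparator, constant in conditions:
        trace.append(attribute)
        result = COMPARATORS[comparator](request[attribute], constant)
        if combine == "All" and not result:
            return False          # first false ends an All group
        if combine in ("Any", "None") and result:
            # first true ends an Any group; stopping here for None is an assumption
            return combine == "Any"
    return combine != "Any"       # All/None: nothing failed; Any: nothing matched

# Constructed sample decision request (hypothetical attribute names).
REQUEST = {
    "Roles string": "AssistantManager",
    "Roles collection": ["AssistantManager"],
    "IP Address": "192.0.2.200",
    "Payment Amount": 500,
}

def run_examples():
    out = {}
    for attr in ("Roles string", "Roles collection"):
        out[attr] = evaluate("All", [(attr, "Contains", "Manager")], REQUEST, [])
    out["prefix"] = evaluate("All", [("IP Address", "Starts With", "192")], REQUEST, [])
    out["cidr"] = evaluate("All", [("IP Address", "In CIDR Block", "192.0.2.0/28")], REQUEST, [])
    trace = []
    out["all"] = evaluate("All", [
        ("IP Address", "In CIDR Block", "192.0.2.0/28"),
        ("Payment Amount", "Greater Than Or Equal", 100),
    ], REQUEST, trace)
    out["executed"] = trace       # the payment condition never runs
    return out
```

The same role value matches `Manager` as a string but not as a collection element, and an address that passes **Starts With** `192` can still fall outside `192.0.2.0/28`, so choose the data type and comparator that express the intended boundary.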
