---
title: Grant relationships conditionally
description: Relationships can be granted dynamically, based on a specified condition. In order to conditionally grant a relationship, the schemas for the resources you are creating a relationship between need to be configured to support conditional association. To do this, three fields in the schema are used:
component: pingoneaic
page_id: pingoneaic:idm-objects:conditional-relationships
canonical_url: https://docs.pingidentity.com/pingoneaic/idm-objects/conditional-relationships.html
keywords: ["Data Object Model", "Relationships"]
---

# Grant relationships conditionally

Relationships can be granted dynamically, based on a specified condition. To grant a relationship conditionally, the schemas of both resources in the relationship must be configured to support conditional association. Three schema fields control this:

* `conditionalAssociation`

  Boolean. This property is applied to the `resourceCollection` for the grantor of the relationship. For example, the `members` relationship on `managed/realm-name_role` specifies that there is a conditional association with the `managed/realm-name_user` resource:

  ```json
  "resourceCollection" : [
    {
      "notify" : true,
      "conditionalAssociation" : true,
      "path" : "managed/realm-name_user",
      "label" : "User",
      "query" : {
        "queryFilter" : "true",
        "fields" : [
          "userName",
          "givenName",
          "sn"
        ]
      }
    }
  ]
  ```

* `conditionalAssociationField`

  String. This property specifies the field used to determine whether a conditional relationship is granted. The field is applied to the `resourceCollection` of the grantee of the relationship. For example, the `roles` relationship on `managed/realm-name_user` specifies that the conditional association with `managed/realm-name_role` is defined by the `condition` field in `managed/realm-name_role`:

  ```json
  "resourceCollection" : [
    {
      "path" : "managed/realm-name_role",
      "label" : "Role",
      "conditionalAssociationField" : "condition",
      "query" : {
        "queryFilter" : "true",
        "fields" : [
          "name"
        ]
      }
    }
  ]
  ```

  If you are using the default schema, the field name is usually `condition`, but it can be any field that evaluates a condition and is flagged as `isConditional`.

* `isConditional`

  Boolean. This property is applied to the field that is checked to determine whether membership in a relationship is granted. You can mark only one field on a resource as `isConditional`. For example, in the relationship between `managed/realm-name_user` and `managed/realm-name_role`, conditional membership in the relationship is determined by the query filter specified in the `managed/realm-name_role` `condition` field:

  ```json
  "condition" : {
    "description" : "A conditional filter for this role",
    "title" : "Condition",
    "viewable" : false,
    "searchable" : false,
    "isConditional" : true,
    "type" : "string"
  }
  ```

Conditions support both properties and [virtual properties derived from other relationships](managed-object-virtual-properties.html#relationship-derived-virtual-properties), if the query property has been configured. Conditions are a powerful tool for dynamically creating relationships between two objects. An example of conditional relationships in use is covered in [Grant a Role Based on a Condition](roles-over-rest.html#conditional-role-grants).
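Because the three fields sit on different resources, a change to one side can leave a conditional grant misconfigured without the other side showing it. The following added example (not product code or a product validator) checks that the settings described above agree. It assumes a simplified, constructed layout of resource path to property definitions rather than the full managed object configuration format, and the function names are hypothetical.

```python
ROLE = "managed/realm-name_role"
USER = "managed/realm-name_user"

def sample_schema():
    """Constructed, simplified layout: resource path -> {property name: definition}."""
    return {
        ROLE: {
            "condition": {"type": "string", "isConditional": True},
            "members": {"resourceCollection": [
                {"path": USER, "conditionalAssociation": True}]},
        },
        USER: {
            "roles": {"resourceCollection": [
                {"path": ROLE, "conditionalAssociationField": "condition"}]},
        },
    }

def collections(props):
    """Yield every resourceCollection entry declared on one resource."""
    for prop in props.values():
        yield from prop.get("resourceCollection", [])

def lint(schema):
    """Return findings; an empty list means the three settings agree."""
    findings = []
    for path, props in schema.items():
        # Only one field per resource may be flagged isConditional.
        flagged = sorted(n for n, p in props.items() if p.get("isConditional") is True)
        if len(flagged) > 1:
            findings.append(f"{path}: more than one isConditional field {flagged}")
        for rc in collections(props):
            # Grantor side: a conditional association needs a condition field to evaluate.
            if rc.get("conditionalAssociation") is True and not flagged:
                findings.append(f"{path}: conditionalAssociation set but no isConditional field")
            field = rc.get("conditionalAssociationField")
            if field is None:
                continue
            # Grantee side: the named field must exist on the grantor and be flagged.
            grantor = schema.get(rc.get("path"), {})
            if grantor.get(field, {}).get("isConditional") is not True:
                findings.append(f"{path}: {rc.get('path')}.{field} is not flagged isConditional")
            if not any(g.get("path") == path and g.get("conditionalAssociation") is True
                       for g in collections(grantor)):
                findings.append(f"{path}: {rc.get('path')} has no conditionalAssociation back to it")
    return findings

if __name__ == "__main__":
    for line in lint(sample_schema()) or ["consistent"]:
        print(line)
```
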
