An advice is additional information you can attach to a decision response.
An advice returns to the governance engine so that, depending on the evaluation response from the policy, PingAuthorize can take the appropriate action. For example, if you have a policy set up to verify the authentication level of a user and the policy evaluates that the user does not possess the required access privileges, PingAuthorize can send details about the reason for denying access.
To indicate that the final decision applies only if an advice can be fulfilled, mark the advice as Obligatory. Typically, the service that calls PingAuthorize Server handles this responsibility.
Each advice contains the following mandatory fields:
- Name – Human-readable label for reference in the Policy Manager
- Code – Identifier that distinguishes between different types of advice
- Applies To – Type of decision to which the advice is attached
If an advice applies, PingAuthorize uses it in the final response only if its origin decision contributes to the final result, that is, the decision agrees with every decision between its origin and the top-level policy or policy set.
Advice carries additional data in the form of payloads and attributes, as follows:
- The optional field Payload can consist of static or interpolated data.
- The Attributes field lets you return a key-value mapping of attributes that might be relevant to the advice.
You can reorder collapsed advices by dragging the handles on the left. To reorder using the keyboard, press Tab to go to the advice, press Enter to select the advice, press the Up Arrow or Down Arrow to go to the desired location, and then press Enter to drop the advice in the new location.
The following table identifies significant advice properties.

| Property | Description |
| --- | --- |
| Name | Friendly name for the advice. |
| Obligatory | If true, the advice must be fulfilled as a condition of authorizing the request. If PingAuthorize cannot fulfill an obligatory advice, it fails the operation and returns an error to the client application. If PingAuthorize cannot fulfill a non-obligatory advice, the server logs an error, but the client's requested operation continues. |
| Code | Identifies the advice type. This value corresponds to an advice ID that the PingAuthorize configuration defines. |
| Applies To | Specifies the policy decisions, such as deny, that include the advice with the policy |
| Payload | Set of parameters governing the actions that the advice performs when PingAuthorize applies the advice. The appropriate payload value depends on the advice type. |
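The obligatory and non-obligatory handling described above, sketched from the point of view of a service that enforces a decision response. This is an added example, not Ping Identity's code: the response shape, the advice codes `exclude-attributes` and `denied-reason`, and the simplified payloads are assumptions made for illustration.

```python
import logging

log = logging.getLogger("enforcement-point")

class ObligationFailed(Exception):
    """Raised when an obligatory advice cannot be fulfilled."""

def exclude_attributes(state, payload):
    # Simplified payload for this example: top-level field names to strip.
    for field in payload:
        state["body"].pop(field, None)

def denied_reason(state, payload):
    # Simplified payload for this example: status and message for the caller.
    state["error"] = {"status": payload["status"], "message": payload["message"]}

# Assumed advice codes mapped to the handlers this service implements.
HANDLERS = {"exclude-attributes": exclude_attributes,
            "denied-reason": denied_reason}

def enforce(decision_response, body):
    """Apply every advice, then return (allowed, body_or_error)."""
    state = {"body": dict(body),
             "error": {"status": 403, "message": "Access denied"}}
    for advice in decision_response.get("advice", []):
        code = advice.get("code")
        try:
            HANDLERS[code](state, advice.get("payload"))
        except Exception as exc:  # unknown code or handler failure
            if advice.get("obligatory", False):
                # Fail closed: the decision only holds if the advice is fulfilled.
                raise ObligationFailed(f"cannot fulfill advice {code!r}") from exc
            # Non-obligatory: record the failure and let the operation continue.
            log.error("skipping non-obligatory advice %r: %r", code, exc)
    if decision_response.get("decision") == "PERMIT":
        return True, state["body"]
    return False, state["error"]

# Constructed sample decision responses (not captured from a real server).
SAMPLE_PERMIT = {"decision": "PERMIT", "advice": [
    {"code": "exclude-attributes", "obligatory": True, "payload": ["ssn"]},
    {"code": "audit-note", "obligatory": False, "payload": "unhandled"}]}
SAMPLE_DENY = {"decision": "DENY", "advice": [
    {"code": "denied-reason", "obligatory": False,
     "payload": {"status": 403, "message": "Stronger authentication required"}}]}
SAMPLE_UNFULFILLABLE = {"decision": "PERMIT", "advice": [
    {"code": "audit-note", "obligatory": True, "payload": "unhandled"}]}
```

With `SAMPLE_UNFULFILLABLE`, the permit is never honored: the unhandled obligatory advice raises `ObligationFailed` before any data is released.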
PingAuthorize Server supports the following advice types:
- Add Filter
- Combine SCIM Search Authorizations
- Denied Reason
- Exclude Attributes
- Filter Response
- Include Attributes
- Modify Attributes
- Modify Headers
- Modify Query
- Modify SCIM Patch
- Regex Replace Attributes
To develop custom advice types, use the Server SDK.
Many statement types let you use the JSONPath expression language to specify JSON field paths. To experiment with JSONPath, use this JSONPath evaluator.