You can use conditional targets to extend the capability of the "Applies to" concept when creating attribute-based access control (ABAC) rules and policies.
Conditional targets:
- Permit the interweaving of targets with other conditional logic.
- Allow standalone logic to determine if and when a policy or rule applies.
To enable this functionality, click Applies to and then When.
You can include the following types of conditions in a logical expression:
- Attribute comparison – Allows the comparison of an attribute with another attribute or with a constant.
- Request comparison – Allows the matching of incoming requests by answering questions like "Is the requested service equal to Banking.Payment?"
- Named condition – Click + Named Condition to show a Named Condition drop-down list that displays named conditions.
The following image provides an example. See Conditions for more information.
You can navigate conditions using the Up Arrow and the Down Arrow to move between members of a group or using the Left Arrow and Right Arrow to move in and out of nested groups.
You can reorder conditions by dragging the handles on the left. To reorder using the keyboard, press Tab to go to the condition, press Enter to select the condition, press the Up Arrow or Down Arrow to go to the desired location, and press Enter to drop the condition in the new location.
To switch between Attribute Comparison mode and Request Comparison mode, click A and R, respectively, to the left of the comparator.
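The three condition types listed above, combined in nested groups, form an expression tree that decides whether a policy or rule applies. The Python sketch below is an added example, not the policy editor's own code or storage format; the node shapes, the attribute names, the `OutsideBusinessHours` condition and the three-valued result are assumptions made for illustration.

```python
import operator

# Assumed model: node shapes and the three-valued result are this sketch's own.
OPS = {"equals": operator.eq, "not_equals": operator.ne,
       "greater_than": operator.gt, "less_than": operator.lt}

class Unresolved(Exception):
    """An attribute or named condition referenced by the target is missing."""

def operand(spec, attributes):
    kind, value = spec                      # ("attr", name) or ("const", literal)
    if kind == "const":
        return value
    if value not in attributes:
        raise Unresolved(value)
    return attributes[value]

def evaluate(node, request, attributes, named):
    kind = node["type"]
    if kind == "attribute":                 # attribute vs attribute, or vs constant
        left, right = (operand(node[s], attributes) for s in ("left", "right"))
        return OPS[node["op"]](left, right)
    if kind == "request":                   # e.g. "is the requested service X?"
        return request.get(node["field"]) == node["value"]
    if kind == "named":                     # reusable condition looked up by name
        if node["name"] not in named:
            raise Unresolved(node["name"])
        return evaluate(named[node["name"]], request, attributes, named)
    if kind in ("all", "any"):              # nested group; every member is evaluated
        results = [evaluate(m, request, attributes, named) for m in node["members"]]
        return all(results) if kind == "all" else any(results)
    raise ValueError(f"unknown condition type: {kind}")

def target_applies(target, request, attributes, named):
    """Return 'applies', 'not_applicable' or 'indeterminate'."""
    try:
        return "applies" if evaluate(target, request, attributes, named) else "not_applicable"
    except Unresolved:
        return "indeterminate"              # surface it; do not silently skip the policy

# Constructed sample: Banking.Payment requests over the limit or outside business hours.
NAMED = {"OutsideBusinessHours": {"type": "attribute", "op": "equals",
                                  "left": ("attr", "business_hours"), "right": ("const", False)}}
TARGET = {"type": "all", "members": [
    {"type": "request", "field": "service", "value": "Banking.Payment"},
    {"type": "any", "members": [
        {"type": "attribute", "op": "greater_than",
         "left": ("attr", "amount"), "right": ("attr", "daily_limit")},
        {"type": "named", "name": "OutsideBusinessHours"}]}]}
```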