Policy rules power the fine-grained access control capability of PingAuthorize. Rules contain logical conditions that evaluate to true or false.
When you create a rule, you set the conditions and criteria that dictate when the rule applies and how the rule evaluates. The rule structure begins with the Applies to criteria, which define the conditions under which the rule applies.
Applies to
By default, rules target all requests with no conditions. You can leave these default criteria in place, if desired. You can also add targets, set a condition, or include a group of conditions. If the Applies to criteria are not met, the rule effect is Not Applicable.
The Applies to criteria are always enabled, whether shown or hidden. When there are Applies to criteria that are not met, the effect is always Not Applicable, regardless of which effect type is selected.
Effect
Whether you choose to change the Applies to criteria or not, you must give each rule one of the following effects:
- Permit
- Deny
- Permit if condition holds, otherwise deny
- Deny if condition holds, otherwise permit
If the Applies to criteria evaluate to true, the Permit and Deny effects cause the rule to permit or deny, respectively.
The following example includes an Applies to condition and a Permit effect:
- If the condition evaluates to true, the rule permits.
- If it evaluates to false, the effect is Not Applicable.
If the example included a Deny effect instead, the rule would deny when the Applies to condition evaluated to true.
To configure a rule to permit or deny based on how its Effect conditions evaluate, choose one of the following effect types:
- The Permit if condition holds, otherwise deny effect causes the rule to permit if the conditions are met and to deny if the conditions are not met.
- The Deny if condition holds, otherwise permit effect does the opposite, causing the rule to deny if the conditions are met and to permit if the conditions are not met.
Effect conditions are hidden until you select one of the if condition holds effect types.
- When a logical condition involves comparing two attributes, try to ensure the attributes have the same data type. Comparing different data types requires an implicit conversion that might not always yield the intended result.
- Just as with Trust Framework entities, you can check which entities depend on a policy or policy set.
The following example includes a Permit if condition holds, otherwise deny effect without any Applies to criteria:
- If the group Effect condition evaluates to true, the rule permits.
- If the group condition evaluates to false, the rule denies.
When there are no Applies to criteria, the rule always permits or denies.
Rules with conditional effects display two effect icons in the rule header. The icon for the if condition holds effect displays on the left and is larger than the icon for the otherwise effect.
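The following is an added, constructed model of the rule semantics described above (Applies to criteria checked first, then the selected effect type), not PingAuthorize code. It assumes a request is a flat attribute dictionary, that a group of conditions holds only when every condition holds, and that comparing attributes of different data types is reported rather than silently converted, which illustrates the data-type caveat noted earlier.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Any, Dict, List, Optional

# Constructed, illustrative model of PingAuthorize rule semantics; not the product's own code.


class Effect(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    PERMIT_IF = "Permit if condition holds, otherwise deny"
    DENY_IF = "Deny if condition holds, otherwise permit"


class Outcome(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "Not Applicable"


@dataclass
class Condition:
    """Compare two request attributes, e.g. Condition('user.dept', 'eq', 'resource.dept')."""
    left: str
    op: str  # 'eq' or 'ne' (assumed operator set for this example)
    right: str

    def holds(self, attrs: Dict[str, Any], warnings: List[str]) -> bool:
        a, b = attrs.get(self.left), attrs.get(self.right)
        # Strict typing: a mismatch such as "3" vs 3 never holds and is reported,
        # rather than being coerced implicitly and yielding a surprising result.
        if type(a) is not type(b):
            warnings.append(f"type mismatch: {self.left}={a!r} vs {self.right}={b!r}")
            return False
        return (a == b) if self.op == "eq" else (a != b)


@dataclass
class Rule:
    effect: Effect
    applies_to: List[Condition] = field(default_factory=list)  # empty = all requests
    effect_conditions: List[Condition] = field(default_factory=list)


def evaluate(rule: Rule, attrs: Dict[str, Any], warnings: Optional[List[str]] = None) -> Outcome:
    warnings = [] if warnings is None else warnings
    # Applies to criteria are checked first; if they are not met the rule is
    # Not Applicable regardless of which effect type is selected.
    if not all(c.holds(attrs, warnings) for c in rule.applies_to):
        return Outcome.NOT_APPLICABLE
    if rule.effect is Effect.PERMIT:
        return Outcome.PERMIT
    if rule.effect is Effect.DENY:
        return Outcome.DENY
    held = all(c.holds(attrs, warnings) for c in rule.effect_conditions)
    if rule.effect is Effect.PERMIT_IF:
        return Outcome.PERMIT if held else Outcome.DENY
    return Outcome.DENY if held else Outcome.PERMIT
```

Passing a list as `warnings` lets the caller see which comparisons failed on data type rather than on value, which is the case that is otherwise easy to misread as an ordinary Deny.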
Rule order
When a policy has multiple rules, rule order can affect the way the policy evaluates. You can reorder collapsed rules by dragging the handles on the left. To reorder rules using the keyboard, do the following:
- Press Tab to move the cursor to a rule. When the cursor is positioned on the entire rule, a blue box displays and the rule changes color to purple.
- Press Enter to select the rule. When a rule is selected, it changes color to dark green.
- Press the Up Arrow or Down Arrow to move the cursor to the desired location.
- Press Enter to drop the selected rule in the new location.