Include statements in rules and policies to perform additional processing as part of an authorization decision.
You can add statements to the policy as a whole and to individual rules, or you can pull in statement templates from the Library.
Some built-in statements require an API gateway integration and a policy or rule that targets an API service or custom operation.
You can drag collapsed statements to rearrange them and change the order in which they are evaluated.
- Go to add a new policy. , and click a policy or
Do one of the following to add a statement:
- In the Statement section, click +Add Statement.
- From the Library on the Components tab, drag a statement template into the Statement
Statements pulled in from the Library are read-only. To make changes to the statement, click the hamburger menu next to the Obligatory check box and select Replace with clone. Changes you make to a clone don’t affect the template in the Library.
You can add statements to individual rules the same way that you add them to policies. To add a statement to a rule, click the hamburger menu next to the rule Name field and select Add Statement. Then click + Add Statement, or drag a statement template from the Library to the Statement section in the rule.
- Enter a Name and an optional Description for the statement.
If the statement must be fulfilled as a condition of authorizing the decision request, select the Obligatory check box.
If the decision service can’t fulfill an obligatory statement, the decision evaluation fails and the decision service returns an error to the client application. When a non-obligatory advice statement can’t be fulfilled, the decision service logs an error and continues the decision evaluation.
Enter a statement Code to identify the type of
If you pulled in a statement template, use the default code populated from the template. Otherwise, enter your own code. For example, you can enter a code such as MFA_REQ or APPROVE to return a statement code to a DaVinci flow. For more information about built-in statement codes and payloads, see Statement templates.
In the Create list, select the kinds of decisions produced by the policy or rule that will create the statement.
Statements can apply to permit, deny, permit or deny, or indeterminate decisions. Select When Applicable if the statement applies to any of these. This is the default option.
Tip: If you’re using a built-in statement in a policy that targets protected API services and operations, make sure you select On Permit. If the policy or rule produces a deny decision, built-in statements are not processed.
In the Attach to final decision list, select an option for how the statement propagates through the decision tree and whether it is returned in the overall decision response.
- When all decisions in path match: The statement is returned when the decision for the rule or policy with which the statement is associated matches all decisions in the path. For example, when the decision for the rule with which the statement is associated is permit, and all decisions in the path are permit, the statement is returned. This is the default option.
- When final decision matches "Create" condition: The statement is returned when the decision for the rule or policy with which the statement is associated matches the overall decision. For example, when the decision for the rule with which the statement is associated is permit, and the overall decision is permit, the statement is returned even if there are deny decisions in between.
- Always: The statement is always returned, unless there's an error in the associated decision.
In the Payload field, enter JSON parameters that govern the actions that the decision point performs when it applies the
Payloads can include static or interpolated data and provide instructions for things such as filtering and transforming headers, query parameters, and request and response bodies. For payload examples, see Statement templates.
Tip: To experiment with JSONPath expressions, use the Jayway JSONPath Evaluator.
- Optional: To include attributes relevant to the statement in the decision response, drag one or more attributes from the Components tab to the Attach field.
- Optional: To add the statement to the Library as a reusable component, click the hamburger menu next to the Obligatory check box and select Add to library.
- Click Save changes.
When a statement is no longer needed, you can delete it by selecting Remove from the hamburger menu.
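The following added example (a simplified model, not code from the product or its documentation) shows how the Create and Attach to final decision settings in the steps above combine to decide whether a statement such as MFA_REQ reaches the client. The option keys, the `AUDIT` code, and the sample decision paths are constructed for illustration, and the model assumes that Always still requires the Create condition to be met.

```python
from dataclasses import dataclass

# Decisions that create a statement, keyed by model names (not console labels).
CREATE_ON = {
    "permit": {"PERMIT"},
    "deny": {"DENY"},
    "permit_or_deny": {"PERMIT", "DENY"},
    "indeterminate": {"INDETERMINATE"},
    "when_applicable": {"PERMIT", "DENY", "INDETERMINATE"},
}

@dataclass
class Statement:
    code: str
    create: str = "when_applicable"  # default per the page
    attach: str = "all_in_path"      # default per the page

def is_returned(stmt, path, own_error=False):
    """path lists decisions from the statement's own rule or policy (path[0])
    up to the overall decision (path[-1])."""
    own, final = path[0], path[-1]
    # Not created at all if the associated decision errored or does not
    # satisfy the Create condition (assumption: this also gates "always").
    if own_error or own not in CREATE_ON[stmt.create]:
        return False
    if stmt.attach == "always":
        return True
    if stmt.attach == "final_matches_create":
        return final == own  # decisions in between are ignored
    if stmt.attach == "all_in_path":
        return all(decision == own for decision in path)
    raise ValueError(f"unknown attach option: {stmt.attach}")

def returned_codes(statements, path):
    return [s.code for s in statements if is_returned(s, path)]

# Constructed statements: MFA_REQ and APPROVE are codes mentioned on the page.
STATEMENTS = [
    Statement("MFA_REQ", create="permit", attach="all_in_path"),
    Statement("APPROVE", create="permit", attach="final_matches_create"),
    Statement("AUDIT", create="when_applicable", attach="always"),
]

if __name__ == "__main__":
    # Rule permits, a policy in between denies, overall decision is permit.
    print(returned_codes(STATEMENTS, ["PERMIT", "DENY", "PERMIT"]))
    # Every decision in the path is permit.
    print(returned_codes(STATEMENTS, ["PERMIT", "PERMIT", "PERMIT"]))
```

In the first path the default attach option drops MFA_REQ even though the overall decision is permit, which is the case to check when a statement is meant to enforce a step-up requirement.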