Include statements in rules and policies to perform additional processing as part of an authorization decision.
You can add statements to the policy as a whole and to individual rules, or you can pull in statement templates from the Library.
You can drag collapsed statements to rearrange them and change the order in which they are evaluated.
- Click a policy or add a new policy.
Do one of the following to add a statement.
- In the Statement section, click +Add Statement.
- From the Library on the Components tab, drag a statement template into the Statement section. Statements pulled in from the Library are read-only. To make changes to the statement, click the hamburger menu next to the Obligatory check box and select Replace with clone.
  Note: Changes you make to a clone don’t affect the template in the Library.
You can add statements to individual rules the same way that you add them to policies. To add a statement to a rule, click the hamburger menu next to the rule Name field and select Add Statement. Then click + Add Statement or drag a statement template from the Library to the Statement section in the rule.
- Enter a Name and an optional Description for the statement.
If the statement must be fulfilled as a condition of authorizing the decision request, select the Obligatory check box.
If the decision service can’t fulfill an obligatory statement, the decision evaluation fails and the decision service returns an error to the client application. When a non-obligatory advice statement can’t be fulfilled, the decision service logs an error and continues the decision evaluation.
Enter a statement Code to identify the type of
If you pulled in a statement template, use the default code populated from the template. Otherwise, enter your own code. For example, you can enter a code such as MFA_REQ or APPROVE to return a statement code to a DaVinci flow.
For more information about built-in statement codes and payloads, see Statement templates.
In the Create list, select the kinds of decisions produced by the policy or rule that will create the statement.
Statements can apply to permit, deny, or indeterminate decisions. Select When Applicable if the statement applies to any of these. This is the default option.
Tip: If you’re using a built-in statement in a policy that targets protected API services and operations, make sure you select On Permit. If the policy or rule produces a deny decision, built-in statements are not processed.
In the Attach to final decision list, select an option for how the statement propagates through the decision tree and whether it is returned in the overall decision response.
- When all decisions in path match: The statement is returned when the decision for the rule or policy with which the statement is associated matches all decisions in the path. For example, when the decision for the rule with which the statement is associated is permit, and all decisions in the path are permit, the statement is returned. This is the default option.
- When final decision matches "Create" condition: The statement is returned when the decision for the rule or policy with which the statement is associated matches the overall decision. For example, when the decision for the rule with which the statement is associated is permit, and the overall decision is permit, the statement is returned even if there are deny decisions in between.
- Always: The statement is always returned, unless there's an error in the associated decision.
In the Payload field, enter JSON parameters that govern
the actions that the decision point performs when it applies the
Payloads can include static or interpolated data and provide instructions for things such as filtering and transforming headers, query parameters, and request and response bodies. For payload examples, see Statement templates.
Tip: To experiment with JSONPath expressions, use a JSONPath evaluator, such as the JSONPath Online Evaluator.
- Optional: To include attributes relevant to the statement in the decision response, drag one or more attributes from the Components tab to the Attach field.
- Optional: To add the statement to the Library as a reusable component, click the hamburger menu next to the Obligatory check box and select Add to library.
- Click Save changes.
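The Create and Attach to final decision settings, and the obligatory versus advice behavior described above, can be modeled in a few lines. This is an added example, not product code: the mode names, the `None` marker for an error in the associated decision, and the `handlers` enforcement hooks are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Statement:
    code: str                 # e.g. MFA_REQ, the sample code used on this page
    create: str               # "permit", "deny", "indeterminate" or "when_applicable"
    attach: str               # "all_in_path", "final_matches_create" or "always"
    obligatory: bool = False

class DecisionError(Exception):
    """Raised when an obligatory statement cannot be fulfilled."""

def is_returned(stmt, path):
    """path[0]: decision of the rule or policy holding the statement;
    path[-1]: overall decision. None models an error in the associated decision."""
    own, final = path[0], path[-1]
    if own is None:
        return False
    if stmt.create not in ("when_applicable", own):
        return False                      # Create condition not met
    if stmt.attach == "always":
        return True
    if stmt.attach == "final_matches_create":
        return final == own               # decisions in between are ignored
    return all(d == own for d in path)    # default: every decision in the path matches

def fulfil(statements, handlers, log):
    """handlers maps a statement code to a callable (hypothetical enforcement hooks)."""
    for stmt in statements:
        try:
            handlers[stmt.code]()
        except Exception as exc:
            if stmt.obligatory:
                raise DecisionError(f"obligatory {stmt.code} not fulfilled") from exc
            log.append(f"advice {stmt.code} not fulfilled: {exc!r}")

def compare_modes(path, create="permit"):
    """Return {attach mode: returned?} for one constructed decision path."""
    modes = ("all_in_path", "final_matches_create", "always")
    return {m: is_returned(Statement("MFA_REQ", create, m), path) for m in modes}

if __name__ == "__main__":
    # Constructed paths: a deny in between, then a deny as the overall decision.
    print(compare_modes(["permit", "deny", "permit"]))
    print(compare_modes(["permit", "permit", "deny"]))
```

With a deny in the middle of the path, only the default option withholds the statement. With an overall deny, only Always still returns it, which matters when the statement carries a control such as an MFA requirement.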
To reuse a statement in other policies or rules, you can make a copy of it by selecting Make Copy from the hamburger menu of that statement. You can copy custom Library statements and statements in Library rules, but you cannot copy top-level, bootstrapped Library statements.
You can copy any Library statement at its point of use. If you copy a Library statement in a rule or policy, the copy displays at the point of use and on the Library tab.