You can compare attributes, constant values, and regular expressions in conditions. Conditions can also serve as targets that define when a policy or rule applies to a decision request. For example, you can target a rule so it applies when a payment amount is greater than or equal to a payment limit.

Screen capture showing a condition comparing a Payment Amount attribute to a Payment Limit attribute using the Greater Than Or Equal comparator.

When you define a condition, on the left side, select an attribute that represents unknown or variable information to be validated. On the right side, enter known or predefined criteria in the form of an attribute or constant value. This keeps logical statements consistent regardless of what’s being compared.

You can add conditions directly to resolvers and rules or define them on the Conditions tab as reusable named conditions. You can drag collapsed conditions to change their order.

Condition comparators

You can use the following comparators in condition comparisons. For simplicity, the table groups logical comparator pairs together, but you can only use one comparator at a time in a condition.

Comparator Supported data types Description

Contains

Does Not Contain

Collection

String

Checks whether a string or collection contains (or doesn’t contain) another string. Use this comparator when you know part of a value that you want to check.

For example, this condition evaluates to true if the user roles attribute contains the string Manager.

Screen capture showing a condition comparing a Roles attribute to a constant value of Manager using the Contains comparator.
Note:

Matches for strings can differ from matches for collections. For example, the string 1234 contains the constant 23, but the collection [1234] does not contain this constant. One possible matching collection for the constant 23 is [21, 22, 23].

Ends With

Does Not End With

String

Checks whether a string ends with (or doesn’t end with) another string.

For example, this condition evaluates to true if the user’s email address ends with the domain example.com.

Screen capture showing a condition comparing a Game player email address attribute to a constant value of example.com using the Ends With comparator.

Equals

Does Not Equal

Boolean

Collection

Date

Date Time

Duration

JSON

Number

Period

String

Time

XML

Zoned Date Time

Checks whether two values are equal (or not equal).

For example, this condition evaluates to true if an anonymous network is detected.

Screen capture showing a condition comparing an Anonymous Network Detected attribute to a constant value of true using the Equals comparator.

Greater Than

Less Than

Boolean

Date

Date Time

Duration

Number

String

Time

Zoned Date Time

Checks whether a value is greater than (or less than) another value.

For example, this condition evaluates to true if a payment amount is greater than a deposit limit.

Screen capture showing a condition comparing a Payment Amount attribute to a Deposit Limit attribute using the Greater Than comparator.

Greater Than Or Equal

Less Than Or Equal

Boolean

Date

Date Time

Duration

Number

String

Time

Zoned Date Time

Checks whether a value is greater than or equal to (or less than or equal to) another value.

For example, this condition evaluates to true if a payment amount is greater than or equal to a payment limit.

Screen capture showing a condition comparing a Payment Amount attribute to a Payment Limit attribute using the Greater Than Or Equal comparator.

In CIDR Block

Not In CIDR Block

String

Checks whether a user’s IP address is in (or not in) an IP subnet range. IPv4 and IPv6 addresses are supported.

To create a comparison:

  1. Select an attribute that resolves to a valid IP address.
  2. Select the In CIDR Block or Not In CIDR Block comparator.
  3. Enter the IP address range as a constant or select an attribute that resolves to the IP address range.

You must express the IP address range in Classless Inter-Domain Routing (CIDR) notation (the bitmask indicates the size of the routing prefix):

IP address/bitmask

For example, consider a condition that checks for IP addresses between 192.0.2.0 - 192.0.2.15. CIDR notation for this range is 192.0.2.0/28. If the IP address attribute resolves to 192.0.2.1, for example, the condition evaluates to true.

Screen capture showing a condition comparing an IP address attribute to an IP address range in CIDR notation using the In CIDR Block comparator.
Tip:

For help expressing an IP address range in CIDR notation, use a CIDR calculator.

Is In

Is Not In

Collection

String

Checks whether a string or a collection is in (or not in) another collection.

For example, this condition evaluates to true if the requesting user’s ID is in a collection of IDs representing a parent’s dependent children.

Screen capture showing a condition comparing a Uesr ID attribute to a Dependents attribute using the Is In comparator.

Is Member Of

Is Not Member Of

String

Checks whether the PingOne user requesting access to a resource is a member of (or not a member of) a PingOne group.

To check for group membership in a comparison:

  1. Select the PingOne.User.ID attribute.
  2. Select the Is Member Of or Is Not Member Of comparator.
  3. Select a PingOne group. You can search for groups. As you enter a search query, the group list shows matching results.

For example, this condition evaluates to true if the user is a member of the Admins group.

Screen capture showing a condition comparing a User ID attribute to a constant value of Admins using the Is Member Of comparator.
Note:

These comparators rely on identity information provided by the PingOne SSO service. Make sure this service is deployed in your environment before you use these comparators.

Regular Expression

String

Checks whether a string matches a regular expression.

For example, this condition evaluates to true if the user’s name starts with a capital letter and only contains letters. The regular expression being matched is ^[A-Z]+[a-zA-Z]*$.

Screen capture showing a condition comparing a Name attribute to a regular expression using the Regular Expression comparator.

Starts With

Does Not Start With

String

Checks whether a value starts with (or doesn’t start with) another value.

For example, this condition evaluates to true if the user’s IP address starts with the network identifier 192.

Screen capture showing a condition comparing an IP address attribute to a constant value of 192 using the Starts With comparator.