Use conditions in PingOne Authorize attributes, rules, and policies to define authorization logic by
comparing one thing to another. Conditions evaluate to either true
or
false
.
You can compare attributes, constant values, and regular expressions in conditions. Conditions can also serve as targets that define when a policy or rule applies to a decision request. For example, you can target a rule so it applies when a payment amount is greater than or equal to a payment limit.
When you define a condition, on the left side, select an attribute that represents unknown or variable information to be validated. On the right side, enter known or predefined criteria in the form of an attribute or constant value. This keeps logical statements consistent regardless of what’s being compared.
You can add conditions directly to resolvers and rules or define them on the Conditions tab as reusable named conditions. You can drag collapsed conditions to change their order.
Condition comparators
You can use the following comparators in condition comparisons. For simplicity, the table groups logical comparator pairs together, but you can only use one comparator at a time in a condition.
Comparator | Supported data types | Description |
---|---|---|
Contains Does Not Contain |
Collection String |
Checks whether a string or collection contains (or doesn’t contain) another string. Use this comparator when you know part of a value that you want to check. For example, this condition evaluates to Note:
Matches for strings can differ from matches for collections.
For example, the string |
Ends With Does Not End With |
String |
Checks whether a string ends with (or doesn’t end with) another string. For example, this condition evaluates to |
Equals Does Not Equal |
Boolean Collection Date Date Time Duration JSON Number Period String Time XML Zoned Date Time |
Checks whether two values are equal (or not equal). For example, this condition evaluates to |
Greater Than Less Than |
Boolean Date Date Time Duration Number String Time Zoned Date Time |
Checks whether a value is greater than (or less than) another value. For example, this condition evaluates to |
Greater Than Or Equal Less Than Or Equal |
Boolean Date Date Time Duration Number String Time Zoned Date Time |
Checks whether a value is greater than or equal to (or less than or equal to) another value. For example, this
condition evaluates to |
In CIDR Block Not In CIDR Block |
String |
Checks whether a user’s IP address is in (or not in) an IP subnet range. IPv4 and IPv6 addresses are supported. To create a comparison:
You must express the IP address range in Classless Inter-Domain Routing (CIDR) notation (the bitmask indicates the size of the routing prefix):
For example, consider a condition that checks for IP addresses
between 192.0.2.0 - 192.0.2.15. CIDR notation for this range is
Tip:
For help expressing an IP address range in CIDR notation, use a CIDR calculator. |
Is In Is Not In |
Collection String |
Checks whether a string or a collection is in (or not in) another collection. For example, this condition evaluates to |
Is Member Of Is Not Member Of |
String |
Checks whether the PingOne user requesting access to a resource is a member of (or not a member of) a PingOne group. To check for group membership in a comparison:
For example, this condition evaluates to
Note:
These comparators rely on identity information provided by the PingOne SSO service. Make sure this service is deployed in your environment before you use these comparators. |
Regular Expression |
String |
Checks whether a string matches a regular expression. For example, this condition evaluates to |
Starts With Does Not Start With |
String |
Checks whether a value starts with (or doesn’t start with) another value. For example, this condition evaluates to |