Condition
Syntax
{
"Condition": {
"Operator": "AND|OR",
"<condition_type>": {
"Operator": "AND|OR",
"<left_operand>": "<right_operand>",
...
},
...
}
}
Definition
Conditions in the JSON policy framework are incredibly powerful, offering the capability to apply conditionally statements or params. These conditions, evaluated at runtime, can dynamically incorporate variables from the application context, such as environment variables, user identity, and HTTP requests.
The primary function of conditions is to ascertain whether a given statement or parameter is applicable. This determination is achieved by assessing various types of conditions and yielding a singular boolean value of true when applicable.
While the framework inherently supports several condition types, it readily accommodates custom extensions. For further details, please refer to the How to register a custom condition type?.
To ensure clarity, the following terminology is utilized to delineate specific aspects of policy conditions:
- "Type" denotes the condition type, such as Equals, In, or Regex.
- "Operand" refers to either the left or right component of a condition pair within a group. For instance, in the provided condition sample, the left operand is
${USER.username}
, and the right operand isjohnsmith
.
{
"Condition": {
"Equals": {
"${USER.username}": "johnsmith"
}
}
}
- "Group" signifies a collection of conditions of the same type. An example is the "Like" group below:
{
"Condition": {
"Like": {
"${USER.email}": "*@gmail.com",
"${USER.fullname}": "John*"
}
}
}
The Condition
property can include various condition types and, by default, they are assessed using the AND
logical operator. Similarly, a conditional group might feature several defined conditions; however, they are typically evaluated using the OR
logical operator by default.
Nevertheless, the logical operator for both can be modified using the designated Operator
property, as detailed below.
Operator
- Type:
String
- Supported Values:
AND
,OR
- Optional
The Operator
attribute dictates the logical operator between condition types or within a specific group. If unspecified, the default operator is AND
between condition types and OR
within a specific group.
{
"Condition": {
"Operator": "OR",
"Equals": {
"${DATATIME.D}": "Mon"
},
"In": {
"${USER.user_email}": [
"admin@mydomain.com",
"editor@mydomain.com"
]
}
}
}
In the above condition, it evaluates to true if today is Monday
or if the user's email address is either admin@mydomain.com
or editor@mydomain.com
.
Groups can comprise multiple conditions, where the default logical OR
operator is applied. This allows for conditions like "If a user's first name starts with 'Ja' or the last name starts with 'Mor'". Nevertheless, the logical operator can be customized using the Operator
attribute as well.
{
"Condition": {
"Operator": "OR",
"Like": {
"Operator": "AND",
"${USER.first_name}": "Ja*",
"${USER.last_name}": "Mor*"
},
"In": {
"${USER.status}": [
"pastdue",
"pending"
]
}
}
}
The above conditions verify if the user's first name starts with Ja
and the last name starts with Mor
, or if the user's status is either pastdue
or pending
.
Left Operand Naming Collision
Due to JSON document constraints, identical left operands within the same group are prohibited. For instance, the condition "If user's city equals London or Dubai" cannot be defined like this:
{
"Condition": {
"Equals": {
"${USER.city}": "London",
"${USER.city}": "Dubai"
}
}
}
When PHP parses this JSON, the above condition will choose the last city "Dubai" for the condition.
To address left operand naming collisions, define the right operand as an array of values:
{
"Condition": {
"Equals": {
"${USER.city}": [
"London",
"Dubai"
]
}
}
}
This approach is valid for any supported by AAM condition type. You can even do this for more complex conditions like Between or In.
{
"Condition": {
"In": {
"${ENV.WEBSITE_ENVIRONMENT}": [
[
"Test",
"Production"
],
[
"T",
"Prod"
]
]
}
}
}