Condition
Syntax
{
"Condition": {
"Operator": "AND|OR",
"<condition_type>": {
"Operator": "AND|OR",
"<left_operand>": "<right_operand>",
...
},
...
}
}
Definition
Conditions in the JSON policy framework are incredibly powerful, offering the capability to apply conditionally statements or params. These conditions, evaluated at runtime, can dynamically incorporate variables from the application context, such as environment variables, user identity, and HTTP requests.
The primary function of conditions is to ascertain whether a given statement or parameter is applicable. This determination is achieved by assessing various types of conditions and yielding a singular boolean value of true when applicable.
While the framework inherently supports several condition types, it readily accommodates custom extensions. For further details, please refer to the How to register a custom condition type?.
To ensure clarity, the following terminology is utilized to delineate specific aspects of policy conditions:
- "Type" denotes the condition type, such as Equals, In, or Regex.
- "Operand" refers to either the left or right component of a condition pair within a group. For instance, in the provided condition sample, the left operand is
${USER.username}, and the right operand isjohnsmith.
{
"Condition": {
"Equals": {
"${USER.username}": "johnsmith"
}
}
}
- "Group" signifies a collection of conditions of the same type. An example is the "Like" group below:
{
"Condition": {
"Like": {
"${USER.email}": "*@gmail.com",
"${USER.fullname}": "John*"
}
}
}
The Condition property can include various condition types and, by default, they are assessed using the AND logical operator. Similarly, a conditional group might feature several defined conditions; however, they are typically evaluated using the OR logical operator by default.
Nevertheless, the logical operator for both can be modified using the designated Operator property, as detailed below.
Operator
- Type:
String - Supported Values:
AND,OR - Optional
The Operator attribute dictates the logical operator between condition types or within a specific group. If unspecified, the default operator is AND between condition types and OR within a specific group.
{
"Condition": {
"Operator": "OR",
"Equals": {
"${DATATIME.D}": "Mon"
},
"In": {
"${USER.user_email}": [
"admin@mydomain.com",
"editor@mydomain.com"
]
}
}
}
In the above condition, it evaluates to true if today is Monday or if the user's email address is either admin@mydomain.com or editor@mydomain.com.
Groups can comprise multiple conditions, where the default logical OR operator is applied. This allows for conditions like "If a user's first name starts with 'Ja' or the last name starts with 'Mor'". Nevertheless, the logical operator can be customized using the Operator attribute as well.
{
"Condition": {
"Operator": "OR",
"Like": {
"Operator": "AND",
"${USER.first_name}": "Ja*",
"${USER.last_name}": "Mor*"
},
"In": {
"${USER.status}": [
"pastdue",
"pending"
]
}
}
}
The above conditions verify if the user's first name starts with Ja and the last name starts with Mor, or if the user's status is either pastdue or pending.
Left Operand Naming Collision
Due to JSON document constraints, identical left operands within the same group are prohibited. For instance, the condition "If user's city equals London or Dubai" cannot be defined like this:
{
"Condition": {
"Equals": {
"${USER.city}": "London",
"${USER.city}": "Dubai"
}
}
}
When PHP parses this JSON, the above condition will choose the last city "Dubai" for the condition.
To address left operand naming collisions, define the right operand as an array of values:
{
"Condition": {
"Equals": {
"${USER.city}": [
"London",
"Dubai"
]
}
}
}
This approach is valid for any supported by AAM condition type. You can even do this for more complex conditions like Between or In.
{
"Condition": {
"In": {
"${ENV.WEBSITE_ENVIRONMENT}": [
[
"Test",
"Production"
],
[
"T",
"Prod"
]
]
}
}
}