Skip to main content
Version: 2.0.0

Building Conditions

Conditions for an ABAC Policy can be very complex. We can have many conditions in one group, and several groups working together to produce a rule. For both user sets and resource sets, conditions within a group are made up of attributes, attribute types and comparison operators. Multiples of these can be joined together by logical operators within each group. Groups can also be combined together with logical operators.

Condition Outline

Writing the API call payload, we start a condition definition by creating a key called conditions with an object as it's value.

"conditions": {}

Working with Logical Operators

Any of the logical operators below can be defined within the conditions object, where each of these take an array as a value. Within the array we define sub-conditions that are made up of attributes, attribute types and comparison operators.

allOf

The allOf operator only returns true if condition A AND B are true.

example

Only employees that are located in the US AND have a role of editor can have access to resource X.

"conditions": {
"allOf": [
...
]
}

anyOf

The anyOf operator only returns true if condition A OR condition B is true.

example

Only students with a maths score higher than 80% OR students with an average of 60% from all subjects can participate.

"conditions": {
"anyOf": [
...
]
}

not

The not operator returns the inverted result. If condition A is false, it will return true.

example

If we go ahead and make a statement that says:

"A user with the Editor role can only request changed to the document."

will be reflected as:

"An Editor can request changes to the document and any other available resources."

"conditions": {
"not": [
...
]
}
tip

It is important to note that when writing your conditions, you can either use the alias versions of the logical operators (allOf, anyOf), or the normal verbose version (and, or).

Working with Comparison Operators

There are many ways to go about defining conditions within groups. Let's look at some examples, ones that are valid, and others that are not. This will give you a good understanding of how conditions can be built and how complex they might get.

Logical-First Conditions

VALID

{
"allOf": [
{"subject.paying": {"equals": True}},
{
"anyOf": [
{"subject.role": {"equals": "editor"}},
{"subject.department": {"equals": "marketing"}},
]
},
{"environment.location": {"in": ["US", "Canada"]}},
]
}

INVALID

This version is invalid because the logical operator is invalid.

{
"all_of": [
{"subject.paying": {"equals": True}},
{
"any_of": [
{"subject.role": {"equals": "editor"}},
{"subject.department": {"equals": "marketing"}},
]
},
{"environment.location": {"in": ["US", "Canada"]}},
]
}

VALID

{
"allOf": [
{
"subject.time": {
"anyOf": [{"between": [9, 12]}, {"between": [13, 18]}]
}
},
{
"resource.weekday": {
"not": {"anyOf": [{"equals": "saturday"}, {"equals": "sunday"}]}
}
},
]
}

INVALID

This example is invalid because we specify the user.age to be between 15 and 18, but then set another condition to test for the age being greater than 48. This will throw an Unbound Error.

{
"or": [
{"user.age": {"between": [15, 18]}},
{"user.age": {"greater-than": 40}},
]
}

Attribute-First Conditions

VALID

{"subject.time": {"and": [{"between": [9, 12]}, {"equals": "13:00"}]}}

INVALID

This example is invalid because the conditional operator is invalid.

{
"user.age": {
"or": [
{"between": [15, 18]},
{"greater-than-unsupported": 40},
]
}
}

VALID

{
"user.age": {
"or": [
{"between": [15, 18]},
{"greater-than": 40},
]
}
}