Rules
authorization/rules[]
The gateway can apply authorization rules to incoming requests. These rules can be either:
- Defined directly in a policies:authorization entry.
- Defined here in the authorization section and referenced by name in a policies:authorization entry.
This entry defines authorization rules which can be referred to by name in a policies/authorization entry.
This entry is an array and can be used to specify multiple rules.
Rule Format
Authorization rules are composed of credential attributes and the following operators:
Name | Values |
---|---|
logical operators | and, or, not |
multi-valued operators | any, all |
relational operators | =, !=, matches, >, >=, <, <=, exists |
Parentheses can be used to control the order of evaluation.
Examples:
Rule | Description |
---|---|
(any groupIds = "administrator") | Match when the user is in the administrator group. |
(all authenticationLevels >= "2") | Match when all credential authenticationLevels are at least level 2. |
(attribute_a matches "a(?:bc)*") | Match when the value of the credential attribute "attribute_a" matches the regular expression. |
(level >= "2") and (any groupIds = "forbidden") | Match when the credential attribute "level" is at least level 2 and the user is in the forbidden group. |
(not exists attribute_c) | Match when the credential does not have an attribute named "attribute_c". |
(AZN_CRED_PRINCIPAL_NAME = "user_a") | Match when the credential attribute "AZN_CRED_PRINCIPAL_NAME" is equal to "user_a". |
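To make the operator table concrete, here is a small stand-alone parser and evaluator for rules in this format, run against a constructed credential. It is an added example for this page, not the gateway's own rule engine, and it makes a few assumptions that the page does not state: `not` binds tighter than `and`, which binds tighter than `or`; an attribute without `any`/`all` is treated like `any`; `matches` requires the regular expression to match the whole value; comparisons are numeric when both sides parse as numbers and lexical otherwise; and a comparison against an attribute the credential lacks is false (fail closed). The credential dictionary and every rule string below are either taken from the examples table above or constructed for the demonstration.

```python
import re
import operator

# Constructed sample credential (not from the page): attribute -> value or list of values
SAMPLE_CREDENTIAL = {
    "AZN_CRED_PRINCIPAL_NAME": "user_a",
    "groupIds": ["staff", "administrator"],
    "authenticationLevels": ["2", "3"],
    "attribute_a": "abcbc",
    "level": "3",
}

# Tokens: parentheses, double-quoted strings, relational operators, bare words
_TOKEN_RE = re.compile(
    r'\s*(?:(\()|(\))|"((?:[^"\\]|\\.)*)"|(!=|>=|<=|=|>|<)|([A-Za-z_][A-Za-z0-9_]*))')

_REL = {"=": operator.eq, "!=": operator.ne, ">": operator.gt,
        ">=": operator.ge, "<": operator.lt, "<=": operator.le}


def tokenize(rule):
    """Split a rule string into (kind, value) tokens; reject anything unrecognised."""
    pos, tokens = 0, []
    while pos < len(rule):
        m = _TOKEN_RE.match(rule, pos)
        if not m:
            if rule[pos:].strip() == "":
                break
            raise ValueError(f"unexpected input at offset {pos}: {rule[pos:pos + 10]!r}")
        pos = m.end()
        if m.group(1): tokens.append(("LPAREN", "("))
        elif m.group(2): tokens.append(("RPAREN", ")"))
        elif m.group(3) is not None: tokens.append(("STRING", m.group(3).replace('\\"', '"')))
        elif m.group(4): tokens.append(("OP", m.group(4)))
        else: tokens.append(("WORD", m.group(5)))
    return tokens


class _Parser:
    """Recursive-descent parser: or_expr > and_expr > unary (not / parens / predicate)."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None):
        k, v = self.peek()
        if kind and k != kind:
            raise ValueError(f"expected {kind}, got {v!r}")
        self.i += 1
        return v

    def parse(self):
        node = self.or_expr()
        if self.peek()[0] is not None:
            raise ValueError(f"trailing token {self.peek()[1]!r}")
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == ("WORD", "or"):
            self.take(); node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.unary()
        while self.peek() == ("WORD", "and"):
            self.take(); node = ("and", node, self.unary())
        return node

    def unary(self):
        k, v = self.peek()
        if (k, v) == ("WORD", "not"):
            self.take(); return ("not", self.unary())
        if k == "LPAREN":
            self.take(); node = self.or_expr(); self.take("RPAREN"); return node
        return self.predicate()

    def predicate(self):
        k, v = self.peek()
        if (k, v) == ("WORD", "exists"):
            self.take(); return ("exists", self.take("WORD"))
        quant = "any"  # assumption: an unquantified attribute behaves like "any"
        if k == "WORD" and v in ("any", "all"):
            quant = self.take()
        attr = self.take("WORD")
        k2, v2 = self.peek()
        if k2 == "OP" or (k2, v2) == ("WORD", "matches"):
            op = self.take()
        else:
            raise ValueError(f"expected operator after {attr!r}, got {v2!r}")
        return ("cmp", quant, attr, op, self.take("STRING"))


def _compare(actual, op, expected):
    """Apply one relational operator; numeric when both sides are numbers, else lexical."""
    if op == "matches":
        return re.fullmatch(expected, str(actual)) is not None  # assumption: whole-value match
    try:
        a, b = float(actual), float(expected)
    except (TypeError, ValueError):
        a, b = str(actual), str(expected)
    return _REL[op](a, b)


def evaluate(node, credential):
    kind = node[0]
    if kind == "and": return evaluate(node[1], credential) and evaluate(node[2], credential)
    if kind == "or": return evaluate(node[1], credential) or evaluate(node[2], credential)
    if kind == "not": return not evaluate(node[1], credential)
    if kind == "exists": return node[1] in credential
    _, quant, attr, op, expected = node
    if attr not in credential:
        return False  # fail closed: a missing attribute never satisfies a comparison
    values = credential[attr] if isinstance(credential[attr], (list, tuple)) else [credential[attr]]
    results = [_compare(v, op, expected) for v in values]
    return bool(results) and (all(results) if quant == "all" else any(results))


def rule_matches(rule, credential):
    """Parse and evaluate a rule string against a credential; raises ValueError on bad syntax."""
    return evaluate(_Parser(tokenize(rule)).parse(), credential)


if __name__ == "__main__":
    for r in ['(any groupIds = "administrator")', '(all authenticationLevels >= "2")',
              '(attribute_a matches "a(?:bc)*")', '(level >= "2") and (any groupIds = "forbidden")',
              '(not exists attribute_c)', '(AZN_CRED_PRINCIPAL_NAME = "user_a")']:
        print(f"{r:55} -> {rule_matches(r, SAMPLE_CREDENTIAL)}")
```

Two behaviours worth checking against the real gateway before relying on them: the numeric coercion (without it, `(level > "10")` would be true for `level = "3"` under lexical comparison), and the fail-closed handling of absent attributes, which is the safer default for an authorization check but must match what the product actually does.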
Properties
Name | Type | Constraints | Description |
---|---|---|---|
name | string | | The name which will be given to this authorization rule. |
rule | string | | The authorization rule. See the Rule Format table for a description of the expected format. |
Example
```yaml
authorization:
  rules:
    - name: ruleA
      rule: (any groupIds = "administrator")
```