Rules
authorization/rules[]
The gateway can apply authorization rules to incoming requests. These rules can be either:
- Defined directly in a policies:authorization entry.
- Defined here in the authorization section and reference by name in a policies:authorization entry.
This entry defines authorization rules which can be referred to by name in a policies/authorization entry.
This entry is an array and can be used to specify multiple rules.
Rule Format
Authorization rules are composed of credential attributes and the following operators:
| Name | Values |
|---|---|
| logical operators | and, or, not |
| multi-valued operators | any, all |
| relational operators | =, !=, matches, >, >=, <, <=, exists |
Parenthesis can be used for controlling the order of evaluation.
Examples:
| Rule | Description |
|---|---|
| (any groupIds = "administrator") | Match when the user is in the administrator group. |
| (all authenticationLevels >= "2") | Match when all credential authenticationLevels are at least level 2. |
| (attribute_a matches "a(?:bc)*") | Match when the value of the credential attribute "attribute_a" matches the regular expression. |
| (level >= "2") and (any groupIds = "forbidden") | Match when the credential attribute "level" is at least level 2 and the user is in the forbidden group. |
| (not exists attribute_c) | Match when the credential does not have an attribute named "attribute_c". |
| (AZN_CRED_PRINCIPAL_NAME = "user_a") | Match when the credential attribute "AZN_CRED_PRINCIPAL_NAME" is equal to "user_a". |
Properties
| Name | Type | Constraints | Description |
|---|---|---|---|
| name | string | The name which will be given to this authorization rule. | |
| rule | string | The authorization rule. See the Rule Format table for a description of the expected format. |
Example
authorization:
rules:
- name: ruleA
rule: (any groupIds = "administrator")
Updated about 2 years ago