The gateway can apply authorization rules to incoming requests. These rules can be either:

  • Defined directly in a policies:authorization entry.
  • Defined here in the authorization section and referenced by name in a policies:authorization entry.

This entry defines authorization rules which can be referred to by name in a policies/authorization entry.

This entry is an array and can be used to specify multiple rules.

Rule Format

Authorization rules are composed of credential attributes and the following operators:

  logical operators        and, or, not
  multi-valued operators   any, all
  relational operators     =, !=, matches, >, >=, <, <=, exists

Parentheses can be used for controlling the order of evaluation.


  (any groupIds = "administrator")
      Match when the user is in the administrator group.

  (all authenticationLevels >= "2")
      Match when all credential authenticationLevels are at least level 2.

  (attribute_a matches "a(?:bc)*")
      Match when the value of the credential attribute "attribute_a" matches the regular expression.

  (level >= "2") and (any groupIds = "forbidden")
      Match when the credential attribute "level" is at least level 2 and the user is in the forbidden group.

  (not exists attribute_c)
      Match when the credential does not have an attribute named "attribute_c".

  (AZN_CRED_PRINCIPAL_NAME = "user_a")
      Match when the credential attribute "AZN_CRED_PRINCIPAL_NAME" is equal to "user_a".


  name   string   The name which will be given to this authorization rule.
  rule   string   The authorization rule. See the Rule Format table for a description of the expected format.


    - name: ruleA
      rule: (any groupIds = "administrator")
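
An added example, not part of the original page and not the gateway's own code: a Python model of the rule format above, for checking how a rule evaluates against a test credential before it is deployed. The precedence (not, then and, then or), whole-value regex matching, numeric ordering, mandatory quoted literals, the treatment of an absent attribute as a non-match, and the sample credential are all assumptions of this model, not documented gateway behaviour.

```python
import re

# Tokens: parentheses, quoted literals, relational operators, bare words.
TOKEN = re.compile(r'\s*(\(|\)|"[^"]*"|!=|>=|<=|=|>|<|[A-Za-z_][\w.-]*)')
RELATIONAL = {"=", "!=", "matches", ">", ">=", "<", "<="}
SAMPLE = {"groupIds": ["staff", "administrator"], "level": ["3"]}  # constructed

def compare(op, value, literal):
    if op == "matches":  # assumption: the whole attribute value must match
        return re.fullmatch(literal, value) is not None
    if op in ("=", "!="):
        return (value == literal) == (op == "=")
    a, b = float(value), float(literal)  # assumption: ordering is numeric
    return {">": a > b, ">=": a >= b, "<": a < b, "<=": a <= b}[op]

def evaluate(rule, cred):  # cred: dict of attribute name -> list of str
    if TOKEN.sub("", rule).strip():
        raise ValueError("unrecognised text in rule")
    toks = TOKEN.findall(rule)
    def take():
        return toks.pop(0) if toks else ""
    def atom():
        t = take()
        if t == "not":
            return not atom()
        if t == "(":
            value = expr()
            if take() != ")":
                raise ValueError("expected ')'")
            return value
        if t == "exists":
            return take() in cred
        quant, attr = (t, take()) if t in ("any", "all") else ("any", t)
        op, literal = take(), take()
        if op not in RELATIONAL or literal[:1] != '"':
            raise ValueError(f"malformed comparison on {attr!r}")
        hits = [compare(op, v, literal[1:-1]) for v in cred.get(attr, [])]
        # assumption: an absent attribute never matches, even under "all"
        return bool(hits) and (all(hits) if quant == "all" else any(hits))
    def expr(word="or"):  # assumption: "not" binds tightest, then "and", "or"
        operand = atom if word == "and" else (lambda: expr("and"))
        value = operand()
        while toks[:1] == [word]:
            take()
            value = operand() and value if word == "and" else operand() or value
        return value
    result = expr()
    if toks:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return result
```

In this model (not (all clearance >= "2")) is true for a credential that has no clearance attribute (a hypothetical name), so a negated rule is worth pairing with an exists check and testing against a credential that lacks the attribute.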