The gateway can apply authorization rules to incoming requests. These rules can be either:
- Defined directly in a policies:authorization entry.
- Defined here in the authorization section and reference by name in a policies:authorization entry.
This entry defines authorization rules which can be referred to by name in a policies/authorization entry.
This entry is an array and can be used to specify multiple rules.
Authorization rules are composed of credential attributes and the following operators:
|logical operators||and, or, not|
|multi-valued operators||any, all|
|relational operators||=, !=, matches, >, >=, <, <=, exists|
Parenthesis can be used for controlling the order of evaluation.
|(any groupIds = "administrator")||Match when the user is in the administrator group.|
|(all authenticationLevels >= "2")||Match when all credential authenticationLevels are at least level 2.|
|(attribute_a matches "a(?:bc)*")||Match when the value of the credential attribute "attribute_a" matches the regular expression.|
|(level >= "2") and (any groupIds = "forbidden")||Match when the credential attribute "level" is at least level 2 and the user is in the forbidden group.|
|(not exists attribute_c)||Match when the credential does not have an attribute named "attribute_c".|
|(AZN_CRED_PRINCIPAL_NAME = "user_a")||Match when the credential attribute "AZN_CRED_PRINCIPAL_NAME" is equal to "user_a".|
|name||string||The name which will be given to this authorization rule.|
|rule||string||The authorization rule. See the Rule Format table for a description of the expected format.|
authorization: rules: - name: ruleA rule: (any groupIds = "administrator")
Updated about 2 years ago