Extend the policy service
You can extend the policy service by adding policies that are applied only under certain conditions.
Add conditional policy definitions
You can extend the policy service to support policies that are applied only under specific conditions. To apply a conditional policy to managed objects, add the policy to your project’s managed object schema. To apply a conditional policy to other objects, add it to your project’s policy configuration.
The following managed object configuration shows a sample conditional policy for the password
property of managed user objects. The policy indicates that sys-admin users have a more lenient password policy than regular employees:
{
"objects" : [
{
"name" : "user",
...
"properties" : {
...
"password" : {
"title" : "Password",
"type" : "string",
...
"conditionalPolicies" : [
{
"condition" : {
"type" : "text/javascript",
"source" : "(fullObject.org === 'sys-admin')"
},
"dependencies" : [ "org" ],
"policies" : [
{
"policyId" : "max-age",
"params" : {
"maxDays" : ["90"]
}
}
]
},
{
"condition" : {
"type" : "text/javascript",
"source" : "(fullObject.org === 'employees')"
},
"dependencies" : [ "org" ],
"policies" : [
{
"policyId" : "max-age",
"params" : {
"maxDays" : ["30"]
}
}
]
}
],
"fallbackPolicies" : [
{
"policyId" : "max-age",
"params" : {
"maxDays" : ["7"]
}
}
]
}
...
}
There are two distinct scripted conditions (defined in the condition
elements). The first condition asserts that the user object, contained in the fullObject
argument, is a member of the sys-admin
org. If that assertion is true, the max-age
policy is applied to the password
attribute of the user object, and the maximum number of days that a password may remain unchanged is set to 90
.
The second condition asserts that the user object is a member of the employees
org. If that assertion is true, the max-age
policy is applied to the password
attribute of the user object, and the maximum number of days that a password may remain unchanged is set to 30
.
In the event that neither condition is met (the user object is not a member of the sys-admin
org or the employees
org), an optional fallback policy can be applied. In this example, the fallback policy also references the max-age
policy and specifies that for such users, their password must be changed after 7 days.
The dependencies
field prevents the condition scripts from being run at all, if the user object does not include an org
attribute.