PingOne Advanced Identity Cloud

Grant relationships conditionally

Relationships can be granted dynamically, based on a specified condition. In order to conditionally grant a relationship, the schemas for the resources you are creating a relationship between need to be configured to support conditional association. To do this, three fields in the schema are used:

conditionalAssociation

Boolean. This property is applied to the resourceCollection for the grantor of the relationship. For example, the members relationship on managed/realm-name_role specifies that there is a conditional association with the managed/realm-name_user resource:

"resourceCollection" : [
  {
    "notify" : true,
    "conditionalAssociation" : true,
    "path" : "managed/realm-name_user",
    "label" : "User",
    "query" : {
      "queryFilter" : "true",
      "fields" : [
        "userName",
        "givenName",
        "sn"
      ]
    }
  }
]
conditionalAssociationField

String. This property specifies the field used to determine whether a conditional relationship is granted. The field is applied to the resourceCollection of the grantee of the relationship. For example, the roles relationship on managed/realm-name_user specifies that the conditional association with managed/realm-name_role is defined by the condition field in managed/realm-name_role.

"resourceCollection" : [
  {
    "path" : "{managed_role}",
    "label" : "Role",
    "conditionalAssociationField" : "condition",
    "query" : {
      "queryFilter" : "true",
      "fields" : [
        "name"
      ]
    }
  }
]
If you are using the default schema, the field name is usually the condition but can be any field that evaluates a condition and is flagged as isConditional.
isConditional

Boolean. This property is applied to the field to check whether membership in a relationship is granted. You can only mark one field on a resource as isConditional. For example, in the relationship between managed/realm-name_user and managed/realm-name_role, conditional membership in the relationship is determined by the query filter specified in the managed/realm-name_role condition field:

"condition" : {
  "description" : "A conditional filter for this role",
  "title" : "Condition",
  "viewable" : false,
  "searchable" : false,
  "isConditional" : true,
  "type" : "string"
}

Conditions support both properties and virtual properties derived from other relationships, if the query property has been configured. Conditions are a powerful tool for dynamically creating relationships between two objects. An example of conditional relationships in use is covered in Grant a Role Based on a Condition.

Copyright © 2010-2024 ForgeRock, all rights reserved.