Grant relationships conditionally
Relationships can be granted dynamically, based on a specified condition. To grant a relationship conditionally, the schemas of the two resources between which the relationship is created must be configured to support conditional association. Three schema properties are used for this:
conditionalAssociation
-
Boolean. This property is applied to the resourceCollection for the grantor of the relationship. For example, the members relationship on managed/realm-name_role specifies that there is a conditional association with the managed/realm-name_user resource:

    "resourceCollection" : [ {
        "notify" : true,
        "conditionalAssociation" : true,
        "path" : "managed/realm-name_user",
        "label" : "User",
        "query" : {
            "queryFilter" : "true",
            "fields" : [ "userName", "givenName", "sn" ]
        }
    } ]
conditionalAssociationField
-
String. This property is set on the resourceCollection of the grantee of the relationship and names the field, on the grantor resource, that is evaluated to decide whether the conditional relationship is granted. For example, the roles relationship on managed/realm-name_user specifies that the conditional association with managed/realm-name_role is defined by the condition field in managed/realm-name_role:

    "resourceCollection" : [ {
        "path" : "{managed_role}",
        "label" : "Role",
        "conditionalAssociationField" : "condition",
        "query" : {
            "queryFilter" : "true",
            "fields" : [ "name" ]
        }
    } ]

If you are using the default schema, the field name is usually condition, but it can be any field that evaluates a condition and is flagged as isConditional.
isConditional
-
Boolean. This property is applied to the field whose value is evaluated to decide whether membership in the relationship is granted. Only one field on a resource can be marked isConditional. For example, in the relationship between managed/realm-name_user and managed/realm-name_role, conditional membership is determined by the query filter held in the condition field of managed/realm-name_role:

    "condition" : {
        "description" : "A conditional filter for this role",
        "title" : "Condition",
        "viewable" : false,
        "searchable" : false,
        "isConditional" : true,
        "type" : "string"
    }
Conditions can refer both to properties and to virtual properties derived from other relationships, provided the query property has been configured. Conditions are a powerful tool for creating relationships between two objects dynamically; because the filter alone decides who holds the relationship, treat write access to the isConditional field (condition in the default schema) as equivalent to the ability to grant the role directly. An example of conditional relationships in use is covered in Grant a Role Based on a Condition.
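As an added worked example (not ForgeRock IDM code), the following Python script checks that the three schema properties above are set consistently, then evaluates a role's condition filter against a set of constructed users to show which of them would hold the role. The realm name alpha, the role and user records, and the filter evaluator are all assumptions; IDM's own query-filter language is larger than the subset parsed here (eq, co, sw, pr, and, or, !, parentheses and the literal true).

```python
"""Added example, not ForgeRock IDM code: checks the three schema properties
described above and evaluates a role's condition filter over candidate users.
Filter grammar is a small subset of IDM's query-filter language; data is constructed."""
import re

ROLE_SCHEMA = {"properties": {                       # grantor: managed/alpha_role (assumed realm)
    "condition": {"type": "string", "isConditional": True},
    "members": {"resourceCollection": [
        {"path": "managed/alpha_user", "conditionalAssociation": True}]}}}
USER_SCHEMA = {"properties": {                       # grantee: managed/alpha_user
    "roles": {"resourceCollection": [
        {"path": "managed/alpha_role", "conditionalAssociationField": "condition"}]}}}

def validate_conditional_schema(grantor, grantee, grantor_rel, grantee_rel):
    """Return a list of schema problems; empty means the three properties line up."""
    problems = []
    if not any(rc.get("conditionalAssociation")
               for rc in grantor["properties"][grantor_rel]["resourceCollection"]):
        problems.append(f"{grantor_rel}: no resourceCollection sets conditionalAssociation")
    fields = {rc.get("conditionalAssociationField")
              for rc in grantee["properties"][grantee_rel]["resourceCollection"]} - {None}
    if not fields:
        problems.append(f"{grantee_rel}: no resourceCollection names a conditionalAssociationField")
    flagged = [n for n, p in grantor["properties"].items() if p.get("isConditional")]
    if len(flagged) != 1:  # only one field per resource may be isConditional
        problems.append(f"grantor must flag exactly one isConditional field, found {flagged}")
    problems += [f"{f!r} is not flagged isConditional on the grantor" for f in fields - set(flagged)]
    return problems

TOKEN = re.compile(r'\s*(?:([()!])|(/[\w/]+)|"((?:[^"\\]|\\.)*)"|(\w+))')
def tokenize(text):
    out, pos, text = [], 0, text.strip()  # tokens are (kind, value): sym, ptr, str or word
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad filter near {text[pos:pos + 12]!r}")
        pos, (sym, ptr, string, word) = m.end(), m.groups()
        out.append(("sym", sym) if sym else ("ptr", ptr) if ptr else
                   ("str", string) if string is not None else ("word", word))
    return out

def parse_filter(text):
    """Recursive-descent parser; precedence or < and < ! < primary."""
    toks, pos = tokenize(text), [0]
    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else (None, None)
    def take(expect=None):
        tok = peek(); pos[0] += 1
        if expect is not None and tok != expect:
            raise ValueError(f"expected {expect[1]!r}, got {tok[1]!r}")
        return tok
    def binary(word, below):             # left-associative chain of and / or
        node = below()
        while peek() == ("word", word):
            take(); node = (word, node, below())
        return node
    def or_expr(): return binary("or", lambda: binary("and", not_expr))
    def not_expr():
        if peek() == ("sym", "!"):
            take(); return ("not", not_expr())
        kind, val = take()
        if (kind, val) == ("sym", "("):
            node = or_expr(); take(("sym", ")")); return node
        if (kind, val) in (("word", "true"), ("word", "false")):
            return ("bool", val == "true")
        if kind == "ptr":
            op = take()[1]
            if op == "pr": return ("pr", val)
            if op in ("eq", "co", "sw"): return (op, val, take()[1])
        raise ValueError(f"unexpected token {val!r}")
    node = or_expr()
    if pos[0] != len(toks): raise ValueError("trailing tokens in filter")
    return node

def lookup(obj, pointer):                # resolve /manager/userName style pointers; None if absent
    for part in pointer.strip("/").split("/"):
        obj = obj.get(part) if isinstance(obj, dict) else None
    return obj

def evaluate(node, obj):
    op = node[0]
    if op == "bool": return node[1]
    if op == "not": return not evaluate(node[1], obj)
    if op in ("and", "or"):
        left, right = evaluate(node[1], obj), evaluate(node[2], obj)
        return (left and right) if op == "and" else (left or right)
    value = lookup(obj, node[1])
    if op == "pr": return value is not None
    if value is None: return False       # an absent attribute never satisfies a comparison
    value, target = str(value), node[2]  # string comparison only, in this example
    return {"eq": value == target, "co": target in value, "sw": value.startswith(target)}[op]

def conditional_members(role, users, field="condition"):
    """userNames the role is granted to: those matching its conditionalAssociationField."""
    if not role.get(field):              # no condition set: nothing is granted conditionally
        return []
    ast = parse_filter(role[field])
    return [u["userName"] for u in users if evaluate(ast, u)]

ROLE = {"name": "engineering-oncall",    # constructed sample role and users
        "condition": '/accountStatus eq "active" and (/department eq "Engineering" or /title co "SRE")'}
USERS = [{"userName": "alice", "accountStatus": "active", "department": "Engineering"},
         {"userName": "bob", "accountStatus": "inactive", "department": "Engineering"},
         {"userName": "carol", "accountStatus": "active", "department": "Support", "title": "SRE lead"},
         {"userName": "dave", "accountStatus": "active"}]
```

validate_conditional_schema(ROLE_SCHEMA, USER_SCHEMA, "members", "roles") returns an empty list, and conditional_members(ROLE, USERS) returns ['alice', 'carol']: bob is excluded by accountStatus, dave because he has neither department nor title, since an absent attribute never satisfies a comparison. A condition of "true" grants the role to every user, which is why the condition field deserves the same protection as direct role assignment. Do not confuse it with the "queryFilter" : "true" inside the resourceCollection query shown above: that is the lookup filter used when searching the related resource, not the membership condition.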