Grant relationships conditionally
Relationships can be granted dynamically, based on a specified condition. In order to conditionally grant a relationship, the schemas for the resources you are creating a relationship between need to be configured to support conditional association. To do this, three fields in the schema are used:
conditionalAssociation-
Boolean. This property is applied to the
resourceCollectionfor the grantor of the relationship. For example, themembersrelationship onmanaged/rolespecifies that there is a conditional association with themanaged/userresource:"resourceCollection" : [ { "notify" : true, "conditionalAssociation" : true, "path" : "managed/user", "label" : "User", "query" : { "queryFilter" : "true", "fields" : [ "userName", "givenName", "sn" ] } } ] conditionalAssociationField-
This property is a string, specifying the field used to determine whether a conditional relationship is granted. The field is applied to the
resourceCollectionof the grantee of the relationship. For example, therolesrelationship onmanaged/userspecifies that the conditional association withmanaged/roleis defined by theconditionfield inmanaged/role:"resourceCollection" : [ { "path" : "managed/role", "label" : "Role", "conditionalAssociationField" : "condition", "query" : { "queryFilter" : "true", "fields" : [ "name" ] } } ]The field name specified will usually be
conditionif you are using default schema, but can be any field that evaluates a condition and has been flagged asisConditional. isConditional-
Boolean. This is applied to the field you wish to check to determine whether membership in a relationship is granted. Only one field on a resource can be marked as
isConditional. For example, in the relationship betweenmanaged/userandmanaged/role, conditional membership in the relationship is determined by the query filter specified in themanaged/roleconditionfield:"condition" : { "description" : "A conditional filter for this role", "title" : "Condition", "viewable" : false, "searchable" : false, "isConditional" : true, "type" : "string" }
Conditions support both properties and virtual properties derived from other relationships, if the query property has been configured. Conditions are a powerful tool for dynamically creating relationships between two objects. An example of conditional relationships in use is covered in Grant a Role Based on a Condition.