Conditions Reference

This chapter documents the conditions that the Guardian provides for configuring capabilities on roles. It is of interest to both app developers and Guardian admins who want to configure roles properly.

All conditions listed here are created in the guardian app’s builtin namespace. Therefore the identifier of any condition is guardian:builtin:condition_name, where condition_name is the name of the specific condition.

Note

Requests to the Authorization API supply both an old_target, the state of the target before a change, and a new_target, the state of the target after the change.

In this document, conditions on the target apply only to the old_target.

actor_does_not_have_role

| Parameter name | Value type |
| --- | --- |
| role | ROLE (string) |

This condition applies if the actor does not have the role specified in the role parameter.

no_targets

This condition applies if the authorization request does not contain a specific target.

only_if_param_result_true

| Parameter name | Value type |
| --- | --- |
| result | BOOLEAN |

This condition is included for testing and debugging purposes only and should not be used.

target_does_not_have_role

| Parameter name | Value type |
| --- | --- |
| role | ROLE (string) |

This condition applies if the target does not have the role specified in the role parameter.

target_does_not_have_role_in_same_context

| Parameter name | Value type |
| --- | --- |
| role | ROLE (string) |

This condition applies if the target does not have the role specified in the role parameter with the same context as the actor’s role currently being evaluated. For example, if the actor’s role is company:default:admin in the context DEPARTMENT1 and the role parameter is company:default:user, this condition would apply as long as the target does not have the role company:default:user with the context DEPARTMENT1.

target_field_equals_actor_field

| Parameter name | Value type |
| --- | --- |
| target_field | STRING |
| actor_field | STRING |

This condition applies if the specified field of the actor and the specified field of the target have the same value.

target_field_equals_value

| Parameter name | Value type |
| --- | --- |
| field | STRING |
| value | ANY |

This condition applies if the specified field of the target has the same value as specified in the value parameter.

target_field_not_equals_value

| Parameter name | Value type |
| --- | --- |
| field | STRING |
| value | ANY |

This condition applies if the specified field of the target does not have the same value as specified in the value parameter.

target_has_role

| Parameter name | Value type |
| --- | --- |
| role | ROLE (string) |

This condition applies if the target has the role specified in the role parameter.

target_has_role_in_same_context

| Parameter name | Value type |
| --- | --- |
| role | ROLE (string) |

This condition applies if the target has the role specified in the role parameter with the same context as the actor’s role currently being evaluated. For example, if the actor’s role is company:default:admin in the context DEPARTMENT1 and the role parameter is company:default:user, this condition would apply as long as the target has the role company:default:user with the context DEPARTMENT1.

target_has_same_context

This condition applies if any of the target’s roles have the same context as any of the actor’s roles.
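How target_has_role, target_has_role_in_same_context and target_has_same_context differ, and what evaluating against old_target only means for a request that changes the target's context, as an added Python sketch. It is not Guardian's implementation: the Entity class, the (role, context) tuple model, the function signatures, the company:default:guest role and the sample actors and targets are assumptions constructed for illustration.

```python
# Added illustration, not Guardian code. Assumption: each role assignment is
# a (role, context) tuple with a context always set.
from dataclasses import dataclass

@dataclass(frozen=True)
class Entity:
    id: str
    roles: frozenset  # of (role, context) tuples

def target_has_role(target, role):
    """Applies if the target has the role, in any context."""
    return any(r == role for r, _ in target.roles)

def target_has_role_in_same_context(actor_role, target, role):
    """Applies if the target has the role in the context of the actor's
    role currently being evaluated (one (role, context) tuple)."""
    return (role, actor_role[1]) in target.roles

def target_has_same_context(actor, target):
    """Applies if any target role shares a context with any actor role."""
    actor_contexts = {c for _, c in actor.roles}
    return any(c in actor_contexts for _, c in target.roles)

def evaluate(actor, actor_role, old_target, new_target, role):
    """Conditions read old_target only; new_target is deliberately ignored."""
    return {
        "target_has_role": target_has_role(old_target, role),
        "target_has_role_in_same_context":
            target_has_role_in_same_context(actor_role, old_target, role),
        "target_has_same_context": target_has_same_context(actor, old_target),
    }

# Constructed sample data, using the role names from this page's example.
ADMIN = ("company:default:admin", "DEPARTMENT1")
USER = "company:default:user"
actor = Entity("alice", frozenset({ADMIN}))
# Request that moves bob from DEPARTMENT2 into the admin's DEPARTMENT1.
bob_old = Entity("bob", frozenset({(USER, "DEPARTMENT2")}))
bob_new = Entity("bob", frozenset({(USER, "DEPARTMENT1")}))
# dave shares the admin's context but holds a different (hypothetical) role.
dave = Entity("dave", frozenset({("company:default:guest", "DEPARTMENT1")}))

if __name__ == "__main__":
    print(evaluate(actor, ADMIN, bob_old, bob_new, USER))
    print(evaluate(actor, ADMIN, bob_new, bob_new, USER))
    print(evaluate(actor, ADMIN, dave, dave, USER))
```

In this sketch a capability gated only on target_has_role would apply to bob while he is still in DEPARTMENT2, whereas the same-context variant applies only once the old state already places him in DEPARTMENT1.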

target_is_self

| Parameter name | Value type |
| --- | --- |
| field | STRING |

This condition applies if the actor and the target are the same. By default, this is decided by comparing their id attribute. If the field parameter is specified, that field is used for identification instead.