Conditions Reference
This chapter documents the conditions that the Guardian provides for configuring capabilities on roles. This is of interest to both app developers and Guardian admins who want to configure roles properly.
All conditions listed here are created in the guardian app’s builtin namespace. Therefore the identifier of any condition is guardian:builtin:condition_name, where condition_name is the name of the specific condition.
Note
Requests to the Authorization API supply both an old_target, the state of the target before a change, and a new_target, the state of the target after the change. In this document, conditions on the target apply only to the old_target.
- actor_does_not_have_role
Parameter name | Value type |
---|---|
role | ROLE (string) |
This condition applies if the actor does not have the role specified in the role parameter.
- no_targets
This condition applies if the authorization request does not contain a specific target.
- only_if_param_result_true
Parameter name | Value type |
---|---|
result | BOOLEAN |
This condition is included for testing and debugging purposes only and should not be used.
- target_does_not_have_role
Parameter name | Value type |
---|---|
role | ROLE (string) |
This condition applies if the target does not have the role specified in the role parameter.
- target_does_not_have_role_in_same_context
Parameter name | Value type |
---|---|
role | ROLE (string) |
This condition applies if the target does not have the role specified in the role parameter with the same context as the actor’s role currently being evaluated. For example, if the actor’s role is company:default:admin in the context DEPARTMENT1 and the role parameter is company:default:user, this condition would apply as long as the target does not have the role company:default:user with the context DEPARTMENT1.
- target_field_equals_actor_field
Parameter name | Value type |
---|---|
target_field | STRING |
actor_field | STRING |
This condition applies if the specified field of the actor and the specified field of the target have the same value.
- target_field_equals_value
Parameter name | Value type |
---|---|
field | STRING |
value | ANY |
This condition applies if the specified field of the target has the same value as specified in the value parameter.
- target_field_not_equals_value
Parameter name | Value type |
---|---|
field | STRING |
value | ANY |
This condition applies if the specified field of the target does not have the same value as specified in the value parameter.
- target_has_role
Parameter name | Value type |
---|---|
role | ROLE (string) |
This condition applies if the target has the role specified in the role parameter.
- target_has_role_in_same_context
Parameter name | Value type |
---|---|
role | ROLE (string) |
This condition applies if the target has the role specified in the role parameter with the same context as the actor’s role currently being evaluated. For example, if the actor’s role is company:default:admin in the context DEPARTMENT1 and the role parameter is company:default:user, this condition would apply as long as the target has the role company:default:user with the context DEPARTMENT1.
- target_has_same_context
This condition applies if any of the target’s roles have the same context as any of the actor’s roles.
- target_is_self
Parameter name | Value type |
---|---|
field | STRING |
This condition applies if the actor and the target are the same. By default, this is decided by comparing their id attribute. If the field parameter is specified, that field is used for identification instead.
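The role and context conditions above differ only in whether the context of the actor's role is taken into account, which matters when a capability is meant to be scoped to one department. The following added example (a simplified model, not Guardian's own code or data format) evaluates them for the company:default:admin / DEPARTMENT1 case described above. The Role class, the function signatures and the DEPARTMENT2 context are assumptions made for illustration.

```python
# Added illustration: a simplified model, not Guardian's own code or data format.
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    name: str     # e.g. "company:default:user"
    context: str  # e.g. "DEPARTMENT1" (this model only covers roles with a context)

def target_has_role(target_roles, role):
    # Context is ignored: any assignment of the role counts.
    return any(r.name == role for r in target_roles)

def target_has_role_in_same_context(actor_role, target_roles, role):
    # Compared against the context of the actor role currently being evaluated.
    return any(r.name == role and r.context == actor_role.context
               for r in target_roles)

def target_does_not_have_role_in_same_context(actor_role, target_roles, role):
    return not target_has_role_in_same_context(actor_role, target_roles, role)

def target_has_same_context(actor_roles, target_roles):
    # Any target role context matching any actor role context is enough.
    actor_contexts = {r.context for r in actor_roles}
    return any(r.context in actor_contexts for r in target_roles)

def evaluate(actor_role, target_roles, role):
    return {
        "target_has_role": target_has_role(target_roles, role),
        "target_has_role_in_same_context":
            target_has_role_in_same_context(actor_role, target_roles, role),
        "target_does_not_have_role_in_same_context":
            target_does_not_have_role_in_same_context(actor_role, target_roles, role),
        "target_has_same_context":
            target_has_same_context([actor_role], target_roles),
    }

# Constructed sample data, using the role and context names from the examples above.
ADMIN_D1 = Role("company:default:admin", "DEPARTMENT1")
USER = "company:default:user"
SAME_DEPARTMENT = [Role(USER, "DEPARTMENT1")]
OTHER_DEPARTMENT = [Role(USER, "DEPARTMENT2")]  # DEPARTMENT2 is a made-up context

if __name__ == "__main__":
    for label, roles in (("same", SAME_DEPARTMENT), ("other", OTHER_DEPARTMENT)):
        print(label, evaluate(ADMIN_D1, roles, USER))
```

For the target in DEPARTMENT2, target_has_role still applies while target_has_role_in_same_context does not, so a capability restricted with the context-free condition would also cover users outside the actor's department.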