Conditions Reference

This section documents the conditions that the Guardian provides for configuring capabilities on roles. It is of interest to both app developers and Guardian administrators who want to configure roles properly.

All conditions listed here come from the builtin namespace of the guardian app. Therefore, the identifier of any condition is guardian:builtin:condition_name, where condition_name is the name of the specific condition.

Important

Requests to the Authorization API supply both an old_target, the state of the target before a change, and a new_target, the state of the target after the change.

In this document, conditions on the target apply only to the old_target.

actor_does_not_have_role

| Parameter name | Value type |
| --- | --- |
| role | ROLE (string) |

This condition is true if the actor doesn’t have the role specified in the role parameter.

no_targets

This condition is true if the authorization request doesn’t contain a specific target.

only_if_param_result_true

| Parameter name | Value type |
| --- | --- |
| result | BOOLEAN |

Don’t use this condition. It exists for testing and debugging purposes only.

target_does_not_have_role

| Parameter name | Value type |
| --- | --- |
| role | ROLE (string) |

This condition is true if the target doesn’t have the role specified in the role parameter.

target_does_not_have_role_in_same_context

| Parameter name | Value type |
| --- | --- |
| role | ROLE (string) |

This condition is true if the target doesn’t have the role specified in the role parameter with the same context as the actor’s role currently under evaluation. For example, if the actor’s role is company:default:admin in the context DEPARTMENT1 and the role parameter is company:default:user, this condition would be true as long as the target doesn’t have the role company:default:user with the context DEPARTMENT1.

target_field_equals_actor_field

| Parameter name | Value type |
| --- | --- |
| target_field | STRING |
| actor_field | STRING |

This condition is true if the specified field of the actor and the specified field of the target have the same value.

target_field_equals_value

| Parameter name | Value type |
| --- | --- |
| field | STRING |
| value | ANY |

This condition is true if the specified field of the target has the same value as specified in the value parameter.

target_field_not_equals_value

| Parameter name | Value type |
| --- | --- |
| field | STRING |
| value | ANY |

This condition is true if the specified field of the target doesn’t have the same value as specified in the value parameter.

target_has_role

| Parameter name | Value type |
| --- | --- |
| role | ROLE (string) |

This condition is true if the target has the role specified in the role parameter.

target_has_role_in_same_context

| Parameter name | Value type |
| --- | --- |
| role | ROLE (string) |

This condition is true if the target has the role specified in the role parameter with the same context as the actor’s role currently under evaluation. For example, if the actor’s role is company:default:admin in the context DEPARTMENT1 and the role parameter is company:default:user, this condition would be true as long as the target has the role company:default:user with the context DEPARTMENT1.

target_has_same_context

This condition is true if any of the target’s roles have the same context as any of the actor’s roles.

target_is_self

| Parameter name | Value type |
| --- | --- |
| field | STRING |

This condition is true if the actor and the target are the same. By default, this is determined by comparing their id attribute. If the field parameter is specified, that field is used for identification instead.
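The following Python sketch is an added example, not Guardian's own code. It models the three context-related conditions (target_has_role_in_same_context, target_does_not_have_role_in_same_context and target_has_same_context) and shows that only old_target is consulted. The Assignment class, the request dictionaries and evaluate_all are assumptions made for illustration.

```python
# Illustrative model only; the data shapes are assumptions, not Guardian's API.
from dataclasses import dataclass

@dataclass(frozen=True)
class Assignment:
    role: str       # e.g. "company:default:admin"
    context: str    # e.g. "DEPARTMENT1"

def target_has_role_in_same_context(actor_role, request, role):
    # Only the pre-change state (old_target) is consulted.
    return Assignment(role, actor_role.context) in request["old_target"]["roles"]

def target_does_not_have_role_in_same_context(actor_role, request, role):
    return not target_has_role_in_same_context(actor_role, request, role)

def target_has_same_context(actor_roles, request):
    # True if any target role shares a context with any actor role.
    actor_contexts = {a.context for a in actor_roles}
    return any(t.context in actor_contexts for t in request["old_target"]["roles"])

# Constructed sample data, following the example in the text.
ADMIN_D1 = Assignment("company:default:admin", "DEPARTMENT1")
USER = "company:default:user"

# The change moves the target from DEPARTMENT1 to DEPARTMENT2.
move_out = {
    "old_target": {"roles": [Assignment(USER, "DEPARTMENT1")]},
    "new_target": {"roles": [Assignment(USER, "DEPARTMENT2")]},
}
# The change moves the target from DEPARTMENT2 into DEPARTMENT1.
move_in = {
    "old_target": {"roles": [Assignment(USER, "DEPARTMENT2")]},
    "new_target": {"roles": [Assignment(USER, "DEPARTMENT1")]},
}

def evaluate_all(request):
    # Evaluate each condition for the actor role admin in DEPARTMENT1.
    return {
        "has_role_in_same_context": target_has_role_in_same_context(ADMIN_D1, request, USER),
        "does_not_have_role_in_same_context": target_does_not_have_role_in_same_context(ADMIN_D1, request, USER),
        "has_same_context": target_has_same_context([ADMIN_D1], request),
    }

if __name__ == "__main__":
    for name, req in (("move_out", move_out), ("move_in", move_in)):
        print(name, evaluate_all(req))
```

In this model the move_out request satisfies target_has_role_in_same_context even though new_target ends up in DEPARTMENT2, because the conditions read old_target only. When reviewing a role, check whether the resulting state of the target also needs to be constrained.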