With the release of PingAccess we have introduced rule types that enable the Groovy scripting language to be used for rule development beyond the capabilities of packaged rule sets.
Groovy provides a powerful tool to solve policy requirements that cannot be solved with one of the other rules in PingAccess. In this article I am going to show you how to invoke other rules in a Groovy script, for example to build an OR condition.
The existing rules in PingAccess provide a rich set of rule types that can solve many problems. I expect this list of rules to grow as our Engineering team at Ping adds more features in future releases.
The following example is for a use case where I want to allow access to a particular application if the user is a member of one of two groups. This is basically an OR condition that in pseudocode would look like:
if member of Sales group or member of Executive group
then allow access
else deny access
In Groovy script we would write this by using the Web Session Attribute rule, creating a script as follows:
The first parameter is the name of the attribute. This attribute must be part of the attributes returned by PingFederate as part of the Web Session OpenID Connect request made by PingAccess when the user is authenticated.
The second parameter is the value that is looked for in the attribute. If the values match, the method returns true; otherwise it returns false.
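The OR condition described above, as an added example that is not the article's original script: it models the rule in plain Groovy so the allow/deny outcome can be checked outside PingAccess. The closures are simplified stand-ins for the PingAccess matchers `anyOf` and `containsWebSessionAttribute`; the attribute name `group`, the group values and the sample users are assumptions and must match what PingFederate actually returns.

```groovy
// Added example: a stand-alone model of the OR rule, runnable with plain Groovy.
// Inside PingAccess the matchers are supplied by the product and the script
// body is only the rule expression, for example:
//   anyOf(containsWebSessionAttribute("group", "Sales"),
//         containsWebSessionAttribute("group", "Executive"))
// The closures below are stand-ins, not Ping's implementation.

// Constructed web session attributes for four hypothetical users.
// Assumption: group membership arrives in an attribute named "group".
def sessions = [
    alice: [sub: 'alice', group: ['Sales', 'Staff']],  // multi-valued attribute
    bob  : [sub: 'bob',   group: 'Executive'],         // single-valued attribute
    carol: [sub: 'carol', group: ['Engineering']],     // in neither group
    dave : [sub: 'dave'],                              // attribute not returned at all
]

// Stand-in matcher: first parameter is the attribute name, second is the value
// looked for. Assumption: the comparison is exact and case-sensitive.
def containsWebSessionAttribute = { Map attrs, String name, String value ->
    def actual = attrs[name]
    if (actual == null) return false                   // missing attribute never matches
    (actual instanceof Collection ? actual : [actual]).any { it == value }
}

// Stand-in matcher: logical OR over the results of the nested matchers.
def anyOf = { Boolean... results -> results.any { it } }

// The rule: allow when the user is a member of Sales OR of Executive.
def rule = { Map attrs ->
    anyOf(containsWebSessionAttribute(attrs, 'group', 'Sales'),
          containsWebSessionAttribute(attrs, 'group', 'Executive'))
}

// Evaluate the rule for every sample session; anything that does not match
// falls through to deny, including the session with no "group" attribute.
sessions.each { user, attrs ->
    println "${user}: ${rule(attrs) ? 'allow' : 'deny'}"
}
```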