Skip to main content



The gateway can apply authorization rules to incoming requests. These rules can be either:

  • Defined directly in a policies:authorization entry.
  • Defined here in the authorization section and reference by name in a policies:authorization entry.

This entry defines authorization rules which can be referred to by name in a policies:authorization entry.

This entry is an array and can be used to specify multiple rules.

Rule Format

Authorization rules are composed of credential attributes and the following operators:

Name Values
logical operators and, or, not
multi-valued operators any, all
relational operators =, !=, matches, >, >=, <, <=, exists

Parenthesis can be used for controlling the order of evaluation.


Rule Description
(any groupIds = "administrator") Match when the user is in the administrator group.
(all authenticationLevels >= "2") Match when all credential authenticationLevels are at least level 2.
(attribute_a matches "a(?:bc)*") Match when the value of the credential attribute "attribute_a" matches the regular expression.
(level >= "2") and (any groupIds = "forbidden") Match when the credential attribute "level" is at least level 2 and the user is in the forbidden group.
(not exists attribute_c) Match when the credential does not have an attribute named "attribute_c".
(AZN_CRED_PRINCIPAL_NAME = "user_a") Match when the credential attribute "AZN_CRED_PRINCIPAL_NAME" is equal to "user_a".


The following table(s) describe the configuration properties for this component:

Name Type Constraints Description
name string The name which will be given to this authorization rule.
rule string The authorization rule. See the Rule Format table for a description of the expected format.


             - name: ruleA
               rule: (any groupIds = "administrator")