Statements
Statements extend authorization decisions by instructing the policy decision service to perform additional processing.
Without statements, your policies can tell the decision service to either permit or deny a decision request. With statements, you can include additional information in Permit and Deny decisions, such as specifying response headers to add to Permit decisions or including reasons for denial with Deny decisions.
Statements only apply to
Statements enable you to be more expressive in your policies by allowing you to do things such as add or remove specific fields from requests and responses, return statement codes to DaVinci flows, update risk indicators, and provide authorized records for consent enforcement.
Statement enforcement
Statements processed by the dynamic authorization decision service can return statement codes and attributes in decision responses. With an API gateway integration, the API Access Management HTTP Access Policy Service can enforce built-in statements that filter and transform inbound request and outbound response data. PingOne Authorize provides templates for these built-in statements.
Advice and obligations
Statements are sometimes called advice and obligations. Authorization advice provides information about an authorization decision, such as the reason a transaction was denied. Obligations are conditions or actions that must be fulfilled along with an authorization decision. They enhance security, ensure compliance, or trigger other processes. For example, an obligation related to a payment might generate an email notification when a transaction is successful.
PingOne Authorize handles obligations differently in dynamic authorization and API Access Management:
- Dynamic authorization: PingOne Authorize doesn't enforce obligations in policies published to decision endpoints. The decision service includes the obligation in the decision response, and it is the client's responsibility to enforce it.
- API Access Management: PingOne Authorize attempts to enforce obligations in policies published to API services. If the decision service can't fulfill an obligation, the decision evaluation fails and returns an error to the client.
If a non-obligatory statement can’t be fulfilled, the decision service logs an error and continues the decision evaluation.
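The two behaviors described above, fail-closed enforcement of obligations and log-and-continue for non-obligatory statements, are what a client of a dynamic authorization decision endpoint has to implement itself. The following is an added example of such client-side enforcement; it is not PingOne Authorize code, and the response field names it reads (`decision`, `statements`, `code`, `obligatory`, `attributes`) and the statement codes in the sample are assumptions constructed for illustration, not a verified response schema.

```python
import logging
from typing import Any, Callable, Dict, Tuple

log = logging.getLogger("authz-client")

# Constructed sample decision response. Field names and statement codes are
# assumptions for illustration, not a verified PingOne Authorize schema.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "decision": "PERMIT",
    "statements": [
        {"code": "add-response-header", "obligatory": True,
         "attributes": {"name": "X-Request-Id", "value": "abc123"}},
        {"code": "audit-log", "obligatory": False,
         "attributes": {"event": "payment.viewed"}},
        # A code this client has no handler for: non-obligatory, so it is skipped.
        {"code": "unknown-action", "obligatory": False, "attributes": {}},
    ],
}

# A handler receives the statement's attributes and a mutable enforcement
# context, and returns True only if the statement was actually fulfilled.
Handler = Callable[[Dict[str, Any], Dict[str, Any]], bool]


def add_response_header(attrs: Dict[str, Any], ctx: Dict[str, Any]) -> bool:
    ctx["headers"][attrs["name"]] = attrs["value"]
    return True


def audit_log(attrs: Dict[str, Any], ctx: Dict[str, Any]) -> bool:
    ctx["audit"].append(attrs.get("event", "unspecified"))
    return True


# Registry of the statement codes this client knows how to enforce (hypothetical).
HANDLERS: Dict[str, Handler] = {
    "add-response-header": add_response_header,
    "audit-log": audit_log,
}


def enforce(response: Dict[str, Any],
            handlers: Dict[str, Handler] = HANDLERS) -> Tuple[str, Dict[str, Any]]:
    """Apply the statements in a decision response on the client side.

    Returns the effective decision and the enforcement context. An obligation
    that cannot be fulfilled turns the decision into DENY (fail closed); a
    non-obligatory statement that cannot be fulfilled is logged and skipped.
    """
    decision = response.get("decision", "DENY")
    ctx: Dict[str, Any] = {"headers": {}, "audit": [], "skipped": []}

    for stmt in response.get("statements", []):
        code = stmt.get("code")
        handler = handlers.get(code)
        fulfilled = False
        if handler is not None:
            try:
                fulfilled = handler(stmt.get("attributes", {}), ctx)
            except Exception as exc:  # a handler bug must not become a silent permit
                log.error("handler for statement %r raised: %s", code, exc)
                fulfilled = False
        if fulfilled:
            continue
        if stmt.get("obligatory", False):
            log.error("obligation %r could not be fulfilled; denying request", code)
            return "DENY", ctx
        log.warning("non-obligatory statement %r could not be fulfilled; continuing", code)
        ctx["skipped"].append(code)

    return decision, ctx


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(enforce(SAMPLE_RESPONSE))
```

The design point is the asymmetry: an unknown or failing handler is tolerable for advice but not for an obligation, so the only safe default when an obligation cannot be honored is to treat the Permit as a Deny rather than to serve the response without the required action.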
Learn more about using statements in policies in Adding statements to policies and rules.