PingOne Advanced Identity Cloud

Migrate policy condition scripts to next-generation scripts

Different bindings are available to a policy condition script depending on the scripting engine version, legacy or next-generation.

To migrate legacy scripts to next-generation scripts:

  1. Complete the steps to migrate common bindings as described in Migrate to next-generation scripts.

  2. Next, migrate the bindings specific to policy condition scripts by referring to the information in the following table.

    Binding: Next-generation change

    environment: The binding now returns a Map<String, List<String>> rather than a Map<String, Set<String>>. The List format makes it easier to retrieve values because you can access values directly without converting the return objects.

    identity: Attribute values are now returned as a List so that you can access values directly. You must now explicitly call store() to persist changes to attribute values.

environment

Use the environment binding to get data from the client making the authorization request.

Learn more in Access environment data.

Legacy:

    var ipSet = environment.get("IP");          // 1

    var userIP = ipSet.iterator().next();       // 2

Next-generation:

    var ipList = environment.get("IP");         // 1

    var userIP = ipList[0];                     // 2

1 The environment binding now returns Map<String, List<String>> instead of Map<String, Set<String>>.
2 No need to convert objects by calling toArray()[1] or iterator().next(). Instead you can access values directly, for example, environment.get("KEY")[0].

identity

Use the identity binding to get data about the subject of the authorization request.

The following actions are available to the identity binding:

  • Get attribute values

  • Set attribute values

  • Add attribute values

Legacy:

    // Returns all values as a set,
    // for example: [test@example.com,user@example.com]
    identity.getAttribute("mail").toString();   // 1

    // Returns the first value
    // for example: test@example.com
    identity.getAttribute("mail")
        .iterator().next();                     // 2

    // persists data
    identity.setAttribute("mail",
        ["new@example.com"]);                   // 3

    identity.addAttribute("mail", "user@example.com");

Next-generation:

    // Returns all values as an array,
    // for example: ["test@example.com", "user@example.com"]
    identity.getAttributeValues("mail");        // 1

    // Returns the first value, for example: test@example.com
    identity.getAttributeValues("mail")[0];     // 2

    // Does NOT automatically persist data
    identity.setAttribute("mail",
        ["new@example.com"]);                   // 3

    // Does NOT automatically persist data
    identity.addAttribute("mail", "user@example.com");

    // persists data (throws an exception if add/setAttribute failed)
    try {
        identity.store();                       // 4
    } catch(e) {
        logger.error("Unable to persist attribute. " + e);
    }

1 The identity object is now a ScriptedIdentityScriptWrapper, which returns a List instead of a Set.
2 No need to convert objects by calling toArray()[1] or iterator().next(). Instead, you can access values directly, for example, identity.getAttributeValues("KEY")[0].
3 Adding or setting attributes on the identity object does not persist data.
4 You must explicitly persist changes by calling the store method.

Learn more about the identity binding in Access profile data.
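
The following is an added example, not code from the product documentation: a small Node.js check that scans a policy condition script's source for the legacy idioms covered above (Set iteration, identity.getAttribute, and set/addAttribute calls with no later identity.store()). The function name lintScript, the rule ids and the sample script are assumptions made for illustration.

```javascript
// Added example: flag legacy idioms in a policy condition script's source.
// Rules cover only the binding changes listed on this page. Line-based
// heuristic: text after "//" is ignored, calls split across lines may be missed.
const RULES = [
  { id: "set-iteration", re: /\.iterator\(\)\s*\.next\(\)|\.toArray\(\)\s*\[/,
    fix: "values are a List now; index directly, for example [0]" },
  { id: "legacy-getAttribute", re: /\bidentity\s*\.getAttribute\s*\(/,
    fix: "use identity.getAttributeValues(name)" },
];
const MUTATION = /\bidentity\s*\.(?:set|add)Attribute\s*\(/;
const STORE = /\bidentity\s*\.store\s*\(/;

function lintScript(source) {
  const findings = [];
  let lastMutation = 0; // 1-based line of the last set/addAttribute call
  let lastStore = 0;    // 1-based line of the last identity.store() call
  source.split(/\r?\n/).forEach((raw, i) => {
    const code = raw.replace(/\/\/.*$/, "");
    for (const rule of RULES) {
      if (rule.re.test(code)) findings.push({ line: i + 1, id: rule.id, fix: rule.fix });
    }
    if (MUTATION.test(code)) lastMutation = i + 1;
    if (STORE.test(code)) lastStore = i + 1;
  });
  // Next-generation set/addAttribute only changes the in-memory object.
  if (lastMutation > lastStore) {
    findings.push({ line: lastMutation, id: "missing-store",
      fix: "call identity.store() after the last set/addAttribute" });
  }
  return findings;
}

// Constructed sample, assembled from the legacy snippets on this page.
const LEGACY_SAMPLE = [
  'var ipSet = environment.get("IP");',
  'var userIP = ipSet.iterator().next();',
  'var mail = identity.getAttribute("mail").iterator().next();',
  'identity.setAttribute("mail", ["new@example.com"]);',
].join("\n");

for (const f of lintScript(LEGACY_SAMPLE)) {
  console.log(`line ${f.line}: ${f.id} -> ${f.fix}`);
}
```

A missing-store finding matters most where a script records state on the profile, because under the next-generation engine that write is silently dropped unless identity.store() runs afterwards.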