You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/purview/troubleshoot-policy-distribution.md
+29Lines changed: 29 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -112,6 +112,35 @@ Policy specifies decision that should be emitted if the policy is applicable for
112
112
AttributeRule produces derived attributes and add them to request context attributes. Evaluation of AttributeRule triggers evaluation of additional AttributeRules referenced in the AttributeRule.
113
113
114
114
115
+
## Common sub-constructs used in PolicySet, Policy, AttributeRule
116
+
117
+
#### AttributePredicate
118
+
AttributePredicate checks whether predicate specified on an attribute is satisfied. AttributePredicate can specify the following properties:
119
+
- attributeName: specifies attribute name on which attribute predicate needs to be evaluated.
120
+
- matcherId: id of matcher function that is used to compare the attribute value looked up in request context by the attribute name to the attribute value literal specified in the predicate. At present we support 2 matcherId(s): ExactMatcher, GlobMatcher. If matcherId is not specified, it defaults to GlobMatcher.
121
+
- fromRule: optional property specifying id of an AttributeRule that needs to be evaluated to populate the request context with attribute values that would be compared in this predicate.
122
+
- attributeValueIncludes: scalar literal value that should match the request context attribute values.
123
+
- attributeValueIncludedIn: array of literal values that should match the request context attribute values.
124
+
- attributeValueExcluded: scalar literal value that should not match the request context attribute values.
125
+
- attributeValueExcludedIn: array of literal values that should not match the request context attribute values.
126
+
127
+
#### CNFCondition
128
+
Array of array of AttributePredicates that have to be satisfied with the semantic of ANDofORs.
129
+
130
+
#### DNFCondition
131
+
Array of array of AttributePredicates that have to be satisfied with the semantic of ORofANDs.
132
+
133
+
#### PreConditionRule
134
+
- A PreConditionRule can specify at most one each of CNFCondition, DNFConition, Condition.
135
+
- All of the specified CNFCondition, DNFCondition, Condition should evaluate to “true” for the PreConditionRule to be satisfied for the current request.
136
+
- If any of the precondition rules is not satisfied, containing PolicySet or Policy is considered not applicable for the current request and skipped.
137
+
138
+
#### Condition
139
+
- A Condition allows specifying a complex condition of predicates that can nest functions from library of functions.
140
+
- At decision compute time the Condition evaluates to “true” or “false” and also could emit optional Obligation(s).
141
+
- If the Condition evaluates to “false” the containing DecisionRule is considered Not Applicable to the current request.
142
+
143
+
115
144
## Next steps
116
145
117
146
Concept guides for Microsoft Purview access policies:
0 commit comments