21.4 Policy Conditions and Rules

Conditions can be specified only within Authorization and Token Issuance policies. Rules define the Allow or Deny specification that determines the overall effect of the policy.

Unless explicitly stated, information on policy Conditions and Rules applies equally to authorization and Token Issuance policies.


Conditions are used in conjunction with Rules that specify Allow or Deny access, based on defined Conditions. Table 21-5 identifies available condition types.

Table 21-5 Condition Types

Type For more information, see ...


"Introduction to Authorization Policy Rules and Conditions".

IP4 Range

"Defining IP4 Range Conditions".


"Defining Temporal Conditions".


"Defining Attribute Conditions".


Effectively "Allow All". Oracle recommends this be used as the default option in cases where you need to let in any authenticated use. In this case, you do not need any particular conditions to be satisfied at authorization time.

This replaces the Use Implied Constraints flag the previous release of Access Manager, which similarly lets policy evaluation complete with an Allow result when no specifically-defined constraints were present.

Each Authorization and Token Issuance policy can contain one or more condition objects. There can be more than one instance of a type of condition in a policy (the previous policy model allowed only one instance of a class in a policy).

Conditions are similar to earlier Access Manager 12c authorization constraints. However, constraints included Allow or Deny specifications and conditions do not.


Rules are new constructs in the policy model. Each Rule defines the Allow or Deny specification that determines the overall effect of the policy. Rules also define how the outcomes of each Condition evaluation is to be combined. Conditions are referenced in rules and declared outside of rules.

Within a Rule, evaluation outcomes can be combined as follows:

  • Simple Mode: Accepts a list of condition names that are combined based on the value of a combiner that allows either All conditions to be met or Any one condition to be met to return "true" for the evaluation. [Previously, ALL allowed constraints while ANY denied them.]

  • Expression mode: Allows the user to specify a Boolean expression to combine conditions using condition names and special characters (comma, vertical bar, ampersand and exclamation point: , |& and !.


A policy in which there are one or more conditions that are not part of either an Allow or Deny Rule is treated as a valid policy.

For more information about Conditions and Rule, see Managing Policies to Protect Resources and Enable SSO.