To understand the grammar of claim rules, you must first understand attestation policy claims.
Claim
A claim is a set of properties grouped together to provide relevant information. For Azure Attestation, a claim contains the following properties:
type: A string value that represents the type of the claim.
value: A Boolean, integer, or string value that represents the value of the claim.
valueType: The data type of the information stored in the value property. Supported types are String, Integer, and Boolean. If not defined, the default value is "String".
issuer: Information regarding the issuer of the claim. The issuer is one of the following types:
AttestationService: Certain claims are made available by Azure Attestation itself, which the policy author can use to craft the appropriate policy.
AttestationPolicy: The policy (as defined by the administrator) itself can add claims to the incoming evidence during processing. The issuer in this case is set to "AttestationPolicy".
CustomClaim: The attestor (client) can also add more claims to the attestation evidence. The issuer in this case is set to "CustomClaim".
If not defined, the default value is "CustomClaim".
Claim Rule
The incoming claim set is used by the policy engine to compute the attestation result. A claim rule is a set of conditions used to validate the incoming claims and take the defined action.
Conditions list => Action (Claim)
Azure Attestation evaluation of a claim rule involves the following steps:
If the conditions list is not present, execute the action with the specified claim. Otherwise, evaluate the conditions from the conditions list.
If the conditions list evaluates to false, stop. Otherwise, execute the action.
The conditions in a claim rule determine whether the action needs to be executed. The conditions list is a sequence of conditions separated by the "&&" operator.
The conditions list is composed of individual conditions on various properties of a claim. A condition can have an optional identifier, which can be used to refer to the claim(s) that satisfy the condition. This reference can be used in the other conditions or in the action of the same rule.
The following are the operators that can be used to check conditions:
Valuetype    Operations supported
Integer      == (equals), != (not equal), <= (less than or equal), < (less than), >= (greater than or equal), > (greater than)
String       == (equals), != (not equal)
Boolean      == (equals), != (not equal)
Evaluation of conditions list:
The presence of the "&&" operator implies that a conditions list evaluates to true only if all the conditions in the list evaluate to true.
A condition represents filtering criteria on the set of claims. The condition itself is said to evaluate to true if at least one claim is found that satisfies the condition.
A claim is said to satisfy the filtering criterion represented by the condition if each of its properties satisfies the corresponding claim property conditions present in the condition.
The set of actions that are allowed in a policy (action verb, description, and the policy sections to which it applies):
permit()
    Policy sections: authorizationrules
    The incoming claim set can be used to compute issuancerules. Does not take any claim as a parameter.
deny()
    Policy sections: authorizationrules
    The incoming claim set should not be used to compute issuancerules. Does not take any claim as a parameter.
add(claim)
    Policy sections: authorizationrules, issuancerules
    Adds the claim to the incoming claims set. Any claim added to the incoming claims set is available to the subsequent claim rules.
issue(claim)
    Policy sections: issuancerules
    Adds the claim to the incoming and outgoing claims sets.
issueproperty(claim)
    Adds the claim to the incoming and property claims sets.
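The following added example models the evaluation semantics described in the "Claim Rule" section and the action table above in Python. It is an illustration written for this page, not Azure Attestation's own policy engine or its text syntax: rules are built as Python objects, claim types such as x-ms-sgx-is-debuggable are used only to make the sample read realistically, and the assumptions that authorizationrules stop at the first permit()/deny() and that anything other than an explicit permit() denies are the model's own.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Added illustration of the claim-rule semantics on this page. It is NOT Azure
# Attestation's policy engine; rules are Python objects, not policy-language text.

@dataclass(frozen=True)
class Claim:
    type: str
    value: object                # bool, int or str
    valueType: str = "String"    # page default when not defined
    issuer: str = "CustomClaim"  # page default when not defined

OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b,   "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,   ">=": lambda a, b: a >= b,
}
# Operators the page lists per value type; relational operators are Integer-only.
ALLOWED = {"Integer": set(OPS), "String": {"==", "!="}, "Boolean": {"==", "!="}}

@dataclass
class Condition:
    checks: list                  # [(property, operator, expected), ...]
    ident: Optional[str] = None   # optional identifier for the matching claim(s)

    def satisfied_by(self, claim: Claim) -> bool:
        """A claim satisfies the condition if every property check holds."""
        for prop, op, expected in self.checks:
            permitted = ALLOWED[claim.valueType] if prop == "value" else {"==", "!="}
            if op not in permitted or not OPS[op](getattr(claim, prop), expected):
                return False
        return True

    def evaluate(self, claims):
        """Non-empty (true) if at least one claim satisfies the condition."""
        return [c for c in claims if self.satisfied_by(c)]

@dataclass
class Rule:
    conditions: list                        # conditions list joined by &&; [] = none
    action: str                             # permit | deny | add | issue
    make_claim: Optional[Callable] = None   # builds the claim for add()/issue()

def evaluate_rule(rule, incoming, outgoing):
    """Page steps: no conditions -> run the action; else stop on the first false one."""
    matched = {}
    for cond in rule.conditions:
        hits = cond.evaluate(incoming)
        if not hits:
            return None                  # &&: one false condition, rule does not fire
        if cond.ident:
            matched[cond.ident] = hits   # identifier refers to the satisfying claim(s)
    if rule.action in ("permit", "deny"):
        return rule.action
    claim = rule.make_claim(matched)     # policy-added claims carry issuer AttestationPolicy
    incoming.append(claim)               # add() and issue() both feed later rules
    if rule.action == "issue":
        outgoing.append(claim)           # issue() also lands in the outgoing set
    return None

def evaluate_policy(authorizationrules, issuancerules, claims):
    """Model assumption: authorizationrules stop at the first permit()/deny(),
    anything other than an explicit permit() denies, then issuancerules run."""
    incoming, outgoing = list(claims), []
    decision = None
    for rule in authorizationrules:
        decision = evaluate_rule(rule, incoming, outgoing)
        if decision:
            break
    if decision != "permit":
        return "deny", []
    for rule in issuancerules:
        evaluate_rule(rule, incoming, outgoing)
    return "permit", outgoing

def policy_claim(type_, value, value_type):
    return Claim(type_, value, value_type, issuer="AttestationPolicy")

# Constructed sample policy (claim names chosen to read like service-issued claims).
AUTHORIZATION_RULES = [
    Rule([Condition([("type", "==", "x-ms-sgx-is-debuggable"), ("value", "==", True)])], "deny"),
    Rule([Condition([("type", "==", "x-ms-sgx-product-id"), ("value", "==", 1)]),
          Condition([("type", "==", "x-ms-sgx-svn"), ("value", ">=", 2)])], "permit"),
]
ISSUANCE_RULES = [
    # c:[type=="x-ms-sgx-mrsigner"] => issue(type="signer", value=c.value)
    Rule([Condition([("type", "==", "x-ms-sgx-mrsigner")], ident="c")], "issue",
         lambda m: policy_claim("signer", m["c"][0].value, "String")),
    # No conditions list: the action always runs.
    Rule([], "add", lambda m: policy_claim("policy-tag", "v1", "String")),
    # The claim add() placed in the incoming set is visible to this later rule.
    Rule([Condition([("type", "==", "policy-tag"), ("issuer", "==", "AttestationPolicy")])],
         "issue", lambda m: policy_claim("tagged", True, "Boolean")),
]

def sample_claims(debuggable: bool):
    """Constructed incoming claim set, as the attestation service would supply it."""
    return [
        Claim("x-ms-sgx-is-debuggable", debuggable, "Boolean", "AttestationService"),
        Claim("x-ms-sgx-product-id", 1, "Integer", "AttestationService"),
        Claim("x-ms-sgx-svn", 3, "Integer", "AttestationService"),
        Claim("x-ms-sgx-mrsigner", "0123abcd", "String", "AttestationService"),
    ]

if __name__ == "__main__":
    print(evaluate_policy(AUTHORIZATION_RULES, ISSUANCE_RULES, sample_claims(False)))
    print(evaluate_policy(AUTHORIZATION_RULES, ISSUANCE_RULES, sample_claims(True)))
```

Running the block with a non-debuggable claim set permits and issues two policy-authored claims ("signer", carrying the value referenced through the identifier c, and "tagged", which only fires because the earlier add() made "policy-tag" visible to subsequent rules); with the debuggable flag set, the first authorization rule denies and nothing is issued. A relational operator applied to a String claim never matches, mirroring the operator table.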