Conditional expressions are the logic engine behind policies and data protection rules in Agen for SaaS. They define when a rule is triggered by evaluating request attributes against specified conditions.
Conditional expressions are used in two places:
- Policies — To determine when a deny, step-up, or approval action should be enforced.
- Data protection — To determine when data masking should be applied.
Each conditional expression follows the format:
IF [Attribute] [Operator] [Value]
Multiple conditions can be chained using + and (AND logic). All conditions must evaluate to true for the expression to match.
The attribute is the request property being evaluated. This is a free-text field, allowing you to reference any attribute available in the request context.
Common attributes include:
| Attribute | Description | Example values |
|---|---|---|
| IP | The IP address of the request origin. | 192.168.1.1, 10.0.0.0 |
| amount | A numeric parameter from the tool call. | 500, 10000 |
| country | The country of the requesting user or session. | United States, Germany |
| Country | Alias for country (case-sensitive field names). | US, DE |
| user_role | The role from the user's JWT. | admin, viewer |
| tenant | The tenant identifier from the JWT. | acme-inc, org-123 |
| region | The geographic region. | US, EU, APAC |
The operator defines how the attribute is compared to the value. Available operators include:
| Operator | Description | Example |
|---|---|---|
| Contains | The attribute contains the specified substring. | IP Contains 192.168 |
| In | The attribute matches one of the specified values (multi-select). | Country In United States, Germany |
| Equals | The attribute exactly matches the value. | user_role Equals admin |
| Greater than | The attribute is numerically greater than the value. | amount Greater than 10000 |
| Less than | The attribute is numerically less than the value. | amount Less than 100 |
| In list | The attribute matches one of the values in a predefined list. | country in_list US |
The value is what the attribute is compared against. Depending on the operator:
- Single value — For operators like Contains, Equals, Greater than, Less than. Enter a single text or numeric value.
- Multiple values — For operators like In and In list. Selected values appear as chips with X buttons to remove them (e.g., United States ×).
Click + and to add additional conditions to an expression. All conditions use AND logic — every condition must evaluate to true for the overall expression to match.
Example with multiple conditions:
IF IP Contains 192.168
AND amount Greater than 5000
AND country In United States
This expression matches only when all three conditions are true simultaneously.
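
The following is an added example, not Agen's own code: a small Python model of the AND evaluation and operator semantics described above, run against the three-condition expression. It shows that a substring `Contains` test on an IP also matches addresses outside 192.168.0.0/16. The function names, the sample requests, and the handling of missing or non-numeric attributes are assumptions.

```python
import ipaddress

# Operator semantics as described in the operator table (a model, not Agen's engine).
OPERATORS = {
    "Contains": lambda attr, val: str(val) in str(attr),
    "Equals": lambda attr, val: str(attr) == str(val),
    "In": lambda attr, val: attr in val,
    "Greater than": lambda attr, val: float(attr) > float(val),
    "Less than": lambda attr, val: float(attr) < float(val),
}

def matches(expression, request):
    """Return True only if every (attribute, operator, value) condition is true (AND logic)."""
    for attribute, operator, value in expression:
        # Assumption: an attribute absent from the request context never matches.
        # Lookup is case-sensitive, so "Country" and "country" are different keys.
        if attribute not in request:
            return False
        try:
            if not OPERATORS[operator](request[attribute], value):
                return False
        except (TypeError, ValueError):
            return False  # Assumption: a non-numeric amount fails a numeric comparison.
    return True

def in_private_192_168(ip):
    """Stricter check for comparison: is the address really inside 192.168.0.0/16?"""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network("192.168.0.0/16")
    except ValueError:
        return False

# The three-condition expression from the page.
RULE = [
    ("IP", "Contains", "192.168"),
    ("amount", "Greater than", 5000),
    ("country", "In", ["United States"]),
]

# Constructed sample requests.
REQUESTS = {
    "lan": {"IP": "192.168.1.1", "amount": 7500, "country": "United States"},
    "small_amount": {"IP": "192.168.1.1", "amount": 500, "country": "United States"},
    "substring_only": {"IP": "10.192.168.7", "amount": 7500, "country": "United States"},
    "wrong_case": {"IP": "192.168.1.1", "amount": 7500, "Country": "United States"},
}

if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(name, matches(RULE, req), in_private_192_168(req["IP"]))
```

When reviewing a rule, compare the substring result with the CIDR check for the addresses you expect to see; where they disagree, the condition is broader than the network it was meant to describe.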
To remove a condition, click the minus icon next to it.
IF IP Contains 192.168
Action: Deny — Blocks tool calls from IPs containing 192.168.
IF amount Greater than 10000
Action: Step up — Requires additional authentication for transactions exceeding 10,000.
IF Country In United States
Targeting: Apply PII masking to tool responses when the user is in the United States.
IF region Equals EU
AND amount Greater than 5000
Action: Request approval — Routes to an approval flow when both conditions are met.
| Feature | Field name | Purpose |
|---|---|---|
| Policies | Policy attributes: definition and function | Determines when the policy action (deny, step-up, approval) is triggered. |
| Data protection | Policy targeting | Determines when data masking is applied to tool responses. |
Both features use the same expression builder interface with identical attribute, operator, and value components.