## Conditional expressions

Conditional expressions are the logic engine behind policies and data protection rules in Agen for SaaS. They define **when** a rule is triggered by evaluating request attributes against specified conditions.

Conditional expressions are used in two places:

- **Policies** — To determine when a deny, step-up, or approval action should be enforced.
- **Data protection** — To determine when data masking should be applied.

### Expression structure

Each conditional expression follows the format:

**IF** `[Attribute]` `[Operator]` `[Value]`

Multiple conditions can be chained using **+ and** (AND logic). All conditions must evaluate to true for the expression to match.

### Components

#### Attribute

The attribute is the request property being evaluated. This is a free-text field, allowing you to reference any attribute available in the request context.

Common attributes include:

| Attribute | Description | Example values |
| --- | --- | --- |
| `IP` | The IP address of the request origin. | `192.168.1.1`, `10.0.0.0` |
| `amount` | A numeric parameter from the tool call. | `500`, `10000` |
| `country` | The country of the requesting user or session. | `United States`, `Germany` |
| `Country` | Alias for country (case-sensitive field names). | `US`, `DE` |
| `user_role` | The role from the user's JWT. | `admin`, `viewer` |
| `tenant` | The tenant identifier from the JWT. | `acme-inc`, `org-123` |
| `region` | The geographic region. | `US`, `EU`, `APAC` |

#### Operator

The operator defines how the attribute is compared to the value.

Available operators include:

| Operator | Description | Example |
| --- | --- | --- |
| **Contains** | The attribute contains the specified substring. | `IP` `Contains` `192.168` |
| **In** | The attribute matches one of the specified values (multi-select). | `Country` `In` `United States, Germany` |
| **Equals** | The attribute exactly matches the value. | `user_role` `Equals` `admin` |
| **Greater than** | The attribute is numerically greater than the value. | `amount` `Greater than` `10000` |
| **Less than** | The attribute is numerically less than the value. | `amount` `Less than` `100` |
| **In list** | The attribute matches one of the values in a predefined list. | `country` `in_list` `US` |

#### Value

The value is what the attribute is compared against. Depending on the operator:

- **Single value** — For operators like `Contains`, `Equals`, `Greater than`, `Less than`. Enter a single text or numeric value.
- **Multiple values** — For operators like `In` and `In list`. Selected values appear as chips with X buttons to remove them (e.g., `United States ×`).

### Combining conditions

Click **+ and** to add additional conditions to an expression. All conditions use AND logic — every condition must evaluate to true for the overall expression to match.

Example with multiple conditions:

```
IF IP Contains 192.168
AND amount Greater than 5000
AND country In United States
```

This expression matches only when all three conditions are true simultaneously.

To remove a condition, click the minus icon next to it.

### Expression examples

#### Policy: Block external IP access

```
IF IP Contains 192.168
```

**Action:** Deny — Blocks tool calls from IPs containing `192.168`.

#### Policy: Step-up for high-value transactions

```
IF amount Greater than 10000
```

**Action:** Step up — Requires additional authentication for transactions exceeding 10,000.

#### Data protection: Mask PII for US users

```
IF Country In United States
```

**Targeting:** Apply PII masking to tool responses when the user is in the United States.

#### Policy: Approval for sensitive operations from specific region

```
IF region Equals EU
AND amount Greater than 5000
```

**Action:** Request approval — Routes to an approval flow when both conditions are met.

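The chained-AND evaluation and the `Contains` operator described above, modelled as an added example (this is not Agen for SaaS code). It assumes attribute names are matched case-sensitively and that a missing attribute makes a condition false; `matches` and `contains_vs_cidr` are hypothetical helper names. It shows where a substring test on `IP` disagrees with real network membership.

```python
import ipaddress

# Operator semantics as described on this page; the product's real engine may differ.
OPERATORS = {
    "Contains": lambda actual, expected: str(expected) in str(actual),
    "Equals": lambda actual, expected: str(actual) == str(expected),
    "In": lambda actual, expected: str(actual) in expected,
    "Greater than": lambda actual, expected: float(actual) > float(expected),
    "Less than": lambda actual, expected: float(actual) < float(expected),
}

def matches(conditions, request):
    """AND over (attribute, operator, value) triples.
    Assumption: an attribute missing from the request makes the condition false."""
    for attribute, operator, value in conditions:
        if attribute not in request:  # assumed case-sensitive: "Country" != "country"
            return False
        if not OPERATORS[operator](request[attribute], value):
            return False
    return True

def contains_vs_cidr(substring, cidr, addresses):
    """Return addresses where substring matching and CIDR membership disagree."""
    network = ipaddress.ip_network(cidr)
    disagreements = []
    for addr in addresses:
        by_substring = substring in addr
        by_network = ipaddress.ip_address(addr) in network
        if by_substring != by_network:
            disagreements.append((addr, by_substring, by_network))
    return disagreements

# Constructed sample requests (not real traffic).
REQUESTS = [
    {"IP": "192.168.1.20", "amount": "7500", "country": "United States"},
    {"IP": "10.192.168.4", "amount": "7500", "country": "United States"},
    {"IP": "192.168.1.20", "amount": "7500", "Country": "United States"},
    {"IP": "192.168.1.20", "amount": "5000", "country": "United States"},
]
# The three-condition expression from "Combining conditions".
RULE = [("IP", "Contains", "192.168"),
        ("amount", "Greater than", "5000"),
        ("country", "In", ["United States"])]

if __name__ == "__main__":
    for req in REQUESTS:
        print(matches(RULE, req), req)
    print(contains_vs_cidr("192.168", "192.168.0.0/16",
                           [r["IP"] for r in REQUESTS] + ["172.16.192.168"]))
```

Of the constructed requests, `10.192.168.4` satisfies `IP Contains 192.168` although it lies outside `192.168.0.0/16`, and the request that sends `Country` instead of `country` never matches under the stated assumptions.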
### Where conditional expressions are used

| Feature | Field name | Purpose |
| --- | --- | --- |
| **Policies** | Policy attributes: definition and function | Determines when the policy action (deny, step-up, approval) is triggered. |
| **Data protection** | Policy targeting | Determines when data masking is applied to tool responses. |

Both features use the same expression builder interface with identical attribute, operator, and value components.

### Related topics

- [Creating policies](/agen-for-saas/policies/creating-policies)
- [Data protection](/agen-for-saas/data-protection/overview)
- [Policies overview](/agen-for-saas/policies/overview)