Single valued vs multivalued context keys

The difference between single-valued and multivalued context keys lies in the number of values in the request context, not the number of values in the policy condition.

Single-valued condition context keys have at most one value in the request context. Do not use a condition set operator with a single-valued context key.

Multivalued condition context keys can have multiple values in the request context. Multivalued context keys require a condition set operator.

caution

Multivalued context keys require a condition set operator. Do not use condition set operators ForAllValues or ForAnyValue with single-valued context keys.

The Single-valued and Multivalued classifications are included in the description of each condition context key as Value type in the Astran global condition context keys topic. The Service Authorization Reference uses a different value type classification for multivalued context keys, using an ArrayOf prefix followed by the condition operator category type, such as ArrayOfString or ArrayOfARN.

You can use any available single-valued context key as a policy variable, but you cannot use a multivalued context key as a policy variable. For more information about policy variables, see Variables.

Multivalued context keys

To compare your condition context key against a request context key with multiple values, you must use the ForAllValues or ForAnyValue set operators. These set operators are used to compare two sets of values, such as the set of tags in a request and the set of tags in a policy condition.

The ForAllValues and ForAnyValue qualifiers add set-operation functionality to the condition operator, allowing you to test request context keys with multiple values against multiple context key values in a policy condition. Multiple condition key values must be enclosed in brackets like an array, for example, "Key2":["Value2A", "Value2B"].

ForAllValues – This qualifier tests whether the set of request context key values is a subset of the condition context key set. The condition returns true if every context key value in the request matches at least one context key value in the policy. It also returns true if there are no context keys in the request or if the context key value resolves to a null dataset, such as an empty string. To prevent missing context keys or context keys with empty values from evaluating to true, you can include the Null condition operator in your policy with a false value to check if the context key exists and its value is not null.

caution

Use caution if you use ForAllValues with an Allow effect, as it can be overly permissive if the presence of missing context keys or context keys with empty values in the request context is unexpected. You can include the Null condition operator in your policy with a false value to check if the context key exists and its value is not null.

ForAnyValue – This qualifier tests whether at least one member of the set of request context key values matches at least one member of the set of context key values in your policy condition. The condition returns true if any one of the context key values in the request matches any one of the context key values in the policy. For no matching context key or a null dataset, the condition returns false.

note

The difference between single-valued and multivalued context keys depends on the number of values in the request context, not the number of values in the policy condition.
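The following added example (not part of the original documentation or the Astran code base) is a simplified Python model of the ForAllValues, ForAnyValue and Null semantics described above, showing how a ForAllValues condition on its own evaluates to true for a missing or empty context key and how adding a Null check with a false value closes that gap. The key name example:TagKeys, the request contexts and the rule that all operator blocks in a condition must hold together are assumptions of the model.

```python
def _values(ctx, key):
    """Request values for key; a missing key or empty strings give a null dataset."""
    raw = ctx.get(key) or []
    if isinstance(raw, str):
        raw = [raw]
    return [v for v in raw if v != ""]

def for_all_values(ctx, key, allowed):
    # True when every request value matches a policy value.
    # all() over an empty list is True: the missing-key case the page warns about.
    return all(v in allowed for v in _values(ctx, key))

def for_any_value(ctx, key, allowed):
    # True when at least one request value matches; False for a null dataset.
    return any(v in allowed for v in _values(ctx, key))

def null_check(ctx, key, expect_null):
    # Null with "false": true only if the key exists and its value is not null.
    return (len(_values(ctx, key)) == 0) == expect_null

def evaluate(condition, ctx):
    """All operator blocks in a condition must hold (assumed logical AND)."""
    ops = {"ForAllValues:StringEquals": for_all_values,
           "ForAnyValue:StringEquals": for_any_value}
    for op, keys in condition.items():
        for key, val in keys.items():
            if op == "Null":
                ok = null_check(ctx, key, str(val).lower() == "true")
            else:
                ok = ops[op](ctx, key, val if isinstance(val, list) else [val])
            if not ok:
                return False
    return True

KEY = "example:TagKeys"  # hypothetical multivalued context key (assumption)
WEAK = {"ForAllValues:StringEquals": {KEY: ["env", "team"]}}
HARDENED = {**WEAK, "Null": {KEY: "false"}}
ANY = {"ForAnyValue:StringEquals": {KEY: ["env", "team"]}}

# Constructed request contexts (sample data, not from the page).
REQUESTS = {"subset": {KEY: ["env"]}, "extra": {KEY: ["env", "cost"]},
            "missing": {}, "empty": {KEY: ""}}

def results(condition):
    return {name: evaluate(condition, ctx) for name, ctx in REQUESTS.items()}

if __name__ == "__main__":
    for label, cond in [("weak", WEAK), ("hardened", HARDENED), ("any", ANY)]:
        print(label, results(cond))
```

In this model, WEAK matches the "missing" and "empty" requests, HARDENED rejects both, and ANY accepts the "extra" request because one of its values is in the policy set.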