=== Conditions in conditional flows As was mentioned in <<_execution-requirements, Execution requirements>>, _Condition_ executions can be only contained in _Conditional_ subflow. If all _Condition_ executions evaluate as true, then the _Conditional_ sub-flow acts as _Required_. You can process the next execution in the _Conditional_ sub-flow. If some executions included in the _Conditional_ sub-flow evaluate as false, then the whole sub-flow is considered as _Disabled_. ==== Available conditions `Condition - User Role`:: This execution has the ability to determine if the user has a role defined by _User role_ field. If the user has the required role, the execution is considered as true and other executions are evaluated. The administrator has to define the following fields: Alias::: Describes a name of the execution, which will be shown in the authentication flow. User role::: Role the user should have to execute this flow. To specify an application role the syntax is `appname.approle` (for example `myapp.myrole`). `Condition - User Configured`:: This checks if the other executions in the flow are configured for the user. The Execution requirements section includes an example of the OTP form. `Condition - User Attribute`:: This checks if the user has set up the required attribute. There is a possibility to negate output, which means the user should not have the attribute. The xref:proc-configuring-user-attributes_{context}[User Attributes] section shows how to add a custom attribute. You can provide these fields: Alias::: Describes a name of the execution, which will be shown in the authentication flow. Attribute name::: Name of the attribute to check. Expected attribute value::: Expected value in the attribute. Negate output::: You can negate the output. In other words, the attribute should not be present. ==== Explicitly deny/allow access in conditional flows You can allow or deny access to resources in a conditional flow. The two authenticators `Deny Access` and `Allow Access` control access to the resources by conditions. `Allow Access`:: Authenticator will always successfully authenticate. This authenticator is not configurable. `Deny Access`:: Access will always be denied. You can define an error message, which will be shown to the user. You can provide these fields: Alias::: Describes a name of the execution, which will be shown in the authentication flow. Error message::: Error message which will be shown to the user. The error message could be provided as a particular message or as a property in order to use it with localization. (i.e "_You do not have the role 'admin'._", _my-property-deny_ in messages properties) Leave blank for the default message defined as property `access-denied`. Here is an example how to deny access to all users who do not have the role `role1` and show an error message defined by a property `deny-role1`. This example includes `Condition - User Role` and `Deny Access` executions. .Browser flow image:images/deny-access-flow.png[Deny access flow] .Condition - user role configuration image:images/deny-access-role-condition.png[Deny access role settings] .Configuration of the `Deny Access` is really easy. You can specify an arbitrary Alias and required message like this: image:images/deny-access-execution-cond.png[Deny access execution settings] The last thing is defining the property with an error message in the login theme `messages_en.properties` (for English): [source] ---- deny-role1 = You do not have required role! ----