Keywords
The following are the keywords supported in NGL:
Hierarchical
with-attribute
Usage: with-attribute keyword is used with nested objects (JSON).
Syntax: property1 with-attribute { property2 = value2}
Example:
GoogleWorkspace GroupSetting should-have entry with-attribute { enableCollaborativeInbox = false }
with-element
Usage: with-element keyword is used to specify a hierarchical (or parent-child) relationship between its preceding and succeeding properties, where the parent property is a list and the child property is a member of it.
Syntax: property1 with-element [ property2 = value2]
Example:
microsoft365 sharingpolicy should-have sharingenabled = false or domains with-element [ sharingalloweddetails = "ContactsSharing" ]
with-any-element
Usage: with-any-element keyword is used to specify a condition where any member of the parent list property matches the condition following it.
Syntax: property1 with-any-element [ ip = "0.0.0.0" ]
Example:
AzureAD User should-not-have userRegistrationDetails with-attribute { methodsRegistered with-any-element [ "mobilePhone" ] }
exists
Usage: exists keyword checks the presence of a property.
Syntax: property1 exists
Example:
Okta User should-have profile with-attribute { mobilePhone exists }
not-exists
Usage: not-exists keyword checks the absence of a property.
Syntax: property1 not-exists
Example:
AzureAD AuthorizationPolicy should-have defaultUserRolePermissions with-attribute { permissionGrantPoliciesAssigned not-exists }
Utility
any . . as
Usage: any keyword is used for a resource type which has a relationship to the resource type mentioned prior to an expression.
as keyword is used for specifying an alias for the resource type, whose value can later be used in a conditional statement. Aliases are occasionally required when a value is derived in an earlier part of the rule and referenced in a later part of the rule. In such conditions, the latter part of the rule refers to the derived value using the alias. It is equivalent to storing a value in a variable. It is used along with the any keyword, which compares all the available resources assigned by the alias to match the condition. If the condition matches, true is returned.
Syntax: any resource as a with-attribute {a.attribute1 = "value"}
Example:
servicenow SysProperties should-have any SystemProperty as s with-attribute {s.name = "glide.authenticate.api.user.reset_password.mandatory" and s.value = "true"}
###
Usage: ### keyword is used to indicate that the subsequent text between two such keywords is a comment string, and will be ignored by the system.
Syntax: ### This is a comment ###
Example:
microsoft365 malwarefilterpolicy should-have len(FileTypes) > 0 ### comment here ###
Common Errors
This section outlines errors that may occur when a keyword is used with a property of the wrong data type.
Error Scenario | Incorrect NGL Example | Sample Error Message | Steps to fix the error |
---|---|---|---|
Property is not a list | AzureAD User should-have jobTitle with-element[2] | Error: with-element/with-any-element/with-no-element only supports a property of data type 'list', got 'jobTitle' of type 'string' | Use a property of the list data type. For example: AzureAD User should-have proxyAddresses with-element["2"] |
Property is a list, but the elements of the list cannot be compared to the primitive type | AzureAD User should-have proxyAddresses with-element[2] | Error: 'proxyAddresses' of type 'list | Property must be matched against a value with the same data type. For example: AzureAD User should-have proxyAddresses with-element["0.0.0.0"] |
with-attribute is used for a non-object property or an unlinked resource type | AzureAD User should-have displayName with-attribute {1 = 1} | Error: with-attribute should be used only with a property of type 'object' or a linked resource type, got 'displayName' of type 'string' | Use a property of the object data type or a linked resource. For example: AzureAD User should-have passwordProfile with-attribute {forceChangePasswordNextSignIn = true} |
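
The hierarchical keywords and the type errors in the table above can be modelled in a few lines of Python. This is an added illustration, not NGL's own evaluator or code from the product: the function names, the error wording, the treatment of a missing property as "no match" and the sample USER resource are all assumptions made for the example.

```python
# Added illustration, not NGL's evaluator: semantics are assumed from the
# keyword descriptions and the Common Errors table on this page.
NGL_TYPES = {dict: "object", list: "list", str: "string", bool: "boolean"}

class NGLTypeError(Exception):
    """Keyword applied to a property of the wrong data type."""

def _require(resource, prop, expected, keyword):
    value = resource[prop]
    if not isinstance(value, expected):
        got = NGL_TYPES.get(type(value), type(value).__name__)
        raise NGLTypeError(f"{keyword} expects a property of type "
                           f"'{NGL_TYPES[expected]}', got '{prop}' of type '{got}'")
    return value

def exists(resource, prop):
    return prop in resource

def not_exists(resource, prop):
    return prop not in resource

def with_attribute(resource, prop, condition):
    """prop with-attribute { condition }: prop must be a nested object."""
    if not exists(resource, prop):  # assumption: a missing property never matches
        return False
    return condition(_require(resource, prop, dict, "with-attribute"))

def with_any_element(resource, prop, condition):
    """prop with-any-element [ condition ]: true if any list member matches."""
    if not exists(resource, prop):  # assumption: a missing property never matches
        return False
    members = _require(resource, prop, list, "with-any-element")
    return any(condition(member) for member in members)

# Constructed sample resource, shaped after the AzureAD User examples above.
USER = {"displayName": "Sample User", "jobTitle": "Analyst",
        "userRegistrationDetails": {"methodsRegistered": ["mobilePhone", "email"]},
        "passwordProfile": {"forceChangePasswordNextSignIn": True}}

def phone_method_registered(user):
    """Expression part of the with-any-element example rule on this page."""
    return with_attribute(user, "userRegistrationDetails", lambda details:
        with_any_element(details, "methodsRegistered", lambda m: m == "mobilePhone"))

if __name__ == "__main__":
    # should-not-have: the resource is compliant when the expression is false.
    print("compliant:", not phone_method_registered(USER))
    try:
        with_any_element(USER, "jobTitle", lambda m: m == "2")
    except NGLTypeError as err:
        print("Error:", err)
```
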