To perform conditional URL evaluation (where there are arguments in the URL that will change and impact the policy decision), a custom policy evaluation plugins needs implementing - http://docs.forgerock.org/en/openam/11.0.0/dev-guide/index/chap-policy-spi.html
Use Case
URL to contain all information required to make a policy decision, but components of the URL vary adding context.
In this example an organisation number prefixs users, whilst the user number suffixes users. A condition should exist where only users who are managers AND managers of the same organisation of the user they're accessing should be allowed.
Manager1, org=123 – http://app.example.com/orgs/123/user/456?action=patchALLOW
Manager2, org=124 - http://app.example.com/orgs/123/user/456?action=patchDENY
Manager2, org=123 - http://app.example.com/orgs/124/user/567?action=patchALLOW
Manager1, org=123 - http://app.example.com/orgs/124/user/567?action=patchDENY
Implementation
Either build out a specific policy plugin, or use the existing community contributed ScriptedCondition plugin which allows for the use of Javascript to build out the condition evaluation. ScriptedCondition is available from the OpenAM trunk source - http://sources.forgerock.org/browse/openam/trunk/community/extensions/ScriptedCondition/README.txt?hb=true
Build the ScriptedCondition.java plugin and compile against the OpenAM core and shared libraries, and add to a policy-plugins.jar, before dropping into the ../openam/WEB-INF/lib directory.
Extensions to the OpenAM services schema are needed to allow for the selection of the new condition type. Follow instructions in the ScriptedCondition README. A restart of Tomcat will result in the ScriptedCondition being available in policy edit screens.
So the above Javascript basically does a compare of the org value that is split from the URL and a session attribute that holds the users organisation value, before returning a true or false back to the condition decision method.