To perform conditional URL evaluation (where there are arguments in the URL that will change and impact the policy decision), a custom policy evaluation plugin needs to be implemented - http://docs.forgerock.org/en/openam/11.0.0/dev-guide/index/chap-policy-spi.html
The URL contains all the information required to make a policy decision, but components of the URL vary, adding context.
In this example an organisation number prefixes users, whilst the user number suffixes users. A condition should exist such that only users who are managers AND belong to the same organisation as the user they are accessing are allowed.
Manager1, org=123 - http://app.example.com/orgs/123/user/456?action=patch ALLOW
Manager2, org=124 - http://app.example.com/orgs/123/user/456?action=patch DENY
Manager2, org=123 - http://app.example.com/orgs/124/user/567?action=patch ALLOW
Manager1, org=123 - http://app.example.com/orgs/124/user/567?action=patch DENY
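The decision rule above, written out as a stand-alone example (added here; it is not the ScriptedCondition code the page refers to, and the Python form is only so it can be run outside OpenAM). It shows the logic that the evaluate() step of such a plugin has to carry out: pull the organisation number out of the URL path, check that the subject is a manager, and compare the organisation numbers as exact strings. The subject attribute names 'org' and 'is_manager', the sample subjects and the request list are constructed for the example; Manager2 is placed in org 124 as in the second row. Any URL whose path does not have the expected /orgs/<org>/user/<user> shape is denied rather than guessed at.

```python
import re
from urllib.parse import urlsplit

# Path shape described on the page: /orgs/<org>/user/<user>. The pattern is anchored
# at both ends so extra path segments or non-numeric ids do not match.
ORG_USER_PATH = re.compile(r"^/orgs/(?P<org>\d+)/user/(?P<user>\d+)/?$")


def org_from_url(url):
    """Return the organisation number in the URL path, or None if the path has an unexpected shape."""
    match = ORG_USER_PATH.match(urlsplit(url).path)
    return match.group("org") if match else None


def evaluate(subject, url):
    """Allow only if the subject is a manager and the URL's organisation equals the subject's.

    `subject` is a dict with constructed attribute names 'org' and 'is_manager'.
    Returns the string "ALLOW" or "DENY".
    """
    target_org = org_from_url(url)
    if target_org is None:
        return "DENY"  # unknown URL shape: fail closed instead of inferring an organisation
    if not subject.get("is_manager", False):
        return "DENY"
    # Exact string comparison: org "12" must not be treated as matching org "123".
    if str(subject.get("org")) != target_org:
        return "DENY"
    return "ALLOW"


# Constructed subjects. The first two mirror the managers in the page's table.
SUBJECTS = {
    "Manager1": {"org": "123", "is_manager": True},
    "Manager2": {"org": "124", "is_manager": True},
    "User3": {"org": "123", "is_manager": False},   # same org, but not a manager
}

# Constructed requests: the page's four rows, plus a non-manager and a malformed path.
REQUESTS = [
    ("Manager1", "http://app.example.com/orgs/123/user/456?action=patch"),
    ("Manager2", "http://app.example.com/orgs/123/user/456?action=patch"),
    ("Manager2", "http://app.example.com/orgs/124/user/567?action=patch"),
    ("Manager1", "http://app.example.com/orgs/124/user/567?action=patch"),
    ("User3", "http://app.example.com/orgs/123/user/456?action=patch"),
    ("Manager1", "http://app.example.com/orgs/123/user/456/extra?action=patch"),
]


def run_examples():
    """Evaluate every constructed request; returns a list of (subject name, url, decision)."""
    return [(name, url, evaluate(SUBJECTS[name], url)) for name, url in REQUESTS]


if __name__ == "__main__":
    for name, url, decision in run_examples():
        print(f"{name:9} {url} -> {decision}")
```

The comparison is deliberately on the raw path returned by urlsplit: the plugin should decide on the resource string it was actually handed, and a path that does not fit the expected shape is denied instead of being normalised into something that might.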
Build the ScriptedCondition.java plugin and compile it against the OpenAM core and shared libraries, add it to a policy-plugins.jar, then drop that jar into the ../openam/WEB-INF/lib directory.
Extensions to the OpenAM services schema are needed to allow for the selection of the new condition type. Follow the instructions in the ScriptedCondition README. After a restart of Tomcat, the ScriptedCondition will be available in the policy edit screens.