PingAuthorize

Tutorial 3: Configuring attribute-based access control for API resources

This tutorial describes how to build and test fine-grained access control (FGAC) policies that restrict access to a protected resource based on attributes of both the resource and the caller.

Scenario

In some data use cases, it is necessary to know both the resource being requested and the requesting user. For example, a counselor can only view the records of students in their department. In the scenario of the meme game, users are allowed to invite their friends or family to like or critique their memes. Because some memes are inappropriate for younger audiences, the city of Youngstown, Ohio passes an ordinance that does not allow you to serve its citizens memes rated for ages 13 and older. You must create a policy to enforce this by checking the city in the user’s profile and the age rating of the shared meme.

Obviously, not all Youngstown residents are young. In a more realistic scenario, we might compare the age of the requesting user to the age rating of the meme. However, computing the user’s age from their date of birth adds unnecessary complexity.

Tasks

This tutorial teaches you how to configure attribute-based application programming interface (API) access control rules by walking you through the following tasks:

  1. Configure a proxy for the Meme Game API.

  2. Create a policy blocking all users from viewing shared memes.

  3. Add policy condition logic to allow users not from Youngstown to view shared memes.

  4. Add policy condition logic to allow users from Youngstown to view shared memes rated for ages under 13.

  5. Add a statement to set the API error response when a policy blocks access.

The following sections provide the details for completing these tasks.

Configuring the API security gateway

This tutorial describes how to use the API security gateway to allow requests to a parameterized endpoint.

Creating a policy based on user credentials

This tutorial describes how to create a policy that acts on information about the user.

Creating a policy based on the API response

This tutorial describes how to create a policy that acts on information about the response received from the API server.

Conclusion

In this tutorial, you allowed users to access the meme game’s shared answers functionality through PingAuthorize. Following a request from government authorities, you blocked users from the town of Youngstown, Ohio from viewing memes intended for audiences aged 13 or older. In doing so, you learned about PingAuthorize’s ability to control access to resources based on attributes of both the requesting user and the resource being requested. You also learned how to use statements to modify response bodies.

You also learned:

  • Policies can apply to outbound upstream server API responses before they are sent to the API client.

  • HttpRequest.ResponseBody is the upstream server API response body before it is sent to the client.

  • Attributes that cannot be resolved for any reason, including processing errors, might impact policy outcomes.

  • PingAuthorize supplies the user profile of the access token subject as the Trust Framework attribute TokenOwner.

  • You must populate the child attributes of the TokenOwner that you want to use in a policy.

  • Many attributes in LDAP are multivalued.

  • Statements are used to modify the API response in some way.

  • In this case, denied-reason was used to set the HTTP status code and message body.
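The decision logic that the five tasks above build up, and the points in this list about unresolved and multivalued attributes, modeled as a small constructed evaluator. This is an added illustration, not PingAuthorize's policy engine or its API: the LDAP locality attribute `l` as the source of the city, the `ageRating` field in the upstream response body, and the 403 message text are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of the tutorial's policy: deny-all on viewing a shared meme,
# two permit conditions, and a denied-reason statement on the deny path.
# Not PingAuthorize code; attribute and field names below are assumptions.

RESTRICTED_CITY = "youngstown"
MAX_RATING_FOR_RESTRICTED_CITY = 13  # ordinance: ages 13 and older may not be served


@dataclass
class Decision:
    permit: bool
    status: int = 200
    body: dict = field(default_factory=dict)


def single_value(attr):
    """LDAP attributes are often multivalued. Collapse a list to its first
    value; treat None or an empty list as an unresolved attribute."""
    if isinstance(attr, (list, tuple)):
        return attr[0] if attr else None
    return attr


def evaluate(token_owner: dict, response_body: dict) -> Decision:
    """token_owner: child attributes of TokenOwner, e.g. {"l": ["Youngstown"]}.
    response_body: HttpRequest.ResponseBody parsed as a dict, e.g. {"ageRating": 13}."""
    city = single_value(token_owner.get("l"))      # 'l' = LDAP locality (assumption)
    rating = response_body.get("ageRating")        # field name is an assumption

    # An attribute that could not be resolved must never widen access: with the
    # city unknown, neither permit condition can be proven, so deny-all stands.
    if city is None:
        return deny()
    # Condition 1: callers not from Youngstown may view any shared meme.
    if city.strip().lower() != RESTRICTED_CITY:
        return Decision(permit=True)
    # Condition 2: Youngstown callers may view memes rated for ages under 13.
    # An unresolved or non-numeric rating falls through to deny.
    if isinstance(rating, int) and rating < MAX_RATING_FOR_RESTRICTED_CITY:
        return Decision(permit=True)
    return deny()


def deny() -> Decision:
    """denied-reason statement: set the HTTP status code and message body."""
    return Decision(permit=False, status=403,
                    body={"status": 403, "message": "Meme not available in your city"})
```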