PingAuthorize

Creating a policy to check consent and then change the server response

Using the Trust Framework attributes and services we created, we now create a policy for the meme game API to get a user’s answers and change the server response with various statements based on the consent status.

About this task

Here is a snippet of an unedited response. It shows the id, type, and attributes attributes.

{
 	"data": [{
                "id": "1",
                "type": "answers",
                "attributes": {
                        "url": "https: //l.imqflip.com/2fm6x.jpq",
                        "captions": ["Still waiting for the bus to Jennie's"],
                        "rating": null,
                        "created_at": "2020-05-e6T22:25:06-00:00"
                }
        },

Steps

  1. Sign on to the Policy Editor, click Policies in the left pane, and then click Policies along the top.

  2. Select the existing meme-game policies policy. The new policy is created under this policy.

  3. From the menu, select Add Policy.

  4. For the name, replace Untitled with Control user’s response to answers request.

  5. Click next to Applies to.

  6. Click Add definitions and targets, or drag from Components and add the meme-game.user_answers service, which we set up in Getting a path component from the request URL. Also, because we want to control the response to the client, add the outbound-GET action.

  7. Set Combining Algorithm to Unless one decision is deny, the decision will be permit.

  8. Add a rule to include attributes.

    1. Click Add Rule.

      1. For the name, replace Untitled with If consent to share status is accepted then include attributes.

      2. Specify the condition.

        1. Click Comparison.

        2. From the Select an Attribute list, select Sharing consent status, which we created in Getting consent status from the consent record.

        3. In the second field, select Equals.

        4. In the third field, type accepted.

      3. Specify the statement.

        1. Click Show Statements.

        2. Click next to Statements.

        3. Click Add Statement > Include Attributes.

          Use this statement to be explicit about which attributes to keep, especially when you have a large set of attributes where you only need a small subset in the response.

          For information about this statement, see Include Attributes.

        4. For the name, replace Untitled with Include id and attributes attribute.

        5. In the Code field, enter include-attributes.

        6. From the Applies To list, select Permit.

        7. In the Payload field, enter the following text to include the id attribute and the attributes attribute but not the type attribute.

          ["data[*].id","data[*].attributes.*"]

        8. Click Save changes.

          The following screen shows the rule.

          Screen capture of rule to compare

          With the policy in place, trying the request again gets a response with the type attribute removed, as shown in the following snippet.

          {
           	"data": [{
                          "attributes": {
                                  "url": "https: //l.imqflip.com/2fm6x.jpq",
                                  "captions": ["Still waiting for the bus to Jennie's"],
                                  "rating": null,
                                  "created_at": "2020-05-e6T22:31:06-00:00"
                          "id": "1",
                          }
                  },
  9. Add a rule to exclude attributes.

    1. Click Add Rule.

      1. For the name, replace Untitled with If consent to share status is revoked then exclude attributes.

      2. Specify the condition.

        1. Click Comparison.

        2. From the Select an Attribute list, select Sharing consent status, which we created in Getting consent status from the consent record.

        3. In the second field, select Equals.

        4. In the third field, type revoked.

      3. Specify the statement.

        1. Click Show Statements.

        2. Click next to Statements.

        3. Click Add Statement > Exclude Attributes.

          Use this statement to be explicit about which attributes to leave out. For example, a third-party client might request banking records; the client does not need account numbers, so give them everything but the account number.

          For information about this statement, see Exclude Attributes.

        4. For the name, replace Untitled with Exclude the id attribute.

        5. In the Code field, enter exclude-attributes.

        6. From the Applies To list, select Anything.

        7. In the Payload field, enter the following text to exclude the id attribute.

          ["data[*].id"]

        8. Click Save changes.

          The following screen shows the rule.

          Screen capture of rule to compare

          With the policy in place, trying the request again gets a response with the id attribute removed, as shown in the following snippet.

          {
           	"data": [{
                          "type": "answers",
                          "attributes": {
                                  "url": "https: //l.imqflip.com/2fm6x.jpq",
                                  "captions": ["Still waiting for the bus to Jennie's"],
                                  "rating": null,
                                  "created_at": "2020-05-e6T22:35:06-00:00"
                          }
                  },

          You can use the Decision Visualiser to see how the decision engine processed the decision. In the Policy Editor, click Policies in the left pane, then click Decision Visualiser along the top, and then click Recent Decisions. Click a decision and follow the green paths to see which policies are executed and which rules are invoked. Click Attributes along the top to see the names and values of attributes that are used in the decision.

  10. Add a rule to modify attributes.

    1. Click Add Rule.

      1. For the name, replace Untitled with If consent to share status is restricted then modify attributes.

      2. Specify the condition.

        1. Click Comparison.

        2. From the Select an Attribute list, select Sharing consent status, which we created in Getting consent status from the consent record.

        3. In the second field, select Equals.

        4. In the third field, type restricted.

      3. Specify the statement.

        1. Click Show Statements.

        2. Click next to Statements.

        3. Click Add Statement > Modify Attributes.

          Use this statement to change attributes. For example, the client might request health records and require all items from a record, such as a social security number, even if partially or fully hidden.

          For information about this statement, see Modify Attributes.

        4. For the name, replace Untitled with Modify all the values in attributes.

        5. In the Code field, enter modify-attributes.

        6. From the Applies To list, select Permit.

        7. In the Payload field, enter the following text to replace all values in the attributes attribute with three dashes.

          {"data[*].attributes.*":"---"}

        8. Click Save changes.

          The following screen shows the rule.

          Screen capture of rule to compare

          With the policy in place, trying the request now gets a response with the id and type attributes unchanged but all the attributes values changed to dashes, as shown in the following snippet.

          {
           	"data": [{
                          "id": "168",
                          "type": "answers",
                          "attributes": {
                                  "url": "---",
                                  "captions": "---",
                                  "rating": "---",
                                  "created_at": "---"
                          }
                  },

Result

The following image shows what the policy applies to and the three rules.

Screen capture of the user policy with the target and the three rules, configured as specified