Creating a policy to control the set of actions for a specific resource
For a given resource, control the outcomes (deny or permit) of actions on the resource. In particular, the policy focuses on the Users resource and then denies deletes but permits retrieves.
Steps
- In the Policy Editor, go to Policies in the left pane and then click Policies along the top.
- From the menu, select Add Policy.
- For the name, replace Untitled with "Control actions for the User resource".
- Click the icon next to Applies to.
- Click Add definitions and targets, or drag from Components and add the SCIM2.Users service.
- Set Combining Algorithm to "Unless one decision is deny, the decision will be permit".
  You should have a screen similar to the following one for the policy so far.
- Add a rule to deny the deletion of User resources.
  - Click Add Rule.
  - For the name, replace Untitled with "Action: delete".
  - Set Effect to Deny.
  - Click Comparison.
  - In the first field, click the A to toggle to an R, and from that field's drop-down list, select Action.
  - In the second field, select Equals.
  - In the third field, select the delete action.
  - Add a statement to provide a custom message.
    - Within the rule, click Show Statements.
    - Click the icon next to Statements.
    - Click Add Statement → Denied Reason.
    - For the name, specify "denied-reason".
    - Set Applies To to Deny.
    - In the Payload field:
      - Remove "Example:".
      - Change "Human-readable error message" to "System has restricted the ability to delete User resources".
  - Click Save changes.
  Your rule should be similar to the following one.
- Add a rule to permit the retrieval of User resources.
  - Click Add Rule.
  - For the name, replace Untitled with "Action: retrieve".
  - Set Effect to Permit.
  - Click Comparison.
  - In the first field, click the A to toggle to an R, and from that field's drop-down list, select Action.
  - In the second field, select Equals.
  - In the third field, select the retrieve action.
  - Click Save changes.
  Your rule should be similar to the following one.
- Send test requests to the SCIM service, and verify data using the Policy Editor's Decision Visualiser.
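Before sending test requests, it helps to know what outcome to expect for each action. The following Python block is an added example, not part of this page or of the Policy Editor product: it is an offline model of the policy built above (two rules on the SCIM2.Users service under the "Unless one decision is deny, the decision will be permit" combining algorithm) written from the algorithm's stated description, not from the real decision engine. The `Request`, `Rule`, `Decision` types, the `evaluate_permit_unless_deny` and `decide` functions, the "NotApplicable" outcome for a non-matching service, and the sample actions other than delete and retrieve (such as "create") are all assumptions made for illustration.

```python
"""Offline model of a 'permit unless deny' policy with two rules (added example).

Assumption: a rule whose comparison matches contributes its Effect; if any
contribution is Deny the policy decides Deny, otherwise it decides Permit.
The real engine may differ; use the Decision Visualiser for the actual result.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed name for the service the policy applies to (from the page).
TARGET_SERVICE = "SCIM2.Users"


@dataclass
class Request:
    service: str   # e.g. "SCIM2.Users"
    action: str    # e.g. "delete", "retrieve"


@dataclass
class Rule:
    name: str
    effect: str                              # "Permit" or "Deny"
    condition: Callable[[Request], bool]     # the Comparison on Action
    denied_reason: Optional[str] = None      # Denied Reason statement payload (Applies To: Deny)


@dataclass
class Decision:
    outcome: str                             # "Permit", "Deny" or "NotApplicable" (assumed label)
    matched_rules: List[str] = field(default_factory=list)
    denied_reason: Optional[str] = None


def evaluate_permit_unless_deny(request: Request, service: str, rules: List[Rule]) -> Decision:
    """Model of 'Unless one decision is deny, the decision will be permit'."""
    # The policy only applies to its target service; anything else is out of scope.
    if request.service != service:
        return Decision("NotApplicable")

    matched: List[str] = []
    deny_reason: Optional[str] = None
    denied = False
    for rule in rules:
        if not rule.condition(request):
            continue
        matched.append(rule.name)
        if rule.effect == "Deny":
            denied = True
            # The Denied Reason statement is attached only when the outcome is Deny.
            if deny_reason is None:
                deny_reason = rule.denied_reason

    if denied:
        return Decision("Deny", matched, deny_reason)
    # No matching rule denied, so the combining algorithm yields Permit,
    # even when no rule matched at all.
    return Decision("Permit", matched)


# The two rules from the procedure above.
RULES = [
    Rule(
        name="Action: delete",
        effect="Deny",
        condition=lambda r: r.action == "delete",
        denied_reason="System has restricted the ability to delete User resources",
    ),
    Rule(
        name="Action: retrieve",
        effect="Permit",
        condition=lambda r: r.action == "retrieve",
    ),
]


def decide(action: str, service: str = TARGET_SERVICE) -> Decision:
    """Evaluate one test request against the modelled policy."""
    return evaluate_permit_unless_deny(Request(service, action), TARGET_SERVICE, RULES)


if __name__ == "__main__":
    # Constructed sample requests; "create" stands in for any action with no rule.
    for action in ("delete", "retrieve", "create"):
        d = decide(action)
        print(f"{action:9s} -> {d.outcome:7s} matched={d.matched_rules} reason={d.denied_reason}")
```

The third sample request is the one worth carrying into the Decision Visualiser: under this combining algorithm an action that matches neither rule is still permitted, so in this model the retrieve rule does not change any outcome, and only the delete rule actually restricts anything. If the intent is to allow retrieve and nothing else, test the other SCIM actions explicitly rather than only delete and retrieve.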