PingAuthorize

Filter Response

Use filter-response to direct PingAuthorize Server to invoke policy iteratively over each item of a JSON array contained within an API response.

Description Details

Applicable to

PERMIT decisions from the gateway, although you cannot apply Filter Response statements directly to a SCIM search. However, the SCIM service performs similar processing automatically when it handles a search result. For every candidate resource in a search result, the SCIM service makes a policy request for the resource with an Action value of retrieve.

Additional information

When presented with a request to permit or deny a multivalued response body, Filter Response statements allow policies to require that a separate policy request be made to determine whether the client can access each individual resource that a JSON array returns.

The following list identifies the fields of the JSON object that represents the payload for this statement.

Path

JSONPath to an array within the API’s response body. The statement implementation iterates over the nodes in this array and makes a policy request for each node. This field is required.

Action

Value to pass as the action parameter on subsequent policy requests. If no value is specified, the action from the parent policy request is used. This field is optional.

Service

Value to pass as the service parameter on subsequent policy requests. If no value is specified, the service value from the parent policy request is used. This field is optional.

ResourceType

Type of object contained by each JSON node in the array, selected by the Path field. On each subsequent policy request, the contents of a single array element pass to the policy decision point as an attribute with the name that this field specifies. If no value is specified, the resource type of the parent policy request is used. This field is optional.

On each policy request, if policy returns a deny decision, the relevant array node is removed from the response. If the policy request returns a permit decision with additional statements, the statements are fulfilled within the context of the request. For example, this statement allows the policy to decide whether to exclude or obfuscate particular attributes for each array item.

For a response object that contains complex data, including arrays of arrays, this statement type can descend through the JSON content of the response.

Performance might degrade as the total number of policy requests increases.