PingAuthorize

Use case: Using a SCIM resource type or a policy request action to control behavior

SCIM (System for Cross-domain Identity Management) resource types define a class of resources, such as users or devices. The PingAuthorize Server SCIM service provides a REST API, based on the SCIM 2.0 standard, for data stored in external datastores.

The SCIM service translates each SCIM request or response into one or more policy requests to the policy decision point (PDP).

These policy requests have an action value that you can reference in the policies you write to deny or permit the action.

For more background information, see About the SCIM service.

For more information about actions, see SCIM policy requests.

This feature is useful for:

  • Data control

  • Information security

  • Resource management

Example scenarios include:

  • A bank that wants to prevent delete operations on its client profiles

  • A health care system that should only allow the creation of new patient records and should not allow the modification of existing patient records

  • A university system that only allows the retrieval of student information from the student’s defined department; the system can modify the information differently based on the department
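
The three scenarios above, as an added example: a simplified Python model of how a SCIM operation becomes a policy request whose service and action drive the decision. This is not PingAuthorize code or policy syntax; the resource type names, the attribute names, and the method-to-action mapping are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed mapping from SCIM HTTP methods to policy request action values.
ACTIONS = {"POST": "create", "GET": "retrieve", "PUT": "modify",
           "PATCH": "modify", "DELETE": "delete"}

@dataclass(frozen=True)
class PolicyRequest:
    service: str                      # SCIM resource type, e.g. "ClientProfiles"
    action: str                       # value a policy can test
    attributes: dict = field(default_factory=dict)

def to_policy_request(method, path, attributes=None):
    """Translate e.g. DELETE /scim/v2/ClientProfiles/42 into a policy request."""
    parts = path.strip("/").split("/")
    if len(parts) < 3 or parts[:2] != ["scim", "v2"]:
        raise ValueError("not a SCIM resource path: " + path)
    if method not in ACTIONS:
        raise ValueError("unsupported method: " + method)
    return PolicyRequest(parts[2], ACTIONS[method], attributes or {})

def same_department(req):
    # A missing attribute never matches, so incomplete requests are not permitted.
    dept = req.attributes.get("requester_dept")
    return dept is not None and dept == req.attributes.get("student_dept")

# (service, condition, decision); resource type names are hypothetical.
RULES = [
    ("ClientProfiles", lambda r: r.action == "delete", "DENY"),    # bank
    ("ClientProfiles", lambda r: True, "PERMIT"),
    ("PatientRecords", lambda r: r.action == "create", "PERMIT"),  # health care
    ("Students", lambda r: r.action == "retrieve" and same_department(r),
     "PERMIT"),                                                    # university
]

def decide(req):
    """Deny overrides permit; a request no rule permits is denied by default."""
    matched = [d for svc, cond, d in RULES if svc == req.service and cond(req)]
    if "DENY" in matched:
        return "DENY"
    return "PERMIT" if "PERMIT" in matched else "DENY"

if __name__ == "__main__":
    # Constructed sample requests.
    for method, path in [("DELETE", "/scim/v2/ClientProfiles/42"),
                         ("POST", "/scim/v2/PatientRecords"),
                         ("PATCH", "/scim/v2/PatientRecords/7")]:
        print(method, path, "->", decide(to_policy_request(method, path)))
```

The default-deny fallback means a resource type with no matching rule is refused rather than silently allowed.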

In this use case, we define services in the Trust Framework. We then create policies that use those services or policy request actions to control various operations. The following topics cover these tasks.