---
title: Adding attributes to an allow list
description: To allow the user to modify a set of attributes limited to an allow list and return an error if the user attempts to modify any attribute outside of the allow list, create a constant in the Trust Framework and then use the constant in a policy.
component: pingauthorize
version: 11.0
page_id: pingauthorize:pingauthorize_policy_administration_guide:paz_whitelisting_attrs
canonical_url: https://docs.pingidentity.com/pingauthorize/11.0/pingauthorize_policy_administration_guide/paz_whitelisting_attrs.html
revdate: July 10, 2023
section_ids:
  steps: Steps
---

# Adding attributes to an allow list

To allow the user to modify a set of attributes limited to an allow list and return an error if the user attempts to modify any attribute outside of the allow list, create a constant in the Trust Framework and then use the constant in a policy.

## Steps

1. Create a constant in the Trust Framework.

   1. Go to **Trust Framework** and then **Attributes**.

   2. From the **+** menu, select **Add new Attribute**.

   3. For the name, replace **Untitled** with `allowlistAttributes`.

   4. Verify that in the **Parent** field, no parent is selected. To remove a parent, click the delete icon to the right of the **Parent** field.

   5. Click **+ Add Resolver** and set the **Resolver type** to **Constant**.

   6. Set the value of the constant to a set of square brackets that contains a comma-delimited list of the attributes that can be modified.

      For example, to allow the `email` or `userName` attributes to be modified, you would set the value of the constant to `[email, userName]`.

      As another example, to allow the user to modify a property or any of its subproperties, you must explicitly list them. So to allow modification of the `name` field on the default Users pass-through schema, set the value of the constant to `[name, name.formatted, name.givenName, name.familyName]`.

   7. In the **Value Settings** section, set **Type** to **Collection**.

   8. Click **Save changes**.

2. Modify or create a policy to use that constant collection.

   1. Go to **Policies**.

   2. Select a policy or create a new one.

   3. In the **Rules** section:

      1. Set the **Combining Algorithm** to **Unless one decision is permit, the decision will be deny**.

      2. Click **+ Add Rule**.

      3. For the name, replace **Untitled** with `Allow only the email and userName attributes`.

      4. Set the **Effect** to **Permit**.

      5. Under **Condition**, click **+ Comparison**.

      6. In the comparison, compare the constant collection of permitted attributes to the `impactedAttributes` collection:

         * For the left field, select the `allowlistAttributes` attribute, which is the constant collection of permitted attributes that you created in step 1.

           You might see the field as shown below. Click the **R** immediately above **+ Comparison** to toggle to attribute selection.

           ![Screen capture that shows the Condition section with the R toggle](_images/zwg1585841925352.png)

         * Set the middle field (the operator) to **Contains**.

         * Set the right field to the `impactedAttributes` attribute.

           If that field has a **C** before it, click the **C** to toggle to attribute selection.

           Note: If `impactedAttributes` is not available, see [Restricting the modification of attributes](paz_restrict_attrs_mod.html).

   When applied to two collections, the **Contains** operator returns true if and only if the right-side collection is a subset of the left-side collection. Thus, the rule returns `permit` only if the set of `impactedAttributes` is a subset of the allowed attributes in `allowlistAttributes`. Any request that touches an attribute outside the allow list produces no permit, so the combining algorithm denies it.
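
The following Python sketch is an added illustration, not PingAuthorize code. It models the rule and combining algorithm described above so you can check an allow-list constant against sample requests before deploying it. The function names and the exact, case-sensitive string matching are assumptions of this model.

```python
from __future__ import annotations

# Added illustration: a model of the rule above, not PingAuthorize's engine.
# Assumption: attribute names are compared as exact, case-sensitive strings.


def parse_collection(constant: str) -> frozenset[str]:
    """Parse a constant written as '[a, b, c]' into a set of attribute names."""
    text = constant.strip()
    if not (text.startswith("[") and text.endswith("]")):
        raise ValueError("collection constant must be wrapped in [ ]")
    return frozenset(p.strip() for p in text[1:-1].split(",") if p.strip())


def contains(left, right) -> bool:
    """Contains on two collections: true iff right is a subset of left."""
    return set(right) <= set(left)


def evaluate(allowlist_constant: str, impacted_attributes) -> tuple[str, list[str]]:
    """Model the single Permit rule under 'unless one decision is permit, deny'.

    Returns the decision and the impacted attributes outside the allow list.
    """
    allowed = parse_collection(allowlist_constant)
    # The rule contributes a permit only when its Contains condition holds.
    rule_decisions = ["permit"] if contains(allowed, impacted_attributes) else []
    decision = "permit" if "permit" in rule_decisions else "deny"
    rejected = sorted(set(impacted_attributes) - allowed)
    return decision, rejected


if __name__ == "__main__":
    # The constants come from the steps; the requests are constructed samples.
    basic = "[email, userName]"
    with_name = "[name, name.formatted, name.givenName, name.familyName]"
    samples = [
        (basic, ["email"]),
        (basic, ["email", "password"]),
        ("[name]", ["name.givenName"]),  # subproperty not listed explicitly
        (with_name, ["name", "name.givenName"]),
    ]
    for constant, impacted in samples:
        print(constant, impacted, "->", evaluate(constant, impacted))
```

The third sample shows why subproperties must be listed explicitly: in this model, a constant of `[name]` alone does not cover `name.givenName`.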
