PingAuthorize

Tutorial: Creating a policy for role-based access control

This tutorial describes how to create the final policy, which is an access-control rule that can base its authorization decision on an attribute of the requesting identity, rather than on an access token claim.

About this task

When PingAuthorize Server authorizes a request, an access token validator resolves the subject of the access token to a SCIM user and populates a policy request attribute called TokenOwner with the SCIM user’s attributes. In this scenario, build a policy around the employeeType attribute, which must be defined in the Trust Framework.

Steps

  1. Go to Trust Framework and click the Attributes tab. Click TokenOwner.

  2. Click and then Add new Attribute.

  3. For the name, replace Untitled with employeeType.

  4. From the Parent list, select TokenOwner.

  5. In the Resolvers section:

    1. Click Add Resolver.

    2. From the Resolver type list, select Attribute and in the Select an Attribute list, specify a value of TokenOwner.

  6. Click next to Value Processors and then Add Processor.

  7. From the Processor list, select JSON Path and enter the value employeeType.

  8. Set the Value type to Collection.

  9. In the Value Settings section:

    1. Select the Default Value check box and in the Enter a default value field, enter the value [].

      An empty array is specified as the default value because not all users have an employeeType attribute. A default value of [] ensures that policies can safely use this attribute to define conditions.

    2. From the Type list, select Collection.

  10. Click Save changes.

Result

The final attribute configuration should resemble the following image.

A screen capture of the employeeType attribute window with Parent configured as TokenOwner and Resolvers, Value Processors, and Value Settings configured as specified

Next steps

Add a policy that uses the employeeType attribute.

  1. Go to Policies → Policies.

  2. Highlight SCIM Policy Set and click and then Add Policy.

  3. For the name, replace Untitled with Restrict Intern Access.

  4. From the Combining Algorithm list, select Unless one decision is deny, the decision will be permit.

  5. Click Add Rule.

  6. For the name, replace Untitled with Restrict access for interns.

  7. From the Effect list, select Permit.

  8. In the Condition section:

    1. Click Comparison.

    2. In the Select an Attribute list, select TokenOwner.employeeType.

    3. From the middle, comparison-type list, select Contains.

    4. In the Type in constant value field, enter intern.

  9. Within the rule, click Show Advice and Obligations and then click the next to Advice and Obligations.

  10. Click Add Advice → Custom Advice.

  11. For the name, replace Untitled with Restrict attributes visible to interns.

  12. Select the Obligatory check box.

  13. In the Code field, enter exclude-attributes.

  14. From the Applies To list, select Permit.

  15. In the Payload field, enter ["description"].

  16. Click Save changes.

A screen capture of the Restrict Intern Access policy window with the Combining Algorithm and one rule with advice, both configured as specified