Tutorial: Creating a policy for role-based access control
This tutorial describes how to create the final policy, which is an access-control rule that can base its authorization decision on an attribute of the requesting identity, rather than on an access token claim.
About this task
When PingAuthorize Server authorizes a request, an access token validator resolves the subject of the access token to a SCIM user and populates a policy request attribute called TokenOwner with the SCIM user's attributes. In this scenario, build a policy around the employeeType attribute, which must be defined in the Trust Framework.
Steps
- Go to Trust Framework and click the Attributes tab. Click TokenOwner.
- Click and then Add new Attribute.
- For the name, replace Untitled with employeeType.
- From the Parent list, select TokenOwner.
- In the Resolvers section:
  - Click Add Resolver.
  - From the Resolver type list, select Attribute, and in the Select an Attribute list, specify a value of TokenOwner.
- Click next to Value Processors and then Add Processor.
- From the Processor list, select JSON Path and enter the value employeeType.
- Set the Value type to Collection.
- In the Value Settings section:
  - Select the Default Value check box and, in the Enter a default value field, enter the value []. An empty array is specified as the default value because not all users have an employeeType attribute. A default value of [] ensures that policies can safely use this attribute to define conditions.
  - From the Type list, select Collection.
- Click Save changes.
Result
The final attribute configuration should resemble the following image.
Next steps
Add a policy that uses the employeeType attribute.
- Go to Policies → Policies.
- Highlight SCIM Policy Set and click and then Add Policy.
- For the name, replace Untitled with Restrict Intern Access.
- From the Combining Algorithm list, select Unless one decision is deny, the decision will be permit.
- Click Add Rule.
- For the name, replace Untitled with Restrict access for interns.
- From the Effect list, select Permit.
- In the Condition section:
  - Click Comparison.
  - In the Select an Attribute list, select TokenOwner.employeeType.
  - From the middle, comparison-type list, select Contains.
  - In the Type in constant value field, enter intern.
- Within the rule, click Show Advice and Obligations and then click the next to Advice and Obligations.
- Click Add Advice → Custom Advice.
- For the name, replace Untitled with Restrict attributes visible to interns.
- Select the Obligatory check box.
- In the Code field, enter exclude-attributes.
- From the Applies To list, select Permit.
- In the Payload field, enter ["description"].
- Click Save changes.
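To see how the attribute default, the Contains rule and the exclude-attributes advice fit together, the following is an added Python model of this tutorial's policy; it is not PingAuthorize code, and the sample SCIM users, the decision strings and the way advice is enforced are constructed assumptions for illustration.

```python
# Constructed sample SCIM users standing in for the TokenOwner policy attribute.
INTERN = {"id": "1", "userName": "intern.jane", "employeeType": ["intern"],
          "description": "Summer intern, engineering"}
EMPLOYEE = {"id": "2", "userName": "bob", "employeeType": ["fullTime"],
            "description": "Senior engineer"}
NO_TYPE = {"id": "3", "userName": "svc.account",
           "description": "Service account with no employeeType attribute"}


def resolve_employee_type(token_owner: dict) -> list:
    """Model of TokenOwner.employeeType: JSON Path 'employeeType' applied to the
    TokenOwner value, typed as a Collection, with [] as the default value."""
    value = token_owner.get("employeeType", [])
    # A single string is normalised into a one-element collection.
    return [value] if isinstance(value, str) else list(value)


def evaluate_policy(token_owner: dict) -> dict:
    """Model of the 'Restrict Intern Access' policy and its single rule:
    Permit when TokenOwner.employeeType contains 'intern', carrying the
    obligatory exclude-attributes advice; otherwise no rule applies.
    Because the default value is [], a user without employeeType never
    raises an error and never matches the rule."""
    if "intern" in resolve_employee_type(token_owner):
        return {"decision": "Permit",
                "advice": [{"code": "exclude-attributes", "obligatory": True,
                            "appliesTo": "Permit", "payload": ["description"]}]}
    return {"decision": "Not Applicable", "advice": []}


def apply_advice(resource: dict, result: dict) -> dict:
    """Enforce exclude-attributes advice (assumed enforcement model): strip the
    attributes named in the payload from the SCIM resource before it is
    returned, but only when the advice applies to the decision reached."""
    filtered = dict(resource)
    for advice in result["advice"]:
        if advice["code"] == "exclude-attributes" and advice["appliesTo"] == result["decision"]:
            for attr in advice["payload"]:
                filtered.pop(attr, None)
    return filtered


def filtered_view(token_owner: dict, resource: dict) -> dict:
    """The SCIM resource as the given token owner would see it."""
    return apply_advice(resource, evaluate_policy(token_owner))
```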