PingAuthorize

Creating a policy to restrict the ability to delete based on resource type

This policy restricts the ability to delete resources of a given resource type. It targets the delete action and denies that action when the resource type is Devices.

Steps

  1. In the Policy Editor, go to Policies in the left pane and then click Policies along the top.

  2. From the menu, select Add Policy.

  3. For the name, replace Untitled with User cannot delete a Device resource.

  4. Click the icon next to Applies to.

  5. Click Add definitions and targets, or drag from Components and add the delete action.

  6. Set Combining Algorithm to Unless one decision is deny, the decision will be permit.

    You should have a screen similar to the following one for the policy so far.

    Screen capture of the Policies tab showing the User cannot delete a Device resource policy, configured as specified

  7. Add a rule to deny the deletion of Device resources.

    1. Click Add Rule.

    2. For the name, replace Untitled with If the SCIM resource type is Device, then deny.

    3. Set Effect to Deny.

    4. Click Comparison.

    5. In the Select an Attribute list, select the SCIM2.resource.meta.resourceType attribute.

    6. In the second field, select Equals.

    7. In the third field, specify Devices as the constant.

    8. Add advice to provide a custom message.

      1. Within the rule, click Show Advice and Obligations.

      2. Click the icon next to Advice and Obligations.

      3. Click Add Advice → Denied Reason.

      4. For the name, specify denied-reason.

      5. Set Applies To to Deny.

      6. In the Payload field:

        • Remove

          Example:

        • Change

          Human-readable error message

          to

          System has restricted the ability to delete Device resources

    9. Click Save changes.

      Your rule should be similar to the following one.

      Screen capture of the rule to deny the deletion of Device resources, configured as specified

  8. Send test requests to the SCIM service and verify data using the Policy Editor’s Decision Visualiser.
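
The decisions to expect in the Decision Visualiser can be reasoned about with a small model of the policy configured above. This is an added example, not PingAuthorize code: the evaluate() and request() helpers, the request layout and the sample requests are constructed for illustration, and it assumes that Equals is an exact string match and that a policy whose Applies to target does not match returns Not Applicable.

```python
# Simplified model of the policy built in the steps above. Added illustration,
# not PingAuthorize's decision engine; evaluate(), request() and the request
# dict layout are hypothetical.
PERMIT, DENY, NOT_APPLICABLE = "PERMIT", "DENY", "NOT_APPLICABLE"

POLICY = {
    "name": "User cannot delete a Device resource",
    "applies_to_action": "delete",          # step 5: target is the delete action
    "combining": "permit-unless-deny",      # step 6: permit unless one rule denies
    "rules": [{
        "name": "If the SCIM resource type is Device, then deny",
        "effect": DENY,
        "attribute": "SCIM2.resource.meta.resourceType",
        "equals": "Devices",                # constant from the rule's third field
        "advice": {"denied-reason":
                   "System has restricted the ability to delete Device resources"},
    }],
}


def evaluate(policy, req):
    """Return (decision, advice) for one request under the modelled policy."""
    # A policy whose target does not match contributes no decision at all.
    if req.get("action") != policy["applies_to_action"]:
        return NOT_APPLICABLE, {}
    for rule in policy["rules"]:
        # Assumption: Equals is an exact string match on the attribute value.
        if req["attributes"].get(rule["attribute"]) == rule["equals"]:
            if rule["effect"] == DENY:
                # A single Deny decides the policy; advice whose Applies To is
                # Deny travels with that decision.
                return DENY, rule["advice"]
    # No rule denied, so the combining algorithm yields Permit.
    return PERMIT, {}


def request(action, resource_type):
    """Build a constructed sample request for the model."""
    return {"action": action,
            "attributes": {"SCIM2.resource.meta.resourceType": resource_type}}


if __name__ == "__main__":
    # Constructed test matrix: the denied case, another resource type, another
    # action, and a near-miss on the constant (Device instead of Devices).
    for action, rtype in [("delete", "Devices"), ("delete", "Users"),
                          ("retrieve", "Devices"), ("delete", "Device")]:
        print(action, rtype, "->", evaluate(POLICY, request(action, rtype)))
```

In the model, a delete whose resource type differs from the constant in any way is permitted, and non-delete actions fall through to whatever other policies are in place, so test requests should cover those cases as well as the denied one.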