PingAuthorize

Adding attributes to an allow list

To restrict the attributes a user can modify to those on an allow list, and to return an error when the user attempts to modify any attribute outside that list, create a constant in the Trust Framework and then use that constant in a policy.

Steps

  1. Create a constant in the Trust Framework.

    1. Go to Trust Framework and then Attributes.

    2. From the menu, select Add new Attribute.

    3. For the name, replace Untitled with allowlistAttributes.

    4. Verify that in the Parent field, no parent is selected. To remove a parent, click the delete icon to the right of the Parent field.

    5. Click Add Resolver and set the Resolver type to Constant.

    6. Set the value of the constant to a set of square brackets that contains a comma-delimited list of the attributes that can be modified.

      For example, to allow the email or userName attributes to be modified, you would set the value of the constant to [email, userName].

      As another example, to allow the user to modify a property or any of its subproperties, you must explicitly list them. So to allow modification of the name field on the default Users pass-through schema, set the value of the constant to [name, name.formatted, name.givenName, name.familyName].

    7. In the Value Settings section, set Type to Collection.

    8. Click Save changes.

  2. Modify or create a policy to use that constant collection.

    1. Go to Policies.

    2. Select a policy or create a new one.

    3. In the Rules section:

      1. Set the Combining Algorithm to Unless one decision is permit, the decision will be deny.

      2. Click Add Rule.

      3. For the name, replace Untitled with Allow only the email and userName attributes.

      4. Set the Effect to Permit.

      5. Under Condition, click Comparison.

      6. In the comparison, compare the constant collection of permitted attributes with the impactedAttributes collection.

        • For the left field, select the allowlistAttributes attribute, which is the constant collection of permitted attributes defined in the beginning.

          You might see the field as shown below. Click the R immediately above Comparison to toggle to attribute selection.

          Screen capture that shows the Condition section with the R toggle

        • Set the middle field (the operator) to Contains.

        • Set the right field to the impactedAttributes attribute.

          If that field has a C before it, click the C to toggle to attribute selection.

          If impactedAttributes is not available, see Restricting the modification of attributes.

    When applied to two collections, the Contains operator returns true if and only if the right-side collection is a subset of the left-side collection. Thus, the rule only returns permit if the set of impactedAttributes is a subset of the list of allowed attributes in allowlistAttributes.
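The following is an added example, not PingAuthorize code, that simulates the rule and combining algorithm described above so the subset semantics can be checked against sample requests. It assumes attribute names are compared as exact strings (which is why sub-properties such as name.givenName must be listed explicitly) and that a rule whose condition does not match yields a Not Applicable decision rather than Deny.

```python
# Added example (not PingAuthorize code): simulator for the allow-list policy.
# Contains on two collections is true iff the right-hand collection is a subset
# of the left-hand one; the "unless one decision is permit, the decision will be
# deny" combining algorithm returns PERMIT only if at least one rule permits.
# Assumption: attribute names are compared as exact strings, and a rule whose
# condition is false evaluates to NOT_APPLICABLE.
from typing import Iterable, List

# Constructed allow-list constants mirroring the examples in the steps above.
ALLOWLIST_SIMPLE = ["email", "userName"]
ALLOWLIST_NAME = ["name", "name.formatted", "name.givenName", "name.familyName"]


def contains(left: Iterable[str], right: Iterable[str]) -> bool:
    """Collection form of the Contains operator: right is a subset of left."""
    return set(right) <= set(left)


def allowlist_rule(allowlist: List[str], impacted: List[str]) -> str:
    """The single rule: Effect Permit when allowlist Contains impactedAttributes;
    otherwise the rule's condition did not match (NOT_APPLICABLE)."""
    return "PERMIT" if contains(allowlist, impacted) else "NOT_APPLICABLE"


def deny_unless_permit(decisions: Iterable[str]) -> str:
    """Combining algorithm: unless one decision is permit, the decision is deny."""
    return "PERMIT" if any(d == "PERMIT" for d in decisions) else "DENY"


def evaluate(allowlist: List[str], impacted: List[str]) -> str:
    """Evaluate a policy that consists of the allow-list rule only."""
    return deny_unless_permit([allowlist_rule(allowlist, impacted)])


if __name__ == "__main__":
    # Only allow-listed attributes touched: permitted.
    print(evaluate(ALLOWLIST_SIMPLE, ["email"]))               # PERMIT
    # Any attribute outside the allow list makes the request a deny.
    print(evaluate(ALLOWLIST_SIMPLE, ["email", "password"]))   # DENY
    # Sub-properties are distinct names: listing only "name" is not enough.
    print(evaluate(["name"], ["name.givenName"]))              # DENY
    print(evaluate(ALLOWLIST_NAME, ["name.givenName", "name.familyName"]))  # PERMIT
    # An empty impactedAttributes collection is a subset of any allow list.
    print(evaluate(ALLOWLIST_SIMPLE, []))                      # PERMIT
```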