Adding attributes to an allow list
To allow the user to modify a set of attributes limited to an allow list and return an error if the user attempts to modify any attribute outside of the allow list, create a constant in the Trust Framework and then use the constant in a policy.
Steps
-
Create a constant in the Trust Framework.
-
Go to Trust Framework and then Attributes.
-
From the menu, select Add new Attribute.
-
For the name, replace Untitled with
allowlistAttributes
. -
Verify that in the Parent field, no parent is selected. To remove a parent, click the delete icon to the right of the Parent field.
-
Click Add Resolver and set the Resolver type to Constant.
-
Set the value of the constant to a set of square brackets that contains a comma-delimited list of the attributes that can be modified.
For example, to allow the
email
oruserName
attributes to be modified, you would set the value of the constant to[email, userName]
.As another example, to allow the user to modify a property or any of its subproperties, you must explicitly list them. So to allow modification of the
name
field on the default Users pass-through schema, set the value of the constant to[name, name.formatted, name.givenName, name.familyName]
. -
In the Value Settings section, set Type to Collection.
-
Click Save changes.
-
-
Modify or create a policy to use that constant collection.
-
Go to Policies.
-
Select a policy or create a new one.
-
In the Rules section:
-
Set the Combining Algorithm to Unless one decision is permit, the decision will be deny.
-
Click Add Rule.
-
For the name, replace Untitled with
Allow only the email and userName attributes
. -
Set the Effect to Permit.
-
Under Condition, click Comparison.
-
In the comparison, we want to compare the constant collection of permitted attributes to the
impactedAttributes
collection.-
For the left field, select the
allowlistAttributes
attribute, which is the constant collection of permitted attributes defined in the beginning.You might see the field as shown below. Click the R immediately above Comparison to toggle to attribute selection.
-
Set the middle field (the operator) to Contains.
-
Set the right field to the
impactedAttributes
attribute.If that field has a C before it, click the C to toggle to attribute selection.
If
impactedAttributes
is not available, see Restricting the modification of attributes.
-
-
When applied to two collections, the Contains operator returns true if and only if the right-side collection is a subset of the left-side collection. Thus, the rule only returns
permit
if the set ofimpactedAttributes
is a subset of the list of allowed attributes inallowlistAttributes
. -