PingAuthorize

Tutorial: Creating the policy tree

This tutorial describes how to create a tree structure and ensure that your policies apply only to SCIM requests.

About this task

The default policies include the policy named Token Validation. In the PingAuthorize Policy Editor, you can find this policy under Global Decision Point. This policy denies any request using an access token if the token’s active flag is set to false. This policy is augmented with a set of scope-based access control policies.

Steps

  1. To create the tree structure, perform the following steps:

    1. Sign on to the PingAuthorize Policy Editor using the URL and credentials from Accessing the GUIs.

    2. Click Policies.

    3. Select Global Decision Point.

    4. From the menu, select Add Policy Set.

    5. For the name, replace Untitled with SCIM Policy Set.

    6. In the Policies section, set the Combining algorithm to A single deny will override any permit decisions.

      A combining algorithm determines the manner in which the policy set resolves potentially contending decisions from child policies.

    7. Click Applies to.

    8. Click Components.

    9. From the Services list, drag SCIM2 to the Add definitions and targets, or drag from Components box.

      This step ensures that policies in the SCIM policy set apply only to SCIM requests.

    10. Click Save changes.

      Result:

      You should have a screen like the following.

      scim policy set progress
  2. To add a branch under the SCIM policy set to hold SCIM-specific access token policies, go from Components to Policies and perform the following steps:

    1. Select SCIM Policy Set.

    2. From the menu, select Add Policy Set.

    3. For the name, replace Untitled with Token Policies.

    4. In the Policies section, set the Combining algorithm to A single deny will override any permit decisions.

    5. Click Save changes.

  3. To add another branch that holds a policy specific to access token scopes, perform the following steps:

    1. Select Token Policies.

    2. From the menu, select Add Policy Set.

    3. For the name, replace Untitled with Scope Policies.

    4. In the Policies section, set the Combining algorithm to Unless one decision is permit, the decision will be deny.

    5. Click Save changes.

      Result:

      After creating the new branches, they should look like the following.

      Screen capture of the Scope Policies policy set with the Combining Algorithm configured as specified