PingAuthorize

Adding a policy for the Create Game endpoint

Now that we have confirmed that PingAuthorize Server is correctly configured to act as a reverse proxy to the Meme Game API, we can define a policy to try out its access control capabilities. This policy will permit or deny a request to create a game based on the identity making the request.

About this task

First, we define a service in the Trust Framework. Services have various uses, but at their most basic level, you use them to define a specific API that can be governed by your policies. By defining different services in your Trust Framework, you can target each policy specifically to their applicable APIs.

Then, we define a policy. This policy will reject any request to start a new meme game if the user's identifier ends with @example.com. We will identify users by the subject of the request's access token.

Steps

  1. Define the service.

    1. Sign on to the Policy Editor using the URL and credentials from Accessing the GUIs.

    2. Go to Trust Framework and click Services.

    3. From the menu, select Add new Service.

    4. For the name, replace Untitled with Meme Game - Games.

      The service name must match the endpoint name. To understand why, see For further consideration: The PingAuthorize API security gateway, part 2.

    5. Verify that in the Parent field, no parent is selected.

      To remove a parent, click the delete icon to the right of the Parent field.

      Screen capture of the Service definition screen for Meme Game - Games with the Parent field blank
    6. Click Save changes.

  2. Define the policy.

    1. In the Policy Editor, go to Policies in the left pane and then click Policies along the top.

    2. Select Global Decision Point.

    3. From the menu, select Add Policy.

    4. For the name, replace Untitled with Users starting a new game.

    5. Click next to Applies to.

    6. In the upper-right corner of the left pane, click Components. This reveals a tree of items to target the policy and restrict the types of requests to which the policy applies.

    7. From the Actions list, drag inbound-POST to the Add definitions and targets, or drag from Components box.

    8. From the Services list, drag Meme Game - Games to the Add definitions and targets, or drag from Components box.

      Using these components restricts the policy to incoming POST requests and the Meme Game - Games service.

    9. Set the Combining Algorithm to Unless one decision is deny, the decision will be permit.

    10. Click Add Rule. This reveals an interface to define a condition. Define the rule as follows.

      1. For the name, replace Untitled with Deny if token subject ends with @example.com.

      2. For Effect, select Deny.

      3. Specify the condition.

        1. Click Comparison.

        2. From the Select an Attribute list, select HttpRequest.AccessToken.subject.

        3. In the second field, select Ends With.

        4. In the third field, type @example.com.

          The following screen shows the rule.

          Screen capture of the rule definition with a rule condition targeting subjects that end with @example.com
    11. Click Save changes.

      For more information about API security gateway processing, see For further consideration: The PingAuthorize API security gateway, part 2.
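The following is an added illustration, not PingAuthorize code: it models how the policy built above reaches a decision so that you can reason about its edge cases before testing against the gateway. The attribute and component names (inbound-POST, Meme Game - Games, HttpRequest.AccessToken.subject, the combining algorithm) are the ones from the steps; the Request structure, the function names, and the assumption that Ends With is a case-sensitive string comparison are this example's own.

```python
"""Model of the 'Users starting a new game' policy (added example, not product code)."""
from dataclasses import dataclass
from typing import Optional

PERMIT, DENY, NOT_APPLICABLE = "PERMIT", "DENY", "NOT_APPLICABLE"

# Targets chosen in the "Applies to" step.
TARGET_ACTION = "inbound-POST"
TARGET_SERVICE = "Meme Game - Games"   # must match the Trust Framework service name


@dataclass(frozen=True)
class Request:
    """Constructed stand-in for the attributes a real policy request carries."""
    action: str                     # e.g. "inbound-POST", "inbound-GET"
    service: str                    # service resolved from the gateway endpoint
    token_subject: Optional[str]    # HttpRequest.AccessToken.subject; None if absent


def rule_deny_example_com(req: Request) -> str:
    """Rule 'Deny if token subject ends with @example.com' (Effect: Deny).

    Assumption: the Ends With comparison is a plain, case-sensitive
    string check, and a missing subject cannot match anything.
    """
    subject = req.token_subject
    if subject is not None and subject.endswith("@example.com"):
        return DENY
    return NOT_APPLICABLE


def policy_users_starting_new_game(req: Request) -> str:
    """Evaluate the policy: targets first, then the rules under the
    combining algorithm 'Unless one decision is deny, the decision will be permit'."""
    if req.action != TARGET_ACTION or req.service != TARGET_SERVICE:
        return NOT_APPLICABLE          # policy does not apply to this request
    rule_decisions = [rule_deny_example_com(req)]
    if DENY in rule_decisions:
        return DENY
    return PERMIT                      # no rule denied, so the policy permits


if __name__ == "__main__":
    samples = [
        Request("inbound-POST", TARGET_SERVICE, "alice@example.com"),
        Request("inbound-POST", TARGET_SERVICE, "bob@example.org"),
        Request("inbound-POST", TARGET_SERVICE, "admin@notexample.com"),
        Request("inbound-POST", TARGET_SERVICE, "alice@EXAMPLE.COM"),
        Request("inbound-POST", TARGET_SERVICE, None),
        Request("inbound-GET", TARGET_SERVICE, "alice@example.com"),
        Request("inbound-POST", "Meme Game - Players", "alice@example.com"),
    ]
    for r in samples:
        print(f"{r.action:13} {r.service:20} {str(r.token_subject):22} -> "
              f"{policy_users_starting_new_game(r)}")
```

Two of the constructed cases are worth noticing when you test the real policy. Because the rule uses Ends With on "@example.com" (with the "@"), a subject such as admin@notexample.com is not caught, which is the intended anchoring. Under this model's case-sensitive assumption, alice@EXAMPLE.COM is permitted, and a request with no subject at all is also permitted, since the policy contains only a Deny rule and the combining algorithm falls through to Permit; check how your token validation and comparison settings behave before relying on a deny-only policy in production.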