PingAuthorize

Creating a policy to dynamically modify a resource based on the SCIM resource type

Given an attribute defined in multiple resource types, modify the attribute differently depending on the resource type. In particular, this policy focuses on the retrieve action and changes the cn attribute to one value for the Users resource type and to another value for the Devices resource type.

Steps

  1. In the Policy Editor, go to Policies in the left pane and then click Policies along the top.

  2. From the menu, select Add Policy.

  3. For the name, replace Untitled with Modify cn attribute based on the resource type.

  4. Click the icon next to Applies to.

  5. Click Add definitions and targets, or drag from Components and add the retrieve action.

  6. Set Combining Algorithm to Unless one decision is deny, the decision will be permit.

    You should have a screen similar to the following one for the policy so far.

    Screen capture of the Policies tab showing the Modify cn attribute based on the resource type policy, configured as specified

  7. Add a rule for the Users resource.

    1. Click Add Rule.

    2. For the name, replace Untitled with If resource type is Users.

    3. Click Comparison.

    4. From the Select an Attribute list, select the SCIM2.resource.meta.resourceType attribute.

    5. In the second field, select Equals.

    6. In the third field, specify Users as the constant.

    7. Add statements to modify attributes.

      1. Within the rule, click Show Statements.

      2. Click the icon next to Statements.

      3. Click Add Statement → Modify Attributes.

      4. For the name, specify Modify cn for users resource.

      5. Set Applies To to Permit.

      6. Set the Payload field to {"cn":"USERS_MOD"}.

    8. Click Save changes.

      Your rule should be similar to the following one.

      Screen capture of the rule for the Users resource, configured as specified

  8. Add a rule for the Devices resource.

    1. Click Add Rule.

    2. For the name, replace Untitled with If resource type is Devices.

    3. Click Comparison.

    4. From the Select an Attribute list, select the SCIM2.resource.meta.resourceType attribute.

    5. In the second field, select Equals.

    6. In the third field, specify Devices as the constant.

    7. Add statements to modify attributes.

      1. Within the rule, click Show Statements.

      2. Click the icon next to Statements.

      3. Click Add Statement → Modify Attributes.

      4. For the name, specify Modify cn for devices resource.

      5. Set Applies To to Permit.

      6. Set the Payload field to {"cn":"DEVICES_MOD"}.

    8. Click Save changes.

      Your rule should be similar to the following one.

      Screen capture of the rule for the Devices resource, configured as specified

  9. Send test requests to the SCIM service, and verify data using the Policy Editor’s Decision Visualiser.
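
The following is an added example, not PingAuthorize code or part of the original procedure: a small Python model of this policy, evaluated in isolation, that computes the response expected for each resource type and checks a response captured in step 9 against it. The function names and sample resources are constructed, and the model assumes that a rule permits when its comparison matches and is otherwise not applicable, and that a Modify Attributes payload overwrites the named top-level attributes.

```python
import json

# Rules from steps 7 and 8: (name, resourceType constant, Modify Attributes payload).
RULES = [
    ("If resource type is Users", "Users", {"cn": "USERS_MOD"}),
    ("If resource type is Devices", "Devices", {"cn": "DEVICES_MOD"}),
]

def evaluate(resource, action="retrieve"):
    """Return (decision, statements) for one SCIM resource.

    Assumed model: a rule yields permit when its comparison matches and is
    not applicable otherwise. No rule denies, so the combining algorithm
    from step 6 resolves to permit for every retrieve request.
    """
    if action != "retrieve":  # the policy only targets the retrieve action (step 5)
        return "not_applicable", []
    rtype = resource.get("meta", {}).get("resourceType")
    statements = [payload for _, const, payload in RULES if rtype == const]
    return "permit", statements

def apply_statements(resource, statements):
    """Overwrite the attributes named in each payload; the input is not mutated."""
    out = json.loads(json.dumps(resource))  # deep copy of the JSON document
    for payload in statements:
        out.update(payload)
    return out

def check_response(stored, returned):
    """Compare a response captured in step 9 with what the policy should produce."""
    decision, statements = evaluate(stored)
    return decision == "permit" and returned == apply_statements(stored, statements)

# Constructed sample resources (not taken from a real directory).
USER = {"id": "u1", "cn": "Ann Example", "meta": {"resourceType": "Users"}}
DEVICE = {"id": "d1", "cn": "laptop-01", "meta": {"resourceType": "Devices"}}
GROUP = {"id": "g1", "cn": "admins", "meta": {"resourceType": "Groups"}}

if __name__ == "__main__":
    for res in (USER, DEVICE, GROUP):
        _, stmts = evaluate(res)
        print(res["meta"]["resourceType"], "->", apply_statements(res, stmts)["cn"])
```

In this model, a resource type that matches neither rule (Groups in the sample) is still permitted and its cn is returned unmodified, which is worth confirming in the Decision Visualiser if other resource types also expose cn.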