Tutorial 2: Controlling access to specific API operations
Learn how to configure API Access Management in PingOne Authorize to provide protection and access control for specific API operations.
Suppose there are two kinds of users in the Meme Game and they have different permissions:
- Game players compete with their friends to craft the funniest meme.
- Game administrators can review memes submitted by any user when they’re flagged as inappropriate.
You need to allow administrators to review memes while denying that same operation to players. Because the decision is enforced by API Access Management at the API operation itself, a player cannot bypass it by calling the API directly rather than through the game’s user interface. To set this up, you’ll configure users and a group in PingOne, define an API service operation and a rule that restricts it to that group, and finally sign on as each kind of user to demonstrate that access is controlled as intended.
Before you begin, make sure you complete Tutorial 1: Controlling access to APIs managed by an API service to set up the environment you need for this tutorial.
What you’ll learn
You’ll learn how to:
- Configure users and groups in PingOne
- Protect API operations and control user permissions for privileged actions
- Demonstrate that only authorized users can perform protected actions
What you’ll do
Follow these steps to complete the tutorial:
- Set up users and a group in PingOne.
- Define an API service operation and create a rule that gives only administrators access to the protected action.
- Sign on and review memes as an authorized administrator. Then sign on as an unauthorized player, demonstrating that players are prevented from reviewing memes.
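To make the decision the tutorial configures concrete before you work through the PingOne Authorize screens, here is an added illustration of operation-level, group-based authorization with the same allow and deny cases. It is not PingOne Authorize’s own code or rule syntax; the operation names and paths, the group name "Administrators", and the layout of the decoded token claims are assumptions made for the example. The check is deny-by-default: an unauthenticated caller, a request that matches no defined operation, or a protected operation without the required group membership is refused.

```python
"""Illustration of operation-level, group-based API authorization.

Added example, not PingOne Authorize code: it models the rule the tutorial
creates (only members of an administrators group may call the "review memes"
operation) so the allow and deny cases can be exercised offline. Operation
names, paths, the group name and the token claim layout are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Operation:
    name: str
    method: str
    path: str                   # exact path, or prefix for sub-paths
    allowed_groups: frozenset   # empty means any signed-on user


# Hypothetical Meme Game API operations (constructed for this example).
OPERATIONS = (
    Operation("Review memes", "GET", "/memes/review", frozenset({"Administrators"})),
    Operation("Submit meme", "POST", "/memes", frozenset()),
    Operation("List memes", "GET", "/memes", frozenset()),
)


def match_operation(method: str, path: str):
    """Return the most specific operation for a request, or None.

    Longest matching path wins, so GET /memes/review is attributed to
    "Review memes" rather than to the broader "List memes" prefix.
    """
    best = None
    for op in OPERATIONS:
        if op.method != method.upper():
            continue
        if path == op.path or path.startswith(op.path.rstrip("/") + "/"):
            if best is None or len(op.path) > len(best.path):
                best = op
    return best


def authorize(claims: dict, method: str, path: str) -> tuple[bool, str]:
    """Decide a request from decoded access-token claims, deny by default."""
    if not claims or not claims.get("sub"):
        return False, "no authenticated subject"
    op = match_operation(method, path)
    if op is None:
        return False, f"no operation matches {method.upper()} {path}"
    if not op.allowed_groups:
        return True, f"{op.name}: open to signed-on users"
    groups = set(claims.get("groups") or [])   # tolerate a missing claim
    granted = groups & op.allowed_groups
    if granted:
        return True, f"{op.name}: allowed by group {sorted(granted)}"
    return False, f"{op.name}: requires one of {sorted(op.allowed_groups)}"


# Constructed sample claims standing in for decoded tokens of the two user kinds.
ADMIN = {"sub": "alice", "groups": ["Administrators", "Players"]}
PLAYER = {"sub": "bob", "groups": ["Players"]}
NO_GROUPS = {"sub": "carol"}


if __name__ == "__main__":
    requests = (("GET", "/memes/review"), ("GET", "/memes"), ("POST", "/memes"))
    for who, claims in (("admin", ADMIN), ("player", PLAYER), ("no groups", NO_GROUPS)):
        for method, path in requests:
            ok, why = authorize(claims, method, path)
            print(f"{who:9} {method:4} {path:14} -> {'ALLOW' if ok else 'DENY '} ({why})")
```

Running the script prints the same matrix you will observe in the tutorial: the administrator is allowed to review memes, the player is allowed to list and submit memes but is denied the review operation, and a caller whose token carries no group claim is also denied rather than treated as a member of anything.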