PingOne

Adding and testing a policy

Learn how to add and test a dynamic authorization policy that uses an attribute.

Adding a policy

About this task

Policies model business requirements into authorization logic. They’re built by business analysts who understand your application requirements and the regulations you’re complying with.

Let’s add a policy that will deny payments over $10,000 USD.

Steps

  1. Go to Authorization → Policies.

    On the Policies tab, you’ll see the default policy set called Policies. Policy sets are like folders that you can use to group and organize policies. You’re going to add your policy to the default policy set.

    Screen capture of the Policies policy set on the Policies tab.

  2. Select the root policy set Policies, then click the icon and select Add Policy.

  3. For the policy Name, enter Payment checks.

    The red dot on the right indicates that there are unsaved changes in the policy.

    Screen capture of the policy name showing the red dot indicating unsaved changes.

    Now you need a rule that defines the policy logic.

  4. Click Add Rule.

    To keep things simple, leave out the description for now. When you develop your own policies, you can enter a description to document the underlying business case for the rule or the specific business policy the rule is enforcing.

  5. For the rule Name, enter Deny payments over 10000 USD.

  6. Because you want to deny certain payments, select Deny for the Effect.

    Let’s make a comparison to determine if the payment amount is over $10,000 USD.

  7. Click the hamburger menu next to the Name field and select Add "Applies When".

    1. In the Applies When section, click Comparison.

    2. In Select an attribute, select Amount, which is the attribute that you added to the Trust Framework.

    3. For the comparator, select Greater Than Or Equal.

    4. For the constant value, enter 10000.

      Result:

      Your rule looks like this.

      Screen capture of the Deny payments over 10000 USD rule showing the comparison to determine if the payment amount is over 10000.

  8. Click Save changes.

    Result:

    Your new policy is displayed in the default policy set.

    Screen capture of the Payment checks policy nested under the default Policies policy set.

Testing the policy

About this task

Next you’ll test your policy to make sure it does what you expect.

Steps

  1. Go to Authorization → Policies, then select the Payment checks policy and click the Test tab.

  2. In the Request section, in the Attributes list, select the Amount attribute and enter 10900 as the attribute value.

    Screen capture of the Testing Scenario tab showing a request with the Amount attribute set to a value of 10900.

  3. Click Execute.

    Result:

    The Visualization tab shows a deny result, as you’d expect, because the amount is over 10000. The policy is working.

    Screen capture showing the visualization flow of the deny result.

    Now let’s test a value less than 10,000 to see if the policy handles it.

  4. Click the Testing Scenario tab, enter 9900 as the attribute value, and click Execute.

    Screen capture of the Testing Scenario tab showing a request with the Amount attribute set to a value of 9900.

    Result:

    A second Test Results tab is displayed that shows a result that’s not applicable. Your rule only applies to amounts greater than or equal to 10000, so right now the rule doesn’t apply to amounts less than 10000. This neutral decision indicates that the policy doesn’t apply in this situation.

    Screen capture showing the visualization flow of the not applicable result.

    You have more work to do with your policy to account for amounts less than $10,000 USD.

Next steps

You used the amount attribute to build a basic policy with a rule that denies payments over $10,000 USD. Then you tested your policy and found that it doesn’t account for payments less than $10,000 USD.
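
The rule's behaviour across the tested values and the boundary, as an added example that is not PingOne code: a local Python model of the Deny rule with the Greater Than Or Equal comparison. The names `payment_checks`, `enforce` and `Decision`, the treatment of a missing or non-numeric Amount as indeterminate, and the caller that releases a payment only on an explicit permit are all assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation
from enum import Enum

class Decision(Enum):
    PERMIT = "PERMIT"
    DENY = "DENY"
    NOT_APPLICABLE = "NOT_APPLICABLE"
    INDETERMINATE = "INDETERMINATE"

THRESHOLD = Decimal("10000")  # constant value entered in the comparison

def payment_checks(request: dict) -> Decision:
    """Local model of the rule: Effect = Deny, Applies When Amount >= 10000."""
    try:
        amount = Decimal(str(request["Amount"]))
    except (KeyError, InvalidOperation):
        # Assumption: a missing or non-numeric Amount cannot be evaluated.
        return Decision.INDETERMINATE
    if not amount.is_finite():  # NaN / Infinity are not valid payment amounts
        return Decision.INDETERMINATE
    return Decision.DENY if amount >= THRESHOLD else Decision.NOT_APPLICABLE

def enforce(decision: Decision) -> bool:
    """Hypothetical caller: release the payment only on an explicit PERMIT."""
    return decision is Decision.PERMIT

# Constructed test matrix: the two values from the walkthrough plus edge cases.
CASES = [
    ({"Amount": 10900}, Decision.DENY),             # value tested in step 2
    ({"Amount": 9900}, Decision.NOT_APPLICABLE),    # value tested in step 4
    ({"Amount": 10000}, Decision.DENY),             # boundary: "or equal" applies
    ({"Amount": "9999.99"}, Decision.NOT_APPLICABLE),
    ({"Amount": "abc"}, Decision.INDETERMINATE),
    ({}, Decision.INDETERMINATE),
]

def run_cases() -> list:
    """Return (request, decision, released) per case, checking each expectation."""
    results = []
    for request, expected in CASES:
        decision = payment_checks(request)
        assert decision is expected, (request, decision)
        results.append((request, decision, enforce(decision)))
    return results

if __name__ == "__main__":
    for request, decision, released in run_cases():
        print(f"{request!s:22} -> {decision.value:15} released={released}")
```

No case produces a permit, so this caller releases nothing: the model shows both that a payment of exactly 10000 is denied and that amounts under 10000 stay undecided until the policy accounts for them.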