Creating a policy to check consent and then change the server response - PingAuthorize

Creating a policy to check consent and then change the server response - PingAuthorize - 9.0

PingAuthorize

bundle

pingauthorize-90

ft:publication_title

PingAuthorize

Product_Version_ce

PingAuthorize 9.0

category

ContentType

Product

Productdocumentation

paz-90

pingauthorize

ContentType_ce

Product documentation

Page created: 26 Jul 2021 |

Page updated: 17 Feb 2022

| 6 min read

Content Type Product documentation 9.0 PingAuthorize Product Administration

Using the Trust Framework attributes and services we created, we now create a policy for the meme game API to get a user's answers and change the server response with various advices based on the consent status.

Here is a snippet of an unedited response. It shows the id, type, and attributes attributes.

{
 	"data": [{
                "id": "1",
                "type": "answers",
                "attributes": {
                        "url": "https: //l.imqflip.com/2fm6x.jpq",
                        "captions": ["Still waiting for the bus to Jennie's"],
                        "rating": null,
                        "created_at": "2020-05-e6T22:25:06-00:00"
                }
        },

Sign on to the Policy Editor, click Policies in the left pane and then click Policies along the top.
Select the existing meme-game policies policy. The new policy is created under this policy.
From the + menu, select Add Policy.
For the name, replace Untitled with Control user's response to answers request.
Click + next to Applies to.
Click Add definitions and targets, or drag from Components and add the meme-game.user_answers service, which we set up in Getting a path component from the request URL. Also, because we want to control the response to the client, add the outbound-GET action.
Set Combining Algorithm to Unless one decision is deny, the decision will be permit.
Add a rule to include attributes.
1. Click + Add Rule.
  1. For the name, replace Untitled with If consent to share status is accepted then include attributes.
  2. Specify the condition.
    1. Click + Comparison.
    2. From the Select an Attribute list, select Sharing consent status, which we created in Getting consent status from the consent record.
    3. In the second field, select Equals.
    4. In the third field, type accepted.
  3. Specify the advice.
    1. Click Show Advice and Obligations.
    2. Click + next to Advice and Obligations.
    3. Click + Add Advice > Include Attributes.
      
      Use this advice to be explicit about what attributes to keep, especially when you have a large set of attributes where you only need a small subset in the response.
      
      For information about this advice, see Include Attributes.
    4. For the name, replace Untitled with Include id and attributes attribute.
    5. In the Code field, enter include-attributes.
    6. From the Applies To list, select Permit.
    7. In the Payload field, enter the following text to include the id attribute and the attributes attribute but not the type attribute.
      
      ["data[*].id","data[*].attributes.*"]
    8. Click Save changes.
  The following screen shows the rule.
  
  With the policy in place, trying the request again gets a response with the type attribute removed, as shown in the following snippet.
```
{
 	"data": [{
                "attributes": {
                        "url": "https: //l.imqflip.com/2fm6x.jpq",
                        "captions": ["Still waiting for the bus to Jennie's"],
                        "rating": null,
                        "created_at": "2020-05-e6T22:31:06-00:00"
                "id": "1",
                }
        },
```
Add a rule to exclude attributes.
1. Click + Add Rule.
  1. For the name, replace Untitled with If consent to share status is revoked then exclude attributes.
  2. Specify the condition.
    1. Click + Comparison.
    2. From the Select an Attribute list, select Sharing consent status, which we created in Getting consent status from the consent record.
    3. In the second field, select Equals.
    4. In the third field, type revoked.
  3. Specify the advice.
    1. Click Show Advice and Obligations.
    2. Click + next to Advice and Obligations.
    3. Click + Add Advice > Exclude Attributes.
      
      Use this advice to be explicit about what attributes to leave out. For example, a third-party client might request banking records; the client does not need account numbers, so give them everything but the account number.
      
      For information about this advice, see Exclude Attributes.
    4. For the name, replace Untitled with Exclude the id attribute.
    5. In the Code field, enter exclude-attributes.
    6. From the Applies To list, select Anything.
    7. In the Payload field, enter the following text to exclude the id attribute.
      
      ["data[*].id"]
    8. Click Save changes.
  The following screen shows the rule.
  
  With the policy in place, trying the request again gets a response with the type attribute removed, as shown in the following snippet.
```
{
 	"data": [{
                "type": "answers",
                "attributes": {
                        "url": "https: //l.imqflip.com/2fm6x.jpq",
                        "captions": ["Still waiting for the bus to Jennie's"],
                        "rating": null,
                        "created_at": "2020-05-e6T22:35:06-00:00"
                }
        },
```
  You can use the Decision Visualiser to see how the decision engine processed the decision. In the Policy Editor, click Policies in the left pane, then click Decision Visualiser along the top, and then click Recent Decisions. Click a decision and follow the green paths to see what polices are executed and which rules are invoked. Click Attributes along the top to see the names and values of attributes that are used in the decision.
Add a rule to modify attributes.
1. Click + Add Rule.
  1. For the name, replace Untitled with If consent to share status is restricted then modify attributes.
  2. Specify the condition.
    1. Click + Comparison.
    2. From the Select an Attribute list, select Sharing consent status, which we created in Getting consent status from the consent record.
    3. In the second field, select Equals.
    4. In the third field, type restricted.
  3. Specify the advice.
    1. Click Show Advice and Obligations.
    2. Click + next to Advice and Obligations.
    3. Click + Add Advice > Modify Attributes.
      
      Use this advice to change attributes. For example, the client might request health records and require all items from a record, such as a social security number, even if partially or fully hidden.
      
      For information about this advice, see Modify Attributes.
    4. For the name, replace Untitled with Modify all the values in attributes.
    5. In the Code field, enter modify-attributes.
    6. From the Applies To list, select Permit.
    7. In the Payload field, enter the following text to replace all values in the attributes attribute with three dashes.
      
      {"data[*].attributes.*":"---"}
    8. Click Save changes.
  The following screen shows the rule.
  
  With the policy in place, trying the request now gets a response with the id and type attributes unchanged but all the attributes values changed to dashes, as shown in the following snippet.
```
{
 	"data": [{
                "id": "168",
                "type": "answers",
                "attributes": {
                        "url": "---",
                        "captions": "---",
                        "rating": "---",
                        "created_at": "---"
                }
        },
```

The following image shows the what policy applies to and the three rules.
Screen capture of policy with the three rules