First, we define a service in the Trust Framework. Services have various uses, but at their most basic level, you use them to define a specific API that can be governed by your policies. By defining different services in your Trust Framework, you can target each policy specifically to its applicable API.

Then, we define a policy. This policy rejects any request to start a new meme game when the user's identifier ends with @example.com. We identify the user by the subject of the request's access token.

  1. Define the service.
    1. Sign on to the Policy Editor using the URL and credentials from Accessing the GUIs.
    2. Go to Trust Framework and click Services.
    3. From the + menu, select Add new Service.
    4. For the name, replace Untitled with Meme Game - Games.

      The service name must match the endpoint name. To understand why, see For further consideration: The PingAuthorize API security gateway, part 2.

    5. Verify that no parent is selected in the Parent field.
      To remove a parent, click the trash can icon to the right of the Parent field.
      Screen capture of the Service definition screen
    6. Click Save changes.
  2. Define the policy.
    1. In the Policy Editor, go to Policies in the left pane and then click Policies along the top.
    2. Select Global Decision Point.
    3. From the + menu, select Add Policy.
    4. For the name, replace Untitled with Users starting a new game.
    5. Click + next to Applies to.
    6. In the upper-right corner of the left pane, click Components. This reveals a tree of items to target the policy and restrict the types of requests to which the policy applies.
    7. From the Actions list, drag inbound-POST to the box labeled Add definitions and targets, or drag from Components.
    8. From the Services list, drag Meme Game - Games to the box labeled Add definitions and targets, or drag from Components.
      Using these components restricts the policy to incoming POST requests to the Meme Game - Games service. Any other request (a GET to the same service, or a POST to a different service) is outside the policy's target and is not affected by it.
    9. Set the Combining Algorithm to Unless one decision is deny, the decision will be permit.
    10. Click + Add Rule. This reveals an interface to define a condition. Define the rule as follows.
      1. For the name, replace Untitled with Deny if token subject ends with @example.com.
      2. For Effect, select Deny.
      3. Specify the condition.
        1. Click + Comparison.
        2. From the Select an Attribute list, select HttpRequest.AccessToken.subject.
        3. In the second field, select Ends With.
        4. In the third field, type @example.com.
      The following screen shows the rule.
      Screen capture of the rule definition
    11. Click Save changes.

      For more information about API security gateway processing, see For further consideration: The PingAuthorize API security gateway, part 2.
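The following is an added example and not PingAuthorize code or part of the original tutorial: it models the decision logic of the policy built in the steps above (the inbound-POST and service targets, the "Unless one decision is deny, the decision will be permit" combining algorithm, and the Ends With rule on HttpRequest.AccessToken.subject) so it can be exercised offline against constructed requests. The Request dataclass, the string form of the decisions, and the treatment of a request with no token subject as not matching the rule are assumptions of this model, not documented PingAuthorize semantics.

```python
"""Offline model of the 'Users starting a new game' policy (added example).

Not PingAuthorize code: it re-implements the policy's targeting, combining
algorithm and rule so the behaviour can be checked against constructed
requests. Attribute and component names follow the tutorial; the Request
type, decision strings and missing-subject handling are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional

PERMIT, DENY, NOT_APPLICABLE = "PERMIT", "DENY", "NOT_APPLICABLE"


@dataclass
class Request:
    """Constructed stand-in for the attributes the policy reads."""
    method: str                    # Actions target: inbound-POST matches "POST"
    service: str                   # Services target: name of the matched service
    token_subject: Optional[str]   # HttpRequest.AccessToken.subject; None if no token


@dataclass
class Rule:
    name: str
    effect: str                    # PERMIT or DENY
    condition: Callable[[Request], bool]

    def evaluate(self, req: Request) -> str:
        """A rule contributes its effect only when its condition holds."""
        return self.effect if self.condition(req) else NOT_APPLICABLE


def permit_unless_deny(decisions: Iterable[str]) -> str:
    """Combining algorithm 'Unless one decision is deny, the decision will be permit'."""
    return DENY if any(d == DENY for d in decisions) else PERMIT


@dataclass
class Policy:
    name: str
    action: str
    service: str
    rules: List[Rule] = field(default_factory=list)

    def applies_to(self, req: Request) -> bool:
        """'Applies to': only inbound POST requests to the named service."""
        return req.method == self.action and req.service == self.service

    def decide(self, req: Request) -> str:
        if not self.applies_to(req):
            return NOT_APPLICABLE
        return permit_unless_deny(rule.evaluate(req) for rule in self.rules)


def subject_ends_with(suffix: str) -> Callable[[Request], bool]:
    """Comparison 'HttpRequest.AccessToken.subject Ends With <suffix>'.

    Model assumption: a request with no token subject cannot match, so the
    Deny rule stays silent and the combining algorithm falls through to PERMIT.
    """
    def condition(req: Request) -> bool:
        return req.token_subject is not None and req.token_subject.endswith(suffix)
    return condition


def build_policy() -> Policy:
    """The policy exactly as defined in the steps above."""
    return Policy(
        name="Users starting a new game",
        action="POST",
        service="Meme Game - Games",
        rules=[
            Rule("Deny if token subject ends with @example.com", DENY,
                 subject_ends_with("@example.com")),
        ],
    )


def decide(req: Request) -> str:
    return build_policy().decide(req)


if __name__ == "__main__":
    # Constructed sample requests; the last one shows the unauthenticated case.
    samples = [
        Request("POST", "Meme Game - Games", "alice@example.com"),
        Request("POST", "Meme Game - Games", "bob@partner.net"),
        Request("POST", "Meme Game - Games", "eve@notexample.com"),
        Request("GET", "Meme Game - Games", "alice@example.com"),
        Request("POST", "Meme Game - Players", "alice@example.com"),
        Request("POST", "Meme Game - Games", None),
    ]
    for r in samples:
        print(f"{r.method} {r.service} subject={r.token_subject!r}: {decide(r)}")
```

Two points worth noticing when running it: the comparison is on the literal suffix "@example.com", so "eve@notexample.com" is permitted even though it ends with "example.com"; and because the only rule is a Deny rule under a permit-unless-deny algorithm, a POST with no access token subject is permitted by this policy alone. If you want unauthenticated requests rejected, add a rule that denies when the subject is absent, rather than relying on this one.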