Filter Response - PingAuthorize

Filter Response - PingAuthorize - 10.0

PingAuthorize 10.0

bundle

pingauthorize-100

ft:publication_title

PingAuthorize 10.0

Product_Version_ce

PingAuthorize 10.0 (Latest)

category

ContentType

Product

Productdocumentation

paz-100

pingauthorize

ContentType_ce

Product documentation

Use filter-response to direct PingAuthorize Server to invoke policy iteratively over each item of a JSON array contained within an API response.

Description Details

Description	Details
Applicable to	PERMIT decisions from the gateway, although you cannot apply Filter Response statements directly to a SCIM search. However, the SCIM service performs similar processing automatically when it handles a search result. For every candidate resource in a search result, the SCIM service makes a policy request for the resource with an Action value of `retrieve`.
Additional information	When presented with a request to permit or deny a multivalued response body, Filter Response statements allow policies to require that a separate policy request be made to determine whether the client can access each individual resource that a JSON array returns. The following list identifies the fields of the JSON object that represents the payload for this statement. `Path` JSONPath to an array within the API's response body. The statement implementation iterates over the nodes in this array and makes a policy request for each node. This field is required. `Action` Value to pass as the `action` parameter on subsequent policy requests. If no value is specified, the action from the parent policy request is used. This field is optional. `Service` Value to pass as the `service` parameter on subsequent policy requests. If no value is specified, the service value from the parent policy request is used. This field is optional. `ResourceType` Type of object contained by each JSON node in the array, selected by the `Path` field. On each subsequent policy request, the contents of a single array element pass to the policy decision point as an attribute with the name that this field specifies. If no value is specified, the resource type of the parent policy request is used. This field is optional. On each policy request, if policy returns a `deny` decision, the relevant array node is removed from the response. If the policy request returns a `permit` decision with additional statements, the statements are fulfilled within the context of the request. For example, this statement allows the policy to decide whether to exclude or obfuscate particular attributes for each array item. For a response object that contains complex data, including arrays of arrays, this statement type can descend through the JSON content of the response. Note: Performance might degrade as the total number of policy requests increases.

Applicable to

PERMIT decisions from the gateway, although you cannot apply Filter Response statements directly to a SCIM search. However, the SCIM service performs similar processing automatically when it handles a search result. For every candidate resource in a search result, the SCIM service makes a policy request for the resource with an Action value of retrieve.

Additional information

When presented with a request to permit or deny a multivalued response body, Filter Response statements allow policies to require that a separate policy request be made to determine whether the client can access each individual resource that a JSON array returns.

The following list identifies the fields of the JSON object that represents the payload for this statement.

Path: JSONPath to an array within the API's response body. The statement implementation iterates over the nodes in this array and makes a policy request for each node. This field is required.
Action: Value to pass as the action parameter on subsequent policy requests. If no value is specified, the action from the parent policy request is used. This field is optional.
Service: Value to pass as the service parameter on subsequent policy requests. If no value is specified, the service value from the parent policy request is used. This field is optional.
ResourceType: Type of object contained by each JSON node in the array, selected by the Path field. On each subsequent policy request, the contents of a single array element pass to the policy decision point as an attribute with the name that this field specifies. If no value is specified, the resource type of the parent policy request is used. This field is optional.

On each policy request, if policy returns a deny decision, the relevant array node is removed from the response. If the policy request returns a permit decision with additional statements, the statements are fulfilled within the context of the request. For example, this statement allows the policy to decide whether to exclude or obfuscate particular attributes for each array item.

For a response object that contains complex data, including arrays of arrays, this statement type can descend through the JSON content of the response.

Note:

Performance might degrade as the total number of policy requests increases.