This tutorial describes how to create the final policy, which is an access-control rule that can base its authorization decision on an attribute of the requesting identity, rather than on an access token claim.

When PingAuthorize Server authorizes a request, an access token validator resolves the subject of the access token to a SCIM user and populates a policy request attribute called TokenOwner with the SCIM user's attributes. In this scenario, build a policy around the employeeType attribute, which must be defined in the Trust Framework.
- Go to Trust Framework and click the Attributes tab. Click TokenOwner.
- Click + and then Add new Attribute.
- For the name, replace Untitled with employeeType.
- From the Parent list, select TokenOwner.
- In the Resolvers section:
  - Click + Add Resolver.
  - From the Resolver type list, select Attribute and in the Select an Attribute list, specify a value of TokenOwner.
- Click + next to Value Processors and then + Add Processor.
- From the Processor list, select JSON Path and enter the value employeeType.
- In the Value Settings section:
  - Set the Value type to Collection.
- Click Save changes.
Add a policy that uses the employeeType attribute.
- Go to .
- Select SCIM Policy Set and click + and then Add Policy.
- For the name, replace Untitled with Restrict Intern Access.
- From the Combining Algorithm list, select Unless one decision is deny, the decision will be permit.
- Click + Add Rule.
- For the name, replace Untitled with Restrict access for interns.
- From the Effect list, select Permit.
- In the Condition section:
  - Click + Comparison.
  - In the Select an Attribute list, select TokenOwner.employeeType.
  - From the middle, comparison-type list, select Contains.
  - In the Type in constant value field, enter intern.
- Within the rule, click Show Statements, and then click the + next to Statements.
- Click .
- For the name, replace Untitled with Restrict attributes visible to interns.
- Select the Obligatory check box.
- In the Code field, enter exclude-attributes.
- From the Applies To list, select Permit.
- In the Payload field, enter ["description"].
- Click Save changes.
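To make the decision logic of the two procedures above concrete, here is an added Python simulation. It is not PingAuthorize code and not part of this tutorial; it models the attribute resolution (JSON Path processor on TokenOwner, value type Collection), the rule (Permit when TokenOwner.employeeType contains intern, with the obligatory exclude-attributes statement and payload ["description"]), the combining algorithm, and an enforcement step that applies the obligation to a SCIM response. The tokens, SCIM user records and the resource are constructed sample data, and json_path is a simplified stand-in for the real JSON Path processor.

```python
"""Added example simulating the tutorial's policy; not PingAuthorize code.

Pieces modelled:
  1. Trust Framework attribute TokenOwner.employeeType, resolved from the
     SCIM user with a JSON Path processor and value type Collection.
  2. Policy "Restrict Intern Access" (combining algorithm: unless one
     decision is deny, the decision will be permit) with one rule that
     Permits when TokenOwner.employeeType contains "intern" and attaches the
     obligatory statement exclude-attributes with payload ["description"].
  3. The enforcement point applying that obligation to a SCIM response.
"""

# Constructed SCIM user documents (hypothetical data), standing in for what the
# access token validator returns after resolving the token's subject.
SCIM_USERS = {
    "intern-token": {"userName": "asmith", "employeeType": "intern"},
    "staff-token": {"userName": "bjones", "employeeType": "full-time"},
    "multi-token": {"userName": "cwu", "employeeType": ["contractor", "intern"]},
    "none-token": {"userName": "dlee"},  # no employeeType at all
}


def json_path(document, path):
    """Minimal JSON Path evaluator for dotted member paths such as
    "employeeType" or "$.a.b". A simplified stand-in for the Trust
    Framework's JSON Path processor; only this subset is implemented."""
    node = document
    for part in path.lstrip("$.").split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def as_collection(value):
    """Value type Collection: a scalar becomes a one-element list and a
    missing value an empty list, so 'Contains' behaves uniformly."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def resolve_token_owner(token):
    """Populate the policy request attribute TokenOwner from the SCIM user."""
    return SCIM_USERS.get(token, {})


def evaluate_policy(request):
    """Evaluate policy 'Restrict Intern Access' for one policy request.
    Returns (decision, obligations)."""
    token_owner = request["TokenOwner"]
    # Attribute TokenOwner.employeeType: JSON Path processor + Collection.
    employee_type = as_collection(json_path(token_owner, "employeeType"))
    rule_decisions = []
    obligations = []
    # Rule 'Restrict access for interns': Condition
    # TokenOwner.employeeType Contains "intern", Effect Permit.
    if "intern" in employee_type:
        rule_decisions.append("PERMIT")
        # The obligatory statement applies to Permit decisions only.
        obligations.append({"code": "exclude-attributes", "payload": ["description"]})
    else:
        rule_decisions.append("NOT_APPLICABLE")
    # Combining algorithm: unless one decision is deny, the decision is permit.
    decision = "DENY" if "DENY" in rule_decisions else "PERMIT"
    return decision, obligations


def enforce(token, scim_resource):
    """Enforcement point: authorize the request for the token's owner, then
    apply any exclude-attributes obligation to the SCIM resource returned."""
    request = {"TokenOwner": resolve_token_owner(token)}
    decision, obligations = evaluate_policy(request)
    if decision != "PERMIT":
        return decision, None
    filtered = dict(scim_resource)
    for obligation in obligations:
        if obligation["code"] == "exclude-attributes":
            for attr in obligation["payload"]:
                filtered.pop(attr, None)
    return decision, filtered


if __name__ == "__main__":
    resource = {"id": "42", "displayName": "Widget", "description": "internal notes"}
    for tok in SCIM_USERS:
        print(tok, enforce(tok, resource))
```

Because the condition is evaluated against the SCIM user that the token resolved to, and not against a claim inside the token, the outcome does not depend on whether the token carries an employeeType claim at all; a user with no employeeType simply falls outside the rule and, under the permit-unless-deny combining algorithm, is permitted with the full resource.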