To review, the Meme Game API offers a game creation endpoint that looks like this:

POST /api/v1/games
{
    "data": {
        "type": "game",
        "attributes": {
            "invitees": ["friend@example.com"]
        }
    }
}

The requester specifies one or more invitees using the data.attributes.invitees field. We will extend our policy's deny rule with a second comparison so that a subject ending in @example.com is also denied a new game when anybody else is invited to it.

  1. Define a Trust Framework attribute to represent the data.attributes.invitees field.
    1. In the Policy Editor, go to Trust Framework and click Attributes.
    2. From the + menu, select Add new Attribute.
    3. For the name, replace Untitled with Meme Game invitees.
    4. Verify that in the Parent field, no parent is selected.
      To remove a parent, click the trash can icon to the right of the Parent field.
    5. Click the + next to Resolvers and click + Add Resolver.
    6. Set Resolver type to Attribute.
    7. Select the attribute HttpRequest.RequestBody.
    8. Click the + next to Value Processors and click + Add Processor.
    9. Set Processor to JSON Path.
    10. Set the value to $.data.attributes.invitees.
    11. Set Value type to Collection.
    12. For Value Settings, select Default value and specify square brackets ([]) to indicate an empty collection.
    13. Set Type to Collection.
    14. Click Save changes.
      The following image shows the new attribute.
      Screen capture of the "Meme Game invitees" attribute

      This Trust Framework attribute introduces resolvers and value processors, which are two important components. To better understand these components, see For further consideration: Resolvers and value processors.

  2. Modify a rule to use the Meme Game invitees attribute we just created.
    1. In the Policy Editor, go to Policies.
    2. Select the Users starting a new game policy.
    3. Rename the Deny if token subject ends with @example.com rule to Deny if token subject ends with @example.com AND request contains invitees.
    4. Expand the rule by clicking its + icon.
    5. For Effect, select Deny.
    6. Specify a second comparison.
      1. Click + Comparison.
      2. From the Select an Attribute field, select Meme Game invitees.
      3. In the second field, select Does Not Equal.
      4. In the third field, type [].
    7. Click Save changes.
      The following image shows the rule.
      Screen capture of the "Deny if token subject ends with @example.com AND request contains invitees" rule
  3. Test the policy.
    As before, you can test your policy from the Policy Editor using its test interface, and you can test the policy by sending an HTTP request. Try testing using the following combinations of inputs:
    • An access token with the subject user.0@example.com and with invitees.

      This should be denied.

    • An access token with the subject user.0@my-company.com and with invitees.

      This should be permitted.

    • An access token with the subject user.0@example.com and no invitee list.

      This should be permitted.

    • An access token with the subject user.0@my-company.com and no invitee list.

      This should be permitted.
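The following added example is not part of the tutorial and is not PingOne Authorize code; it mirrors the rule built above in plain Python so that the four test combinations can be checked offline. It resolves the invitees collection from the request body at $.data.attributes.invitees (defaulting to an empty collection when the path is absent or unparseable, as the Default value setting does) and denies only when the token subject ends with @example.com AND the collection does not equal []. The function names, the request-builder helper and the token subjects are this example's own assumptions; the policy engine's internal behaviour is not reproduced.

```python
"""Added example: offline model of the rule
'Deny if token subject ends with @example.com AND request contains invitees'.
Not the product's code; function and helper names are assumptions."""
import json
from typing import Any, Optional

EXAMPLE_DOMAIN_SUFFIX = "@example.com"   # suffix the first comparison matches on


def _walk(obj: Any, *keys: str) -> Any:
    """Follow a chain of object keys, returning None if any step is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def resolve_invitees(request_body: str) -> list:
    """Models the 'Meme Game invitees' attribute: JSON Path
    $.data.attributes.invitees on HttpRequest.RequestBody, Value type
    Collection, Default value [] when the path does not resolve."""
    try:
        body = json.loads(request_body) if request_body else {}
    except json.JSONDecodeError:
        return []  # unparseable body resolves to the default, an empty collection
    value = _walk(body, "data", "attributes", "invitees")
    if not isinstance(value, list):
        return []  # absent or non-collection value falls back to the default
    return value


def evaluate(token_subject: str, request_body: str) -> str:
    """Policy 'Users starting a new game': the rule denies only when BOTH
    comparisons hold; any other input is permitted."""
    invitees = resolve_invitees(request_body)
    subject_matches = token_subject.endswith(EXAMPLE_DOMAIN_SUFFIX)
    has_invitees = invitees != []  # comparison 'Meme Game invitees Does Not Equal []'
    return "Deny" if subject_matches and has_invitees else "Permit"


def game_request(invitees: Optional[list] = None) -> str:
    """Build a POST /api/v1/games body; omit the invitees attribute when None."""
    attributes = {} if invitees is None else {"invitees": invitees}
    return json.dumps({"data": {"type": "game", "attributes": attributes}})


def run_test_matrix() -> dict:
    """The four combinations from the 'Test the policy' step (constructed inputs)."""
    cases = {
        ("user.0@example.com", "with invitees"): game_request(["friend@example.com"]),
        ("user.0@my-company.com", "with invitees"): game_request(["friend@example.com"]),
        ("user.0@example.com", "no invitee list"): game_request(None),
        ("user.0@my-company.com", "no invitee list"): game_request(None),
    }
    return {f"{subj} / {desc}": evaluate(subj, body)
            for (subj, desc), body in cases.items()}


if __name__ == "__main__":
    for case, decision in run_test_matrix().items():
        print(f"{case}: {decision}")
```

Note the edge case the Default value setting creates: a request that sends an explicit empty list ("invitees": []) resolves to the same value as a request with no invitee list at all, so both are permitted for an @example.com subject. If those two cases should be treated differently, the attribute needs a different default and the comparison needs adjusting.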