To allow the user to modify a set of attributes limited to an allow list and return an error if the user attempts to modify any attribute outside of the allow list, create a constant in the Trust Framework and then use the constant in a policy.
Create a constant in the Trust Framework.
- Go to Trust Framework and then Attributes.
- From the + menu, select Add new Attribute.
For the name, replace Untitled with
- Verify that in the Parent field, no parent is selected. To remove a parent, click the trash can icon to the right of the Parent field.
- Click + Add Resolver and set the Resolver type to Constant.
Set the value of the constant to a set of square brackets that contains a comma-delimited list of the attributes that can be modified.
For example, to allow the
userName attributes to be modified, you would set the value of the constant to
As another example, to allow the user to modify a property or any of its subproperties, you must explicitly list them. So to allow modification of the
name field on the default Users pass-through schema, set the value of the constant to
[name, name.formatted, name.givenName, name.familyName].
- In the Value Settings section, set Type to Collection.
- Click Save changes.
Modify or create a policy to use that constant collection.
- Go to Policies.
- Select a policy or create a new one.
In the Rules section:
- Set the Combining Algorithm to Unless one decision is permit, the decision will be deny.
- Click + Add Rule.
- For the name, replace Untitled with Allow only the email and userName attributes.
- Set the Effect to Permit.
- Under Condition, click + Comparison.
- In the comparison, we want to compare the constant collection of permitted attributes to
For the left field, select the
allowlistAttributes attribute, which is the constant collection of permitted attributes defined in the beginning. You might see the field as shown below. Click the R immediately above + Comparison to toggle to attribute selection.
- Set the middle field (the operator) to Contains.
- Set the right field to the
If that field has a C before it, click the C to toggle to attribute selection.
Note: If impactedAttributes is not available, see Restricting the attributes that can be modified.
When applied to two collections, the Contains operator returns true if and only if the right-side collection is a subset of the left-side collection. Thus, the rule only returns PERMIT if the set of
impactedAttributes is a subset of the list of allowed attributes in
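The following is an added example, not code from Ping's product or from this page: it models in plain Python how the policy above evaluates, so you can check the subset semantics of Contains and the "list subproperties explicitly" caveat before relying on them. The allow lists mirror the page's two examples; the sets of impacted attributes are constructed test input. It assumes that a Permit rule whose condition is false yields no decision, which the "unless one decision is permit, deny" combining algorithm then turns into DENY.

```python
"""Model of the allow-list policy: Contains over two collections, a single
Permit rule, and the 'unless one decision is permit, deny' combiner.
Added illustration only; not Ping's evaluation engine."""

# Allow lists mirroring the page's examples (constant collections).
ALLOWLIST_EMAIL_USERNAME = ["email", "userName"]
ALLOWLIST_NAME = ["name", "name.formatted", "name.givenName", "name.familyName"]


def contains(left, right):
    """Collection-vs-collection Contains as described on the page:
    true iff every element of `right` is present in `left`
    (i.e. `right` is a subset of `left`)."""
    return set(right).issubset(set(left))


def evaluate_permit_rule(allowlist, impacted_attributes):
    """The single rule: Effect=Permit, condition
    allowlistAttributes Contains impactedAttributes.
    Assumption: a Permit rule whose condition is false yields no decision (None)."""
    if contains(allowlist, impacted_attributes):
        return "PERMIT"
    return None


def combine_unless_permit(decisions):
    """'Unless one decision is permit, the decision will be deny'."""
    return "PERMIT" if "PERMIT" in decisions else "DENY"


def decide(allowlist, impacted_attributes):
    """Full policy decision for one modification request."""
    return combine_unless_permit([evaluate_permit_rule(allowlist, impacted_attributes)])


if __name__ == "__main__":
    # Constructed sample requests: the attributes a user tries to modify.
    for allowlist, impacted in [
        (ALLOWLIST_EMAIL_USERNAME, ["email"]),
        (ALLOWLIST_EMAIL_USERNAME, ["email", "phoneNumbers"]),
        (ALLOWLIST_NAME, ["name.givenName", "name.familyName"]),
        (["name"], ["name.givenName"]),  # subproperty not listed explicitly
    ]:
        print(f"allowlist={allowlist} impacted={impacted} -> {decide(allowlist, impacted)}")
```

The last sample shows why the page tells you to list subproperties explicitly: with only `name` in the constant, a change to `name.givenName` is denied, because subset membership is by exact string and `name.givenName` is not an element of `[name]`. Note also that an empty set of impacted attributes is trivially a subset and therefore permitted.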