Adding attributes to an allow list - PingAuthorize

Adding attributes to an allow list - PingAuthorize - 9.0

PingAuthorize

bundle

pingauthorize-90

ft:publication_title

PingAuthorize

Product_Version_ce

PingAuthorize 9.0

category

ContentType

Product

Productdocumentation

paz-90

pingauthorize

ContentType_ce

Product documentation

Page created: 26 Jul 2021 |

Page updated: 17 Feb 2022

| 2 min read

Content Type Product documentation 9.0 PingAuthorize Product Administration User task

To allow the user to modify a set of attributes limited to an allow list and return an error if the user attempts to modify any attribute outside of the allow list, create a constant in the Trust Framework and then use the constant in a policy.

Create a constant in the Trust Framework.
1. Go to Trust Framework and then Attributes.
2. From the + menu, select Add new Attribute.
3. For the name, replace Untitled with allowlistAttributes.
4. Verify that in the Parent field, no parent is selected. To remove a parent, click the trash can icon to the right of the Parent field.
5. Click + Add Resolver and set the Resolver type to Constant.
6. Set the value of the constant to a set of square brackets that contains a comma-delimited list of the attributes that can be modified.
  
  For example, to allow the email or userName attributes to be modified, you would set the value of the constant to [email, userName].
  
  As another example, to allow the user to modify a property or any of its subproperties, you must explicitly list them. So to allow modification of the name field on the default Users pass-through schema, set the value of the constant to [name, name.formatted, name.givenName, name.familyName].
7. In the Value Settings section, set Type to Collection.
8. Click Save changes.
Modify or create a policy to use that constant collection.
1. Go to Policies.
2. Select a policy or create a new one.
3. In the Rules section:
  1. Set the Combining Algorithm to Unless one decision is permit, the decision will be deny.
  2. Click + Add Rule.
  3. For the name, replace Untitled with Allow only the email and userName attributes.
  4. Set the Effect to Permit.
  5. Under Condition, click + Comparison.
  6. In the comparison, we want to compare the constant collection of permitted attributes to the impactedAttributes collection.
    - For the left field, select the allowlistAttributes attribute, which is the constant collection of permitted attributes defined in the beginning.
      
      You might see the field as shown below. Click the R immediately above + Comparison to toggle to attribute selection.
    - Set the middle field (the operator) to Contains.
    - Set the right field to the impactedAttributes attribute.
      If that field has a C before it, click the C to toggle to attribute selection.
      Note:
      If impactedAttributes is not available, see Restricting the attributes that can be modified.
    When applied to two collections, the Contains operator returns true if and only if the right-side collection is a subset of the left-side collection. Thus, the rule only returns PERMIT if the set of impactedAttributes is a subset of the list of allowed attributes in allowlistAttributes.