For a given resource type, restrict the ability to delete. In particular, the policy
focuses on the delete action and then denies the action when the resource type is
Devices.
-
In the Policy Editor, go to Policies in
the left pane and then click Policies along the
top.
-
From the + menu, select Add
Policy.
-
For the name, replace Untitled with User
cannot delete a Device resource.
-
Click the + next to Applies
to.
-
Click Add definitions and targets, or drag from
Components and add the delete
action.
-
Set Combining Algorithm to Unless one
decision is deny, the decision will be permit.
You should have a screen similar to the following one for the policy so
far.
-
Add a rule to deny the deletion of Device resources.
-
Click + Add Rule.
-
For the name, replace Untitled with
If the SCIM resource type is Device, then
deny.
-
Set Effect to Deny.
-
Click + Comparison.
-
In the Select an Attribute list, select the
SCIM2.resource.meta.resourceType
attribute.
-
In the second field, select Equals.
-
In the third field, specify Devices as the
constant.
-
Add advice to provide a custom message.
- Within the rule, click Show Advice and
Obligations.
- Click + next to Advice and
Obligations.
- Click .
- For the name, specify denied-reason.
- Set Applies To to
Deny.
- In the Payload field:
-
Click Save changes.
Your rule should be similar to the following one.
-
Send test requests to the SCIM service and verify data using the Policy Editor's Decision Visualiser.