Description Details

Applicable to

PERMIT decisions from Gateway. You cannot apply Filter Response advice directly to a System for Cross-domain Identity Management (SCIM) search. However, the SCIM service performs similar processing automatically when it handles a search result: for every candidate resource in a search result, the SCIM service makes a policy request for the resource with an Action value of retrieve.

Additional information

When presented with a request to permit or deny a multivalued response body, Filter Response advice allows policies to require that a separate policy request be made for each individual resource in a returned JSON array, to determine whether the client can access that resource.

The following table identifies the fields of the JSON object that represents the payload for this advice.

| Field | Required | Description |
|---|---|---|
| Path | Yes | JSONPath to an array within the API's response body. The advice implementation iterates over the nodes in this array and makes a policy request for each node. |
| Action | No | Value to pass as the action parameter on subsequent policy requests. If no value is specified, the action from the parent policy request is used. |
| Service | No | Value to pass as the service parameter on subsequent policy requests. If no value is specified, the service value from the parent policy request is used. |
| ResourceType | No | Type of object contained by each JSON node in the array, selected by the Path field. On each subsequent policy request, the contents of a single array element pass to the policy decision point as an attribute with the name that this field specifies. If no value is specified, the resource type of the parent policy request is used. |

On each policy request, if policy returns a deny decision, the relevant array node is removed from the response. If the policy request returns a permit decision with additional advice, the advice is fulfilled within the context of the request. For example, this advice allows policy to decide whether to exclude or obfuscate particular attributes for each array item.

For a response object that contains complex data, including arrays of arrays, this advice type can descend through the JSON content of the response.

Note: Performance might degrade as the total number of policy requests increases.
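
The per-node processing described above, as an added Python sketch (an illustration, not PingAuthorize code). It assumes a simple dotted Path, a hypothetical `decide` callback standing in for the policy decision point, and a hypothetical `exclude` advice type; the sample data is constructed.

```python
import copy

def resolve(body, path):
    """Resolve a simple dotted JSONPath such as $.data.accounts (no wildcards or filters)."""
    node = body
    for key in filter(None, path.lstrip("$").split(".")):
        node = node[key]
    if not isinstance(node, list):
        raise ValueError(f"{path} does not select an array")
    return node

def filter_response(payload, parent, body, decide):
    """Return (filtered_body, requests_made); decide(request) -> (decision, advice)."""
    body = copy.deepcopy(body)  # leave the upstream response untouched
    nodes = resolve(body, payload["Path"])
    # Optional payload fields fall back to the parent policy request's values.
    action = payload.get("Action", parent["action"])
    service = payload.get("Service", parent["service"])
    rtype = payload.get("ResourceType", parent["resource_type"])
    kept, made = [], 0
    for node in nodes:
        made += 1  # one policy request per array node
        decision, advice = decide({"action": action, "service": service, "attributes": {rtype: node}})
        if decision != "PERMIT":
            continue  # deny: the node is removed (this sketch drops anything not PERMIT)
        for item in advice:  # permit with advice: fulfil it on this node only
            if item["type"] == "exclude":  # hypothetical advice type
                for attr in item["attributes"]:
                    node.pop(attr, None)
        kept.append(node)
    nodes[:] = kept
    return body, made

# Constructed sample data, not taken from any real deployment.
PAYLOAD = {"Path": "$.data.accounts", "Action": "retrieve", "ResourceType": "account"}
PARENT = {"action": "GET", "service": "Banking", "resource_type": "response"}
BODY = {"data": {"accounts": [
    {"id": 1, "owner": "alice", "taxId": "T-1"},
    {"id": 2, "owner": "bob", "taxId": "T-2"},
    {"id": 3, "owner": "alice", "taxId": "T-3"},
]}}

def sample_policy(request):
    account = request["attributes"]["account"]
    if account["owner"] != "alice":
        return "DENY", []
    return "PERMIT", [{"type": "exclude", "attributes": ["taxId"]}]

if __name__ == "__main__":
    print(filter_response(PAYLOAD, PARENT, BODY, sample_policy))
```

The second return value equals the length of the selected array, which is the request count the performance note refers to.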