This tutorial describes how to build and test fine-grained access control (FGAC) policies that restrict access to a protected resource based on attributes of both the resource and the caller.
Scenario
Some access decisions depend on attributes of both the resource being requested and the user requesting it. For example, a counselor may view only the records of students in their own department. In the meme game scenario, users can invite friends or family to like or critique their memes. Because some memes are inappropriate for younger audiences, the city of Youngstown, Ohio, passes an ordinance that prohibits serving its residents memes rated for ages 13 and older. You must create a policy that enforces this ordinance by checking the city in the requesting user's profile and the age rating of the shared meme.
Obviously, not all Youngstown residents are young. A more realistic policy would compare the requesting user's age to the meme's age rating, but computing the user's age from a date of birth adds complexity that this tutorial does not need.
Tasks
This tutorial teaches you how to configure attribute-based API access control rules by walking you through the following tasks:
- Configure a proxy for the Meme Game API.
- Create a policy that blocks all users from viewing shared memes.
- Add a policy condition that allows users who are not from Youngstown to view shared memes.
- Add a policy condition that allows users from Youngstown to view shared memes rated under 13.
- Add advice that sets the API error response when the policy blocks access.
The following sections provide the details for completing these tasks.
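Before the step-by-step sections, here is the combined decision logic of all four tasks as an added, runnable reference model in Python. It is not the tutorial's own policy or the product's policy language and code: the attribute names city and ageRating, the Decision and advice shapes, the proxy_response helper, and the sample profiles are assumptions made for this example so the logic can be exercised offline.

```python
# Added reference model of the tutorial's access policy. It is not the
# product's policy language or code: attribute names ("city", "ageRating"),
# the Decision/advice shapes, and the sample inputs are assumptions made
# here so the decision logic can be exercised offline.
from dataclasses import dataclass, field
from typing import Any, Dict, Tuple

ORDINANCE_CITY = "youngstown"   # compared case-insensitively after trimming
RESTRICTED_FROM_RATING = 13     # ratings >= 13 may not be served in Youngstown


@dataclass
class Decision:
    permit: bool
    reason: str
    # Advice attached to a deny: tells the API proxy which error response to
    # return instead of its default. The shape is an assumption for this example.
    advice: Dict[str, Any] = field(default_factory=dict)


def blocked_advice(reason: str) -> Dict[str, Any]:
    """Advice payload used by every deny, so the error response is uniform."""
    return {"status": 403, "body": {"error": "forbidden", "detail": reason}}


def view_shared_meme(user: Dict[str, Any], meme: Dict[str, Any]) -> Decision:
    """Evaluate the 'view shared meme' policy.

    user: requester profile attributes, e.g. {"city": "Youngstown"}
    meme: resource attributes, e.g. {"ageRating": 13}
    Rules are applied in the order the tutorial builds them:
      1. deny everyone by default;
      2. permit users whose profile city is not Youngstown;
      3. permit Youngstown users for memes rated under 13;
      4. every deny carries advice that sets the API error response.
    A missing or malformed attribute cannot satisfy a permit rule, so the
    default deny stands (fail closed) rather than silently permitting.
    """
    city = user.get("city")
    rating = meme.get("ageRating")

    # Rule 2: residents of other cities are not covered by the ordinance.
    if isinstance(city, str) and city.strip():
        if city.strip().casefold() != ORDINANCE_CITY:
            return Decision(True, "requester is not a Youngstown resident")
    else:
        return Decision(False, "user profile has no usable city attribute",
                        blocked_advice("cannot determine requester's city"))

    # Rule 3: Youngstown residents may see memes rated under 13 only.
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(rating, bool) or not isinstance(rating, int):
        return Decision(False, "meme has no usable age rating",
                        blocked_advice("meme age rating unknown"))
    if rating < RESTRICTED_FROM_RATING:
        return Decision(True, f"meme rated {rating}, under {RESTRICTED_FROM_RATING}")

    # Rule 1 (default deny) with rule 4's advice.
    reason = f"memes rated {RESTRICTED_FROM_RATING}+ may not be served in Youngstown"
    return Decision(False, reason, blocked_advice(reason))


def proxy_response(user: Dict[str, Any], meme: Dict[str, Any],
                   upstream_body: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
    """What the API proxy returns: the upstream body on permit, or the
    advice-driven error status and body on deny."""
    decision = view_shared_meme(user, meme)
    if decision.permit:
        return 200, upstream_body
    return decision.advice["status"], decision.advice["body"]


if __name__ == "__main__":
    # Constructed sample inputs (not data from the tutorial).
    cases = [
        ({"city": "Boardman"}, {"ageRating": 18}),       # permit: not in Youngstown
        ({"city": "Youngstown"}, {"ageRating": 10}),     # permit: rated under 13
        ({"city": " youngstown "}, {"ageRating": 13}),   # deny: ordinance applies
        ({}, {"ageRating": 5}),                          # deny: city unknown
        ({"city": "Youngstown"}, {}),                    # deny: rating unknown
    ]
    for user, meme in cases:
        status, body = proxy_response(user, meme, {"meme": "..."})
        print(user, meme, "->", status, body)
```

Two points the step-by-step sections rely on are visible here: the permit conditions are added on top of a default deny, so a request that matches none of them (including one whose city or age rating is missing) is still blocked, and the advice travels with the deny so the proxy can return a deliberate 403 body instead of whatever its default error looks like. A production check would normally also pin the state, since the ordinance is specific to Youngstown, Ohio and other cities share the name.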