For a given resource, control the outcomes (deny or permit) of actions on the resource. In particular, the policy focuses on the Users resource, and then denies deletes but permits retrieves.
- In the Policy Editor, go to Policies in the left pane and then click Policies along the top.
- From the + menu, select Add Policy.
- For the name, replace Untitled with Control actions for the User resource.
- Click the + next to Applies to.
- Click Add definitions and targets, or drag from Components and add the SCIM2.Users service.
- Set Combining Algorithm to Unless one decision is deny, the decision will be permit.
  You should have a screen similar to the following one for the policy so far.
- Add a rule to deny the deletion of User resources.
  - Click + Add Rule.
  - For the name, replace Untitled with Action: delete.
  - Set Effect to Deny.
  - Click + Comparison.
  - In the first field, click the A to toggle to an R and from that field's drop-down list, select Action.
  - In the second field, select Equals.
  - In the third field, select the delete action.
- Add advice to provide a custom message.
  - Within the rule, click Show Advice and Obligations.
  - Click + next to Advice and Obligations.
  - Click + Add Advice > Denied Reason.
  - For the name, specify denied-reason.
  - Set Applies To to Deny.
  - In the Payload field:
    - Remove Example:
    - Change Human-readable error message to System has restricted the ability to delete User resources
  - Click Save changes.
  Your rule should be similar to the following one.
- Add a rule to permit the retrieval of User resources.
  - Click + Add Rule.
  - For the name, replace Untitled with Action: retrieve.
  - Click + Comparison.
  - In the first field, click the A to toggle to an R and from that field's drop-down list, select Action.
  - In the second field, select Equals.
  - In the third field, select the retrieve action.
  - Click Save changes.
  Your rule should be similar to the following one.
- Send test requests to the SCIM service and verify data using the Policy Editor's Decision Visualiser.
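To make the decision flow concrete, here is an added Python model of the finished policy (example code, not the Policy Editor's engine or data model); the request, rule and advice shapes and the payload dict are simplifying assumptions. It also shows a consequence of the chosen combining algorithm: an action with no matching rule, such as replace, is still permitted, so only actions you explicitly deny are blocked.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Advice:
    name: str
    applies_to: str   # "Deny" or "Permit": returned only when the final decision matches
    payload: dict

@dataclass
class Rule:
    name: str
    effect: str       # "Deny" or "Permit"
    condition: Callable[[dict], bool]   # the rule's Comparison, e.g. Action Equals delete
    advice: list = field(default_factory=list)

    def evaluate(self, request: dict):
        """Rule's effect when its comparison matches, else None (rule not applicable)."""
        return self.effect if self.condition(request) else None

@dataclass
class Policy:
    name: str
    applies_to: str   # target service, e.g. "SCIM2.Users"
    rules: list

    def decide(self, request: dict):
        """'Unless one decision is deny, the decision will be permit' (XACML permit-unless-deny):
        any applicable Deny rule gives Deny; otherwise Permit, even if no rule matched.
        Advice is emitted only from matching rules whose applies_to equals the decision."""
        if request.get("service") != self.applies_to:
            return "NotApplicable", []
        effects = [(rule, rule.evaluate(request)) for rule in self.rules]
        decision = "Deny" if any(e == "Deny" for _, e in effects) else "Permit"
        advice = [a.payload for rule, e in effects if e == decision
                  for a in rule.advice if a.applies_to == decision]
        return decision, advice

# The policy from the steps above; the payload dict is an assumed, simplified stand-in for the editor's Denied Reason template.
DENIED_REASON = Advice("denied-reason", "Deny",
                       {"message": "System has restricted the ability to delete User resources"})

CONTROL_USER_ACTIONS = Policy(
    "Control actions for the User resource", "SCIM2.Users",
    [Rule("Action: delete", "Deny", lambda r: r["action"] == "delete", [DENIED_REASON]),
     Rule("Action: retrieve", "Permit", lambda r: r["action"] == "retrieve")])

if __name__ == "__main__":
    for action in ("delete", "retrieve", "replace"):   # constructed sample requests
        print(action, CONTROL_USER_ACTIONS.decide({"service": "SCIM2.Users", "action": action}))
```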