To review, the Meme Game API offers a game creation endpoint that looks like this:

POST /api/v1/games
{
    "data": {
        "type": "game",
        "attributes": {
            "invitees": ["friend@example.com"]
        }
    }
}

The requester specifies one or more invitees using the data.attributes.invitees field. We will update our policy rule with a second comparison so that it also denies a new game if anybody else is invited to it.

  1. Define a Trust Framework attribute to represent the data.attributes.invitees field.
    1. In the Policy Editor, go to Trust Framework and click Attributes.
    2. From the + menu, select Add new Attribute.
    3. For the name, replace Untitled with Meme Game invitees.
    4. Verify that in the Parent field, no parent is selected.
      To remove a parent, click the delete icon to the right of the Parent field.
    5. Click the + next to Resolvers and click + Add Resolver.
    6. Set Resolver type to Attribute.
    7. Select the attribute HttpRequest.RequestBody.
    8. Click the + next to Value Processors and click + Add Processor.
    9. Set Processor to JSON Path.
    10. Set the value to $.data.attributes.invitees.
    11. Set Value type to Collection.
    12. For Value Settings, select Default value and specify square brackets ([]) to indicate an empty collection.
    13. Set Type to Collection.
    14. Click Save changes.
      The following image shows the new attribute.
      [Screen capture of the "Meme Game invitees" attribute with a configured Resolver, Value Processor, and Value Setting]

      This Trust Framework attribute introduces resolvers and value processors, which are two important components. To better understand these components, see For further consideration: Resolvers and value processors.

  2. Modify a rule to use the Meme Game invitees attribute we just created.
    1. In the Policy Editor, go to Policies.
    2. Select the Users starting a new game policy.
    3. Rename the Deny if token subject ends with @example.com rule to Deny if token subject ends with @example.com AND request contains invitees.
    4. Expand the rule by clicking its + icon.
    5. For Effect, select Deny.
    6. Specify a second comparison.
      1. Click + Comparison.
      2. From the Select an Attribute list, select Meme Game invitees.
      3. In the second field, select Does Not Equal.
      4. In the third field, type [].
    7. Click Save changes.
      The following image shows the rule.
      [Screen capture of the "Deny if token subject ends with @example.com AND request contains invitees" rule with two comparison conditions set]
  3. Test the policy.
    As before, you can test your policy by sending an HTTP request or using the Policy Editor test interface. Try testing using the following combinations of inputs:
    • An access token with the subject user.0@example.com and with invitees. This should be denied.
    • An access token with the subject user.0@my-company.com and with invitees. This should be permitted.
    • An access token with the subject user.0@example.com and no invitee list. This should be permitted.
    • An access token with the subject user.0@my-company.com and no invitee list. This should be permitted.