Tutorial: Creating a policy for role-based access control - PingAuthorize

Tutorial: Creating a policy for role-based access control - PingAuthorize - 9.2

PingAuthorize

bundle

pingauthorize-92

ft:publication_title

PingAuthorize

Product_Version_ce

PingAuthorize 9.2

category

ContentType

Product

Productdocumentation

paz-92

pingauthorize

ContentType_ce

Product documentation

This tutorial describes how to create the final policy, which is an access-control rule that can base its authorization decision on an attribute of the requesting identity, rather than on an access token claim.

When PingAuthorize Server authorizes a request, an access token validator resolves the subject of the access token to a SCIM user and populates a policy request attribute called TokenOwner with the SCIM user's attributes. In this scenario, build a policy around the employeeType attribute, which must be defined in the Trust Framework.

Go to Trust Framework and click the Attributes tab. Click TokenOwner.
Click + and then Add new Attribute.
For the name, replace Untitled with employeeType.
From the Parent list, select TokenOwner.
In the Resolvers section:
1. Click + Add Resolver.
2. From the Resolver type list, select Attribute and in the Select an Attribute list, specify a value of TokenOwner.
Click + next to Value Processors and then + Add Processor.
From the Processor list, select JSON Path and enter the value employeeType.
Set the Value type to Collection.
In the Value Settings section:
1. Select the Default Value check box and in the Enter a default value field, enter the value [].
  
  Note:
  An empty array is specified as the default value because not all users have an employeeType attribute. A default value of [] ensures that policies can safely use this attribute to define conditions.
2. From the Type list, select Collection.
Click Save changes.

The final attribute configuration should resemble the following image.

A screen capture of the employeeType attribute window with Parent configured as TokenOwner and Resolvers, Value Processors, and Value Settings configured as specified

Add a policy that uses the employeeType attribute.

Go to Policies > Policies.
Highlight SCIM Policy Set and click + and then Add Policy.
For the name, replace Untitled with Restrict Intern Access.
From the Combining Algorithm list, select Unless one decision is deny, the decision will be permit.
Click + Add Rule.
For the name, replace Untitled with Restrict access for interns.
From the Effect list, select Permit.
In the Condition section:
1. Click + Comparison.
2. In the Select an Attribute list, select TokenOwner.employeeType.
3. From the middle, comparison-type list, select Contains.
4. In the Type in constant value field, enter intern.
Within the rule, click Show Advice and Obligations and then click the + next to Advice and Obligations.
Click + Add Advice > Custom Advice.
For the name, replace Untitled with Restrict attributes visible to interns.
Select the Obligatory check box.
In the Code field, enter exclude-attributes.
From the Applies To list, select Permit.
In the Payload field, enter ["description"].
Click Save changes.

A screen capture of the Restrict Intern Access policy window with the Combining Algorithm and one rule with advice, both configured as specified