To allow the user to modify a set of attributes limited to an allow list and return an error if the user attempts to modify any attribute outside of the allow list, create a constant in the Trust Framework and then use the constant in a policy.
1. Create a constant in the Trust Framework.
   - Go to Trust Framework and then Attributes.
   - From the + menu, select Add new Attribute.
   - For the name, replace Untitled with allowlistAttributes.
   - Verify that no parent is selected in the Parent field. To remove a parent, click the delete icon to the right of the Parent field.
   - Click + Add Resolver and set the Resolver type to Constant.
   - Set the value of the constant to a comma-delimited list of the attributes that can be modified, enclosed in square brackets. For example, to allow only the email and userName attributes to be modified, set the value of the constant to [email, userName]. Allowing an attribute does not implicitly allow its subproperties; each one must be listed explicitly. So to allow modification of the name field on the default Users pass-through schema, set the value of the constant to [name, name.formatted, name.givenName, name.familyName].
   - In the Value Settings section, set Type to Collection.
   - Click Save changes.
2. Modify or create a policy that uses the constant collection.
   - Go to Policies.
   - Select a policy or create a new one.
   - In the Rules section:
     - Set the Combining Algorithm to Unless one decision is permit, the decision will be deny.
     - Click + Add Rule.
     - For the name, replace Untitled with Allow only the email and userName attributes.
     - Set the Effect to Permit.
     - Under Condition, click + Comparison. The comparison compares the constant collection of permitted attributes to the impactedAttributes collection.
     - For the left field, select the allowlistAttributes attribute, the constant collection of permitted attributes defined in step 1. If the field shows an R immediately above + Comparison, click the R to toggle to attribute selection.
     - Set the middle field (the operator) to Contains.
     - Set the right field to the impactedAttributes attribute. If the field has a C before it, click the C to toggle to attribute selection.
       Note: If impactedAttributes is not available, see Restricting the modification of attributes.

When applied to two collections, the Contains operator returns true if and only if the right-side collection is a subset of the left-side collection. Thus, the rule returns permit only if the set of impactedAttributes is a subset of the allowed attributes in allowlistAttributes. Because the combining algorithm denies unless some rule permits, a request that modifies any attribute outside the allow list, including an unlisted subproperty such as name.givenName when only name is allowed, is denied.
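The following Python is an added illustration of the decision logic described above; it is not code from the product or from this page. It assumes that impactedAttributes is derived from a modification request as the set of attribute names, with nested objects contributing dotted paths (a hypothetical model used only to show why subproperties must be listed explicitly), and that ALLOWLIST_ATTRIBUTES mirrors the allowlistAttributes constant. It also lists the offending attributes so the caller can return a useful error.

```python
"""Model of the 'allow-list of modifiable attributes' rule.

Added example: models the Contains-as-subset semantics and the
'Unless one decision is permit, the decision will be deny' combining
algorithm. Not the authorization product's own code.
"""
from __future__ import annotations

from typing import Any

# Assumed constant, mirroring the allowlistAttributes collection in the text.
# Note that "name" alone would NOT cover its subproperties; they are listed.
ALLOWLIST_ATTRIBUTES: list[str] = [
    "email",
    "userName",
    "name",
    "name.formatted",
    "name.givenName",
    "name.familyName",
]


def impacted_attributes(patch: dict[str, Any], prefix: str = "") -> set[str]:
    """Hypothetical derivation of impactedAttributes from a request body.

    Every key in the body is an impacted attribute; nested objects also
    contribute their dotted paths (e.g. {"name": {"givenName": "A"}} yields
    {"name", "name.givenName"}). How the product actually populates
    impactedAttributes is an assumption here, not taken from the page.
    """
    names: set[str] = set()
    for key, value in patch.items():
        path = f"{prefix}.{key}" if prefix else key
        names.add(path)
        if isinstance(value, dict):
            names |= impacted_attributes(value, path)
    return names


def contains(left: list[str] | set[str], right: set[str]) -> bool:
    """Contains applied to two collections: true iff right is a subset of left."""
    return right.issubset(set(left))


def denied_attributes(patch: dict[str, Any],
                      allowlist: list[str] = ALLOWLIST_ATTRIBUTES) -> list[str]:
    """Attributes in the request that fall outside the allow list, sorted.

    Useful for the error message returned when the decision is deny.
    """
    return sorted(impacted_attributes(patch) - set(allowlist))


def evaluate(patch: dict[str, Any],
             allowlist: list[str] = ALLOWLIST_ATTRIBUTES) -> str:
    """Evaluate the policy for one modification request.

    Rule "Allow only the email and userName attributes": effect Permit when
    allowlist Contains impactedAttributes; otherwise the rule yields no
    decision. Combining algorithm: unless one decision is permit, deny.
    """
    decisions: list[str] = []
    if contains(allowlist, impacted_attributes(patch)):
        decisions.append("permit")
    return "permit" if "permit" in decisions else "deny"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        {"email": "alice@example.com"},
        {"email": "alice@example.com", "password": "hunter2"},
        {"name": {"givenName": "Alice"}},
    ]
    for body in samples:
        print(body, "->", evaluate(body), denied_attributes(body))
    # With only "name" allowed, a nested change is denied because the
    # subproperty name.givenName is not listed explicitly.
    print({"name": {"givenName": "Alice"}}, "->",
          evaluate({"name": {"givenName": "Alice"}}, allowlist=["name"]))
```

The third sample is the case the text warns about: with the full allow list the nested change to name.givenName is permitted, but with an allow list of just [name] the same request is denied, because impactedAttributes also contains name.givenName and the subset test fails.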