Creating a policy to check consent and then change the server response - PingAuthorize - 9.3

PingAuthorize 9.3

bundle
pingauthorize-93
ft:publication_title
PingAuthorize 9.3
Product_Version_ce
PingAuthorize 9.3
category
ContentType
Product
Productdocumentation
paz-93
pingauthorize
ContentType_ce
Product documentation

Using the Trust Framework attributes and services we created, we now create a policy for the meme game API to get a user's answers and change the server response with various statements based on the consent status.

Here is a snippet of an unedited response. It shows the id, type, and attributes attributes.

{
 	"data": [{
                "id": "1",
                "type": "answers",
                "attributes": {
                        "url": "https: //l.imqflip.com/2fm6x.jpq",
                        "captions": ["Still waiting for the bus to Jennie's"],
                        "rating": null,
                        "created_at": "2020-05-e6T22:25:06-00:00"
                }
        },
  1. Sign on to the Policy Editor, click Policies in the left pane, and then click Policies along the top.
  2. Select the existing meme-game policies policy. The new policy is created under this policy.
  3. From the + menu, select Add Policy.
  4. For the name, replace Untitled with Control user's response to answers request.
  5. Click + next to Applies to.
  6. Click Add definitions and targets, or drag from Components and add the meme-game.user_answers service, which we set up in Getting a path component from the request URL. Also, because we want to control the response to the client, add the outbound-GET action.
  7. Set Combining Algorithm to Unless one decision is deny, the decision will be permit.
  8. Add a rule to include attributes.
    1. Click + Add Rule.
      1. For the name, replace Untitled with If consent to share status is accepted then include attributes.
      2. Specify the condition.
        1. Click + Comparison.
        2. From the Select an Attribute list, select Sharing consent status, which we created in Getting consent status from the consent record.
        3. In the second field, select Equals.
        4. In the third field, type accepted.
      3. Specify the statement.
        1. Click Show Statements.
        2. Click + next to Statements.
        3. Click + Add Statement > Include Attributes.

          Use this statement to be explicit about which attributes to keep, especially when you have a large set of attributes where you only need a small subset in the response.

          For information about this statement, see Include Attributes.

        4. For the name, replace Untitled with Include id and attributes attribute.
        5. In the Code field, enter include-attributes.
        6. From the Applies To list, select Permit.
        7. In the Payload field, enter the following text to include the id attribute and the attributes attribute but not the type attribute.

          ["data[*].id","data[*].attributes.*"]

        8. Click Save changes.
      The following screen shows the rule.
      Screen capture of rule to compare "Sharing consent status" attribute to accepted

      With the policy in place, trying the request again gets a response with the type attribute removed, as shown in the following snippet.

      {
       	"data": [{
                      "attributes": {
                              "url": "https: //l.imqflip.com/2fm6x.jpq",
                              "captions": ["Still waiting for the bus to Jennie's"],
                              "rating": null,
                              "created_at": "2020-05-e6T22:31:06-00:00"
                      "id": "1",
                      }
              },
  9. Add a rule to exclude attributes.
    1. Click + Add Rule.
      1. For the name, replace Untitled with If consent to share status is revoked then exclude attributes.
      2. Specify the condition.
        1. Click + Comparison.
        2. From the Select an Attribute list, select Sharing consent status, which we created in Getting consent status from the consent record.
        3. In the second field, select Equals.
        4. In the third field, type revoked.
      3. Specify the statement.
        1. Click Show Statements.
        2. Click + next to Statements.
        3. Click + Add Statement > Exclude Attributes.

          Use this statement to be explicit about which attributes to leave out. For example, a third-party client might request banking records; the client does not need account numbers, so give them everything but the account number.

          For information about this statement, see Exclude Attributes.

        4. For the name, replace Untitled with Exclude the id attribute.
        5. In the Code field, enter exclude-attributes.
        6. From the Applies To list, select Anything.
        7. In the Payload field, enter the following text to exclude the id attribute.

          ["data[*].id"]

        8. Click Save changes.
      The following screen shows the rule.
      Screen capture of rule to compare "Sharing consent status" attribute to revoked

      With the policy in place, trying the request again gets a response with the id attribute removed, as shown in the following snippet.

      {
       	"data": [{
                      "type": "answers",
                      "attributes": {
                              "url": "https: //l.imqflip.com/2fm6x.jpq",
                              "captions": ["Still waiting for the bus to Jennie's"],
                              "rating": null,
                              "created_at": "2020-05-e6T22:35:06-00:00"
                      }
              },

      You can use the Decision Visualiser to see how the decision engine processed the decision. In the Policy Editor, click Policies in the left pane, then click Decision Visualiser along the top, and then click Recent Decisions. Click a decision and follow the green paths to see which policies are executed and which rules are invoked. Click Attributes along the top to see the names and values of attributes that are used in the decision.

  10. Add a rule to modify attributes.
    1. Click + Add Rule.
      1. For the name, replace Untitled with If consent to share status is restricted then modify attributes.
      2. Specify the condition.
        1. Click + Comparison.
        2. From the Select an Attribute list, select Sharing consent status, which we created in Getting consent status from the consent record.
        3. In the second field, select Equals.
        4. In the third field, type restricted.
      3. Specify the statement.
        1. Click Show Statements.
        2. Click + next to Statements.
        3. Click + Add Statement > Modify Attributes.

          Use this statement to change attributes. For example, the client might request health records and require all items from a record, such as a social security number, even if partially or fully hidden.

          For information about this statement, see Modify Attributes.

        4. For the name, replace Untitled with Modify all the values in attributes.
        5. In the Code field, enter modify-attributes.
        6. From the Applies To list, select Permit.
        7. In the Payload field, enter the following text to replace all values in the attributes attribute with three dashes.

          {"data[*].attributes.*":"---"}

        8. Click Save changes.
      The following screen shows the rule.
      Screen capture of rule to compare "Sharing consent status" attribute to restricted, configured as specified

      With the policy in place, trying the request now gets a response with the id and type attributes unchanged but all the attributes values changed to dashes, as shown in the following snippet.

      {
       	"data": [{
                      "id": "168",
                      "type": "answers",
                      "attributes": {
                              "url": "---",
                              "captions": "---",
                              "rating": "---",
                              "created_at": "---"
                      }
              },
The following image shows what the policy applies to and the three rules.

Screen capture of the user policy with the target and the three rules, configured as specified