When PingAuthorize Server authorizes a request, an access token validator resolves the subject of the access token to a SCIM user and populates a policy request attribute called TokenOwner with the SCIM user's attributes. In this scenario, build a policy around the employeeType attribute, which must be defined in the Trust Framework.

  1. Go to Trust Framework and click the Attributes tab. Click TokenOwner.
  2. Click + and then Add new Attribute.
  3. For the name, replace Untitled with employeeType.
  4. From the Parent list, select TokenOwner.
  5. In the Resolvers section:
    1. Click + Add Resolver.
    2. From the Resolver type list, select Attribute and in the Select an Attribute list, specify a value of TokenOwner.
  6. Click + next to Value Processors and then + Add Processor.
  7. From the Processor list, select JSON Path and enter the value employeeType.
  8. Set the Value type to Collection.
  9. In the Value Settings section:
    1. Select the Default Value check box and in the Enter a default value field, enter the value [].

      An empty array is specified as the default value because not all users have an employeeType attribute. A default value of [] ensures that policies can safely use this attribute to define conditions.

    2. From the Type list, select Collection.
  10. Click Save changes.
The final attribute configuration should resemble the following image.

A screen capture of the employeeType attribute window with Parent configured as TokenOwner and Resolvers, Value Processors, and Value Settings configured as specified

Add a policy that uses the employeeType attribute.

  1. Go to Policies > Policies.
  2. Select SCIM Policy Set and click + and then Add Policy.
  3. For the name, replace Untitled with Restrict Intern Access.
  4. From the Combining Algorithm list, select Unless one decision is deny, the decision will be permit.
  5. Click + Add Rule.
  6. For the name, replace Untitled with Restrict access for interns.
  7. From the Effect list, select Permit.
  8. In the Condition section:
    1. Click + Comparison.
    2. In the Select an Attribute list, select TokenOwner.employeeType.
    3. From the middle, comparison-type list, select Contains.
    4. In the Type in constant value field, enter intern.
  9. Within the rule, click Show Statements, and then click the + next to Statements.
  10. Click + Add Statement > Custom Advice.
  11. For the name, replace Untitled with Restrict attributes visible to interns.
  12. Select the Obligatory check box.
  13. In the Code field, enter exclude-attributes.
  14. From the Applies To list, select Permit.
  15. In the Payload field, enter ["description"].
  16. Click Save changes.
A screen capture of the Restrict Intern Access policy window with the Combining Algorithm and one rule with a statement, both configured as specified