This tutorial describes how to create the final policy, which is an access-control rule that can base its authorization decision on an attribute of the requesting identity, rather than on an access token claim.
When PingAuthorize Server authorizes a request, an
access token validator resolves the subject of the access token to a SCIM user and
populates a policy request attribute called
TokenOwner with the SCIM
user's attributes. In this scenario, build a policy around the
employeeType attribute, which must be defined in the Trust
- Go to Trust Framework and click the Attributes tab. Click TokenOwner.
- Click + and then Add new Attribute.
- For the name, replace Untitled with employeeType.
- From the Parent list, select TokenOwner.
In the Resolvers section:
- Click + Add Resolver.
- From the Resolver type list, select Attribute and in the Select an Attribute list, specify a value of TokenOwner.
- Click + next to Value Processors and then + Add Processor.
- From the Processor list, select JSON Path and enter the value employeeType.
- Set the Value type to Collection.
In the Value Settings section:
Select the Default Value check box and in the
Enter a default value field, enter the value
An empty array is specified as the default value because not all users have an
employeeTypeattribute. A default value of  ensures that policies can safely use this attribute to define conditions.
- From the Type list, select Collection.
- Select the Default Value check box and in the Enter a default value field, enter the value .
- Click Save changes.
Add a policy that uses the
- Go to .
- Select SCIM Policy Set and click + and then Add Policy.
- For the name, replace Untitled with Restrict Intern Access.
- From the Combining Algorithm list, select Unless one decision is deny, the decision will be permit.
- Click + Add Rule.
- For the name, replace Untitled with Restrict access for interns.
- From the Effect list, select Permit.
- In the Condition section:
- Click + Comparison.
- In the Select an Attribute list, select TokenOwner.employeeType.
- From the middle, comparison-type list, select Contains.
- In the Type in constant value field, enter intern.
- Within the rule, click Show Statements, and then click the + next to Statements.
- Click .
- For the name, replace Untitled with Restrict attributes visible to interns.
- Select the Obligatory check box.
- In the Code field, enter exclude-attributes.
- From the Applies To list, select Permit.
- In the Payload field, enter ["description"].
- Click Save changes.