Now that we have confirmed that PingDataGovernance Server is correctly configured to act as a reverse proxy to the Meme Game API, we can define a policy to try out its access control capabilities. This policy will accept or deny a request to create a game based on the identity making the request.
First, we define a service in the Trust Framework. Services have various uses, but at their most basic level, you use them to define a specific API that can be governed by your policies. By defining different services in your Trust Framework, you can target each policy specifically to their applicable APIs.
Then, we define a policy. This policy will reject any requests to start a new meme game if the user's identifier ends with @example.com. We will identify users using the subject of the request's access token.
Define the service.
- Sign on to the Policy Administration GUI using the URL and credentials from Accessing the GUIs.
- Go to Trust Framework and click Services.
- From the + menu, select Add new Service.
- For the name, replace Untitled with Meme Game - Games.
The service name must match the endpoint name. To understand why, see For further consideration: The PingDataGovernance API security gateway, part 2.
- Verify that no parent is set in the Parent field. To remove a parent, click the trash can icon to the right of the Parent field.
- Click Save changes.
Define the policy.
- In the Policy Administration GUI, go to Policies in the left pane and then click Policies along the top.
- Select Global Decision Point.
- From the + menu, select Add Policy.
- For the name, replace Untitled with Users starting a new game.
- Click + next to Applies to.
- In the upper-right corner of the left pane, click Components. This reveals a tree of items to target the policy and restrict the types of requests to which the policy applies.
- From the Actions list, drag inbound-POST to the Add definitions and targets, or drag from Components box.
- From the Services list, drag Meme Game - Games to the Add definitions and targets, or drag from Components box.
Using these components restricts the policy to incoming POST requests and the Meme Game - Games service.
- Set the Combining Algorithm to Unless one decision is deny, the decision will be permit.
- Click + Add Rule. This reveals an interface to define a condition. Define the rule as follows. The following screen shows the rule.
- For the name, replace Untitled with Deny if token subject ends with @example.com.
- For Effect, select Deny.
- Specify the condition:
  - Click + Comparison.
  - From the Select an Attribute field, select HttpRequest.AccessToken.subject.
  - In the second field, select Ends With.
  - In the third field, type @example.com.
- Click Save changes.
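The following Python model illustrates the decision logic of the policy defined above: the target (inbound-POST on the Meme Game - Games service), the single Deny rule on the token subject, and the deny-overrides combining algorithm. It is an added example, not PingDataGovernance code or its policy engine; the request shape and the treatment of a token without a subject are assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

DENY, PERMIT, NOT_APPLICABLE = "Deny", "Permit", "NotApplicable"

@dataclass
class Request:
    action: str                    # e.g. "inbound-POST"
    service: str                   # service name; must match the gateway endpoint
    token_subject: Optional[str]   # HttpRequest.AccessToken.subject, None if absent

@dataclass
class Rule:
    name: str
    effect: str                                     # DENY or PERMIT
    condition: Callable[[Request], Optional[bool]]  # None = cannot be evaluated

@dataclass
class Policy:
    name: str
    actions: set                   # the "Applies to" targets
    services: set
    rules: list = field(default_factory=list)

    def applies_to(self, req: Request) -> bool:
        return req.action in self.actions and req.service in self.services

    def evaluate(self, req: Request) -> str:
        if not self.applies_to(req):
            return NOT_APPLICABLE      # other requests are untouched by this policy
        # Combining algorithm: unless one rule decides Deny, the policy permits.
        fired = [r.effect for r in self.rules if r.condition(req)]
        return DENY if DENY in fired else PERMIT

def subject_ends_with(suffix: str) -> Callable[[Request], Optional[bool]]:
    def cond(req: Request) -> Optional[bool]:
        if req.token_subject is None:
            return None   # assumption: a missing attribute means the rule does not fire
        return req.token_subject.endswith(suffix)
    return cond

USERS_STARTING_A_NEW_GAME = Policy(
    name="Users starting a new game",
    actions={"inbound-POST"},
    services={"Meme Game - Games"},
    rules=[Rule("Deny if token subject ends with @example.com", DENY,
                subject_ends_with("@example.com"))],
)

def decide(action: str, service: str, subject: Optional[str]) -> str:
    return USERS_STARTING_A_NEW_GAME.evaluate(Request(action, service, subject))
```

Note that with this combining algorithm a request that matches the target but triggers no Deny rule is permitted, including, in this model, a token with no subject at all.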
For more information about API security gateway processing, see For further consideration: The PingDataGovernance API security gateway, part 2.