When PingDataGovernance Server authorizes a request, an access token validator resolves the subject of the access token to a System for Cross-domain Identity Management (SCIM) user and populates a policy request attribute called TokenOwner with the SCIM user's attributes. In this scenario, build a policy around the employeeType attribute, which must be defined in the Trust Framework.

  1. Go to Trust Framework and click the Attributes tab. Click TokenOwner.
  2. Click +.
  3. Click Add new Attribute.
  4. For the name, replace Untitled with employeeType.
  5. From the Parent list, select TokenOwner.
  6. In the Resolvers section:
    1. Click + Add Resolver.
    2. From the Resolver type list, select Attribute and in the Select an Attribute list, specify a value of TokenOwner.
  7. Click + next to Value Processors and then + Add Processor.
  8. From the Processor list, select JSON Path and enter the value employeeType.
  9. Set the Value type to Collection.
  10. In the Value Settings section:
    1. Select the Default Value check box and in the Enter a default value field, enter the value [].

      An empty array is specified as the default value because not all users have an employeeType attribute. A default value of [] ensures that policies can safely use this attribute to define conditions.

    2. From the Type list, select Collection.
  11. Click Save changes.
The final policy configuration should resemble the following image.

A screen capture of the employeeType configuration window

Add a policy that uses the employeeType attribute.

  1. Go to Policies, highlight SCIM Policy Set and click +.
  2. Click Add Policy.
  3. For the name, replace Untitled with Restrict Intern Access.
  4. From the Combining Algorithm list, select Unless one decision is deny, the decision will be permit.
  5. Click + Add Rule.
  6. For the name, replace Untitled with Restrict access for interns.
  7. From the Effect list, select Permit.
  8. In the Condition section:
    1. Click + Comparison.
    2. In the Select an Attribute field, select TokenOwner.employeeType.
    3. From the middle, comparison-type list, select Contains.
    4. In the Type in constant value field, enter intern.
  9. Within the rule, click Show Advice and Obligations and then click the + next to Advice and Obligations.
  10. Click + Add Advice > Custom Advice.
  11. For the name, replace Untitled with Restrict attributes visible to interns.
  12. Select the Obligatory check box.
  13. In the Code field, enter exclude-attributes.
  14. From the Applies To list, select Permit.
  15. In the Payload field, enter ["description"].
  16. Click Save Changes.

A screen capture of the Restrict Intern Access configuration