Learn how to add and test a fine-grained policy that uses API attributes.
It’s time to put the previous steps together into a policy that addresses your business requirements. So far, you’ve defined an API operation that matches API requests used to start a new game, and you’ve created attributes in the Trust Framework for the authenticated user’s email address and the invitee list of other game players. Now, you’ll create and test a policy that compares these three components to authorize the specific conditions under which a user can start a game.
Your business requirements:
- A user from a generic domain cannot invite others to play with them.
- A user from a generic domain can play the game alone, to see how it works.
- A user from a non-generic domain can play with or without inviting other players.
Your policy codifies these requirements as rules that compare the domain of the authenticated user's email address with the contents of the invitee list, and permits the start-game operation only under the conditions listed above.
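To make the three rules concrete, here is the same decision logic written out as an added Python function; it is not the Trust Framework policy itself and is not from the original tutorial. The set of "generic" domains is an assumption, since the tutorial does not define it, and malformed addresses are rejected before any rule is evaluated.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Assumed list of generic (consumer webmail) domains. The tutorial does not
# define which domains count as generic, so this is a placeholder set.
GENERIC_DOMAINS = frozenset({"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"})


def email_domain(email: str) -> str:
    """Return the lower-cased domain part of an email address, rejecting malformed input."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"malformed email address: {email!r}")
    return domain.lower()


def is_generic_domain(email: str) -> bool:
    """True when the address belongs to one of the assumed generic domains."""
    return email_domain(email) in GENERIC_DOMAINS


@dataclass(frozen=True)
class Decision:
    permit: bool
    reason: str


def authorize_start_game(user_email: str, invitees: Optional[Sequence[str]] = None) -> Decision:
    """Apply the business rules for the start-game operation.

    - generic-domain user who invites others  -> deny
    - generic-domain user playing alone       -> permit
    - non-generic-domain user                 -> permit, with or without invitees
    """
    # A missing invitee list means the user is playing alone. Every invitee is
    # parsed so a malformed entry fails closed instead of being silently ignored.
    others = [email_domain(invitee) for invitee in (invitees or [])]

    if is_generic_domain(user_email):
        if others:
            return Decision(False, "generic-domain users cannot invite other players")
        return Decision(True, "generic-domain user playing alone")
    return Decision(True, "non-generic-domain user may play with or without invitees")
```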
Next, you’ll test the end-to-end use case for starting new games by using Postman to simulate API requests from the game application.