To act as a user, you’ll use Postman’s built-in ability to do OpenID Connect (OIDC) sign-on. Sign on as the game administrator and get an access token to allow Postman to act as the administrator. Then, repeat this for the game player. You’ll demonstrate access control by sending a request to review submitted memes as the administrator and then as the player.

  1. In Postman, go to Collections and click PingOne Authorize: API Access Management Tutorials to open the collection.
    Screen capture of the PingOne Authorize: API Access Management Tutorials collection in Postman showing the Authorization tab.
  2. At the bottom of the Authorization tab, click Clear cookies.
  3. Click Get New Access Token.

    Postman launches the sign-on flow. You’ll sign on as the gameadmin user with the password you saved earlier.

    Screen capture of the Authenticate via Browser window in Postman showing the PingOne sign-on window.
  4. For the Username, enter gameadmin.
  5. For the Password, enter the password you saved earlier. Click Sign On.

    Now you’ll change the password for the gameadmin user.

  6. For Current Password, enter the one-time password (OTP) again.
  7. Enter a New Password, and then enter it again in Verify New Password.

    Copy the password to a convenient location. You'll need it to sign on later.

  8. Click Save.
  9. When authentication is complete, click Proceed or wait for the confirmation box to time out.
  10. In Manage Access Tokens, click the Pencil icon and change the Token Name to gameadmin. Press Enter.

    This makes it easier to keep track of which user the token is for.

    Screen capture of the Manage Access Tokens window in Postman showing the Token Name.
  11. Click Use Token.

    Now Postman has an access token to act as the gameadmin user.

    Screen capture of the Current Token in Postman showing access token settings.

    Try the request to review submitted memes as the administrator.

  12. Select the User gets memes of another user request and click Send.

    Success! You get a 200 OK response with data in the response body.

    Now you’ll get an access token to allow Postman to act as the gameplayer user.

  13. To get an access token for the gameplayer user, repeat steps 1-11, with the following changes:
    1. In step 4, enter gameplayer for the Username.
    2. In step 10, change the Token Name to gameplayer.

    Now you have an access token that allows Postman to act as the gameplayer user.

    Repeat the request to see whether the player can review submitted memes.

  14. Select the User gets memes of another user request and click Send.

    You get a 403 Forbidden response. This demonstrates that the player can’t review another user’s submitted memes.

    Tip:

    Because you have both tokens, you can have Postman act as the administrator or the player by selecting the corresponding token in the Access Token list on the Authorization tab.

    Screen capture of the Authorization tab in Postman showing available tokens.

    Congratulations! You’ve demonstrated that only administrators can review submitted memes.

    Not getting the right results? See Viewing API Access Management events in your PingOne environment audit log.

In this tutorial, you configured group-based access control for a protected API operation and demonstrated that only authorized users can perform the privileged action.
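As an added illustration of the decision the two Postman requests exercised (this is example code, not part of the tutorial or of PingOne Authorize), the following models a group-based check that answers 200 for the administrator and 403 for the player. The `groups` claim name, the group names, the policy table and the unsigned, constructed tokens are assumptions made for this example only.

```javascript
// Added example, not code from the PingOne tutorial or from Postman.
// It models the group-based decision the tutorial observes (admin 200,
// player 403). Token layout, claim names, group names and the policy table
// are assumptions for this example; a real resource server must verify the
// token signature against the issuer's keys before trusting any claim.

// Policy: operation name -> groups allowed to perform it (hypothetical).
const POLICY = {
  "User gets memes of another user": ["Game Administrators"],
};

const b64url = (s) => Buffer.from(s).toString("base64url");
const fromB64url = (s) => Buffer.from(s, "base64url").toString("utf8");

// Build a constructed, UNSIGNED JWT-shaped token for the demonstration.
function makeToken(claims) {
  const header = b64url(JSON.stringify({ alg: "none", typ: "JWT" }));
  return `${header}.${b64url(JSON.stringify(claims))}.`;
}

// Extract claims from the token; null for malformed or expired tokens.
function parseClaims(token, now) {
  const parts = (token || "").split(".");
  if (parts.length !== 3) return null;
  try {
    const claims = JSON.parse(fromB64url(parts[1]));
    if (typeof claims.exp !== "number" || claims.exp <= now) return null;
    return claims;
  } catch { return null; }
}

// Decide an HTTP status for `operation` from an Authorization header value.
function authorize(operation, authHeader, now = Math.floor(Date.now() / 1000)) {
  const m = /^Bearer (\S+)$/.exec(authHeader || "");
  const claims = m ? parseClaims(m[1], now) : null;
  if (!claims) return 401;                        // no usable token at all
  const allowed = POLICY[operation] || [];        // unknown operation: nobody
  const groups = Array.isArray(claims.groups) ? claims.groups : [];
  return groups.some((g) => allowed.includes(g)) ? 200 : 403;
}

// Constructed tokens standing in for the two tokens created in Postman.
const NOW = 1_700_000_000;
const TOKENS = {
  gameadmin:  makeToken({ sub: "gameadmin",  groups: ["Game Administrators"], exp: NOW + 3600 }),
  gameplayer: makeToken({ sub: "gameplayer", groups: ["Game Players"],        exp: NOW + 3600 }),
};
```

Calling `authorize("User gets memes of another user", "Bearer " + TOKENS.gameadmin, NOW)` yields 200, the same call with `TOKENS.gameplayer` yields 403, and a missing or expired token yields 401.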