Creating a policy to permit or deny the creation of resources - PingAuthorize - 9.1


This policy allows the creation of one resource type but not another. In particular, the policy focuses on the create action and then allows the creation of Device resources but denies the creation of User resources.

  1. In the Policy Editor, go to Policies in the left pane and then click Policies along the top.
  2. From the + menu, select Add Policy.
  3. For the name, replace Untitled with User can only create Device resources.
  4. Click the + next to Applies to.
  5. Click Add definitions and targets, or drag from Components and add the create action.
  6. Set Combining Algorithm to Unless one decision is deny, the decision will be permit.
  7. Add a rule to allow the creation of Device resources.
    1. Click + Add Rule.
    2. For the name, replace Untitled with Permit the creation of Device resources.
    3. Click + Comparison.
    4. In the first field, click the A to toggle to an R and from that field's drop-down list, select Service.
    5. In the second field, select Equals.
    6. In the third field, select the SCIM2.Devices service.
    7. Click Save changes.

      You should have a screen similar to the following one for the policy and this rule.

      [Screenshot: Policies tab with first rule showing]
  8. Add a rule to deny the creation of User resources.
    1. Click + Add Rule.
    2. For the name, replace Untitled with Deny the creation of User resources.
    3. Set Effect to Deny.
    4. Click + Comparison.
    5. In the first field, click the A to toggle to an R and from that field's drop-down list, select Service.
    6. In the second field, select Equals.
    7. In the third field, select the SCIM2.Users service.
    8. Add advice to provide a custom message.
      1. Within the rule, click Show Advice and Obligations.
      2. Click + next to Advice and Obligations.
      3. Click + Add Advice > Denied Reason.
      4. For the name, specify denied-reason.
      5. Set Applies To to Deny.
        6. In the Payload field:
          • Remove the "Example:" text.
          • Change "Human-readable error message" to "System has restricted the ability to create User resources".

    9. Click Save changes.

      You should have a screen similar to the following one for the second rule.

      [Screenshot: Policies tab with second rule and its advice showing]
  9. Send test requests to the SCIM service and verify data using the Policy Editor's Decision Visualiser.
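The following is an added, simplified model of the policy built in the steps above; it is not PingAuthorize code and does not call the SCIM service. It reproduces the decision logic (a target on the create action, one permit rule and one deny rule comparing the Service attribute, the "Unless one decision is deny, the decision will be permit" combining algorithm, and the denied-reason advice) so that the outcomes you expect from the step 9 test requests can be reasoned about offline. The request attribute names (action, service) and the advice payload shape (a dict with a message key) are assumptions, and the SCIM2.Other service used in the comments is a constructed name.

```python
"""Simplified model of the "User can only create Device resources" policy.

Added illustration only: this is not the PingAuthorize decision engine.
It mirrors the policy's target, its two rules, the "unless one decision
is deny, the decision will be permit" combining algorithm, and the
denied-reason advice so expected decisions can be checked offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

PERMIT, DENY, NOT_APPLICABLE = "PERMIT", "DENY", "NOT_APPLICABLE"


@dataclass
class Rule:
    name: str
    effect: str                                  # PERMIT or DENY
    matches: Callable[[dict], bool]              # the rule's comparison
    advice: Dict[str, dict] = field(default_factory=dict)  # applied on this effect


@dataclass
class Policy:
    name: str
    applies_to_action: str                       # the policy's "Applies to" target
    rules: List[Rule]


# Assumed payload shape for the Denied Reason advice (a dict with a message key).
DENIED_REASON = {
    "denied-reason": {
        "message": "System has restricted the ability to create User resources"
    }
}

# The policy exactly as the steps above configure it.
POLICY = Policy(
    name="User can only create Device resources",
    applies_to_action="create",
    rules=[
        Rule("Permit the creation of Device resources", PERMIT,
             lambda req: req.get("service") == "SCIM2.Devices"),
        Rule("Deny the creation of User resources", DENY,
             lambda req: req.get("service") == "SCIM2.Users",
             advice=DENIED_REASON),
    ],
)


def evaluate(policy: Policy, request: dict) -> Tuple[str, Dict[str, dict]]:
    """Return (decision, advice) for a request with 'action' and 'service' keys."""
    # The policy only applies to requests for its target action.
    if request.get("action") != policy.applies_to_action:
        return NOT_APPLICABLE, {}

    matched = [r for r in policy.rules if r.matches(request)]

    # "Unless one decision is deny, the decision will be permit":
    # any matching deny rule wins and carries its advice; otherwise the
    # policy permits, even when no rule matched at all.
    denies = [r for r in matched if r.effect == DENY]
    if denies:
        advice: Dict[str, dict] = {}
        for r in denies:
            advice.update(r.advice)
        return DENY, advice
    return PERMIT, {}


if __name__ == "__main__":
    # Constructed sample requests mirroring the step 9 tests.
    for req in [
        {"action": "create", "service": "SCIM2.Devices"},   # expected PERMIT
        {"action": "create", "service": "SCIM2.Users"},     # expected DENY + advice
        {"action": "create", "service": "SCIM2.Other"},     # constructed name: PERMIT
        {"action": "delete", "service": "SCIM2.Users"},     # outside the target
    ]:
        print(req, "->", evaluate(POLICY, req))
```

Note the third sample: with this combining algorithm, a create request for any service that neither rule names is permitted, because nothing returned deny. If the intent is that only Device creation is allowed, either add deny rules for the other services or choose a combining algorithm that denies when no rule permits, and confirm the result in the Decision Visualiser.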