# Example Dynamic role PEP

## Dynamic role Enforcement Point

### Use case example

We want to define a policy to restrict access to the Soffid console users page (Main Menu &gt; Administration &gt; Resources &gt; Users).

The users who are assigned the SOFFID\_RRHH role (from this point forward: *end-users*) will have the following restrictions when performing actions on the Soffid console users page:

1. The *end-users* are only able to query information about users who belong to the same primary group as they do.
2. The *end-users* are only able to update users of the internal user type.
3. The *end-users* cannot delete any user record.

### XACML Editor

#### Policy set

First of all, we define a policy set. We need to define its subject, in this case users with the SOFFID\_RRHH role assigned.

[![image-1628231702828.png](https://bookstack.soffid.com/uploads/images/gallery/2021-08/scaled-1680-/image-1628231702828.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-08/image-1628231702828.png)

Then we can create the policies. In this case we create three policies, one for each operation that we want to manage.

[![image-1628238915331.png](https://bookstack.soffid.com/uploads/images/gallery/2021-08/scaled-1680-/image-1628238915331.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-08/image-1628238915331.png)

#### Policies

We can define a policy for each operation, to permit or deny access.

We can also define a variable that holds the *end-user*'s primary group, so that we can use it when we define the conditions.

##### Policy1

> The *end-users* are only able to query information about users who belong to the same primary group as they do.

We need to define two rules, one to permit and one to deny access.

[![image-1628238946431.png](https://bookstack.soffid.com/uploads/images/gallery/2021-08/scaled-1680-/image-1628238946431.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-08/image-1628238946431.png)

##### Rules

We define the rule that allows the *end-user* to query information about users who belong to the same primary group as the end-user.

[![image-1628238975450.png](https://bookstack.soffid.com/uploads/images/gallery/2021-08/scaled-1680-/image-1628238975450.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-08/image-1628238975450.png)

Then, we define the rule that denies *end-users* access to query user information.

[![image-1628239000393.png](https://bookstack.soffid.com/uploads/images/gallery/2021-08/scaled-1680-/image-1628239000393.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-08/image-1628239000393.png)

##### Policy 2

> The *end-users* are only able to update users of the internal user type.

We need to define two rules, one to permit and one to deny access.

[![image-1628239036221.png](https://bookstack.soffid.com/uploads/images/gallery/2021-08/scaled-1680-/image-1628239036221.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-08/image-1628239036221.png)

##### Rules

We define the rule that allows the *end-users* to update the information of users who are internal users.

[![image-1628239076738.png](https://bookstack.soffid.com/uploads/images/gallery/2021-08/scaled-1680-/image-1628239076738.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-08/image-1628239076738.png)

Then, we define the rule that denies *end-users* access to update user information.

[![image-1628239102464.png](https://bookstack.soffid.com/uploads/images/gallery/2021-08/scaled-1680-/image-1628239102464.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-08/image-1628239102464.png)

##### Policy 3

> The *end-users* cannot delete any user record.

We need to define only one rule, to deny access.

[![image-1628239130798.png](https://bookstack.soffid.com/uploads/images/gallery/2021-08/scaled-1680-/image-1628239130798.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-08/image-1628239130798.png)

##### Rules

We define the rule that denies the *end-user* permission to delete any user.

[![image-1628239173903.png](https://bookstack.soffid.com/uploads/images/gallery/2021-08/scaled-1680-/image-1628239173903.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-08/image-1628239173903.png)
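The decision logic of the three policies above, written out as an added example (this is not Soffid code and not the XACML produced by the editor): the policy set applies only to subjects holding SOFFID\_RRHH, each policy targets one action, and the rules inside a policy are assumed to combine first-applicable, with the Permit rule evaluated before the Deny rule. Attribute names on the request are constructed for the example.

```python
from dataclasses import dataclass

# XACML decision values used by this policy set.
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass(frozen=True)
class Request:
    """Attributes of one access request to the Users page (field names are constructed for this example)."""
    subject_roles: frozenset
    subject_primary_group: str   # the variable the page defines for the end-user's primary group
    resource_primary_group: str  # primary group of the user record being accessed
    resource_user_type: str      # e.g. "internal" or "external"
    action: str                  # "query", "update" or "delete"

def first_applicable(rules, req):
    """XACML first-applicable rule combining: the first rule whose condition holds decides."""
    for condition, effect in rules:
        if condition(req):
            return effect
    return NOT_APPLICABLE

# Policy 1 (query): Permit users in the end-user's primary group, otherwise Deny.
POLICY1_RULES = [
    (lambda r: r.resource_primary_group == r.subject_primary_group, PERMIT),
    (lambda r: True, DENY),
]
# Policy 2 (update): Permit internal users, otherwise Deny.
POLICY2_RULES = [
    (lambda r: r.resource_user_type == "internal", PERMIT),
    (lambda r: True, DENY),
]
# Policy 3 (delete): a single Deny rule.
POLICY3_RULES = [(lambda r: True, DENY)]

# Each policy's target matches one action on the Users page.
POLICIES = {"query": POLICY1_RULES, "update": POLICY2_RULES, "delete": POLICY3_RULES}

def evaluate(req):
    """Policy set target: the subject holds SOFFID_RRHH; otherwise the set does not apply (assumption)."""
    if "SOFFID_RRHH" not in req.subject_roles:
        return NOT_APPLICABLE
    rules = POLICIES.get(req.action)
    return first_applicable(rules, req) if rules else NOT_APPLICABLE

def pep_allows(req):
    """A deny-biased PEP: only an explicit Permit lets the operation proceed."""
    return evaluate(req) == PERMIT
```

A user without the role gets NotApplicable rather than Deny, so whether the console falls back to other policies or refuses the operation is decided by the PEP, which here treats anything other than Permit as a refusal.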

### Download XML

You can download an XML file with the example: [policy-TestDynamicPEP.xml](https://bookstack.soffid.com/attachments/20)

## Configure PEP

[![image-1628238841651.png](https://bookstack.soffid.com/uploads/images/gallery/2021-08/scaled-1680-/image-1628238841651.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-08/image-1628238841651.png)