Skip to main content

Example Dynamic role PEP

Dynamic role Enforcement Point

We want to define a policy to restrict access to the user's page. The users who are assigned to the SOFFID_RRHH role, will have limitations to perform some actions.

  • The RRHH users only be able to query the information about the users who belong to the same primary group that them. 
  • The RRHH users only be able to update the users with internal user type.
  • The RRHH users could not delete any user record.

Policy set

We define a policy set that will apply to users with access to a specific resource who have been assigned a specific role. 

image-1628145441657.png

That policy set has three policies, one for each operation that we want to manage.

image-1628145277766.png

Policies

We can define a policy for each operation, to permit or deny access. Also we can define a variable which contain the end-user primary group.

Policy1

The policy can permit or deny access to end-user to query users depending on the defined rules.

image-1628168453264.png

Rules

&&TODO&& sustituir la imagen cuando se arregle el label de Attribute selector

That rule allow to the end-user to query users who belong to the same primary group that the end-user.

image-1628168609195.png

That rule denies access to query users

image-1628168675390.png

Policy 2

The policy denies access to end-user to delete users.

image-1628168823291.png

Rules

That rule denies access to delete users

image-1628168865703.png

Download XML

You can download a XML file with the example: policy-TestDynamicPEP.xml

Back to top