
Example Dynamic role PEP

Dynamic role Enforcement Point

Use case example

We want to define a policy that restricts access to the Users page of the Soffid console (MainMenu > Administration > Resources > Users).

The users who are assigned the SOFFID_RRHH role (from this point forward: end-users) will be restricted in the actions they can perform:

  • End-users can only query the information of users who belong to the same primary group as themselves.
  • End-users can only update users whose user type is internal.
  • End-users cannot delete any user record.

Policy set

We define a policy set that applies to end-users who access a specific resource and who have been assigned a specific role.

Screenshot: image-1628145441657.png

That policy set has three policies, one for each operation that we want to manage.

Screenshot: image-1628145277766.png

Policies

We define one policy per operation, each permitting or denying access. We can also define a variable that holds the end-user's primary group, so the rules can compare it against the primary group of the user record being accessed.

Policy1

This policy permits or denies end-users' queries of user records, according to the rules defined below.

Screenshot: image-1628168453264.png

Rules

&&TODO&& replace the image once the Attribute selector label is fixed

This rule allows end-users to query users who belong to the same primary group as the end-user.

Screenshot: image-1628168609195.png

This rule denies end-users access to query users.

Screenshot: image-1628168675390.png

Policy 2

This policy denies end-users access to delete users.

Screenshot: image-1628168823291.png

Rules

This rule denies end-users access to delete users.

Screenshot: image-1628168865703.png
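The following is an added example that models the decision logic of the policy set described above (the use case list and the policies for query, update and delete); it is not Soffid's own code or the XML from the screenshots. It assumes a first-applicable combining algorithm, a resource identifier "users" for the console page, and the constructed user-type labels "internal" and "external".

```python
from dataclasses import dataclass, field

# Decision values as used by XACML-style policy engines (assumed naming).
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class User:
    name: str
    primary_group: str
    user_type: str                      # constructed labels: "internal" / "external"
    roles: set = field(default_factory=set)


@dataclass
class Request:
    subject: User                       # the end-user working in the console
    action: str                         # "query", "update" or "delete"
    resource: str                       # console page being accessed
    target: User                        # the user record being acted on


def policy_set_applies(req):
    # Policy set target: SOFFID_RRHH holders acting on the Users page (assumed id "users").
    return "SOFFID_RRHH" in req.subject.roles and req.resource == "users"


def policy_query(req):
    if req.action != "query":
        return NOT_APPLICABLE
    # Rule 1: permit when the target shares the end-user's primary group.
    if req.target.primary_group == req.subject.primary_group:
        return PERMIT
    return DENY                         # Rule 2: deny every other query


def policy_update(req):
    if req.action != "update":
        return NOT_APPLICABLE
    return PERMIT if req.target.user_type == "internal" else DENY


def policy_delete(req):
    return DENY if req.action == "delete" else NOT_APPLICABLE


def evaluate(req):
    """First-applicable combining (assumed): the first policy with a decision wins.
    NotApplicable means this policy set says nothing about the request."""
    if not policy_set_applies(req):
        return NOT_APPLICABLE
    for policy in (policy_query, policy_update, policy_delete):
        decision = policy(req)
        if decision != NOT_APPLICABLE:
            return decision
    return NOT_APPLICABLE
```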

Download XML

You can download an XML file with the example: policy-TestDynamicPEP.xml