Example Dynamic role PEP

Dynamic role Enforcement Point

Use case example

We want to define a policy to restrict access to the Soffid console user's page (MainMenu > Administration > Resources > Users).

The users who are assigned to the SOFFID_RRHH role (from this point forward: end-users) will have limitations to perform some ~~actions.~~actions:

The end-users only be able to query the information about the users who belong to the same primary group that them.
The end-users only be able to update the users with internal user type.
The end-users could not delete any user record.

Policy set

WeFirst of all, we define a policy ~~set~~set. We need to define the subject, in that ~~will~~case ~~apply to~~ ~~end-~~users with ~~access~~SOFFID_RRHH torole ~~a specific resource who has been assigned a specific role.~~ assigned.

~~That~~Then, ~~policy~~we ~~set~~can ~~has~~create the policies, in that case, we can create three policies, one for each operation that we want to manage.

Policies

We can define a policy for each operation, to permit or deny access.

Also, we can define a variable ~~which~~that contains the end-user primary ~~group.~~group in order to use it when we define the conditions.

Policy1

The ~~policy can permit or deny access to~~ end-users only be able to query ~~users~~the ~~depending~~information onabout the ~~defined~~users ~~rules.~~who belong to the same primary group that them.

We need to define two rules, one to permit access and other to deny.

Rules

&&TODO&& sustituir la imagen cuando se arregle el label de Attribute selector

~~That~~We define the rule that allow to the end-~~users~~ touser query users information who belong to the same primary group that the end-user.