
Example Dynamic role PEP

Dynamic role Enforcement Point

Use case example

We want to define a policy that restricts access to the Users page of the Soffid console (Main Menu > Administration > Resources > Users).

Users who are assigned the SOFFID_RRHH role (referred to as end-users from here on) will be limited in the actions they can perform:

  1. End-users will only be able to query information about users who belong to the same primary group as themselves.
  2. End-users will only be able to update users whose user type is internal.
  3. End-users will not be able to delete any user record.

Policy set

First of all, we define a policy set. We need to define its subject, in this case the users who have the SOFFID_RRHH role assigned.

image-1628145441657.png

Then we create the policies: in this case, three policies, one for each operation we want to manage.

image-1628145277766.png

Policies

We define a policy for each operation, to permit or deny access.

We can also define a variable that holds the end-user's primary group, so that it can be used later in the rule conditions.

Policy 1

End-users will only be able to query information about users who belong to the same primary group as themselves.

We need to define two rules: one to permit access and the other to deny access. The deny rule acts as a catch-all for requests that do not match the permit rule's condition, so it is placed after the permit rule.

image-1628168453264.png

Rules

TODO: replace the image once the Attribute selector label is fixed.

We define the rule that allows the end-user to query information about users who belong to the same primary group as the end-user.

image-1628168609195.png

Then, we define the rule that denies end-users access to query user information.

image-1628168675390.png

Policy 2

End-users will only be able to update users whose user type is internal.

We need to define two rules: one to permit access and the other to deny access. As in Policy 1, the deny rule is the catch-all and comes after the permit rule.

image-1628172954729.png

Rules

We define the rule that allows the end-user to update the information of users who are internal users.

image-1628173008077.png

Then, we define the rule that denies end-users access to update user information.

image-1628173030804.png


Policy 3

End-users will not be able to delete any user record.

We need to define only one rule, to deny access.

image-1628168823291.png

Rules

We define the rule that denies the end-user access to delete any user.

image-1628168865703.png
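To see how the three policies resolve to a decision, here is an added example that is not part of this page or of Soffid: it models the policy set above as plain Python data and evaluates it the way an XACML-style PDP would. The combining algorithms (first-applicable for the rules inside a policy, deny-overrides across policies) and the attribute names (subject_roles, subject_primary_group, target_primary_group, target_user_type) are assumptions made for the example; they are not Soffid's real attribute identifiers or settings.

```python
"""Toy evaluator for the SOFFID_RRHH policy set described above.

Added example, not Soffid code. Combining algorithms and attribute names
are assumptions chosen for the illustration.
"""
from dataclasses import dataclass
from typing import Callable, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Request:
    subject_roles: frozenset        # roles held by the end-user making the call
    subject_primary_group: str      # the "end-user primary group" variable
    action: str                     # "query" | "update" | "delete"
    target_primary_group: str       # primary group of the user record accessed
    target_user_type: str           # e.g. "internal" or "external"


@dataclass
class Rule:
    effect: str                                      # PERMIT or DENY
    condition: Callable[[Request], bool] = lambda r: True   # no condition = always matches


@dataclass
class Policy:
    action: str          # policy target: the operation it manages
    rules: List[Rule]    # evaluated in order


def evaluate_policy(policy: Policy, req: Request) -> str:
    """First-applicable: the first rule whose condition holds decides the policy."""
    if req.action != policy.action:
        return NOT_APPLICABLE
    for rule in policy.rules:
        if rule.condition(req):
            return rule.effect
    return NOT_APPLICABLE


def evaluate_policy_set(policies: List[Policy], req: Request) -> str:
    """Policy-set target: only subjects holding SOFFID_RRHH. Deny-overrides across policies."""
    if "SOFFID_RRHH" not in req.subject_roles:
        return NOT_APPLICABLE
    decisions = [evaluate_policy(p, req) for p in policies]
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


# The three policies from the page: permit rule with its condition, then a catch-all deny.
POLICIES = [
    Policy("query", [
        Rule(PERMIT, lambda r: r.target_primary_group == r.subject_primary_group),
        Rule(DENY),
    ]),
    Policy("update", [
        Rule(PERMIT, lambda r: r.target_user_type == "internal"),
        Rule(DENY),
    ]),
    Policy("delete", [
        Rule(DENY),
    ]),
]


def decide(action, roles=("SOFFID_RRHH",), subject_group="HR",
           target_group="HR", user_type="internal") -> str:
    """Build a constructed request with sensible defaults and evaluate it."""
    req = Request(frozenset(roles), subject_group, action, target_group, user_type)
    return evaluate_policy_set(POLICIES, req)


def swapped_order_decision() -> str:
    """Check: with first-applicable, a catch-all Deny placed BEFORE the Permit rule
    makes the Permit unreachable, even for a same-group query."""
    bad = Policy("query", [
        Rule(DENY),
        Rule(PERMIT, lambda r: r.target_primary_group == r.subject_primary_group),
    ])
    req = Request(frozenset({"SOFFID_RRHH"}), "HR", "query", "HR", "internal")
    return evaluate_policy(bad, req)


if __name__ == "__main__":
    print("query same group   :", decide("query"))
    print("query other group  :", decide("query", target_group="IT"))
    print("update internal    :", decide("update"))
    print("update external    :", decide("update", user_type="external"))
    print("delete             :", decide("delete"))
    print("no SOFFID_RRHH role:", decide("query", roles=("OTHER",)))
    print("deny before permit :", swapped_order_decision())
```

Two things the evaluator makes visible: a subject without the SOFFID_RRHH role gets NotApplicable from this policy set, so it does not affect other console users; and because the rules are combined first-applicable, the catch-all deny must stay behind the permit rule or the permit rule is never reached.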


Download XML

You can download an XML file with the example: policy-TestDynamicPEP.xml