Skip to main content

Example Dynamic role PEP

Dynamic role Enforcement Point

Use case example

We want to define a policy to restrict access to the Soffid console user's page (MainMenu > Administration > Resources > Users).

The users who are assigned to the SOFFID_RRHH role (from this point forward: end-users) will have limitations to perform some actions:

  1. The end-users only be able to query the information about the users who belong to the same primary group that them. 
  2. The end-users only be able to update the users with internal user type.
  3. The end-users could not delete any user record.

XACML Editor

Policy set

First of all, we define a policy set. We need to define the subject, in that case users with SOFFID_RRHH role assigned.

image-1628145441657.png

Then, we can create the policies, in that case, we can create three policies, one for each operation that we want to manage.

image-1628145277766.png

Policies

We can define a policy for each operation, to permit or deny access.

Also, we can define a variable that contains the end-user primary group in order to use it when we define the conditions.

Policy1

The end-users only be able to query the information about the users who belong to the same primary group that them. 

We need to define two rules, one to permit and other to deny access.

image-1628168453264.png

Rules

&&TODO&& sustituir la imagen cuando se arregle el label de Attribute selector

We define the rule that allow to the end-user query users information who belong to the same primary group that the end-user.

image-1628168609195.png

Then, we define the rule that denies access to end-users to query users information.

image-1628168675390.png

Policy 2

The end-users only be able to update the users with internal user type.

We need to define two rules, one to permit and other to deny access.

image-1628172954729.png

Rules

We define the rule that allow to the end-user update users information who are internal users.

image-1628173008077.png

Then, we define the rule that denies access to end-users to update users information.

image-1628173030804.png

Policy 3

The end-users could not delete any user record.

We need to define only one rule to deny access.

image-1628168823291.png

Rules

We define the rule that deny to the end-user delete any user.

image-1628168865703.png

Download XML

You can download a XML file with the example: policy-TestDynamicPEP.xml

 

 

 

Configure PEP

image-1628174107934.png