Example Dynamic role PEP
Dynamic role Enforcement Point
Use case example
We want to define a policy that restricts access to the Soffid console users page (Administration > Resources > Users).
Users who are assigned the SOFFID_RRHH role (from this point forward: end-users) will have the following limitations when performing actions on the Soffid console users page:
- End-users are only able to query information about users who belong to the same primary group as they do.
- End-users are only able to update users of the internal user type.
- End-users cannot delete any user record.
XACML Editor
Policy set
First of all, we define a policy set. We need to define the subject; in this case, users with the SOFFID_RRHH role assigned.
Then we create the policies; in this case, three policies, one for each operation we want to manage.
Policies
We can define a policy for each operation, to permit or deny access.
Also, we can define a variable that contains the end-user's primary group, in order to use it when we define the conditions.
Policy 1
End-users are only able to query information about users who belong to the same primary group as they do.
We need to define two rules, one to permit and the other to deny access.
Rules
We define the rule that allows the end-user to query information about users who belong to the same primary group as the end-user.
Then, we define the rule that denies end-users access to query user information.
Policy 2
End-users are only able to update users of the internal user type.
We need to define two rules, one to permit and the other to deny access.
Rules
We define the rule that allows the end-user to update information about users who are internal users.
Then, we define the rule that denies end-users access to update user information.
Policy 3
End-users cannot delete any user record.
We only need to define one rule, to deny access.
Rules
We define the rule that denies the end-user deleting any user.
Download XML
You can download an XML file with the example: policy-TestDynamicPEP.xml
Configure PEP