Example Role centric PEP
Role centric Enforcement Point
Use case example
We want to define a policy to restrict access to the Soffid console role's page ( > > > Roles).
The users who belong to the "enterprise" group as primary group (from this point forward: end-users) will have limitations to perform some actions on the Soffid console roles page.
- The end-users could query all the roles information.
- The end-users could update any role in the information systems "ERP RRHH"
- The end-users could not create any role.
- The end-users could not delete any role.
First of all, we define a policy set. We need to define the subject, in that case users who belong to "enterprise" as primary group.
Then, we can define a policy to manage the different actions that the end-users could perform.
The policy will apply to an only one user. That policy will be to protect the role resource.
The end-users could query all the roles information.
We define the rule that allow to the end-users to query all the roles information.
The end-users could update any role in the information systems "ERP RRHH"
The end-users could not create any role.
The end-users could not delete any role.
You can download a XML file with the example: policy-TestRoleCentricPEP.xml