# Example Role centric PEP

## Role centric Enforcement Point

### Use case example

We want to define a policy to restrict access to the Soffid console roles page (MainMenu &gt; Administration &gt; Resources &gt; Roles).

The users whose primary group is "enterprise" (from this point forward: *end-users*) will be restricted in the actions they can perform on the Soffid console roles page.

1. The *end-users* could query all the roles information.
2. The *end-users* could update any role in the information systems "ERP RRHH"
3. The *end-users* could not create any role.
4. The *end-users* could not delete any role.

### XACML Editor

#### Policy set

First of all, we define a policy set. We need to define the subject; in this case, the users whose primary group is "enterprise".

[![image-1628238451051.png](https://bookstack.soffid.com/uploads/images/gallery/2021-08/scaled-1680-/image-1628238451051.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-08/image-1628238451051.png)

Then, we can define a policy to manage the different actions that the *end-users* could perform.

[![image-1628238488177.png](https://bookstack.soffid.com/uploads/images/gallery/2021-08/scaled-1680-/image-1628238488177.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-08/image-1628238488177.png)

#### Policy

The policy will apply to only one user. That policy will protect the role resource.

[![image-1628238516436.png](https://bookstack.soffid.com/uploads/images/gallery/2021-08/scaled-1680-/image-1628238516436.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-08/image-1628238516436.png)

##### Rule 1

> The *end-users* could query all the roles information.

We define the rule that allows the *end-users* to query all the roles information.

[![image-1628238550714.png](https://bookstack.soffid.com/uploads/images/gallery/2021-08/scaled-1680-/image-1628238550714.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-08/image-1628238550714.png)

##### Rule 2

> The *end-users* could update any role in the information systems "ERP RRHH"

[![image-1628238577406.png](https://bookstack.soffid.com/uploads/images/gallery/2021-08/scaled-1680-/image-1628238577406.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-08/image-1628238577406.png)

##### Rule 3

> The *end-users* could not create any role.

[![image-1628238610498.png](https://bookstack.soffid.com/uploads/images/gallery/2021-08/scaled-1680-/image-1628238610498.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-08/image-1628238610498.png)

##### Rule 4

> The *end-users* could not delete any role.

[![image-1628238769335.png](https://bookstack.soffid.com/uploads/images/gallery/2021-08/scaled-1680-/image-1628238769335.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-08/image-1628238769335.png)
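The screenshots above show the policy set, the policy and the four rules as built in the XACML editor. The following XACML 3.0 document is an added illustration of the same structure and is not the file attached to this page nor Soffid's own export: the subject attribute `urn:example:attribute:primary-group`, the resource attribute `urn:example:attribute:information-system`, and the values `role`, `query`, `update`, `create` and `delete` are assumed names for what the PEP would send in the request; only the standard `action-id` and `resource-id` attribute identifiers and the combining algorithms are from the XACML specification.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the page's attachment. Target: primary group "enterprise" (the policy set subject). -->
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicySetId="urn:example:policyset:role-centric-pep" Version="1.0"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
  <Description>End-users (primary group "enterprise") on the roles page</Description>
  <Target>
    <AnyOf><AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">enterprise</AttributeValue>
        <!-- urn:example:attribute:primary-group is an assumed attribute id -->
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            AttributeId="urn:example:attribute:primary-group"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf>
  </Target>

  <!-- The policy protects the role resource; its four rules mirror Rule 1 to Rule 4 above. -->
  <Policy PolicyId="urn:example:policy:roles-page" Version="1.0"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
    <Target>
      <AnyOf><AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">role</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Match>
      </AllOf></AnyOf>
    </Target>

    <!-- Rule 1: end-users may query all roles -->
    <Rule RuleId="rule-1-query" Effect="Permit">
      <Target><AnyOf><AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">query</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Match>
      </AllOf></AnyOf></Target>
    </Rule>

    <!-- Rule 2: end-users may update roles only in the information system "ERP RRHH" -->
    <Rule RuleId="rule-2-update-erp-rrhh" Effect="Permit">
      <Target><AnyOf><AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Match>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ERP RRHH</AttributeValue>
          <!-- urn:example:attribute:information-system is an assumed attribute id -->
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              AttributeId="urn:example:attribute:information-system"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Match>
      </AllOf></AnyOf></Target>
    </Rule>

    <!-- Rule 3: end-users may not create roles -->
    <Rule RuleId="rule-3-no-create" Effect="Deny">
      <Target><AnyOf><AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Match>
      </AllOf></AnyOf></Target>
    </Rule>

    <!-- Rule 4: end-users may not delete roles -->
    <Rule RuleId="rule-4-no-delete" Effect="Deny">
      <Target><AnyOf><AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Match>
      </AllOf></AnyOf></Target>
    </Rule>
  </Policy>
</PolicySet>
```

Two points worth checking when reviewing a policy like this. First, an update on a role outside "ERP RRHH" matches none of the four rules, so the decision is NotApplicable rather than Deny; the PEP must be deny-biased (treat anything other than Permit as a refusal) for the use case's restrictions to hold. Second, a request from a user whose primary group is not "enterprise" falls outside the policy set target, so this example says nothing about them; whatever other policies the PDP loads decide their access.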

### Download XML

<p class="callout info">You can download an XML file with the example: [policy-TestRoleCentricPEP.xml](https://bookstack.soffid.com/attachments/21)</p>

## Configure PEP

[![image-1628238733004.png](https://bookstack.soffid.com/uploads/images/gallery/2021-08/scaled-1680-/image-1628238733004.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-08/image-1628238733004.png)