Example Role centric PEP

Role centric Enforcement Point

Use case example

We want to define a policy to restrict access to the Soffid console roles page (MainMenu > Administration > Resources > Roles).

Users who have "enterprise" as their primary group (from this point forward: end-users) will be limited in the actions they can perform on the Soffid console roles page:

- The end-users can query all the role information.
- The end-users can update any role in the information system "ERP RRHH".
- The end-users cannot create any role.
- The end-users cannot delete any role.

XACML Editor

Policy set

First of all, we define a policy set. We need to define the subject, in this case users who have "enterprise" as their primary group. Then we can define a policy to manage the different actions that the end-users can perform.

Policy

The policy will apply to only one user. That policy protects the role resource.

Rule 1

The end-users can query all the role information. We define the rule that allows the end-users to query all the role information.

Rule 2

The end-users can update any role in the information system "ERP RRHH".

Rule 3

The end-users cannot create any role.

Rule 4

The end-users cannot delete any role.

Download XML

You can download an XML file with the example: policy-TestRoleCentricPEP.xml

Configure PEP
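The policy set target and the four rules described above, modelled as a small decision function so the resulting access matrix can be checked before the PEP is enabled. This is an added example, not Soffid code or the contents of policy-TestRoleCentricPEP.xml; the `Request` fields, the action names and the "ERP Finance" system are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    primary_group: str  # subject attribute matched by the policy set target
    action: str         # assumed action names: query, update, create, delete
    system: str         # information system the role belongs to

# (effect, action, information system; None means any system)
RULES = [
    ("Permit", "query", None),         # Rule 1
    ("Permit", "update", "ERP RRHH"),  # Rule 2
    ("Deny", "create", None),          # Rule 3
    ("Deny", "delete", None),          # Rule 4
]

def evaluate(req: Request) -> str:
    """Return Permit, Deny or NotApplicable for one request."""
    # Policy set target: only users whose primary group is "enterprise".
    if req.primary_group != "enterprise":
        return "NotApplicable"
    # The four rules match disjoint actions, so the rule-combining
    # algorithm (not stated on the page) cannot change the outcome here.
    for effect, action, system in RULES:
        if action == req.action and system in (None, req.system):
            return effect
    # No rule matched, e.g. an update outside "ERP RRHH". The page does not
    # say how the PEP treats this outcome, so verify it in a test environment.
    return "NotApplicable"

def decision_matrix() -> dict:
    """Evaluate constructed sample requests and return the decisions."""
    samples = [
        Request("enterprise", "query", "ERP Finance"),
        Request("enterprise", "update", "ERP RRHH"),
        Request("enterprise", "update", "ERP Finance"),
        Request("enterprise", "create", "ERP RRHH"),
        Request("enterprise", "delete", "ERP RRHH"),
        Request("admingroup", "delete", "ERP RRHH"),
    ]
    return {(s.primary_group, s.action, s.system): evaluate(s) for s in samples}

if __name__ == "__main__":
    for key, decision in decision_matrix().items():
        print(key, "->", decision)
```

The update request against a system other than "ERP RRHH" is the case to test explicitly: no rule denies it, so the outcome depends on how the enforcement point handles a request that no rule covers.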