Restricting the creation of purchase orders
In this part of the tutorial, you will first restrict the creation of purchase orders to managers and then extend the rule so that employees can also create purchase orders up to a maximum of $100.
- You will first need to create a new rule that limits the creation of purchase orders to managers; call it `RestrictCreation`. Set the outcome of the rule to deny, and set the condition so that it evaluates to true if the user does not have the role of manager:

```
rule RestrictCreation
{
    deny
    condition not Subject.Role == 'manager'
}
```
- To fully implement this rule, you will need to add a `target clause` so that the PDP only evaluates this rule when the user attempts to create a purchase order. You will assume that the system initiating a request to create a purchase order sets the `Oasis.Attributes.Action` attribute to a value of 'Create'. Add a `target clause` to this rule that returns true if the Action is `Create`:

```
rule RestrictCreation
{
    target clause Action == 'Create'
    deny
    condition not Subject.Role == 'manager'
}
```
- Using the 'Add Attributes' area on the right-hand side of the editor window, add a value for the Role attribute set to 'manager'. The context will now have two values for Role: employee and manager. Add an Action attribute with its value set to 'Create'. You will now have an editor environment that looks like the one shown in the figure.
- Re-run the policy, and you will obtain a permit outcome. Remove the manager value from the Role attribute and re-run; you will now receive a deny outcome.
IMPORTANT LEARNING POINT
Attributes can contain many values (known as bags). When a comparison operator is applied between an attribute and a value, it evaluates to true if any combination of values evaluates to true, that is, if at least one value in the bag satisfies the comparison.
- With managers being the only individuals able to create purchase orders, they soon become frustrated and request that employees should also be able to create purchase orders, but only up to a limit of $100. To implement this behaviour, you will first need to create an attribute to hold the total value of the purchase order. At runtime, it is the Policy Information Point's (PIP's) role to deliver attribute values. The PIP has its own notion of how it identifies an attribute; the ALFA definition defines a binding from the ALFA name to the PIP name. Add the attribute definition below into the `AcmeCorp.Finance` namespace. The definition creates an attribute called `AcmeCorp.Finance.PurchaseOrderTotal` and binds it to an attribute identified by the PIP as 'finance:PurchaseOrderTotal' inside one of the pre-defined ALFA PIP categories, `actionCat` ("urn:oasis:names:tc:xacml:3.0:attribute-category:action"). Categories play the same role inside the PIP as namespaces do in ALFA.

```
attribute PurchaseOrderTotal
{
    id = "finance:PurchaseOrderTotal"
    type = double
    category = actionCat
}
```
- Now update the `RestrictCreation` rule to allow employees to create purchase orders for less than $100. Note that the parentheses are required: without them `not` applies only to the manager comparison, and the rule would deny every request from a non-manager regardless of the order total.

```
rule RestrictCreation
{
    target clause Action == 'Create'
    deny
    condition not (Subject.Role == 'manager'
        or (Subject.Role == 'employee' and PurchaseOrderTotal < 100))
}
```
- Re-run the policy for each of the following scenarios and verify that you get the expected outcome.

| Action | ResourceType | Roles | PurchaseOrderTotal | Expected Outcome |
|---|---|---|---|---|
| Create | PurchaseOrder | employee | 80 | Permit |
| Create | PurchaseOrder | employee | 101 | Deny |
| Create | PurchaseOrder | employee, manager | 200 | Permit |
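To check the table above offline, and to see the bag semantics from the learning point in action, here is a small Python model of how the final `RestrictCreation` rule is evaluated. It is an added example, not part of the tutorial and not code from any ALFA or XACML toolkit: it models a multi-valued attribute as a list, treats `==` and `<` against a bag as "true if any value matches" (XACML any-of behaviour), and assumes that the surrounding policy permits purchase-order creation unless this deny rule fires. The context layout, the `make_ctx` helper and the two extra scenarios are my own.

```python
# Added example (not from the tutorial or any ALFA/XACML product): a tiny model
# of how the RestrictCreation rule evaluates a request context, so the
# scenarios in the table can be checked offline. Attribute names, the context
# layout and the "everything else permits" assumption are constructed here.


def any_equals(bag, value):
    """Model of ALFA `Attr == 'x'` on a multi-valued attribute (a bag):
    true if ANY value in the bag matches (the learning point above)."""
    return any(v == value for v in bag)


def any_less_than(bag, limit):
    """Model of ALFA `Attr < n` on a bag: true if any value is below the limit."""
    return any(v < limit for v in bag)


def restrict_creation(ctx, parenthesised=True):
    """Evaluate the RestrictCreation rule against a request context.

    ctx maps an attribute name to a list of values (its bag); an attribute that
    was never supplied is an empty bag, so every comparison on it is false.
    Returns "Deny" when the rule fires and "NotApplicable" otherwise.
    """
    action = ctx.get("Action", [])
    role = ctx.get("Subject.Role", [])
    total = ctx.get("PurchaseOrderTotal", [])

    # target clause Action == 'Create': the rule is skipped for any other action
    if not any_equals(action, "Create"):
        return "NotApplicable"

    is_manager = any_equals(role, "manager")
    small_employee_order = any_equals(role, "employee") and any_less_than(total, 100.0)

    if parenthesised:
        # condition not (Role == 'manager' or (Role == 'employee' and Total < 100))
        fires = not (is_manager or small_employee_order)
    else:
        # condition not Role == 'manager' or Role == 'employee' and Total < 100
        # `not` binds only to the first comparison, so every non-manager
        # request is denied regardless of the order total.
        fires = (not is_manager) or small_employee_order

    return "Deny" if fires else "NotApplicable"


def decide(ctx, parenthesised=True):
    """Policy-level outcome. Assumption (not from the tutorial): the surrounding
    policy permits purchase-order creation unless this deny rule fires."""
    return "Deny" if restrict_creation(ctx, parenthesised) == "Deny" else "Permit"


def make_ctx(action, roles, total=None):
    """Build a request context; values are wrapped in lists to model bags."""
    ctx = {"Action": [action], "Subject.Role": list(roles)}
    if total is not None:
        ctx["PurchaseOrderTotal"] = [float(total)]
    return ctx


# Scenarios constructed from the tutorial's table, plus two extra checks.
SCENARIOS = [
    (make_ctx("Create", ["employee"], 80), "Permit"),
    (make_ctx("Create", ["employee"], 101), "Deny"),
    (make_ctx("Create", ["employee", "manager"], 200), "Permit"),
    (make_ctx("Create", ["employee"], 200), "Deny"),   # constructed: employee over the limit
    (make_ctx("Read", ["employee"], 500), "Permit"),    # constructed: target does not match
]


def run_scenarios(parenthesised=True):
    """Return a list of (actual, expected) decisions for the scenarios above."""
    return [(decide(ctx, parenthesised), expected) for ctx, expected in SCENARIOS]


if __name__ == "__main__":
    for (actual, expected), (ctx, _) in zip(run_scenarios(), SCENARIOS):
        status = "ok" if actual == expected else "MISMATCH"
        print(f"{status:8} roles={ctx['Subject.Role']} "
              f"total={ctx.get('PurchaseOrderTotal')} -> {actual}")
```

Running `run_scenarios(parenthesised=False)` reproduces the precedence trap: the employee with an $80 order is denied, because `not` only negates the manager comparison. A request that omits `PurchaseOrderTotal` altogether is also denied for an employee, since a comparison against an empty bag is false; a real PIP would normally be expected to supply the value.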