Authorizing the Viewing and Creation of Purchase Orders
In this part of the tutorial, you will add policies to control access to viewing and creating purchase orders. You will add EnforcerAuthorization attributes to the appropriate controller and its methods to guard access to that functionality.
- Open PurchaseOrdersController.cs and locate the class definition. You will now protect this resource with the EnforcerAuthorization attribute.
```csharp
[Authorize]
[EnforcerAuthorization(ResourceType = "PurchaseOrder")]
public class PurchaseOrdersController : Controller
```
Details on how to use the EnforcerAuthorization attribute can be found here.
- Run the project and attempt to access the PurchaseOrder area. You will receive an exception stating that the PDP cannot find the AcmeCorp.Global policy in the policy store. Add a global.alfa file under the policies folder you created in part 1.
```
namespace AcmeCorp
{
    policyset Global
    {
        apply firstApplicable
    }
}
```
- Note that you don't need to recompile or re-run the application; the policy store will detect the change and reload it. Just refresh the web page. With the Policy Enforcement Point (PEP) bias configured to deny and the policy evaluation resulting in neither permit nor deny, the final result is deny, hence the 403 Forbidden.
- Now create a PurchaseOrders policy to allow access to the list of purchase orders. Place this policy in a file called Finance.alfa inside the policies folder.
```
namespace AcmeCorp.Finance
{
    import Oasis.Attributes
    policy PurchaseOrders
    {
        apply permitUnlessDeny
        target clause ResourceType == 'PurchaseOrder'
    }
}
```
- Update the global.alfa policy to reference the PurchaseOrders policy.
```
namespace AcmeCorp
{
    import AcmeCorp.Finance
    policyset Global
    {
        apply firstApplicable
        policy PurchaseOrders
    }
}
```
- Recompile and re-run the application; you will now be able to access the Purchase Order area.
- Add a new rule to the PurchaseOrders policy so that it only allows access to purchase orders for users who have the employee role. The user charlie@acme.com is not an employee. Now log in as Charlie and confirm that Charlie does not have access to the Purchase Order area.
```
policy PurchaseOrders
{
    apply permitUnlessDeny
    target clause ResourceType == 'PurchaseOrder'
    rule RestrictToEmployees
    {
        deny
        condition not (Subject.Role == 'employee')
    }
}
```
- You will now restrict the creation of purchase orders to managers. Add a new rule to the PurchaseOrders policy that only allows users with the manager role to create purchase orders. Note that the PDP only considers this new rule if the action is Create; for any other action the rule's target does not match and it is skipped.
```
rule RestrictCreation
{
    target clause Action == 'Create'
    deny
    condition not (Subject.Role == 'manager')
}
```
- To provide this finer grain of access control, you will need to decorate the CreatePurchaseOrder method inside the PurchaseOrdersController with the EnforcerAuthorization attribute. Note that this time you also assign the Action.
```csharp
[EnforcerAuthorization(ResourceType = "PurchaseOrder", Action = "Create")]
public IActionResult CreatePurchaseOrder(PurchaseOrderRequest request)
```
- Recompile and run, and verify that only managers can create purchase orders. Alice and Sally are managers, but Bob is not.
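To see why the steps above produce the results they do (403 from an empty Global policyset, permitUnlessDeny opening the list to employees, the Create-only rule stopping Bob), here is an added Python model of the combining logic of the policies in this tutorial. It is not the product's PDP or PEP; it assumes a deny-biased PEP and models Subject.Role as a set of roles, so a manager such as Alice also carries the employee role.

```python
# Added example: a minimal model of the decision logic behind the tutorial's
# ALFA policies (constructed here; not the tutorial's PDP or PEP).
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


def rule_restrict_to_employees(req):
    # rule RestrictToEmployees { deny condition not (Subject.Role == 'employee') }
    # Subject.Role is modelled as a set of roles (assumption), like a XACML bag.
    return DENY if "employee" not in req["roles"] else NOT_APPLICABLE


def rule_restrict_creation(req):
    # rule RestrictCreation { target clause Action == 'Create' ... }
    # The target means this rule is skipped entirely for non-Create actions.
    if req["action"] != "Create":
        return NOT_APPLICABLE
    return DENY if "manager" not in req["roles"] else NOT_APPLICABLE


def policy_purchase_orders(req):
    # policy PurchaseOrders: target ResourceType == 'PurchaseOrder', permitUnlessDeny
    if req["resource_type"] != "PurchaseOrder":
        return NOT_APPLICABLE
    for rule in (rule_restrict_to_employees, rule_restrict_creation):
        if rule(req) == DENY:
            return DENY
    return PERMIT  # permitUnlessDeny: no explicit Deny becomes Permit


def policyset_global(req, policies):
    # policyset Global, apply firstApplicable: first Permit/Deny wins,
    # and with no matching policy the result is NotApplicable.
    for policy in policies:
        decision = policy(req)
        if decision in (PERMIT, DENY):
            return decision
    return NOT_APPLICABLE


def http_status(req, policies=(policy_purchase_orders,)):
    # Deny-biased PEP: only an explicit Permit lets the request through;
    # Deny and NotApplicable both end as 403 Forbidden.
    return 200 if policyset_global(req, policies) == PERMIT else 403


def request(roles, action="View", resource_type="PurchaseOrder"):
    # Helper to build a constructed authorization request.
    return {"roles": set(roles), "action": action, "resource_type": resource_type}
```

Calling http_status(request([]), policies=()) reproduces the 403 seen right after the empty global.alfa is added, while request({"employee", "manager"}, "Create") for Alice yields 200 and request({"employee"}, "Create") for Bob yields 403.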