Moving beyond Identity-based Authorization
In this part of the tutorial, you will modify the policies to consider values from the initiating request, not just the subject's identity. You will change the RestrictCreation rule so that employees can create purchase orders up to $100, while managers remain unlimited.
- Define an ALFA attribute that represents the PurchaseOrderTotal from the inbound request, and place it in finance.alfa, just inside the AcmeCorp.Finance namespace.
    attribute PurchaseOrderTotal
    {
        id = "PurchaseOrderTotal"
        category = actionCat
        type = double
    }
- Now update the RestrictCreation rule to allow employees to raise purchase orders to a maximum of $100.
    rule RestrictEmployees
    {
        deny
        condition not ( Subject.Role == 'manager' or
                        (Subject.Role == 'employee' and PurchaseOrderTotal < 100))
    }
- With the policy built, all that remains is to bind the purchase order total from the inbound request to the attribute. When using the EnforcerAuthorization attribute to perform the authorization, you can take advantage of attribute binding. Add a PolicyAttributeValue attribute to the property on the inbound request; this adds a PurchaseOrderTotal attribute in the Action category (matching the actionCat category declared in the policy) to the authorization evaluation context, with its value taken from the Amount property.
    public class PurchaseOrderRequest
    {
        [PolicyAttributeValue(PolicyAttributeCategories.Action, "PurchaseOrderTotal",
            Sensitivity = PolicyAttributeSensitivity.NonSensitive)]
        public double? Amount { get; set; }

        public string Description { get; set; }
    }
- Now re-run the application and verify that Bob can create purchase orders up to $100 and no more. Verify that Sally and Alice have no limit.
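The verification step above, worked through as a small Python model of the RestrictEmployees rule and the Amount binding. This is an added example, not code from the tutorial or from Enforcer; the category names, the constructed test cases, and the fail-closed treatment of a missing PurchaseOrderTotal are assumptions of the model.

```python
"""Model of the RestrictEmployees deny rule and the PolicyAttributeValue binding.
Added example; not the Enforcer engine. Constructed cases cover the $100
boundary and a request whose nullable Amount carries no value."""

SUBJECT = "subject"  # stands in for the ALFA subject category
ACTION = "action"    # stands in for actionCat, where PurchaseOrderTotal lives


def build_context(role, amount):
    """Mimic the attribute binding: copy the request's Amount into the
    PurchaseOrderTotal attribute of the action category. A null Amount
    (double? without a value) produces no attribute at all."""
    ctx = {SUBJECT: {"Role": role}, ACTION: {}}
    if amount is not None:
        ctx[ACTION]["PurchaseOrderTotal"] = float(amount)
    return ctx


def restrict_employees(ctx):
    """Evaluate the deny rule. Returns 'Deny' when the rule fires, otherwise
    'NotApplicable' (the permit rules then decide).
    Model assumption: a missing PurchaseOrderTotal cannot satisfy '< 100',
    so the employee branch is false and the rule still denies (fail closed)."""
    role = ctx[SUBJECT].get("Role")
    total = ctx[ACTION].get("PurchaseOrderTotal")
    is_manager = role == "manager"
    small_employee_order = (role == "employee"
                            and total is not None and total < 100)
    if not (is_manager or small_employee_order):
        return "Deny"
    return "NotApplicable"


def decide(role, amount):
    """Bind the request, then evaluate the rule against the resulting context."""
    return restrict_employees(build_context(role, amount))


if __name__ == "__main__":
    # Constructed requests: Bob is an employee, Sally and Alice are managers.
    cases = [("employee", 99.99), ("employee", 100), ("employee", None),
             ("manager", 5000), ("manager", None), ("contractor", 10)]
    for role, amount in cases:
        print(f"{role:>10} amount={amount!s:>6}: {decide(role, amount)}")
```

Note that the rule compares with `< 100`, so a purchase order of exactly $100 is denied for an employee; tighten or document the boundary depending on what "up to $100" is meant to allow.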