AZN Use cases

AZN Use cases

The following use cases illustrate how rule suites handle various scenarios. The structure of the input document is described in the Script interface to the authorization service.

Use case 1: Authorization based on context attributes and resource, with the resource attributes in context

Example

John Doe wants to use SMS Authentication, but SMS Authentication is only allowed for users of the companies TrustBuilder and SecurIT. He must also have a Belgian phone number.

Input

{
    "transactionId": 1234,
    "resource": "test/SMS_Authentication",
    "document": {
        "user": {
            "principal": "jdoe",
            "attributes": {
                "userid": "jdoe",
                "firstname": "John",
                "lastname": "Doe",
                "displayname": "John Doe",
                "company": "Acme Corp",
                "email": "jdoe@acme.org",
                "phone": "0123456789"
            }
        },
        "target": {
            "attributes": {
                "allowedCompanies": ["SecurIT", "TrustBuilder"]
            }
        }
    }
}

Rule suite

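<rulesuite name="check_sms_auth">
    <!-- The suite applies to the resource named in the input's "resource" field. -->
    <resources>
        <resource>test/SMS_Authentication</resource>
    </resources>
    <rulesets>
        <ruleset name="Check allowed companies" global="true">
            <rules>
                <!-- The rule's result is stored in $rule1 so the hint outputs below can test it. -->
                <rule name="Rule 1" weight="1" variable="rule1">
                    <!-- Condition: the user's phone number must start with the Belgian country code. -->
                    <condition>
                        <test>
                            <function>startsWith:</function>
                            <param>$in.user.attributes.phone</param>
                            <param>"+32"</param>
                        </test>
                    </condition>
                    <!-- Assert: the user's company must be set and must be one of the
                         allowedCompanies carried in the input's target attributes. -->
                    <assert>
                        <test>
                            <function>isNotEmpty</function>
                            <param>$in.user.attributes.company</param>
                        </test>
                        <test>
                            <function>contains:</function>
                            <param>$in.target.attributes.allowedCompanies</param>
                            <param>$in.user.attributes.company</param>
                        </test>
                    </assert>
                    <hint>
                        <!-- This output carries no condition element. -->
                        <output>
                            <value>{ "message":"Not Allowed"}</value>
                        </output>
                        <!-- Emitted only when $rule1 equals 0 (the original listing had a stray ">" after
                             the closing function tag, which made the document ill-formed).
                             NOTE(review): this echoes the complete allowedCompanies list back to the
                             caller on a failed check; confirm that disclosing it is intended for this resource. -->
                        <output>
                            <condition>
                                <test>
                                    <function>=</function>
                                    <param>$rule1</param>
                                    <param>0</param>
                                </test>
                            </condition>
                            <value>{ "company": "$in.target.attributes.allowedCompanies" }</value>
                        </output>
                    </hint>
                </rule>
            </rules>
        </ruleset>
    </rulesets>
</rulesuite>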

Result

{
    "error": 0,
    "score": 0,
    "hints": [
        {
            "message": "Not Allowed"
        },
        {
            "company": ["SecurIT", "TrustBuilder"]
        }]
}

Use case 2: Authorization based on context attributes and resource, with the resource attributes retrieved from Policy Information Point

Example

John Doe wants to use SMS Authentication, but SMS Authentication is only allowed for users of the companies TrustBuilder and SecurIT. He must also have a Belgian phone number.

Input

{
    "transactionId": 1234,
    "resource": "test/SMS_Authentication",
    "document": {
        "user": {
            "principal": "jdoe",
            "attributes": {
                "userid": "jdoe",
                "firstname": "John",
                "lastname": "Doe",
                "displayname": "John Doe",
                "company": "SecurIT",
                "email": "jdoe@acme.org",
                "phone": "+323456789"
            }
        }
    }
}

Rule suite

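<rulesuite name="check_sms_auth">
    <!-- The suite applies to the resource named in the input's "resource" field. -->
    <resources>
        <resource>test/SMS_Authentication</resource>
    </resources>
    <rulesets>
        <ruleset name="Check allowed companies" global="true">
            <!-- r_attr is filled by an "authmechs" request to the Policy Information Point using the
                 payload below; the assert reads its allowedCompanies field instead of the input's target.
                 The payload key "id" is quoted here (it was unquoted in the original listing). -->
            <variables>
                <variable name="r_attr">
                    <request>authmechs</request>
                    <payload>{"type": "sms", "id": "SMS_Authentication"}</payload>
                </variable>
            </variables>
            <rules>
                <!-- The rule's result is stored in $rule1 so the hint outputs below can test it. -->
                <rule name="Rule 1" weight="1" variable="rule1">
                    <!-- Condition: the user's phone number must start with the Belgian country code.
                         The closing test tag was missing in the original listing. -->
                    <condition>
                        <test>
                            <function>startsWith:</function>
                            <param>$in.user.attributes.phone</param>
                            <param>"+32"</param>
                        </test>
                    </condition>
                    <!-- Assert: the user's company must be set and must be one of the
                         allowedCompanies returned by the Policy Information Point. -->
                    <assert>
                        <test>
                            <function>isNotEmpty</function>
                            <param>$in.user.attributes.company</param>
                        </test>
                        <test>
                            <function>contains:</function>
                            <param>$r_attr.allowedCompanies</param>
                            <param>$in.user.attributes.company</param>
                        </test>
                    </assert>
                    <hint>
                        <!-- This output carries no condition element. -->
                        <output>
                            <value>{"message":"Not Allowed"}</value>
                        </output>
                        <!-- Emitted only when $rule1 equals 0 (the stray ">" after the closing function
                             tag in the original listing is removed).
                             NOTE(review): this echoes the complete allowedCompanies list from the PIP back to
                             the caller on a failed check; confirm that disclosing it is intended for this resource. -->
                        <output>
                            <condition>
                                <test>
                                    <function>=</function>
                                    <param>$rule1</param>
                                    <param>0</param>
                                </test>
                            </condition>
                            <value>{"company": "$r_attr.allowedCompanies"}</value>
                        </output>
                    </hint>
                </rule>
            </rules>
        </ruleset>
    </rulesets>
</rulesuite>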

Result

{
    "error": 0,
    "score": 1
}