Bind PeopleFinder to the new ABAC policy
# Update Netlify environment variables

In order for the deployed PeopleFinder application to point to the new policy, open your Netlify site's settings and open the Build & deploy tab.
Then, scroll down to the Environment variables section and click edit variables.
To retrieve the new Policy ID, open the Policies tab in the Aserto console and click the `peoplefinder-abac` instance. Then, click on Policy Settings.
Update the `POLICY_ID` environment variable in Netlify to the Policy ID of the policy associated with the `peoplefinder-abac` instance.
Finally, you'll have to trigger a redeploy of the Netlify application. Navigate to the Deploys tab, then click the "Trigger deploy" dropdown and select "Deploy site".
# Examine the application behavior

Open the PeopleFinder application, and select Euan from the profile switcher. Then, select a user from the People directory.
As you can see, right now Euan can't update the title or department of another user: the Update button is disabled for him.
Next, use the profile switcher and select Kris. As a member of the "Operations" department, Kris is allowed to update other users' title and department. From the People list, select Euan and bring up his user card.
Now, update Euan's department to be "Operations" and hit save.
We'll use the profile switcher again to select Euan and then select any user from the People directory. With his department updated, Euan can now update any user's title and department.
If we were using an RBAC model, we would have had to explicitly give Euan the role of `admin` or `editor` to give him permission to perform this action. Using the ABAC model, we were able to modify the value of an existing attribute (`department`) to grant him this permission dynamically.
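The walkthrough above, replayed in code as an added example that is not part of Aserto's or PeopleFinder's code base: a minimal ABAC decision function sits next to an RBAC one, and the same "Operations" attribute change that unlocks Euan under ABAC leaves him denied under RBAC because no role was ever assigned. The action names, the `roles` attribute and Euan's starting department are assumptions; the page only says he is not in Operations.

```python
"""Added example (not Aserto's or PeopleFinder's code): ABAC vs RBAC decisions
for the PeopleFinder scenario. Attribute and action names are assumptions."""
from dataclasses import dataclass, field

# Assumed action identifiers for the two fields the Update button controls.
UPDATE_ACTIONS = {"update.title", "update.department"}


@dataclass
class User:
    name: str
    department: str
    roles: set = field(default_factory=set)


def sample_directory() -> dict:
    """Constructed users: Kris is in Operations, Euan is not.
    Euan's starting department is an assumption made for the example."""
    return {
        "euan": User("Euan", "Engineering"),
        "kris": User("Kris", "Operations"),
    }


def abac_can_update(subject: User, action: str, resource: User) -> bool:
    """ABAC rule: the decision depends only on the subject's department
    attribute, mirroring the PeopleFinder behavior described above."""
    if action not in UPDATE_ACTIONS:
        return False
    return subject.department == "Operations"


def rbac_can_update(subject: User, action: str, resource: User) -> bool:
    """RBAC rule: the same permission, but granted only through an explicitly
    assigned role (role names taken from the text: admin, editor)."""
    if action not in UPDATE_ACTIONS:
        return False
    return bool(subject.roles & {"admin", "editor"})


def update_department(actor: User, target: User, new_department: str,
                      decide=abac_can_update) -> User:
    """Enforce the decision before mutating the target's attribute."""
    if not decide(actor, "update.department", target):
        raise PermissionError(f"{actor.name} may not update {target.name}")
    target.department = new_department
    return target


def walkthrough() -> dict:
    """Replay the steps from the text and return each decision."""
    users = sample_directory()
    euan, kris = users["euan"], users["kris"]
    result = {}
    # Euan is not in Operations: the Update button is disabled for him.
    result["euan_before"] = abac_can_update(euan, "update.title", kris)
    # Kris is in Operations and may change Euan's department.
    result["kris"] = abac_can_update(kris, "update.department", euan)
    update_department(kris, euan, "Operations")
    # With the attribute changed, the same ABAC rule now allows Euan.
    result["euan_after"] = abac_can_update(euan, "update.title", kris)
    # Under RBAC nothing changed: no role was ever granted to Euan.
    result["euan_rbac"] = rbac_can_update(euan, "update.title", kris)
    return result


if __name__ == "__main__":
    print(walkthrough())
```

Running the module prints the four decisions; `euan_before` and `euan_rbac` are `False`, `kris` and `euan_after` are `True`. The point to notice is that `update_department` is itself guarded by the decision function, so the attribute that grants the permission can only be changed by someone who already holds it.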
# Summary

In this section we learned how powerful an authorization model ABAC is, and how it can be used to create dynamic authorization behavior based on user attributes. We saw how it lets us define more granular authorization models that can take into account an arbitrary number of attributes. In some cases, using RBAC will not be enough to address all the complex scenarios present in the application. In those cases, we can rely on ABAC to provide us with a more granular and dynamic authorization model.
# Next steps

Next, you can explore how to use your own identity provider instead of our demo Acmecorp IDP.