
Bind PeopleFinder to the new ABAC policy

Update Netlify environment variables

In order for the deployed PeopleFinder application to point to the new policy, open your Netlify site's settings and open the Build & deploy tab:

[screenshot: netlify-site-settings]

Then, scroll down to the Environment variables section and click edit variables:

[screenshot: netlify-environment]

Update the POLICY_ID variable to the Policy ID of the policy you just created and save your changes. To find the policy ID, open your policy settings tab in the Aserto console:

[screenshot: policy-settings-abac]

Finally, you'll have to trigger a redeploy of the Netlify application. Navigate to the Deploys tab:

[screenshot: netlify-deploys]

Then click the "Trigger deploy" dropdown and select "Deploy site".

[screenshot: netlify-deploy-trigger]

Examine the application behavior

Open the PeopleFinder application, and select Euan from the profile switcher. Then, select a user from the People directory.

[screenshot: euan-as-sales]

As you can see, right now, Euan can't update the title or department of another user - the Update button is disabled for him.

Next, use the profile switcher and select Kris. As a member of the "Operations" department, Kris is allowed to update other users' titles and departments. From the People list, select Euan and bring up his user card.

[screenshot: euan-and-kris-pre-update]

Now, update Euan's department to be "Operations".

[screenshot: euan-and-kris-mid-update]

Then hit Save.

We'll use the profile switcher again to select Euan and then select any user from the People directory. With his department updated, Euan can now update any user's title and department.

[screenshot: euan-as-operations]

If we were using an RBAC model, we would have had to explicitly give Euan the role of admin or editor to give him permissions to perform this action. Using the ABAC model we were able to modify the value of an existing attribute (department) to grant him this permission dynamically.
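To make the RBAC/ABAC contrast concrete, here is an added example (not Aserto's policy and not PeopleFinder code) that replays the walkthrough against two small policy functions. The directory, the `admin`/`editor` role names and the `Operations` check are constructed from the scenario described above; under the RBAC variant Kris is assumed to hold the `editor` role so that she can perform the same update in both models.

```python
"""Constructed example: the same user-card update evaluated under RBAC and ABAC.

Not Aserto's Rego policy; a plain-Python illustration of why changing the
`department` attribute grants Euan the permission under ABAC but not under RBAC.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class User:
    name: str
    department: str
    roles: set = field(default_factory=set)


# Constructed directory mirroring the walkthrough. Kris is given the `editor`
# role (an assumption) so the RBAC variant also lets her perform the update.
DIRECTORY = {
    "euan": User("Euan", "Sales"),
    "kris": User("Kris", "Operations", {"editor"}),
}

Policy = Callable[[User], bool]


def rbac_can_update(actor: User) -> bool:
    """RBAC: the permission follows an explicitly assigned role."""
    return bool(actor.roles & {"admin", "editor"})


def abac_can_update(actor: User) -> bool:
    """ABAC: the permission is derived from an attribute of the actor."""
    return actor.department == "Operations"


def update_department(actor: User, target: User, new_department: str, policy: Policy) -> bool:
    """Enforce the chosen policy before writing; return whether the write happened."""
    if not policy(actor):
        return False
    target.department = new_department
    return True


def run_scenario(policy: Policy) -> tuple[bool, bool, bool]:
    """Replay the walkthrough on a fresh copy of the directory.

    Returns (euan_allowed_before, kris_update_succeeded, euan_allowed_after).
    """
    users = {k: User(v.name, v.department, set(v.roles)) for k, v in DIRECTORY.items()}
    euan, kris = users["euan"], users["kris"]
    before = policy(euan)                      # Euan as Sales: Update button disabled
    kris_ok = update_department(kris, euan, "Operations", policy)
    after = policy(euan)                       # re-evaluate Euan with his new department
    return before, kris_ok, after


if __name__ == "__main__":
    print("RBAC:", run_scenario(rbac_can_update))  # (False, True, False)
    print("ABAC:", run_scenario(abac_can_update))  # (False, True, True)
```

Under RBAC the department write succeeds but changes nothing about Euan's authorization; under ABAC the same write is what grants him the permission. That is the practical caveat of the model: once `department` drives a decision, a write to that attribute is a privilege change and deserves the same audit logging and review that a role grant would get.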

Summary

In this section we learned how powerful an authorization model ABAC is, and how it can be used to create dynamic authorization behavior based on user attributes. We saw how it lets us define more granular authorization models that can take into account an arbitrary number of attributes. In some cases, RBAC alone will not be enough to address all the complex scenarios present in the application. In those cases, we can rely on ABAC to provide a more granular and dynamic authorization model.

Next steps

Next, you can explore how to use your own identity provider instead of our demo Acmecorp IDP.