For the deployed PeopleFinder application to point to the new policy, open your Netlify site's settings and open the Build & deploy tab:
Then, scroll down to the Environment variables section and click edit variables:
To retrieve the new Policy ID, open the Policies tab in the Aserto console and click the
peoplefinder-abac instance. Then, click on
POLICY_ID environment variable in Netlify to the Policy ID of the policy associated with the
Finally, you'll have to trigger a redeploy of the Netlify application. Navigate to the Deploys tab:
Then click the "Trigger deploy" dropdown and select "Deploy site".
Open the PeopleFinder application, and select Euan from the profile switcher. Then, select a user from the People directory.
As you can see, right now, Euan can't update the title or department of another user - the Update button is disabled for him.
Next, use the profile switcher and select Kris. As a member of the "Operations" department, Kris is allowed to update other users' title and department. From the People list, select Euan and bring up his user card.
Now, update Euan's department to be "Operations" and hit save.
We'll use the profile switcher again to select Euan and then select any user from the People directory. With his department updated, Euan can now update any user's title and department.
If we were using an RBAC model, we would have had to explicitly give Euan the role of editor to give him permissions to perform this action. Using the ABAC model we were able to modify the value of an existing attribute (department) to grant him this permission dynamically.
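The walkthrough above, modelled as an added example (not code from PeopleFinder and not Aserto's policy): because the permission check reads the department attribute, editing that attribute is itself a grant, so the sketch records it in an audit log. Euan's starting department "Sales", the title "CTO", and all function names are assumptions.

```javascript
// Hypothetical model of the walkthrough's decision logic.
// Only "Operations" and the "editor" role come from the page; other values are constructed.
function makeDirectory() {
  return {
    euan: { name: "Euan", department: "Sales", roles: [] }, // "Sales" is assumed
    kris: { name: "Kris", department: "Operations", roles: [] },
  };
}

// RBAC: permission comes from an explicitly assigned role.
const rbacCanUpdate = (user) => user.roles.includes("editor");

// ABAC: permission is derived from the current value of an attribute.
const abacCanUpdate = (user) => user.department === "Operations";

// Apply an update under the ABAC rule. Because the rule reads `department`,
// a department change can grant or revoke the permission, so record it.
function updateUser(actor, target, changes, auditLog) {
  if (!abacCanUpdate(actor)) return false; // denied: nothing is changed
  const before = abacCanUpdate(target);
  Object.assign(target, changes);
  const after = abacCanUpdate(target);
  if (before !== after) {
    auditLog.push({
      actor: actor.name,
      target: target.name,
      attribute: "department",
      change: after ? "granted" : "revoked",
    });
  }
  return true;
}

// Replays the steps from the text on a fresh directory.
function runWalkthrough() {
  const dir = makeDirectory();
  const auditLog = [];
  const steps = {};
  steps.euanBefore = updateUser(dir.euan, dir.kris, { title: "CTO" }, auditLog);
  steps.krisEditsEuan = updateUser(dir.kris, dir.euan, { department: "Operations" }, auditLog);
  steps.euanAfter = updateUser(dir.euan, dir.kris, { title: "CTO" }, auditLog);
  steps.euanHasEditorRole = rbacCanUpdate(dir.euan); // no role was ever assigned
  return { steps, auditLog };
}

console.log(JSON.stringify(runWalkthrough(), null, 2));
```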
In this section we learned how powerful an authorization model ABAC is, and how it can be used to create dynamic authorization behavior based on user attributes. We saw how it lets us define more granular authorization models that can take into account an arbitrary number of attributes. In some cases, using RBAC will not be enough to address all the complex scenarios present in the application. In those cases, we can rely on ABAC to provide us with a more granular and dynamic authorization model.
Next, you can explore how to use your own identity provider instead of our demo Acmecorp IDP.