Skip to main content

Bind PeopleFinder to the new ABAC policy

Update Netlify environment variables

In order for the deployed PeopleFinder application to point the new policy, open your Netlify site's settings and open the Build & deploy tab:

netlify-site-settings

Then, scroll down to the Environment variables section and click edit variables:

netlify-environment

Update the POLICY_INSTANCE_NAME and POLICY_INSTANCE_LABEL environment variables in Netlify to peoplefinder-abac.

Finally, you'll have to trigger a redeploy of the Netlify application. Navigate to the Deploys tab:

netlify-deploys

The click the dropdown "Trigger deploy" and select "Deploy site".

netlify-deploy-trigger

Examine the application behavior

Open the PeopleFinder application, and select Euan from the profile switcher. Then, select a user from the People directory.

euan-as-sales

As you can see, right now, Euan can't update the title or department of another user - the Update button is disabled for him.

Next, use the profile switcher and select Kris. As a member of the "Operations" department, Kris is allowed to update other user's title and department. From the People list, select Euan and bring up his user card.

euan-and-kris-pre-update

Now, update Euan's department to be "Operations".

euan-and-kris-mid-update

and hit save.

We'll use the profile switcher again to select Euan and then select any user from the People directory. With his department updated, Euan can now update any user's title and department.

euan-as-operations

If we were using an RBAC model, we would have had to explicitly give Euan the role of admin or editor to give him permissions to perform this action. Using the ABAC model we were able to modify the value of an existing attribute (department) to grant him this permission dynamically.

Summary

In this section we learned how powerful of an authorization model ABAC is, and how it can be used to create a dynamic authorization behavior - based on user attributes. We saw how it lets us define more granular authorization models that can take into account an arbitrary number of properties. In some cases, using RBAC will not be enough to address all the complex scenarios present in the application. In those cases, we can rely on ABAC to provide us with a more granular and dynamic authorization model.

Next steps

Next, you can explore how to use the Aserto OneBox to set up a local development environment.