AZN Use cases
The following use cases illustrate how rule suites handle various scenarios. The structure of the input document (the `document` object passed with each request, as shown in the examples below) is described in the Script interface to the authorization service.
Use case 1: Authorization based on context attributes and resource, with the resource attributes in context
Example
John Doe wants to use SMS Authentication, but SMS Authentication is only allowed for users in the companies TrustBuilder and SecurIT. He must also have a Belgian phone number. In this variant the list of allowed companies is carried inside the input document itself (`target.attributes.allowedCompanies`), so the decision is only as trustworthy as the component that builds that document: the list should be populated by the policy enforcement point, not taken from the end user's request.
Input
{
"transactionId": 1234,
"resource": "test/SMS_Authentication",
"document": {
"user": {
"principal": "jdoe",
"attributes": {
"userid": "jdoe",
"firstname": "John",
"lastname": "Doe",
"displayname": "John Doe",
"company": "Acme Corp",
"email": "jdoe@acme.org",
"phone": "0123456789"
}
},
"target": {
"attributes": {
"allowedCompanies": ["SecurIT", "TrustBuilder"]
}
}
}
}
Rule suite
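<rulesuite name="check_sms_auth">
  <!-- Use case 1: SMS Authentication is granted only when the user's phone number
       is Belgian (international "+32" prefix) and the user's company is in the
       allow-list. Here the allow-list is read from the input document itself
       ($in.target.attributes.allowedCompanies), so whoever builds the input
       document is trusted for that list. -->
  <resources>
    <!-- The suite is only consulted for this resource. -->
    <resource>test/SMS_Authentication</resource>
  </resources>
  <rulesets>
    <ruleset name="Check allowed companies" global="true">
      <rules>
        <!-- The rule's outcome is stored in $rule1 so the hint below can react to it. -->
        <rule name="Rule 1" weight="1" variable="rule1">
          <!-- Gate: only phone numbers written in international form with the
               Belgian prefix reach the assertions. A nationally formatted number
               such as "0123456789" does not pass, which is why the Result for
               this use case has score 0. -->
          <condition>
            <test>
              <function>startsWith:</function>
              <param>$in.user.attributes.phone</param>
              <param>"+32"</param>
            </test>
          </condition>
          <!-- The company attribute must be present and must be one of the allowed
               companies. The emptiness check comes first so that a user with no
               company attribute is never matched against the list. NOTE(review):
               whether "contains:" compares case-sensitively is not shown on this
               page; confirm before relying on mixed-case company names. -->
          <assert>
            <test>
              <function>isNotEmpty</function>
              <param>$in.user.attributes.company</param>
            </test>
            <test>
              <function>contains:</function>
              <param>$in.target.attributes.allowedCompanies</param>
              <param>$in.user.attributes.company</param>
            </test>
          </assert>
          <hint>
            <!-- Unconditional output. In the Use case 2 Result (score 1) no hints
                 appear at all, so presumably hints are only returned when the
                 rule fails; confirm against the service documentation. -->
            <output>
              <value>{ "message":"Not Allowed"}</value>
            </output>
            <!-- Returned only when the rule failed ($rule1 = 0). NOTE(review):
                 this echoes the full allow-list back to the caller; if hints are
                 forwarded to the end user, that discloses policy data. -->
            <output>
              <condition>
                <test>
                  <function>=</function>
                  <param>$rule1</param>
                  <param>0</param>
                </test>
              </condition>
              <value>{ "company": "$in.target.attributes.allowedCompanies" }</value>
            </output>
          </hint>
        </rule>
      </rules>
    </ruleset>
  </rulesets>
</rulesuite>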
Result
{
"error": 0,
"score": 0,
hints: [
{
"message": "Not Allowed"
},
{
"company": ["SecurIT", "TrustBuilder"]
}]
}
Use case 2: Authorization based on context attributes and resource, with the resource attributes retrieved from Policy Information Point
Example
John Doe wants to use SMS Authentication, but SMS Authentication is only allowed for users in the companies TrustBuilder and SecurIT. He must also have a Belgian phone number. In this variant the list of allowed companies is not part of the input document: the rule suite retrieves it from the Policy Information Point, so the caller cannot influence the allow-list.
Input
{
"transactionId": 1234,
"resource": "test/SMS_Authentication",
"document": {
"user": {
"principal": "jdoe",
"attributes": {
"userid": "jdoe",
"firstname": "John",
"lastname": "Doe",
"displayname": "John Doe",
"company": "SecurIT",
"email": "jdoe@acme.org",
"phone": "+323456789"
}
}
}
}
Rule suite
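<rulesuite name="check_sms_auth">
  <!-- Use case 2: same policy as use case 1 (Belgian "+32" phone number and an
       allowed company), but the allow-list is fetched from the Policy Information
       Point instead of being read from the input document, so the caller has no
       influence over it. -->
  <resources>
    <!-- The suite is only consulted for this resource. -->
    <resource>test/SMS_Authentication</resource>
  </resources>
  <rulesets>
    <ruleset name="Check allowed companies" global="true">
      <variables>
        <!-- $r_attr is populated from the PIP request "authmechs"; the rule reads
             $r_attr.allowedCompanies from its response. The payload is JSON, so
             every key is quoted (the original page left "id" unquoted). -->
        <variable name="r_attr">
          <request>authmechs</request>
          <payload>{"type": "sms", "id": "SMS_Authentication"}</payload>
        </variable>
      </variables>
      <rules>
        <!-- The rule's outcome is stored in $rule1 so the hint below can react to it. -->
        <rule name="Rule 1" weight="1" variable="rule1">
          <!-- Gate: only phone numbers written in international form with the
               Belgian prefix reach the assertions. -->
          <condition>
            <test>
              <function>startsWith:</function>
              <param>$in.user.attributes.phone</param>
              <param>"+32"</param>
            </test>
          </condition>
          <!-- The company attribute must be present and must be one of the allowed
               companies returned by the PIP. The emptiness check comes first so
               that a user with no company attribute is never matched. -->
          <assert>
            <test>
              <function>isNotEmpty</function>
              <param>$in.user.attributes.company</param>
            </test>
            <test>
              <function>contains:</function>
              <param>$r_attr.allowedCompanies</param>
              <param>$in.user.attributes.company</param>
            </test>
          </assert>
          <hint>
            <!-- Unconditional output; the Result for this use case (score 1)
                 contains no hints, so presumably hints are only returned when
                 the rule fails; confirm against the service documentation. -->
            <output>
              <value>{"message":"Not Allowed"}</value>
            </output>
            <!-- Returned only when the rule failed ($rule1 = 0). NOTE(review):
                 this echoes the PIP-sourced allow-list back to the caller; if
                 hints are forwarded to the end user, that discloses policy data. -->
            <output>
              <condition>
                <test>
                  <function>=</function>
                  <param>$rule1</param>
                  <param>0</param>
                </test>
              </condition>
              <value>{"company": "$r_attr.allowedCompanies"}</value>
            </output>
          </hint>
        </rule>
      </rules>
    </ruleset>
  </rulesets>
</rulesuite>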
Result
{
"error": 0,
"score": 1
}