To perform conditional URL evaluation (where arguments in the URL change and affect the policy decision), a custom policy evaluation plugin needs to be implemented: http://docs.forgerock.org/en/openam/11.0.0/dev-guide/index/chap-policy-spi.html

Use Case

The URL contains all the information required to make a policy decision, but components of the URL vary and add context, e.g.:

http://app.example.com/orgs/*/users/*?action=patch

In this example an organisation number precedes the "users" path component, while the user number follows it. A condition should exist so that only users who are managers AND who manage the same organisation as the user they are accessing are allowed.

Manager1, org=123 – http://app.example.com/orgs/123/user/456?action=patch ALLOW
Manager2, org=124 - http://app.example.com/orgs/123/user/456?action=patch DENY
Manager2, org=123 - http://app.example.com/orgs/124/user/567?action=patch ALLOW
Manager1, org=123 - http://app.example.com/orgs/124/user/567?action=pat
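The decision logic such a plugin would carry, written here as an added stand-alone example rather than the page's or ForgeRock's own code; the OpenAM SPI wiring from the linked guide is not shown. It assumes the subject is presented as a dictionary with an "org" attribute and a set of "roles", and it accepts both the "/users/" form of the pattern and the "/user/" form used in the sample URLs.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumed resource shape from the use case: the organisation id sits before
# the user segment and the user id after it. "users?" accepts both spellings
# that appear on the page.
RESOURCE_RE = re.compile(r"^/orgs/(?P<org>[^/]+)/users?/(?P<user>[^/]+)$")


def evaluate(subject, resource, required_action="patch"):
    """Return "ALLOW", "DENY" or "NOT_APPLICABLE" for one subject/resource pair.

    NOT_APPLICABLE means the condition does not govern this resource at all
    (path does not match, or the action is missing/ambiguous), so another
    policy would have to decide; only a matching request is ALLOW/DENY.
    """
    parsed = urlparse(resource)
    match = RESOURCE_RE.match(parsed.path)
    if match is None:
        return "NOT_APPLICABLE"

    # Require exactly one action value so "action=patch&action=read"
    # cannot smuggle a second, unevaluated action past the condition.
    actions = parse_qs(parsed.query).get("action", [])
    if actions != [required_action]:
        return "NOT_APPLICABLE"

    target_org = match.group("org")
    is_manager = "manager" in subject.get("roles", set())
    same_org = subject.get("org") == target_org

    # Both halves of the page's rule must hold: manager AND same organisation.
    return "ALLOW" if (is_manager and same_org) else "DENY"


if __name__ == "__main__":
    # Constructed subjects mirroring the first two cases on the page.
    manager1 = {"org": "123", "roles": {"manager"}}
    manager2 = {"org": "124", "roles": {"manager"}}
    url = "http://app.example.com/orgs/123/user/456?action=patch"
    print("Manager1:", evaluate(manager1, url))  # ALLOW
    print("Manager2:", evaluate(manager2, url))  # DENY
```

A non-manager from the correct organisation is denied as well, since the role check is part of the condition, not a separate policy.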
Recipes for Digital Identity & Security