# Controlling Access with Conditions and Actions

This tutorial presents a fictional scenario that guides you through configuring a rate table and setting up conditions and actions that determine whether a user is permitted to access a certain line item.

## Scenario

Your customer has purchased **200** tokens in a single line item with activation ID **abc123**. They want to allow access to the line item **only if** the requester is from the **Engineering**, **Product Management**, or **Product Marketing** departments. They also want to allocate **150** tokens to Engineering, and **50** tokens to Product Management and Product Marketing combined. Nobody else should be able to consume tokens from this line item.

### Steps in This Section

- [Step 1: Check the Line Item](#step-1-check-the-line-item)
- [Step 2: Set Up a Rate Table](#step-2-set-up-a-rate-table)
- [Step 3: Define Conditions](#step-3-define-conditions)
- [Step 4: Create Actions Based on the Conditions](#step-4-create-actions-based-on-the-conditions)
- [Step 5: Verify the Setup](#step-5-verify-the-setup)
- [Step 6: Check Enforcement of Allocations](#step-6-check-enforcement-of-allocations)
- [Optional: Retrieve Actions to Verify Token Consumption](#optional-retrieve-actions-to-verify-token-consumption)
- [Optional: Further Exercise](#optional-further-exercise)
- [Optional: Clean Up](#optional-clean-up)

### Step 1: Check the Line Item

Call `/v1.0/instances/{instanceId}/line-items` using GET to view the line item that your customer has purchased. Note the activation ID and quantity in the response.

Further reading:

- [Map a line item to an instance](/apis/openapispec/line-items/addactivation) (API Reference).
- [Get a list of line items](/apis/openapispec/line-items/getactivationsforinstance) (API Reference).
- [Line Items](/guides/elastic-access-concepts-for-all-back-office-types#line-items) (User Guide).
**Authorization**: administration token or client token

**API Call**

**Example Response**

The response includes details about the line item. Note the activation ID **abc123** and the quantity of **200**.

```json
[
  {
    "activationId": "abc123",
    "state": "DEPLOYED",
    "start": 1695772800000,
    "end": 1790467199999,
    "quantity": 200,
    "used": 0,
    "attributes": {
      "elastic": true,
      "rateTableSeries": "1"
    }
  }
]
```

### Step 2: Set Up a Rate Table

POST to `/v1.0/rate-tables` to create a rate table. Ensure that the rate table contains an item that requesters can request.

Further reading:

- [Creating a Rate Table](/tutorials/managing-rate-tables-and-access-requests#creating-a-rate-table) (Tutorial).
- [Create a rate table](/apis/openapispec/rate-tables/postratetables) (API Reference).
- [Rate Tables](/guides/elastic-access-concepts-for-all-back-office-types#rate-tables) (User Guide).

**Authorization**: administration token

**API Call**

### Step 3: Define Conditions

Create conditions that check:

- whether the requester's `department` attribute is set to `Engineering`.
- whether the requester's `department` attribute is set to `ProductManagement` or `ProductMarketing`.

The response returns two condition objects, each with a generated ID. Note the generated IDs (the first belongs to the `Engineering` condition), as they are needed in the next step.

Further reading:

- [Create conditions](/apis/openapispec/rules-of-access/postconditionsofaccess) (API Reference).
- [What Are Conditions](/guides/rules-of-access#what-are-conditions) (User Guide).
**Authorization**: administration token or client token

**API Call**

**Request Body Example**

```json
[
  {
    "operator": "IN",
    "property": "department",
    "values": ["Engineering"]
  },
  {
    "operator": "IN",
    "property": "department",
    "values": ["ProductManagement", "ProductMarketing"]
  }
]
```

**Example Response**

```json
[
  {
    "operator": "IN",
    "property": "department",
    "values": ["Engineering"],
    "id": "673cd8ee-d4d4-48ba-a4cc-235e61c96516"
  },
  {
    "operator": "IN",
    "property": "department",
    "values": ["ProductManagement", "ProductMarketing"],
    "id": "8077bc18-c3f7-4d9d-a560-637d5b118d0b"
  }
]
```

### Step 4: Create Actions Based on the Conditions

Now define actions that use the conditions to allow access and allocate the tokens. Replace each `conditionId` with the generated ID received in your conditions response. Add a final action with an empty `conditionId` that denies any request not matching one of the conditions. This prevents the tokens allocated to the two groups from being consumed by anyone else.

Further reading:

- [Create conditions](/apis/openapispec/rules-of-access/postconditionsofaccess) (API Reference).
- [Create a list of actions and allocations for a line item](/apis/openapispec/rules-of-access/createactions) (API Reference).
- [What Are Conditions](/guides/rules-of-access#what-are-conditions) (User Guide).
**Authorization**: administration token or client token

**API Call**

**Request Body Example**

```json
[
  {
    "name": "Engineering allocation",
    "conditionId": "673cd8ee-d4d4-48ba-a4cc-235e61c96516",
    "action": "ALLOW",
    "allocation": 100
  },
  {
    "name": "PM & PMM allocation",
    "conditionId": "8077bc18-c3f7-4d9d-a560-637d5b118d0b",
    "action": "ALLOW",
    "allocation": 150
  },
  {
    "name": "default",
    "conditionId": "",
    "action": "DENY"
  }
]
```

**Response Example**

```json
[
  {
    "name": "Engineering allocation",
    "conditionId": "673cd8ee-d4d4-48ba-a4cc-235e61c96516",
    "action": "ALLOW",
    "allocation": 100,
    "id": "6e8d23b0-8e7c-4962-8963-74ef1de693e2"
  },
  {
    "name": "PM & PMM allocation",
    "conditionId": "8077bc18-c3f7-4d9d-a560-637d5b118d0b",
    "action": "ALLOW",
    "allocation": 150,
    "id": "d8a9e55e-ad56-4b89-849f-c08eae92feb8"
  },
  {
    "name": "default",
    "conditionId": "",
    "action": "DENY",
    "id": "7fdf0258-3350-4d94-868f-f5c8e821a616"
  }
]
```

### Step 5: Verify the Setup

Call **/conditions** and **/actions** to confirm everything is configured correctly.

Further reading:

- [Create conditions](/apis/openapispec/rules-of-access/postconditionsofaccess) (API Reference).
- [Create a list of actions and allocations for a line item](/apis/openapispec/rules-of-access/createactions) (API Reference).
- [What Are Conditions](/guides/rules-of-access#what-are-conditions) (User Guide).
- [What Are Actions](/guides/rules-of-access#what-are-actions) (User Guide).
- [How Actions and Conditions Work Together](/guides/rules-of-access#how-actions-and-conditions-work-together) (User Guide).

**Authorization**: administration token or client token

**API Call to Check Conditions**

**API Call to Check Actions**

### Step 6: Check Enforcement of Allocations

Submit an access request for the item and verify that it was successfully accessed. The response should indicate which action was used.

Further reading:

- [Access request for elastic tokens](/apis/openapispec/non-session-access-request/postaccessrequest) (API Reference).
- [Access Requests](/guides/elastic-access-concepts-for-all-back-office-types#access-requests) (User Guide).

**Authorization**: administration token or client token

**API Call**

**Request Body Example**

```json
{
  "requester": {
    "type": "user",
    "value": "alice",
    "dictionary": { "department": "engineering" }
  },
  "requestedItems": [
    {
      "item": "string",
      "version": "string",
      "count": 7,
      "metaData": {}
    }
  ]
}
```

**Response Example**

```json
{
  "correlationId": "f36d6ceb-7f83-4838-ae5a-933e6ced4e12",
  "requester": {
    "type": "user",
    "value": "alice",
    "dictionary": { "department": "engineering" }
  },
  "requestedItems": [
    {
      "item": "string",
      "version": "string",
      "count": 7,
      "status": {
        "code": "101",
        "description": "Successfully checked out"
      },
      "totalTokensCharged": 21,
      "lineItems": [
        {
          "rate": 3.0,
          "actionId": "6e8d23b0-8e7c-4962-8963-74ef1de693e2",
          "activationId": "abc123",
          "tokensCharged": 21
        }
      ]
    }
  ]
}
```

### Optional: Retrieve Actions to Verify Token Consumption

You can verify that the tokens were consumed from the line item by retrieving the actions again using `/v1.0/instances/{instanceId}/line-items/{lineItemId}/actions`.

Further reading:

- [Get actions and allocations for a line item](/apis/openapispec/rules-of-access/getactions) (API Reference).
- [Tokens](/guides/elastic-access-concepts-for-all-back-office-types#tokens) (User Guide).
- [What Are Actions](/guides/rules-of-access#what-are-actions) (User Guide).
- [How Actions and Conditions Work Together](/guides/rules-of-access#how-actions-and-conditions-work-together) (User Guide).
**Authorization**: administration token or client token

**API Call**

**Response Example**

```json
[
  {
    "name": "Engineering allocation",
    "conditionId": "673cd8ee-d4d4-48ba-a4cc-235e61c96516",
    "action": "ALLOW",
    "allocation": 100,
    "id": "6e8d23b0-8e7c-4962-8963-74ef1de693e2",
    "used": 21
  },
  {
    "name": "PM & PMM allocation",
    "conditionId": "8077bc18-c3f7-4d9d-a560-637d5b118d0b",
    "action": "ALLOW",
    "allocation": 150,
    "id": "d8a9e55e-ad56-4b89-849f-c08eae92feb8"
  },
  {
    "name": "default",
    "conditionId": "",
    "action": "DENY",
    "id": "7fdf0258-3350-4d94-868f-f5c8e821a616"
  }
]
```

### Optional: Further Exercise

As a further exercise, you could:

- Create a request from somebody in Product Management that successfully accesses tokens.
- Try a request from somebody on the Customer Success team, and check that it is denied.

### Optional: Clean Up

To remove the configuration, use the following API calls:

- **Delete Actions**: DELETE `/v1.0/instances/{instanceId}/line-items/{lineItemId}/actions`
- **Delete Conditions**: DELETE `/v1.0/instances/{instanceId}/conditions`
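As an added example (not part of this tutorial and not the service's own code), the following Python models how the conditions from Step 3 and the actions from Step 4 decide the access request in Step 6: the first action whose condition matches decides, an ALLOW is honoured only while its allocation still has room, and the condition-less DENY catches everyone else. The condition and action IDs and the rate of 3.0 are copied from the example responses above; the evaluation order and the case-insensitive comparison of the `department` value (the tutorial's request sends `engineering` and is matched to the `Engineering` condition) are assumptions about the service's behaviour.

```python
import copy
# Conditions from Step 3, keyed by the IDs in the tutorial's example response.
CONDITIONS = {
    "673cd8ee-d4d4-48ba-a4cc-235e61c96516":
        {"operator": "IN", "property": "department", "values": ["Engineering"]},
    "8077bc18-c3f7-4d9d-a560-637d5b118d0b":
        {"operator": "IN", "property": "department",
         "values": ["ProductManagement", "ProductMarketing"]},
}

# Actions from Step 4, in the order they were posted. The trailing DENY has no
# condition, so it catches every requester that no earlier action matched.
ACTIONS = [
    {"name": "Engineering allocation", "action": "ALLOW", "allocation": 100,
     "conditionId": "673cd8ee-d4d4-48ba-a4cc-235e61c96516",
     "id": "6e8d23b0-8e7c-4962-8963-74ef1de693e2"},
    {"name": "PM & PMM allocation", "action": "ALLOW", "allocation": 150,
     "conditionId": "8077bc18-c3f7-4d9d-a560-637d5b118d0b",
     "id": "d8a9e55e-ad56-4b89-849f-c08eae92feb8"},
    {"name": "default", "action": "DENY", "conditionId": "",
     "id": "7fdf0258-3350-4d94-868f-f5c8e821a616"},
]

def fresh_actions():
    """Return an unconsumed copy of the actions (their 'used' counters start at 0)."""
    return copy.deepcopy(ACTIONS)

def condition_matches(condition, dictionary):
    """IN operator: the requester attribute must be one of the listed values.
    Compared case-insensitively because the tutorial's request sends
    'engineering' and is matched to the 'Engineering' condition (assumption)."""
    value = dictionary.get(condition["property"])
    return value is not None and value.lower() in [v.lower() for v in condition["values"]]

def evaluate_request(actions, requester, count, rate=3.0):
    """First action whose condition matches (or that has none) decides; ALLOW is
    honoured only while its allocation has room. Rate 3.0 is the tutorial's
    example rate; the evaluation order is an assumption of this model."""
    tokens = count * rate
    for action in actions:
        cid = action["conditionId"]
        if cid and not condition_matches(CONDITIONS[cid], requester.get("dictionary", {})):
            continue  # conditional action, requester is not in scope
        if action["action"] == "DENY":
            return {"allowed": False, "reason": "denied by rule", "actionId": action["id"], "tokensCharged": 0}
        used = action.get("used", 0)
        if used + tokens > action["allocation"]:
            return {"allowed": False, "reason": "allocation exhausted", "actionId": action["id"], "tokensCharged": 0}
        action["used"] = used + tokens  # consume from this allocation
        return {"allowed": True, "reason": "checked out", "actionId": action["id"], "tokensCharged": tokens}
    return {"allowed": False, "reason": "no matching action", "actionId": None, "tokensCharged": 0}
```

Running the Step 6 request (`alice`, `engineering`, count 7) through `evaluate_request` charges 21 tokens against the Engineering allocation and records them in that action's `used` field, mirroring the retrieved actions above; a further request that would push `used` past the allocation is refused even though the requester's department matches.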