Skip to main content
Version: 1.11

Authorization decisions

Below are some examples of requests and responses for the four possible decisions, as well as the results returned in certain error conditions:

Decision or error conditionWhenHTTP
PermitThe access request has been permitted.HTTP 200 OK
DenyThe access request has been denied.HTTP 200 OK
NotApplicableThe policy is not applicable to the access request.HTTP 200 OK
IndeterminateThere has been an error processing the request.HTTP 200 OK
Syntax errorSyntactical errors in the request.HTTP 400 Bad Request
Technical errorFor example, when an attribute connector cannot connect to its policy information point.HTTP 500 Internal Server Error

Authorization decisions

Profile specifications

More information about requests and responses are available in the XACML REST, XACML JSON, and XACML Core profile specifications ,respectively.

note

The deprecated authorization endpoint /asm-pdp/authorize is compatible with JSON Profile of XACML 3.0 Version 1.0 and XACML REST Profile Version 1.0. It is not compatible with JSON Profile of XACML 3.0 Version 1.1 or XACML REST Profile Version 1.1.

Example

The following is an example using curl (see https://curl.haxx.se/).

Preconditions

  • Access Decision Service is running on localhost, port 8080

  • TLS is not used

  • The Authentication property is set to Basic (that is, turned on)

  • The domain property is configured with a file reference to the YAML-format configuration file provided in the appendix Authorization decisions domain file.

note

The YAML-format authorization domain file mentioned above must be used when running the requests described below. Otherwise the sample responses listed below will not match the corresponding request.

Request

curl --data @request_permit.json -H content-type:application/xacml+json http://localhost:8080/authorize -u ads-user:secret

Explanation

The content-type header tells Access Decision Service that the request will contain a XACML request in JSON format.

The --data flag indicates that content is stored in a file called request_permit.json.

Permit

Request

A sample (request_permit.json) containing a request message body for Permit is available in the appendix JSON-format request samples. It will produce the response given below.

Response

{
  "Response": [
    {
      "Decision": "Permit"
    }
  ]
}

Deny

Request

A sample (request_deny.json) containing a request message body for Permit is available in the appendix JSON-format request samples. It will produce the response given below.

Response

{
  "Response": [
    {
      "Decision": "Deny"
    }
  ]
}

NotApplicable

Request

A sample (request_notapplicable.json) containing a request message body for Permit is available in the appendix JSON-format request samples. It will produce the response given below.

Response

{
  "Response": [
    {
      "Decision": "NotApplicable"
    }
  ]
}

Indeterminate

Request

A sample (request_indeterminate.json) containing a request message body for Permit is available in the appendix JSON-format request samples. It will produce the response given below.

Response

{
  "Response": [
    {
      "Decision": "Indeterminate",
      "Status": {
        "StatusMessage": "urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only
        expects a bag that contains a single element,got a bag with 0 elements",
        "StatusCode": {
          "Value": "urn:oasis:names:tc:xacml:1.0:status:processing-error"
        }
      }
    }
  ]
}

XML

XML versions of the request message body samples are available in the appendix XML-format request samples.