The authorization domain
Authorization domains are central to Axiomatics' methodology for defining authorization policies. They serve as comprehensive collections of domain-specific data such as policies, attributes, and attribute connectors, which are essential in evaluating access requests and returning appropriate authorization responses.
The possible authorization responses to a request are listed in the table below:

| Response | Description |
|---|---|
| Permit | The access request is approved: the subject is authorized to perform the requested action. |
| Deny | The access request is rejected: the subject may not perform the action for which it sought authorization. |
| NotApplicable | Returned when the access request matches no policy or scenario in the domain, so there is no relevant rule on which to base a decision. |
| Indeterminate | Returned when the system cannot reach a decision on the access request, for example because of insufficient information, a policy evaluation error, or a system failure. |
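Added example, not code from the Axiomatics documentation: a small policy enforcement point helper in Python that maps the four responses above to an allow/deny outcome. Only an explicit Permit grants access; NotApplicable and Indeterminate (and any unrecognized value) are denied and flagged for review, so a missing policy or an evaluation error never results in access being granted.

```python
"""Fail-closed handling of the four ADS authorization responses (added example)."""
from dataclasses import dataclass
from enum import Enum
import logging

log = logging.getLogger("pep")


class Decision(str, Enum):
    """The response values from the table above."""
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


@dataclass(frozen=True)
class Enforcement:
    allowed: bool
    reason: str
    needs_review: bool = False  # True when the decision service could not decide


def parse_decision(raw) -> Decision:
    """Map the decision string from an ADS response to the enum.

    Anything not in the table (typo, empty string, None, a value from a
    future release) is treated as Indeterminate so it can never grant access.
    """
    try:
        return Decision(raw.strip())
    except (ValueError, AttributeError):
        return Decision.INDETERMINATE


def enforce(raw_decision) -> Enforcement:
    """Turn an ADS decision into an enforcement outcome, failing closed."""
    decision = parse_decision(raw_decision)
    if decision is Decision.PERMIT:
        return Enforcement(True, "permitted by policy")
    if decision is Decision.DENY:
        return Enforcement(False, "denied by policy")
    if decision is Decision.NOT_APPLICABLE:
        # No policy in the domain covered the request: deny, but flag it,
        # because it usually means a policy or target is missing.
        log.warning("no policy in the domain matched the request")
        return Enforcement(False, "no applicable policy; fail closed", needs_review=True)
    # Indeterminate or unrecognized: evaluation failed, deny and escalate.
    log.error("decision service could not evaluate the request (%r)", raw_decision)
    return Enforcement(False, "evaluation error; fail closed", needs_review=True)
```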
The data of the authorization domain, which the Access Decision Service (ADS) uses to evaluate access requests and produce responses, is stored in a domain configuration file. This file contains a collection of XACML policies and settings, including attribute connectors and cache configurations.
The domain configuration file can be in one of the two following formats:
- XML
- YAML
The formats are mutually exclusive and only one of them can be used at any given time.
Authorization domain file
ADS uses the authorization domain configuration file, or domain file for simplicity, to manage the distribution of policies and attribute source configurations for authorization decisions.
XML domain file
The XML domain file is an older format used by previous versions of Axiomatics Services Manager (ASM) and has several limitations: it is difficult for humans to read and can only be created or exported through the ASM User Interface or Administration API.
With the introduction of the new YAML domain file format, the XML version is deprecated and is generally referred to as Authorization Domain document format version 1, or the legacy format. In the ADS deployment.yaml configuration file it is referenced using the legacyXmlConfig property.
Notes on legacy domain file
- To convert your legacy XML-format (or version 1) authorization domain file to YAML format, contact Axiomatics Customer Support, who will assist with the conversion.
- Refer to the Axiomatics Services Manager 6.2.x documentation for information about exporting the authorization domain configuration file using the ASM UI. This documentation is included in the ASM 6.2.x distribution zip file (PDF format only).
- Refer to Axiomatics Developer Resources, and especially the Javadoc-based content included in the package, for information about retrieving the authorization domain configuration file programmatically using the Admin API. Contact Customer Support for information on available downloads.
YAML domain file
The YAML-format domain file is the newer domain configuration representation (also sometimes referred to as Authorization Domain document format version 2). This format, available from ADS version 1.4, provides a number of improvements over the legacy domain format, including the following:
- The document is human-readable, which makes it easy to analyze and maintain.
- No specialized software tools are required to create the document; it can be edited with a regular text editor, which makes it possible to configure and run ADS without depending on ASM to create the required configuration file.
- The document structure follows a concise syntax, and other text-format data can easily be embedded inline in the domain configuration.
- The document format is well suited to source control.
For more information on creating and exporting YAML-format domain files in ASM, refer to Domain management in the Axiomatics Services Manager documentation.
For more information about deploying each format, see Authorization domain configuration.
Validation
On start-up, ADS validates the domain configuration file against the requirements and constraints described for each section. If ADS finds an error, it displays an error message and stops running.