Sample domain
This annotated sample is intended to give a comprehensive overview of the components of an authorization domain configuration file.
---
# Identifier for the domain. It is printed in the audit log, so keep it unique
# and change it every time the domain changes: that lets a log entry be tied to
# the exact configuration that produced a decision.
identity: 'domain_id'
# Metadata consumed by tooling and domain-management workflow processes.
metadata:
  status: 'under development'
  createdBy: 'Bob'
  approvedBy: 'Alice'
policy:
  # Identifier of the entry-point policy. It must equal the PolicyId (or
  # PolicySetId) XML attribute of one of the documents in xacmlSpecifications.
  mainPolicyId: 'sample-policy'
  # Policies and/or policy sets, one XACML document per list item. A policy set
  # may reference policies and other policy sets from this same list.
  xacmlSpecifications:
    # Single policy with deny-overrides rule combining. Its empty <Target/> makes
    # it applicable to every request; its one rule permits when the
    # access-subject attribute com.acme.user.role equals 'manager'.
    # MustBePresent='false' on the designator means a request that carries no
    # such attribute simply fails the match (per XACML 3.0, an empty bag rather
    # than an Indeterminate result), so the policy falls through to
    # NotApplicable instead of Permit.
    - |
      <Policy xmlns='urn:oasis:names:tc:xacml:3.0:core:schema:wd-17' Version='1.0' RuleCombiningAlgId='urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides' PolicyId='sample-policy'>
        <Description>Control access to resources</Description>
        <PolicyDefaults>
          <XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</XPathVersion>
        </PolicyDefaults>
        <Target/>
        <Rule RuleId='sample-rule' Effect='Permit'>
          <Description>Give permit if role is manager</Description>
          <Target>
            <AnyOf>
              <AllOf>
                <Match MatchId='urn:oasis:names:tc:xacml:1.0:function:string-equal'>
                  <AttributeValue DataType='http://www.w3.org/2001/XMLSchema#string'>manager</AttributeValue>
                  <AttributeDesignator Category='urn:oasis:names:tc:xacml:1.0:subject-category:access-subject' AttributeId='com.acme.user.role' MustBePresent='false' DataType='http://www.w3.org/2001/XMLSchema#string'/>
                </Match>
              </AllOf>
            </AnyOf>
          </Target>
        </Rule>
      </Policy>
# Catalog of attributes, keyed by ALFA identifier (unique within the domain).
attributes:
  role:
    # XACML AttributeId, as referenced by policies and connector mappings.
    xacmlId: 'com.acme.user.role'
    # Attribute category.
    category: 'AccessSubject'
    # Attribute datatype.
    datatype: 'string'
    # Attribute issuer. Matches the Issuer the connector mapping below stamps
    # on this attribute.
    issuer: 'Acme Inc.'
  resourceId:
    xacmlId: 'com.acme.user.resourceId'
    category: 'Resource'
    datatype: 'string'
    # No issuer given; presumably this matches any issuer — confirm against the
    # product documentation.
# Attribute connector (PIP) configuration, keyed by connector instance name.
attributeConnectors:
  # Quoted because the name contains '#': a plain '#' only starts a comment
  # after whitespace, but quoting removes any doubt for other tooling.
  'employee_database#1':
    # Fully qualified class name of the connector implementation.
    className: 'com.axiomatics.acs.plugin.pips.sql.SqlPipModule'
    # ALFA ids of the attributes this connector is expected to provide. Optional,
    # but required for every attribute that appears under attributeCache.
    # NOTE(review): the mapping below defines only com.acme.user.role; resourceId
    # is declared here (and cached) without a cfg:xacmlAttribute entry — confirm
    # whether the sample is intentionally partial.
    provides:
      - 'role'
      - 'resourceId'
    # Connector-specific configuration: JDBC connector XML.
    # URL and driver are read from MY_DB_URL / MY_DB_DRIVER; the ${VAR:-default}
    # form falls back to an in-memory H2 database when the variable is unset.
    # Real connection credentials belong in those environment variables, not
    # in the committed default.
    # NOTE(review): the element is spelled `connnection` (three n's) — confirm
    # that matches the jdbc.config schema rather than `connection`.
    # The lookup is a parameterized query: the '?' placeholder is bound from
    # the request's com.acme.user.employeeId value. If sqlType values are
    # java.sql.Types codes, 2004 is BLOB and 12 is VARCHAR — confirm the ROLE
    # column's type.
    configurationString: |
      <cfg:configuration xmlns:cfg='http://www.axiomatics.com/jdbc.config' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:schemaLocation=''>
        <cfg:connnection>
          <!-- Environment variable substitution with default value. -->
          <cfg:url>${MY_DB_URL:-jdbc:h2:mem:ac1}</cfg:url>
          <cfg:driver>${MY_DB_DRIVER:-org.h2.Driver}</cfg:driver>
        </cfg:connnection>
        <cfg:mapping>
          <cfg:xacmlAttribute AttributeId='com.acme.user.role' Category='urn:oasis:names:tc:xacml:1.0:subject-category:access-subject' DataType='http://www.w3.org/2001/XMLSchema#string' Issuer='Acme Inc.'/>
          <cfg:nativeAttribute>
            <cfg:sqlType>2004</cfg:sqlType>
            <cfg:query>SELECT ROLE FROM EMPLOYEES WHERE EMPLOYEE_ID = ?</cfg:query>
            <cfg:key allowMultiple='false' sqlType='12'>
              <cfg:xacmlAttribute AttributeId='com.acme.user.employeeId' Category='urn:oasis:names:tc:xacml:1.0:subject-category:access-subject' DataType='http://www.w3.org/2001/XMLSchema#string' Issuer=''/>
            </cfg:key>
          </cfg:nativeAttribute>
          <cfg:uId>region_0</cfg:uId>
        </cfg:mapping>
      </cfg:configuration>
# Attribute cache configuration, keyed by ALFA name. Every entry must exist in
# the attributes section and be provided by some attribute connector.
attributeCache:
  role:
    # Keep a resolved value this long. Until it expires, a role change at the
    # source is not reflected in decisions, so choose a value your revocation
    # requirements can tolerate.
    timeToLive: '1 day'
    # Upper bound on the number of cached values per attribute.
    maxItems: 1000
  resourceId:
    timeToLive: '15 minutes'
    maxItems: 1000
# Evaluation-engine settings.
decisionParameters:
  # Number of individual requests a multiple-decision request must contain
  # before ADS attempts to optimize that multiple request.
  partialEvaluationThreshold: 3