Additional domain properties
The Access Decision Service (ADS) requires a valid authorization domain to evaluate access requests and produce authorization decisions. The domain can be retrieved from local files or external sources such as Axiomatics Services Manager (ASM), Authorization Domain Manager (ADM), or other remote endpoints.
Configuration properties
Configure the authorization domain using the following properties:
| Properties | Description |
|---|---|
| domain | The authorization domain configuration section. |
| ├─ path | Location of the authorization domain configuration file (local path or HTTP/HTTPS URL). |
| ├─ refreshInterval | Interval for refreshing the domain during runtime. Format: integer + time unit (s, second, seconds, m, min, mins, minute, minutes, h, hour, hours, d, day, days). Read more in the Runtime updating of domain configurations section below. |
| ├─ reportNotReadyOnDomainRefreshError | When true, ADS reports as not ready if domain refresh fails. Default: false. For details, refer to the Healthcheck report on failed domain updates section below. |
| └─ startup | Configuration section related to domain retrieval at startup. |
| ├─ maxRetries | The number of retry attempts when loading the domain at startup. |
| ├─ retryInterval | Wait time between startup retry attempts. Format: integer + time unit. Minimum: 1 second. |

```yaml
domain:
  path: <path_to_file>/domain.yaml
  refreshInterval: 5 seconds
  reportNotReadyOnDomainRefreshError: true
  startup:
    maxRetries: 5
    retryInterval: 5 seconds
```

Domain configuration sample
Startup Behavior
By default, ADS attempts to load the authorization domain once during startup. If this fails, the service will not start.
Retry mechanism
Configure startup retries to handle temporary connection issues or delayed availability of domain sources. ADS will attempt to load the domain up to maxRetries times, waiting retryInterval between each attempt.
The retry mechanism times out when the total duration (maxRetries × retryInterval) is reached. To prevent premature timeout, set retryInterval higher than your network's typical timeout duration.
Example

```yaml
maxRetries: 5
retryInterval: 5 seconds
```

ADS will retry for up to 25 seconds before failing.
Runtime domain updates
Enable runtime updates to refresh domain configurations without restarting ADS. This is particularly useful during policy development and testing.
When refreshInterval is configured, ADS polls the domain source at the specified interval. The service checks for changes and reloads the domain only when content has changed.
- Zero downtime during updates
- Requests continue processing during reconfiguration
- Each request uses the most recent working configuration
- When a domain configuration updates, in-progress requests are not halted or retried.
- Domains reload only if the content has changed
- Dynamic cache management clears cache only when necessary
Domain refresh and runtime domain updates are enabled only after the domain is successfully initialized at startup.
Healthcheck report on failed domain updates
Configure the readiness probe to report service health based on domain refresh success. Set reportNotReadyOnDomainRefreshError to true to have ADS return a 503 - Service Unavailable error if a domain refresh fails.
- The probe returns 503 during initial domain loading until initialization completes.
- This property has no effect if Runtime domain updates (refreshInterval) are not configured.
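
The rules on this page (the duration format, the maxRetries × retryInterval window, the 1 second minimum, and the dependency of reportNotReadyOnDomainRefreshError on refreshInterval) can be checked before deployment. The following is an added example, not Axiomatics code: `to_seconds`, `review_domain`, the already-parsed dict input, acceptance of a duration without a space (`5s`), the treatment of a missing maxRetries as zero retries, and the plain-HTTP finding are assumptions.

```python
import re

# Unit spellings from the properties table, mapped to seconds.
UNITS = {}
for names, secs in (("s second seconds", 1), ("m min mins minute minutes", 60),
                    ("h hour hours", 3600), ("d day days", 86400)):
    UNITS.update(dict.fromkeys(names.split(), secs))

def to_seconds(text):
    """Parse 'integer + time unit' (for example '5 seconds') into seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-z]+)\s*", str(text))
    if not m or m.group(2) not in UNITS:
        raise ValueError(f"not a valid duration: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def review_domain(domain):
    """Return (startup retry window in seconds, findings) for a parsed domain section."""
    findings = []
    startup = domain.get("startup") or {}
    retries = int(startup.get("maxRetries", 0))
    interval = to_seconds(startup["retryInterval"]) if "retryInterval" in startup else 0
    if "retryInterval" in startup and interval < 1:
        findings.append("retryInterval is below the 1 second minimum")
    if retries == 0:
        findings.append("no startup retries: a single failed load stops ADS from starting")
    report = bool(domain.get("reportNotReadyOnDomainRefreshError", False))
    if "refreshInterval" not in domain:
        if report:
            findings.append("reportNotReadyOnDomainRefreshError has no effect without refreshInterval")
    else:
        to_seconds(domain["refreshInterval"])  # raises ValueError if malformed
        if not report:
            findings.append("failed refreshes are not reported by the readiness probe")
    # Assumption: a local policy choice, not an ADS rule.
    if str(domain.get("path", "")).lower().startswith("http://"):
        findings.append("domain is fetched over plain HTTP")
    return retries * interval, findings

# Constructed inputs: the page's sample, and a deliberately weak variant.
SAMPLE = {"path": "<path_to_file>/domain.yaml", "refreshInterval": "5 seconds",
          "reportNotReadyOnDomainRefreshError": True,
          "startup": {"maxRetries": 5, "retryInterval": "5 seconds"}}
WEAK = {"path": "http://policy.example.internal/domain.yaml",
        "reportNotReadyOnDomainRefreshError": True,
        "startup": {"maxRetries": 3, "retryInterval": "0 s"}}

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE), ("weak", WEAK)):
        print(name, review_domain(cfg))
```
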