Skip to main content

The most recent patch for this version is 1.15.1.  Learn more  

Version: 1.15

Sample domain

This sample (with notes on the content) is intended to give a comprehensive overview of the components of an authorization domain configuration file.

# Identifier for the domain. Since it is printed in the audit log, it is a good practice to keep it unique and update it every time the domain changes.
identity: domain_id

# Metadata for tooling and domain management workflow processes.
metadata:
  status: under development
  createdBy: Bob
  approvedBy: Alice

policy:
  # Identifier for the main policy. Locate it in the XML attributes PolicyId or PolicySetId in one of the policies in the list below.
  mainPolicyId: sample-policy
  # A list of policies and/or policy sets. Policy sets may reference policies and other policy sets in the list.
  xacmlSpecifications:
    - |
      <Policy xmlns='urn:oasis:names:tc:xacml:3.0:core:schema:wd-17' Version='1.0' RuleCombiningAlgId='urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides' PolicyId='sample-policy'>
        <Description>Control access to resources</Description>
        <PolicyDefaults>
          <XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</XPathVersion>
        </PolicyDefaults>
        <Target/>
        <Rule RuleId='sample-rule' Effect='Permit'>
          <Description>Give permit if role is manager</Description>
          <Target>
            <AnyOf>
              <AllOf>
                <Match MatchId='urn:oasis:names:tc:xacml:1.0:function:string-equal'>
                  <AttributeValue DataType='http://www.w3.org/2001/XMLSchema#string'>manager</AttributeValue>
                  <AttributeDesignator Category='urn:oasis:names:tc:xacml:1.0:subject-category:access-subject' AttributeId='com.acme.user.role' MustBePresent='false' DataType='http://www.w3.org/2001/XMLSchema#string'/>
                </Match>
              </AllOf>
            </AnyOf>
          </Target>
        </Rule>
      </Policy>

# A catalog of attributes.
attributes:
  # ALFA identifier for the attribute. Must be unique within the domain.
  role:
    # XACML id / attribute id
    xacmlId: com.acme.user.role
    # Attribute category
    category: AccessSubject
    # Attribute datatype
    datatype: string
    # Attribute issuer
    issuer: Acme Inc.
  resourceId:
    xacmlId: com.acme.user.resourceId
    category: Resource
    datatype: string

# Configuration of attribute connectors.
attributeConnectors:
  employee_database#1:
    className: com.axiomatics.acs.plugin.pips.sql.SqlPipModule # The class name of the attribute connector.
    # Define what attributes this attribute connector is expected to provide. Configuration is optional but must be present for caching.
    provides:
      - role
      - resourceId
    # Configuration of the attribute connector.
    configurationString: |
      <cfg:configuration xmlns:cfg='http://www.axiomatics.com/jdbc.config' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:schemaLocation=''>
        <cfg:connnection>
          <!-- Environment variable substitution with default value. -->
          <cfg:url>${MY_DB_URL:-jdbc:h2:mem:ac1}</cfg:url>
          <cfg:driver>${MY_DB_DRIVER:-org.h2.Driver}</cfg:driver>
        </cfg:connnection>
        <cfg:mapping>
          <cfg:xacmlAttribute AttributeId='com.acme.user.role' Category='urn:oasis:names:tc:xacml:1.0:subject-category:access-subject' DataType='http://www.w3.org/2001/XMLSchema#string' Issuer='Acme Inc.'/>
          <cfg:nativeAttribute>
            <cfg:sqlType>2004</cfg:sqlType>
            <cfg:query>SELECT ROLE FROM EMPLOYEES WHERE EMPLOYEE_ID = ?</cfg:query>
            <cfg:key allowMultiple='false' sqlType='12'>
              <cfg:xacmlAttribute AttributeId='com.acme.user.employeeId' Category='urn:oasis:names:tc:xacml:1.0:subject-category:access-subject' DataType='http://www.w3.org/2001/XMLSchema#string' Issuer=''/>
            </cfg:key>
          </cfg:nativeAttribute>
          <cfg:uId>region_0</cfg:uId>
        </cfg:mapping>
      </cfg:configuration>

# Configuration of attribute cache
attributeCache:
  # ALFA name. Must be present in the attributes section, and must be provided by an attribute connector.
  role:
    # After an attribute has been resolved, keep it in the cache for this long.
    timeToLive: 1 day
    # Limit the cache to this number of values per attribute.
    maxItems: 1000
  resourceId:
    timeToLive: 15 minutes
    maxItems: 1000

# Configuration of evaluation engine.
decisionParameters:
  # The threshold indicates how many individual requests a multiple-decision request should contain before ADS attempts to optimize that specific multiple request.
  partialEvaluationThreshold: 3