Using the domain file
To understand the structure of the domain file and see a detailed analysis of its sections, first read the Authorization domain file analysis section of the Authorization Domain Manager (ADM) documentation.
Validation
On startup, ADS validates the domain configuration file against the requirements and constraints defined for each section. Validation failures trigger error messages and ADS fails to run. More specifically:
| Section | Details |
|---|---|
| Identity | ADS cannot initialize if the identity property is not set. |
| Metadata | ADS ignores the content of this section, validating only its structural integrity. |
| Policy | ADS will not start if the domain configuration file lacks a policy. |
| Attributes | Duplicate attribute identifiers and duplicate XACML quadruples are not allowed. |
| Attribute connectors | Configuration data is passed directly to the connector during initialization. ADS does not verify whether the configurationString value is functional. |
Decision parameters section
Enabling this property means that ADS will attempt to perform multiple-request optimization. In some cases this can improve the performance of ADS. In some special cases it may have a negative impact on performance. The actual improvement depends on several factors, for example, the structure of the request and the structure of the policy.
```yaml
decisionParameters:  ## Marks the start of the Decision Parameters section of the domain configuration file.
  partialEvaluationThreshold: 2
```
Decision Parameters section example
partialEvaluationThreshold:
This property indicates how many individual requests a multiple-decision request should contain before ADS attempts to optimize that specific multiple request. It must adhere to the following constraints:
- The value must be an integer.
- The value must be 2 or higher.
If the threshold value is set too low, it may reduce performance. If the threshold value is set too high, it is less likely that it will be reached. The correct number cannot be determined without testing.
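Because ADS refuses to start on a validation failure, the same constraints can be checked in a deployment pipeline before the file reaches the service. The following is an added example, not vendor code, that lints an already-parsed domain file against the rules in the Validation table and the threshold constraints above. Only `decisionParameters` and `partialEvaluationThreshold` are key names taken from this page; the `identity`, `policy` and `attributes` keys, the map-shaped attributes section and the quadruple field names are assumptions.

```python
# Added example: pre-deployment lint for a parsed domain file (not vendor code).
# Only decisionParameters / partialEvaluationThreshold are key names from the page;
# "identity", "policy", "attributes" and the quadruple field names are assumptions.
QUAD_FIELDS = ("xacmlId", "category", "datatype", "issuer")  # assumed field names


def lint_domain(domain):
    """Return a list of findings; an empty list means every check passed."""
    if not isinstance(domain, dict):
        return ["domain file must parse to a mapping"]
    findings = []
    if not domain.get("identity"):
        findings.append("identity: property is not set")
    if not domain.get("policy"):
        findings.append("policy: domain file lacks a policy")
    # Duplicate XACML quadruples across attribute definitions.
    seen, attrs = {}, domain.get("attributes")
    for attr_id, spec in (attrs.items() if isinstance(attrs, dict) else []):
        quad = tuple(spec.get(f) if isinstance(spec, dict) else None for f in QUAD_FIELDS)
        if quad in seen:
            findings.append(f"attributes: {attr_id} duplicates quadruple of {seen[quad]}")
        else:
            seen[quad] = attr_id
    params = domain.get("decisionParameters")
    if isinstance(params, dict) and "partialEvaluationThreshold" in params:
        t = params["partialEvaluationThreshold"]
        # bool is a subclass of int in Python, so a YAML `true` is rejected explicitly.
        if isinstance(t, bool) or not isinstance(t, int):
            findings.append("partialEvaluationThreshold: value must be an integer")
        elif t < 2:
            findings.append("partialEvaluationThreshold: value must be 2 or higher")
    return findings


# Constructed sample, shaped as a YAML loader would return it; all values are placeholders.
SAMPLE = {
    "identity": "example-domain",
    "policy": {"ref": "placeholder"},
    "attributes": {
        "user.role": {"xacmlId": "role", "category": "subject", "datatype": "string"},
        "subject.role": {"xacmlId": "role", "category": "subject", "datatype": "string"},
    },
    "decisionParameters": {"partialEvaluationThreshold": 1},
}

if __name__ == "__main__":
    for finding in lint_domain(SAMPLE):
        print(finding)
```

Duplicate attribute identifiers are not checked here: under the assumed map layout, a YAML loader typically collapses repeated keys before this function sees them, so that check has to happen while the file is parsed.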
Authorization domain file deployment
After you create an authorization domain configuration file, you must make it available for deployment in Access Decision Service. To do this, set a file retrieval reference to the YAML-format file using the domain property in the deployment configuration file.
See Authorization domain configuration for more information.