Mapping configuration
This is the second part of the configuration, where the attribute-specific configuration is managed.
| Element or attribute | Description | Supported format |
|---|---|---|
| xacmlAttribute | The XACML attribute to be fetched from this attribute source. | A valid XACML-format attribute contains XML attributes for AttributeId, Category, DataType, and Issuer. |
| attributeName | The identifier of the ALFA attribute to be fetched from this attribute source. NOTE: Only available in JSON and YAML configurations. | A valid ALFA attribute name that begins with a letter or underscore and includes only letters, numbers, and underscores. |
| sqlType | The integer value of the SQL datatype used for the attribute or key. | See the "SQL datatypes" table below for a reference listing of the constants and values. |
| query | The SQL query or stored procedure needed to fetch the attribute value from the database. | See the sections on SQL queries and stored procedures below. |
| key | Other XACML attributes and their corresponding column names in the specified table that act as keys to the target attribute. | Any valid JDBC database column name. The exact format may depend on the database used. |
| uId | An identifier used to distinguish otherwise identical mappings for the purpose of caching. | The element is required, but can contain an arbitrary value. |
The attribute allowMultiple is deprecated and does not have any functionality. It remains in the configuration for reasons of compatibility.
This is an extract from the sample XML-format configuration file supplied in the Configuration appendix.
```xml
<cfg:mapping>
  <cfg:xacmlAttribute Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="role" DataType="http://www.w3.org/2001/XMLSchema#string"/>
  <cfg:nativeAttribute outputIndex="0">
    <cfg:sqlType>2004</cfg:sqlType>
    <cfg:query>select employee_role from employee_details where employee_name=?</cfg:query>
    <cfg:key allowMultiple="false" sqlType="12" inputType="IN">
      <cfg:xacmlAttribute Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </cfg:key>
  </cfg:nativeAttribute>
  <cfg:uId>a34a514e-a5d8-4860-9dfd-71af8b7e7998</cfg:uId>
</cfg:mapping>
```
Mapping configuration example in XML format
Several key attributes can be specified for a given target attribute that is to be looked up with a composite key.
The following are extracts from the sample JSON-format configuration files supplied in the Configuration appendix.
```json
"mappings": [
  {
    "xacmlAttribute": {
      "category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
      "attributeId": "role",
      "datatype": "http://www.w3.org/2001/XMLSchema#string",
      "issuer": null
    },
    "nativeAttribute": {
      "outputIndex": 0,
      "sqlType": 2004,
      "query": "select employee_role from employee_details where employee_name=?",
      "keys": [
        {
          "allowMultiple": false,
          "sqlType": 12,
          "inputType": "IN",
          "xacmlAttribute": {
            "category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
            "attributeId": "name",
            "datatype": "http://www.w3.org/2001/XMLSchema#string",
            "issuer": null
          }
        }
      ]
    },
    "uId": "a34a514e-a5d8-4860-9dfd-71af8b7e7998"
  }
]
```
Mapping configuration example in JSON format with XACML attribute mappings
```json
"mappings": [
  {
    "attributeName": "role",
    "nativeAttribute": {
      "outputIndex": 0,
      "sqlType": 2004,
      "query": "select employee_role from employee_details where employee_name=?",
      "keys": [
        {
          "attributeName": "name",
          "allowMultiple": false,
          "sqlType": 12,
          "inputType": "IN"
        }
      ]
    },
    "uId": "a34a514e-a5d8-4860-9dfd-71af8b7e7998"
  }
]
```
Mapping configuration example in JSON format with ALFA attribute names
When using ALFA, you must also include the dictionary (attributes section) in the authorization domain configuration. See the Configuration appendix for details.
The following are extracts from the sample YAML-format configuration files supplied in the Configuration appendix.
```yaml
mappings:
  - xacmlAttribute:
      category: "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
      attributeId: "role"
      datatype: "http://www.w3.org/2001/XMLSchema#string"
      issuer: null
    nativeAttribute:
      outputIndex: 0
      sqlType: 2004
      query: "select employee_role from employee_details where employee_name=?"
      keys:
        - allowMultiple: false
          sqlType: 12
          inputType: "IN"
          xacmlAttribute:
            category: "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            attributeId: "name"
            datatype: "http://www.w3.org/2001/XMLSchema#string"
            issuer: null
    uId: "a34a514e-a5d8-4860-9dfd-71af8b7e7998"
```
Mapping configuration example in YAML format with XACML attribute mappings
```yaml
mappings:
  - attributeName: "role"
    nativeAttribute:
      outputIndex: 0
      sqlType: 2004
      query: "select employee_role from employee_details where employee_name=?"
      keys:
        - attributeName: "name"
          sqlType: 12
          inputType: "IN"
          allowMultiple: false
    uId: "a34a514e-a5d8-4860-9dfd-71af8b7e7998"
```
Mapping configuration example in YAML format with ALFA attribute names
When using ALFA, you must also include the dictionary (attributes section) in the authorization domain configuration. See the Configuration appendix for details.
SQL datatypes
| Constant | Value | Constant | Value | Constant | Value |
|---|---|---|---|---|---|
| ARRAY | 2003 | FLOAT | 6 | REF | 2006 |
| BIGINT | -5 | INTEGER | 4 | REF_CURSOR | 2012 |
| BINARY | -2 | JAVA_OBJECT | 2000 | ROWID | -8 |
| BIT | -7 | LONGNVARCHAR | -4 | SMALLINT | 5 |
| BLOB | 2004 | LONGVARBINARY | -4 | SQLXML | 2009 |
| BOOLEAN | 16 | LONGVARCHAR | -1 | STRUCT | 2002 |
| CHAR | 1 | NCHAR | -15 | TIME | 92 |
| CLOB | 2005 | NCLOB | 2011 | TIME_WITH_TIMEZONE | 2013 |
| DATALINK | 70 | NULL | 0 | TIMESTAMP | 93 |
| DATE | 91 | NUMERIC | 2 | TIMESTAMP_WITH_TIMEZONE | 2014 |
| DECIMAL | 3 | NVARCHAR | -9 | TINYINT | -6 |
| DISTINCT | 2001 | OTHER | 1111 | VARBINARY | -3 |
| DOUBLE | 8 | REAL | 7 | VARCHAR | 12 |
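The following is an added example, not part of the product or its sample files: a pre-deployment check for one ALFA-style JSON mapping that applies the rules in the tables above (required uId, ALFA name format, known sqlType values) and confirms that key values reach the query through `?` placeholders rather than literals. The name `lint_mapping` is hypothetical, and the rule that each key with inputType "IN" binds to exactly one `?` is an assumption; stored procedures are not covered.

```python
import json
import re

# Integer values copied from the "SQL datatypes" table above.
SQL_TYPE_VALUES = {2003, 6, 2006, -5, 4, 2012, -2, 2000, -8, -7, -4, 5, 2004,
                   2009, 16, -1, 2002, 1, -15, 92, 2005, 2011, 2013, 70, 0, 93,
                   91, 2, 2014, 3, -9, -6, 2001, 1111, -3, 8, 7, 12}
# ALFA name rule from the mapping table: letter or underscore first,
# then only letters, numbers and underscores.
ALFA_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")

def lint_mapping(mapping):
    """Return a list of problems found in one ALFA-style mapping (a dict)."""
    problems = []
    native = mapping.get("nativeAttribute", {})
    keys = native.get("keys", [])
    if not mapping.get("uId"):
        problems.append("uId is required")
    for name in [mapping.get("attributeName")] + [k.get("attributeName") for k in keys]:
        if not isinstance(name, str) or not ALFA_NAME.match(name):
            problems.append(f"invalid ALFA attribute name: {name!r}")
    for sql_type in [native.get("sqlType")] + [k.get("sqlType") for k in keys]:
        if sql_type not in SQL_TYPE_VALUES:
            problems.append(f"unknown sqlType: {sql_type!r}")
    # Assumption: each key with inputType "IN" binds to exactly one '?'.
    # Quoted literals are removed first so a '?' inside a string is not counted.
    placeholders = re.sub(r"'[^']*'", "", native.get("query", "")).count("?")
    in_keys = sum(1 for k in keys if k.get("inputType") == "IN")
    if placeholders != in_keys:
        problems.append(f"{placeholders} placeholder(s) for {in_keys} IN key(s)")
    return problems

# The page's ALFA JSON mapping, followed by a constructed faulty variant.
GOOD = json.loads("""{
  "attributeName": "role",
  "nativeAttribute": {"outputIndex": 0, "sqlType": 2004,
    "query": "select employee_role from employee_details where employee_name=?",
    "keys": [{"attributeName": "name", "allowMultiple": false,
              "sqlType": 12, "inputType": "IN"}]},
  "uId": "a34a514e-a5d8-4860-9dfd-71af8b7e7998"}""")
BAD = json.loads("""{
  "attributeName": "user-role",
  "nativeAttribute": {"outputIndex": 0, "sqlType": 9999,
    "query": "select employee_role from employee_details where employee_name='alice?'",
    "keys": [{"attributeName": "name", "sqlType": 12, "inputType": "IN"}]}}""")

if __name__ == "__main__":
    for label, m in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_mapping(m) or "ok")
```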