Mapping configuration
This is the second part of the configuration, where the attribute-specific configuration is managed.
| Element or attribute | Description | Supported format |
|---|---|---|
| xacmlAttribute | The XACML attribute to be fetched from this attribute source. | A valid XACML-format attribute contains XML attributes for AttributeId, Category, DataType, and Issuer. |
| attributeName | The identifier of the ALFA attribute to be fetched from this attribute source. NOTE: Only available in JSON and YAML configurations. | A valid ALFA attribute name that begins with a letter or underscore and includes only letters, numbers, and underscores. |
| tableName | The database table name from which the target XACML attribute value is fetched. | Any valid JDBC database table specification. The exact format depends on the database used. |
| columnName | The column name of the specified table from which the target XACML attribute value is fetched. | Any valid JDBC database column name. The exact format may depend on the database used. |
| key | Other XACML attributes and their corresponding column names in the specified table that act as keys to the target attribute. | A valid XACML-format attribute contains XML attributes for AttributeId, Category, DataType, and Issuer. |
| uId | An identifier used to distinguish otherwise identical mappings for the purpose of caching. | The element is required, but can contain an arbitrary value. |
| isSingleValued | This indicates whether or not a lookup of the target attribute is expected to lead to one or several values as a result. This information does not affect the way the attribute connector retrieves attributes. It is only used in the context of supporting other capabilities of an attribute connector host. | |
The attribute allowMultiple is deprecated and does not have any functionality. It remains in the configuration for reasons of compatibility.
The Table Attribute Connector ignores mappings with no keys. This is not consistent with general attribute connector behavior. Mappings with no keys are only used in the context of other tools.
This is an extract from the sample XML-format configuration file supplied in the Configuration appendix.
```xml
<mapping isSingleValued="false">
    <xacmlAttribute Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="role" DataType="http://www.w3.org/2001/XMLSchema#string"/>
    <tableName>employee_details</tableName>
    <columnName>employee_role</columnName>
    <key allowMultiple="false">
        <xacmlAttribute Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="name" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <columnName>employee_name</columnName>
    </key>
    <uId>aa34ffde-45ae-47fc-8893-f8bc60c2f28f</uId>
</mapping>
```
Mapping configuration example in XML format
Several key attributes can be specified for a given target attribute that is to be looked up with a composite key.
The following are extracts from the sample JSON-format configuration files supplied in the Configuration appendix.
```json
{
  "mappings": [
    {
      "isSingleValued": false,
      "xacmlAttribute": {
        "category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
        "attributeId": "role",
        "datatype": "http://www.w3.org/2001/XMLSchema#string",
        "issuer": null
      },
      "tableName": "employee_details",
      "columnName": "employee_role",
      "keys": [
        {
          "xacmlAttribute": {
            "category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
            "attributeId": "name",
            "datatype": "http://www.w3.org/2001/XMLSchema#string",
            "issuer": null
          },
          "columnName": "employee_name",
          "allowMultiple": false
        }
      ],
      "uId": "aa34ffde-45ae-47fc-8893-f8bc60c2f28f"
    }
  ]
}
```
Mapping configuration example in JSON format with XACML attribute mappings
```json
{
  "mappings": [
    {
      "attributeName": "role",
      "isSingleValued": false,
      "tableName": "employee_details",
      "columnName": "employee_role",
      "keys": [
        {
          "attributeName": "name",
          "columnName": "employee_name",
          "allowMultiple": false
        }
      ],
      "uId": "aa34ffde-45ae-47fc-8893-f8bc60c2f28f"
    }
  ]
}
```
Mapping configuration example in JSON format with ALFA attribute names
When using ALFA, you must also include the dictionary (attributes section) in the authorization domain configuration. See the Configuration appendix for details.
The following are extracts from the sample YAML-format configuration files supplied in the Configuration appendix.
```yaml
mappings:
  - xacmlAttribute:
      category: "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
      attributeId: "role"
      datatype: "http://www.w3.org/2001/XMLSchema#string"
      issuer: null
    tableName: "employee_details"
    columnName: "employee_role"
    isSingleValued: false
    keys:
      - xacmlAttribute:
          category: "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
          attributeId: "name"
          datatype: "http://www.w3.org/2001/XMLSchema#string"
          issuer: null
        columnName: "employee_name"
        allowMultiple: false
    uId: "aa34ffde-45ae-47fc-8893-f8bc60c2f28f"
```
Mapping configuration example in YAML format with XACML attribute mappings
```yaml
mappings:
  - attributeName: "role"
    isSingleValued: false
    tableName: "employee_details"
    columnName: "employee_role"
    keys:
      - attributeName: "name"
        columnName: "employee_name"
        allowMultiple: false
    uId: "aa34ffde-45ae-47fc-8893-f8bc60c2f28f"
```
Mapping configuration example in YAML format with ALFA attribute names
When using ALFA, you must also include the dictionary (attributes section) in the authorization domain configuration. See the Configuration appendix for details.
The isSingleValued element should be set to true if this attribute mapping is guaranteed to return only a single value, as opposed to a set of values. This setting is only important if the Table Attribute Connector is to be used as a Target Connector in a host that supports the ARQ SQL capability since it allows the ARQ SQL engine to make optimizations accordingly.
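The rules stated in this section can be checked before a configuration is deployed. The following linter is an added example, not part of the product or its documentation; it reads a JSON mapping configuration and reports invalid ALFA attribute names, missing required fields, mappings without keys, and reused uId values. The function name, the sample input and the treatment of a reused uId as a finding are assumptions made for this example.

```python
import json
import re

# ALFA attribute names: start with a letter or underscore, then letters,
# numbers and underscores only (the rule given in the table above).
ALFA_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")


def lint_mappings(config_text):
    """Return (mapping_index, message) findings for a JSON mapping configuration."""
    findings, seen_uids = [], {}
    for i, m in enumerate(json.loads(config_text).get("mappings", [])):
        keys = m.get("keys") or []
        for entry in [m, *keys]:
            name = entry.get("attributeName")
            if name is not None and not ALFA_NAME.match(str(name)):
                findings.append((i, f"invalid ALFA attribute name {name!r}"))
        for field in ("tableName", "columnName", "uId"):
            if field not in m:
                findings.append((i, f"missing {field}"))
        if not keys:
            findings.append((i, "no keys: ignored by the Table Attribute Connector"))
        uid = m.get("uId")
        if uid in seen_uids:
            # Assumption: a reused uId cannot tell two mappings apart for caching.
            findings.append((i, f"uId already used by mapping {seen_uids[uid]}"))
        elif uid:
            seen_uids[uid] = i
    return findings


# Constructed sample: mapping 0 mirrors the ALFA example above,
# mapping 1 is broken on purpose.
SAMPLE = """
{"mappings": [
  {"attributeName": "role", "isSingleValued": false,
   "tableName": "employee_details", "columnName": "employee_role",
   "keys": [{"attributeName": "name", "columnName": "employee_name"}],
   "uId": "aa34ffde-45ae-47fc-8893-f8bc60c2f28f"},
  {"attributeName": "9role", "tableName": "employee_details",
   "columnName": "employee_role", "keys": [],
   "uId": "aa34ffde-45ae-47fc-8893-f8bc60c2f28f"}
]}
"""

if __name__ == "__main__":
    for index, message in lint_mappings(SAMPLE):
        print(f"mapping {index}: {message}")
```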
Key attribute
An attribute passed to the Table Attribute Finder at runtime as a key to look up another attribute can contain no key value (an empty set), a single key value, or multiple key values. In cases where:
- No key value is given - the Attribute Finder will return an empty set
- A single key value is given - the Attribute Finder runs the query and returns the retrieved data
- Multiple key values are given - the Attribute Finder runs a single query where all the values of the key attributes are used
XACML to SQL mappings and conversions
The Table Attribute Connector performs the following XACML to SQL mappings and conversions:
- Attributes of data type Integer are not converted
- Attributes of other data types are converted to String
- The final attribute values (Integer or String) are included in the IN clause of a parameterized select query

The parameterized query is assigned to a prepared_query variable which is created by the Prepared Statement class.
For the Integer case:
```sql
SELECT column_name FROM table WHERE key_attribute_column IN (1)
```
For all other cases:
```sql
SELECT column_name FROM table WHERE key_attribute_column IN ('12.4')
```
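The key handling and the conversion rules above, combined in one lookup routine. This is an added illustration in Python with an in-memory SQLite database, not the connector's own code; the function names, the sample rows, the employee_id column and the identifier check are assumptions made for this example.

```python
import re
import sqlite3

XSD_INTEGER = "http://www.w3.org/2001/XMLSchema#integer"
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")  # assumption: plain names only


def to_sql_value(value, datatype):
    """Integer attributes stay integers; every other data type is bound as a string."""
    return int(value) if datatype == XSD_INTEGER else str(value)


def lookup(conn, table, column, key_column, key_values, datatype):
    """Fetch `column` for the rows whose `key_column` matches any of the key values."""
    if not key_values:
        return []  # no key value: return the empty set without querying
    for name in (table, column, key_column):
        # Identifiers come from the mapping configuration and cannot be bound
        # as parameters, so they are checked before being placed in the SQL text.
        if not IDENTIFIER.match(name):
            raise ValueError(f"unsafe identifier in mapping: {name!r}")
    params = [to_sql_value(v, datatype) for v in key_values]
    placeholders = ", ".join("?" for _ in params)
    # One query for all key values; the values travel as bound parameters.
    sql = f"SELECT {column} FROM {table} WHERE {key_column} IN ({placeholders})"
    return [row[0] for row in conn.execute(sql, params)]


def sample_db():
    """Constructed sample data matching the employee_details mapping above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee_details "
                 "(employee_id INTEGER, employee_name TEXT, employee_role TEXT)")
    conn.executemany("INSERT INTO employee_details VALUES (?, ?, ?)",
                     [(1, "alice", "manager"), (1, "alice", "auditor"), (2, "bob", "clerk")])
    return conn


if __name__ == "__main__":
    XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"
    db = sample_db()
    args = (db, "employee_details", "employee_role", "employee_name")
    print(lookup(*args, [], XSD_STRING))                # empty key set
    print(lookup(*args, ["alice"], XSD_STRING))         # single key value
    print(lookup(*args, ["alice", "bob"], XSD_STRING))  # several values, one query
    print(lookup(*args, ["x' OR '1'='1"], XSD_STRING))  # quote characters stay data
```

Because the key values are bound rather than concatenated, a value containing quote characters is compared as a literal string and matches no row.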