Skip to main content
Version: 1.0

User authorization

ADM has an internal Policy Decision Point (PDP) that is used for the authorization decisions for all the API calls to ADM. The internal PDP is configured with the authorization domain referred to by the "system" name, which is automatically created when the database is initialized. The "system" domain is under the namespace "system".

If the authorization domain referred to by the "system" name is missing or invalid, ADM will not start.

The "system" authorization domain

The "system" authorization domain can be retrieved and stored in the same manner as any other stored domain, and it can be updated.

If the authorization domain referred to by the "system" name is updated during runtime, the internal PDP is not reconfigured dynamically. A restart of ADM is required for the updated authorization domain configuration to be applied.

At restart, the updated domain is subject to the regular validations, and ADM will fail to start if the domain has become invalid.

Structure of the "system" authorization domain

The "system" domain should follow a simple, basic structure.

identity: 28bd13d6-9fd6-480e-9881-811ffea146e3
policy:
  mainPolicyId: permit_all
  xacmlSpecifications:
    - |
      <xacml3:Policy PolicyId="permit_all" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
        <xacml3:Description>Permit all</xacml3:Description>
        <xacml3:PolicyDefaults><xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion></xacml3:PolicyDefaults>
        <xacml3:Target/>
        <xacml3:Rule RuleId="permit" Effect="Permit">
          <xacml3:Description>Permit</xacml3:Description>
          <xacml3:Target/>
        </xacml3:Rule>
      </xacml3:Policy>

Default "system" authorization domain

Restrictions regarding the "system" authorization domain

Certain restrictions apply to the "system" authorization domain compared to other domains:

  • attribute connectors are not supported

Initializing the "system" authorization domain

If you want to update the "system" authorization domain, you use the initialize command to execute the update. This command can also be used to get back to a working state if the "system" authorization domain for some reason is missing or has become invalid, either via a default simple "permit-all" policy or a previous version you know is valid.

The command initialize requires that either the --file or the --permit-all option is provided at runtime; both cannot be used at the same time.

  • --file <path/to/>domain.yaml will initialize the "system" authorization domain with the provided domain file, and in doing so replace any existing "system" domain

  • --permit-all will store a permit-all "system" domain, and in doing so replace any existing "system" domain

The initialize command starts ADM, updates the policy according to the option(s) set and then exits.

permit-all

java -cp authorization-domain-manager-<version>.jar;JDBC.jar com.axiomatics.domainmanager.App initialize --permit-all <path/to/>deployment.yaml

file

java -cp authorization-domain-manager-<version>.jar;JDBC.jar com.axiomatics.domainmanager.App initialize --file <path/to/>domain.yaml <path/to/>deployment.yaml

See the appendix Initialization for an example of a permit_all.yaml policy file.