Version: 1.3

Sample domain

This annotated sample domain file walks through each section of an authorization domain configuration — the domain identity and metadata, the XACML policy, the attribute catalog, the attribute connectors, the attribute cache and the evaluation parameters — so you can see what each part is for and how the parts refer to one another.

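# Identifier for the domain. It is printed in the audit log, so keep it unique
# and change it every time the domain content changes; otherwise decisions
# logged under the same identity cannot be tied back to the exact policy
# version that produced them.
identity: domain_id

# Metadata for tooling and domain-management workflow processes.
metadata:
  status: under development
  createdBy: Bob
  approvedBy: Alice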

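policy:
  # Identifier of the main policy. It must equal the PolicyId or PolicySetId
  # XML attribute of one of the entries in xacmlSpecifications below.
  mainPolicyId: sample-policy
  # A list of policies and/or policy sets. Policy sets may reference policies
  # and other policy sets in the list.
  #
  # Reading the sample policy:
  # - The empty <Target/> makes the policy applicable to every request; the
  #   outcome is decided solely by its rules.
  # - There is a single Permit rule and no Deny rule. A request whose role is
  #   not "manager", or that carries no role attribute at all (the designator
  #   has MustBePresent='false', so a missing attribute is simply "no match"),
  #   yields NotApplicable rather than Deny. The enforcement point must treat
  #   NotApplicable as a denial, or this policy grants nothing and denies
  #   nothing explicitly.
  # - NOTE(review): the rule designates AttributeId 'com.acme.user.role',
  #   while the attributes catalog below registers xacmlId 'user.role'.
  #   Confirm which identifier the connector actually supplies; if they do not
  #   match, the role is never found and the rule never permits.
  xacmlSpecifications:
    - |
      <Policy xmlns='urn:oasis:names:tc:xacml:3.0:core:schema:wd-17' Version='1.0' RuleCombiningAlgId='urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides' PolicyId='sample-policy'>
        <Description>Control access to resources</Description>
        <PolicyDefaults>
          <XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</XPathVersion>
        </PolicyDefaults>
        <Target/>
        <Rule RuleId='sample-rule' Effect='Permit'>
          <Description>Give permit if role is manager</Description>
          <Target>
            <AnyOf>
              <AllOf>
                <Match MatchId='urn:oasis:names:tc:xacml:1.0:function:string-equal'>
                  <AttributeValue DataType='http://www.w3.org/2001/XMLSchema#string'>manager</AttributeValue>
                  <AttributeDesignator Category='urn:oasis:names:tc:xacml:1.0:subject-category:access-subject' AttributeId='com.acme.user.role' MustBePresent='false' DataType='http://www.w3.org/2001/XMLSchema#string'/>
                </Match>
              </AllOf>
            </AnyOf>
          </Target>
        </Rule>
      </Policy>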

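# A catalog of attributes.
#
# NOTE(review): the attribute cache and the connector's providedAttributes
# refer to attributes as 'role', 'resourceId' and 'employeeId', whereas the
# keys registered here are 'user.role', 'user.resourceId' and
# 'user.employeeId'. The cache requires its names to be present in this
# section, so confirm which form the product expects and use it consistently.
attributes:
  # ALFA identifier for the attribute. Must be unique within the domain.
  user.role:
    # XACML id / attribute id: the AttributeId value that AttributeDesignator
    # elements in the policy look up.
    xacmlId: user.role
    # Attribute category
    category: AccessSubject
    # Attribute datatype
    datatype: string
    # Attribute issuer
    issuer: Acme Inc.
  user.resourceId:
    xacmlId: user.resourceId
    category: Resource
    datatype: string
  user.employeeId:
    xacmlId: user.employeeId
    category: AccessSubject
    datatype: string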

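# Configuration of attribute connectors.
attributeConnectors:
  employee_database#1:
    # The class name of the attribute connector.
    className: com.axiomatics.acs.plugin.pips.sql.SqlPipModule
    # Attributes this connector is expected to provide. Optional, but it must
    # be present for caching to work. You can use "provides" and
    # "providedAttribute" interchangeably.
    # NOTE(review): resourceId is declared here, but the mapping below only
    # defines a query for 'role'. Either add a mapping for resourceId or drop
    # it from this list.
    providedAttributes:
      - role
      - resourceId
    # Configuration of the attribute connector. For JSON/YAML configs you can
    # use "configurationString" and "configuration" interchangeably, written
    # WITHOUT the "|" block indicator (the JSON object is embedded as a YAML
    # flow mapping).
    #
    # Security notes:
    # - The connection settings use ${VAR:-default} substitution, so the real
    #   URL, driver and any credentials come from the environment and never
    #   need to be written into this file, which is committed and audited.
    #   The h2 in-memory default is for samples and tests only.
    # - The query takes its key through a '?' placeholder bound from the
    #   employeeId attribute. Keep it parameterised; never build the query
    #   text by splicing attribute values in.
    # - allowMultiple=false presumably means a multi-valued employeeId is
    #   rejected rather than queried once per value - confirm against the
    #   connector documentation.
    # - NOTE(review): the sqlType codes look like java.sql.Types values
    #   (12 = VARCHAR); confirm 2004 is the intended type for the ROLE column.
    configuration:
      {
        "connection": {
          "url": "${MY_DB_URL:-jdbc:h2:mem:ac1}",
          "driver": "${MY_DB_DRIVER:-org.h2.Driver}"
        },
        "mapping": [
          {
            "attributeName": "role",
            "nativeAttribute": {
              "sqlType": "2004",
              "query": "SELECT ROLE FROM EMPLOYEES WHERE EMPLOYEE_ID = ?",
              "keys": [{
                "sqlType": "12",
                "attributeName": "employeeId",
                "allowMultiple": false
              }]
            },
            "uId": "region_0"
          }]
      }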

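# Configuration of the attribute cache.
attributeCache:
  # Keyed by ALFA attribute name. The name must be present in the attributes
  # section and the attribute must be provided by an attribute connector.
  # NOTE(review): the attributes section registers 'user.role', not 'role';
  # confirm the expected naming so this entry actually binds.
  role:
    # After an attribute has been resolved, keep it in the cache for this long.
    # Security caveat: a cached value is served without re-querying the
    # connector, so a role change or revocation in the employee database is
    # not enforced until the entry expires - up to a full day with this
    # setting. Size the TTL to the revocation delay you can tolerate.
    timeToLive: 1 day
    # Limit the cache to this number of values per attribute.
    maxItems: 1000
  resourceId:
    timeToLive: 15 minutes
    maxItems: 1000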

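# Configuration of the evaluation engine.
decisionParameters:
  # Minimum number of individual requests a multiple-decision request must
  # contain before ADS attempts to optimise that multiple request.
  partialEvaluationThreshold: 3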