The authorization domain
Authorization domains are central to Axiomatics' methodology for defining authorization policies. Essentially, they are logical containers used to organize and manage all the components necessary to evaluate access requests and return appropriate authorization responses.
A domain groups the following data:
- Policies: The set of rules that define access logic (who can do what under which conditions).
- Attributes: The vocabulary of the authorization system (user roles, resource sensitivity, action IDs, etc.).
- Attribute connectors: The components that link to external data sources, such as a database or LDAP directory, to dynamically fetch the real-time values needed to evaluate and resolve access requests.
- Attribute cache: A cache used to store attribute values retrieved from attribute connectors, aiming to enhance performance.
- Partial evaluation threshold: An indicator specifying the minimum number of individual requests a multiple-decision request must contain before the authorization engine attempts to optimize it.
Bundled together, these items form an aggregate of domain data, which is then used to evaluate access requests and produce "permit" or "deny" responses.
Authorization domain file
The data of the authorization domain is stored in an authorization domain configuration file. This file contains a collection of policies and settings, including attribute connectors and cache configurations. To learn more about this file and its various sections, read the Authorization domain file analysis section.