User authorization
ADM has an internal Policy Decision Point (PDP) that is used for the authorization decisions for all the API calls to ADM. The internal PDP is configured with the authorization domain referred to by the system name, which is automatically created when the database is initialized. The system domain is under the namespace system.
If the authorization domain referred to by the system name is missing or invalid, ADM will not start.
The system authorization domain
The system authorization domain can be retrieved and stored in the same manner as any other stored domain, and it can be updated.
If the system authorization domain is updated during runtime, the internal PDP is not reconfigured dynamically. A restart of ADM is required for the updated authorization domain configuration to be applied.
At restart, the updated domain is subject to the regular validations, and ADM will fail to start if the domain has become invalid.
Structure of the system authorization domain
The system domain should follow a simple, basic structure.
identity: 28bd13d6-9fd6-480e-9881-811ffea146e3
policy:
mainPolicyId: permit_all
xacmlSpecifications:
- |
<xacml3:Policy PolicyId="permit_all" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<xacml3:Description>Permit all</xacml3:Description>
<xacml3:PolicyDefaults><xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion></xacml3:PolicyDefaults>
<xacml3:Target/>
<xacml3:Rule RuleId="permit" Effect="Permit">
<xacml3:Description>Permit</xacml3:Description>
<xacml3:Target/>
</xacml3:Rule>
</xacml3:Policy>
Default system authorization domain
Attributes for the system policy
The following table shows the attributes that may be used to define the system policy, which is defined in the policy section of the “system” domain.
All attributes of the table have the same Datatype, http://www.w3.org/2001/XMLSchema#string.
| Category | Attribute ID (<namespace>.<attribute_name>) | Description |
|---|---|---|
| action | Adm.Api.Action.accessType | This attribute provides an action (on a resource). Each one of them corresponds to one operation of ADM (REST API). Supported actions are: copy -> Copy name deleteName -> Delete name deleteNamespace -> Delete namespace retrieveById -> Retrieve domain by id retrieveByName -> Retrieve domain by name retrieveDomainNames -> Retrieve domain names retrieveHistory -> Retrieve domain name history rollback -> Roll back a domain name change store -> Store domain See also Endpoint addresses for operation. |
| subject | Adm.Api.Subject.userId | This attribute provides the user ID that the end user uses to authenticate with the application. |
| resource | Adm.Api.Resource.resourceNamespace | This attribute provides the namespace under which the accessed domain is. |
| resource | Adm.Api.Resource.domainId | This attribute provides the ID of the accessed domain. |
| resource | Adm.Api.Resource.sourceDomainName | This attribute provides the name of the accessed domain. In the case of the COPY endpoint, it specifically refers to the source domain. |
| resource | Adm.Api.Resource.destinationDomainName | This attribute also provides the 'name' of the accessed domain, and is used only in the case of the COPY endpoint, where it refers to the destination domain. |
Restrictions regarding the system authorization domain
Certain restrictions apply to the system authorization domain compared to other domains:
- attribute connectors are not supported
Initializing the system authorization domain
If you want to update the system authorization domain, you use the initialize command to execute the update. This command can also be used to get back to a working state if the system authorization domain for some reason is missing or has become invalid, either via a default simple "permit-all" policy or a previous version you know is valid.
The command initialize requires that either the --file or the --permit-all option is provided at runtime; both cannot be used at the same time.
--file <path_to_file>/domain.yamlwill initialize the system authorization domain with the provided domain file, and in doing so replace any existing system domain--permit-allwill store a permit-all system domain, and in doing so replace any existing system domain
The initialize command starts ADM, updates the policy according to the option(s) set and then exits.
permit-all
java -cp authorization-domain-manager-1.1.4.jar;JDBC.jar com.axiomatics.domainmanager.App initialize --permit-all <path_to_file>/deployment.yaml
file
java -cp authorization-domain-manager-1.1.4.jar;JDBC.jar com.axiomatics.domainmanager.App initialize --file <path_to_file>/domain.yaml <path_to_file>/deployment.yaml
See the additional resources section Initialization for an example of a permit_all.yaml policy file.