Version: 1.1

Authorization Domain layout

The src/authorizationDomain directory represents an authorization domain, mirroring the structure of the single-file YAML domain representation used by ADS.

Each section (metadata, attributes, and attributeCache) corresponds to a YAML file with the same name. For example, identity.yaml. The policy field corresponds to the alfaSpecifications folder and the attributeConnectors field corresponds to the attributeConnectors folder.

To exclude a field from the domain, omit the corresponding file or folder.

Important

An empty file will generate a section with the YAML value null, which is invalid for all sections.

  • metadata.yaml

    Defines the value of the metadata field in the single-file domain representation. For example:

    metadata.yaml
    status: under development
    createdBy: Bob
    approvedBy: Alice

    note

    If applicable, the Git commit ID, message, and author will be automatically added to the metadata.

  • alfaSpecifications/

    This directory corresponds to the policy field in the single-file domain representation. All files within this directory are processed as ALFA policies.

  • attributes.yaml

    Defines the value of the attributes field in the single-file domain representation. For example:

    attributes.yaml
    acme.role:
      xacmlId: acme.role
      category: AccessSubject
      datatype: string
    acme.resource.identity:
      xacmlId: acme.resource.identity
      category: Resource
      datatype: string

  • attributeConnectors/connector_1.yaml

    Defines the settings for the attribute connector identified as connector_1. All configuration settings can be included in this file. For example:

    connector_1.yaml
    className: com.axiomatics.acs.plugin.pips.sql.SqlPipModule
    provides:
      - role
      - resourceId
    configurationString: |
      <cfg:configuration xmlns:cfg='http://www.axiomatics.com/jdbc.config' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:schemaLocation=''>
        <cfg:connection>
          <!-- Environment variable substitution with default value. -->
          <cfg:url>${MY_DB_URL:-jdbc:h2:mem:ac1}</cfg:url>
          <cfg:driver>${MY_DB_DRIVER:-org.h2.Driver}</cfg:driver>
        </cfg:connection>
        <cfg:mapping>
          <cfg:xacmlAttribute AttributeId='com.acme.user.role' Category='urn:oasis:names:tc:xacml:1.0:subject-category:access-subject' DataType='http://www.w3.org/2001/XMLSchema#string'/>
          <cfg:nativeAttribute>
            <cfg:sqlType>2004</cfg:sqlType>
            <cfg:query>SELECT ROLE FROM EMPLOYEES WHERE EMPLOYEE_ID = ?</cfg:query>
            <cfg:key allowMultiple='false' sqlType='12'>
              <cfg:xacmlAttribute AttributeId='com.acme.user.employeeId' Category='urn:oasis:names:tc:xacml:1.0:subject-category:access-subject' DataType='http://www.w3.org/2001/XMLSchema#string'/>
            </cfg:key>
          </cfg:nativeAttribute>
          <cfg:uId>region_0</cfg:uId>
        </cfg:mapping>
      </cfg:configuration>

    Alternatively, you can define the configurationString value in a separate file (see below) if it is large or complex.

  • attributeConnectors/connector_2.yaml

    If this file omits the configurationString field, its value is read from a file named connector_2.configurationString.* (see below). This additional file is optional, but it's an error if multiple files match the pattern.

  • attributeConnectors/connector_2.configurationString.xml

    The file extension is ignored, so use any extension that's convenient for editing.

    note

    This file is ignored if there is no corresponding connector_2.yaml file or if connector_2.yaml already includes a configurationString field.

  • attributeCache.yaml

    Defines the value of the attributeCache field in the single-file domain representation. For example:

    attributeCache.yaml
    acme.role:
      timeToLive: 1 day
      maxItems: 1000
    acme.resource.identity:
      timeToLive: 15 minutes
      maxItems: 1000

  • decisionParameters.yaml

    Defines the value of the decisionParameters field in the single-file domain representation. For example:

    decisionParameters.yaml
    partialEvaluationThreshold: 3
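To make the layout rules above concrete, the following is an added example, not code from the ADS product or its documentation: a small checker that walks such a directory and assembles the single-file fields, applying the rules stated in this page (omitted file excludes the field, empty file is rejected because it would become null, every file under alfaSpecifications is a policy, a connector without an inline configurationString reads its sidecar file, several sidecars are an error, and a sidecar with no matching connector YAML is ignored). The function names `assemble_domain`, `load_connector` and `build_sample_domain` are hypothetical, the sample files are constructed, and section files are kept as raw text rather than parsed as YAML.

```python
from pathlib import Path
import tempfile

SECTION_FILES = ("metadata", "attributes", "attributeCache", "decisionParameters")  # one file per section

def assemble_domain(root):
    """Return (fields, errors): single-file fields as raw YAML text, plus layout rule violations."""
    root, domain, errors = Path(root), {}, []
    for name in SECTION_FILES:
        f = root / f"{name}.yaml"  # an omitted file simply excludes the field from the domain
        if f.exists() and not f.read_text().strip():  # empty file -> YAML null, invalid for every section
            errors.append(f"{f.name}: empty file would produce null")
        elif f.exists():
            domain[name] = f.read_text()
    alfa = root / "alfaSpecifications"
    if alfa.is_dir():  # the folder is the policy field; every file in it is an ALFA policy
        domain["policy"] = {p.name: p.read_text() for p in sorted(alfa.iterdir()) if p.is_file()}
    conn = root / "attributeConnectors"
    if conn.is_dir():  # a sidecar may use any extension, so *.configurationString.yaml is not a connector
        domain["attributeConnectors"] = {p.stem: load_connector(conn, p, errors)
            for p in sorted(conn.glob("*.yaml")) if ".configurationString." not in p.name}
    return domain, errors

def load_connector(conn_dir, yaml_path, errors):
    text = yaml_path.read_text()
    # Assumption: a line-start key check stands in for real YAML parsing of the connector file.
    if any(line.startswith("configurationString:") for line in text.splitlines()):
        return {"yaml": text, "sidecar": None}  # inline value present: any sidecar file is ignored
    sidecars = list(conn_dir.glob(f"{yaml_path.stem}.configurationString.*"))
    if len(sidecars) > 1:  # the sidecar is optional, but more than one match is an error
        errors.append(f"{yaml_path.stem}: {len(sidecars)} configurationString files match")
        return {"yaml": text, "sidecar": None}
    return {"yaml": text, "sidecar": sidecars[0].read_text() if sidecars else None}

def build_sample_domain():
    """Constructed layout (not from the page) exercising each rule; returns (fields, errors)."""
    root = Path(tempfile.mkdtemp())
    (root / "metadata.yaml").write_text("status: under development\ncreatedBy: Bob\n")
    (root / "decisionParameters.yaml").write_text("")  # invalid: would become null
    (root / "alfaSpecifications").mkdir()
    (root / "alfaSpecifications" / "main.alfa").write_text("namespace acme { }\n")
    (conn := root / "attributeConnectors").mkdir()
    (conn / "connector_1.yaml").write_text("className: Pip\nconfigurationString: |\n  <cfg/>\n")
    (conn / "connector_2.yaml").write_text("className: Pip\n")
    (conn / "connector_2.configurationString.xml").write_text("<cfg:configuration/>\n")
    (conn / "connector_3.yaml").write_text("className: Pip\n")
    (conn / "connector_3.configurationString.xml").write_text("a\n")
    (conn / "connector_3.configurationString.txt").write_text("b\n")  # ambiguous: two sidecars
    (conn / "connector_4.configurationString.yaml").write_text("orphan\n")  # no connector_4.yaml
    return assemble_domain(root)
```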