Version: 1.1

Create the attribute connectors

Attribute connectors link the Policy Decision Point (PDP) to external Policy Information Points (PIPs). They enable the PDP to dynamically retrieve external information, such as a user's role based on their identity, by calling your business services at runtime. Retrieved attribute values can also be cached for improved performance.

An attribute connector consists of two files:

  • a deployment descriptor
  • a configuration file

Follow the steps below to create and configure an attribute connector for retrieving external data in your authorization domain:

  1. In the authorizationDomain/attributeConnectors directory, create a new attribute connector deployment descriptor file.

  2. Specify the connector's class name and the attribute(s) it provides.

    myConnector.yaml
    className: <classname>
    provides:
    - user.role
    - user.location

    The table below lists the available built-in attribute connectors. If you have developed a custom connector, specify its class name.

    Attribute connector     Class name
    LDAP                    com.axiomatics.acs.plugin.pips.ldap.LdapPipModule
    SQL                     com.axiomatics.acs.plugin.pips.sql.SqlPipModule
    Table                   com.axiomatics.acs.plugin.pips.table.TablePipModule
    HTTP                    com.axiomatics.attributeconnector.http.ConnectorModule
    JSON Parser             com.axiomatics.attributeconnector.parser.json.ConnectorModule
    JWT Parser              com.axiomatics.attributeconnector.parser.jwt.ConnectorModule
    XML Parser              com.axiomatics.attributeconnector.parser.xml.ConnectorModule
    HTTP (old version)      com.axiomatics.pip.http.HttpPIP (deprecated)
    Parser (old version)    com.axiomatics.pip.parser.ParserPIP (deprecated)

    Tip: A common scenario is retrieving attribute values from a remote REST/JSON API. In this case, you will need an HTTP attribute connector linked to a JSON parser attribute connector.

  3. Create the configuration file following the instructions in the Attribute connectors documentation.

  4. Name the configuration file after the deployment file by appending .configurationString to its name.

    For example, if your deployment file is named myConnector.yaml, the configuration file should be named myConnector.configurationString.yaml.

    Note: The file extension can indicate the configuration format the connector supports.

Tip: You can use environment variables in all attribute connector configurations. See Variable substitution for details.
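
A consistency check for the steps above, added here as an example (it is not Axiomatics code): it reads each deployment descriptor in a connectors directory, flags deprecated or non-built-in class names against the table, and checks that a matching .configurationString file exists. The small parser handles only the two-key descriptor shape shown on this page, and the file names and contents in demo() are constructed.

```python
import re
import tempfile
from pathlib import Path

BUILT_IN = {  # class names copied from the table on this page
    "com.axiomatics.acs.plugin.pips.ldap.LdapPipModule",
    "com.axiomatics.acs.plugin.pips.sql.SqlPipModule",
    "com.axiomatics.acs.plugin.pips.table.TablePipModule",
    "com.axiomatics.attributeconnector.http.ConnectorModule",
    "com.axiomatics.attributeconnector.parser.json.ConnectorModule",
    "com.axiomatics.attributeconnector.parser.jwt.ConnectorModule",
    "com.axiomatics.attributeconnector.parser.xml.ConnectorModule",
}
DEPRECATED = {"com.axiomatics.pip.http.HttpPIP", "com.axiomatics.pip.parser.ParserPIP"}

def parse_descriptor(text):
    """Read only the two keys the page shows: className and provides."""
    name = re.search(r"^className:[ \t]*(\S+)", text, re.M)
    block = re.search(r"^provides:[ \t]*\n((?:[ \t]*-[ \t]*\S+[ \t]*\n?)+)", text, re.M)
    provides = re.findall(r"^[ \t]*-[ \t]*(\S+)", block.group(1), re.M) if block else []
    return (name.group(1) if name else None), provides

def lint_connectors(directory):
    """Return (descriptor file, finding) tuples for one connectors directory."""
    directory, findings = Path(directory), []
    for path in sorted(directory.glob("*.yaml")):
        if ".configurationString." in path.name:
            continue  # a configuration file, not a deployment descriptor
        class_name, provides = parse_descriptor(path.read_text())
        if class_name in DEPRECATED:
            findings.append((path.name, "deprecated connector class"))
        elif class_name not in BUILT_IN:  # None here means className is missing
            findings.append((path.name, f"not a built-in class: {class_name}"))
        if not provides:
            findings.append((path.name, "provides no attributes"))
        if not list(directory.glob(path.stem + ".configurationString.*")):  # any extension
            findings.append((path.name, "no configurationString file"))
    return findings

def demo():
    """Lint a constructed sample directory; all file names are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "roles.yaml").write_text("className: com.axiomatics.acs.plugin.pips.sql.SqlPipModule\nprovides:\n- user.role\n")
        (d / "roles.configurationString.yaml").write_text("# constructed\n")
        (d / "legacy.yaml").write_text("className: com.axiomatics.pip.http.HttpPIP\nprovides:\n- user.location\n")
        return lint_connectors(d)

if __name__ == "__main__":
    print(demo())
```

A "not a built-in class" finding is expected for custom connectors; it is a prompt to confirm the class name, not an error.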

Attribute cache

To improve performance, attribute values retrieved from attribute connectors can be stored in a cache. The configuration is stored in src/authorizationDomain/attributeCache.yaml. For more information, see the Attribute cache section of the Access Decision Service (ADS) documentation.