The most recent patch for this version is 26.1.2.

Version: 26.1

Create the attribute connectors

Attribute connectors link the Policy Decision Point (PDP) to external Policy Information Points (PIPs). They enable the PDP to dynamically retrieve external information, such as a user's role based on their identity, by calling your business services at runtime. Retrieved attribute values can also be cached for improved performance.

An attribute connector consists of one file:

  • a deployment descriptor

Follow the steps below to create and configure an attribute connector for retrieving external data in your authorization domain:

  1. In the src/authorizationDomain/attributeConnectors directory, create a new attribute connector deployment descriptor file.

    myConnector.yaml

    className: <classname>
    providedAttributes:
      - attributeName: user.role
      - attributeName: user.location
    configuration:
      # Connector-specific configuration goes here

    The table below lists the available built-in attribute connectors. If you have developed a custom connector, specify its class name.

    Attribute connector   Class name
    LDAP                  com.axiomatics.acs.plugin.pips.ldap.LdapPipModule
    SQL                   com.axiomatics.acs.plugin.pips.sql.SqlPipModule
    Table                 com.axiomatics.acs.plugin.pips.table.TablePipModule
    HTTP                  com.axiomatics.attributeconnector.http.ConnectorModule
    JSON Parser           com.axiomatics.attributeconnector.parser.json.ConnectorModule
    JWT Parser            com.axiomatics.attributeconnector.parser.jwt.ConnectorModule
    XML Parser            com.axiomatics.attributeconnector.parser.xml.ConnectorModule

    tip

    A common scenario is retrieving attribute values from a remote REST/JSON API. In this case, you will need an HTTP attribute connector chained to a JSON parser attribute connector.

  2. Create the configuration section following the specific format for your connector. See the Attribute connectors documentation.

    Provided attributes are the values you intend to resolve from your PIP. The key attributes (the data used to look up those provided attributes) are defined within the connector-specific configuration section.

    note

    Configuring custom attribute connectors may require the use of configurationString: instead of configuration:.

tip

You can use environment variables in all attribute connector configurations. See Variable substitution for details.
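
A lint check for descriptors in src/authorizationDomain/attributeConnectors, as an added example (not Axiomatics code): it flags a className that is neither in the built-in table above nor on a reviewed list, missing or duplicate providedAttributes, and descriptors that carry both or neither of configuration: and configurationString:. The approved_custom parameter, the com.example class name and the exactly-one-of rule are assumptions made for this example, and the parser reads only the flat layout shown in the template.

```python
import re

# Built-in connector classes, copied from the table on this page.
BUILTIN_CLASSES = {
    "com.axiomatics.acs.plugin.pips.ldap.LdapPipModule",
    "com.axiomatics.acs.plugin.pips.sql.SqlPipModule",
    "com.axiomatics.acs.plugin.pips.table.TablePipModule",
    "com.axiomatics.attributeconnector.http.ConnectorModule",
    "com.axiomatics.attributeconnector.parser.json.ConnectorModule",
    "com.axiomatics.attributeconnector.parser.jwt.ConnectorModule",
    "com.axiomatics.attributeconnector.parser.xml.ConnectorModule",
}

# Constructed sample descriptor (hypothetical class name, not a real connector).
SAMPLE = """\
className: com.example.pip.DebugModule
providedAttributes:
- attributeName: user.role
- attributeName: user.role
"""

def lint_descriptor(text, approved_custom=frozenset()):
    """Return a list of findings for one descriptor (empty list = clean).

    Reads only the top-level keys shown in the page's template; it is not
    a general YAML parser. `approved_custom` is a hypothetical allowlist.
    """
    findings = []
    # Top-level "key: value" pairs only; indented connector settings are skipped.
    top = dict(re.findall(r"^(\w+):[ \t]*(.*?)[ \t]*$", text, re.M))
    attrs = re.findall(r"^\s*-\s*attributeName:\s*(\S+)", text, re.M)
    cls = top.get("className", "").strip("'\"")
    if not cls or cls.startswith("<"):
        findings.append("className missing or still the template placeholder")
    elif cls not in BUILTIN_CLASSES and cls not in approved_custom:
        findings.append(f"unreviewed connector class: {cls}")
    if "providedAttributes" not in top or not attrs:
        findings.append("no providedAttributes declared")
    dupes = sorted({a for a in attrs if attrs.count(a) > 1})
    if dupes:
        findings.append("duplicate provided attributes: " + ", ".join(dupes))
    # Assumption for this example: exactly one of the two keys is present.
    if ("configuration" in top) == ("configurationString" in top):
        findings.append("expected exactly one of configuration / configurationString")
    return findings

if __name__ == "__main__":
    for finding in lint_descriptor(SAMPLE):
        print(finding)
```
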

Attribute cache

To improve performance, attribute values retrieved from attribute connectors can be stored in a cache. The configuration is stored in src/authorizationDomain/attributeCache.yaml. For more information, see the Attribute cache section of the Access Decision Service (ADS) documentation.