Table Attribute Connector
The Table Attribute Connector is similar to the SQL Attribute Connector in that it specifies how attributes can be fetched from a SQL database. The main differences are that the Table Attribute Connector assumes attributes can be fetched directly from columns in the database and it does not support arbitrary SQL queries. These differences make it more restrictive than the SQL Attribute Connector but also easier to configure.
To configure a Table Attribute Connector, no specific SQL knowledge is required. However, the table names and column names storing attribute values in the target database must be known in addition to any connection information required.
The configuration consists of two parts:
- A general part specifying the client implementation to use, the location of the SQL database, the authentication mechanism and the account to use.
- An attribute-specific part that specifies which XACML attribute can be fetched and how to obtain it from the database.
General configuration
Click the "Configuration" link in the Attribute Connector editor to open the base form for the chosen attribute connector type.
Field | Description | Supported format |
---|---|---|
Connection type | The type of connection to the SQL database. There are different parameter fields depending on the type selected. | This field is selected from a drop-down combo box. Only the JDBC data source is supported in this version. |
Driver | The driver specifies the class name of the JDBC driver to be used by PDPs to connect to the SQL database. Drivers can be made available to the ASM built-in SQL Attribute Connector. Note that the class name can be entered manually or chosen from the list of already installed drivers. Installing drivers in ASM is not strictly necessary, but the drivers provide a means to test the connection to the database. See "The Check connection button" below. | A fully qualified class name of the SQL driver class. For example: oracle.jdbc.OracleDriver |
Connection URL | The connection URL contains the URL to access the SQL database. | A valid JDBC URL. For example: jdbc:oracle:thin:@//localhost:1521/my-instance |
Note: The notice in the ASM UI about a performance degradation issue using JDBC can be disregarded. It refers to a situation with a legacy authorization engine, and is no longer relevant in this version of ASM.
The Check connection button
As mentioned in the table above, additional JDBC drivers can be made available to the SQL Attribute Connector. The availability of these drivers in the ASM UI supports the check connection function. When a driver has been selected from the list, and the URL has been set in the Connection URL field, the Check connection button becomes enabled, allowing the user to verify the connection to the database.
Attribute-specific configuration
Click the Add button at the bottom of the Attribute Connector editor. This switches to the Attribute Mapping page, where the attribute-specific configuration is managed.
Field | Description | Supported format |
---|---|---|
Attribute provided by the mapping | The URI of the XACML attribute to be fetched from this attribute source. | Selection is done from the list of attributes defined in the Attribute Dictionary. |
Table name | The database table name from which the target XACML attribute value is fetched. | Any valid JDBC database table specification. The exact format depends on the database used. |
Column name | The column name of the specified table from which the target XACML attribute value is fetched. | Any valid JDBC database column name. The exact format may depend on the database used. |
Key attribute | Other XACML attributes and their corresponding column names in the specified table that act as keys to the target attribute. | Any valid JDBC database column name. The exact format may depend on the database used. |
Is single valued | N/A | N/A |
Cache | A Cache Configuration telling PDPs using the Attribute Source how to cache attribute values fetched using the query. | A choice of existing Cache Configurations. |
Note: The Cache setting for an attribute mapping is done in the special cache configuration for the Attribute Connector.
Attribute mappings
The Table Attribute Connector Configuration panel shows a table of attributes provided by this Attribute Connector.
A mapping can be deleted simply by clicking the 'X' symbol to the right of the attribute mapping line in the table.
Existing attribute mappings can be edited by clicking the attribute name link in the "XACMLID" column of the table and new mappings added by clicking the Add button.
In either case, the Attribute Mapping Editor will open. To create a new mapping the following steps must be taken:
- Select a target attribute from the "Attributes provided by the mapping" table
- Enter the database table name from which the attribute values are to be fetched in the "Table name" field
- Enter, in the "Column name" field, the column of that table that holds the actual values for the attribute
- Set the attribute or attributes in the "Key attributes" table that are to be used as keys in the database table from which the target attribute values will be looked up
- Add a key by selecting an attribute from the drop-down list under the Key attributes table and clicking the Add button. This adds a new line to the table. Enter the name of the database table column acting as key in the "COLUMN NAME" field.
  Note that several key attributes can be specified for a given target attribute that is to be looked up with a composite key.
- Click Apply to commit the new attribute mapping
The above figure shows an attribute mapping by which the subject attribute "role" can be fetched from the "ROLE" column of the "ROLES" table. The "subject-id" attribute acts as the key: its value is matched against the "user_name" column of the same table to select the row(s) whose "ROLE" value is returned.
The resulting SQL statement used to fetch values for the "role" attribute in the Table Attribute Connector will look something like the following: "select ROLE from ROLES where user_name=4711", where 4711 is a sample value for the subject-id attribute, either previously resolved or provided to the Service in the request. The statement illustrates the shape of the query only; note that the key value originates from the access request rather than from the connector configuration.
Key Attribute
An attribute passed to the Table Attribute Finder at runtime as a key to look up another attribute can contain no key value (an empty set), a single key value, or multiple key values:
- No key value is given: the Attribute Finder returns an empty set
- A single key value is given: the Attribute Finder runs the query once and returns the retrieved data
- Multiple key values are given: the Attribute Finder runs the query multiple times, iterating over the set of key values, and collects the full set of all the values returned by each query
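To make the mapping procedure and the key semantics above concrete, here is an added example, not code from this page or from Axiomatics, that emulates how a mapping like the "role" example (ROLES table, ROLE column, keyed on subject-id via user_name) is resolved against a constructed SQLite table. It builds the statement from the configured table, column and key columns, validates those identifiers (they come from configuration and cannot be bound as parameters), passes the key values taken from the request as bound parameters (this example's own choice; the page does not say how ASM hands key values to the JDBC driver), and implements the empty/single/multiple key cases from the Key Attribute section. The ROLES rows, the tenant column, and the TableMapping, build_statement and resolve names are assumptions for the illustration; for composite keys where several key attributes are multi-valued it iterates the cartesian product of the bags, which the page does not specify.

```python
import itertools
import re
import sqlite3
from dataclasses import dataclass
from typing import Dict, Set

# Table and column names come from the connector configuration and cannot be
# bound as SQL parameters, so they are checked against an identifier allowlist
# before being interpolated. Key VALUES come from the access request and are
# always bound (this example's choice; the page does not say how ASM does it).
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


@dataclass
class TableMapping:
    """One attribute mapping as entered in the Attribute Mapping Editor (assumed name)."""
    attribute_id: str          # XACML attribute provided by the mapping
    table: str                 # "Table name"
    column: str                # "Column name"
    keys: Dict[str, str]       # key XACML attribute id -> "COLUMN NAME"


def _ident(name: str) -> str:
    """Refuse anything that is not a plain identifier (no quoting, no ';')."""
    if not IDENT.match(name):
        raise ValueError(f"unsafe identifier in mapping: {name!r}")
    return name


def build_statement(mapping: TableMapping) -> str:
    """Parameterized form of the page's 'select ROLE from ROLES where user_name=...'."""
    where = " and ".join(f"{_ident(col)}=?" for col in mapping.keys.values())
    return f"select {_ident(mapping.column)} from {_ident(mapping.table)} where {where}"


def resolve(conn: sqlite3.Connection, mapping: TableMapping,
            request_attrs: Dict[str, Set[str]]) -> Set[str]:
    """Resolve the target attribute bag for one request.

    request_attrs maps XACML attribute id -> bag of values. Following the Key
    Attribute section: an empty key bag yields an empty set without querying,
    a single value runs the query once, several values run it once per value
    and the results are unioned. With several key attributes the cartesian
    product of their bags is iterated (an assumption; the page does not say).
    """
    bags = [set(request_attrs.get(key_id, ())) for key_id in mapping.keys]
    if not bags or any(not bag for bag in bags):
        return set()
    sql = build_statement(mapping)
    values: Set[str] = set()
    for combo in itertools.product(*bags):
        for (value,) in conn.execute(sql, combo):
            values.add(value)
    return values


def demo_connection() -> sqlite3.Connection:
    """Constructed sample data, not from the page: a ROLES table with an assumed tenant column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table ROLES (user_name text, tenant text, ROLE text)")
    conn.executemany("insert into ROLES values (?, ?, ?)", [
        ("alice", "acme", "admin"),
        ("alice", "acme", "auditor"),
        ("alice", "globex", "viewer"),
        ("bob", "acme", "viewer"),
    ])
    return conn


# The page's example: "role" from ROLES.ROLE keyed on subject-id -> user_name.
ROLE_MAPPING = TableMapping("role", "ROLES", "ROLE", {"subject-id": "user_name"})
# Composite key, as the note on several key attributes allows (tenant column assumed).
TENANT_ROLE_MAPPING = TableMapping(
    "role", "ROLES", "ROLE", {"subject-id": "user_name", "tenant": "tenant"})


if __name__ == "__main__":
    conn = demo_connection()
    print(build_statement(ROLE_MAPPING))
    print(resolve(conn, ROLE_MAPPING, {"subject-id": {"alice"}}))
    print(resolve(conn, ROLE_MAPPING, {"subject-id": set()}))
    print(resolve(conn, TENANT_ROLE_MAPPING,
                  {"subject-id": {"alice", "bob"}, "tenant": {"acme"}}))
    # A hostile key value is just data once bound: no row has that literal user_name.
    print(resolve(conn, ROLE_MAPPING, {"subject-id": {"x' or '1'='1"}}))
```

The split between identifiers and values is the point a practitioner should carry over to any connector of this kind: the table and column names are administrator-controlled configuration and should be constrained to plain identifiers, while the key values arrive in the access request and must never be concatenated into the statement.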
Data type mappings and conversions
Most of the mapping needs are handled in the ASM GUI, based on how the attribute is defined in the Attribute Dictionary.
More detailed information about how the Table Attribute Connector maps XACML types to SQL types (and vice versa), which XACML attribute types can or cannot be mapped to a column in a table, and how it converts values between those types is available in the Table Attribute Connector User's Guide included in the separately distributed Table Attribute Connector package. Go to the download area of https://support.axiomatics.com to access the file.