Obligations and Advice Dictionary
The Obligations and Advice Dictionary allows the user to create, organize and use obligations and advice in Policy Sets, Policies, and Rules. These obligation and advice elements can also be exported and imported for use in the Policy Editor or PAP Client when authoring policies.
Obligations and Advice Dictionary management
An obligation or advice entity consists of the following fields:
Field | Description | Supported format |
---|---|---|
Name | A short and simple name for the entity | A single case-sensitive string that should: be 1 to 255 characters long; begin with a letter (a-z, A-Z) or an underscore (_); contain only letters (a-z, A-Z), digits (0-9) and underscores (_) |
Namespace | Identifies the position of the entity in the hierarchy tree | One or more case-sensitive strings separated by the character '.'. Each string should: be 1 to 255 characters long; begin with a letter (a-z, A-Z) or an underscore (_); contain only letters (a-z, A-Z), digits (0-9) and underscores (_) |
ID | The XACML identifier of the entity | URI |
Description | Free-form description of the entity | Any string without new line characters |
Type | The type of entity | Obligation or Advice |
A key purpose of the Obligations and Advice Dictionary is its policy management use in the Axiomatics PAP Client and Policy Editor.
The Obligations and Advice Dictionary is managed through the "Dictionaries" view in the ASM GUI.
An entity is uniquely identified by a particular combination of ID, name, namespace, and type. If no ID is explicitly provided when an entity is created, the system generates one by concatenating the name and the namespace, delimited by a '.'.
Listing and viewing obligations and advice
All the obligation and advice entities defined in ASM are displayed when the Obligations and Advice Dictionary is selected in the main menu. By default, all attribute data (name, description, namespace, type, and ID) is shown directly in the listing.
An entity can be viewed by selecting it on the list. This will open the entity's details in the Tools pane, enabling it to be edited. (See Modifying obligations and advice.)
Creating an obligation or advice
A new entity can be created in two ways:
- by creating it from scratch
- by cloning an existing entity
Creating an obligation or advice from scratch
A new obligation/advice entity is created by clicking the Create button in the toolbar above the attribute list. This opens an empty form in the Tools pane where information for the new entity can be filled in.
Obligation/Advice
Radio buttons determining whether the entity is an obligation or an advice.
Name
The name of the obligation/advice.
Namespace
Selected from a drop-down menu containing the available namespaces. (See Managing attribute namespaces in the Attribute Dictionary for more information about namespaces.)
Use default ID
By default this check box is selected, which means that on creation the default ID is used. Deselect the check box to enable the ID field for editing.
ID
If no ID is explicitly provided, the system generates one by concatenating the name and the namespace, delimited by a '.'.
Description (optional)
A text string describing the obligation/advice.
If the user fails to include any required information when creating an obligation/advice, a validation error message will be displayed.
Cloning an obligation or advice
Obligation/advice entities can also be cloned. ASM allows the user to clone multiple entities simultaneously. Select one or more rows on the obligation/advice list by checking the appropriate check boxes and click the Clone button in the toolbar.
Note: To prevent the user from confusing the various clones of any one entity, numeric suffixes are automatically added to the name of each cloned item. The indexing system identifies the clone according to its sequential relation to the original entity and to its subsequent iterations. For example, the suffix -1-2 indicates the item is the second clone made from the first clone generated.
After cloning, the cloned entities appear in the list and can be modified as desired.
Modifying obligations and advice
To modify an obligation or advice entity, select the entity from the list and make the desired changes in the Tools pane.
The user can change the type, name, ID, and description, and select a different namespace. Clicking the Apply button will submit the changes. ASM prevents the user from duplicating entities or creating entities without name, ID, or type.
If the user fails to include any required information when creating or editing an entity, a validation error message will be displayed.
Deleting obligations and advice
Obligation and advice entities can be removed singly or in batches by selecting the check box next to each entity to be removed and then clicking the Remove button.
Managing namespaces for obligations and advice
APS 6.0 introduced namespaces to facilitate the efficient organizing and managing of a large number of elements. With namespaces, elements can be organized in a hierarchical tree. The namespace of an element simply identifies its position in the tree. Note that the namespace is not part of the formal definition of an element as per the XACML specification.
The Obligations and Advice Dictionary uses the namespaces created in the Attribute Dictionary, and the four default namespaces (Attributes.access_subject, Attributes.resource, Attributes.action, Attributes.environment) are always available.
Consequently, new namespaces required for obligations and advice entities are created and managed via the Attribute Dictionary. (See Managing attribute namespaces in the Attribute Dictionary for more information about namespaces.)
Exporting the Obligations and Advice Dictionary
The Obligations and Advice Dictionary can be exported to an XML file that can be imported again into an Axiomatics Services Manager instance. To export the entire dictionary, click the Export all button in the action bar. The web browser will download the Obligations and Advice Dictionary in XML format. The default file name for the exported dictionary is "obligation-advice.xml".
Importing obligations and advice into the dictionary
Obligation/advice entities can be imported from a file into the Obligations and Advice Dictionary by clicking the Import button in the action bar. This will not replace existing entities but simply add entities not already present in the dictionary. If an entity is present in the dictionary but not in the imported file, the entity will remain in the dictionary.
Resolving conflicts in obligations and advice
In the same way as with attributes, conflicts may arise when an imported file contains obligations or advice that are considered the same from an XACML perspective (same name or ID), but that otherwise have a conflicting definition (different description). However, it is also possible for a conflict to occur after an obligation/advice has been edited. In both cases, the built-in conflict resolution tool is used.
If a conflict occurs, an icon is displayed in the "Conflict" column, and the Resolve button on the toolbar is enabled.
- Click the Resolve button to access the "Resolve conflict" window.
The "Resolve conflict" window displays all the conflicting items highlighted together with their fields, and the user can resolve the conflict in each case by selecting to keep either the old value or the new conflicting one.
After clicking on the Resolve button in the window, a message is displayed with a summary of the resolved obligation/advice definition.
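The field formats and the import and conflict rules described above can be checked before a file is imported. The following Python sketch is an added example, not ASM code: it validates each entity against the documented formats and then predicts which entities an import would add, leave unchanged, or flag as conflicting. The dictionary record shape, the `urn:example:` IDs and the sample entities are constructed assumptions, and treating any differing field as a conflict is an assumption based on the description above.

```python
import re

# Name rule from the field table: 1 to 255 characters, first a letter or
# underscore, then letters, digits and underscores only.
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,254}")
FIELDS = ("name", "namespace", "id", "description", "type")

def validate(entity):
    """Return the names of fields that break the documented formats."""
    bad = []
    if not NAME_RE.fullmatch(entity.get("name", "")):
        bad.append("name")
    # A namespace is one or more name-like strings separated by '.'.
    if not all(NAME_RE.fullmatch(s) for s in entity.get("namespace", "").split(".")):
        bad.append("namespace")
    if re.search(r"[\r\n]", entity.get("description", "")):
        bad.append("description")
    if entity.get("type") not in ("Obligation", "Advice"):
        bad.append("type")
    return bad

def plan_import(existing, incoming):
    """Sort incoming entities into invalid, added, unchanged and conflict."""
    plan = {"invalid": [], "added": [], "unchanged": [], "conflict": []}
    for new in incoming:
        if validate(new):
            plan["invalid"].append(new.get("name"))
            continue
        # Same entity from an XACML perspective: same name or same ID.
        old = next((e for e in existing
                    if e["name"] == new["name"] or e["id"] == new.get("id")), None)
        if old is None:
            plan["added"].append(new["name"])      # import adds what is missing
        elif all(old.get(f) == new.get(f) for f in FIELDS):
            plan["unchanged"].append(new["name"])
        else:
            plan["conflict"].append(new["name"])   # needs the Resolve step
    return plan

def entity(name, description, kind="Obligation"):
    # Constructed sample record; the urn:example: IDs are placeholders.
    return {"name": name, "namespace": "Attributes.resource",
            "id": "urn:example:" + name, "description": description, "type": kind}

EXISTING = [entity("log_access", "Write an audit record"),
            entity("notify_owner", "Tell the resource owner", "Advice")]
INCOMING = [entity("log_access", "Write an audit record to the SIEM"),
            entity("notify_owner", "Tell the resource owner", "Advice"),
            entity("mask_fields", "Mask sensitive fields"),
            entity("2fa_prompt", "Ask for a second factor")]
```

Calling `plan_import(EXISTING, INCOMING)` on the constructed data reports `log_access` as a conflict because only its description changed, which is the case that needs review before policies relying on that obligation are re-deployed.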