Skip to main content

The most recent patch for this version is 7.4.1.  Learn more  

Version: 7.4

Obligations and Advice Dictionary

The Obligations and Advice Dictionary allows you to create, organize, and use obligations and advice in Policy Sets, Policies, and Rules. These obligation and advice elements can also be exported and imported for use in the Policy Editor or PAP Client when authoring policies.

Obligations and Advice Dictionary management

An obligation or advice entity consists of the following fields:

FieldDescriptionSupported format
NameA short and simple name for the entityA single case sensitive string adhering to the following constraints:
- should be 1 to 255 characters long
- should begin with an alphabet (a-z, A-Z) or an underscore (_)
- can contain the alphabets (a-z, A-Z), digits (0-9) and underscores (_) only
NamespaceThis identifies the position of the entity in the hierarchy treeCan consist of one or more case sensitive strings separated by the character '.'. Each of the strings
- should be 1 to 255 characters long
- begin with an alphabet (a-z, A-Z) or an underscore (_)
- contain alphabets (a-z, A-Z), digits (0-9) and underscores (_) only
IDThe XACML identifier of the entityURI
DescriptionFree-form description of the entityAny string without new line characters
TypeThe type of entityOblgation
Advice

A key purpose of the Obligations and Advice Dictionary is its policy management use in the Axiomatics PAP Client and Policy Editor.

The Obligations and Advice Dictionary is managed through the Dictionaries view in the ASM GUI.

An entity is uniquely identified by a particular combination of ID, name, namespace, and type. If no ID is explicitly provided when an entity is created, the system generates one by concatenating the name and the namespace, delimited by a a full-stop character (.).

List and view obligations and advice

List all the obligation and advice entities defined in ASM by clicking Dictionaries > Obligations and Advice Dictionary in the navigation control bar.

By default, all attribute data (name, description, namespace, type, and ID) display in the list.

Click a row to select an item in the list. The side panel expands enabling basic editing of the item. See the Modify obligations and advice section below for details.

Create an obligation or advice

A new entity can be created in two ways:

  • by creating it from scratch

  • by cloning an existing entity

Create an obligation or advice from scratch

Click the Create button in the toolbar above the list.

The side panel expands where you can fill in the information for the new obligation/advice. A number of fields are required. See the Obligations and Advice Dictionary management section above for a full description of the attribute fields.

Obligation/Advice

Radio buttons determining whether the entity is an obligation or an advice.

Name

The name of the obligation/advice.

Namespace

Selected from a drop-down menu containing the available namespaces. See the Manage attribute namespaces in the Attribute Dictionary section for more information about namespaces.

Use default ID

By default this check box is selected, which means that on creation the default ID is used. Deselect the check box to enable the ID field for editing.

ID

If no ID is explicitly provided, the system generates one by concatenating the name and the namespace, delimited by a full-stop character (.).

Description (optional)

A text string describing the obligation/advice.

If the user fails to include any required information when creating an obligation/advice, a validation error message will be displayed.

Clone an obligation or advice

Obligation/advice entities can also be cloned. ASM allows you to clone multiple entities simultaneously.

  1. Select one or more rows on the obligation/advice list by selecting the corresponding checkboxes.

  2. Click the Clone button in the toolbar.

    The cloned obligations/advice entities display in the list.

    note

    To avoid confusion, numeric suffixes are automatically added to the name of each cloned item. The indexing system identifies the clone according to its sequential relation to the original attribute and to its subsequent iterations. For example, the suffix -1-2 indicates the item is the second clone made from the first clone generated.

  3. Modify the cloned obligation/advice entities as needed.

Modify an obligation or advice

Modify an obligations or advice entity as follows:

  1. Select the entity in the list.

    The side panel expands.

  2. Make the required changes.

    You can edit the Name, ID, and Description fields, and select a new value for the namespace.

  3. Click Apply to submit the changes.

    ASM prevents you from duplicating attributes or creating attributes without name, ID, or data type.

If you fail to include any required information when editing an entity, a validation error message will display.

Delete obligations and advice

Delete one or more obligations/advice entities by selecting the checkbox(es) to the left of the name(s) on the list and then clicking the Remove button in the action bar.

Managing namespaces for obligations and advice

APS 6.0 introduced namespaces to facilitate the efficient organizing and managing of a large number of elements. With namespaces, elements can be organized in a hierarchical tree. The namespace of an element simply identifies its position in the tree. Note that the namespace is not part of the formal definition of an element as per the XACML specification.

The Obligations and Advice Dictionary uses the namespaces created in the Attribute Dictionary, and the four default namespaces (Attributes.access_subject, Attributes.resource, Attributes.action, Attributes.environment) are always available.

Consequently, new namespaces required for obligations and advice entities are created and managed via the Attribute Dictionary. See Manage attribute namespaces in the Attribute Dictionary for more information about namespaces.

Export the Obligations and Advice Dictionary

The Obligations and Advice Dictionary can be exported to an XML file that can be imported again into a Axiomatics Services Manager instance.

Export the entire dictionary as follows by clicking the Export all button in the toolbar. The default file name for the exported dictionary is obligation-advice.xml.

Import obligations and advice into the dictionary

Obligation/advice entities can be imported from a file into the Obligations and Advice Dictionary by clicking the Import button in the toolbar. This will not replace existing entities but simply add entities not already present in the dictionary. If an entity is present in the dictionary but not in the imported file, the entity will remain in the dictionary.

Resolve conflicts in obligations and advice

In the same way as with attributes, conflicts may arise when an imported file contains obligations or advice that are considered the same from an XACML perspective (same name or ID), but that otherwise have a conflicting definition (different description). However, it is also possible for a conflict to occur after an obligation/advice has been edited. In both cases, the built-in conflict resolution tool is used.

If a conflict occurs, a warning icon displays in the Conflict column, and the Resolve button in the toolbar is enabled.

  1. Click the Resolve button in the toolbar.

    The Resolve conflict window displays. All conflicting items are highlighted along with their fields.

  2. Resolve the conflict in each case by selecting to keep either the old or the new conflicting attribute.

  3. Click Resolve.

    A summary of the resolved obligation/advice definition displays.