The most recent patch for this version is 7.6.1.

Version: 7.6

Table Attribute Connector

The Table Attribute Connector is similar to the SQL Attribute Connector in that it specifies how attributes can be fetched from a SQL database. The main differences are that the Table Attribute Connector assumes attributes can be fetched directly from columns in the database and it does not support arbitrary SQL queries. These differences make it more restrictive than the SQL Attribute Connector but also easier to configure.

To configure a Table Attribute Connector, no specific SQL knowledge is required. However, the table names and column names storing attribute values in the target database must be known in addition to any connection information required.

The configuration consists of two parts:

  1. A general part specifying the client implementation to use, the location of the SQL database, the authentication mechanism and the account to use.

  2. An attribute specific part that specifies which XACML attribute can be fetched and how to obtain it from the database.

General configuration

Click the "Configuration" link in the Attribute Connector editor to open the base form for the chosen attribute connector type.

| Field | Description | Supported format |
| --- | --- | --- |
| Connection type | The type of connection to the SQL database. There are different parameter fields depending on the type selected. | This field is selected from a drop-down combo box. Only the JDBC data source is supported in this version. |
| Driver | The driver specifies the class name of the JDBC driver to be used by PDPs to connect to the SQL database. Drivers can be made available to the ASM built-in SQL Attribute Connector. Note that the class name can be entered manually or chosen from the list of already installed drivers. Installing drivers in ASM is not strictly necessary, but the drivers provide a means to test the connection to the database. See The Check connection button below. | A fully qualified class name of the SQL driver class. For example: oracle.jdbc.OracleDriver |
| Connection URL | The connection URL contains the URL to access the SQL database. | A valid JDBC URL. For example: jdbc:oracle:thin:@//localhost:1521/my-instance |

Note: The notice in the ASM UI about a performance degradation issue using JDBC can be disregarded. It refers to a situation with a legacy authorization engine, and is no longer relevant in this version of ASM.

The Check connection button

As mentioned in the table above, additional JDBC drivers can be made available to the SQL Attribute Connector. The availability of these drivers in the ASM UI supports the check connection function. When a driver has been selected from the list, and the URL has been set in the Connection URL field, the Check connection button becomes enabled, allowing the user to verify the connection to the database.

Attribute-specific configuration

Click the Add button at the bottom of the Attribute Connector editor. This switches to the Attribute Mapping page, where the attribute-specific configuration is managed.

| Field | Description | Supported format |
| --- | --- | --- |
| Attribute provided by the mapping | The URI of the XACML attribute to be fetched from this attribute source. | Selection is done from the list of attributes defined in the Attribute Dictionary. |
| Table name | The database table name from which the target XACML attribute value is fetched. | Any valid JDBC database table specification. The exact format depends on the database used. |
| Column name | The column name of the specified table from which the target XACML attribute value is fetched. | Any valid JDBC database column name. The exact format may depend on the database used. |
| Key attribute | Other XACML attributes and their corresponding column names in the specified table that act as keys to the target attribute. | Any valid JDBC database column name. The exact format may depend on the database used. |
| is single valued | N/A | |
| Cache | A Cache Configuration telling PDPs using the Attribute Source how to cache attribute values fetched using the query. | A choice of existing Cache Configurations. |

Note: The Cache setting for an attribute mapping is done in the special cache configuration for the Attribute Connector.

Attribute mappings

The Table Attribute Connector Configuration panel shows a table of attributes provided by this Attribute Connector.

A mapping can be deleted simply by clicking the X button to the right of the attribute mapping line in the table.

Existing attribute mappings can be edited by clicking the attribute name link in the XACMLID column of the table, and new mappings can be added by clicking the Add button.

In either case, the Attribute Mapping Editor will open. To create a new mapping, follow the steps below:

  1. Select a target attribute from the Attributes provided by the mapping table.

  2. Enter the database table name from which the attribute values are to be fetched in the Table name field.

  3. Enter the column name of the table that holds the actual values for the attribute.

  4. Set the attribute or attributes in the Key attributes table that are to be used as keys in the database table from which the target attribute values will be looked up.

  5. Add a key by selecting an attribute from the drop-down list under the Key attributes table and click the Add button.

    This will add a new line to the table.

  6. Enter the name of the database table column acting as key in the COLUMN NAME field.

    Note: Several key attributes can be specified for a given target attribute that is to be looked up with a composite key.

  7. Click Apply to commit the new attribute mapping.

The above figure shows an attribute mapping by which the subject attribute role can be fetched from the role column of the roles table. The subject-id attribute acts as the key: its value is matched against the user_name column of the same table to select the row.

The resulting SQL statement used to fetch values for the role attribute in the Table Attribute Connector will look similar to the following:

    select ROLE from ROLES where user_name=4711

Here 4711 is a sample value for the subject-id attribute, previously resolved or provided to the Service in the request.

Key Attribute

An attribute passed to the Table Attribute Finder at runtime as a key to look up another attribute can contain no key value (an empty set), a single key value, or multiple key values. In cases where:

  • No key value is given - the Attribute Finder will return "empty set"

  • A single key value is given - the Attribute Finder runs the query and returns the retrieved data

  • Multiple key values are given - the Attribute Finder runs the query multiple times, iterating over the set of key values and collects the full set of all the values returned for each query
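
The three key-value cases above, applied to the role/subject-id mapping from the previous section, as an added illustration (not Axiomatics code, and not a statement of how the product builds its queries). It binds key values as parameters rather than concatenating them into the statement, and validates the configured table and column names, since identifiers cannot be bound. Python's sqlite3 stands in for a JDBC data source; the identifier pattern, the mapping dictionary layout, and running one query per combination of values for composite keys are assumptions.

```python
import re
import sqlite3
from itertools import product

# Assumed policy for configured table/column names (not from the product docs).
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def build_query(table, column, key_columns):
    """Build the SELECT for one mapping: names are validated, values are bound."""
    if not key_columns:
        raise ValueError("mapping needs at least one key column")
    for name in (table, column, *key_columns):
        if not IDENT.match(name):
            raise ValueError(f"invalid identifier in mapping: {name!r}")
    where = " AND ".join(f"{col} = ?" for col in key_columns)
    return f"SELECT {column} FROM {table} WHERE {where}"

def lookup(conn, mapping, key_values):
    """Resolve the target attribute; key_values maps key attribute -> set of values."""
    attrs = list(mapping["keys"])                      # key attribute ids
    bags = [sorted(key_values.get(a, ())) for a in attrs]
    if any(not bag for bag in bags):
        return set()                                   # no key value: empty set, no query
    sql = build_query(mapping["table"], mapping["column"],
                      [mapping["keys"][a] for a in attrs])
    found = set()
    for combo in product(*bags):                       # one query per key value
        found.update(row[0] for row in conn.execute(sql, combo))
    return found

def demo_db():
    """Constructed sample data mirroring the roles table described on the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE roles (user_name TEXT, role TEXT)")
    conn.executemany("INSERT INTO roles VALUES (?, ?)",
                     [("4711", "manager"), ("4711", "auditor"), ("4712", "clerk")])
    return conn

ROLE_MAPPING = {"table": "roles", "column": "role",
                "keys": {"subject-id": "user_name"}}

if __name__ == "__main__":
    db = demo_db()
    for subject_ids in (set(), {"4711"}, {"4711", "4712"}):
        print(sorted(subject_ids), "->",
              sorted(lookup(db, ROLE_MAPPING, {"subject-id": subject_ids})))
```

Because the key value travels as a bound parameter, a subject-id containing quote characters is compared as a literal string and simply matches no row.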

Data type mappings and conversions

Most of the mapping needs are handled in the ASM GUI, based on the definition of the attribute connector in the Attribute Dictionary.

More detailed information about how the Table Attribute Connector maps XACML types to SQL types (and vice versa), which XACML attributes can or cannot be mapped to a column in a table, and how it converts values between those types is available in the Table Attribute Connector User's Guide included in the separately distributed Table Attribute Connector package. Visit the download area of the Axiomatics Customer Support site to access the file.