Skip to main content
Version: 1.1

Introduction

The Axiomatics® Contextual Authorization Query (CAQ) is a standalone cloud-native application that provides reverse query evaluation functionality. CAQ; evaluates reverse queries, that is, it provides information on what conditions need to be satisfied to get an expected PDP decision.

The service provides a REST API that can be used for evaluating reverse queries against an authorization policy and its respective attributes.

For more details on reverse queries please refer to Reverse queries.

About Contextual Authorization Query

The Axiomatics® Contextual Authorization Query (CAQ) is a cloud-native engine, suitable for flexible deployment in microservices, cloud or hybrid architectures.

The service for CAQ is a standalone application, run from the command line. You can deploy and configure it independently of any management software, which means that the application can easily run autonomously or at scale.

CAQ evaluates reverse query requests. The evaluation response provides a set of constraints that need to be met to get an expected PDP decision. To be able to perform reverse query evaluation, the CAQ is configured with an authorization domain through which it gains access to authorization policies and attribute data.

Reverse queries

A reverse query is a question that seeks to identify the authorization access requests that would be evaluated by the PDP to a given PDP decision (Permit, Deny, Not Applicable or Indeterminate). A PDP evaluates access requests against authorization policies.

A reverse query response provides information on what conditions need to be satisfied to get an expected PDP decision. Such a process can then be used to answer questions like “Is there a request that evaluates to Deny?” or “Can one ever get an Indeterminate response from the PDP?”.

In addition, reverse queries can determine some attribute values in order to get a sub-set of the conditions that need to be met for a PDP decision. In this way, a reverse query can be used to answer questions like “Which documents can be accessed by employees working in the Sales department?” or “Can user Alice access any document from the Sales Department with security classification ‘Confidential’?”.

Reverse queries are a powerful tool, not only for analyzing policies but, more significantly, for speeding up multiple access requests.

Notices

AXIOMATICS® is a registered trademark of Axiomatics AB, corporate identification no. 556708-1012, Sweden. Other trademarks are the property of their respective owners.

Except as otherwise expressly agreed in writing by Axiomatics AB, information in this document does not constitute in any way a representation, warranty or commitment on the part of Axiomatics.

Copyright © 2012-2024 Axiomatics AB. All Rights Reserved.