Authorization domain file
This page contains an authorization domain file example.
Copy this content to a new file named domain.yaml to use it in the authorization example.
Please note that this domain file must be used when running the requests described in the example. Otherwise the sample responses will not match the corresponding request.
identity: 565faab3-639d-4e51-a3d2-9039bc1f428c
metadata: {}
policy:
mainPolicyId: >-
http://www.axiomatics.com/automatic-unique-id/5cc13395-20bd-48b3-a56b-68b1c26c3e54
xacmlSpecifications:
- |
<xacml3:PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" PolicySetId="http://www.axiomatics.com/automatic-unique-id/5cc13395-20bd-48b3-a56b-68b1c26c3e54" Version="1.0"
xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<xacml3:Description>abcbank policy regarding customer records access</xacml3:Description>
<xacml3:PolicySetDefaults>
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
</xacml3:PolicySetDefaults>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">customer_record</xacml3:AttributeValue>
<xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="abcbank.documentType" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
<xacml3:Policy Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" PolicyId="http://www.axiomatics.com/automatic-unique-id/50f5b25e-dc7f-4672-a673-1a482e53f023">
<xacml3:Description>An investment banker has limited access to customer records when located remotely</xacml3:Description>
<xacml3:PolicyDefaults>
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
</xacml3:PolicyDefaults>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">investment_banker</xacml3:AttributeValue>
<xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="abcbank.role" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
<xacml3:Rule RuleId="9602915f-69fe-4222-b63f-a859e4578f41" Effect="Permit">
<xacml3:Description>An investment banker can read their own customer records once located remotely.</xacml3:Description>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue>
<xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="abcbank.action" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">remote</xacml3:AttributeValue>
<xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="abcbank.location" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
<xacml3:Condition
xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
<xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="abcbank.name" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
<xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="abcbank.documentOwner" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</xacml3:Apply>
</xacml3:Apply>
</xacml3:Condition>
</xacml3:Rule>
<xacml3:Rule RuleId="f9f24f27-a727-48ec-9aea-1c4798b1b2e7" Effect="Permit">
<xacml3:Description>An investment banker can read, create, update customer records once located in office.</xacml3:Description>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue>
<xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="abcbank.action" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</xacml3:Match>
</xacml3:AllOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</xacml3:AttributeValue>
<xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="abcbank.action" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</xacml3:Match>
</xacml3:AllOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</xacml3:AttributeValue>
<xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="abcbank.action" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">office</xacml3:AttributeValue>
<xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="abcbank.location" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
</xacml3:Rule>
</xacml3:Policy>
<xacml3:Policy Version="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" PolicyId="6e26eb0f-2568-44bf-9720-8de917eea70f">
<xacml3:Description>A group manager can access customer records</xacml3:Description>
<xacml3:PolicyDefaults>
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
</xacml3:PolicyDefaults>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">group_manager</xacml3:AttributeValue>
<xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="abcbank.role" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
<xacml3:Rule RuleId="a326af3d-4d4c-4d26-a6de-4c1cb1a98425" Effect="Permit">
<xacml3:Description>A group manager can read, create or update customer records</xacml3:Description>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue>
<xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="abcbank.action" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</xacml3:Match>
</xacml3:AllOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</xacml3:AttributeValue>
<xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="abcbank.action" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</xacml3:Match>
</xacml3:AllOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</xacml3:AttributeValue>
<xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="abcbank.action" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
</xacml3:Rule>
</xacml3:Policy>
<xacml3:Policy Version="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" PolicyId="db83a8ad-3192-4d1a-b083-794dacb9c0d6">
<xacml3:Description>An employee has no access at customer records.</xacml3:Description>
<xacml3:PolicyDefaults>
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
</xacml3:PolicyDefaults>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">employee</xacml3:AttributeValue>
<xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="abcbank.role" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
<xacml3:Rule RuleId="44c46b1c-2dc9-4037-b748-edf976916eeb" Effect="Deny">
<xacml3:Description>An employee cannot read, create or update customer records</xacml3:Description>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue>
<xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="abcbank.action" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</xacml3:Match>
</xacml3:AllOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</xacml3:AttributeValue>
<xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="abcbank.action" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</xacml3:Match>
</xacml3:AllOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</xacml3:AttributeValue>
<xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="abcbank.action" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
</xacml3:Rule>
</xacml3:Policy>
</xacml3:PolicySet>
attributes:
abcbank.role:
xacmlId: abcbank.role
category: 'urn:oasis:names:tc:xacml:1.0:subject-category:access-subject'
datatype: 'http://www.w3.org/2001/XMLSchema#string'
issuer: ''
abcbank.location:
xacmlId: abcbank.location
category: 'urn:oasis:names:tc:xacml:1.0:subject-category:access-subject'
datatype: 'http://www.w3.org/2001/XMLSchema#string'
issuer: ''
abcbank.documentOwner:
xacmlId: abcbank.documentOwner
category: 'urn:oasis:names:tc:xacml:3.0:attribute-category:resource'
datatype: 'http://www.w3.org/2001/XMLSchema#string'
issuer: ''
abcbank.documentType:
xacmlId: abcbank.documentType
category: 'urn:oasis:names:tc:xacml:3.0:attribute-category:resource'
datatype: 'http://www.w3.org/2001/XMLSchema#string'
issuer: ''
abcbank.name:
xacmlId: abcbank.name
category: 'urn:oasis:names:tc:xacml:1.0:subject-category:access-subject'
datatype: 'http://www.w3.org/2001/XMLSchema#string'
issuer: ''
abcbank.documentId:
xacmlId: abcbank.documentId
category: 'urn:oasis:names:tc:xacml:3.0:attribute-category:resource'
datatype: 'http://www.w3.org/2001/XMLSchema#string'
issuer: ''
abcbank.action:
xacmlId: abcbank.action
category: 'urn:oasis:names:tc:xacml:3.0:attribute-category:action'
datatype: 'http://www.w3.org/2001/XMLSchema#string'
attributeConnectors: {}
decisionParameters: null