PingAuthorize

JSON PDP API request format

Individual requests

A valid JSON PDP API request is a simple JSON object that can be forwarded to the Policy Decision Service. Policies can match a decision request by service, domain, action, or other attributes.

The following table describes the values contained in a valid JSON PDP API request:

| Field | Type | Required | Trust Framework type | Example value |
|---|---|---|---|---|
| domain | String | Optional | Domain | Sales.Asia Pacific |
| action | String | Optional | Action | Retrieve |
| service | String | Optional | Service | Mobile.Landing page |
| identityProvider | String | Optional | Identity Provider | Social Networks.Spacebook |
| attributes | Map<String, String> | Required | Other Attributes | {"Prospect name": "B. Vo"} |

The attributes field can be empty.

Example
{
  "domain": "Sales.Asia Pacific",
  "action": "Retrieve",
  "service": "Mobile.Landing page",
  "identityProvider": "Social Networks.Spacebook",
  "attributes": {
    "Prospect name": "B. Vo"
  }
}

The following image shows how Prospect name is defined in the Policy Editor. In this example, the Prospect name attribute has a Request resolver and a Type of string.

Screen capture of the Attributes tab of the Trust Framework window in the Policy Editor. The Prospect name attribute is displayed configured as specified.

The Trust Framework attribute name must match the key of the attributes map.

Batch requests

Batch requests consist of a requests array that contains individual JSON requests.

Example
{
  "requests": [
    {
      "domain": "Sales.Asia Pacific",
      "action": "Retrieve",
      "service": "Mobile.Landing page",
      "identityProvider": "Social Networks.Spacebook",
      "attributes": {
        "Prospect name": "B. Vo"
      }
    },
    {
      "domain": "Sales.EMEA",
      "action": "Search",
      "service": "Mobile.Users search",
      "identityProvider": "Social Networks.Chirper",
      "attributes": {
        "Prospect name": "A. Mann"
      }
    }
  ]
}

Query requests

Query requests differ from individual and batch JSON PDP API requests in allowing the following types of attributes:

  • Unbounded: Attributes without specified values. Their values can be resolved at decision runtime by calling external services or referencing other query attributes.

    You must enable and configure query settings for unbounded attributes. Learn more in Enabling query settings.

  • Multivalued: Attributes with multiple values specified.

A query request includes the following fields:

  • query: An array containing the following elements:

    • attribute: The full name of an unbounded, multivalued, or standard authorization attribute.

    • values (optional): An array defining the values of the attribute. If multiple values are included, the attribute is treated as multivalued. If the attribute is unbounded, omit this field.

      You cannot leave the values array empty in embedded policy decision point (PDP) mode. In external PDP mode, attributes with an empty values array are treated as unbounded.

    The query array has the following constraints:

    • At most one attribute can be included without values (unbounded).

    • At most two attributes can be multivalued.

    • At most three attributes can be included in the array, but not all three can be multivalued or unbounded.

  • context (optional): A JSON object containing the same fields as a standard individual JSON request.

You can include single-valued attributes in either the query or context fields. When a single-valued attribute is included in query, it appears in each element of the results array in the response.

The following example asks which actions Joe can perform on the account:

Example
{
  "query": [
    {
      "attribute": "action"
    },
    {
      "attribute": "Subject",
      "values": ["{\"id\": 23, \"name\":\"Joe\"}"]
    },
    {
      "attribute": "Resource",
      "values": ["account"]
    }
  ]
}

Learn more in Policy queries.
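
The query array constraints listed above can be checked on the client before a request is sent. The following is an added example, not code from the PingAuthorize documentation or product. The function names and the mode strings "embedded" and "external" are assumptions, and the three-attribute rule is read as "when three attributes are present, at least one must be single-valued".

```python
from collections import Counter

def classify(element, mode):
    """Classify one query element: unbounded, single, multivalued or invalid."""
    if "values" not in element:
        return "unbounded"
    values = element["values"]
    if not isinstance(values, list):
        return "invalid"
    if not values:
        # Empty array: not allowed in embedded PDP mode, unbounded in external mode.
        return "invalid" if mode == "embedded" else "unbounded"
    return "single" if len(values) == 1 else "multivalued"

def validate_query(request, mode="embedded"):
    """Return the list of violated query constraints; an empty list means none."""
    query = request.get("query")
    if not isinstance(query, list):
        return ["query must be an array"]
    errors, kinds = [], Counter()
    for i, element in enumerate(query):
        if not isinstance(element, dict) or not isinstance(element.get("attribute"), str):
            errors.append(f"query[{i}]: attribute name is missing")
            continue
        kind = classify(element, mode)
        if kind == "invalid":
            errors.append(f"query[{i}]: values must be an array (non-empty in embedded mode)")
        kinds[kind] += 1
    if len(query) > 3:
        errors.append("more than three attributes in query")
    if kinds["unbounded"] > 1:
        errors.append("more than one unbounded attribute")
    if kinds["multivalued"] > 2:
        errors.append("more than two multivalued attributes")
    if len(query) == 3 and kinds["unbounded"] + kinds["multivalued"] == 3:
        errors.append("all three attributes are multivalued or unbounded")
    return errors

# Sample requests: the first is the page's example, the other two are constructed.
PAGE_EXAMPLE = {"query": [
    {"attribute": "action"},
    {"attribute": "Subject", "values": ['{"id": 23, "name":"Joe"}']},
    {"attribute": "Resource", "values": ["account"]}]}
TOO_WIDE = {"query": [
    {"attribute": "action"},
    {"attribute": "Subject", "values": ["Joe", "Ann"]},
    {"attribute": "Resource", "values": ["account", "profile"]}]}
EMPTY_VALUES = {"query": [{"attribute": "action", "values": []},
                          {"attribute": "Resource", "values": ["account"]}]}
```

Calling validate_query(EMPTY_VALUES) with each mode shows the difference between the two PDP modes: the same request is rejected for embedded mode and accepted, with action treated as unbounded, for external mode.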