PingAuthorize

Query request and response examples

The following examples highlight different query request and response formats supported by the JSON PDP API. Learn more about the structure of such requests and responses in JSON PDP API request and response flow.

Using a query attribute with no values specified

The following request asks, "Which actions can the specified user perform on accounts?":

{
    "query": [
        {
            "attribute": "Action"
        },
        {
            "attribute": "Subject",
            "values": ["John Smith"]
        },
        {
            "attribute": "Resource",
            "values": ["account"]
        }
    ]
}

The response returns each action that produced a PERMIT decision, given the specified subject and resource:

{
  "requestId": "4da494e4-2f50-4165-b1b3-644981564196",
  "timeStamp": "2024-09-19T21:44:51.905443Z",
  "deploymentPackageId": "ed614a98-f4d0-483a-b9dd-574aa327ad11",
  "elapsedTime": 7,
  "result": [
     {
       "attribute": "Action",
       "value": "edit",
       "results": [
           {
               "attribute": "Subject",
               "value": "John Smith",
               "results": [
                   {
                       "attribute": "Resource",
                       "value": "account",
                       "decision": "PERMIT"
                   }
               ]
           }
       ]
     },
     {
       "attribute": "Action",
       "value": "view",
       "results": [
           {
               "attribute": "Subject",
               "value": "John Smith",
               "results": [
                   {
                       "attribute": "Resource",
                       "value": "account",
                       "decision": "PERMIT"
                   }
               ]
           }
       ]
     }
  ]
}

Using a query attribute with multiple values specified

The following request uses a request attribute with multiple values to ask, "Can the specified user edit or view account information?":

{
    "query": [
        {
            "attribute": "Action",
            "values": ["edit", "view"]
        },
        {
            "attribute": "Subject",
            "values": ["Tom Johnson"]
        },
        {
            "attribute": "Resource",
            "values": ["account"]
        }
    ]
}

The response returns each action that produced a PERMIT decision, given the specified subject and resource:

{
   "requestId": "af52d214-6dbb-4699-9fe1-74ec88ccebac",
   "timeStamp": "2024-09-20T01:40:04.381703Z",
   "deploymentPackageId": "292863fe-2cde-440f-9c7b-9aee4a8dc94e",
   "elapsedTime": 4,
   "results": [
      {
         "attribute": "Action",
         "value": "edit",
         "results": [
             {
                "attribute": "Subject",
                "value": "John Smith",
                "results": [
                    {
                       "attribute": "Resource",
                       "value": "account",
                       "decision": "PERMIT"
                    }
               ]
             }
         ]
      },
      {
        "attribute": "Action",
        "value": "view",
        "results": [
            {
               "attribute": "Subject",
               "value": "John Smith",
               "results": [
                   {
                     "attribute": "Resource",
                     "value": "account",
                     "decision": "PERMIT"
                   }
               ]
            }
        ]
      }
   ]
}

Using a query attribute with no values specified and a query attribute with multiple values specified

The following request asks, "Which users can either edit or view bank accounts?":

{
    "query": [
        {
            "attribute": "Subject"
        },
        {
            "attribute": "Action",
            "values": ["edit", "view"]
        },
        {
            "attribute": "Resource",
            "values": ["account"]
        }
    ]
}

The response returns each user that produced a PERMIT decision on either of the specified actions, given the specified resource:

{
   "requestId": "2d3fe162-7490-43a4-abdf-56c978a35abf",
   "timeStamp": "2024-09-20T01:53:06.102542Z",
   "deploymentPackageId": "292863fe-2cde-440f-9c7b-9aee4a8dc94e",
   "elapsedTime": 4,
   "results": [
      {
         "attribute": "Subject",
         "value": "John Smith",
         "results": [
             {
                "attribute": "Action",
                "value": "edit",
                "results": [
                    {
                       "attribute": "Resource",
                       "value": "account",
                       "decision": "PERMIT"
                    }
                ]
             },
             {
                "attribute": "Action",
                "value": "view",
                "results": [
                    {
                       "attribute": "Resource",
                       "value": "account",
                       "decision": "PERMIT"
                    }
                ]
             }
         ]
      },
      {
        "attribute": "Subject",
        "value": "Sally White",
        "results": [
            {
               "attribute": "Action",
               "value": "edit",
               "results": [
                   {
                     "attribute": "Resource",
                     "value": "account",
                     "decision": "PERMIT"
                   }
               ]
            }
        ]
      }
   ]
}
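The nested results in the samples above follow the order of the query attributes in the request, and only the innermost node carries a decision. The following is an added example, not part of the PingAuthorize documentation: it flattens a response into one row per leaf so a caller can filter on explicit PERMIT decisions. The function names are hypothetical, and the sample input is built from the third response on this page.

```python
import json

# Constructed sample: the third response above, trimmed to the fields used here.
SAMPLE_RESPONSE = json.loads("""
{
  "results": [
    {"attribute": "Subject", "value": "John Smith", "results": [
      {"attribute": "Action", "value": "edit", "results": [
        {"attribute": "Resource", "value": "account", "decision": "PERMIT"}]},
      {"attribute": "Action", "value": "view", "results": [
        {"attribute": "Resource", "value": "account", "decision": "PERMIT"}]}]},
    {"attribute": "Subject", "value": "Sally White", "results": [
      {"attribute": "Action", "value": "edit", "results": [
        {"attribute": "Resource", "value": "account", "decision": "PERMIT"}]}]}
  ]
}
""")

def flatten(response):
    """Return one dict per leaf: {attribute: value, ..., "decision": ...}."""
    # The first sample on this page uses a top-level "result" key and the
    # others use "results", so both are accepted here.
    top = response.get("results", response.get("result", []))
    rows = []

    def walk(nodes, path):
        for node in nodes:
            here = {**path, node["attribute"]: node["value"]}
            if "results" in node:
                walk(node["results"], here)
            else:
                # Leaf: a missing decision is recorded as None, never assumed PERMIT.
                rows.append({**here, "decision": node.get("decision")})

    walk(top, {})
    return rows

def permitted(response, **constraints):
    """Rows with an explicit PERMIT whose attributes match every constraint."""
    return [r for r in flatten(response)
            if r["decision"] == "PERMIT"
            and all(r.get(k) == v for k, v in constraints.items())]

def subjects_permitted(response, action):
    """Sorted subject names that hold an explicit PERMIT for the given action."""
    return sorted({r["Subject"] for r in permitted(response, Action=action)})
```

Passing the values sent in the request as constraints to `permitted` also confirms that the rows returned answer the question that was asked before they are used for enforcement.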

Using query attributes to resolve other query attributes

When building the Trust Framework around your policy query use case, you can use resolvers to create chains of dependence between query attributes.

In this example, the Account attribute is configured with query settings to enable authorization questions, such as "Which accounts can this user update?" The AccountList attribute is configured as the Account attribute’s source collection:

Screen capture of the Account attribute with query settings enabled. The Account.AccountList attribute is selected as the source.

Screen capture of the Account.AccountList attribute. The attribute is defined with a Services.Accounts service resolver.

The AccountList attribute uses the Accounts service as its resolver, and this service interpolates the User attribute in its endpoint URL definition:

Screen capture of the Services.Accounts service. The service is of type HTTP and is defined with an example API URL interpolating the User attribute.

The following query request asks, "Which accounts can John Smith edit?":

{
    "query": [
        {
            "attribute": "Account"
        },
        {
            "attribute": "Subject",
            "values": ["John Smith"]
        },
        {
            "attribute": "Action",
            "values": ["edit"]
        }
    ]
}

In resolving the Account attribute, the Accounts service uses the single-valued User attribute included in the request to make an HTTP call and retrieve a list of accounts. The response then returns an array of accounts that produced a PERMIT decision, given the specified user and action.

Using multivalued or unbounded query attributes to resolve other query attributes is not currently supported.