Value settings
Every attribute has a defined data type that constrains the set of allowable values and provides a predictable behavior model for value processing and other data transformations.
Catching type inconsistencies early helps with building and testing the Trust Framework. The primary types for accepting data into the system and for producing output data are JSON, XML, and UTF-8 text (known as string). The remaining types are used within the Trust Framework for more fine-grained data processing.
All data types have conversions to and from a canonical String representation. Conversion of other formats, such as alternative date or time representations, requires the use of user-defined value processing. Learn more in Processors.
Examples of type conversions when data enters the Policy Decision Point (PDP) include:
- Attribute default values you define in the user interface are textual. The system converts these to the type defined by the attribute before use.
- Attributes might take their values from fields in the decision request, which are textual. The system converts the value to the type defined by the attribute before use.
- The PDP might invoke external services to retrieve data. Typical response formats are JSON, XML and String. JSON Path or XPath value processing can extract components of a response, typically as text, which the system then converts to the types defined by an attribute before use.
Examples of type conversions when exporting data from the PDP include:
- Building a request for a service invocation. Attributes might be request parameters directly or might be used in Attribute interpolation. In both cases, the system uses the canonical conversion to a String format.
- Adding attribute data to statements, either directly or through Attribute Interpolation. Again, the system uses the canonical conversion to String format.
- In all logging and response data that includes attribute values, the system renders those values using their canonical String representations.
The following table lists the data types:
Data type | Description |
---|---|
Boolean | A simple true or false. True can be represented in textual form, such as in default values or decision request parameters, as Case is insignificant. In value processing contexts such as SpEL expressions, the value is a |
Number | A numeric value. Decimal integers and reals are supported, including scientific notation. In value processing contexts, the value is a |
Date | A date, such as "23 April 2020." The textual representation is ISO-8601; for example, In value processing contexts, the value is a Date values can be converted to the following types: |
Time | A time of day, such as 4:15 pm and 30 seconds. The textual representation is ISO-8601. The maximum resolution is microseconds. For example, In value processing contexts, the value is a Time values cannot be converted to other types. |
Date Time | A date and time of day, such as 4:15 pm and 30 seconds on April 23, 2020. The textual representation is ISO-8601. The maximum resolution is microseconds. For example, In value processing contexts, the value is a Date Time values can be converted to the following types: |
Zoned Date Time | A date and time of day with a time zone expressed as an offset from UTC. The textual representation is ISO-8601. For example, In value processing contexts, the value is a Zoned Date Time values can be converted to the following types, dropping the appropriate information in each case: |
Duration | A time duration expressible in seconds or fractions of a second. The textual representation is ISO-8601. For example: In value processing contexts, the value is a Duration values cannot be converted to other types. |
Period | A time period expressible in calendric units, such as a number of days or months. The textual representation is ISO-8601. For example: In value processing contexts, the value is a Period values cannot be converted to other types. |
JSON | A JSON document. This type is most useful for bringing data into and out of the PDP. It is the only type that is subject to JSON Path value processors. The textual representation is JSON. In value processing contexts, the value is a |
XML | An XML document. This type is most useful for bringing data into and out of the PDP. It is the only type that is subject to XPath value processors. The textual representation is XML. In value processing contexts, the value is a |
Collection | An ordered collection of other value types. Only valid value types as described here can be members of collections. JSON-formatted arrays are valid textual representations of collections. In value processing contexts, a collection is a Use only the |
String | All other data is interpreted as UTF-8 text, stored internally as UTF-16. In value processing contexts, these values are |
The legacy Date Time and Time Period types are ambiguous unions of the types described above. They are retained for backward compatibility only. For new Trust Frameworks, use the more specific types.
Default value
You can give attributes an optional default value in the event that the attribute cannot be resolved.
In addition, you can use a default value to encode constant attributes within the Trust Framework by not setting any resolvers and always resolving to the default value.
Secrets
To encrypt an attribute’s values in PingAuthorize logs, you can enable secrets for that attribute.
Depending on which mode you have configured PingAuthorize in, these secrets are recorded in one of two logs:
- Embedded PDP mode: The attributes are encrypted in PingAuthorize/policy-decision.log.
- External PDP mode: The attributes are encrypted in the decision-audit.log file distributed with the Policy Editor, but not PingAuthorize/policy-decision.log.
To decrypt an attribute’s value, run the following command. In this example, RSNH/SPsNJSFQyyLSxdKsw== represents the encrypted attribute string, and 54655374506153735068526153653939 represents the encryption key in hexadecimal. By default, the encryption key is TeStPaSsPhRaSe99, and cannot be changed.
echo -n "RSNH/SPsNJSFQyyLSxdKsw==" | base64 -d | openssl enc -aes-128-ecb -d -K "54655374506153735068526153653939"
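
The decryption step above, wrapped as an added example (not PingAuthorize code): it derives the hexadecimal key from the default passphrase quoted on this page, round-trips a constructed value, and checks that AES-128-ECB output is deterministic. It assumes bash, openssl, base64 and od are available; the function names and the sample plaintext are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not vendor code. The passphrase is the default quoted on this page.
set -euo pipefail

PASSPHRASE='TeStPaSsPhRaSe99'

# Hex-encode the 16 ASCII bytes of the passphrase: this is the value given to openssl -K.
key_hex() {
  printf '%s' "$PASSPHRASE" | od -An -tx1 | tr -d ' \n'
}

# Decrypt one base64 value copied from the decision log (same pipeline as the page's command).
decrypt_secret() {
  printf '%s' "$1" | base64 -d | openssl enc -aes-128-ecb -d -K "$(key_hex)"
}

# Encrypt a value the same way; used here only to build constructed samples.
encrypt_secret() {
  printf '%s' "$1" | openssl enc -aes-128-ecb -K "$(key_hex)" | base64 | tr -d '\n'
}

# ECB with a fixed key has no IV or salt, so equal plaintexts give equal ciphertexts.
# Prints "yes" when two encryptions of the same input match.
is_deterministic() {
  if [ "$(encrypt_secret "$1")" = "$(encrypt_secret "$1")" ]; then
    echo yes
  else
    echo no
  fi
}

# Constructed sample: a made-up attribute value as it would appear in the log,
# then recovered the way any reader of the log could recover it.
sample=$(encrypt_secret 'constructed-secret')
echo "key (hex):     $(key_hex)"
echo "logged value:  $sample"
echo "recovered:     $(decrypt_secret "$sample")"
echo "deterministic: $(is_deterministic 'constructed-secret')"
```

Because the key is a fixed, documented default and ECB is deterministic, anyone with read access to these logs can recover or correlate the values, so file permissions and log-forwarding access controls are what actually protect them.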