PingAuthorize

Value settings

Every attribute has a defined data type that constrains the set of allowable values and provides a predictable behavior model for value processing and other data transformations.

Catching type inconsistencies early helps when building and testing the Trust Framework. The primary types for accepting data into the system and for producing output are JSON, XML, and UTF-8 text (the String type). The remaining types are used within the Trust Framework for more fine-grained data processing.

All data types have conversions to and from a canonical String representation. Conversion of other formats, such as alternative date or time representations, requires the use of user-defined value processing. Learn more in Processors.

Examples of type conversions when data enters the Policy Decision Point (PDP) include:

  • Attribute default values you define in the user interface are textual. The system converts these to the type defined by the attribute before use.

  • Attributes might take their values from fields in the decision request, which are textual. The system converts the value to the type defined by the attribute before use.

  • The PDP might invoke external services to retrieve data. Typical response formats are JSON, XML and String. JSON Path or XPath value processing can extract components of a response, typically as text, which the system then converts to the types defined by an attribute before use.

Examples of type conversions when exporting data from the PDP include:

  • Building a request for a service invocation. Attributes might be request parameters directly or might be used in Attribute interpolation. In both cases, the system uses the canonical conversion to a String format.

  • Adding attribute data to statements, either directly or through Attribute Interpolation. Again, the system uses the canonical conversion to String format.

  • In all logging and response data that includes attribute values, the system renders those values using their canonical String representations.

The following table lists the data types. For each type it gives the textual representation, the Java class the value appears as in value processing contexts, and the conversions to other types that are permitted:

Boolean

A simple true or false.

True can be represented in textual form, such as in default values or decision request parameters, as true, yes, or 1. False can be represented by false, no, or 0.

Case is insignificant.

In value processing contexts such as SpEL expressions, the value is a java.lang.Boolean instance.

Number

A numeric value.

Decimal integers and reals are supported, including scientific notation.

In value processing contexts, the value is a java.math.BigDecimal instance.

Date

A date, such as "23 April 2020."

The textual representation is ISO-8601; for example, 2020-04-23.

In value processing contexts, the value is a java.time.LocalDate.

Date values can be converted to the following types:

  • Date Time (the time component becomes 00:00:00)

  • Zoned Date Time (the time zone is assumed to be UTC)

Time

A time of day, such as 4:15 pm and 30 seconds.

The textual representation is ISO-8601.

The maximum resolution is microseconds. For example, 16:15:30, 16:15:30.783, and 16:15:30.783239 are all valid.

In value processing contexts, the value is a java.time.LocalTime.

Time values cannot be converted to other types.

Date Time

A date and time of day, such as 4:15 pm and 30 seconds on April 23, 2020.

The textual representation is ISO-8601.

The maximum resolution is microseconds. For example, 2020-04-23T16:15:30 or 2020-04-23T16:15:30.783239.

In value processing contexts, the value is a java.time.LocalDateTime.

Date Time values can be converted to the following types:

  • Date and Time, dropping the appropriate information in each case.

  • Zoned Date Time. The time zone is assumed to be UTC.

Zoned Date Time

A date and time of day with a time zone expressed as an offset from UTC.

The textual representation is ISO-8601. For example, 2020-04-23T16:15:30.783+01:00.

In value processing contexts, the value is a java.time.ZonedDateTime.

Zoned Date Time values can be converted to the following types, dropping the appropriate information in each case:

  • Date Time

  • Date

  • Time

Duration

A time duration expressible in seconds or fractions of a second.

The textual representation is ISO-8601. For example:

  • PT3H for 3 hours

  • PT2M45.836S for 2 minutes and 45.836 seconds

In value processing contexts, the value is a java.time.Duration.

Duration values cannot be converted to other types.

Period

A time period expressible in calendar units, such as a number of days or months.

The textual representation is ISO-8601. For example:

  • P9Y for 9 years

  • P3M2D for 3 months and 2 days

In value processing contexts, the value is a java.time.Period.

Period values cannot be converted to other types.

JSON

A JSON document.

This type is most useful for bringing data into and out of the PDP. It is the only type that is subject to JSON Path value processors.

The textual representation is JSON.

In value processing contexts, the value is a java.util.Map or java.util.Collection.

XML

An XML document.

This type is most useful for bringing data into and out of the PDP. It is the only type that is subject to XPath value processors.

The textual representation is XML.

In value processing contexts, the value is an org.w3c.dom.Document.

Collection

An ordered collection of other value types.

Only valid value types as described here can be members of collections. JSON-formatted arrays are valid textual representations of collections.

In value processing contexts, a collection is a java.util.Collection; however, the objects it contains are of an internal type, so do not rely on their class.

Use only get(int), the java.util.List accessor, to retrieve items by zero-based integer index.

String

All other data is interpreted as UTF-8 text, stored internally as UTF-16.

In value processing contexts, these values are java.lang.String.

The legacy Date Time and Time Period types are ambiguous unions of the types described above. They are retained for backward compatibility only. For new Trust Frameworks, use the more specific types.
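The following is an added example, not PingAuthorize code, that models the textual forms, the conversions on entry described earlier on this page, and the permitted conversions in the table above using the Java types that value processing contexts expose. The class and method names are this example's own. One assumption is called out in the code: the page says only that converting a Zoned Date Time drops information, not whether the value is first normalised to UTC, so the example keeps the wall-clock fields as written.

```java
import java.math.BigDecimal;
import java.time.Duration;
import java.time.LocalDate;
import java.time.LocalDateTime;
import java.time.LocalTime;
import java.time.Period;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.Locale;

/*
 * Added example, not PingAuthorize code: parses the textual forms from the
 * table into the Java types value processing contexts expose and applies the
 * conversions the table permits. Method names are this example's own.
 */
public class TrustFrameworkTypes {

    // Boolean: true/yes/1 and false/no/0, case-insensitive. Anything else is
    // rejected rather than silently treated as false.
    static Boolean toBoolean(String text) {
        switch (text.trim().toLowerCase(Locale.ROOT)) {
            case "true": case "yes": case "1": return Boolean.TRUE;
            case "false": case "no": case "0": return Boolean.FALSE;
            default: throw new IllegalArgumentException("not a Boolean: " + text);
        }
    }

    // Number: decimal integers and reals, scientific notation included.
    // BigDecimal keeps the exact value, so "1.5e3" compares equal to 1500.
    static BigDecimal toNumber(String text) {
        return new BigDecimal(text.trim());
    }

    // Date -> Date Time: the time component becomes 00:00:00.
    static LocalDateTime dateToDateTime(LocalDate date) {
        return date.atStartOfDay();
    }

    // Date Time -> Zoned Date Time: the time zone is assumed to be UTC.
    static ZonedDateTime dateTimeToZoned(LocalDateTime dateTime) {
        return dateTime.atZone(ZoneOffset.UTC);
    }

    // Zoned Date Time -> Date Time / Date / Time: the offset is dropped and the
    // wall-clock fields are kept as written. ASSUMPTION: the page does not say
    // whether the PDP normalises to UTC first; confirm with a test policy.
    static LocalDateTime zonedToDateTime(ZonedDateTime zoned) {
        return zoned.toLocalDateTime();
    }
    static LocalDate zonedToDate(ZonedDateTime zoned) { return zoned.toLocalDate(); }
    static LocalTime zonedToTime(ZonedDateTime zoned) { return zoned.toLocalTime(); }

    // Time, Duration and Period permit no conversions, so this example
    // deliberately offers none: they are parsed and used as they are.

    public static void main(String[] args) {
        // Textual forms as they arrive in default values or request fields.
        System.out.println(toBoolean("YES") + " " + toBoolean("0"));
        System.out.println(toNumber("1.5e3").compareTo(new BigDecimal("1500")) == 0);

        LocalDate date = LocalDate.parse("2020-04-23");
        LocalDateTime dateTime = dateToDateTime(date);
        ZonedDateTime zoned = dateTimeToZoned(dateTime);
        System.out.println(dateTime + " " + zoned);

        ZonedDateTime withOffset = ZonedDateTime.parse("2020-04-23T16:15:30.783+01:00");
        System.out.println(zonedToDateTime(withOffset) + " "
                + zonedToDate(withOffset) + " " + zonedToTime(withOffset));

        // Microsecond resolution and the ISO-8601 duration and period forms.
        System.out.println(LocalTime.parse("16:15:30.783239"));
        System.out.println(Duration.parse("PT2M45.836S").toMillis() + " ms");
        Period period = Period.parse("P3M2D");
        System.out.println(period.getMonths() + " months, " + period.getDays() + " days");

        // A type inconsistency caught early: "maybe" is not a Boolean.
        try {
            toBoolean("maybe");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The parsers used here (LocalDate.parse, LocalTime.parse, ZonedDateTime.parse, Duration.parse, Period.parse) accept exactly the ISO-8601 forms the table quotes, which makes them a convenient way to check candidate default values before putting them in a Trust Framework.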

Default value

You can give attributes an optional default value in the event that the attribute cannot be resolved.

In addition, you can use a default value to encode constant attributes within the Trust Framework by not setting any resolvers and always resolving to the default value.

Secrets

To encrypt an attribute’s values in PingAuthorize logs, you can enable secrets for that attribute.

Depending on which mode you have configured PingAuthorize in, these secrets are recorded in one of two logs:

  • Embedded PDP mode: The attributes are encrypted in PingAuthorize/policy-decision.log.

  • External PDP mode: The attributes are encrypted in the decision-audit.log file distributed with the Policy Editor, but not PingAuthorize/policy-decision.log.

To decrypt an attribute's value, run the following command. In this example, RSNH/SPsNJSFQyyLSxdKsw== represents the encrypted attribute string, and 54655374506153735068526153653939 represents the encryption key in hexadecimal. The encryption key is fixed at TeStPaSsPhRaSe99 (the hexadecimal above is its ASCII encoding) and cannot be changed.

echo -n "RSNH/SPsNJSFQyyLSxdKsw==" | base64 -d | openssl enc -aes-128-ecb -d -K "54655374506153735068526153653939"

Because the key is fixed and published here, this encryption stops casual reading of secret values in the log but does not protect them from anyone who can read the log file. Treat the log files' confidentiality (file permissions, log shipping, retention) as the real control, exactly as if the values were logged in clear. Note also that AES in ECB mode with a fixed key and no IV is deterministic: equal attribute values always produce equal ciphertext, so repeated secret values can be correlated across log entries without decrypting anything.
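The following is an added example, not PingAuthorize code, that performs the same decryption as the openssl command above from the JVM, for log-processing tooling, and then demonstrates the ECB property with a constructed value. The class and method names are this example's own; the key and the ciphertext are the ones quoted on this page, and "example-value" is a constructed input.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/*
 * Added example, not PingAuthorize code. Class and method names are this
 * example's own.
 */
public class SecretAttributeCodec {

    // The fixed key from this page: TeStPaSsPhRaSe99, 16 bytes, hence AES-128.
    static final byte[] KEY = "TeStPaSsPhRaSe99".getBytes(StandardCharsets.US_ASCII);

    // openssl enc without -nopad uses PKCS#7 padding; the JCE name for the same
    // scheme is PKCS5Padding. ECB has no IV, matching the -K-only command.
    static final String TRANSFORM = "AES/ECB/PKCS5Padding";

    static Cipher cipher(int mode) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(mode, new SecretKeySpec(KEY, "AES"));
        return c;
    }

    // Decrypt one base64 value as it appears in the log; equivalent to the command.
    static String decrypt(String base64Ciphertext) throws Exception {
        byte[] ct = Base64.getDecoder().decode(base64Ciphertext);
        if (ct.length % 16 != 0) {
            throw new IllegalArgumentException("not a whole number of AES blocks: " + ct.length);
        }
        return new String(cipher(Cipher.DECRYPT_MODE).doFinal(ct), StandardCharsets.UTF_8);
    }

    // Encrypt the same way, used only to show the ECB property below.
    static String encrypt(String plaintext) throws Exception {
        byte[] ct = cipher(Cipher.ENCRYPT_MODE).doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ct);
    }

    public static void main(String[] args) throws Exception {
        // The ciphertext quoted on this page.
        System.out.println(decrypt("RSNH/SPsNJSFQyyLSxdKsw=="));

        // Constructed value: with a fixed key and no IV, equal inputs give equal
        // outputs, so two log entries carrying the same secret are linkable
        // without decrypting either of them.
        String first = encrypt("example-value");
        String second = encrypt("example-value");
        System.out.println(first.equals(second));
    }
}
```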