The PDP API first converts the XACML-JSON request to a batch decision request for the
policy decision point to be consumed by the Policy Decision Service. Policies can match a
decision request by Service
, Domain
,
Action
, or other attributes.
The following example XACML-JSON request body illustrates the conversion to a batch decision request. For an example with more than one decision request, see Example.
{
"Request": {
"MultiRequests": {
"RequestReference": [{
"ReferenceId": [
"dom",
"act",
"srv",
"idp",
"att"
]
}]
},
"AccessSubject": [{
"Id": "dom",
"Attribute": [{
"AttributeId": "domain",
"Value": "Sales.Asia Pacific"
}]
}],
"Action": [{
"Id": "act",
"Attribute": [{
"AttributeId": "action",
"Value": "Retrieve"
}]
}],
"Resource": [{
"Id": "srv",
"Attribute": [{
"AttributeId": "service",
"Value": "Mobile.Landing page"
}]
}],
"Environment": [{
"Id": "idp",
"Attribute": [{
"AttributeId": "symphonic-idp",
"Value": "Social networks.Spacebook"
}]
}],
"Category": [{
"Id": "att",
"Attribute": [{
"AttributeId": "attribute:Prospect name",
"Value": "B. Vo"
}]
}]
}
}
The previous example shows a single decision request with the following attributes:
- A domain of
Sales.Asia Pacific
- An action of
Retrieve
- A service of
Mobile.Landing page
- An identity provider of
Social networks.Spacebook
- A single attribute named
Prospect name
, with a value ofB. Vo
The following table shows how these values map from the Trust Framework entities to the XACML-JSON request.
Parent (JSON Path) | Field (JSON Path) | PingDataGovernance Trust Framework type | Example value |
---|---|---|---|
$.Request |
$.AccessSubject[*].Attribute[?(@.AttributeId ==
"domain")].Value |
Domain | Sales.Asia Pacific |
$.Action[*].Attribute[?(@.AttributeId ==
"action")].Value |
Action | Retrieve |
|
$.Resource[*].Attribute[?(@.AttributeId ==
"service")].Value |
Service | Mobile.​Landing page |
|
$.Environment[*].Attribute[?(@.AttributeId ==
"symphonic-idp")].Value |
Identity Provider | Social Networks.​Spacebook |
|
$.Category[*].Attribute[?(@.AttributeId ==
"attribute:Prospect name")].Value |
Other Attribute (Prospect name in this case) |
B. Vo |
To illustrate how you can match rules against the Prospect name
Trust
Framework attribute, the following image shows how Prospect name
is
defined in the Policy Administration GUI. In this example, the Prospect
name
attribute has a Request resolver and a Value Settings
Type of String
.
The Trust Framework attribute name must be a case-sensitive match with the
decision request AttributeId
after the attribute:
prefix is removed.