The services and datastores from which additional policy information is retrieved range from development and testing environments to preproduction and production environments.

For example, you might use a Trust Framework service to retrieve a user's consent from the PingDirectory Consent API. This service depends on the URL of the Consent API, the username and password that are used for authentication, and other items that vary between development, preproduction, and production environments.

About policy configuration keys

To avoid hard-coding values such as URLs, usernames, or passwords, Trust Framework attributes can refer to policy configuration keys, which are key/value pairs defined outside of the Trust Framework and provided to the policy engine at runtime.

To define a Trust Framework attribute that uses a policy configuration key, configure the attribute with a Configuration Key resolver and the name of the policy configuration key.

For example, in the following image, an attribute called ConsentServiceBaseUri is configured to use a policy configuration key called ConsentBaseUri.

Screen capture of the ConsentServiceBaseUri attribute window with the Parent field left blank and the Resolvers section showing the specified configuration

The means by which policy configuration keys are provided to the policy engine differ based on whether the PingAuthorize Server is configured to use external PDP mode or embedded PDP mode, as shown in the following table.

Mode Where to define policy configuration keys
External PDP mode

An options file and run the Policy Editor’s setup tool.

See Define policy configuration keys in a development environment.

Embedded PDP mode

The PingAuthorize Server configuration.

See Define policy configuration keys in a preproduction environment.