The XACML-JSON PDP API first converts the XACML-JSON request to a batch decision request
for the policy decision point to be consumed by the Policy Decision Service. Policies can
match a decision request by Service
, Domain
,
Action
, or other attributes.
The following example XACML-JSON request body illustrates the conversion to a batch decision request. For an example with more than one decision request, see Example.
{
"Request": {
"MultiRequests": {
"RequestReference": [{
"ReferenceId": [
"dom",
"act",
"srv",
"idp",
"att"
]
}]
},
"AccessSubject": [{
"Id": "dom",
"Attribute": [{
"AttributeId": "domain",
"Value": "Sales.Asia Pacific"
}]
}],
"Action": [{
"Id": "act",
"Attribute": [{
"AttributeId": "action",
"Value": "Retrieve"
}]
}],
"Resource": [{
"Id": "srv",
"Attribute": [{
"AttributeId": "service",
"Value": "Mobile.Landing page"
}]
}],
"Environment": [{
"Id": "idp",
"Attribute": [{
"AttributeId": "symphonic-idp",
"Value": "Social networks.Spacebook"
}]
}],
"Category": [{
"Id": "att",
"Attribute": [{
"AttributeId": "attribute:Prospect name",
"Value": "B. Vo"
}]
}]
}
}
The previous example shows a single decision request with the following attributes:
- A domain of
Sales.Asia Pacific
- An action of
Retrieve
- A service of
Mobile.Landing page
- An identity provider of
Social networks.Spacebook
- A single attribute named
Prospect name
, with a value ofB. Vo
The following table shows how these values map from the Trust Framework entities to the XACML-JSON request.
Parent (JSON Path) | Field (JSON Path) | PingAuthorize Trust Framework type | Example value |
---|---|---|---|
$.Request |
$.AccessSubject[*].Attribute[?(@.AttributeId ==
"domain")].Value |
Domain | Sales.Asia Pacific |
$.Action[*].Attribute[?(@.AttributeId ==
"action")].Value |
Action | Retrieve |
|
$.Resource[*].Attribute[?(@.AttributeId ==
"service")].Value |
Service | Mobile.​Landing page |
|
$.Environment[*].Attribute[?(@.AttributeId ==
"symphonic-idp")].Value |
Identity Provider | Social Networks.​Spacebook |
|
$.Category[*].Attribute[?(@.AttributeId ==
"attribute:Prospect name")].Value |
Other Attribute (Prospect name in this case) |
B. Vo |
To illustrate how you can match rules against the Prospect name
Trust
Framework attribute, the following image shows how Prospect name
is
defined in the Policy Editor. In this example, the
Prospect name
attribute has a Request resolver and a
Value Settings Type of String
.
The Trust Framework attribute name must be a case-sensitive match with the
decision request AttributeId
after the attribute:
prefix is removed.