The Trust Framework defines all the entities that your organization can use to build policies. These entities include, for example, the HTTP request attributes that describe API requests protected by PingDataGovernance Server and the services that identify the REST APIs themselves.
- PingDataGovernance Server receives a SCIM 2.0 or API request and translates it to a policy request.
- PingDataGovernance Server submits the policy request to the PDP for evaluation.
- The PDP applies any matching policies to the policy request and then issues a policy decision.
- PingDataGovernance Server uses the policy decision to determine how to proceed with the request, depending on the decision result (typically PERMIT or DENY) and any advices included with the decision.
-
A policy decision with a DENY result could cause PingDataGovernance Server to reject a request because it originates from an untrusted IP address.
-
A policy decision with the Exclude Attributes advice could cause PingDataGovernance Server to remove specific attributes from an API response because the requesting user lacks a necessary entitlement.
Each policy request that PingDataGovernance Server generates includes a specific set of attributes. These attributes vary based on the service being used. For more information, see the following topics:
Policy request structure is tightly coupled to the Trust Framework. If the Trust Framework entity definitions do not match the policy requests generated by PingDataGovernance Server, then PingDataGovernance Server does not function as expected. For this reason, your Trust Framework should always be based on the default policies included with the server installation package in the file resource/policies/defaultPolicies.SNAPSHOT.
For information about working with the Trust Framework to customize your organization's policies, see Trust Framework.
Trust Framework versions
The policy request structure used by PingDataGovernance Server is versioned so that
it can evolve across releases of the server. You configure the version in the Policy
Decision Service using the trust-framework-version property.
PingDataGovernance Server always supports a minimum of two Trust Framework versions,
the current (and preferred) Trust Framework version and the previous Trust Framework
version.
When an instance of PingDataGovernance Server is first installed, the Trust Framework version is undefined. The server raises an alarm to indicate this condition and to provide instructions about how to set the preferred version.
You should explicitly set the version to the preferred version. For example, the following dsconfig command configures the Policy Decision Service to form policy requests using Trust Framework version v2.
dsconfig set-policy-decision-service-prop \
--set trust-framework-version:v2New releases of PingDataGovernance Server might introduce changes to the way that the server generates policy requests, potentially in ways that are not backward-compatible with the Trust Framework and policies used in a previous release. In these cases, PingDataGovernance Server will prefer the new Trust Framework version and raises an alarm with instructions to move to the new Trust Framework version. Existing policies will continue to work with the older Trust Framework version. However, the older Trust Framework version will be deprecated, so transitioning to the new Trust Framework version is imperative.
For more information about upgrading the Trust Framework version, see Upgrading the Trust Framework and policies.