Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the the same cluster.
Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.
Policy advice that directs the PingAuthorize Server to recursively invoke policy over each item of a JSON array that is contained within an API response. This advice is intended to allow policies, when presented with a request to permit or deny a multi-valued response body, to require that a separate policy request be made to determine whether the client is permitted access to each individual resource that is returned in a JSON array.
The payload for this advice is a JSON object with the following fields:
On each recursive policy request, if policy returns a DENY decision then the array node in question will be removed from the response. If the policy request returns a PERMIT decision with additional advice, then that advice will be fulfilled in the context of the recursive request. For example, this would allow policy to decide for each array item whether to exclude or obfuscate particular attributes.
For a response object containing complex data including arrays of arrays, it is possible to use this advice type to recursively descend through the JSON content of the response. The advice may enforce a maximum depth for such recursive usage. There may also be performance ramifications as the total number of policy requests increases.
↓Parent Component
↓Properties
↓dsconfig Usage
The Filter Response Advice component inherits from the Advice
The properties supported by this managed object are as follows:
Basic Properties: | Advanced Properties: |
---|---|
↓ advice-id | None |
↓ decision-type | |
↓ evaluation-order-index |
Description | A unique identifier for the advice type. This ID must match the "code" string returned from a policy decision request. |
Default Value | filter-response |
Allowed Values | A string |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Description | A value indicating to what type of decisions this advice should be applied. |
Default Value | PERMIT |
Allowed Values | PERMIT - Only applied to PERMIT decisions. DENY - Only applied to DENY decisions. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
evaluation-order-index (Read-Only)
Description | If multiple Filter Response Advice are returned from a single policy request, then this property governs the order in which the Filter Response Advice will be processed by the Policy Enforcement Point. Obligatory Filter Response Advice are processed first. Within the set of obligatory or non-obligatory Filter Response Advice, those with a smaller evaluation-order-index will be evaluated first. If multiple Filter Response Advice have the same evaluation-order-index, then their order of evaluation is indeterminate. |
Default Value | 5 |
Allowed Values | An integer value. Lower limit is 0. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
To list the configured Advice:
dsconfig list-advice [--property {propertyName}] ...
To view the configuration for an existing Advice:
dsconfig get-advice-prop --advice-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the configuration for an existing Advice:
dsconfig set-advice-prop --advice-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...