Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the same cluster.
Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.
The Policy Decision Service contains the properties that affect the overall operation of the PingAuthorize Server policy service.
Relations from This Component
Properties
dsconfig Usage
The following components have a direct composition relation from Policy Decision Service:
The following components have a direct aggregation relation from Policy Decision Service:
The properties supported by this managed object are as follows:
Property Group | Basic Properties | Advanced Properties
---|---|---
General Configuration | pdp-mode, policy-server, deployment-package-source-type | None
Deployment Package Store Configuration | deployment-package-store | None
Trust Framework Attribute Cache Configuration | external-attribute-cache | None
Deployment Package Static-file Configuration | deployment-package | deployment-package-security-level, deployment-package-trust-store, deployment-package-verification-key-nickname
Policy Request Configuration | trust-framework-version | decision-response-view, embedded-mode-logged-attributes
Policy Information Provider Configuration | None | service-key-store, service-trust-store
SpEL Allowed Classes Configuration | spel-allowed-class | None
pdp-mode
Property Group | General Configuration |
Description | Determines whether policy requests are made to the embedded PDP or over REST to an external policy decision server. |
Default Value | disabled |
Allowed Values | disabled - The policy service will be disabled. Some PingAuthorize Server HTTP services will be unavailable until the policy service is enabled. external - PDP invocations are made over REST to an external policy decision server. This mode may be more convenient in development environments where policies are being developed. When this option is selected policy requests will be directed to the external server defined by the policy-server property. embedded - PDP invocations are made via a Java call to the embedded PDP library. This is more efficient and is the recommended mode for production environments. When this option is selected the PDP will run with the policies defined by either a static deployment package file or the configured deployment package store. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
policy-server
Property Group | General Configuration |
Description | Specifies the policy external server that is hosting the Policy Decision Point (PDP) for this instance of PingAuthorize Server. This external server is only used if the value of the pdp-mode property is "external". |
Default Value | None |
Allowed Values | The DN of any Policy External Server. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
deployment-package-source-type
Property Group | General Configuration |
Description | Whether to read deployment packages from a static file or a store. There are two ways to define the policies that the Policy Decision Service will use for authorization decisions when the pdp-mode is set to "embedded". Policies can either be loaded from a deployment package file provided directly, or they can be automatically loaded from a deployment package store. If this property is set to "static-file", the deployment-package property of the Policy Decision Service will be used to allow deployment package files to be provided manually. The policies used by the Policy Decision Service will not change unless the value of the deployment-package property changes. If this property is set to "store", the deployment-package-store property will be used to allow a deployment package store to be polled for new deployment packages. A deployment package will be taken from the store when the property is configured, or on server startup, as well as at regular intervals afterwards as defined by the poll-interval property of the deployment package store. |
Default Value | static-file |
Allowed Values | store - Read from a deployment package store static-file - Read from a static file |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
deployment-package-store
Property Group | Deployment Package Store Configuration |
Description | A deployment package store from which to load deployment packages. The store is only polled for new deployment packages, and the policies defined by those packages are only used when the value of the pdp-mode property is "embedded" and the deployment-package-source-type is "store". |
Default Value | None |
Allowed Values | The DN of any Deployment Package Store. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
external-attribute-cache
Property Group | Trust Framework Attribute Cache Configuration |
Description | The external attribute cache that the Policy Decision Service will use for caching-enabled Trust Framework attributes. |
Default Value | None |
Allowed Values | The DN of any External Attribute Cache. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
deployment-package
Property Group | Deployment Package Static-file Configuration |
Description | Contents of the policy Deployment Package to load into the embedded decision point. The policies defined by this Deployment Package are only used if the value of the pdp-mode property is "embedded" and the deployment-package-source-type is "static-file". |
Default Value | None |
Allowed Values | application/sdp+json |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
trust-framework-version
Property Group | Policy Request Configuration |
Description | Specifies the trust framework version supported by the PingAuthorize Server. The trust framework version determines the format of policy requests generated by the PingAuthorize Server. Change this value only if instructed to do so following an upgrade. |
Default Value | undefined |
Allowed Values | v2 - Trust framework version 2. v1 - Trust framework version 1. This version is deprecated. undefined - If this setting is chosen, the Policy Decision Service will not be available. |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
spel-allowed-class
Property Group | SpEL Allowed Classes Configuration |
Description | Specifies additional Java classes allowed for use in SpEL expressions during policy evaluation. Java classes must be available on the server classpath at server start. For classes not part of the Java standard library, place JAR files in the server lib folder and restart the server. This setting is only applicable when the Policy Decision Service is configured in embedded PDP mode. |
Default Value | Only the following Java classes are available for use in SpEL expressions during policy evaluation: java.lang.String, java.util.Date, java.util.Random, java.util.UUID, java.lang.Integer, java.lang.Long, java.lang.Double, java.lang.Byte, java.lang.Math, java.lang.Boolean, java.time.LocalDate, java.time.DayOfWeek, java.time.Instant, java.time.ChronoUnit, java.text.SimpleDateFormat |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
deployment-package-security-level (Advanced Property)
Property Group | Deployment Package Static-file Configuration |
Description | Specifies how the Policy Decision Service verifies the integrity of a deployment package when pdp-mode is "embedded" and the deployment-package-source-type is "static-file". All deployment packages include a message digest that the Policy Decision Service uses to verify that the contents of a deployment package have not been altered. A deployment package may also be cryptographically signed. By default, this property is set to "unsigned", meaning that the Policy Decision Service will accept any deployment package with a valid digest but will not verify the deployment package's signature, if one is present. Configure this property to "signed" to additionally require that a deployment package was created by a trusted Policy Administration GUI. If this property is set to "signed", then the deployment-package-trust-store and deployment-package-verification-key-nickname properties must also be configured. |
Default Value | unsigned |
Allowed Values | unsigned - The deployment package signature will not be verified. signed - The deployment package must be signed and trusted. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
deployment-package-trust-store (Advanced Property)
Property Group | Deployment Package Static-file Configuration |
Description | Specifies the trust manager provider containing the public signing key certificate used to verify a deployment package. This is only used if the value of the pdp-mode property is "embedded", the deployment-package-source-type is "static-file", and the deployment-package-security-level property is "signed". The trust manager provider specified by this property must refer to a trust store containing the public signing key certificate used by the Policy Administration GUI that created the deployment package. |
Default Value | None |
Allowed Values | The DN of any File Based Trust Manager Provider. Any trust manager provider assigned to the Policy Decision Service must be enabled. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
deployment-package-verification-key-nickname (Advanced Property)
Property Group | Deployment Package Static-file Configuration |
Description | Specifies the nickname (also called the alias) of the public signing key certificate used to verify a deployment package. This is only used if the value of the pdp-mode property is "embedded", the deployment-package-source-type is "static-file", and the deployment-package-security-level property is "signed". The value of this property must refer to the public signing key certificate included in the trust store designated by the deployment-package-trust-store property. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
decision-response-view (Advanced Property)
Property Group | Policy Request Configuration |
Description | Specifies supplementary data categories ("views") to be returned with the policy decision response. Decision response views provide detailed context that can be useful when troubleshooting policy decisions. Note that requesting additional decision response views in external PDP mode may cause the Trace Log Publisher or the Policy Decision Log Publisher to record sensitive data. |
Default Value | No supplementary decision response views are requested. |
Allowed Values | request - The policy decision request. May include sensitive data. decision-tree - Detailed output tracing the decision's policy evaluation flow. attributes - Full details of attributes evaluated during policy decision evaluation. services - Full details of services invoked during policy decision evaluation. evaluated-entities - Attribute and service resolution details. This is equivalent to specifying both 'attributes' and 'services'. evaluation-log - Attribute and service resolution details. This is similar to specifying 'evaluated-entities', but the data are expressed in a flat format. evaluation-log-with-attribute-values - Attribute and service resolution details. This is equivalent to specifying 'evaluation-log', but also includes values and types for successful attribute resolutions. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
embedded-mode-logged-attributes (Advanced Property)
Property Group | Policy Request Configuration |
Description | For embedded mode, specifies attributes that, when evaluated, get returned with the policy decision response. While the Policy Decision Service runs in embedded mode, the specified attributes and their full details get returned with the policy decision response if they are evaluated. Enabling certain decision response views might override this configuration and cause all evaluated attributes to be included in the response. Note that including additional attributes could cause the Trace Log Publisher or the Policy Decision Log Publisher to record sensitive data. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
service-key-store (Advanced Property)
Property Group | Policy Information Provider Configuration |
Description | Specifies the set of key manager providers containing client certificates for use by services defined in the trust framework. Any key manager providers specified by this property are available for use by trust framework services, also called policy information providers (PIPs). A service defined in the trust framework may be configured with the name of a key store containing a client certificate, which is used when establishing connections to an external service that supports TLS mutual authentication. The key store name specified in the trust framework must match the name of a key manager provider specified by this property. This setting is only applicable when the Policy Decision Service is configured in embedded PDP mode. |
Default Value | None |
Allowed Values | The DN of any File Based Key Manager Provider. Any key manager provider assigned to the Policy Decision Service must be enabled. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
service-trust-store (Advanced Property)
Property Group | Policy Information Provider Configuration |
Description | Specifies the set of trust manager providers for use by services defined in the trust framework. Any trust manager providers specified by this property are available for use by trust framework services, also called policy information providers (PIPs). A service defined in the trust framework may be configured with the name of a trust store containing a set of trusted CA certificates, to be used when establishing TLS connections to an external service. The trust store name specified in the trust framework must match the name of a trust manager provider specified by this property. This setting is only applicable when the Policy Decision Service is configured in embedded PDP mode. |
Default Value | None |
Allowed Values | The DN of any File Based Trust Manager Provider. Any trust manager provider assigned to the Policy Decision Service must be enabled. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
To view the Policy Decision Service configuration:
dsconfig get-policy-decision-service-prop [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the Policy Decision Service configuration:
dsconfig set-policy-decision-service-prop (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
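The property descriptions above define several dependencies between settings (an external PDP needs a policy-server, a static-file source needs a deployment-package, a "signed" security level needs a trust store and a key nickname, an undefined trust-framework-version disables the service) and a few settings that can push sensitive data into log publishers. The following Python is an added example, not code from PingAuthorize or this reference: it encodes those documented rules as a pre-flight lint over a property map, then renders the corresponding dsconfig set-policy-decision-service-prop argument list using --set for single-valued and --add for multi-valued properties. The sample property map is constructed; the trust store name, certificate nickname and deployment package contents in it are placeholders.

```python
"""Pre-flight lint for PingAuthorize Policy Decision Service settings.

Encodes the cross-property dependencies documented for this component so a
misconfiguration (or a risky default) is caught before dsconfig is run.
Property names and allowed values come from the configuration reference;
the sample property map at the bottom is constructed for illustration.
"""

# Properties the reference marks as Multi-Valued; dsconfig sets these with --add.
MULTI_VALUED = {
    "spel-allowed-class",
    "decision-response-view",
    "embedded-mode-logged-attributes",
    "service-key-store",
    "service-trust-store",
}

# Properties that must be present once deployment-package-security-level is "signed".
SIGNED_PACKAGE_REQUIRES = (
    "deployment-package-trust-store",
    "deployment-package-verification-key-nickname",
)


def lint_pdp_config(cfg):
    """Return findings ("ERROR: ..." / "WARN: ...") for a property map.

    Keys are dsconfig property names; values are strings, or lists of strings
    for multi-valued properties. Absent keys take the documented defaults.
    """
    findings = []
    mode = cfg.get("pdp-mode", "disabled")
    tf_version = cfg.get("trust-framework-version", "undefined")
    source = cfg.get("deployment-package-source-type", "static-file")
    level = cfg.get("deployment-package-security-level", "unsigned")
    views = list(cfg.get("decision-response-view", []))

    if mode == "disabled":
        return findings  # nothing else applies while the policy service is off

    if tf_version == "undefined":
        findings.append("ERROR: trust-framework-version is undefined, so the "
                        "Policy Decision Service will not be available")
    elif tf_version == "v1":
        findings.append("WARN: trust-framework-version v1 is deprecated")

    if mode == "external":
        if not cfg.get("policy-server"):
            findings.append("ERROR: pdp-mode external requires policy-server")
        if views:
            findings.append("WARN: decision-response-view in external mode may "
                            "cause log publishers to record sensitive data")
    elif mode == "embedded":
        if source == "static-file":
            if not cfg.get("deployment-package"):
                findings.append("ERROR: deployment-package-source-type static-file "
                                "requires deployment-package")
            if level == "unsigned":
                findings.append("WARN: deployment package digest is checked but its "
                                "signature is not verified; consider "
                                "deployment-package-security-level signed")
            else:
                for prop in SIGNED_PACKAGE_REQUIRES:
                    if not cfg.get(prop):
                        findings.append("ERROR: deployment-package-security-level "
                                        f"signed requires {prop}")
        elif source == "store" and not cfg.get("deployment-package-store"):
            findings.append("ERROR: deployment-package-source-type store requires "
                            "deployment-package-store")
        if cfg.get("embedded-mode-logged-attributes"):
            findings.append("WARN: embedded-mode-logged-attributes may cause log "
                            "publishers to record sensitive data")
    return findings


def render_dsconfig_set(cfg):
    """Build the argument list for set-policy-decision-service-prop.

    Single-valued properties use --set; multi-valued ones get one --add per value.
    """
    argv = ["dsconfig", "set-policy-decision-service-prop"]
    for name, value in cfg.items():
        if name in MULTI_VALUED:
            for item in value:
                argv += ["--add", f"{name}:{item}"]
        else:
            argv += ["--set", f"{name}:{value}"]
    return argv


# Constructed example: embedded PDP loading a signed static deployment package.
# The trust store name, certificate nickname and package contents are placeholders.
SIGNED_EXAMPLE = {
    "pdp-mode": "embedded",
    "trust-framework-version": "v2",
    "deployment-package-source-type": "static-file",
    "deployment-package": "<deployment package contents>",
    "deployment-package-security-level": "signed",
    "deployment-package-trust-store": "Example PAP Signing Trust Store",
    "deployment-package-verification-key-nickname": "example-pap-signing-cert",
}

if __name__ == "__main__":
    for finding in lint_pdp_config(SIGNED_EXAMPLE) or ["OK: no findings"]:
        print(finding)
    print(" ".join(render_dsconfig_set(SIGNED_EXAMPLE)))
```

Running the lint with the default (empty) map returns nothing because pdp-mode defaults to disabled; switching to embedded without the rest of the settings surfaces the undefined trust-framework-version, the missing deployment-package and the unsigned-package warning at once, which is the point of checking the map before handing it to dsconfig.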