
Policy Decision Service

Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the same cluster.

Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.

Policy Decision Service contains the properties that affect the overall operation of the Data Governance Server policy service.


Relations from This Component

The following components have a direct composition relation from Policy Decision Service:

The following components have a direct aggregation relation from Policy Decision Service:

Properties

The properties supported by this managed object are as follows:


General Configuration
    Basic Properties: pdp-mode, deployment-package, policy-server
    Advanced Properties: service-key-store, service-trust-store

Policy Request Configuration
    Basic Properties: trust-framework-version
    Advanced Properties: decision-response-view

Basic Properties

pdp-mode

Property Group
General Configuration
Description
Determines whether policy requests are made to the embedded PDP or over REST to an external policy decision server.
Default Value
disabled
Allowed Values
disabled - The policy service will be disabled. Some Data Governance Server HTTP services will be unavailable until the policy service is enabled.

external - PDP invocations are made over REST to an external policy decision server. This mode may be more convenient in development environments where policies are being developed. When this option is selected policy requests will be directed to the external server defined by the policy-server property.

embedded - PDP invocations are made via a Java call to the embedded PDP library. This is more efficient and is the recommended mode for production environments. When this option is selected the PDP will run with the policies defined by the deployment-package property.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

deployment-package

Property Group
General Configuration
Description
Contents of the policy Deployment Package to load into the embedded decision point. The policies defined by this Deployment Package are only used if the value of the pdp-mode property is "embedded".
Default Value
None
Allowed Values
application/sdp+json
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

policy-server

Property Group
General Configuration
Description
Specifies the policy external server that is hosting the Policy Decision Point (PDP) for this instance of Data Governance Server. This external server is only used if the value of the pdp-mode property is "external".
Default Value
None
Allowed Values
The DN of any Policy External Server.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

trust-framework-version

Property Group
Policy Request Configuration
Description
Specifies the trust framework version supported by the Data Governance Server. The trust framework version determines the format of policy requests generated by the Data Governance Server. Change this value only if instructed to do so following an upgrade.
Default Value
undefined
Allowed Values
v2 - Trust framework version 2.

v1 - Trust framework version 1. This version is deprecated.

undefined - If this setting is chosen, the Policy Decision Service will not be available.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action


Advanced Properties

service-key-store (Advanced Property)

Property Group
General Configuration
Description
Specifies the set of key manager providers containing client certificates for use by services defined in the trust framework. Any key manager providers specified by this property are available for use by trust framework services.

A service defined in the trust framework may be configured with the name of a key store containing a client certificate, which is used when establishing connections to an external service that supports TLS mutual authentication. The key store name specified in the trust framework must match the name of a key manager provider specified by this property.

This setting is only applicable when the Policy Decision Service is configured in embedded PDP mode.

Default Value
None
Allowed Values
The DN of any File Based Key Manager Provider. Any key manager provider assigned to the Policy Decision Service must be enabled.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

service-trust-store (Advanced Property)

Property Group
General Configuration
Description
Specifies the set of trust manager providers for use by services defined in the trust framework. Any trust manager providers specified by this property are available for use by trust framework services.

A service defined in the trust framework may be configured with the name of a trust store containing a set of trusted CA certificates, to be used when establishing TLS connections to an external service. The trust store name specified in the trust framework must match the name of a trust manager provider specified by this property.

This setting is only applicable when the Policy Decision Service is configured in embedded PDP mode.

Default Value
None
Allowed Values
The DN of any File Based Trust Manager Provider. Any trust manager provider assigned to the Policy Decision Service must be enabled.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

decision-response-view (Advanced Property)

Property Group
Policy Request Configuration
Description
Specifies supplementary data categories ("views") to be returned with the policy decision response. Decision response views provide detailed context that can be useful when troubleshooting policy decisions. Note that requesting additional decision response views in external PDP mode may cause the Trace Log Publisher or the Policy Decision Log Publisher to record sensitive data.
Default Value
No supplementary decision response views are requested.
Allowed Values
request - The policy decision request. May include sensitive data.

decision-tree - Detailed output tracing the decision's policy evaluation flow.

attributes - Full details of attributes evaluated during policy decision evaluation.

services - Full details of services invoked during policy decision evaluation.

evaluated-entities - Attribute and service resolution details. This is equivalent to specifying both 'attributes' and 'services'.

evaluation-log - Attribute and service resolution details. This is similar to specifying 'evaluated-entities', but the data are expressed in a flat format.

evaluation-log-with-attribute-values - Attribute and service resolution details. This is equivalent to specifying 'evaluation-log', but also includes values and types for successful attribute resolutions.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To view the Policy Decision Service configuration:

dsconfig get-policy-decision-service-prop
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the Policy Decision Service configuration:

dsconfig set-policy-decision-service-prop
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
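The property descriptions above carry several cross-property rules: embedded mode needs a deployment-package while external mode needs a policy-server, trust-framework-version of undefined disables the service, the service-key-store and service-trust-store properties only apply in embedded mode, and requesting decision response views in external mode can push sensitive data into the Trace Log Publisher or Policy Decision Log Publisher. The following script is an added example, not code from the product documentation: it checks a proposed configuration against those rules before anything is applied, then renders the dsconfig set-policy-decision-service-prop invocation in the form shown above (--set for single-valued properties, one --add per value for multi-valued ones). The dictionary layout, the sample DNs and the function names are assumptions of this example; deployment-package is left out of the rendered command because the page does not show how the package contents are supplied on the command line.

```python
"""Added example (not from the Data Governance Server documentation): a
consistency check for a Policy Decision Service configuration, plus the
dsconfig command that would apply it. Property names, allowed values and the
applicability rules are those stated on the reference page; the dict layout,
the sample DNs and the helper names are assumptions of this example."""

PDP_MODES = {"disabled", "external", "embedded"}
TRUST_FRAMEWORK_VERSIONS = {"v2", "v1", "undefined"}
DECISION_RESPONSE_VIEWS = {
    "request", "decision-tree", "attributes", "services",
    "evaluated-entities", "evaluation-log",
    "evaluation-log-with-attribute-values",
}
# Multi-valued properties on the page; each value becomes one --add argument.
MULTI_VALUED = {"service-key-store", "service-trust-store", "decision-response-view"}


def check_policy_decision_service(cfg):
    """Return a list of (severity, message) findings for a configuration dict
    keyed by property name; an empty list means the settings are consistent."""
    findings = []
    mode = cfg.get("pdp-mode", "disabled")        # page default is disabled
    version = cfg.get("trust-framework-version")  # required, no usable default
    views = set(cfg.get("decision-response-view", []))

    if mode not in PDP_MODES:
        findings.append(("error", f"pdp-mode {mode!r} is not one of {sorted(PDP_MODES)}"))
    if version is None:
        findings.append(("error", "trust-framework-version is required"))
    elif version not in TRUST_FRAMEWORK_VERSIONS:
        findings.append(("error", f"trust-framework-version {version!r} is not one of {sorted(TRUST_FRAMEWORK_VERSIONS)}"))
    elif version == "undefined":
        findings.append(("error", "trust-framework-version is 'undefined': the Policy Decision Service will not be available"))
    elif version == "v1":
        findings.append(("warning", "trust-framework-version v1 is deprecated"))

    # Each PDP mode draws its policies from exactly one source.
    if mode == "embedded" and not cfg.get("deployment-package"):
        findings.append(("error", "pdp-mode is embedded but no deployment-package is loaded"))
    if mode == "external" and not cfg.get("policy-server"):
        findings.append(("error", "pdp-mode is external but policy-server is not set"))
    if mode == "disabled":
        findings.append(("warning", "pdp-mode is disabled: some HTTP services are unavailable until the policy service is enabled"))
    if mode != "embedded":
        for prop in ("service-key-store", "service-trust-store"):
            if cfg.get(prop):
                findings.append(("info", f"{prop} only applies in embedded PDP mode and is ignored in {mode} mode"))

    # Decision response views: unknown names, redundancy, and the sensitive-data caveats.
    for view in sorted(views - DECISION_RESPONSE_VIEWS):
        findings.append(("error", f"unknown decision-response-view {view!r}"))
    if "request" in views:
        findings.append(("warning", "decision-response-view 'request' may include sensitive data"))
    if views and mode == "external":
        findings.append(("warning", "decision-response-view in external PDP mode may cause the Trace Log Publisher or Policy Decision Log Publisher to record sensitive data"))
    if "evaluated-entities" in views and views & {"attributes", "services"}:
        findings.append(("info", "evaluated-entities already covers attributes and services"))
    return findings


def dsconfig_set_command(cfg):
    """Render the argv of the dsconfig set-policy-decision-service-prop call that
    applies cfg: --set for single-valued properties, one --add per value for
    multi-valued ones. deployment-package holds file contents and the page does
    not show how those are passed on the command line, so it is skipped (assumption)."""
    argv = ["dsconfig", "set-policy-decision-service-prop"]
    for prop in sorted(cfg):
        if prop == "deployment-package":
            continue
        if prop in MULTI_VALUED:
            for value in cfg[prop]:
                argv += ["--add", f"{prop}:{value}"]
        else:
            argv += ["--set", f"{prop}:{cfg[prop]}"]
    return argv


# Constructed sample: a production-style embedded configuration. The DNs and the
# package contents are made up for this example and are not from the documentation.
EMBEDDED_CFG = {
    "pdp-mode": "embedded",
    "trust-framework-version": "v2",
    "deployment-package": '{"constructed": "deployment package contents"}',
    "service-key-store": ["cn=Client Cert Key Manager,cn=Key Manager Providers,cn=config"],
    "service-trust-store": ["cn=JKS Trust Manager,cn=Trust Manager Providers,cn=config"],
    "decision-response-view": ["decision-tree"],
}

if __name__ == "__main__":
    report = check_policy_decision_service(EMBEDDED_CFG) or [("ok", "configuration is consistent")]
    for severity, message in report:
        print(f"{severity}: {message}")
    print(" ".join(dsconfig_set_command(EMBEDDED_CFG)))
```

Run the check against a proposed configuration during change review and only apply the rendered command when no error-level findings remain; the info-level findings flag properties that the page says are silently ignored in the selected mode, which is a common source of "why is my client certificate not being used" tickets after switching pdp-mode.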