PingOne Platform APIs - Early Access

Authorization Attributes

Authorization attributes provide contextual information that informs fine-grained dynamic authorization decisions. Attributes have the following characteristics:

  • An attribute has zero or more resolvers that bring the contextual data into the attribute value. The ordered list of resolvers is evaluated sequentially until one of them returns a value successfully.

  • An attribute has zero or more processors that transform the data coming from the resolvers.

  • An attribute has a valueType property value that specifies the final output type of the attribute.

For detailed information about attribute resources and the attribute hierarchy within the PingOne Authorize trust framework, refer to Attributes in the PingOne Cloud Platform Administrator Guide.

Authorization attributes data model

Property | Type | Required? | Mutable? | Description
defaultValue | String | Optional | Mutable | The value to use if no resolvers are defined or if an error occurred with the resolvers or processors.
description | String | Optional | Mutable | The attribute resource’s description.
fullName | String | Required | Mutable | A unique name generated by the system for each attribute resource. It is the concatenation of names in the attribute resource hierarchy.
id | String | N/A | Read only | The resource’s unique identifier.
managedEntity | Object | Optional | Read only | A system-assigned set of restrictions and metadata related to the resource.
name | String | Required | Mutable | A user-friendly attribute name.
parent | Object | Optional | Mutable | The attribute resource’s parent.
parent.id | String | Optional | Mutable | The attribute resource’s parent ID.
processor | Object | Optional | Mutable | The attribute resource’s processor.
processor.type | String | Optional | Mutable | The attribute resource’s processor type. Options are JSON_PATH, SPEL, XPATH, COLLECTION_FILTER, COLLECTION_TRANSFORM, CHAIN, and REFERENCE. Refer to Authorization processors processor type data model for additional properties for each processor type.
processor.name | String | Optional | Mutable | A user-friendly authorization processor name. The name value must be unique.
repetitionSource | Object | Optional | Mutable | A setting to designate the attribute as multi-valued and repeatable.
resolvers | Array | Optional | Mutable | The attribute resource’s resolvers.
resolvers.type | String | Optional | Mutable | The attribute resource’s resolver type. Options are REQUEST, CONSTANT, ATTRIBUTE, SERVICE, SYSTEM, CONFIGURATION, CURRENT_REPETITION_VALUE, CURRENT_USER_ID, and USER.
type | String | Required | Read only | The attribute type. Options are ATTRIBUTE.
valueType | Object | Required | Mutable | The value type object for the attribute.
valueType.type | String | Required | Mutable | The output type for the attribute. Options are BOOLEAN, STRING, NUMBER, XML, JSON, COLLECTION, DATE_TIME, LOCAL_TIME, LOCAL_DATE, LOCAL_DATE_TIME, ZONED_DATE_TIME, TIME_PERIOD, PERIOD, and DURATION.
version | String | Required | Read only | A random ID generated by the system for concurrency control purposes.
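As an added illustration (not PingOne's own code, and not an API call), the following Python checks a proposed attribute create body against the data model in the table above before it is sent: required properties, the documented option lists, the shorter valueType list the resolver table gives for CONSTANT resolvers, read-only properties that have no business in a create body, and ATTRIBUTE or SERVICE resolvers with a missing or unknown value.id. Property names follow the table; the severity labels, the known_ids argument and the sample body are assumptions made for the example. It also adds one security rule the table implies rather than states: because defaultValue is what an attribute evaluates to when a resolver or processor fails, a BOOLEAN attribute whose defaultValue is "true" fails open whenever its data source is unavailable.

```python
"""Static checks on a proposed attribute create body, using the option lists
and required/read-only markings from the table above. Added illustration, not
PingOne code; runs locally and does not call the API. Severity labels, the
known_ids argument and the sample body are assumptions."""

PROCESSOR_TYPES = {"JSON_PATH", "SPEL", "XPATH", "COLLECTION_FILTER",
                   "COLLECTION_TRANSFORM", "CHAIN", "REFERENCE"}
RESOLVER_TYPES = {"REQUEST", "CONSTANT", "ATTRIBUTE", "SERVICE", "SYSTEM",
                  "CONFIGURATION", "CURRENT_REPETITION_VALUE",
                  "CURRENT_USER_ID", "USER"}
VALUE_TYPES = {"BOOLEAN", "STRING", "NUMBER", "XML", "JSON", "COLLECTION",
               "DATE_TIME", "LOCAL_TIME", "LOCAL_DATE", "LOCAL_DATE_TIME",
               "ZONED_DATE_TIME", "TIME_PERIOD", "PERIOD", "DURATION"}
# The resolver table gives CONSTANT resolvers a shorter list of value types.
CONSTANT_VALUE_TYPES = {"BOOLEAN", "STRING", "NUMBER", "XML", "JSON",
                        "COLLECTION", "DATE_TIME", "LOCAL_TIME",
                        "LOCAL_DATE", "LOCAL_DATE_TIME"}
READ_ONLY = {"id", "type", "version", "managedEntity"}


def lint_attribute(body, known_ids=frozenset()):
    """Return (severity, message) findings; known_ids = existing attribute IDs."""
    findings = []

    def err(msg):
        findings.append(("error", msg))

    def warn(msg):
        findings.append(("warning", msg))

    if not body.get("name"):
        err("name is required")
    vt = (body.get("valueType") or {}).get("type")
    if vt not in VALUE_TYPES:
        err("valueType.type is required and must be a documented output type")
    for field in sorted(READ_ONLY.intersection(body)):
        warn("%s is read only and should not be sent in a create body" % field)
    proc = body.get("processor")
    if proc is not None and proc.get("type") not in PROCESSOR_TYPES:
        err("processor.type %r is not a documented processor type" % proc.get("type"))

    resolvers = body.get("resolvers") or []
    for i, res in enumerate(resolvers):
        kind, where = res.get("type"), "resolvers[%d]" % i
        if kind not in RESOLVER_TYPES:
            err("%s: unknown resolver type %r" % (where, kind))
        elif kind == "CONSTANT" and res.get("valueType") not in CONSTANT_VALUE_TYPES:
            err("%s: CONSTANT valueType %r is not allowed" % (where, res.get("valueType")))
        elif kind in ("ATTRIBUTE", "SERVICE"):
            ref = (res.get("value") or {}).get("id")
            if not ref:
                err("%s: %s resolver needs value.id" % (where, kind))
            elif kind == "ATTRIBUTE" and ref not in known_ids:
                err("%s: references unknown attribute %r" % (where, ref))
        elif kind == "SYSTEM" and res.get("value") not in ("NULL", "CURRENT_DATE_TIME"):
            err("%s: SYSTEM value must be NULL or CURRENT_DATE_TIME" % where)
        elif kind == "USER" and not (res.get("query") or {}).get("userId"):
            err("%s: USER resolver needs query.userId" % where)

    default = body.get("defaultValue")
    if default is not None and not isinstance(default, str):
        err("defaultValue must be a String")
    if not resolvers and default is None:
        warn("no resolvers and no defaultValue: the attribute can never produce a value")
    # Added security rule: defaultValue is what the attribute evaluates to when
    # a resolver or processor fails, so a permissive default fails open.
    if vt == "BOOLEAN" and str(default).lower() == "true":
        warn("defaultValue 'true' on a BOOLEAN attribute fails open when resolution fails")
    return findings


# Constructed sample body with several deliberate problems (IDs are made up).
SAMPLE = {
    "name": "Override.Allowed",
    "valueType": {"type": "BOOLEAN"},
    "defaultValue": "true",
    "id": "attr-999",
    "resolvers": [
        {"type": "ATTRIBUTE", "value": {"id": "attr-missing"}},
        {"type": "CONSTANT", "value": "PT5M", "valueType": "DURATION"},
    ],
}

if __name__ == "__main__":
    for severity, message in lint_attribute(SAMPLE, known_ids={"attr-001"}):
        print(severity, message)
```

Run against the sample body, the linter reports two errors (the dangling ATTRIBUTE reference and the DURATION constant) and two warnings (the read-only id and the fail-open default); a body with only a name, a valueType and a REQUEST resolver comes back clean.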

Authorization attributes resolvers type data model

Resolver type | Description
REQUEST | The value comes from the decision request.
ATTRIBUTE | The value comes from another attribute. Additional properties: value, the value object; value.id, the ID of the referenced attribute.
CONSTANT | The value provided is a constant. Additional properties: value, the constant value; valueType, the output type of the constant. Options are BOOLEAN, STRING, NUMBER, XML, JSON, COLLECTION, DATE_TIME, LOCAL_TIME, LOCAL_DATE, and LOCAL_DATE_TIME.
SERVICE | The value comes from a service. Additional properties: value, the value object; value.id, the ID of the referenced service.
SYSTEM | The value is provided by the system. Additional property: value, set to either NULL or CURRENT_DATE_TIME.
CURRENT_REPETITION_VALUE | The value of the current repetition if the attribute belongs to a repetition scope.
CURRENT_USER_ID | The value comes from the userContext property in the decision request.
USER | The value is a PingOne user. Additional property: query, a UserQuery object that provides a PingOne userId string.
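The following Python is an added, offline simulation of the evaluation order described in the introduction (ordered resolvers until one succeeds, then the processor, then the cast to valueType.type, with defaultValue on any failure) across the resolver types in the table above. It is not PingOne code and makes no API calls. Everything about the runtime environment is assumed: decision-request values keyed by the attribute fullName, a userContext object carrying an id, local dictionaries standing in for services and the user directory, a JSON_PATH stand-in that handles only $.a.b paths and reads its path from a processor property named expression, and a null resolver result treated as unresolved. The sample attribute definitions, request and IDs are constructed for the example.

```python
"""Offline simulation of attribute evaluation as described on this page:
resolvers run in order until one succeeds, the processor transforms the
result, the value is cast to valueType.type, and any failure yields
defaultValue. Added illustration, not PingOne code; see lead-in for assumptions."""


class ResolverError(Exception):
    """A resolver could not produce a value; the next one in order is tried."""


def _json_path(value, path):
    # Stand-in for the JSON_PATH processor: "$.a.b" style paths only (assumed).
    if not path.startswith("$"):
        raise ResolverError("unsupported path %r" % path)
    for part in filter(None, path[1:].split(".")):
        value = value[part]
    return value


def _cast(value, value_type):
    # Cast to valueType.type; only the types this example uses are handled.
    if value_type == "BOOLEAN" and not isinstance(value, bool):
        if str(value).lower() not in ("true", "false"):
            raise ValueError("not a boolean: %r" % (value,))
        return str(value).lower() == "true"
    if value_type == "NUMBER" and not isinstance(value, (int, float)):
        return float(value)
    if value_type == "STRING":
        return str(value)
    return value  # already typed, or JSON and others pass through unchanged


def _run_resolver(res, attr, request, attrs, env, seen):
    kind = res["type"]
    if kind == "REQUEST":  # assumed: request values are keyed by fullName
        if attr["fullName"] not in request:
            raise ResolverError("not in request: " + attr["fullName"])
        return request[attr["fullName"]]
    if kind == "CONSTANT":
        return _cast(res["value"], res["valueType"])
    if kind == "ATTRIBUTE":
        target = attrs[res["value"]["id"]]
        if target["id"] in seen:  # guard against A -> B -> A reference loops
            raise ResolverError("cyclic reference via " + target["fullName"])
        return evaluate(target, request, attrs, env, seen)
    if kind == "SERVICE":  # assumed: a local registry of callables
        return env["services"][res["value"]["id"]](request)
    if kind == "CURRENT_USER_ID":  # assumed userContext shape
        return request["userContext"]["id"]
    if kind == "USER":  # assumed: a local user directory
        return env["users"][res["query"]["userId"]]
    raise ResolverError("resolver type %s is not simulated here" % kind)


def evaluate(attr, request, attrs, env=None, seen=frozenset()):
    """Evaluate one attribute definition against a decision request dict."""
    env = env or {"services": {}, "users": {}}
    seen = seen | {attr["id"]}
    try:
        for res in attr.get("resolvers") or []:  # ordered: first success wins
            try:
                value = _run_resolver(res, attr, request, attrs, env, seen)
                if value is not None:  # assumed: a null result is unresolved
                    break
            except (ResolverError, KeyError, ValueError, IndexError, TypeError):
                continue
        else:
            raise ResolverError("no resolver produced a value")
        proc = attr.get("processor")
        if proc:
            if proc["type"] != "JSON_PATH":
                raise ResolverError("processor %s is not simulated" % proc["type"])
            value = _json_path(value, proc["expression"])
        return _cast(value, attr["valueType"]["type"])
    except Exception:
        # The page's rule: defaultValue applies when resolvers or processors
        # fail, so a permissive default fails open on any outage.
        default = attr.get("defaultValue")
        return None if default is None else _cast(default, attr["valueType"]["type"])


# Constructed sample definitions, registries and request; IDs are made up.
ATTRS = {
    "a1": {"id": "a1", "fullName": "Loan.Amount", "valueType": {"type": "NUMBER"},
           "resolvers": [{"type": "REQUEST"}]},
    "a2": {"id": "a2", "fullName": "Loan.IsLarge", "valueType": {"type": "BOOLEAN"},
           "resolvers": [{"type": "SERVICE", "value": {"id": "risk-svc"}},
                         {"type": "CONSTANT", "value": "false", "valueType": "BOOLEAN"}]},
    "a3": {"id": "a3", "fullName": "Override.Allowed", "valueType": {"type": "BOOLEAN"},
           "defaultValue": "true", "resolvers": [{"type": "REQUEST"}]},
    "a4": {"id": "a4", "fullName": "User.Region", "valueType": {"type": "STRING"},
           "resolvers": [{"type": "ATTRIBUTE", "value": {"id": "a5"}}],
           "processor": {"type": "JSON_PATH", "expression": "$.address.region"}},
    "a5": {"id": "a5", "fullName": "User.Profile", "valueType": {"type": "JSON"},
           "resolvers": [{"type": "USER", "query": {"userId": "u-42"}}]},
}
ENV = {"services": {"risk-svc": lambda req: req["Loan.Amount"] > 100000},
       "users": {"u-42": {"address": {"region": "EU"}}}}
REQUEST = {"Loan.Amount": 250000, "userContext": {"id": "u-42"}}


def demo(request=REQUEST):
    """Evaluate every sample attribute against a request, keyed by fullName."""
    return {a["fullName"]: evaluate(a, request, ATTRS, ENV) for a in ATTRS.values()}
```

demo() shows the chain in action: Loan.IsLarge comes from the service, User.Region is reached through another attribute and then a processor, and Override.Allowed, which is absent from the request, evaluates to True purely because of its defaultValue. Evaluating Loan.IsLarge against a request without Loan.Amount makes the service resolver fail and the CONSTANT resolver supply False instead, and two attributes that reference each other through ATTRIBUTE resolvers stop at the cycle guard and fall back to defaultValue rather than recursing.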

Event types

The audit reporting events applicable to the authorize attribute service are:

Topic | Event
authorize-model | AUTHORIZE_ATTRIBUTE.CREATED
authorize-model | AUTHORIZE_ATTRIBUTE.UPDATED
authorize-model | AUTHORIZE_ATTRIBUTE.DELETED

Response codes

Code | Message
200 | Successful operation.
201 | Successfully created.
204 | Successfully removed. No content.
400 | The request could not be completed.
401 | You do not have access to this resource.
403 | You do not have permissions or are not licensed to make this request.
404 | The requested resource was not found.