--- title: Authorization Attributes description: Authorization attributes provide contextual information that informs fine-grained dynamic authorization decisions. Attributes have the following characteristics: component: pingone-api-ea page_id: pingone-api-ea:authorize:early-access/pingone-authorize-admin-apis/pingauthorize-trust-framework/authorization-attributes canonical_url: https://developer.pingidentity.com/pingone-api-ea/authorize/early-access/pingone-authorize-admin-apis/pingauthorize-trust-framework/authorization-attributes.html section_ids: authorization-attributes-data-model: Authorization attributes data model authorization-attributes-resolvers-data-model: Authorization attributes resolvers type data model event-types: Event types response-codes: Response codes --- # Authorization Attributes Authorization attributes provide contextual information that informs fine-grained dynamic authorization decisions. Attributes have the following characteristics: * An attribute has zero or more resolvers that bring the contextual data into the attribute value. The list of ordered resolvers are evaluated sequentially until a successful value is returned. * An attribute has zero or more processors that transform the data coming from the resolvers. * An attribute has a `valueType` property value that specifies the final output type of the attribute. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | For detailed information about attribute resources and the attribute hierarchy within the PingOne Authorize trust framework, refer to [Attributes](https://docs.pingidentity.com/pingone/authorization_using_pingone_authorize/p1az_attributes.html) in the *PingOne Cloud Platform Administrator Guide*. | ## Authorization attributes data model | Property | Type | Required | Mutable | Description | | ------------------ | ------ | -------- | --------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `defaultValue` | String | Optional | Mutable | The value to use if no resolvers are defined or if an error occurred with the resolvers or processors. | | `description` | String | Optional | Mutable | The attribute resource's description. | | `fullName` | String | Required | Mutable | A unique name generated by the system for each attribute resource. It is the concatenation of names in the attribute resource hierarchy. | | `id` | String | N/A | Read only | The resource's unique identifier. | | `managedEntity` | Object | Optional | Read only | A system-assigned set of restrictions and metadata related to the resource. | | `name` | String | Required | Mutable | A user-friendly attribute name. | | `parent` | Object | Optional | Mutable | The attribute resource's parent. | | `parent.id` | String | Optional | Mutable | The attribute resource's parent ID. | | `processor` | Object | Optional | Mutable | The attribute resource's processor. | | `processor.type` | String | Optional | Mutable | The attribute resource's processor type. Options are `JSON_PATH`, `SPEL`, `XPATH`, `COLLECTION_FILTER`, `COLLECTION_TRANSFORM`, `CHAIN`, and `REFERENCE`. Refer to [Authorization processors processor type data model](#authorization-processors-processor-data-model) for additional properties for each processor type. | | `processor.name` | String | Optional | Mutable | A user-friendly authorization processor name. The `name` value must be unique. | | `repetitionSource` | Object | Optional | Mutable | A setting to designate the attribute as multi-valued and repeatable. | | `resolvers` | Array | Optional | Mutable | The attribute resource's resolvers. | | `resolvers.type` | String | Optional | Mutable | The attribute resource's resolver type. Options are `REQUEST`, `CONSTANT`, `ATTRIBUTE`, `SERVICE`, `SYSTEM`, `CONFIGURATION`, `CURRENT_REPETITION_VALUE`, `CURRENT_USER_ID`, and `USER`. | | `type` | String | Required | Read only | The attribute type. Options are `ATTRIBUTE`. | | `valueType` | Object | Required | Mutable | The value type object for the attribute. | | `valueType.type` | String | Required | Mutable | The output type for the attribute. Options are `BOOLEAN`, `STRING`, `NUMBER`, `XML`, `JSON`, `COLLECTION`, `DATE_TIME`, `LOCAL_TIME`, `LOCAL_DATE`, `LOCAL_DATE_TIME`, `ZONED_DATE_TIME`, `TIME_PERIOD`, `PERIOD`, and `DURATION`. | | `version` | String | Required | Read only | A random ID generated by the system for concurrency control purposes. | ## Authorization attributes resolvers type data model | Resolver type | Description | | -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `REQUEST` | The value comes from the decision request. | | `ATTRIBUTE` | The value comes from another attribute. Additional properties are:\* `value`, the value object.\* `value.id`, the ID of the referring attribute. | | `CONSTANT` | The value provided is a constant. Additional properties are:\* `value`, the constant value.\* `valueType`, the output type of the constant. Options are `BOOLEAN`, `STRING`, `NUMBER`, `XML`, `JSON`, `COLLECTION`, `DATE_TIME`, `LOCAL_TIME`, `LOCAL_DATE`, `LOCAL_DATE_TIME`. | | `SERVICE` | The value comes from a service. Additional properties are:\* `value`, the value object.\* `value.id`, the ID of the referring service. | | `SYSTEM` | The value is provided by the system. Additional properties are:\* `value`, a value that is set to either `NULL` or `CURRENT_DATE_TIME`. | | `CURRENT_REPETITION_VALUE` | The value of the repetition if the attribute belongs to a repetition scope. | | `CURRENT_USER_ID` | The value comes from the `userContext` property in the decision request. | | `USER` | The value is a PingOne user. Additional properties are:\* `query`, a `UserQuery` object that provides a PingOne `userId` string. | ## Event types The audit reporting events applicable to the authorize attribute service are: | Topic | Event | | ----------------- | ----------------------------- | | `authorize-model` | `AUTHORIZE_ATTRIBUTE.CREATED` | | `authorize-model` | `AUTHORIZE_ATTRIBUTE.UPDATED` | | `authorize-model` | `AUTHORIZE_ATTRIBUTE.DELETED` | ## Response codes | Code | Message | | ---- | --------------------------------------------------------------------- | | 200 | Successful operation. | | 201 | Successfully created. | | 204 | Successfully removed. No content. | | 400 | The request could not be completed. | | 401 | You do not have access to this resource. | | 403 | You do not have permissions or are not licensed to make this request. | | 404 | The requested resource was not found. |