ADI XML document model
The ADI XML document model (or ADI XML model) is a set of restrictions placed on the XSL/XML model by the authorization rules implementation. The ADI XML model enables the interface to be simple and yet functional for authorization purposes. The model constrains the authorization rules to function within a predetermined XML document format with the same top-level XML document element for all rules. The XML ADI is imported by the rules evaluator from credential attributes, from application context, or from other data sources. The XML ADI must be inserted into this XML document before authorization rules can use the data. Similarly, to simplify the process of defining rules, the authorization rules must operate within the confines of the ADI XML model.
The ADI XML model requires the XML document to contain the following top-level XML element. All target ADI for a particular rule evaluation is inserted in the top-level XML element. The XMLADI element is created automatically as part of the rule evaluation process by the authorization engine.

<XMLADI>
  <!-- XML formatted ADI are inserted here. -->
</XMLADI>

As a result of this restriction, the XPath to the data used in an authorization rule must include the prefix /XMLADI to access a particular data element within the model. For example, we might add an ADI item of JohnSmith to the document to access the fields of JohnSmith within the ADI XML document. In this case, specify the XPath /XMLADI/JohnSmith to access the data contained in the XML object JohnSmith.
An XPath is the path to a particular child element within the hierarchy of a structured XML data object. Much like a directory path on a hard disk drive is used to access a specific file, an XPath designation starts from the root of the document (in this case /XMLADI). The designation traces a path from this root down through its child elements to the specific element being referenced. For example, with the example entitlement JohnSmith in the XML entitlement example as a reference, the JohnSmith XML object has a child element called CreditCard. The child elements of the CreditCard element are attributes which are common to most credit cards. To access Balance under the CreditCard element of JohnSmith, you would use the following XPath:

"/XMLADI/JohnSmith/CreditCard/Balance"

XPaths like this example are the means by which authorization rules access the ADI data values that are needed to make attribute-based authorization decisions.
All data elements are restricted to work within the ADI XML model. The authorization rules must also be restricted to operate on or match XPaths within the model. Therefore, XSL template match statements are also restricted to matching XPaths starting from /XMLADI within the ADI XML document. See Format and constraints of rules.
- Containers and XML ADI container names
  When data is requested from a resource manager, the granularity of the XML data returned is at the level of a single container of information.
- Limitations of container names
  One restriction imposed by the ADI XML document model is that each item of ADI consumed by the rules evaluator must have a unique container name. The container name must not be confused with containers provided by other entitlements data providers.
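
The model described above, sketched in Python as an added example (not the product's own code): it builds the XMLADI document, enforces unique container names, and resolves only XPaths that start from /XMLADI. The AdiDocument class, its method names, the DTD check and the sample Balance value are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

ROOT = "XMLADI"  # top-level element the ADI XML model requires
STEP = re.compile(r"[A-Za-z_][\w.-]*")  # plain child-element step only

# Constructed sample container; the Balance value is made up.
SAMPLE = "<JohnSmith><CreditCard><Balance>1000.00</Balance></CreditCard></JohnSmith>"


class AdiDocument:
    """Hypothetical stand-in for the document built for one rule evaluation."""

    def __init__(self):
        self.root = ET.Element(ROOT)

    def insert(self, fragment):
        """Insert one ADI container; its element name is the container name."""
        # Added precaution (not from the page): refuse DTDs in fragments.
        if "<!DOCTYPE" in fragment.upper():
            raise ValueError("DTDs are not accepted in ADI fragments")
        container = ET.fromstring(fragment)
        # Each item of ADI must have a unique container name.
        if any(child.tag == container.tag for child in self.root):
            raise ValueError(f"duplicate container name: {container.tag}")
        self.root.append(container)
        return container.tag

    def value(self, xpath):
        """Return the text at a child-step XPath that starts from /XMLADI."""
        prefix = f"/{ROOT}/"
        if not xpath.startswith(prefix):
            raise ValueError(f"XPath must start with /{ROOT}: {xpath!r}")
        steps = xpath[len(prefix):].split("/")
        if not all(STEP.fullmatch(step) for step in steps):
            raise ValueError(f"unsupported XPath step in {xpath!r}")
        node = self.root.find("/".join(steps))
        return None if node is None else (node.text or "").strip()


def demo():
    doc = AdiDocument()
    doc.insert(SAMPLE)
    return doc.value("/XMLADI/JohnSmith/CreditCard/Balance")


if __name__ == "__main__":
    print(demo())
```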