dynamic-adi-entitlement-services

The dynamic-adi-entitlement-services configuration entry lists the service IDs of the dynamic ADI retrieval entitlement services. These services must be called by the authorization engine if ADI is missing from the requesting user credential or from the application context and cannot be gathered from the resource manager.

Any entitlement service configured under this entry is called by the authorization engine with the azn_entitlement_get_entitlements() interface and is passed the azn_perminfo_rules_adi_request attribute. The string values of this attribute are the container names of the ADI that are still required. If the dynamic ADI retrieval service can fulfill the request, it returns the requested data to the authorization engine in the entitlements parameter.

ISAM provides demonstrations of how an entitlement service can perform the functions of a dynamic ADI retrieval service and a credential attribute retrieval service. See the Authorization C API Developer Reference.

To have the authorization engine call multiple dynamic ADI retrieval services, specify multiple entries. The following example demonstrates how to specify the service IDs of two different entitlement services for use as dynamic ADI entitlement services. The service IDs must correspond to valid entitlement service definitions in the [aznapi-entitlement-service] stanza.

dynamic-adi-entitlement-services = ent_cred_attrs_id
dynamic-adi-entitlement-services = ent_svc_demo_id
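
The requirement that every listed service ID has a definition in the [aznapi-entitlement-service] stanza can be checked before a configuration change is deployed. The following script is an added example, not part of the product documentation or tooling: it parses a stanza file that repeats the same key and reports service IDs that have no definition. The sample file contents, the [aznapi-configuration] stanza placement, the library names and the ent_typo_id entry are constructed assumptions.

```python
import re

# Constructed sample; stanza placement and library names are assumptions.
SAMPLE_CONF = """\
[aznapi-configuration]
dynamic-adi-entitlement-services = ent_cred_attrs_id
dynamic-adi-entitlement-services = ent_svc_demo_id
dynamic-adi-entitlement-services = ent_typo_id

[aznapi-entitlement-service]
# service-id = library (hypothetical library names)
ent_cred_attrs_id = azn_ent_cred_attrs
ent_svc_demo_id = azn_ent_svc_demo
"""
ENTRY = "dynamic-adi-entitlement-services"
SERVICE_STANZA = "aznapi-entitlement-service"


def parse_stanzas(text):
    """Return {stanza: [(key, value), ...]}, keeping repeated keys in order."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1).strip()
            stanzas.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            stanzas[current].append((key.strip(), value.strip()))
    return stanzas


def check_dynamic_adi_services(text):
    """Return (configured_ids, ids_without_a_service_definition)."""
    stanzas = parse_stanzas(text)
    defined = {key for key, _ in stanzas.get(SERVICE_STANZA, [])}
    configured = [value for entries in stanzas.values()
                  for key, value in entries if key == ENTRY]
    missing = [sid for sid in configured if sid not in defined]
    return configured, missing


if __name__ == "__main__":
    print(check_dynamic_adi_services(SAMPLE_CONF))
```

A generic INI parser that collapses duplicate keys would see only the last dynamic-adi-entitlement-services line, which is why the entries are collected as an ordered list here.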
