Example: ADI from dynamic ADI retrieval services

This example evaluates an application-defined XML input document provided by a dynamic entitlement service that was written with the dynamic ADI retrieval service.

The application code might create a batch object that contains a list of operations to be done together. The batch object consists of a number of transaction elements. Each transaction consists of an item and the amount of that item to order. With these assumptions, the following XML object might be used as input for making the authorization decision:

<!-- batched transaction -->
<batch>
  <max_tx_count>5</max_tx_count>
  <max_tx_amount>150</max_tx_amount>
  <account>customerA</account>
  <transaction>
    <item>widgetA</item>
    <amount>10</amount>
  </transaction>
  <transaction>
    <item>widgetB</item>
    <amount>20</amount>
  </transaction>
  <transaction>
    <item>widgetC</item>
    <amount>30</amount>
  </transaction>
  <transaction>
    <item>widgetD</item>
    <amount>40</amount>
  </transaction>
  <transaction>
    <item>widgetE</item>
    <amount>50</amount>
  </transaction>
</batch>

With this expected XML object, we might create the following authorization rule:

<!--Compare group to batch customer and num transactions
    and total tx amounts to limits.-->
<xsl:if test="azn_cred_groups = batch/account
      and count (batch/transaction) &lt;= batch/max_tx_count
      and sum (batch/transaction/amount) &lt;= batch/max_tx_amount">
    !TRUE!
</xsl:if>        

The authorization rule checks that the requesting user is a member of a group whose name matches the name of the account in the transaction. In this example, it is customerA. If the requesting user is not a member of this group, the user is not authorized to submit batch requests on behalf of customerA. Then, the rule checks that the total number of transactions within the batch is less than or equal to the max_tx_count element of the batch object. The rule also checks that the total number of items ordered in the entire request is less than or equal to the max_tx_amount element of the batch object. The rule calls the count() and sum() functions. The count() function counts the number of instances of a transaction element within the batch. The sum() function totals the value of all the amount elements within all transaction elements in the batch.
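The three comparisons in the rule, mirrored in Python as an added example (not code from the original page and not the product's rule evaluator). The names `xpath_number`, `evaluate_batch_rule` and `make_batch` are hypothetical and the sample documents are constructed from the page's values; the example goes beyond the single case in the text by showing that XPath 1.0 number conversion makes the rule deny malformed or missing values.

```python
import math
import re
import xml.etree.ElementTree as ET

# XPath 1.0 number() grammar: optional minus, digits, optional fraction.
_XPATH_NUM = re.compile(r"\s*-?(\d+(\.\d*)?|\.\d+)\s*")

def xpath_number(text):
    """Mimic XPath 1.0 number(): anything non-numeric or missing is NaN."""
    if text is None or not _XPATH_NUM.fullmatch(text):
        return math.nan
    return float(text)

def evaluate_batch_rule(cred_groups, batch_xml):
    """Return True only when all three comparisons in the rule hold."""
    batch = ET.fromstring(batch_xml)
    accounts = [a.text for a in batch.findall("account")]
    # '=' on node sets is existential: any group equal to any account.
    group_ok = any(g == a for g in cred_groups for a in accounts)
    tx_count = len(batch.findall("transaction"))
    # sum() converts each amount with number(); one NaN makes the total NaN.
    total = sum(xpath_number(a.text) for a in batch.findall("transaction/amount"))
    # Assumes at most one of each limit element; a missing one becomes NaN.
    max_count = xpath_number(batch.findtext("max_tx_count"))
    max_amount = xpath_number(batch.findtext("max_tx_amount"))
    # Any comparison against NaN is false, so malformed input is denied.
    return group_ok and tx_count <= max_count and total <= max_amount

def make_batch(account, max_count, max_amount, amounts):
    """Build a constructed test document in the page's batch format."""
    txs = "".join(
        f"<transaction><item>widget{i}</item><amount>{amt}</amount></transaction>"
        for i, amt in enumerate(amounts))
    return (f"<batch><max_tx_count>{max_count}</max_tx_count>"
            f"<max_tx_amount>{max_amount}</max_tx_amount>"
            f"<account>{account}</account>{txs}</batch>")

if __name__ == "__main__":
    # Boundary case from the page: 5 transactions totalling exactly 150.
    doc = make_batch("customerA", 5, 150, [10, 20, 30, 40, 50])
    print(evaluate_batch_rule(["customerA"], doc))
```

The page's sample document sits exactly on both limits, so it passes only because the rule uses `<=` for both comparisons.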

For additional information about creating authorization rules, see the Authorization C API Developer Reference.
