cred-attributes-entitlement-services

This stanza entry specifies the service used to add external information to the user credential. The addition is in the form of credential attributes and allows applications to use that information in making access decisions.

These extended attributes are stored in the user registry. This service can also work with attributes through an API call. The azn_id_get_creds() interface queries a list of authorization API entitlement service IDs. The query compiles a list of attributes to be added to the user credential while the credential is being built.

A list of service identifiers, which can be found within the [aznapi-entitlement-services] stanza, is queried to compile a list of attributes. The attributes are added to the user credential while the credential is being built. Each service ID is queried in the order it is declared in the list. The attribute returned is inserted into the credential attribute list of each credential that is built. The following example shows two entries from the credential attribute list:

You cannot use this stanza entry to override read-only attributes in the credential attribute list, which include the principal name, principal UUID, and others. The exception to this rule is the azn_cred_groups attribute.

The Authorization C API Developer Reference lists the read-only attributes and contains more information about this service. The document explains why administrators who do not want this capability must ensure the azn_mod_rad service is not loaded by the application.

Usage: Optional

Default value: There is no default value.

Example: cred-attribute-entitlement-services = myEntSvcID
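
A configuration audit for the behavior described above, as an added example that is not part of the product documentation: it lists the service IDs in the order they would be queried and flags any entitlement service definition that references azn_mod_rad. The sample file, the radSvcID and orphanSvcID names, the library values, and the one-line-per-service-ID layout are assumptions; both spellings of the entry name that appear on this page are accepted.

```python
import re

# Both spellings appear on this page (title vs. example line), so accept either.
KEY_NAMES = {"cred-attributes-entitlement-services",
             "cred-attribute-entitlement-services"}

def parse_stanzas(text):
    """Parse stanza-style config into {stanza: [(key, value), ...]}, keeping order and repeats."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return stanzas

def audit(text):
    """Return (service IDs in declared query order, list of findings)."""
    stanzas = parse_stanzas(text)
    defined = dict(stanzas.get("aznapi-entitlement-services", []))
    order = [v for k, v in stanzas.get("aznapi-configuration", []) if k in KEY_NAMES]
    # A service ID that is referenced but never defined cannot be resolved.
    findings = [f"{sid}: not defined in [aznapi-entitlement-services]"
                for sid in order if sid not in defined]
    # Any definition that references azn_mod_rad is worth a review (see the text above).
    findings += [f"{sid}: loads azn_mod_rad"
                 for sid, lib in defined.items() if "azn_mod_rad" in lib]
    return order, findings

# Constructed sample input; IDs and library values are assumptions, not product defaults.
SAMPLE = """\
[aznapi-entitlement-services]
myEntSvcID = example_ent_svc
radSvcID = azn_mod_rad

[aznapi-configuration]
cred-attribute-entitlement-services = myEntSvcID
cred-attribute-entitlement-services = radSvcID
cred-attribute-entitlement-services = orphanSvcID
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```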

Parent topic: [aznapi-configuration] stanza