aam authorization policy

Authorization-policy configuration

policy Specification

Parameter Value
Type Collection
Object Key(s) name
Collection Name policy-list
Collection URI /axapi/v3/aam/authorization/policy
Element Name policy
Element URI /axapi/v3/aam/authorization/policy/{name}
Element Attributes policy_attributes
Partition Visibility shared
Schema policy schema

Operations Allowed:

Operation       Method  URI                                          Payload
Create Object   POST    /axapi/v3/aam/authorization/policy           policy attributes
Create List     POST    /axapi/v3/aam/authorization/policy           policy attributes
Get Object      GET     /axapi/v3/aam/authorization/policy/{name}    policy attributes
Get List        GET     /axapi/v3/aam/authorization/policy           policy-list
Modify Object   POST    /axapi/v3/aam/authorization/policy/{name}    policy attributes
Replace Object  PUT     /axapi/v3/aam/authorization/policy/{name}    policy attributes
Replace List    PUT     /axapi/v3/aam/authorization/policy           policy-list
Delete Object   DELETE  /axapi/v3/aam/authorization/policy/{name}    policy attributes

policy-list

policy-list is a JSON list of policy attributes

policy-list : [

policy attributes

attribute-list

attribute-rule

Description Define attribute rule for authorization policy

Type: string

Format: string-rlx

extended-filter

Description Extended search filter. Example: check whether a user belongs to a nested group: (memberOf:1.2.840.113556.1.4.1941:=$GROUP-DN)

Type: string

Format: string-rlx

Maximum Length: 511 characters

Minimum Length: 1 character

forward-policy-authorize-only

Description This policy only provides server info for forward policy feature

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

jwt-authorization

Description Specify JWT authorization template (Specify JWT authorization template name)

Type: string

Format: string-rlx

Maximum Length: 63 characters

Minimum Length: 1 character

Mutual Exclusion: jwt-authorization, server, and service-group are mutually exclusive

Reference Object: /axapi/v3/aam/jwt-authorization

jwt-claim-map-list

name

Description Specify authorization policy name

Type: string

Maximum Length: 63 characters

Minimum Length: 1 character

server

Description Specify a LDAP or RADIUS server for authorization (Specify a LDAP or RADIUS server name)

Type: string

Format: string-rlx

Maximum Length: 63 characters

Minimum Length: 1 character

Mutual Exclusion: server, service-group, and jwt-authorization are mutually exclusive

Reference Object: /axapi/v3/aam/authentication/server/ldap/instance

service-group

Description Specify an authentication service group for authorization (Specify authentication service group name)

Type: string

Format: string-rlx

Maximum Length: 127 characters

Minimum Length: 1 character

Mutual Exclusion: service-group, server, and jwt-authorization are mutually exclusive

Reference Object: /axapi/v3/aam/authentication/service-group

user-tag

Description Customized tag

Type: string

Format: string-rlx

Maximum Length: 127 characters

Minimum Length: 1 character

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

jwt-claim-map-list

Specification Value
Type list
Block object keys  

attr-num

Description Specify attribute ID for claim mapping

Type: number

Range: 1-32

bool-val

Description ‘true’: True; ‘false’: False;

Type: string

Supported Values: true, false

boolean-type

Description Claim type is boolean

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: boolean-type, string-type, and number-type are mutually exclusive

claim

Description Specify JWT claim name to map to.

Type: string

Maximum Length: 63 characters

Minimum Length: 1 character

num-val

Description Specify JWT claim value.

Type: number

Range: 0-4294967295

number-type

Description Claim type is number

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: number-type, string-type, and boolean-type are mutually exclusive

str-val

Description Specify JWT claim value.

Type: string

Format: string-rlx

Maximum Length: 63 characters

Minimum Length: 1 character

string-type

Description Claim type is string

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: string-type, number-type, and boolean-type are mutually exclusive

type

Description Specify claim type

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

attribute-list

Specification Value
Type list
Block object keys  

A10-AX-AUTH-URI

Description Custom-defined attribute

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: A10-AX-AUTH-URI and attribute-name are mutually exclusive

a10-dynamic-defined

Description The value of this attribute will depend on AX configuration instead of user configuration

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

any

Description Matched when attribute is present (with any value).

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: any and attr-type are mutually exclusive

attr-int

Description ‘equal’: Operation type is equal; ‘not-equal’: Operation type is not equal; ‘less-than’: Operation type is less-than; ‘more-than’: Operation type is more-than; ‘less-than-equal-to’: Operation type is less-than-equal-to; ‘more-than-equal-to’: Operation type is more-than-equal-to;

Type: string

Supported Values: equal, not-equal, less-than, more-than, less-than-equal-to, more-than-equal-to

attr-int-val

Description Set attribute value

Type: number

Range: 0-4294967295

attr-ip

Description ‘equal’: Operation type is equal; ‘not-equal’: Operation type is not-equal;

Type: string

Supported Values: equal, not-equal

attr-ipv4

Description IPv4 address

Type: string

Format: ipv4-address

attr-num

Description Set attribute ID for authorization policy

Type: number

Range: 1-32

attr-number

Description ‘equal’: Operation type is equal; ‘not-equal’: Operation type is not equal; ‘less-than’: Operation type is less-than; ‘more-than’: Operation type is more-than; ‘less-than-equal-to’: Operation type is less-than-equal-to; ‘more-than-equal-to’: Operation type is more-than-equal-to;

Type: string

Supported Values: equal, not-equal, less-than, more-than, less-than-equal-to, more-than-equal-to

attr-number-val

Description Set attribute value

Type: string

Maximum Length: 20 characters

Minimum Length: 1 character

attr-str

Description ‘match’: Operation type is match; ‘sub-string’: Operation type is sub-string;

Type: string

Supported Values: match, sub-string

attr-str-val

Description Set attribute value

Type: string

Format: string-rlx

Maximum Length: 63 characters

Minimum Length: 1 character

attr-type

Description Specify attribute type

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: attr-type and any are mutually exclusive

attribute-name

Description Specify attribute name

Type: string

Maximum Length: 63 characters

Minimum Length: 1 character

Mutual Exclusion: attribute-name and A10-AX-AUTH-URI are mutually exclusive

custom-attr-str

Description ‘match’: Operation type is match; ‘sub-string’: Operation type is sub-string;

Type: string

Supported Values: match, sub-string

custom-attr-type

Description Specify attribute type

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

integer-type

Description Attribute type is integer

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: integer-type, string-type, ip-type, and number-type are mutually exclusive

ip-type

Description IP address is transformed into network byte order

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: ip-type, string-type, integer-type, and number-type are mutually exclusive

number-type

Description Attribute type is decimal number

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: number-type, string-type, integer-type, and ip-type are mutually exclusive

string-type

Description Attribute type is string

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: string-type, integer-type, ip-type, and number-type are mutually exclusive

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character
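
The object key, length limits, ranges and mutual-exclusion groups listed in this reference can be checked offline before a policy attributes object is submitted through the Create or Replace operations. The following is an added example, not A10 code; the function names and the sample policy are constructed for illustration.

```python
# Added example: offline lint of a policy attributes object; no device is contacted.
BACKENDS = ("server", "service-group", "jwt-authorization")
MAX_LEN = {"name": 63, "server": 63, "jwt-authorization": 63,
           "service-group": 127, "user-tag": 127, "extended-filter": 511}
ATTR_TYPES = ("integer-type", "string-type", "ip-type", "number-type")
CLAIM_TYPES = ("boolean-type", "string-type", "number-type")
U32 = 4294967295

def _set(obj, key):
    """A field counts as set when present and not false/0/empty."""
    return obj.get(key) not in (None, "", 0, False, "0", "false")

def _exclusive(obj, keys, where, errors):
    used = [k for k in keys if _set(obj, k)]
    if len(used) > 1:
        errors.append(f"{where}: {', '.join(used)} are mutually exclusive")

def _range(obj, key, lo, hi, where, errors):
    value = obj.get(key)
    if value is not None and not (isinstance(value, int) and lo <= value <= hi):
        errors.append(f"{where}: {key} must be in {lo}-{hi}")

def lint_policy(policy):
    """Return the list of violated constraints; an empty list means clean."""
    errors = []
    if not _set(policy, "name"):
        errors.append("policy: name is the object key and must be set")
    for key, limit in MAX_LEN.items():
        if len(str(policy.get(key) or "")) > limit:
            errors.append(f"policy: {key} exceeds {limit} characters")
    _exclusive(policy, BACKENDS, "policy", errors)
    for i, rule in enumerate(policy.get("attribute-list", [])):
        where = f"attribute-list[{i}]"
        _range(rule, "attr-num", 1, 32, where, errors)
        _range(rule, "attr-int-val", 0, U32, where, errors)
        _exclusive(rule, ("A10-AX-AUTH-URI", "attribute-name"), where, errors)
        _exclusive(rule, ("any", "attr-type"), where, errors)
        _exclusive(rule, ATTR_TYPES, where, errors)
    for i, claim in enumerate(policy.get("jwt-claim-map-list", [])):
        where = f"jwt-claim-map-list[{i}]"
        _range(claim, "attr-num", 1, 32, where, errors)
        _range(claim, "num-val", 0, U32, where, errors)
        _exclusive(claim, CLAIM_TYPES, where, errors)
    return errors

# Constructed sample: two backends set, attr-num out of range, any with attr-type.
SAMPLE = {"name": "p1", "server": "ldap1", "service-group": "sg1",
          "attribute-list": [{"attr-num": 40, "any": 1, "attr-type": 1}]}
if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE)))
```

Running the linter in a change pipeline catches a policy that names more than one authorization backend before it reaches the device.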