Administrative Reference


Out-of-Box Attribute Retrievers

This section describes the out-of-box (OOTB) retrievers provided with Oracle Entitlements Server.

Note: For information about developing custom attribute retrievers, see “Attribute Retrievers” on page 7-4.

 


Overview

The OOTB attribute retrievers are used by ASI Authorization and ASI Role Mapping providers to retrieve attributes for use in policies. After an attribute retriever is implemented, it will retrieve the required attribute values (as specified in policy constraints) for use during policy evaluation.

To use an attribute retriever, you define its configuration, attributes, and attribute handling logic (or query) on the authorization or role mapping provider being used by the SSM instance. With the exception of the WebLogic Server 9.x/10.0 SSM, this is performed in the Administration Console. For WLS SSMs, this is performed using the WebLogic console.

When defining the attribute retriever’s query, you may use OES system attributes. For example, the following use of the %sys_user% system attribute will retrieve the current user’s “user_type” from the data source.

SELECT user_type FROM customer WHERE user_id=%sys_user%

In order to be included in policy constraints, each attribute retrieved from an external source must be defined as a dynamic attribute. To do this in the Entitlements Administration Application, navigate to the application containing the policies. Then use the application’s Extensions > Dynamic Attributes tab.

 


Setting Up OOTB Attribute Retrievers

To set up an attribute and configure an attribute retriever:

  1. Use the Administration Console to add the configuration settings and attribute properties on the provider's Attribute Retriever and Attribute tabs. These settings are described in the following sections:
       - RDBMS Attribute Retrievers
       - LDAP Attribute Retrievers
       - Service Data Objects (SDO) Attribute Retrievers
       - ALES Identity Attribute Retrievers
  2. Distribute the changes to the SCM (or the XML file if no SCM is used).
  3. Restart the SSM instance.

 


RDBMS Attribute Retrievers

RDBMS Attribute Retrievers retrieve attribute values from an RDBMS database. Table 6-1 lists the properties used to configure an RDBMS Attribute Retriever.

Table 6-1 RDBMS Attribute Retriever Configurations

Conn Idle Timeout
    Idle timeout in seconds for the ALES database connection.
Description
    Short description of the attribute retriever.
Driver
    The Java class name of the RDBMS database JDBC driver.
Database Name
    Database instance name.
Failed Server Retry Sec
    Time in seconds after which a previously failed primary server is retried.
Login / Password
    Login and password used to access the database.
Name
    The attribute retriever name in OES.
Pool Size
    The database connection pool size the attribute retriever uses to access the RDBMS.
System
    The OES database type (Oracle 10, 92, 90, blank, Sybase 15, Sybase 125, Sybase, Pointbase, MS Sql Server, DB2).
Server
    The RDBMS database server URL. For failover, specify a comma-separated list of primary and backup server URLs; if accessing the first server fails, the next one is used. For example:
    jdbc:oracle:thin:@smysore02.amer.acme.com:1521:orcl
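As an added illustration (not OES code) of the Server and Failed Server Retry Sec settings above: this Python class picks server URLs from a comma-separated Server value, skips a server that failed until the retry interval has elapsed, and generalizes the hold-down to every listed server rather than only the primary. The JDBC URLs and the try_connect callback are constructed placeholders.

```python
import time


class FailoverServerList:
    """Chooses which server URL to try, following the Server and
    Failed Server Retry Sec descriptions: the first URL is the primary,
    on failure the next one is used, and a failed server is retried only
    after the retry interval has elapsed. The hold-down is applied to
    every server here, not only the primary (a generalization)."""

    def __init__(self, server_setting, failed_server_retry_sec, clock=time.time):
        # server_setting is the comma-separated list from the Server property.
        self.servers = [s.strip() for s in server_setting.split(",") if s.strip()]
        self.retry_sec = failed_server_retry_sec
        self.clock = clock           # injectable for deterministic tests
        self.failed_at = {}          # url -> time of the most recent failure

    def candidates(self):
        """URLs eligible right now, in configured order."""
        now = self.clock()
        return [u for u in self.servers
                if u not in self.failed_at or now - self.failed_at[u] >= self.retry_sec]

    def connect(self, try_connect):
        """Call try_connect(url) on each candidate until one succeeds.
        Returns (url, connection); raises ConnectionError if none is usable."""
        errors = []
        for url in self.candidates():
            try:
                conn = try_connect(url)
            except Exception as exc:          # record the failure, try the next URL
                self.failed_at[url] = self.clock()
                errors.append((url, repr(exc)))
                continue
            self.failed_at.pop(url, None)     # a success clears the hold-down
            return url, conn
        raise ConnectionError("no server available: %r" % errors)


# Constructed sample value for the Server property; the hosts are placeholders.
SERVERS = ("jdbc:oracle:thin:@primary.example.invalid:1521:orcl,"
           "jdbc:oracle:thin:@backup.example.invalid:1521:orcl")
```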

Table 6-2 lists the properties used to define the attributes used with an RDBMS attribute retriever.

Table 6-2 Attributes of an RDBMS Attribute Retriever

Name
    The attribute name in OES.
Description
    (Optional) A short description.
Retriever
    For this attribute retriever type, the value is always:
    RDBMSAttributeRetriever
Attribute Query
    The query that retrieves the attribute. May include OES system attributes. Examples:
    SELECT name FROM table WHERE name = %sys_user%
    SELECT user_type FROM customer WHERE user_id=%sys_user%
Use Cache
    Select the checkbox to locally cache this attribute's value.
TTL
    If Use Cache is selected, the number of seconds after which the cached value expires.
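As an added illustration (not OES code) of the Attribute Query, Use Cache and TTL settings: this Python example resolves %sys_user% in the page's example query, runs it against a constructed in-memory SQLite customer table, and caches the result per user until the TTL expires. Binding the resolved value as a query parameter rather than splicing it into the SQL text is this example's own choice; the page does not state how OES performs the substitution.

```python
import re
import sqlite3
import time

# Constructed sample data standing in for the customer table in the page's query.
_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE customer (user_id TEXT, user_type TEXT)")
_DB.executemany("INSERT INTO customer VALUES (?, ?)",
                [("alice", "gold"), ("bob", "standard")])

PLACEHOLDER = re.compile(r"%(sys_[a-z_]+)%")   # matches OES-style %sys_user%


def resolve(template, context):
    """Replace each %sys_*% placeholder with a '?' bind marker.

    Returns (sql, values): the value from the request context is bound as a
    parameter instead of being pasted into the SQL text (this example's
    choice; the page does not describe OES's own substitution)."""
    values = []

    def bind(match):
        values.append(context[match.group(1)])
        return "?"
    return PLACEHOLDER.sub(bind, template), values


class CachedAttribute:
    """One dynamic attribute with the page's Use Cache / TTL behaviour."""

    def __init__(self, query, use_cache=False, ttl=0, clock=time.time):
        self.query = query
        self.use_cache, self.ttl = use_cache, ttl
        self.clock = clock        # injectable for deterministic tests
        self._cache = {}          # user id -> (value, expiry time)
        self.db_hits = 0          # counts real queries, for inspection

    def value_for(self, context):
        key = context["sys_user"]
        if self.use_cache:
            hit = self._cache.get(key)
            if hit and hit[1] > self.clock():      # still within TTL
                return hit[0]
        sql, params = resolve(self.query, context)
        self.db_hits += 1
        row = _DB.execute(sql, params).fetchone()
        value = row[0] if row else None
        if self.use_cache:
            self._cache[key] = (value, self.clock() + self.ttl)
        return value
```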

 


LDAP Attribute Retrievers

LDAP Attribute Retrievers retrieve attribute values from an LDAP directory. Table 6-3 lists the properties used to configure an LDAP Attribute Retriever.

Table 6-3 LDAP Attribute Retriever Configurations

Description
    Short description of the attribute retriever.
Failed Server Retry Sec
    Time in seconds after which a previously failed primary server is retried.
Host
    The host name or IP address of the LDAP server. For failover, specify another host name separated by a comma, for example host1,host2. The port and other parameters of the failover server are assumed to be the same as those of the primary server.
Name
    The attribute retriever name in OES.
Principal / Credential
    The Distinguished Name (DN) of the LDAP user used to connect to the LDAP server, and that user's credential.
Port
    The LDAP server listening port.
System
    The LDAP type: iPlanet, Open LDAP, Active Directory, or Novell LDAP.

Table 6-4 lists the properties used to define the attribute whose value is returned by an LDAP attribute retriever.

Table 6-4 Attributes of an LDAP Attribute Retriever

Name
    The attribute name in OES.
Description
    (Optional) A short description.
Retriever
    For this attribute retriever type, the value is always:
    LDAPAttributeRetriever
Attribute Query
    The entry (DN) from which the attribute is retrieved. May include OES system attributes. Example:
    uid=%sys_user%,cn=employees,ou=enterprisesecurity,ou=security,dc=amer,dc=bea,dc=com
LDAP Filter
    If needed, specify a filter to narrow the query scope. May include OES system attributes. Default:
    &(objectclass=*)(transactioncode= %sys_rule_obj_q%
Use Cache
    Select the checkbox to locally cache this attribute's value.
TTL
    If Use Cache is selected, the number of seconds after which the cached value expires.

 


Service Data Objects (SDO) Attribute Retrievers

Service Data Objects (SDO) is a specification that defines a unified framework for data application development. It works with data from multiple data sources in the form of physical or logical data services from ODSI (formerly AquaLogic Data Services Platform (ALDSP)). The ODSI services can in turn depend on multiple data services to retrieve data.

Table 6-5 lists the properties used to configure an SDO Attribute Retriever.

Table 6-5 SDO Attribute Retriever Configurations

Description
    Short description of the attribute retriever.
Failed Server Retry Sec
    Time in seconds after which a previously failed primary server is retried.
Initial Context Factory
    The initial context factory to use. For example, if the WebLogic initial context factory is used, the value is:
    weblogic.jndi.WLInitialContextFactory
    This class must be available in the SSM classpath.
Login / Password
    Login and password used to access the data service.
Name
    The attribute retriever name in OES.
Service Lookup
    The service to look up, for example:
    ld:DataServices/CustomerManagement/CustomerProfile
SDOApplication
    Name of the data service application to connect to.
Server URL
    The server URL in the format t3://<host>:<port>. For failover, specify additional URLs separated by a comma. For example:
    t3://<host1>:<port1>,t3://<host2>:<port2>

Table 6-6 lists the properties used to define the attribute whose value is returned by an SDO attribute retriever.

Table 6-6 Attributes of an SDO Attribute Retriever

Name
    The attribute name in OES.
Description
    (Optional) A short description.
Retriever
    For this attribute retriever type, the value is always:
    SDOAttributeRetriever
Attribute Query
    The SDO function name that retrieves the attribute. May be a method name that obtains the data from a logical or physical service. Example: getCustomer
Parameter
    A comma-separated list of parameters passed to the SDO method, in the order given by the method signature. May include OES system attributes. Example: %sys_user%,customer_id

 


ALES Identity Attribute Retrievers

An ALES Identity Attribute Retriever retrieves the values of identity attributes from the OES database. Table 6-7 lists the properties used to configure an ALES Identity Attribute Retriever.

Table 6-7 ALES Identity Attribute Retriever Configurations

Cache All Attributes TTL
    Cache All Attributes TTL
Conn Idle Timeout
    Idle timeout in seconds for the ALES database connection.
Description
    Short description of the attribute retriever.
Driver
    The Java class name of the OES database JDBC driver.
Database Name
    Database instance name.
Failed Server Retry Sec
    Time in seconds after which a previously failed primary server is retried.
Login / Password
    Login and password used to access the database.
Name
    The attribute retriever name in OES.
Pool Size
    Database connection pool size.
System
    The OES database type (Oracle 10, 92, 90, blank, Sybase 15, Sybase 125, Sybase, Pointbase, MS Sql Server, DB2).
Server
    The database server URL. For failover, specify a comma-separated list of primary and backup server URLs; if accessing the first server fails, the next one is used. For example:
    jdbc:oracle:thin:@smysore02.amer.acme.com:1521:orcl

There is no need to create attributes for an ALES Identity Retriever. Simply create identity attributes using the Entitlements Administration Application and then use those attributes in the policy constraints as needed.

