Janrain Advanced Policy Manager Documentation

Advanced Policy Manager API Overview

The Advanced Policy Manager API allows you to make real-time authorization decisions about who and what can access all of the websites, applications, resources, and user data in your ecosystem. The decision engine analyses each incoming access request, gathers the necessary information from user profile data and any relevant external services, and determines whether it should be accepted or denied based on the business rules set up in the Advanced Policy Manager.

Security Schemes

Basic Authentication basic-auth

Advanced Policy Manager supports basic HTTP authentication using Capture login_client credentials. To create the authorization code, combine your client ID and secret like this client_id + ":" + secret, then base64 encode the result.

Authorization string

Used to send the authorization code.

Example: Authorization: Basic aW1fYV9saXR0bGVfdGVhX3BvdF9zaG9ydF9hbmRfc3Q6b3V0X2hlcmVfaXNfbXlfaGFuZGxlX2hlcmVfaXNfbXk=

Responses

Endpoints

https://{mydomain}.janrainservices.com/apm

URI Parameters

mydomain string required

/governance-engine

post

Description

Requests a policy decision.

Each parameter of the body payload is optional and can be included in the policy decision request when applicable to the context. The available options for each parameter are defined in your Trust Framework and then be applied to policy definitions. The parameters included in a policy decision request are evaluated in real time to determine which policies apply to a user in a particular context.

The following parameters are supported. Values are case sensitive.

  • domain - The name of a valid Domain configured in your Trust Framework. For example, "user authorization" or "data integration".
  • service - The name of a valid Service configured in your Trust Framework. For example, "fraud score" or "user".
  • identityProvider - The name of a valid Identity Provider configured in your Trust Framework. For example, "facebook" or "traditional".
  • action - The name of a valid Action configured in your Trust Framework. For example, "login" or "register".
  • attributes - A JSON object that includes any valid Attributes configured in your Trust Framework as keys.

Request Example (application/json)

{
  "domain": "",
  "service": "",
  "identityProvider": "",
  "action": "login",
  "attributes": {
    "entity.type_name": "user",
    "entity.uuid": "d1e8308d-4874-42d7-ab58-17dc2a069fdb",
    "settings.for_client_id": "u5vue8j4rths84y5p6cnyqp6egwx86y7"
  }
}

Responses

200 OK

Received a decision regarding a specified access request.

The response will always include the following parameters:

  • id - A unique identifier assigned to the request.
  • timestamp - The time in UTC that the request was processed.
  • decision - One of the following:
    • PERMIT - The attempted access should be allowed. Inspect the $.statments array to determine if any additional steps may be taken.
    • DENY - The attempted access should not be allowed, or should potentially be allowed, given some additional conditions are met. Inspect the $.statments array to determine what additional steps should be taken.
    • NOT_APPLICABLE - Indicates that no policies were applicable based on the information provided in the decision request.
    • INDETERMINATE - Indicates that a policy was applicable based on the information provided in the decision request but that the evaluation could not be resolved to either PERMIT or DENY. This may be due to missing attributes or a service timeout.
  • authorised - If the decision is PERMIT, this will return true. All other decisions will result in false.

If advice has been configured on any rules that are evaluated in the decision request, the $.statements array will be also be returned in the response. This advice may be used by the policy enforcement point to determine if any additional steps should be taken. It will include an object for each applicable piece of advice with the following parameters.

  • statements - An array of advice per applicable rule.
    • name - The name assigned to the advice.
    • code - The code assigned to the advice.
    • payload - Optional. A string that may be used to provide a longer description of the advice, a set of instructions for the policy enforcement point to follow, or a message that should be displayed to the end user.
    • obligatory - true or false indicates whether the advice must be followed in order for the access request to be allowed.
    • attributes - Optional. A JSON object that may include any attributes that were processed in the policy decision request.

Additionally, the following attributes may be included based on the headers that are sent with the decision request.

  • request - A copy of the request that was evaluated. Included when the x-respond-with header includes Request.
  • evaluation - The full chain of evaluations made at every level of policies and policy sets. Included when the x-respond-with header includes DecisionTree.

Response Headers

Content-Type string required

Must be application/json.

x-branch string

The name of the branch to use for policy decisions. Required when calling the /governance-engine API embedded in the admin point.

Example: production
x-respond-with string

A comma separated list of optional parameters to include in the policy decision response. Generally used for troubleshooting.

Possible values:
  • Request
  • DecisionTree
  • EvaluatedEntities
  • Metrics
  • Statements
  • Errors
Example: Request, DecisionTree
x-user-id string

The identifier of the user making the request. Required when calling the /governance-engine API embedded in the admin point.

Example: janrain

401 Unauthorized

A request was made without credentials or the credentials were invalid.

403 Forbidden

The credentials provided were incorrect for the requested resource.

Response Example (application/json)
{
  "id": "7b388ace-50f7-413a-a720-115cc3b8d1fc",
  "deploymentPackageId": "700f3a94-8ed1-4b61-a18f-c82a54c813a1",
  "timestamp": "2018-03-29T15:54:03.613Z",
  "authorised": false,
  "decision": "DENY",
  "statements": [
    {
      "name": "User must provide gender",
      "code": "invalid_gender",
      "payload": "Please provide your gender.",
      "obligatory": true,
      "attributes": {}
    },
    {
      "name": "User must live in whitelisted country",
      "code": "invalid_country",
      "payload": "",
      "obligatory": true,
      "attributes": {
        "settings.whitelisted_countries": "[GB]",
        "entity.primaryAddress.country": ""
      }
    }
  ]
}