Working with combinedMultiValue

About the Identity Attributes Relationship Evaluation

Before delving into the combinedMultiValue parameter, it's important to understand how Authorization Policies rely on Identity Attributes as part of the Policy definition. Attributes such as department, location, and job title make it possible to define which users are granted access to the organization’s resources and assets. Policies can be created using either single or multiple Attributes. Using the standard Runtime decision calculation, all Attributes are aggregated and considered during the evaluation process.

To enhance Policy decision-making, organizations can now evaluate the relationship between Identity Attributes as part of the authorization request. This allows for more precise access control based on how attributes interact rather than simply aggregating them.

Using combinedMultiValue: true shifts the Policy evaluation from an aggregated identity model to one that considers how Attributes relate to each other. This method provides deeper, more context-aware access decisions. If combinedMultiValue is set to false or omitted, the evaluation follows the traditional aggregated approach with specified Attributes.

How it Works

The Identity Attributes relationship evaluation applies to both Access and Restrictive Policies. When a request includes combinedMultiValue: true, the evaluation process considers Attribute relationships throughout the entire Policy evaluation, including Dynamic Groups, Conditions, and Asset Rules.

To support efficient decision-making, you can use the following performance tuning configurations:

• Parallel Evaluation of Permutations: Policies can now evaluate permutations in parallel, reducing processing time. This behavior is controlled using the policyEvalParallelMaxPermutations configuration key, with a default value of 1.
• Selective Evaluation for Dynamic Groups and Asset Rules: When evaluating Dynamic Groups, attribute relationships are assessed only where necessary. The threshold for this behavior is configurable via policyEvalOptimizeByRolesColumnsMinPermutations, which defaults to 500.
• Optimized Attribute Consideration: Only Identity Attributes explicitly marked for use in policy evaluation are considered, streamlining the decision process.

For best performance, we recommend retrieving identity data from a single source, such as an external repository (main or auxiliary). The combinedMultiValue parameter can be used with the following API endpoints:

• Permit/Deny
• User Access Token
• Policy Resolution

When evaluating Identity Attribute relationships, attributes can be sourced from:

• External repositories
• Request body
• JWT payload

GWA Global Bank Use Case Example

With steadily growing branches and customers, GWA Global Bank has decided to open additional headquarters. Currently, there are two headquarters, New York and London. The bank has selected Berlin and Paris as new locations.

As part of this expansion, the bank is reviewing its Authorization Policies to ensure compliance with the European Union’s General Data Protection Regulation (GDPR). A key requirement is that only branch and bank managers within the EU can access the data of EU citizens and companies. To enforce this, the bank uses relationship-based Access Decisions, ensuring that access is granted based on both role and location.

Scenario: JohnE’s Access

JohnE works part-time in both London and Paris:

• In London, he is a Branch Manager in the DEV department.
• In Paris, he is a Bank Manager in the ADMIN department.

Using the User Access Token endpoint, the bank evaluates which assets JohnE is allowed to access based on his roles and locations.

Identity Data

A new Policy has been added to enforce GDPR compliance: users can only access assets in the same location as their job role.

Asset Data

The Asset Rule enforces that a user’s department and location must match the entity’s Location and Department for access to be granted.

Standard Access Decision Calculation

When evaluating based on aggregated attributes, the system grants JohnE access to:

According to the aggregated results, the response grants User 1104 (JohnE) access to the following Assets:
These results were created based on an aggregation of JohnE’s Attributes, including being in the DEV and ADMIN departments in both London and Paris. While this may be valuable for setting some permissions or Policies, what the new Policy requires is consideration of the relationship between two Attributes (DEPT and LOCATION) as it relates to the Bank’s Assets.

Identity Attributes Relationship Evaluation (combinedMultiValue: true)

When combinedMultiValue: true is used, the Policy evaluation ensures that JohnE’s Department and Location are evaluated together rather than as a combined set. This results in:

Now, JohnE’s access aligns correctly with his specific roles and locations:

• While in London, he can only access DataServerEU (associated with DEV, London).
• While in Paris, he can only access DataServerADM1 (associated with ADMIN, Paris).

The combinedMultiValue: true parameter ensures that Policies consider the relationships between Identity Attributes, rather than aggregating them. Performance tuning settings, such as policyEvalParallelMaxPermutations and policyEvalOptimizeByRolesColumnsMinPermutations, help optimize evaluations without affecting accuracy. The correct combination of Attributes in Policy evaluation ensures that compliance requirements (such as GDPR) are met while minimizing unnecessary processing.