Request Attributes represent dynamic input parameters passed in Authorization requests, enabling fine-grained, request-specific logic to be evaluated as part of the Access Decision.
The PDP evaluates these Attributes when used by the Policy logic in Conditions or Assets Rule Sets with the request. syntax.
If Request Attributes are defined with API Mappers in the Workspace settings, the PDP extracts the Request Attribute value dynamically according to the defined mapper. Values can be extracted from the incoming REST request's path, query parameters, headers, or body—based on the configured Mappers and their associated API Mappers, similar to how Asset Attributes use API Mappers.
Managing Request Attributes
You can manage Request Attributes in the Authorization Workspace under the Request Attributes tab. Each Attribute includes a Display Name, ID, optional Description, and a list of Mappings that determine where the PDP retrieves its value.
Creating a Request Attribute
- Open your Authorization Workspace Settings.
- Select the Request Attributes tab.
- Click New Attribute.
- Enter a Display Name (used in the Workspace UI).
- Enter a Request Attribute ID (referenced in the Policy logic and used in Authorization request calculations).
- Enter a Description (optional).
- Click Create to create your Request Attribute.
Defining Request Attribute Mappings
- To use the Request Attribute with dynamic API Mappers, define the Mappings by clicking on Request Attribute Mappings under the Mapping section.
- In the side panel that opens, click Add to create a new collapsible Mapping block. You can also edit or delete a Mapping block by clicking on Edit or the trash icon.
- Fill out the Mapping form:
  - Source – The source of the value (e.g., Path, Body, Header, Query).
  - Path – The path to the value in the request.
  - API Mapper – Select from the list of defined API Mappers for the Application.
- Click Save, then Close the side panel.
- A Mapper is marked as Incomplete if no API Mapper is selected.
- An API Mapper that is already used in one Mapping block cannot be selected in another Mapping block.
Editing a Request Attribute
- Go to the Authorization Workspace Settings.
- Select the Request Attributes tab.
- Select the Attribute in the list and click Edit.
- Modify the fields as needed.
- Click Save to apply your changes.
Deleting a Request Attribute
- Navigate to the Authorization Workspace Settings.
- Open the Request Attributes tab.
- Hover over the Attribute you want to delete and click the trash icon.
- Confirm the deletion in the Delete this Request Attribute? prompt.
⚠️ You cannot delete a Request Attribute that is currently connected to an API Mapper. Ensure that you unlink the API Mapper or delete the Mapping block before deleting the Request Attribute.
Defining the Source and Path
Each Mapper defines a Source (where the value comes from) and a Path (how to extract it). The table below outlines the available options:
Source | Description | Example Value |
---|---|---|
Path | Extracts a value from the URI path. A numeric path index (e.g., [4]) indicates the position of the segment in the URI. | [4] |
Body | Extracts the value from the JSON body of the request using JSONPath syntax. | $.accounts.accountId |
Header | Extracts the value from a specified HTTP header. | x-user-role |
Query | Extracts the value from a query parameter in the URI. | /loan?status=pending |
URI Regex | Extracts the value using a regular expression applied to the full URI. This allows more flexible matching patterns. | ^/env/\d+\?action=(\w+)$ |
Path Mapping Example
In the following example, two Attributes are included in the API call. The API Mapper defines the user Attribute value by the path [4] and the account Attribute by the path [6].
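As an added illustration (not part of the product documentation and not the PDP's implementation), the sketch below resolves each Source/Path pair from the table against a constructed request, including the [4] and [6] path mappings. It assumes path segments are counted from 1, that a Query mapping's Path is the parameter name, and that a URI Regex returns its first capture group; the `extract` function and the sample request are hypothetical.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request (hypothetical values, not from the product).
SAMPLE = {
    "uri": "/api/v1/users/u-1001/accounts/a-2002?status=pending",
    "headers": {"X-User-Role": "teller"},
    "body": '{"accounts": {"accountId": "a-2002"}}',
}

def extract(source, path, request):
    """Resolve one mapping (Source, Path) against a request; None if absent."""
    uri = request["uri"]
    parts = urlsplit(uri)
    if source == "Path":
        # "[4]" -> 4. ASSUMPTION: segments are counted from 1 after the leading "/".
        index = int(path.strip("[]"))
        segments = [s for s in parts.path.split("/") if s]
        return segments[index - 1] if 1 <= index <= len(segments) else None
    if source == "Body":
        # Minimal JSONPath subset: "$.a.b" dotted keys only (no filters or arrays).
        node = json.loads(request.get("body") or "{}")
        keys = path[2:] if path.startswith("$.") else path
        for key in keys.split("."):
            if not isinstance(node, dict) or key not in node:
                return None
            node = node[key]
        return node
    if source == "Header":
        # HTTP header names are case-insensitive, so compare in lower case.
        headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
        return headers.get(path.lower())
    if source == "Query":
        # ASSUMPTION: the mapping Path holds the parameter name, e.g. "status".
        values = parse_qs(parts.query).get(path)
        return values[0] if values else None
    if source == "URI Regex":
        # ASSUMPTION: the first capture group is the value; anchors cover the full URI.
        match = re.search(path, uri)
        return match.group(1) if match and match.re.groups else None
    raise ValueError(f"unknown source: {source}")

if __name__ == "__main__":
    for src, p in [("Path", "[4]"), ("Path", "[6]"), ("Query", "status")]:
        print(src, p, "->", extract(src, p, SAMPLE))
```

Because the table's regular expression is anchored with `^` and `$`, a URI carrying any extra query parameter yields no value, so Policy logic that depends on the Attribute should account for it being absent.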
For more information about using Request Attributes with the V5 API, refer to Working with the V5 Endpoint for API Access.