Skip to content

feat(policy): dynamic attribute value entitlement mappings#3568

Open
alkalescent wants to merge 14 commits into
mainfrom
DSPX-2754-dynamic-attribute-values-impl
Open

feat(policy): dynamic attribute value entitlement mappings#3568
alkalescent wants to merge 14 commits into
mainfrom
DSPX-2754-dynamic-attribute-values-impl

Conversation

@alkalescent

@alkalescent alkalescent commented Jun 4, 2026

Copy link
Copy Markdown
Contributor

Proposed Changes

Implements the DynamicValueMapping policy primitive end to end (the model chosen by the spike / ADR 0005). It raises entitlement authority from a concrete AttributeValue to the AttributeDefinition: a single mapping entitles dynamically-requested values by comparing the requested resource value segment against the entity representation at decision time, instead of pre-provisioning a value + subject mapping per discrete ID (MRNs, account IDs, etc.).

Design highlights:

  • Operator model: DynamicValueResolver reuses SubjectMappingOperatorEnum (IN = the resource segment equals any resolved entity value; IN_CONTAINS = substring). NOT_IN is rejected because dynamic resolution is existential over the resolved values. This keeps the resolver and subject-mapping vocabularies aligned and avoids a parallel operator enum. Follows the operator revert in feat(policy)!: undo subject mapping operator decomposition #3685; the earlier decomposed comparison/quantifier/case_insensitive model was undone.
  • Optional static SubjectConditionSet pre-gate (normal static semantics, no field overload) to support compound "entity attribute AND resource value" conditions.
  • No-coexistence enforced both directions between value-level subject mappings and dynamic mappings on the same definition (attribute values may still exist, e.g. for obligation triggers).
  • HIERARCHY rejected; matching is exact and case-sensitive.
  • Experimental, off by default behind the allow_dynamic_value_mappings config; dynamic mappings are loaded (including in the authz cache), evaluated in decisioning, and gated in the cache refresh only when enabled.
  • Dynamic values are first-class in decisioning: they flow into the same entitlements map and ANY_OF / ALL_OF rule layer as static values (manifest stays a list of attribute FQNs).

Wiring: proto + generated code + SDK client; DB migration + sqlc + CRUD; dedicated DynamicValueMappingService; decision-time evaluator; PDP load/merge with synthetic-value support; and authz cache. Replaces the throwaway spike package and ports its tests. GetEntitlements intentionally does not enumerate dynamic values (high-cardinality, resource-scoped).

Checklist

  • I have added or updated unit tests
  • I have added or updated integration tests (if appropriate)
  • I have added or updated documentation

Testing Instructions

  • cd service && go build ./...
  • cd service && go test ./internal/subjectmappingbuiltin/... ./internal/access/v2/... ./authorization/v2/...
  • cd service && golangci-lint run ./internal/subjectmappingbuiltin/... ./internal/access/v2/ ./authorization/v2/ ./policy/db/ ./policy/dynamicvaluemapping/
  • DB-layer CRUD and end-to-end GetDecision verification require a live Postgres/platform.

Related

Summary by CodeRabbit

  • New Features

    • Added support for dynamic value mappings in authorization, including creation, listing, retrieval, update, and deletion.
    • Added a new configuration flag to enable or disable dynamic value mapping behavior.
    • Expanded decisioning to recognize dynamic mappings during entitlement evaluation.
  • Bug Fixes

    • Improved cache refresh behavior so partial failures no longer mark cached data as fully loaded.
    • Added validation to reject unsupported or conflicting mapping configurations.

@coderabbitai

coderabbitai Bot commented Jun 4, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@alkalescent, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 19 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7d6c5e41-1cf6-433c-9737-481c29ce8cf8

📥 Commits

Reviewing files that changed from the base of the PR and between f70b321 and f6515a1.

📒 Files selected for processing (3)
  • service/authorization/v2/cache_test.go
  • service/integration/dynamic_value_mappings_test.go
  • service/internal/subjectmappingbuiltin/dynamic_value_mapping_builtin.go
📝 Walkthrough

Walkthrough

Introduces a new "dynamic value mapping" primitive across the policy stack: a schema/migration, DB CRUD queries and client methods, a Connect RPC service, entity-flatten-based evaluation logic, PDP/JIT-PDP integration, entitlement cache storage, authorization config flag propagation, hierarchy/coexistence constraint enforcement, and integration/unit tests plus an ADR document.

Changes

Dynamic value mapping rollout

Layer / File(s) Summary
Schema and query surface
service/policy/db/migrations/*, service/policy/db/models.go, service/policy/db/queries/dynamic_value_mappings.sql, service/policy/db/dynamic_value_mappings.sql.go, service/policy/db/utils.go
Adds the dynamic_value_mappings/dynamic_value_mapping_actions tables, sqlc models, CRUD/count/list SQL queries, generated Go query wrappers, and sort-param helpers.
DB client and consistency guards
service/policy/db/dynamic_value_mappings.go, service/policy/db/attributes.go, service/policy/db/subject_mappings.go
Implements Create/Get/List/Update/Delete with hydration, operator/rule validation, coexistence checks against value-level subject mappings, namespace consistency, subject condition set resolution, and blocks HIERARCHY rule transitions/subject-mapping creation when conflicting dynamic mappings exist.
Service registration and RPC handlers
service/policy/dynamicvaluemapping/dynamic_value_mapping.go, service/logger/audit/constants.go, service/policy/policy.go, service/pkg/server/services_test.go
Registers DynamicValueMappingService with Connect RPC CRUD handlers, audit logging, config hot-reload, and adds the audit ObjectType plus registration wiring and updated service-count test expectation.
Condition and mapping evaluation
service/internal/access/v2/validators.go, service/internal/subjectmappingbuiltin/dynamic_value_mapping_builtin*.go
Validates dynamic value mappings and evaluates them against flattened entity data using selector-based IN/IN_CONTAINS matching plus optional static subject-condition gating.
PDP and access flow
service/internal/access/v2/policy_store.go, helpers.go, helpers_test.go, just_in_time_pdp.go, pdp.go, pdp_dynamic_test.go, evaluate.go
Fetches dynamic mappings, indexes them by definition FQN, threads them into decisionable-attribute resolution and GetDecision, and merges dynamically entitled actions into the decision flow.
Authorization config and cache
service/authorization/v2/config.go, authorization.go, cache.go, cache_test.go
Adds AllowDynamicValueMappings config flag, propagates it to PDP/cache construction, and caches/retrieves dynamic value mappings alongside entitlement policy data.
Integration tests and ADR
service/integration/dynamic_value_mappings_test.go, service/policy/adr/0005-dynamic-attribute-value-entitlements-spike.md
Adds an integration test suite covering CRUD, coexistence, hierarchy rejection, updates/deletes, and pagination, plus an ADR documenting the dynamic value mapping design.

Estimated code review effort: 4 (Complex) | ~75 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant AuthorizationService
  participant JustInTimePDP
  participant PolicyDecisionPoint
  participant EvaluateDynamicValueMappingsWithActions

  Client->>AuthorizationService: GetDecision request
  AuthorizationService->>JustInTimePDP: NewJustInTimePDP(allowDynamicValueMappings)
  JustInTimePDP->>JustInTimePDP: ListAllDynamicValueMappings (if enabled)
  JustInTimePDP->>PolicyDecisionPoint: NewPolicyDecisionPoint(WithDynamicValueMappings)
  PolicyDecisionPoint->>PolicyDecisionPoint: getResourceDecisionableAttributes
  PolicyDecisionPoint->>EvaluateDynamicValueMappingsWithActions: evaluate dynamic mappings
  EvaluateDynamicValueMappingsWithActions-->>PolicyDecisionPoint: entitled actions by value FQN
  PolicyDecisionPoint-->>AuthorizationService: decision + entitlements
  AuthorizationService-->>Client: response
Loading

Possibly related PRs

  • opentdf/platform#3226: Extends the same PDP/JustInTimePDP decisioning code paths, updating NewJustInTimePDP/NewPolicyDecisionPoint signatures and related decision evaluation logic.

Suggested reviewers: elizabethhealy, c-r33d

Poem

A rabbit hops through tables new,
Dynamic maps in every burrow,
IN and IN_CONTAINS, hop-hop-hop,
Coexistence checks won't let mappings stop.
From cache to PDP, entitlements bloom —
🐰 this warren's got a bit more room!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 52.94% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: adding dynamic attribute value entitlement mappings in policy.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch DSPX-2754-dynamic-attribute-values-impl

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot added comp:db DB component comp:policy Policy Configuration ( attributes, subject mappings, resource mappings, kas registry) comp:sdk A software development kit, including library, for client applications and inter-service communicati comp:authorization docs Documentation size/xl labels Jun 4, 2026
@github-actions

github-actions Bot commented Jun 4, 2026

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 179.705299ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 99.507736ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 405.58654ms
Throughput 246.56 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 46.591212655s
Average Latency 463.808555ms
Throughput 107.32 requests/second

@gemini-code-assist

Copy link
Copy Markdown
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements a new policy primitive, DefinitionValueEntitlementMapping, which enables dynamic entitlement mappings at the attribute definition level. This allows for more flexible and scalable authorization by comparing resource values against entity attributes at decision time, rather than relying on pre-provisioned static mappings. The change includes a full end-to-end implementation, including protocol definitions, service logic, database persistence, and integration into the existing policy decision point.

Highlights

  • New Policy Primitive: Introduced the DefinitionValueEntitlementMapping primitive to support dynamic attribute value entitlement at the definition level.
  • Dynamic Evaluation Logic: Added DynamicValueOperatorEnum and DefinitionValueResolver to allow for dynamic comparison of resource values against entity attributes at decision time.
  • Service and Persistence: Implemented a dedicated CRUD service, database migrations, and SQLC queries to manage the new entitlement mappings.
  • PDP Integration: Integrated dynamic mapping evaluation into the Policy Decision Point (PDP) and added caching to maintain performance.
  • Validation and Safety: Enforced no-coexistence rules to prevent conflicts between static value-level subject mappings and new dynamic mappings on the same definition.
New Features

🧠 You can now enable Memory (public preview) to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Ignored Files
  • Ignored by pattern: docs/openapi/**/* (21)
    • docs/openapi/authorization/authorization.openapi.yaml
    • docs/openapi/authorization/v2/authorization.openapi.yaml
    • docs/openapi/common/common.openapi.yaml
    • docs/openapi/entity/entity.openapi.yaml
    • docs/openapi/entityresolution/entity_resolution.openapi.yaml
    • docs/openapi/entityresolution/v2/entity_resolution.openapi.yaml
    • docs/openapi/kas/kas.openapi.yaml
    • docs/openapi/policy/actions/actions.openapi.yaml
    • docs/openapi/policy/attributes/attributes.openapi.yaml
    • docs/openapi/policy/definitionvalueentitlement/definition_value_entitlement.openapi.yaml
    • docs/openapi/policy/kasregistry/key_access_server_registry.openapi.yaml
    • docs/openapi/policy/keymanagement/key_management.openapi.yaml
    • docs/openapi/policy/namespaces/namespaces.openapi.yaml
    • docs/openapi/policy/objects.openapi.yaml
    • docs/openapi/policy/obligations/obligations.openapi.yaml
    • docs/openapi/policy/registeredresources/registered_resources.openapi.yaml
    • docs/openapi/policy/resourcemapping/resource_mapping.openapi.yaml
    • docs/openapi/policy/selectors.openapi.yaml
    • docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml
    • docs/openapi/policy/unsafe/unsafe.openapi.yaml
    • docs/openapi/wellknownconfiguration/wellknown_configuration.openapi.yaml
  • Ignored by pattern: protocol/**/* (4)
    • protocol/go/policy/definitionvalueentitlement/definition_value_entitlement.pb.go
    • protocol/go/policy/definitionvalueentitlement/definition_value_entitlement_grpc.pb.go
    • protocol/go/policy/definitionvalueentitlement/definitionvalueentitlementconnect/definition_value_entitlement.connect.go
    • protocol/go/policy/objects.pb.go
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.


Dynamic rules now take the stage, No longer static on the page. From definition, values flow, To let the right permissions grow.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request implements Definition Value Entitlement Mappings (DSPX-2754), which move entitlement authority from concrete attribute values to the attribute definition level. The changes span SDK client generation, caching, PDP evaluation, database storage, and a new gRPC service. The review feedback is highly constructive and identifies several critical issues that should be addressed: a potential data race hazard in the gRPC service, possible nil pointer dereferences in both the PDP evaluator and the database client, a bug in error handling that could return nil values, incorrect type formatting in cache errors, and a redundant database index in the migration script.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread service/policy/definitionvalueentitlement/definition_value_entitlement.go Outdated
Comment thread service/authorization/v2/cache.go Outdated
Comment thread service/internal/access/v2/helpers.go Outdated
Comment thread service/internal/subjectmappingbuiltin/dynamic_value_mapping_builtin.go Outdated
Comment thread service/policy/db/definition_value_entitlement_mappings.go Outdated
Comment thread service/policy/db/definition_value_entitlement_mappings.go Outdated
@github-actions

github-actions Bot commented Jun 5, 2026

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 185.014087ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 118.099251ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 429.531288ms
Throughput 232.81 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 44.331230891s
Average Latency 441.164371ms
Throughput 112.79 requests/second

@github-actions

github-actions Bot commented Jun 5, 2026

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 193.209357ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 99.253148ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 452.432409ms
Throughput 221.03 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 47.779208084s
Average Latency 475.780561ms
Throughput 104.65 requests/second

@github-actions

github-actions Bot commented Jun 5, 2026

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 153.929845ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 78.781532ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 411.672475ms
Throughput 242.91 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 43.358428704s
Average Latency 431.654544ms
Throughput 115.32 requests/second

@github-actions

github-actions Bot commented Jun 5, 2026

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 186.551087ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 99.790406ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 444.671341ms
Throughput 224.89 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 45.347542117s
Average Latency 451.731513ms
Throughput 110.26 requests/second

@github-actions

github-actions Bot commented Jun 8, 2026

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 179.271779ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 94.536026ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 449.588328ms
Throughput 222.43 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 47.609789466s
Average Latency 474.175763ms
Throughput 105.02 requests/second

@github-actions

github-actions Bot commented Jun 8, 2026

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 305.274891ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 107.714912ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 560.889955ms
Throughput 178.29 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 44.183073863s
Average Latency 439.810332ms
Throughput 113.17 requests/second

alkalescent added a commit that referenced this pull request Jun 9, 2026
Protocol-first half of the dynamic attribute value entitlement work: adds the
DynamicValueMapping / DynamicValueResolver messages and DynamicValueOperatorEnum to
objects.proto, and a dedicated DynamicValueMappingService
(policy.dynamicvaluemapping), plus regenerated protocol/go and OpenAPI/gRPC docs.

No service implementation here. This lands and releases protocol/go first so the
consumer PR (#3568) can require the new version and pass per-module 'go mod tidy'.

Refs: DSPX-2754, DSPX-3498
Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
alkalescent added a commit that referenced this pull request Jun 10, 2026
Protocol-first half of the dynamic attribute value entitlement work: adds the
DynamicValueMapping / DynamicValueResolver messages and DynamicValueOperatorEnum to
objects.proto, and a dedicated DynamicValueMappingService
(policy.dynamicvaluemapping), plus regenerated protocol/go and OpenAPI/gRPC docs.

No service implementation here. This lands and releases protocol/go first so the
consumer PR (#3568) can require the new version and pass per-module 'go mod tidy'.

Refs: DSPX-2754, DSPX-3498
Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
alkalescent added a commit that referenced this pull request Jun 11, 2026
Protocol-first half of the dynamic attribute value entitlement work: adds the
DynamicValueMapping / DynamicValueResolver messages and DynamicValueOperatorEnum to
objects.proto, and a dedicated DynamicValueMappingService
(policy.dynamicvaluemapping), plus regenerated protocol/go and OpenAPI/gRPC docs.

No service implementation here. This lands and releases protocol/go first so the
consumer PR (#3568) can require the new version and pass per-module 'go mod tidy'.

Refs: DSPX-2754, DSPX-3498
Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
alkalescent added a commit that referenced this pull request Jun 11, 2026
Adds the DynamicValueMapping / DynamicValueResolver messages and
DynamicValueOperatorEnum to objects.proto, and a dedicated
DynamicValueMappingService (policy.dynamicvaluemapping), with regenerated
protocol/go and OpenAPI/gRPC docs. Protocol-first half of DSPX-2754; the consumer
implementation (service/sdk/db/PDP) is PR #3568.

Includes review fixes: namespace oneof + min_len:1/uri + direct validation rules on
CreateDynamicValueMappingRequest; per-field List filter comments; and a
namespace_fqn filter (namespace_id|namespace_fqn oneof) on ListDynamicValueMappingsRequest.

Refs: DSPX-2754, DSPX-3498
Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
alkalescent added a commit that referenced this pull request Jun 15, 2026
Protocol-first half of the dynamic attribute value entitlement work: adds the
DynamicValueMapping / DynamicValueResolver messages and DynamicValueOperatorEnum to
objects.proto, and a dedicated DynamicValueMappingService
(policy.dynamicvaluemapping), plus regenerated protocol/go and OpenAPI/gRPC docs.

No service implementation here. This lands and releases protocol/go first so the
consumer PR (#3568) can require the new version and pass per-module 'go mod tidy'.

Refs: DSPX-2754, DSPX-3498
Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
alkalescent added a commit that referenced this pull request Jun 15, 2026
Adds the DynamicValueMapping / DynamicValueResolver messages and
DynamicValueOperatorEnum to objects.proto, and a dedicated
DynamicValueMappingService (policy.dynamicvaluemapping), with regenerated
protocol/go and OpenAPI/gRPC docs. Protocol-first half of DSPX-2754; the consumer
implementation (service/sdk/db/PDP) is PR #3568.

Includes review fixes: namespace oneof + min_len:1/uri + direct validation rules on
CreateDynamicValueMappingRequest; per-field List filter comments; and a
namespace_fqn filter (namespace_id|namespace_fqn oneof) on ListDynamicValueMappingsRequest.

Refs: DSPX-2754, DSPX-3498
Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
Remove the reserved field numbers/names added for the removed comparison,
quantifier, and case_insensitive fields. The decomposed proto surface had no
consumers, so reserving the numbers is unnecessary. Regenerated protocol/go.

Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
Service consumer for dynamic value mappings, built on protocol/go v0.34.0 and
sdk v0.23.0:

- DB: dynamic_value_mappings table + queries + CRUD, no-coexistence guard with
  value-level subject mappings, comparison + case_insensitive columns.
- Service: DynamicValueMappingService, validators, and PDP wiring that loads
  dynamic mappings via the SDK and evaluates them alongside subject mappings.
- Evaluation: shared comparison helper (EQUALS/CONTAINS/STARTS_WITH/ENDS_WITH)
  used by both static conditions (with quantifier + deprecated-operator
  normalization) and the dynamic resolver (existential, case_insensitive).

protocol/go protos, the dynamicvaluemapping package, and the sdk wrapper landed
in #3580 and #3635; this PR bumps to those releases.

Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
…ing indexing

- Bump numExpectedPolicyServices to 11 now that DynamicValueMappingService is
  registered (fixes the go (service) CI failure).
- PDP: skip HIERARCHY attribute definitions when indexing dynamic value mappings,
  using the canonical definition map (defense in depth vs an unset payload rule).
- Add a multi-SubjectSet static-gate test to lock the AND aggregation across
  subject sets.

Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
…te value

ensureNoDynamicValueMappingCoexistence ran on the CreateSubjectMapping path and
returned ErrNotFound for a non-existent attribute value, masking the foreign-key
violation that the create insert previously surfaced. Treat a not-found value as
"nothing to guard" and return nil so the normal create path reports
ErrForeignKeyViolation. The coexistence guard still fires for existing values.

Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
Add TestListByDefinition_Pagination asserting page boundaries (Total and
NextOffset) across multiple dynamic value mappings on one definition, matching
the subject-mapping list pagination coverage.

Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
…rlap

Strengthen TestListByDefinition_Pagination to verify the paginated pages
partition the corpus: page items are distinct, page 2 does not repeat page 1,
and the union covers all created mappings exactly once.

Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
…and ADR

Remove DSPX-2754 ticket tokens from code comments and the dynamic_value_mappings
table comment (regenerated models.go), and genericize the Virtru repo / Atlassian
links in the ADR. Also clarify in the ADR that no-coexistence is between
value-level subject mappings and dynamic mappings, not the existence of attribute
values (which may exist for obligation triggers, FQN resolution).

Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
- Gate the feature behind an experimental allow_dynamic_value_mappings config
  (default off); the PDP only loads and evaluates dynamic mappings when enabled.
- Consolidate the PDP constructors into a single NewPolicyDecisionPoint with a
  WithDynamicValueMappings functional option (drops the second constructor).
- Drop nil checks made redundant by nil-safe proto getters; use a named
  ErrDynamicValueMappingEvaluation sentinel.
- Remove the can't-happen unnamespaced-mapping skip (CRUD enforces namespacing);
  log a HIERARCHY-referencing dynamic mapping at error level (needs correction).
- Wrap UpdateDynamicValueMapping get+update+audit in a transaction, matching
  UpdateSubjectMapping.

Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
Consume the reverted policy protos that drop the operator decomposition.
DynamicValueResolver now carries a SubjectMappingOperatorEnum instead of the
removed ConditionComparisonOperatorEnum + case_insensitive, and Condition is
evaluated directly on its operator again.

- Restore EvaluateCondition to switch on SubjectMappingOperatorEnum (IN, NOT_IN,
  IN_CONTAINS); drop the normalized comparison/quantifier helpers.
- Resolve dynamic value mappings via the resolver operator: IN is existential
  equality, IN_CONTAINS is substring; NOT_IN and UNSPECIFIED are rejected in the
  resolver, the access validator, and the DB layer.
- Rename the dynamic_value_mappings.operator column (was comparison), drop
  case_insensitive, and regenerate sqlc.
- Update tests to construct resolvers with operators; remove the case-insensitive
  canonicalization test (case folding is no longer part of resolution).

Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
@alkalescent alkalescent force-pushed the DSPX-2754-dynamic-attribute-values-impl branch from c7ba900 to 369b655 Compare June 30, 2026 05:01
@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 207.767364ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 107.910064ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 451.618004ms
Throughput 221.43 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 46.03870741s
Average Latency 458.749148ms
Throughput 108.60 requests/second

- Gate the entitlement policy cache's dynamic value mapping fetch behind the
  allow_dynamic_value_mappings flag so cache readiness no longer depends on the
  experimental endpoint when the feature is disabled.
- Tighten dynamic value mapping negative-path integration tests to assert the
  specific rejection sentinel (ErrEnumValueInvalid / ErrRestrictViolation).
- Update ADR 0005 to the shipped operator model (SubjectMappingOperatorEnum,
  NOT_IN rejected, exact/case-sensitive matching, optional SubjectConditionSet
  pre-gate) and drop the removed decomposed-operator description.
- Align a stale HIERARCHY rule-change error message with the DynamicValueMapping
  naming.

Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 187.154537ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 100.214783ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 437.747786ms
Throughput 228.44 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 44.803988876s
Average Latency 446.148533ms
Throughput 111.60 requests/second

Base automatically changed from fix/undo-operator-decomposition to main July 1, 2026 15:20
Comment thread service/integration/dynamic_value_mappings_test.go
The dynamic value mapping indexing loop skipped mappings whose attribute
definition was absent from the entitleable set. The DVM table has a foreign key
to attribute_definitions (ON DELETE CASCADE), so a mapping cannot reference a
missing definition; the guard is unreachable. Remove it and read the HIERARCHY
defense-in-depth rule directly from the canonical map (nil-safe on a miss).

Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 199.992525ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 104.116187ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 683.414973ms
Throughput 146.32 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 45.490049659s
Average Latency 452.135984ms
Throughput 109.91 requests/second

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 159.567849ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 80.43147ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 353.301281ms
Throughput 283.04 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 34.415605272s
Average Latency 342.878736ms
Throughput 145.28 requests/second

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
service/internal/access/v2/helpers_test.go (1)

1131-1207: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Consider adding a case for the new hasDynamicMapping branch.

None of the three subtests exercise dynamicMappingsByDefinitionFQN populated with allowDirectEntitlements=false — the new branch added in helpers.go (lines 258-280) that admits synthetic values purely via a dynamic mapping. Integration coverage exists via pdp_dynamic_test.go, but a focused unit case here would pin down the new admission logic directly.

✅ Suggested additional subtest
t.Run("dynamic mapping present, direct entitlements disabled, synthetic value admitted", func(t *testing.T) {
	resources := []*authz.Resource{
		{
			Resource: &authz.Resource_AttributeValues_{
				AttributeValues: &authz.Resource_AttributeValues{
					Fqns: []string{attrSyntheticValueFQN},
				},
			},
		},
	}
	dynamicMappings := subjectmappingbuiltin.DynamicValueMappingsByDefinitionFQN{
		attrFQN: {{AttributeDefinition: attr}},
	}

	decisionableAttrs, err := getResourceDecisionableAttributes(ctx, logger,
		nil,
		nil,
		entitleableAttributesByDefinitionFQN,
		dynamicMappings,
		resources,
		false, // direct entitlements disabled
	)
	require.NoError(t, err)
	require.Contains(t, decisionableAttrs, attrSyntheticValueFQN)
})
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@service/internal/access/v2/helpers_test.go` around lines 1131 - 1207, The
unit tests in getResourceDecisionableAttributes are missing coverage for the new
hasDynamicMapping path. Add a focused subtest in helpers_test.go that passes
dynamicMappingsByDefinitionFQN with a matching definition FQN, uses
allowDirectEntitlements=false, and verifies the synthetic value is accepted
without error. Use getResourceDecisionableAttributes,
entitleableAttributesByDefinitionFQN, and
subjectmappingbuiltin.DynamicValueMappingsByDefinitionFQN to locate the branch
and assert the returned decisionableAttrs contains the synthetic FQN.

Source: Path instructions

service/authorization/v2/cache.go (1)

238-244: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Refresh log omits dynamic value mappings count.

The debug log after a successful refresh reports counts for attributes, subject mappings, registered resources, and obligations, but not for the newly-added dynamic value mappings, making it harder to observe this experimental feature's cache state.

🔧 Proposed fix
 	c.logger.DebugContext(ctx,
 		"refreshed EntitlementPolicyCache",
 		slog.Int("attributes_count", len(attributes)),
 		slog.Int("subject_mappings_count", len(subjectMappings)),
+		slog.Int("dynamic_value_mappings_count", len(dynamicValueMappings)),
 		slog.Int("registered_resources_count", len(registeredResources)),
 		slog.Int("obligations_count", len(obligations)),
 	)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@service/authorization/v2/cache.go` around lines 238 - 244, The refresh debug
log in EntitlementPolicyCache is missing the new dynamic value mappings count.
Update the c.logger.DebugContext call in the refresh path to include a count
field for dynamic value mappings alongside attributes, subject mappings,
registered resources, and obligations, using the same local variable that holds
the dynamic mappings so the cache state is fully observable.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@service/authorization/v2/cache_test.go`:
- Line 24: The tests for NewEntitlementPolicyCache only cover the
allowDynamicValueMappings=false path, so add a case that creates the cache with
true and exercises the dynamic mapping branch. Update cache_test.go to hit the
ListAllDynamicValueMappings accessor and verify both the cache miss and cache
hit behavior for the dynamic-value-mapping path.

In `@service/integration/dynamic_value_mappings_test.go`:
- Around line 86-95: Add a sibling test alongside TestRejectsHierarchyDefinition
to cover validateDynamicValueResolverOperator rejecting
SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN. Use DynamicValueMappingsSuite,
createDefinition, s.resolver, and CreateDynamicValueMapping to construct a
request with an ANY_OF attribute and assert db.ErrEnumValueInvalid, matching the
existing hierarchy rejection style.
- Around line 175-180: The delete verification in the dynamic value mappings
test only checks for any error, which can hide regressions in
GetDynamicValueMapping. Update the assertion after DeleteDynamicValueMapping in
dynamic_value_mappings_test.go to require the specific db.ErrNotFound sentinel,
matching the stricter pattern already used in this test file for other policy
errors. Keep the check tied to the existing
s.db.PolicyClient.GetDynamicValueMapping call so it verifies the mapping is
truly gone.

In `@service/internal/subjectmappingbuiltin/dynamic_value_mapping_builtin.go`:
- Around line 29-79: EvaluateDynamicValueMappingsWithActions currently appends
the same mapping actions once per matching entity in
entityRepresentation.GetAdditionalProps(), which can duplicate actions for a
single valueFQN when multiple entities satisfy the same mapping. Update the
logic so each mapping/valueFQN contributes actions at most once across all
entities, using an existential check/break after the first match rather than
appending per entity. While refactoring, keep the work centered in
EvaluateDynamicValueMappingsWithActions and avoid recomputing
resourceValueSegment inside the per-entity loop since it depends only on the
valueFQN and attribute value.

---

Outside diff comments:
In `@service/authorization/v2/cache.go`:
- Around line 238-244: The refresh debug log in EntitlementPolicyCache is
missing the new dynamic value mappings count. Update the c.logger.DebugContext
call in the refresh path to include a count field for dynamic value mappings
alongside attributes, subject mappings, registered resources, and obligations,
using the same local variable that holds the dynamic mappings so the cache state
is fully observable.

In `@service/internal/access/v2/helpers_test.go`:
- Around line 1131-1207: The unit tests in getResourceDecisionableAttributes are
missing coverage for the new hasDynamicMapping path. Add a focused subtest in
helpers_test.go that passes dynamicMappingsByDefinitionFQN with a matching
definition FQN, uses allowDirectEntitlements=false, and verifies the synthetic
value is accepted without error. Use getResourceDecisionableAttributes,
entitleableAttributesByDefinitionFQN, and
subjectmappingbuiltin.DynamicValueMappingsByDefinitionFQN to locate the branch
and assert the returned decisionableAttrs contains the synthetic FQN.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8a4b35fb-436d-41a5-b2b2-d8e6df7510cf

📥 Commits

Reviewing files that changed from the base of the PR and between b3aa840 and f70b321.

📒 Files selected for processing (28)
  • service/authorization/v2/authorization.go
  • service/authorization/v2/cache.go
  • service/authorization/v2/cache_test.go
  • service/authorization/v2/config.go
  • service/integration/dynamic_value_mappings_test.go
  • service/internal/access/v2/evaluate.go
  • service/internal/access/v2/helpers.go
  • service/internal/access/v2/helpers_test.go
  • service/internal/access/v2/just_in_time_pdp.go
  • service/internal/access/v2/pdp.go
  • service/internal/access/v2/pdp_dynamic_test.go
  • service/internal/access/v2/policy_store.go
  • service/internal/access/v2/validators.go
  • service/internal/subjectmappingbuiltin/dynamic_value_mapping_builtin.go
  • service/internal/subjectmappingbuiltin/dynamic_value_mapping_builtin_test.go
  • service/logger/audit/constants.go
  • service/pkg/server/services_test.go
  • service/policy/adr/0005-dynamic-attribute-value-entitlements-spike.md
  • service/policy/db/attributes.go
  • service/policy/db/dynamic_value_mappings.go
  • service/policy/db/dynamic_value_mappings.sql.go
  • service/policy/db/migrations/20260618000000_add_dynamic_value_mappings.sql
  • service/policy/db/models.go
  • service/policy/db/queries/dynamic_value_mappings.sql
  • service/policy/db/subject_mappings.go
  • service/policy/db/utils.go
  • service/policy/dynamicvaluemapping/dynamic_value_mapping.go
  • service/policy/policy.go
💤 Files with no reviewable changes (12)
  • service/policy/db/attributes.go
  • service/pkg/server/services_test.go
  • service/policy/db/subject_mappings.go
  • service/policy/db/utils.go
  • service/policy/policy.go
  • service/policy/db/dynamic_value_mappings.sql.go
  • service/policy/adr/0005-dynamic-attribute-value-entitlements-spike.md
  • service/policy/db/models.go
  • service/policy/dynamicvaluemapping/dynamic_value_mapping.go
  • service/policy/db/dynamic_value_mappings.go
  • service/policy/db/migrations/20260618000000_add_dynamic_value_mappings.sql
  • service/policy/db/queries/dynamic_value_mappings.sql

Comment thread service/authorization/v2/cache_test.go
Comment thread service/integration/dynamic_value_mappings_test.go
Comment thread service/integration/dynamic_value_mappings_test.go
- EvaluateDynamicValueMappingsWithActions now flattens entities once and matches
  each mapping existentially across all entities, appending its actions at most
  once per value FQN. Previously multiple matching entities (e.g. person +
  client) duplicated the entitlement, and the resource value segment was
  recomputed per entity.
- Add integration coverage for NOT_IN operator rejection (ErrEnumValueInvalid).
- Assert ErrNotFound after dynamic value mapping delete.
- Add authz cache coverage for the enabled dynamic-value-mappings path.

Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 186.925403ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 90.291417ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 415.398046ms
Throughput 240.73 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 42.220140486s
Average Latency 419.830339ms
Throughput 118.43 requests/second

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

⚠️ Govulncheck found vulnerabilities ⚠️

The following modules have known vulnerabilities:

  • examples
  • otdfctl
  • sdk
  • service
  • lib/fixtures
  • tests-bdd

See the workflow run for details.

@alkalescent alkalescent enabled auto-merge July 6, 2026 14:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

comp:authorization comp:db DB component comp:policy Policy Configuration ( attributes, subject mappings, resource mappings, kas registry) comp:sdk A software development kit, including library, for client applications and inter-service communicati docs Documentation size/xl

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants