...
<p>Here is an example of an XACML policy which addresses the following requirement: a given resource can be accessed only by a user belonging to a particular group (role), and all requests to access any other resource should fail. The policy below also restricts the permitted action to "read". It uses the first-applicable rule-combining algorithm: the first rule permits when the resource and action match its target and the subject's "group" bag contains "admin"; the second rule has no target, so it denies everything the first rule did not permit. The policy is therefore deny-by-default.</p>
<ac:macro ac:name="code"><ac:plain-text-body><![CDATA[
<Policy PolicyId="urn:sample:xacml:2.0:samplepolicy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  <Description>Sample XACML Authorization Policy</Description>
  <Target>
    <Subjects>
      <AnySubject />
    </Subjects>
    <Resources>
      <AnyResource />
    </Resources>
    <Actions>
      <AnyAction />
    </Actions>
  </Target>
  <Rule Effect="Permit" RuleId="primary-group-rule">
    <Target>
      <Subjects>
        <AnySubject />
      </Subjects>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                         DataType="http://www.w3.org/2001/XMLSchema#string" />
          </ResourceMatch>
        </Resource>
      </Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                       DataType="http://www.w3.org/2001/XMLSchema#string" />
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
        </Apply>
        <SubjectAttributeDesignator AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string" />
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Deny" RuleId="deny-rule" />
</Policy>
]]></ac:plain-text-body></ac:macro>
<p>Two details of the first rule deserve attention. The resource is matched with a regular expression, so the literal is a pattern rather than a plain string. The standard XACML identifier for this function is urn:oasis:names:tc:xacml:1.0:function:regexp-string-match; if your PDP rejects the identifier used above, switch to the standard one. Whether the pattern must match the whole resource-id or only a substring of it depends on the PDP, so test with a resource-id such as <span class="nolink">http://localhost:8280/services/echo/extra</span> before relying on the rule, and prefer string-equal (as used for the action) whenever the resource is a fixed value. The group check is a Condition rather than a SubjectMatch because string-subset works on the whole bag of "group" values: a subject carrying several "group" attributes is permitted as long as "admin" is one of them.</p>
<p>The following are valid XACML 2.0 request contexts. Because the final Deny rule has no target, evaluating any request against the policy above ends in either Permit or Deny; Not Applicable cannot occur.</p>
<h3>The first XACML request</h3>
<ul>
<li><strong>Resource</strong> - <span class="nolink">http://localhost:8280/services/echo/</span></li>
<li><strong>Action</strong> - read</li>
<li><strong>User</strong> - "admin" belongs only to the "admin" group</li>
<li><strong>Result</strong> - Permit (the resource and action match the first rule's target, and the "group" bag {admin} contains "admin")</li>
</ul>
<ac:macro ac:name="code"><ac:plain-text-body><![CDATA[
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Subject>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>admin</AttributeValue>
</Attribute>
<Attribute AttributeId="group"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>admin</AttributeValue>
</Attribute>
</Subject>
<Resource>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>http://localhost:8280/services/echo/</AttributeValue>
</Attribute>
</Resource>
<Action>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>read</AttributeValue>
</Attribute>
</Action>
<Environment />
</Request>
]]></ac:plain-text-body></ac:macro>
<h3>The second XACML request</h3>
<ul>
<li><strong>Resource</strong> - <span class="nolink">http://localhost:8280/services/echo/</span></li>
<li><strong>Action</strong> - read</li>
<li><strong>User</strong> - "admin" belongs to the "admin" group and the "business" group</li>
<li><strong>Result</strong> - Permit (the "group" bag is {admin, business}; string-subset only requires that "admin" be among the values)</li>
</ul>
<ac:macro ac:name="code"><ac:plain-text-body><![CDATA[
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Subject>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>admin</AttributeValue>
</Attribute>
<Attribute AttributeId="group"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>admin</AttributeValue>
</Attribute>
<Attribute AttributeId="group"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>business</AttributeValue>
</Attribute>
</Subject>
<Resource>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>http://localhost:8280/services/echo/</AttributeValue>
</Attribute>
</Resource>
<Action>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>read</AttributeValue>
</Attribute>
</Action>
<Environment />
</Request>
]]></ac:plain-text-body></ac:macro>
<h3>The third XACML request</h3>
<ul>
<li><strong>Resource</strong> - <span class="nolink">http://localhost:8280/services/test/</span></li>
<li><strong>Action</strong> - read</li>
<li><strong>User</strong> - "admin" belongs to the "admin" group</li>
<li><strong>Result</strong> - Deny (the resource does not match the first rule's target, so the untargeted Deny rule is the first applicable one)</li>
</ul>
<ac:macro ac:name="code"><ac:plain-text-body><![CDATA[
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Subject>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>admin</AttributeValue>
</Attribute>
<Attribute AttributeId="group"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>admin</AttributeValue>
</Attribute>
</Subject>
<Resource>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>http://localhost:8280/services/test/</AttributeValue>
</Attribute>
</Resource>
<Action>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>read</AttributeValue>
</Attribute>
</Action>
<Environment />
</Request>
]]></ac:plain-text-body></ac:macro>
<h3>The fourth XACML request</h3>
<ul>
<li><strong>Resource</strong> - <span class="nolink">http://localhost:8280/services/echo/</span></li>
<li><strong>Action</strong> - read</li>
<li><strong>User</strong> - "admin" belongs to the "business" group</li>
<li><strong>Result</strong> - Deny (the target matches, but the Condition is false because "admin" is not in the "group" bag {business}; the Deny rule then applies)</li>
</ul>
<ac:macro ac:name="code"><ac:plain-text-body><![CDATA[
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Subject>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>admin</AttributeValue>
</Attribute>
<Attribute AttributeId="group"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>business</AttributeValue>
</Attribute>
</Subject>
<Resource>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>http://localhost:8280/services/echo/</AttributeValue>
</Attribute>
</Resource>
<Action>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>read</AttributeValue>
</Attribute>
</Action>
<Environment />
</Request>
]]></ac:plain-text-body></ac:macro>
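<p>To reproduce the four results offline, here is an added Python model of how this policy is evaluated. It is not WSO2 Identity Server or Balana code and it hard-codes this one policy rather than implementing a general PDP: it parses XACML 2.0 request contexts like those above and applies the same steps the PDP does (resource regexp match, action string-equal, string-subset on the "group" bag, then first-applicable combining with the catch-all Deny). The two extra cases, a "write" action and a resource-id with a trailing path segment, are constructed here as checks a practitioner should also run. The regexp is evaluated as a whole-value match, which is what the XACML specification's XML Schema regular expressions require; that is an assumption about your PDP, and the sixth case exists to verify it.</p>

```python
"""Added model of how the sample policy on this page is evaluated.

Not WSO2 Identity Server or Balana code: this hard-codes the one policy
above (resource regexp match, action string-equal, string-subset on the
"group" bag, catch-all Deny, first-applicable) so the request contexts
above can be evaluated offline and the four results reproduced.
"""
import re
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Literals copied from the policy on this page.
RESOURCE_PATTERN = "http://localhost:8280/services/echo/"  # the regexp literal
REQUIRED_ACTION = "read"                                    # string-equal literal
REQUIRED_GROUPS = {"admin"}                                 # the string-bag in <Condition>


def attribute_bag(root, category, attribute_id):
    """Bag of values an AttributeDesignator returns for one AttributeId.

    A designator always yields a bag; several <Attribute> elements with the
    same AttributeId (request 2 above) just add members to it.
    """
    bag = set()
    for cat in root.findall(f"{{{CTX}}}{category}"):
        for attr in cat.findall(f"{{{CTX}}}Attribute"):
            if attr.get("AttributeId") == attribute_id:
                for value in attr.findall(f"{{{CTX}}}AttributeValue"):
                    bag.add((value.text or "").strip())
    return bag


def evaluate(request_xml):
    """Return "Permit" or "Deny" for the policy above (never NotApplicable).

    The policy target is AnySubject/AnyResource/AnyAction, so the policy
    always applies. Under first-applicable the Permit rule wins if its target
    matches and its condition holds; otherwise the untargeted Deny rule fires.
    """
    root = ET.fromstring(request_xml)
    resources = attribute_bag(root, "Resource", RESOURCE_ID)
    actions = attribute_bag(root, "Action", ACTION_ID)
    groups = attribute_bag(root, "Subject", "group")

    # <ResourceMatch>: true if any resource-id value matches the pattern.
    # XACML regexps use XML Schema syntax, which matches the whole value;
    # re.fullmatch models that. This is an assumption about the PDP: one
    # that searches unanchored would also accept ".../echo/anything".
    resource_ok = any(re.fullmatch(RESOURCE_PATTERN, r) for r in resources)
    # <ActionMatch>: string-equal("read", action-id), true for any value.
    action_ok = REQUIRED_ACTION in actions
    # <Condition>: string-subset(string-bag("admin"), group): every member
    # of the literal bag must appear in the subject's "group" bag.
    condition_ok = REQUIRED_GROUPS.issubset(groups)

    if resource_ok and action_ok and condition_ok:
        return "Permit"  # primary-group-rule
    return "Deny"        # deny-rule: no target, so always applicable


def build_request(subject_id, groups, resource, action):
    """Build a XACML 2.0 request context shaped like the ones on this page.

    Inputs are trusted constants here; escape them before feeding untrusted data.
    """
    def attribute(attr_id, value):
        return (f'<Attribute AttributeId="{attr_id}" DataType="{XS_STRING}">'
                f"<AttributeValue>{value}</AttributeValue></Attribute>")

    subject = attribute(SUBJECT_ID, subject_id) + "".join(
        attribute("group", g) for g in groups)
    return (f'<Request xmlns="{CTX}">'
            f"<Subject>{subject}</Subject>"
            f"<Resource>{attribute(RESOURCE_ID, resource)}</Resource>"
            f"<Action>{attribute(ACTION_ID, action)}</Action>"
            "<Environment /></Request>")


ECHO = "http://localhost:8280/services/echo/"
TEST = "http://localhost:8280/services/test/"

# The four requests from this page, plus two constructed checks: the action
# restriction, and a resource-id that merely starts with the pattern.
CASES = [
    ("1 admin, only admin group",  build_request("admin", ["admin"], ECHO, "read"), "Permit"),
    ("2 admin in admin+business",  build_request("admin", ["admin", "business"], ECHO, "read"), "Permit"),
    ("3 other resource",           build_request("admin", ["admin"], TEST, "read"), "Deny"),
    ("4 business group only",      build_request("admin", ["business"], ECHO, "read"), "Deny"),
    ("5 write instead of read",    build_request("admin", ["admin"], ECHO, "write"), "Deny"),
    ("6 trailing path under echo", build_request("admin", ["admin"], ECHO + "x", "read"), "Deny"),
]


def run_cases():
    """Map each case name to the decision the model returns."""
    return {name: evaluate(req) for name, req, _ in CASES}


if __name__ == "__main__":
    for name, req, expected in CASES:
        print(f"{name:28s} -> {evaluate(req):6s} (expected {expected})")
```

<p>Run it and compare the sixth case with what your PDP returns for the same request: if the PDP permits it, its regexp matching is unanchored and the rule covers every path under the echo service, not just the one listed.</p>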
<p><ac:macro ac:name="excerpt"><ac:parameter ac:name="hidden">true</ac:parameter><ac:rich-text-body>
<p>Instructions on how to write XACML policies in WSO2 Identity Server. Part 2.</p></ac:rich-text-body></ac:macro></p>