For entitlement management, WSO2 Identity Server provides two APIs: one for policy administration and one for policy evaluation.
The following sections describe how to invoke these two admin services and the operations available in the WSO2 Identity Server entitlement management APIs.
Invoking the admin service
Note: As admin services are secured to prevent anonymous invocations, you cannot view the WSDL of an admin service by default. Follow the steps below to view and invoke it:

- Set the <HideAdminServiceWSDLs> element to false in the <IS_HOME>/repository/conf/carbon.xml file:

  <HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>

- Restart the Identity Server.
- If you started the server with the default configuration, use a URL of the following form in your browser to see the WSDL of the admin service, for example:

  https://localhost:9443/services/EntitlementService?wsdl

For more information on WSO2 admin services and how to invoke an admin service using SoapUI or any other client program, see Calling Admin Services.
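The procedure above in script form, as an added example (it is not part of this page or of the WSO2 product): it reports whether a carbon.xml still hides the admin-service WSDLs, fetches a WSDL over a certificate-verified TLS connection, and lists the operations the WSDL exposes. The carbon.xml and WSDL fragments embedded below are constructed for the example, not captures from a real server; the `wso2carbon-ca.pem` file name in the usage comment is an assumption.

```python
# Added example, not from the WSO2 documentation. The CARBON_XML and
# SAMPLE_WSDL strings are constructed stand-ins for a real carbon.xml and a
# real ?wsdl response.
import ssl
import urllib.request
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"

# Constructed fragment of <IS_HOME>/repository/conf/carbon.xml with the shipped default.
CARBON_XML = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
    <Name>WSO2 Identity Server</Name>
    <HideAdminServiceWSDLs>true</HideAdminServiceWSDLs>
</Server>"""

# Constructed WSDL 1.1 fragment in the shape an Axis2 ?wsdl response takes.
SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" targetNamespace="http://org.apache.axis2">
  <wsdl:portType name="EntitlementPolicyAdminServicePortType">
    <wsdl:operation name="addPolicy"/>
    <wsdl:operation name="removePolicy"/>
    <wsdl:operation name="getPolicy"/>
  </wsdl:portType>
  <wsdl:binding name="EntitlementPolicyAdminServiceSoap11Binding">
    <wsdl:operation name="addPolicy"><soap:operation soapAction="urn:addPolicy"/></wsdl:operation>
  </wsdl:binding>
</wsdl:definitions>"""


def wsdls_hidden(carbon_xml):
    """True unless HideAdminServiceWSDLs is explicitly false (the default hides them)."""
    root = ET.fromstring(carbon_xml)
    for el in root.iter():
        # Compare the local name so the carbon.xml default namespace does not matter.
        if el.tag.rsplit("}", 1)[-1] == "HideAdminServiceWSDLs":
            return (el.text or "").strip().lower() != "false"
    return True


def list_operations(wsdl_xml):
    """Return the distinct operation names in a WSDL 1.1 document.
    An operation is listed once per portType and again per binding, so dedupe."""
    root = ET.fromstring(wsdl_xml)
    if root.tag != f"{{{WSDL_NS}}}definitions":
        raise ValueError("not a WSDL 1.1 document: the WSDL may still be hidden, or the URL is wrong")
    return sorted({op.get("name") for op in root.iter(f"{{{WSDL_NS}}}operation") if op.get("name")})


def fetch_wsdl(url, cafile=None):
    """GET the WSDL with certificate verification left on. `cafile` is the CA that
    signed the server certificate (the shipped default certificate is self-signed);
    pass it rather than turning verification off."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print("WSDLs hidden by this carbon.xml:", wsdls_hidden(CARBON_XML))
    print("Operations in the sample WSDL:", list_operations(SAMPLE_WSDL))
    # Against a running server (network access, not exercised here):
    # url = "https://localhost:9443/services/EntitlementPolicyAdminService?wsdl"
    # print(list_operations(fetch_wsdl(url, cafile="wso2carbon-ca.pem")))
```

Exposing the WSDL only makes the service description readable; the operations themselves are still protected by the admin-service authentication, so set HideAdminServiceWSDLs back to true once you have captured the WSDL you need.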
Policy Administration API
Policy administration covers all the actions needed to manage policies, such as adding and updating policies, publishing policies, and removing policies. For this, the WSO2 Carbon platform provides an admin service called EntitlementPolicyAdminService.
You can use the following URL in your browser to see the WSDL of the EntitlementPolicyAdminService admin service:

  https://localhost:9443/services/EntitlementPolicyAdminService?wsdl

You can call this admin service using SoapUI or any other SOAP client.
Operations included in the API
The following operations are available in the EntitlementPolicyAdminService:
addPolicy()
Description: Adds a new XACML policy.
Input parameters:
  policyDTO: The policy to add. Its policy element carries the XACML policy document (wrapped in a CDATA section, as in the request below) and its version element carries the policy version.
Request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.entitlement.identity.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:addPolicy>
         <!--Optional:-->
         <xsd:policyDTO>
            <!--Optional:-->
            <xsd1:policy><![CDATA[
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="samplepolicy_template" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
   <Description>This policy template provides the ability to authorize users to a given service provider (defined by SP_NAME) in the authentication flow based on the roles of the user (defined by ROLE_1 and ROLE_2). Users who have at least one of the given roles will be permitted; all others will be denied.</Description>
   <Target>
      <AnyOf>
         <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP_NAME</AttributeValue>
               <AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
            </Match>
         </AllOf>
      </AnyOf>
   </Target>
   <Rule Effect="Permit" RuleId="permit_by_roles">
      <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ROLE_1</AttributeValue>
               <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
            </Apply>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ROLE_2</AttributeValue>
               <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
            </Apply>
         </Apply>
      </Condition>
   </Rule>
   <Rule Effect="Deny" RuleId="deny_others"></Rule>
</Policy>
]]></xsd1:policy>
            <!--Optional:-->
            <xsd1:version>1.0</xsd1:version>
         </xsd:policyDTO>
      </xsd:addPolicy>
   </soapenv:Body>
</soapenv:Envelope>
Response

Note: The permit_by_roles rule declares the role attribute with MustBePresent="true". If a request carries no role attribute for the subject, that rule evaluates to Indeterminate rather than NotApplicable, and under the first-applicable rule-combining algorithm the policy result is Indeterminate instead of falling through to the deny_others rule. The enforcement point must treat Indeterminate as a denial.
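The addPolicy request above, assembled programmatically, as an added example that is not part of this page or of the WSO2 product: it fills the template placeholders (SP_NAME, ROLE_1, ROLE_2) from XML-escaped values, checks that the result is a well-formed XACML 3.0 Policy that cannot break out of the CDATA section, wraps it in the SOAP envelope shown above, and posts it with HTTP basic authentication over a certificate-verified TLS connection. The endpoint URL, the admin/admin credentials and the "urn:addPolicy" SOAPAction are assumptions based on a default installation, not values given on this page.

```python
# Added example, not from the WSO2 documentation. Endpoint, credentials and
# SOAPAction are assumptions (defaults of a stock install), not page content.
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://org.apache.axis2/xsd"
DTO_NS = "http://dto.entitlement.identity.carbon.wso2.org/xsd"
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
ROLE_DESIGNATOR = (
    '<AttributeDesignator AttributeId="http://wso2.org/claims/role" '
    'Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" '
    f'DataType="{XS_STRING}" MustBePresent="true"/>'
)


def render_policy(policy_id, sp_name, roles):
    """Fill the page's template: permit subjects of service provider `sp_name`
    that hold at least one of `roles`; deny everyone else (first-applicable).
    Values are XML-escaped so a role or SP name cannot inject extra markup."""
    if not roles:
        raise ValueError("at least one role is required")
    role_checks = "".join(
        '<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">'
        f'<AttributeValue DataType="{XS_STRING}">{escape(role)}</AttributeValue>'
        f"{ROLE_DESIGNATOR}</Apply>"
        for role in roles
    )
    return (
        f'<Policy xmlns="{XACML_NS}" PolicyId={quoteattr(policy_id)} '
        'RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" '
        'Version="1.0">'
        "<Target><AnyOf><AllOf>"
        '<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">'
        f'<AttributeValue DataType="{XS_STRING}">{escape(sp_name)}</AttributeValue>'
        '<AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" '
        f'Category="http://wso2.org/identity/sp" DataType="{XS_STRING}" MustBePresent="false"/>'
        "</Match></AllOf></AnyOf></Target>"
        '<Rule Effect="Permit" RuleId="permit_by_roles"><Condition>'
        '<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">'
        f"{role_checks}</Apply></Condition></Rule>"
        '<Rule Effect="Deny" RuleId="deny_others"/>'
        "</Policy>"
    )


def validate_policy(policy_xml):
    """Parse the policy and require a XACML 3.0 Policy root with a PolicyId."""
    root = ET.fromstring(policy_xml)
    if root.tag != f"{{{XACML_NS}}}Policy":
        raise ValueError("root element is not a XACML 3.0 Policy")
    if not root.get("PolicyId"):
        raise ValueError("PolicyId is required")
    return root.get("PolicyId")


def build_add_policy_envelope(policy_xml, version="1.0"):
    """Wrap the policy in the addPolicy envelope shown on the page."""
    if "]]>" in policy_xml:
        # A literal ]]> would close the CDATA section early and corrupt the envelope.
        raise ValueError("policy contains ']]>' and cannot be placed in a CDATA section")
    validate_policy(policy_xml)
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:xsd="{SVC_NS}" xmlns:xsd1="{DTO_NS}">'
        "<soapenv:Header/><soapenv:Body><xsd:addPolicy><xsd:policyDTO>"
        f"<xsd1:policy><![CDATA[{policy_xml}]]></xsd1:policy>"
        f"<xsd1:version>{escape(version)}</xsd1:version>"
        "</xsd:policyDTO></xsd:addPolicy></soapenv:Body></soapenv:Envelope>"
    )


def send_add_policy(envelope, url="https://localhost:9443/services/EntitlementPolicyAdminService",
                    user="admin", password="admin", cafile=None):
    """POST the envelope with HTTP basic auth. `cafile` is the CA that signed the
    server certificate; pass it instead of disabling verification for the
    self-signed default certificate. Not exercised offline."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(url, data=envelope.encode("utf-8"), method="POST")
    req.add_header("Content-Type", "text/xml; charset=utf-8")
    req.add_header("SOAPAction", "urn:addPolicy")  # assumed Axis2 default action name
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status, resp.read().decode("utf-8")


if __name__ == "__main__":
    policy = render_policy("sp1_policy", "travelocity.com", ["admin", "manager"])
    print(build_add_policy_envelope(policy))
    # To submit it: send_add_policy(build_add_policy_envelope(policy), cafile="wso2carbon-ca.pem")
```

Rendering the policy from escaped values rather than string-replacing the placeholders matters because a service provider name or role taken from user-controlled input could otherwise inject its own Rule elements into the policy before it is stored.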
Policy Evaluation API
...