For entitlement management, WSO2 Identity Server provides two APIs: one for policy administration and one for policy evaluation.
...
You can use the following URL in your browser to see the WSDL of the EntitlementPolicyAdminService admin service.
Code Block |
---|
https://localhost:9443/services/EntitlementPolicyAdminService?wsdl
You can call this admin SOAP service using a SOAP client such as SoapUI.
Note: All the APIs are secured with basic authentication. Follow the steps below to add a basic auth header when calling these methods.
- Build a string of the form username:password.
- Encode the string you created above using Base64.
- Define an authorization header with the term "Basic", followed by a space and the encoded string. For example, the basic auth authorization header using "admin" as both username and password is as follows:
Code Block |
---|
Authorization: Basic YWRtaW46YWRtaW4=
Operations included in the API
The following commonly used operations are available in the EntitlementPolicyAdminService. A sample SOAP request and response are provided with each operation.
addPolicy()
Description | Adds a new policy. |
---|
Input Parameters |
Parameter | Description |
---|
policy | The policy that should be registered. The XACML policy should be embedded in the SOAP request as a CDATA section. |
version | Version of the policy. |
policyId | The policy name that should be registered. |
Request |
---|
Code Block |
---|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.entitlement.identity.carbon.wso2.org/xsd">
<soapenv:Header/>
<soapenv:Body>
<xsd:addPolicy>
<!--Optional:-->
<xsd:policyDTO>
<!--Optional:-->
<xsd1:policy><![CDATA[
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="sample_policy_template" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
<Description>This policy template provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the roles of the user (defined by ROLE_1 and ROLE_2). Users who have at least one of the given roles, will be allowed and any others will be denied.</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP_NAME</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="permit_by_roles">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ROLE_1_1_1</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule Effect="Deny" RuleId="deny_others"></Rule>
</Policy>
]]>
</xsd1:policy>
<!--Optional:-->
<xsd1:version>1.0</xsd1:version>
<xsd1:policyId>sample_policy_template</xsd1:policyId>
</xsd:policyDTO>
</xsd:addPolicy>
</soapenv:Body>
</soapenv:Envelope>
Response |
---|
Code Block |
---|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:addPolicyResponse xmlns:ns="http://org.apache.axis2/xsd">
<ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
</ns:addPolicyResponse>
</soapenv:Body>
</soapenv:Envelope>
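The basic auth steps and the addPolicy request above, as an added example that is not part of the original page or of any WSO2 client: it builds the Authorization header, embeds a policy as CDATA even when the policy contains its own CDATA section, and checks a response for a SOAP Fault. The helper names and the sample policy are assumptions made for illustration; nothing is sent over the network.

```python
import base64
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Helper names below are illustrative; they are not part of any WSO2 client library.
SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
XSD = "http://org.apache.axis2/xsd"
XSD1 = "http://dto.entitlement.identity.carbon.wso2.org/xsd"

# Constructed sample: a minimal policy whose Description carries its own CDATA section.
SAMPLE_POLICY = (
    '<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" '
    'PolicyId="sample_policy_template" Version="1.0" RuleCombiningAlgId='
    '"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">'
    "<Description><![CDATA[deny when roles < 1]]></Description>"
    '<Target/><Rule Effect="Deny" RuleId="deny_others"/></Policy>'
)

def basic_auth_header(username, password):
    """Base64-encode 'username:password' and prefix it with 'Basic ' (with a space)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def cdata(text):
    """Wrap text in CDATA; a literal ']]>' would end the section early, so split it."""
    return "<![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]>"

def add_policy_envelope(policy_xml, policy_id, version):
    """Build the addPolicy request body in the shape shown on this page."""
    ET.fromstring(policy_xml)  # raises ParseError if the policy is not well-formed
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAPENV}" xmlns:xsd="{XSD}" xmlns:xsd1="{XSD1}">'
        "<soapenv:Header/><soapenv:Body><xsd:addPolicy><xsd:policyDTO>"
        f"<xsd1:policy>{cdata(policy_xml)}</xsd1:policy>"
        f"<xsd1:version>{escape(version)}</xsd1:version>"
        f"<xsd1:policyId>{escape(policy_id)}</xsd1:policyId>"
        "</xsd:policyDTO></xsd:addPolicy></soapenv:Body></soapenv:Envelope>"
    )

def embedded_policy(envelope):
    """Parse the envelope back and return the policy text a receiver would extract."""
    return ET.fromstring(envelope).find(f".//{{{XSD1}}}policy").text

def add_policy_succeeded(response_xml):
    """True if the Body holds addPolicyResponse and no SOAP 1.1 Fault element."""
    body = ET.fromstring(response_xml).find(f"{{{SOAPENV}}}Body")
    ok = body.find(f"{{{XSD}}}addPolicyResponse") is not None
    return ok and body.find(f"{{{SOAPENV}}}Fault") is None
```

Base64 is a reversible encoding, so the Authorization header should only ever be sent to the HTTPS endpoint.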
...
Description | Publish a policy to PDP |
---|
Input Parameters |
Parameter | Description |
---|
policyId | The policy name that should be published to PDP. |
Request |
---|
Code Block |
---|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.entitlement.identity.carbon.wso2.org/xsd">
<soapenv:Header/>
<soapenv:Body>
<xsd:updatePolicy>
<!--Optional:-->
<xsd:policyDTO>
<!--Optional:-->
<xsd1:policy>
<![CDATA[
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="samplepolicy_template" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
<Description>This policy template provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the roles of the user (defined by ROLE_1 and ROLE_2). Users who have at least one of the given roles, will be allowed and any others will be denied.</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP_NAME</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="permit_by_roles">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">myName</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule Effect="Deny" RuleId="deny_others"></Rule>
</Policy>
]]>
</xsd1:policy>
<xsd1:policyEditorData>?</xsd1:policyEditorData>
<!--Optional:-->
<xsd1:policyId>samplepolicy_template</xsd1:policyId>
</xsd:policyDTO>
</xsd:updatePolicy>
</soapenv:Body>
</soapenv:Envelope>
Response |
---|
Code Block |
---|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:updatePolicyResponse xmlns:ns="http://org.apache.axis2/xsd">
<ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
</ns:updatePolicyResponse>
</soapenv:Body>
</soapenv:Envelope>
Info: There is no REST API available for policy management.
Policy Evaluation API
Policy evaluation covers the actions performed when a policy is evaluated, such as getting the decision and getting all entitlement attributes. For this, the WSO2 Carbon platform provides an admin service called EntitlementService.
You can use the following URL in your browser to see the WSDL of the EntitlementService admin service.
Code Block |
---|
https://localhost:9443/services/EntitlementService?wsdl
You can call this admin SOAP service using a SOAP client such as SoapUI.
Note: All the APIs are secured with basic authentication. Follow the steps below to add a basic auth header when calling these methods.
- Build a string of the form username:password.
- Encode the string you created above using Base64.
- Define an authorization header with the term "Basic", followed by a space and the encoded string. For example, the basic auth authorization header using "admin" as both username and password is as follows:
Code Block |
---|
Authorization: Basic YWRtaW46YWRtaW4=
Operations included in the API
The following commonly used operations are available in the EntitlementPolicyAdminService. A sample SOAP request and response are provided with each operation.
...