Versions Compared

Old Version 17

changes.mady.by.user Former user

Saved on

compared with

New Version 18

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

For entitlement management, WSO2 Identity server provides two APIs for Policy Administration and Policy Evaluation.

...

  • You can use the following URL in your browser to see the WSDL of the EntitlementPolicyAdminService  admin service.


    Code Block
      https://localhost:9443/services/EntitlementPolicyAdminService?wsdl

    By using any SoapUI, you can call this admin SOAP service.


    Note

    Note:

    All the APIs are secured with basic authentication. Follow the steps below to add a basic auth header when calling these methods.

    1. Build a string of the form username:password.
    2. Encode the string you created above using Base64.

    3. Define an authorization header with the term "Basic_", followed by the encoded string. For example, the basic auth authorization header using "admin" as both username and password is as follows: 

      Code Block
      Authorization: Basic YWRtaW46YWRtaW4=



Operations included in the API

The following commonly used operations are available in the EntitlementPolicyAdminService. A sample SOAP request and response will be available with each of the operation.

Table of Contents
maxLevel6
minLevel6


addPolicy()


DescriptionAdds a new policy.
Input Parameters
ParameterDescription
policy
The policy that should be registered. The XACML policy should be embedded to the SOAP service as a CDATA.
version
Version of the policy.
policyId
The policy name that should be registered.
Request
Expand
titleClick here to see the request
Code Block
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.entitlement.identity.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:addPolicy>
         <!--Optional:-->
         <xsd:policyDTO>
            <!--Optional:-->
            <xsd1:policy><![CDATA[
				   <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="sample_policy_template" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
				   <Description>This policy template provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the roles of the user (defined by ROLE_1 and ROLE_2). Users who have at least one of the given roles, will be allowed and any others will be denied.</Description>
				   <Target>
				      <AnyOf>
				         <AllOf>
				            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
				               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP_NAME</AttributeValue>
				               <AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
				            </Match>
				         </AllOf>
				      </AnyOf>
				   </Target>
				   <Rule Effect="Permit" RuleId="permit_by_roles">
				      <Condition>
				         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
				            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
				               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ROLE_1_1_1</AttributeValue>
				               <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
				            </Apply>
				         </Apply>
				      </Condition>
				   </Rule>
				   <Rule Effect="Deny" RuleId="deny_others"></Rule>
				</Policy>        
				]]>
			</xsd1:policy>
            <!--Optional:-->
            <xsd1:version>1.0</xsd1:version>
            <xsd1:policyId>sample_policy_template</xsd1:policyId>
         </xsd:policyDTO>
      </xsd:addPolicy>
   </soapenv:Body>
</soapenv:Envelope>
Response
Expand
titleClick here to see the sample response
Code Block
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:addPolicyResponse xmlns:ns="http://org.apache.axis2/xsd">
         <ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
      </ns:addPolicyResponse>
   </soapenv:Body>
</soapenv:Envelope>

...

DescriptionPublish a policy to PDP
Input Parameters
ParameterDescription
policyId
The policy name that should be published to PDP.
Request
Expand
titleClick here to expand the request
Code Block
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.entitlement.identity.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:updatePolicy>
         <!--Optional:-->
         <xsd:policyDTO>
        
            <!--Optional:-->
            <xsd1:policy>
            <![CDATA[
				   <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="samplepolicy_template" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
				   <Description>This policy template provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the roles of the user (defined by ROLE_1 and ROLE_2). Users who have at least one of the given roles, will be allowed and any others will be denied.</Description>
				   <Target>
				      <AnyOf>
				         <AllOf>
				            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
				               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP_NAME</AttributeValue>
				               <AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
				            </Match>
				         </AllOf>
				      </AnyOf>
				   </Target>
				   <Rule Effect="Permit" RuleId="permit_by_roles">
				      <Condition>
				         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
				            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
				               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">myName</AttributeValue>
				               <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
				            </Apply>
				         </Apply>
				      </Condition>
				   </Rule>
				   <Rule Effect="Deny" RuleId="deny_others"></Rule>
				</Policy>        
				]]>
            </xsd1:policy>
          
            <xsd1:policyEditorData>?</xsd1:policyEditorData>
            <!--Optional:-->
            <xsd1:policyId>samplepolicy_template</xsd1:policyId>
          
         </xsd:policyDTO>
      </xsd:updatePolicy>
   </soapenv:Body>
</soapenv:Envelope>
Response
Expand
titleClick here to expand the response
Code Block
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:updatePolicyResponse xmlns:ns="http://org.apache.axis2/xsd">
         <ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
      </ns:updatePolicyResponse>
   </soapenv:Body>
</soapenv:Envelope>
Info

There is no REST API available for the policy management.


Policy Evaluation API

Policy evaluation includes all the actions that should be done during the policy evaluation such as getting the decision, getting all entitlement attributes, etc. For this, WSO2 Carbon Platform has provided an admin service called EntitlementService to evaluate a policy.

  • You can use the following URL in your browser to see the WSDL of the EntitlementService  admin service.


    Code Block
      https://localhost:9443/services/EntitlementService?wsdl

    By using any SoapUI, you can call this admin SOAP service.


    Note

    Note:

    All the APIs are secured with basic authentication. Follow the steps below to add a basic auth header when calling these methods.

    1. Build a string of the form username:password.
    2. Encode the string you created above using Base64.

    3. Define an authorization header with the term "Basic_", followed by the encoded string. For example, the basic auth authorization header using "admin" as both username and password is as follows: 

      Code Block
      Authorization: Basic YWRtaW46YWRtaW4=



Operations included in the API

The following commonly used operations are available in the EntitlementPolicyAdminService. A sample SOAP request and response will be available with each of the operation.


Table of Contents
maxLevel4
minLevel4
typeflat

...