For entitlement management, WSO2 Identity server provides two APIs for Policy Administration and Policy Evaluation.
...
addPolicy()
| Description | Adds a new policy. |
|---|
| Input Parameters | | Parameter | Description |
|---|
policy | The policy that should be registered. The XACML policy should be embedded to the SOAP service as a CDATA. | version | Version of the policy. | policyId | The policy name that should be registered. |
|
|---|
| Request | | Expand |
|---|
| title | Click here to see the request |
|---|
| | Code Block |
|---|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.entitlement.identity.carbon.wso2.org/xsd">
<soapenv:Header/>
<soapenv:Body>
<xsd:addPolicy>
<!--Optional:-->
<xsd:policyDTO>
<!--Optional:-->
<xsd1:policy><![CDATA[
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="sample_policy_template" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
<Description>This policy template provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the roles of the user (defined by ROLE_1 and ROLE_2). Users who have at least one of the given roles, will be allowed and any others will be denied.</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP_NAME</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="permit_by_roles">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ROLE_1_1_1</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule Effect="Deny" RuleId="deny_others"></Rule>
</Policy>
]]>
</xsd1:policy>
<!--Optional:-->
<xsd1:version>1.0</xsd1:version>
<xsd1:policyId>sample_policy_template</xsd1:policyId>
</xsd:policyDTO>
</xsd:addPolicy>
</soapenv:Body>
</soapenv:Envelope> |
|
|
|---|
| Response | | Expand |
|---|
| title | Click here to see the sample response |
|---|
| | Code Block |
|---|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:addPolicyResponse xmlns:ns="http://org.apache.axis2/xsd">
<ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
</ns:addPolicyResponse>
</soapenv:Body>
</soapenv:Envelope> |
|
|
|---|
...
| Description | Get the details of the publisher |
|---|
| Input Parameters | None |
|---|
| Request | | Expand |
|---|
| title | Click here to expand the request |
|---|
| | Code Block |
|---|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
<soapenv:Header/>
<soapenv:Body>
<xsd:getPublisherModuleData/>
</soapenv:Body>
</soapenv:Envelope> |
|
|
|---|
| Response | | Expand |
|---|
| title | Click here to expand the response |
|---|
| | Code Block |
|---|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:getPublisherModuleDataResponse xmlns:ns="http://org.apache.axis2/xsd" xmlns:ax2340="http://dto.entitlement.identity.carbon.wso2.org/xsd" xmlns:ax2338="http://entitlement.identity.carbon.wso2.org/xsd">
<ns:return xsi:type="ax2340:PublisherDataHolder" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ax2340:moduleName>Carbon Basic Auth Policy Publisher Module</ax2340:moduleName>
<ax2340:propertyDTOs xsi:type="ax2340:PublisherPropertyDTO">
<ax2340:displayName>Subscriber Password</ax2340:displayName>
<ax2340:displayOrder>3</ax2340:displayOrder>
<ax2340:id>subscriberPassword</ax2340:id>
<ax2340:module>Carbon Basic Auth Policy Publisher Module</ax2340:module>
<ax2340:required>true</ax2340:required>
<ax2340:secret>true</ax2340:secret>
<ax2340:value xsi:nil="true"/>
</ax2340:propertyDTOs>
<ax2340:propertyDTOs xsi:type="ax2340:PublisherPropertyDTO">
<ax2340:displayName>Subscriber URL</ax2340:displayName>
<ax2340:displayOrder>1</ax2340:displayOrder>
<ax2340:id>subscriberURL</ax2340:id>
<ax2340:module>Carbon Basic Auth Policy Publisher Module</ax2340:module>
<ax2340:required>true</ax2340:required>
<ax2340:secret>false</ax2340:secret>
<ax2340:value xsi:nil="true"/>
</ax2340:propertyDTOs>
<ax2340:propertyDTOs xsi:type="ax2340:PublisherPropertyDTO">
<ax2340:displayName>Subscriber User Name</ax2340:displayName>
<ax2340:displayOrder>2</ax2340:displayOrder>
<ax2340:id>subscriberUserName</ax2340:id>
<ax2340:module>Carbon Basic Auth Policy Publisher Module</ax2340:module>
<ax2340:required>true</ax2340:required>
<ax2340:secret>false</ax2340:secret>
<ax2340:value xsi:nil="true"/>
</ax2340:propertyDTOs>
<ax2340:propertyDTOs xsi:type="ax2340:PublisherPropertyDTO">
<ax2340:displayName>Subscriber Id</ax2340:displayName>
<ax2340:displayOrder>0</ax2340:displayOrder>
<ax2340:id>subscriberId</ax2340:id>
<ax2340:module>Carbon Basic Auth Policy Publisher Module</ax2340:module>
<ax2340:required>true</ax2340:required>
<ax2340:secret>false</ax2340:secret>
<ax2340:value xsi:nil="true"/>
</ax2340:propertyDTOs>
</ns:return>
</ns:getPublisherModuleDataResponse>
</soapenv:Body>
</soapenv:Envelope> |
|
|
|---|
publishToPDP()
| Description | Publish a policy to PDP |
|---|
| Input Parameters | | Parameter | Description |
|---|
policyId | The policy name that should be published to PDP. |
|
|---|
| Request | | Expand |
|---|
| title | Click here to expand the request |
|---|
| | Code Block |
|---|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
<soapenv:Header/>
<soapenv:Body>
<xsd:publishToPDP>
<!--Zero or more repetitions:-->
<xsd:policyIds>provisioning_user_claim_based_policy_template</xsd:policyIds>
<!--Optional:-->
<xsd:version>1</xsd:version>
<!--Optional:-->
<xsd:enabled>false</xsd:enabled>
<!--Optional:-->
<xsd:order>30</xsd:order>
</xsd:publishToPDP>
</soapenv:Body>
</soapenv:Envelope> |
|
|
|---|
| Response | | Expand |
|---|
| title | Click here to expand the response |
|---|
| | Code Block |
|---|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:publishToPDPResponse xmlns:ns="http://org.apache.axis2/xsd">
<ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
</ns:publishToPDPResponse>
</soapenv:Body>
</soapenv:Envelope> |
|
|
|---|
removePolicy()
| Description | Remove policy from PDP |
|---|
| Input Parameters | | Parameter | Description |
|---|
policyId | The policy name that should be removed. |
|
|---|
| Request | | Expand |
|---|
| title | Click here to expand the request |
|---|
| | Code Block |
|---|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
<soapenv:Header/>
<soapenv:Body>
<xsd:removePolicy>
<!--Optional:-->
<xsd:policyId>authn_role_based_policy_template</xsd:policyId>
<!--Optional:-->
<xsd:dePromote>true</xsd:dePromote>
</xsd:removePolicy>
</soapenv:Body>
</soapenv:Envelope> |
|
|
|---|
| Response | | Expand |
|---|
| title | Click here to expand the response |
|---|
| | Code Block |
|---|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:removePolicyResponse xmlns:ns="http://org.apache.axis2/xsd">
<ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
</ns:removePolicyResponse>
</soapenv:Body>
</soapenv:Envelope> |
|
|
|---|
...
| Table of Contents |
|---|
| maxLevel | 6 |
|---|
| minLevel | 6 |
|---|
| include | getDecision()|getBooleanDecision()|getDecisionByAttributes()|getEntitledAttributes() |
|---|
|
getDecision()
| Description | Get the decision after evaluating the request with the policy. |
|---|
| Input Parameters | | Parameter | Description |
|---|
request | The XML request to be evaluated as a CDATA |
|
|---|
| Request | | Expand |
|---|
| title | Click here to expand the request |
|---|
| | Code Block |
|---|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
<soapenv:Header/>
<soapenv:Body>
<xsd:getDecision>
<!--Optional:-->
<xsd:request><![CDATA[
<Request CombinedDecision="false" ReturnPolicyIdList="false" xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
<AttributeValue DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">bs@simpsons.com</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://127.0.0.1/service/very_secure/ </AttributeValue>
</Attribute>
</Attributes>
</Request>
]]></xsd:request>
</xsd:getDecision>
</soapenv:Body>
</soapenv:Envelope> |
|
|
|---|
| Response | | Expand |
|---|
| title | Click here to expand the responase |
|---|
| | Code Block |
|---|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:getDecisionResponse xmlns:ns="http://org.apache.axis2/xsd">
<ns:return><![CDATA[<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"><Result><Decision>Permit</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status></Result></Response>]]></ns:return>
</ns:getDecisionResponse>
</soapenv:Body>
</soapenv:Envelope> |
|
|
|---|
...
| Description | Get the decision by evaluating attributes with the policy. |
|---|
| Input Parameters | Parameter | Description |
|---|
subject | The subject/user who is using the resource. | resource | The resource which is accessed by the user. | action | |
|
|---|
| Request | | Expand |
|---|
| title | Click here to expand the request |
|---|
| | Code Block |
|---|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
<soapenv:Header/>
<soapenv:Body>
<xsd:getDecisionByAttributes>
<!--Optional:-->
<xsd:subject>admin</xsd:subject>
<!--Optional:-->
<xsd:resource>http://127.0.0.1/service/very_secure/</xsd:resource>
<!--Optional:-->
<xsd:action>read</xsd:action>
</xsd:getDecisionByAttributes>
</soapenv:Body>
</soapenv:Envelope> |
|
|
|---|
| Response | | Expand |
|---|
| title | Click here to expand the response |
|---|
| | Code Block |
|---|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:getDecisionByAttributesResponse xmlns:ns="http://org.apache.axis2/xsd">
<ns:return><![CDATA[<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"><Result><Decision>Permit</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status></Result></Response>]]></ns:return>
</ns:getDecisionByAttributesResponse>
</soapenv:Body>
</soapenv:Envelope> |
|
|
|---|
getEntitledAttributes()
| Description | Get all the details of the entitled attributes. |
|---|
| Input Parameters | | Parameter | Description |
|---|
subjectName | Subject/Username of the subject which access the resource. | resourceName | Name of the resource which is accessed by the subject. | subjectId | XACML id of the subject | action | Action which is performed by the subject. | enableChildSearch | Enable search over child attributes. |
|
|---|
| Request | | Expand |
|---|
| title | Click here to expand the request |
|---|
| | Code Block |
|---|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
<soapenv:Header/>
<soapenv:Body>
<xsd:getEntitledAttributes>
<!--Optional:-->
<xsd:subjectName>admin</xsd:subjectName>
<!--Optional:-->
<xsd:resourceName>http://127.0.0.1/service/very_secure/</xsd:resourceName>
<!--Optional:-->
<xsd:subjectId>urn:oasis:names:tc:xacml:1.0:subject:subject-id</xsd:subjectId>
<!--Optional:-->
<xsd:action>read</xsd:action>
<!--Optional:-->
<xsd:enableChildSearch>true</xsd:enableChildSearch>
</xsd:getEntitledAttributes>
</soapenv:Body>
</soapenv:Envelope> |
|
|
|---|
| Response | | Expand |
|---|
| title | Click here to expand the response |
|---|
| | Code Block |
|---|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:getEntitledAttributesResponse xmlns:ns="http://org.apache.axis2/xsd">
<ns:return xsi:type="ax2348:EntitledResultSetDTO" xmlns:ax2346="http://entitlement.identity.carbon.wso2.org/xsd" xmlns:ax2348="http://dto.entitlement.identity.carbon.wso2.org/xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ax2348:advanceResult>false</ax2348:advanceResult>
<ax2348:entitledAttributesDTOs xsi:type="ax2348:EntitledAttributesDTO">
<ax2348:action>read</ax2348:action>
<ax2348:allActions>false</ax2348:allActions>
<ax2348:allResources>true</ax2348:allResources>
<ax2348:environment xsi:nil="true"/>
<ax2348:resourceName xsi:nil="true"/>
</ax2348:entitledAttributesDTOs>
<ax2348:message xsi:nil="true"/>
<ax2348:messageType xsi:nil="true"/>
</ns:return>
</ns:getEntitledAttributesResponse>
</soapenv:Body>
</soapenv:Envelope> |
|
|
|---|
| Info |
|---|
|
WSO2 Identity Server provides a REST API and a REST endpoint for the policy evaluation. Please Read more about REST API from here. |
...