Page Comparison

For entitlement management, WSO2 Identity server provides two APIs for Policy Administration and Policy Evaluation.

...

You can use the following URL in your browser to see the WSDL of the EntitlementPolicyAdminService admin service.

Code Block
https://localhost:9443/services/EntitlementPolicyAdminService?wsdl

By using any SoapUI, you can call this admin SOAP service.

Note

Note:

All the APIs are secured with basic authentication. Follow the steps below to add a basic auth header when calling these methods.

Build a string of the form username:password.
Encode the string you created above using Base64.
Define an authorization header with the term "Basic_", followed by the encoded string. For example, the basic auth authorization header using "admin" as both username and password is as follows:
Code Block
Authorization: Basic YWRtaW46YWRtaW4=

Operations included in the EntitlementPolicyAdminService SOAP API

The following commonly used operations are available in the EntitlementPolicyAdminService.

Table of Contents

maxLevel	6
minLevel	6
include	addPolicy

...

addPolicy()

Description

Adds a new policy.

Input Parameters

Parameter	Description
policy	The policy that should be registered. The XACML policy should be embedded to the SOAP service as a CDATA.
version	Version of the policy.
policyId	The policy name that should be registered.

Request

Expand

title	Click here to see the request

Code Block

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.entitlement.identity.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:addPolicy>
         <!--Optional:-->
         <xsd:policyDTO>
            <!--Optional:-->
            <xsd1:policy><![CDATA[
				   <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="sample_policy_template" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
				   <Description>This policy template provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the roles of the user (defined by ROLE_1 and ROLE_2). Users who have at least one of the given roles, will be allowed and any others will be denied.</Description>
				   <Target>
				      <AnyOf>
				         <AllOf>
				            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
				               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP_NAME</AttributeValue>
				               <AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
				            </Match>
				         </AllOf>
				      </AnyOf>
				   </Target>
				   <Rule Effect="Permit" RuleId="permit_by_roles">
				      <Condition>
				         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
				            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
				               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ROLE_1_1_1</AttributeValue>
				               <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
				            </Apply>
				         </Apply>
				      </Condition>
				   </Rule>
				   <Rule Effect="Deny" RuleId="deny_others"></Rule>
				</Policy>        
				]]>
			</xsd1:policy>
            <!--Optional:-->
            <xsd1:version>1.0</xsd1:version>
            <xsd1:policyId>sample_policy_template</xsd1:policyId>
         </xsd:policyDTO>
      </xsd:addPolicy>
   </soapenv:Body>
</soapenv:Envelope>

Response

Expand

title	Click here to see the sample response

Code Block

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:addPolicyResponse xmlns:ns="http://org.apache.axis2/xsd">
         <ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
      </ns:addPolicyResponse>
   </soapenv:Body>
</soapenv:Envelope>

...

Description

Retrieve a pre-defined policy.

Input Parameters

Parameter	Description
policyId	The policy name that should be is registered.
isPDPPolicy	A boolean which tells whether the policy is published to PDP or not.

Request

Expand

title	Click here to see the request

Code Block

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:getPolicy>
         <!--Optional:-->
         <xsd:policyId>authn_time_and_user_claim_based_policy_template</xsd:policyId>
         <!--Optional:-->
         <xsd:isPDPPolicy>false</xsd:isPDPPolicy>
      </xsd:getPolicy>
   </soapenv:Body>
</soapenv:Envelope>

Response

Expand

title	Click here to see the response

Code Block

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:getPolicyResponse xmlns:ns="http://org.apache.axis2/xsd">
         <ns:return xsi:type="ax2340:PolicyDTO" xmlns:ax2340="http://dto.entitlement.identity.carbon.wso2.org/xsd" xmlns:ax2338="http://entitlement.identity.carbon.wso2.org/xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <ax2340:active>true</ax2340:active>
            <ax2340:attributeDTOs xsi:type="ax2340:AttributeDTO">
               <ax2340:attributeDataType>http://www.w3.org/2001/XMLSchema#string</ax2340:attributeDataType>
               <ax2340:attributeId>http://wso2.org/identity/sp/sp-name</ax2340:attributeId>
               <ax2340:attributeValue>SP_NAME</ax2340:attributeValue>
               <ax2340:category>http://wso2.org/identity/sp</ax2340:category>
            </ax2340:attributeDTOs>
            <ax2340:attributeDTOs xsi:type="ax2340:AttributeDTO">
               <ax2340:attributeDataType>http://www.w3.org/2001/XMLSchema#string</ax2340:attributeDataType>
               <ax2340:attributeId>http://wso2.org/identity/identity-action/action-name</ax2340:attributeId>
               <ax2340:attributeValue>authenticate</ax2340:attributeValue>
               <ax2340:category>http://wso2.org/identity/identity-action</ax2340:category>
            </ax2340:attributeDTOs>
            <ax2340:attributeDTOs xsi:type="ax2340:AttributeDTO">
               <ax2340:attributeDataType>http://www.w3.org/2001/XMLSchema#time</ax2340:attributeDataType>
               <ax2340:attributeId>urn:oasis:names:tc:xacml:1.0:environment:current-time</ax2340:attributeId>
               <ax2340:attributeValue>09:00:00</ax2340:attributeValue>
               <ax2340:category>urn:oasis:names:tc:xacml:3.0:attribute-category:environment</ax2340:category>
            </ax2340:attributeDTOs>
            <ax2340:attributeDTOs xsi:type="ax2340:AttributeDTO">
               <ax2340:attributeDataType>http://www.w3.org/2001/XMLSchema#time</ax2340:attributeDataType>
               <ax2340:attributeId>urn:oasis:names:tc:xacml:1.0:environment:current-time</ax2340:attributeId>
               <ax2340:attributeValue>17:00:00</ax2340:attributeValue>
               <ax2340:category>urn:oasis:names:tc:xacml:3.0:attribute-category:environment</ax2340:category>
            </ax2340:attributeDTOs>
            <ax2340:attributeDTOs xsi:type="ax2340:AttributeDTO">
               <ax2340:attributeDataType>http://www.w3.org/2001/XMLSchema#string</ax2340:attributeDataType>
               <ax2340:attributeId>CLAIM_URI_1</ax2340:attributeId>
               <ax2340:attributeValue>CLAIM_VALUE_1</ax2340:attributeValue>
               <ax2340:category>urn:oasis:names:tc:xacml:3.0:attribute-category:resource</ax2340:category>
            </ax2340:attributeDTOs>
            <ax2340:attributeDTOs xsi:type="ax2340:AttributeDTO">
               <ax2340:attributeDataType>http://www.w3.org/2001/XMLSchema#string</ax2340:attributeDataType>
               <ax2340:attributeId>CLAIM_URI_2</ax2340:attributeId>
               <ax2340:attributeValue>CLAIM_VALUE_2</ax2340:attributeValue>
               <ax2340:category>urn:oasis:names:tc:xacml:3.0:attribute-category:resource</ax2340:category>
            </ax2340:attributeDTOs>
            <ax2340:lastModifiedTime>1508817592043</ax2340:lastModifiedTime>
            <ax2340:lastModifiedUser xsi:nil="true"/>
            <ax2340:policy><![CDATA[<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="authn_time_and_user_claim_based_policy_template" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0"><Description>This template policy provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the claim values of the user (CLAIM_URI_1=CLAIM_VALUE_1 and CLAIM_URI_2=CLAIM_VALUE_2) and the time of the day (eg. between 09:00:00 to 17:00:00). Users with the given claim values and who are logged in within the given time range will be allowed and any other users will be denied.</Description><Target><AnyOf><AllOf><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP_NAME</AttributeValue><AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator></Match><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authenticate</AttributeValue><AttributeDesignator AttributeId="http://wso2.org/identity/identity-action/action-name" Category="http://wso2.org/identity/identity-action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator></Match></AllOf></AnyOf></Target><Rule Effect="Permit" RuleId="permit_by_claims_and_time"><Condition><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"><Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:time-in-range"><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only"><AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#time" MustBePresent="true"></AttributeDesignator></Apply><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</AttributeValue><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue></Apply><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"><AttributeDesignator AttributeId="CLAIM_URI_1" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator></Apply><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CLAIM_VALUE_1</AttributeValue></Apply><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"><AttributeDesignator AttributeId="CLAIM_URI_2" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator></Apply><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CLAIM_VALUE_2</AttributeValue></Apply></Apply></Condition></Rule><Rule Effect="Deny" RuleId="deny_others"></Rule></Policy>]]></ax2340:policy>
            <ax2340:policyEditor xsi:nil="true"/>
            <ax2340:policyId>authn_time_and_user_claim_based_policy_template</ax2340:policyId>
            <ax2340:policyOrder>12</ax2340:policyOrder>
            <ax2340:policyType>Policy</ax2340:policyType>
            <ax2340:promote>false</ax2340:promote>
            <ax2340:version>1</ax2340:version>
         </ns:return>
      </ns:getPolicyResponse>
   </soapenv:Body>
</soapenv:Envelope>

Policy Evaluation API

Table of Contents

maxLevel	4
minLevel	4
type	flat

Note

Note:

The REST APIs are secured with basic authentication. Follow the steps below to add a basic auth header when calling these methods.

Build a string of the form username:password.
Encode the string you created above using Base64.
Define an authorization header with the term "Basic_", followed by the encoded string. For example, the basic auth authorization header using "admin" as both username and password is as follows:
Code Block
Authorization: Basic YWRtaW46YWRtaW4=

Get API resource list

...

application/xml

...

Name	Located In	Description	Required	Schema
Accept	header	Request Media Type	Yes	string
Auth_Type	header	Authentication Type	Yes	string
Authorization	header	Add HTTP Basic Authorization	Yes	string
Content-type	header	Response Media Type	Yes	string

...

ExceptionBean {

code:integer

message:string

...

Evaluate XACML request

...

application/json

application/xml

...

Name	Located In	Description	Required	Schema
Accept	header	Request Media Type	Yes	string
Auth_Type	header	Authentication Type	Yes	string
Authorization	header	Add HTTP Basic Authorization	Yes	string
Content-type	header	Response Media Type	Yes	string
body	body	XACML JSON/XML Request	Yes	string

...

ExceptionBean {
	code:integer
	message:string
}

...

ExceptionBean {
	code:integer
	message:string
}

Evaluate XACML request by attributes

...

application/xml

...

Name	Located In	Description	Required	Schema
Accept	header	Request Media Type	Yes	string
Auth_Type	header	Authentication Type	Yes	string
Authorization	header	Add HTTP Basic Authorization	Yes	string
Content-type	header	Response Media Type	Yes	string
body	body	Decision Request Model	Yes	DecisionRequestModel { subject:string action:string resource:string environment:[ string ] }

...

Code	Description	Schema
200	Method call success	`HomeResponseModel { }`
40010	Error in Response	ExceptionBean { code:integer message:string }
40020	Request parse exception	ExceptionBean { code:integer message:string }

Evaluate XACML request by attributes and receive boolean response

...

application/json

application/xml

...

Name	Located In	Description	Required	Schema
Accept	header	Request Media Type	Yes	string
Auth_Type	header	Authentication Type	Yes	string
Authorization	header	Add HTTP Basic Authorization	Yes	string
Content-type	header	Response Media Type	Yes	string
body	body	Decision Request Model	Yes	DecisionRequestModel { subject:string action:string resource:string environment:[ string ] }

...

ExceptionBean {
	code:integer
	message:string
}

...

ExceptionBean {
	code:integer
	message:string
}

Get entitled attributes

Description

Get entitled attributes for a given set of parameters.

Resource Path

/entitled-attribs

HTTP Method

POST

Request/Response Format

application/json

application/xml

Authentication

Basic

Username

admin

Password

admin

Parameters

Name	Located In	Description	Required	Schema
Accept	header	Request Media Type	Yes	string
Auth_Type	header	Authentication Type	Yes	string
Authorization	header	Add HTTP Basic Authorization	Yes	string
Content-type	header	Response Media Type	Yes	string
body	body	Decision Request Model	Yes	EntitledAttributesRequestModel { subjectName:string resourceName:string subjectId:string action:string enableChildSearch:boolean }

Response

Code

Description

Schema

200

Entitled attributes response

EntitledAttributesResponseModel {
	entitledResultSetDTO:EntitledResultSetDTO {
		entitledAttributesDTOs:[
			EntitledAttributesDTO {
				resourceName:string
				action:string
				environment:string
				allActions:boolean
				allResources:boolean
				attributeDTOs:[
					AttributeDTO {
						attributeValue:string
						attributeDataType:string
						attributeId:string
						category:string
					}
				]
			}
		]
		advanceResult:boolean
		message:string
		messageType:string
	}
}

40010

Error in Response

ExceptionBean {
	code:integer
	message:string
}

40020

Request parse exception

ExceptionBean {
	code:integer
	message:string
}

Get all entitlements

...

application/json

application/xml

...

Name	Located In	Description	Required	Schema
Accept	header	Request Media Type	Yes	string
Auth_Type	header	Authentication Type	Yes	string
Authorization	header	Add HTTP Basic Authorization	Yes	string
Content-type	header	Response Media Type	Yes	string
body	body	All Entitlements Model	Yes	AllEntitlementsRequestModel { identifier:string givenAttributes:[ AttributeDTO { attributeValue:string attributeDataType:string attributeId:string category:string } ] }

...

AllEntitlementsResponseModel {
	entitledResultSetDTO:EntitledResultSetDTO {
		entitledAttributesDTOs:[
			EntitledAttributesDTO {
				resourceName:string
				action:string
				environment:string
				allActions:boolean
				allResources:boolean
				attributeDTOs:[
					AttributeDTO {
						attributeValue:string
						attributeDataType:string
						attributeId:string
						category:string
					}
				]
			}
		]
		advanceResult:boolean
		message:string
		messageType:string
	}
}

...

ExceptionBean {
	code:integer
	message:string
}

...

getPolicyVersions()

Description

Get the version of a given policy.

Input Parameters

Parameter	Description
policyId	The policy name is registered.

Request

Expand

title	Click here to see the request

Code Block

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:getPolicyVersions>
         <!--Optional:-->
         <xsd:policyId>authn_time_and_user_claim_based_policy_template</xsd:policyId>
      </xsd:getPolicyVersions>
   </soapenv:Body>
</soapenv:Envelope>

Responae

Expand

Code Block

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:getPolicyVersionsResponse xmlns:ns="http://org.apache.axis2/xsd" xmlns:ax2340="http://dto.entitlement.identity.carbon.wso2.org/xsd" xmlns:ax2338="http://entitlement.identity.carbon.wso2.org/xsd">
         <ns:return>1</ns:return>
      </ns:getPolicyVersionsResponse>
   </soapenv:Body>
</soapenv:Envelope>

getPublisherModuleData()

Description

Get the details of the publisher

Input Parameters

None

Request

Expand

title	Click here to expand the request

Code Block

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:getPublisherModuleData/>
   </soapenv:Body>
</soapenv:Envelope>

Response

Expand

title	Click here to expand the response

Code Block

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:getPublisherModuleDataResponse xmlns:ns="http://org.apache.axis2/xsd" xmlns:ax2340="http://dto.entitlement.identity.carbon.wso2.org/xsd" xmlns:ax2338="http://entitlement.identity.carbon.wso2.org/xsd">
         <ns:return xsi:type="ax2340:PublisherDataHolder" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <ax2340:moduleName>Carbon Basic Auth Policy Publisher Module</ax2340:moduleName>
            <ax2340:propertyDTOs xsi:type="ax2340:PublisherPropertyDTO">
               <ax2340:displayName>Subscriber Password</ax2340:displayName>
               <ax2340:displayOrder>3</ax2340:displayOrder>
               <ax2340:id>subscriberPassword</ax2340:id>
               <ax2340:module>Carbon Basic Auth Policy Publisher Module</ax2340:module>
               <ax2340:required>true</ax2340:required>
               <ax2340:secret>true</ax2340:secret>
               <ax2340:value xsi:nil="true"/>
            </ax2340:propertyDTOs>
            <ax2340:propertyDTOs xsi:type="ax2340:PublisherPropertyDTO">
               <ax2340:displayName>Subscriber URL</ax2340:displayName>
               <ax2340:displayOrder>1</ax2340:displayOrder>
               <ax2340:id>subscriberURL</ax2340:id>
               <ax2340:module>Carbon Basic Auth Policy Publisher Module</ax2340:module>
               <ax2340:required>true</ax2340:required>
               <ax2340:secret>false</ax2340:secret>
               <ax2340:value xsi:nil="true"/>
            </ax2340:propertyDTOs>
            <ax2340:propertyDTOs xsi:type="ax2340:PublisherPropertyDTO">
               <ax2340:displayName>Subscriber User Name</ax2340:displayName>
               <ax2340:displayOrder>2</ax2340:displayOrder>
               <ax2340:id>subscriberUserName</ax2340:id>
               <ax2340:module>Carbon Basic Auth Policy Publisher Module</ax2340:module>
               <ax2340:required>true</ax2340:required>
               <ax2340:secret>false</ax2340:secret>
               <ax2340:value xsi:nil="true"/>
            </ax2340:propertyDTOs>
            <ax2340:propertyDTOs xsi:type="ax2340:PublisherPropertyDTO">
               <ax2340:displayName>Subscriber Id</ax2340:displayName>
               <ax2340:displayOrder>0</ax2340:displayOrder>
               <ax2340:id>subscriberId</ax2340:id>
               <ax2340:module>Carbon Basic Auth Policy Publisher Module</ax2340:module>
               <ax2340:required>true</ax2340:required>
               <ax2340:secret>false</ax2340:secret>
               <ax2340:value xsi:nil="true"/>
            </ax2340:propertyDTOs>
         </ns:return>
      </ns:getPublisherModuleDataResponse>
   </soapenv:Body>
</soapenv:Envelope>

publishToPDP()

Description

Publish a policy to PDP

Input Parameters

Parameter	Description
policyId	The policy name that should be published to PDP.

Request

Expand

title	Click here to expand the request

Code Block

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:publishToPDP>
         <!--Zero or more repetitions:-->
         <xsd:policyIds>provisioning_user_claim_based_policy_template</xsd:policyIds>
         <!--Optional:-->
         <xsd:version>1</xsd:version>
         <!--Optional:-->
         <xsd:enabled>false</xsd:enabled>
         <!--Optional:-->
         <xsd:order>30</xsd:order>
      </xsd:publishToPDP>
   </soapenv:Body>
</soapenv:Envelope>

Response

Expand

title	Click here to expand the response

Code Block

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:publishToPDPResponse xmlns:ns="http://org.apache.axis2/xsd">
         <ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
      </ns:publishToPDPResponse>
   </soapenv:Body>
</soapenv:Envelope>

removePolicy()

Description

Remove policy from PDP

Input Parameters

Parameter	Description
policyId	The policy name that should be removed.

Request

Expand

title	Click here to expand the request

Code Block

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:removePolicy>
         <!--Optional:-->
         <xsd:policyId>authn_role_based_policy_template</xsd:policyId>
         <!--Optional:-->
         <xsd:dePromote>true</xsd:dePromote>
      </xsd:removePolicy>
   </soapenv:Body>
</soapenv:Envelope>

Response

Expand

title	Click here to expand the response

Code Block

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:removePolicyResponse xmlns:ns="http://org.apache.axis2/xsd">
         <ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
      </ns:removePolicyResponse>
   </soapenv:Body>
</soapenv:Envelope>

updatePolicy()

Description

Publish a policy to PDP

Input Parameters

Parameter	Description
policyId	The policy name that should be published to PDP.

Request

Expand

title	Click here to expand the request

Code Block

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.entitlement.identity.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:updatePolicy>
         <!--Optional:-->
         <xsd:policyDTO>
        
            <!--Optional:-->
            <xsd1:policy>
            <![CDATA[
				   <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="samplepolicy_template" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
				   <Description>This policy template provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the roles of the user (defined by ROLE_1 and ROLE_2). Users who have at least one of the given roles, will be allowed and any others will be denied.</Description>
				   <Target>
				      <AnyOf>
				         <AllOf>
				            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
				               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP_NAME</AttributeValue>
				               <AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
				            </Match>
				         </AllOf>
				      </AnyOf>
				   </Target>
				   <Rule Effect="Permit" RuleId="permit_by_roles">
				      <Condition>
				         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
				            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
				               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">myName</AttributeValue>
				               <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
				            </Apply>
				         </Apply>
				      </Condition>
				   </Rule>
				   <Rule Effect="Deny" RuleId="deny_others"></Rule>
				</Policy>        
				]]>
            </xsd1:policy>
          
            <xsd1:policyEditorData>?</xsd1:policyEditorData>
            <!--Optional:-->
            <xsd1:policyId>samplepolicy_template</xsd1:policyId>
          
         </xsd:policyDTO>
      </xsd:updatePolicy>
   </soapenv:Body>
</soapenv:Envelope>

Response

Expand

title	Click here to expand the response

Code Block

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:updatePolicyResponse xmlns:ns="http://org.apache.axis2/xsd">
         <ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
      </ns:updatePolicyResponse>
   </soapenv:Body>
</soapenv:Envelope>

Info
There is no REST API available for the policy management.

Policy Evaluation API

Policy evaluation includes all the actions that should be done during the policy evaluation such as getting the decision, getting all entitlement attributes, etc. For this, WSO2 Carbon Platform has provided an admin service called EntitlementService to evaluate a policy.

You can use the following URL in your browser to see the WSDL of the EntitlementService admin service.

Code Block
https://localhost:9443/services/EntitlementService?wsdl

By using any SoapUI, you can call this admin SOAP service.

Note

Note:

All the APIs are secured with basic authentication. Follow the steps below to add a basic auth header when calling these methods.

Build a string of the form username:password.
Encode the string you created above using Base64.
Define an authorization header with the term "Basic_", followed by the encoded string. For example, the basic auth authorization header using "admin" as both username and password is as follows:
Code Block
Authorization: Basic YWRtaW46YWRtaW4=

Operations included in EntitlementService SOAP API

Note

title	Before you begin,

In order to try this EntitlementService using SOAP UI, You need to publish a Policy to the PDP. For this, you can use EntitlementPolicyAdminService or management console UI.

We use the following sample policy to evaluate using EntitlementService admin service.

Code Block

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="samplePolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
	<Target>
		<AnyOf>
			<AllOf>
				<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
					<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
					<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
				</Match>
			</AllOf>
		</AnyOf>
	</Target>
	<Rule Effect="Permit" RuleId="permit"/>
</Policy>

The following commonly used operations are available in the EntitlementPolicyAdminService. A sample SOAP request and response will be available with each of the operation.

Table of Contents

maxLevel	6
minLevel	6
include	getDecision()\|getBooleanDecision()\|getDecisionByAttributes()\|getEntitledAttributes()

getDecision()

Description

Get the decision after evaluating the request with the policy.

Input Parameters

Parameter	Description
request	The XML request to be evaluated as a CDATA

Request

Expand

title	Click here to expand the request

Code Block

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:getDecision>
         <!--Optional:-->
         <xsd:request><![CDATA[
         <Request CombinedDecision="false" ReturnPolicyIdList="false" xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
 <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
      <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
         <AttributeValue DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">bs@simpsons.com</AttributeValue>
      </Attribute>
   </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://127.0.0.1/service/very_secure/ </AttributeValue>
        </Attribute>
    </Attributes>
</Request>
         ]]></xsd:request>
      </xsd:getDecision>
   </soapenv:Body>
</soapenv:Envelope>

Response

Expand

title	Click here to expand the responase

Code Block

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:getDecisionResponse xmlns:ns="http://org.apache.axis2/xsd">
         <ns:return><![CDATA[<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"><Result><Decision>Permit</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status></Result></Response>]]></ns:return>
      </ns:getDecisionResponse>
   </soapenv:Body>
</soapenv:Envelope>

getBooleanDecision()

Description

Get the decision after evaluating the request with the policy published in a boolean format.

Input Parameters

Parameter	Description
subject	The subject/user who is using the resource.
resource	The resource which is accessed by the user.
action	The action performed by the user.

Request

Expand

title	Click here to expand the request

Code Block

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:getBooleanDecision>
         <!--Optional:-->
         <xsd:subject>admin</xsd:subject>
         <!--Optional:-->
         <xsd:resource>http://127.0.0.1/service/very_secure/</xsd:resource>
         <!--Optional:-->
         <xsd:action>read</xsd:action>
      </xsd:getBooleanDecision>
   </soapenv:Body>
</soapenv:Envelope>

Response

Expand

title	Click here to expand the response

Code Block

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:getBooleanDecisionResponse xmlns:ns="http://org.apache.axis2/xsd">
         <ns:return>true</ns:return>
      </ns:getBooleanDecisionResponse>
   </soapenv:Body>
</soapenv:Envelope>

getDecisionByAttributes()

Description

Get the decision by evaluating attributes with the policy.

Input Parameters

Parameter	Description
subject	The subject/user who is using the resource.
resource	The resource which is accessed by the user.
action	The action performed by the user.

Request

Expand

title	Click here to expand the request

Code Block

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:getDecisionByAttributes>
         <!--Optional:-->
         <xsd:subject>admin</xsd:subject>
         <!--Optional:-->
         <xsd:resource>http://127.0.0.1/service/very_secure/</xsd:resource>
         <!--Optional:-->
         <xsd:action>read</xsd:action>
      </xsd:getDecisionByAttributes>
   </soapenv:Body>
</soapenv:Envelope>

Response

Expand

title	Click here to expand the response

Code Block

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:getDecisionByAttributesResponse xmlns:ns="http://org.apache.axis2/xsd">
         <ns:return><![CDATA[<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"><Result><Decision>Permit</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status></Result></Response>]]></ns:return>
      </ns:getDecisionByAttributesResponse>
   </soapenv:Body>
</soapenv:Envelope>

getEntitledAttributes()

Description

Get all the details of the entitled attributes.

Input Parameters

Parameter	Description
subjectName	Subject/Username of the subject which access the resource.
resourceName	Name of the resource which is accessed by the subject.
subjectId	XACML id of the subject
action	Action which is performed by the subject.
enableChildSearch	Enable search over child attributes.

Request

Expand

title	Click here to expand the request

Code Block

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:getEntitledAttributes>
         <!--Optional:-->
         <xsd:subjectName>admin</xsd:subjectName>
         <!--Optional:-->
         <xsd:resourceName>http://127.0.0.1/service/very_secure/</xsd:resourceName>
         <!--Optional:-->
         <xsd:subjectId>urn:oasis:names:tc:xacml:1.0:subject:subject-id</xsd:subjectId>
         <!--Optional:-->
         <xsd:action>read</xsd:action>
         <!--Optional:-->
         <xsd:enableChildSearch>true</xsd:enableChildSearch>
      </xsd:getEntitledAttributes>
   </soapenv:Body>
</soapenv:Envelope>

Response

Expand

title	Click here to expand the response

Code Block

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:getEntitledAttributesResponse xmlns:ns="http://org.apache.axis2/xsd">
         <ns:return xsi:type="ax2348:EntitledResultSetDTO" xmlns:ax2346="http://entitlement.identity.carbon.wso2.org/xsd" xmlns:ax2348="http://dto.entitlement.identity.carbon.wso2.org/xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <ax2348:advanceResult>false</ax2348:advanceResult>
            <ax2348:entitledAttributesDTOs xsi:type="ax2348:EntitledAttributesDTO">
               <ax2348:action>read</ax2348:action>
               <ax2348:allActions>false</ax2348:allActions>
               <ax2348:allResources>true</ax2348:allResources>
               <ax2348:environment xsi:nil="true"/>
               <ax2348:resourceName xsi:nil="true"/>
            </ax2348:entitledAttributesDTOs>
            <ax2348:message xsi:nil="true"/>
            <ax2348:messageType xsi:nil="true"/>
         </ns:return>
      </ns:getEntitledAttributesResponse>
   </soapenv:Body>
</soapenv:Envelope>

Info

title	REST API

WSO2 Identity Server provides a REST API and a REST endpoint for the policy evaluation. Please Read more about REST API from here.

Versions Compared

Old Version 12

New Version Current

Key

Operations included in the EntitlementPolicyAdminService SOAP API

addPolicy()

Policy Evaluation API

Get API resource list

Evaluate XACML request

Evaluate XACML request by attributes

Evaluate XACML request by attributes and receive boolean response

Get entitled attributes

Get all entitlements

getPolicyVersions()

getPublisherModuleData()

publishToPDP()

removePolicy()

updatePolicy()

Policy Evaluation API

Operations included in EntitlementService SOAP API

getDecision()

getBooleanDecision()

getDecisionByAttributes()

Parameter

Description

getEntitledAttributes()