Entitlement with APIs

For entitlement management, WSO2 Identity server provides two APIs for Policy Administration and Policy Evaluation.

The following section guides you on invoking the two admin service and describes the operations available in the WSO2 Identity Server Entitlement Mangement APIs.

Before you begin

As admin services are secured to prevent anonymous invocations, you cannot view the WSDL of the admin service by default. Follow the steps below to view and invoke it:

Set the <HideAdminServiceWSDLs> element to false in <IS_HOME>/repository/conf/carbon.xml file.
<HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>
Restart the Identity Server.
If you have started the server in default configurations, use the following URL in your browser to see the WSDL of the admin service: eg:https://localhost:9443/services/EntitlementService?wsdl

For more information on WSO2 admin services and how to invoke an admin service using either SoapUI or any other client program, see Calling Admin Services.

Policy Administration API

Policy administration includes all the actions that should be done to manage a policy. Such as adding and updating policy/policies, publishing policies, removing policies etc. For this, WSO2 Carbon Platform has provided an admin service called EntitlementPolicyAdminService to manage policy administration stuff.

You can use the following URL in your browser to see the WSDL of the EntitlementPolicyAdminService admin service.
```
  https://localhost:9443/services/EntitlementPolicyAdminService?wsdl
```
By using any SoapUI, you can call this admin service.

Operations included in the API

The following operations are available in the EntitlementPolicyAdminService

addPolicy()

Description

Adds a new claim dialect.

Input Parameters

Parameter	Description
claimDialectURI	The URI which defines the new claim dialect.

Request

Click here to see the request

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.entitlement.identity.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:addPolicy>
         <!--Optional:-->
         <xsd:policyDTO>
            <!--Optional:-->
            <xsd1:policy><![CDATA[
				   <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="samplepolicy_template" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
				   <Description>This policy template provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the roles of the user (defined by ROLE_1 and ROLE_2). Users who have at least one of the given roles, will be allowed and any others will be denied.</Description>
				   <Target>
				      <AnyOf>
				         <AllOf>
				            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
				               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP_NAME</AttributeValue>
				               <AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
				            </Match>
				         </AllOf>
				      </AnyOf>
				   </Target>
				   <Rule Effect="Permit" RuleId="permit_by_roles">
				      <Condition>
				         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
				            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
				               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ROLE_1_1_1</AttributeValue>
				               <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
				            </Apply>
				         </Apply>
				      </Condition>
				   </Rule>
				   <Rule Effect="Deny" RuleId="deny_others"></Rule>
				</Policy>        
				]]>
			</xsd1:policy>
            <!--Optional:-->
            <xsd1:version>1.0</xsd1:version>
         </xsd:policyDTO>
      </xsd:addPolicy>
   </soapenv:Body>
</soapenv:Envelope>

Response

Policy Evaluation API

Note:

The REST APIs are secured with basic authentication. Follow the steps below to add a basic auth header when calling these methods.

Build a string of the form username:password.
Encode the string you created above using Base64.
Define an authorization header with the term "Basic_", followed by the encoded string. For example, the basic auth authorization header using "admin" as both username and password is as follows:
```
Authorization: Basic YWRtaW46YWRtaW4=
```

Get API resource list

Description Get API resource list according to XACML 3.0 Specification

Resource Path /home

HTTP Method GET

Request/Response Format

application/json

application/xml

Authentication Basic

Username admin

Password admin

Parameters

Name	Located In	Description	Required	Schema
Accept	header	Request Media Type	Yes	string
Auth_Type	header	Authentication Type	Yes	string
Authorization	header	Add HTTP Basic Authorization	Yes	string
Content-type	header	Response Media Type	Yes	string

Response

Code	Description	Schema
200	Method call success	`HomeResponseModel { }`
40010	Authentication failed for this resource	`ExceptionBean {` `code:integer` `message:string` `}`

Evaluate XACML request

Description

Get response by evaluating JSON/XML XACML request

Resource Path

/pdp

HTTP Method

POST

Request/Response Format

application/json

application/xml

Authentication

Basic

Username

admin

Password

admin

Parameters

Name	Located In	Description	Required	Schema
Accept	header	Request Media Type	Yes	string
Auth_Type	header	Authentication Type	Yes	string
Authorization	header	Add HTTP Basic Authorization	Yes	string
Content-type	header	Response Media Type	Yes	string
body	body	XACML JSON/XML Request	Yes	string

Response

Code	Description	Schema
200	XACML JSON/XML Response
40010	Error in Response	ExceptionBean { code:integer message:string }
40020	Request parse exception	ExceptionBean { code:integer message:string }

Evaluate XACML request by attributes

Description Get response by evaluating attributes

Resource Path /by-attrib

HTTP Method POST

Request/Response Format

application/json

application/xml

Authentication Basic

Username admin

Password admin

Parameters

Name	Located In	Description	Required	Schema
Accept	header	Request Media Type	Yes	string
Auth_Type	header	Authentication Type	Yes	string
Authorization	header	Add HTTP Basic Authorization	Yes	string
Content-type	header	Response Media Type	Yes	string
body	body	Decision Request Model	Yes	DecisionRequestModel { subject:string action:string resource:string environment:[ string ] }

Response

Code	Description	Schema
200	Method call success	`HomeResponseModel { }`
40010	Error in Response	ExceptionBean { code:integer message:string }
40020	Request parse exception	ExceptionBean { code:integer message:string }

Evaluate XACML request by attributes and receive boolean response

Description

Get boolean response by evaluating attributes

Resource Path

/by-attrib-boolean

HTTP Method

POST

Request/Response Format

application/json

application/xml

Authentication

Basic

Username

admin

Password

admin

Parameters

Name	Located In	Description	Required	Schema
Accept	header	Request Media Type	Yes	string
Auth_Type	header	Authentication Type	Yes	string
Authorization	header	Add HTTP Basic Authorization	Yes	string
Content-type	header	Response Media Type	Yes	string
body	body	Decision Request Model	Yes	DecisionRequestModel { subject:string action:string resource:string environment:[ string ] }

Response

Code	Description	Schema
200	XACML JSON/XML Response
40010	Error in Response	ExceptionBean { code:integer message:string }
40020	Request parse exception	ExceptionBean { code:integer message:string }

Get entitled attributes

Description

Get entitled attributes for a given set of parameters.

Resource Path

/entitled-attribs

HTTP Method

POST

Request/Response Format

application/json

application/xml

Authentication

Basic

Username

admin

Password

admin

Parameters

Name	Located In	Description	Required	Schema
Accept	header	Request Media Type	Yes	string
Auth_Type	header	Authentication Type	Yes	string
Authorization	header	Add HTTP Basic Authorization	Yes	string
Content-type	header	Response Media Type	Yes	string
body	body	Decision Request Model	Yes	EntitledAttributesRequestModel { subjectName:string resourceName:string subjectId:string action:string enableChildSearch:boolean }

Response

Code

Description

Schema

200

Entitled attributes response

EntitledAttributesResponseModel {
	entitledResultSetDTO:EntitledResultSetDTO {
		entitledAttributesDTOs:[
			EntitledAttributesDTO {
				resourceName:string
				action:string
				environment:string
				allActions:boolean
				allResources:boolean
				attributeDTOs:[
					AttributeDTO {
						attributeValue:string
						attributeDataType:string
						attributeId:string
						category:string
					}
				]
			}
		]
		advanceResult:boolean
		message:string
		messageType:string
	}
}

40010

Error in Response

ExceptionBean {
	code:integer
	message:string
}

40020

Request parse exception

ExceptionBean {
	code:integer
	message:string
}

Get all entitlements

Description

Get all entitlements for a given set of parameters

Resource Path

/entitlements-all

HTTP Method

POST

Request/Response Format

application/json

application/xml

Authentication

Basic

Username

admin

Password

admin

Parameters

Name	Located In	Description	Required	Schema
Accept	header	Request Media Type	Yes	string
Auth_Type	header	Authentication Type	Yes	string
Authorization	header	Add HTTP Basic Authorization	Yes	string
Content-type	header	Response Media Type	Yes	string
body	body	All Entitlements Model	Yes	AllEntitlementsRequestModel { identifier:string givenAttributes:[ AttributeDTO { attributeValue:string attributeDataType:string attributeId:string category:string } ] }

Response

Code

Description

Schema

200

All entitlements response

AllEntitlementsResponseModel {
	entitledResultSetDTO:EntitledResultSetDTO {
		entitledAttributesDTOs:[
			EntitledAttributesDTO {
				resourceName:string
				action:string
				environment:string
				allActions:boolean
				allResources:boolean
				attributeDTOs:[
					AttributeDTO {
						attributeValue:string
						attributeDataType:string
						attributeId:string
						category:string
					}
				]
			}
		]
		advanceResult:boolean
		message:string
		messageType:string
	}
}

40010

Error in Response

ExceptionBean {
	code:integer
	message:string
}

40020

Request parse exception

ExceptionBean {
	code:integer
	message:string
}