<p>Here is an example of an XACML policy which addresses the following requirement: a given resource can be accessed only by a user belonging to a particular role, and all requests to access any other resource should fail.</p>
<ac:macro ac:name="code"><ac:plain-text-body><![CDATA[
<Policy PolicyId="urn:sample:xacml:2.0:samplepolicy"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
<Description>Sample XACML Authorization Policy</Description>
<Target>
<Subjects>
<AnySubject />
</Subjects>
<Actions>
<AnyAction />
</Actions>
<Resources>
<AnyResource />
</Resources>
</Target>
<Rule Effect="Permit" RuleId="primary-group-rule">
<Target>
<Subjects>
<AnySubject />
</Subjects>
<Resources>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/
</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string" />
</ResourceMatch>
</Resource>
</Resources>
<Actions>
<Action>
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string" />
</ActionMatch>
</Action>
</Actions>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
</Apply>
<SubjectAttributeDesignator AttributeId="group"
DataType="http://www.w3.org/2001/XMLSchema#string" />
</Apply>
</Condition>
</Rule>
<Rule Effect="Deny" RuleId="deny-rule" />
</Policy>
]]></ac:plain-text-body></ac:macro>
<p>The following are a few valid requests which will result in "Permit/Not Applicable/Deny" once evaluated against the above policy.</p>
<h3>The first XACML request</h3>
<ul>
<li><strong>Resource</strong> - <span class="nolink">http://localhost:8280/services/echo/</span></li>
<li><strong>User</strong> - "admin" belongs only to the "admin" group</li>
<li><strong>Result</strong> - Permit</li>
</ul>
<ac:macro ac:name="code"><ac:plain-text-body><![CDATA[
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Subject>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>admin</AttributeValue>
</Attribute>
<Attribute AttributeId="group"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>admin</AttributeValue>
</Attribute>
</Subject>
<Resource>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>http://localhost:8280/services/echo/</AttributeValue>
</Attribute>
</Resource>
<Action>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>read</AttributeValue>
</Attribute>
</Action>
<Environment />
</Request>
]]></ac:plain-text-body></ac:macro>
<h3>The Second XACML request</h3>
<ul>
<li><strong>Resource</strong> - <span class="nolink">http://localhost:8280/services/echo/</span></li>
<li><strong>User</strong> - "admin" belongs to the "admin" group and the "business" group</li>
<li><strong>Result</strong> - Permit</li>
</ul>
<ac:macro ac:name="code"><ac:plain-text-body><![CDATA[
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Subject>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>admin</AttributeValue>
</Attribute>
<Attribute AttributeId="group"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>admin</AttributeValue>
</Attribute>
<Attribute AttributeId="group"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>business</AttributeValue>
</Attribute>
</Subject>
<Resource>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>http://localhost:8280/services/echo/</AttributeValue>
</Attribute>
</Resource>
<Action>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>read</AttributeValue>
</Attribute>
</Action>
<Environment />
</Request>
]]></ac:plain-text-body></ac:macro>
<h3>The third XACML request</h3>
<ul>
<li><strong>Resource</strong> - <span class="nolink">http://localhost:8280/services/test/</span></li>
<li><strong>User</strong> - "admin" belongs to the "admin" group</li>
<li><strong>Result</strong> - Deny</li>
</ul>
<ac:macro ac:name="code"><ac:plain-text-body><![CDATA[
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Subject>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>admin</AttributeValue>
</Attribute>
<Attribute AttributeId="group"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>admin</AttributeValue>
</Attribute>
</Subject>
<Resource>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>http://localhost:8280/services/test/</AttributeValue>
</Attribute>
</Resource>
<Action>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>read</AttributeValue>
</Attribute>
</Action>
<Environment />
</Request>
]]></ac:plain-text-body></ac:macro>
<h3>The forth XACML request</h3>
<ul>
<li><strong>Resource</strong> - <span class="nolink">http://localhost:8280/services/echo/</span></li>
<li><strong>User</strong> - "admin" belongs to the "business" group</li>
<li><strong>Result</strong> - Deny</li>
</ul>
<ac:macro ac:name="code"><ac:plain-text-body><![CDATA[
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Subject>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>admin</AttributeValue>
</Attribute>
<Attribute AttributeId="group"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>business</AttributeValue>
</Attribute>
</Subject>
<Resource>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>http://localhost:8280/services/echo/</AttributeValue>
</Attribute>
</Resource>
<Action>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>read</AttributeValue>
</Attribute>
</Action>
<Environment />
</Request>
]]></ac:plain-text-body></ac:macro>
<p><ac:macro ac:name="excerpt"><ac:parameter ac:name="hidden">true</ac:parameter><ac:rich-text-body>
<p>Instructions on how to write XACML policies in WSO2 Identity Server. Part 2.</p></ac:rich-text-body></ac:macro></p>
This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Manage space
Manage content
Integrations