This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 20 Next »

For entitlement management, WSO2 Identity server provides two APIs for Policy Administration and Policy Evaluation.

The following section guides you on invoking the two admin service and describes the operations available in the WSO2 Identity Server Entitlement Mangement APIs. 

Before you begin

As admin services are secured to prevent anonymous invocations, you cannot view the WSDL of the admin service by default. Follow the steps below to view and invoke it:

  1. Set the <HideAdminServiceWSDLs> element to false in <IS_HOME>/repository/conf/carbon.xml file.


    <HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>
  2. Restart the Identity Server.
  3. If you have started the server in default configurations, use the following URL in your browser to see the WSDL of the admin service:  eg:https://localhost:9443/services/EntitlementService?wsdl

For more information on WSO2 admin services and how to invoke an admin service using either SoapUI or any other client program, see Calling Admin Services.

The following section guides you on entitlement management in two different areas,  

Policy Administration API

Policy administration includes all the actions that should be done to manage a policy. Such as adding and updating policy/policies, publishing policies, removing policies etc. For this, WSO2 Carbon Platform has provided an admin service called EntitlementPolicyAdminService to manage policy administration stuff.

  • You can use the following URL in your browser to see the WSDL of the EntitlementPolicyAdminService  admin service.


      https://localhost:9443/services/EntitlementPolicyAdminService?wsdl

    By using any SoapUI, you can call this admin SOAP service.


    Note:

    All the APIs are secured with basic authentication. Follow the steps below to add a basic auth header when calling these methods.

    1. Build a string of the form username:password.
    2. Encode the string you created above using Base64.
    3. Define an authorization header with the term "Basic_", followed by the encoded string. For example, the basic auth authorization header using "admin" as both username and password is as follows: 

      Authorization: Basic YWRtaW46YWRtaW4=



Operations included in the API

The following commonly used operations are available in the EntitlementPolicyAdminService. A sample SOAP request and response will be available with each of the operation.


addPolicy()


DescriptionAdds a new policy.
Input Parameters
ParameterDescription
policy
The policy that should be registered. The XACML policy should be embedded to the SOAP service as a CDATA.
version
Version of the policy.
policyId
The policy name that should be registered.
Request
 Click here to see the request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.entitlement.identity.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:addPolicy>
         <!--Optional:-->
         <xsd:policyDTO>
            <!--Optional:-->
            <xsd1:policy><![CDATA[
				   <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="sample_policy_template" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
				   <Description>This policy template provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the roles of the user (defined by ROLE_1 and ROLE_2). Users who have at least one of the given roles, will be allowed and any others will be denied.</Description>
				   <Target>
				      <AnyOf>
				         <AllOf>
				            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
				               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP_NAME</AttributeValue>
				               <AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
				            </Match>
				         </AllOf>
				      </AnyOf>
				   </Target>
				   <Rule Effect="Permit" RuleId="permit_by_roles">
				      <Condition>
				         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
				            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
				               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ROLE_1_1_1</AttributeValue>
				               <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
				            </Apply>
				         </Apply>
				      </Condition>
				   </Rule>
				   <Rule Effect="Deny" RuleId="deny_others"></Rule>
				</Policy>        
				]]>
			</xsd1:policy>
            <!--Optional:-->
            <xsd1:version>1.0</xsd1:version>
            <xsd1:policyId>sample_policy_template</xsd1:policyId>
         </xsd:policyDTO>
      </xsd:addPolicy>
   </soapenv:Body>
</soapenv:Envelope>
Response
 Click here to see the sample response
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:addPolicyResponse xmlns:ns="http://org.apache.axis2/xsd">
         <ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
      </ns:addPolicyResponse>
   </soapenv:Body>
</soapenv:Envelope>
getAllPolicyIds()


DescriptionRetrieve all policy names or policy Ids.
Input Parameters

None


Request
 Click here to see the request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:getAllPolicyIds>    
      </xsd:getAllPolicyIds>
   </soapenv:Body>
</soapenv:Envelope>
Response
 Click here to see the response
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:getAllPolicyIdsResponse xmlns:ns="http://org.apache.axis2/xsd" xmlns:ax2340="http://dto.entitlement.identity.carbon.wso2.org/xsd" xmlns:ax2338="http://entitlement.identity.carbon.wso2.org/xsd">
         <ns:return>authn_role_based_policy_template</ns:return>
         <ns:return>authn_scope_based_policy_template</ns:return>
         <ns:return>authn_time_and_role_based_policy_template</ns:return>
         <ns:return>authn_time_and_scope_based_policy_template</ns:return>
         <ns:return>authn_time_and_user_claim_based_policy_template</ns:return>
         <ns:return>authn_time_and_user_store_based_policy_template</ns:return>
         <ns:return>authn_time_based_policy_template</ns:return>
         <ns:return>authn_user_claim_based_policy_template</ns:return>
         <ns:return>authn_user_store_based_policy_template</ns:return>
         <ns:return>provisioning_role_based_policy</ns:return>
         <ns:return>provisioning_role_based_policy_template</ns:return>
         <ns:return>provisioning_time_and_role_based_policy_template</ns:return>
         <ns:return>provisioning_time_and_user_claim_based_policy_template</ns:return>
         <ns:return>provisioning_time_based_policy_template</ns:return>
         <ns:return>provisioning_user_claim_based_policy_template</ns:return>
         <ns:return>samplePolicy</ns:return>
         <ns:return>samplePolicy1</ns:return>
         <ns:return>samplepolicy_template</ns:return>
      </ns:getAllPolicyIdsResponse>
   </soapenv:Body>
</soapenv:Envelope>


getPolicy()


DescriptionRetrieve a pre-defined policy.
Input Parameters
ParameterDescription
policyId
The policy name that is registered.
isPDPPolicy
A boolean which tells whether the policy is published to PDP or not.
Request
 Click here to see the request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:getPolicy>
         <!--Optional:-->
         <xsd:policyId>authn_time_and_user_claim_based_policy_template</xsd:policyId>
         <!--Optional:-->
         <xsd:isPDPPolicy>false</xsd:isPDPPolicy>
      </xsd:getPolicy>
   </soapenv:Body>
</soapenv:Envelope>
Response
 Click here to see the response
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:getPolicyResponse xmlns:ns="http://org.apache.axis2/xsd">
         <ns:return xsi:type="ax2340:PolicyDTO" xmlns:ax2340="http://dto.entitlement.identity.carbon.wso2.org/xsd" xmlns:ax2338="http://entitlement.identity.carbon.wso2.org/xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <ax2340:active>true</ax2340:active>
            <ax2340:attributeDTOs xsi:type="ax2340:AttributeDTO">
               <ax2340:attributeDataType>http://www.w3.org/2001/XMLSchema#string</ax2340:attributeDataType>
               <ax2340:attributeId>http://wso2.org/identity/sp/sp-name</ax2340:attributeId>
               <ax2340:attributeValue>SP_NAME</ax2340:attributeValue>
               <ax2340:category>http://wso2.org/identity/sp</ax2340:category>
            </ax2340:attributeDTOs>
            <ax2340:attributeDTOs xsi:type="ax2340:AttributeDTO">
               <ax2340:attributeDataType>http://www.w3.org/2001/XMLSchema#string</ax2340:attributeDataType>
               <ax2340:attributeId>http://wso2.org/identity/identity-action/action-name</ax2340:attributeId>
               <ax2340:attributeValue>authenticate</ax2340:attributeValue>
               <ax2340:category>http://wso2.org/identity/identity-action</ax2340:category>
            </ax2340:attributeDTOs>
            <ax2340:attributeDTOs xsi:type="ax2340:AttributeDTO">
               <ax2340:attributeDataType>http://www.w3.org/2001/XMLSchema#time</ax2340:attributeDataType>
               <ax2340:attributeId>urn:oasis:names:tc:xacml:1.0:environment:current-time</ax2340:attributeId>
               <ax2340:attributeValue>09:00:00</ax2340:attributeValue>
               <ax2340:category>urn:oasis:names:tc:xacml:3.0:attribute-category:environment</ax2340:category>
            </ax2340:attributeDTOs>
            <ax2340:attributeDTOs xsi:type="ax2340:AttributeDTO">
               <ax2340:attributeDataType>http://www.w3.org/2001/XMLSchema#time</ax2340:attributeDataType>
               <ax2340:attributeId>urn:oasis:names:tc:xacml:1.0:environment:current-time</ax2340:attributeId>
               <ax2340:attributeValue>17:00:00</ax2340:attributeValue>
               <ax2340:category>urn:oasis:names:tc:xacml:3.0:attribute-category:environment</ax2340:category>
            </ax2340:attributeDTOs>
            <ax2340:attributeDTOs xsi:type="ax2340:AttributeDTO">
               <ax2340:attributeDataType>http://www.w3.org/2001/XMLSchema#string</ax2340:attributeDataType>
               <ax2340:attributeId>CLAIM_URI_1</ax2340:attributeId>
               <ax2340:attributeValue>CLAIM_VALUE_1</ax2340:attributeValue>
               <ax2340:category>urn:oasis:names:tc:xacml:3.0:attribute-category:resource</ax2340:category>
            </ax2340:attributeDTOs>
            <ax2340:attributeDTOs xsi:type="ax2340:AttributeDTO">
               <ax2340:attributeDataType>http://www.w3.org/2001/XMLSchema#string</ax2340:attributeDataType>
               <ax2340:attributeId>CLAIM_URI_2</ax2340:attributeId>
               <ax2340:attributeValue>CLAIM_VALUE_2</ax2340:attributeValue>
               <ax2340:category>urn:oasis:names:tc:xacml:3.0:attribute-category:resource</ax2340:category>
            </ax2340:attributeDTOs>
            <ax2340:lastModifiedTime>1508817592043</ax2340:lastModifiedTime>
            <ax2340:lastModifiedUser xsi:nil="true"/>
            <ax2340:policy><![CDATA[<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="authn_time_and_user_claim_based_policy_template" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0"><Description>This template policy provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the claim values of the user (CLAIM_URI_1=CLAIM_VALUE_1 and CLAIM_URI_2=CLAIM_VALUE_2) and the time of the day (eg. between 09:00:00 to 17:00:00). Users with the given claim values and who are logged in within the given time range will be allowed and any other users will be denied.</Description><Target><AnyOf><AllOf><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP_NAME</AttributeValue><AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator></Match><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authenticate</AttributeValue><AttributeDesignator AttributeId="http://wso2.org/identity/identity-action/action-name" Category="http://wso2.org/identity/identity-action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator></Match></AllOf></AnyOf></Target><Rule Effect="Permit" RuleId="permit_by_claims_and_time"><Condition><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"><Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:time-in-range"><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only"><AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#time" MustBePresent="true"></AttributeDesignator></Apply><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</AttributeValue><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue></Apply><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"><AttributeDesignator AttributeId="CLAIM_URI_1" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator></Apply><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CLAIM_VALUE_1</AttributeValue></Apply><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"><AttributeDesignator AttributeId="CLAIM_URI_2" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator></Apply><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CLAIM_VALUE_2</AttributeValue></Apply></Apply></Condition></Rule><Rule Effect="Deny" RuleId="deny_others"></Rule></Policy>]]></ax2340:policy>
            <ax2340:policyEditor xsi:nil="true"/>
            <ax2340:policyId>authn_time_and_user_claim_based_policy_template</ax2340:policyId>
            <ax2340:policyOrder>12</ax2340:policyOrder>
            <ax2340:policyType>Policy</ax2340:policyType>
            <ax2340:promote>false</ax2340:promote>
            <ax2340:version>1</ax2340:version>
         </ns:return>
      </ns:getPolicyResponse>
   </soapenv:Body>
</soapenv:Envelope>


getPolicyVersions()


DescriptionGet the version of a given policy.
Input Parameters
ParameterDescription
policyId
The policy name is registered.
Request
 Click here to see the request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:getPolicyVersions>
         <!--Optional:-->
         <xsd:policyId>authn_time_and_user_claim_based_policy_template</xsd:policyId>
      </xsd:getPolicyVersions>
   </soapenv:Body>
</soapenv:Envelope>
Responae
 Click here to expand...
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:getPolicyVersionsResponse xmlns:ns="http://org.apache.axis2/xsd" xmlns:ax2340="http://dto.entitlement.identity.carbon.wso2.org/xsd" xmlns:ax2338="http://entitlement.identity.carbon.wso2.org/xsd">
         <ns:return>1</ns:return>
      </ns:getPolicyVersionsResponse>
   </soapenv:Body>
</soapenv:Envelope>
getPublisherModuleData()


DescriptionGet the details of the publisher
Input Parameters

None

Request
 Click here to expand the request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:getPublisherModuleData/>
   </soapenv:Body>
</soapenv:Envelope>
Response
 Click here to expand the response
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:getPublisherModuleDataResponse xmlns:ns="http://org.apache.axis2/xsd" xmlns:ax2340="http://dto.entitlement.identity.carbon.wso2.org/xsd" xmlns:ax2338="http://entitlement.identity.carbon.wso2.org/xsd">
         <ns:return xsi:type="ax2340:PublisherDataHolder" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <ax2340:moduleName>Carbon Basic Auth Policy Publisher Module</ax2340:moduleName>
            <ax2340:propertyDTOs xsi:type="ax2340:PublisherPropertyDTO">
               <ax2340:displayName>Subscriber Password</ax2340:displayName>
               <ax2340:displayOrder>3</ax2340:displayOrder>
               <ax2340:id>subscriberPassword</ax2340:id>
               <ax2340:module>Carbon Basic Auth Policy Publisher Module</ax2340:module>
               <ax2340:required>true</ax2340:required>
               <ax2340:secret>true</ax2340:secret>
               <ax2340:value xsi:nil="true"/>
            </ax2340:propertyDTOs>
            <ax2340:propertyDTOs xsi:type="ax2340:PublisherPropertyDTO">
               <ax2340:displayName>Subscriber URL</ax2340:displayName>
               <ax2340:displayOrder>1</ax2340:displayOrder>
               <ax2340:id>subscriberURL</ax2340:id>
               <ax2340:module>Carbon Basic Auth Policy Publisher Module</ax2340:module>
               <ax2340:required>true</ax2340:required>
               <ax2340:secret>false</ax2340:secret>
               <ax2340:value xsi:nil="true"/>
            </ax2340:propertyDTOs>
            <ax2340:propertyDTOs xsi:type="ax2340:PublisherPropertyDTO">
               <ax2340:displayName>Subscriber User Name</ax2340:displayName>
               <ax2340:displayOrder>2</ax2340:displayOrder>
               <ax2340:id>subscriberUserName</ax2340:id>
               <ax2340:module>Carbon Basic Auth Policy Publisher Module</ax2340:module>
               <ax2340:required>true</ax2340:required>
               <ax2340:secret>false</ax2340:secret>
               <ax2340:value xsi:nil="true"/>
            </ax2340:propertyDTOs>
            <ax2340:propertyDTOs xsi:type="ax2340:PublisherPropertyDTO">
               <ax2340:displayName>Subscriber Id</ax2340:displayName>
               <ax2340:displayOrder>0</ax2340:displayOrder>
               <ax2340:id>subscriberId</ax2340:id>
               <ax2340:module>Carbon Basic Auth Policy Publisher Module</ax2340:module>
               <ax2340:required>true</ax2340:required>
               <ax2340:secret>false</ax2340:secret>
               <ax2340:value xsi:nil="true"/>
            </ax2340:propertyDTOs>
         </ns:return>
      </ns:getPublisherModuleDataResponse>
   </soapenv:Body>
</soapenv:Envelope>
publishToPDP()


DescriptionPublish a policy to PDP
Input Parameters
ParameterDescription
policyId
The policy name that should be published to PDP.
Request
 Click here to expand the request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:publishToPDP>
         <!--Zero or more repetitions:-->
         <xsd:policyIds>provisioning_user_claim_based_policy_template</xsd:policyIds>
         <!--Optional:-->
         <xsd:version>1</xsd:version>
         <!--Optional:-->
         <xsd:enabled>false</xsd:enabled>
         <!--Optional:-->
         <xsd:order>30</xsd:order>
      </xsd:publishToPDP>
   </soapenv:Body>
</soapenv:Envelope>
Response
 Click here to expand the response
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:publishToPDPResponse xmlns:ns="http://org.apache.axis2/xsd">
         <ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
      </ns:publishToPDPResponse>
   </soapenv:Body>
</soapenv:Envelope>
removePolicy()


DescriptionRemove policy from PDP
Input Parameters
ParameterDescription
policyId
The policy name that should be removed.
Request
 Click here to expand the request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:removePolicy>
         <!--Optional:-->
         <xsd:policyId>authn_role_based_policy_template</xsd:policyId>
         <!--Optional:-->
         <xsd:dePromote>true</xsd:dePromote>
      </xsd:removePolicy>
   </soapenv:Body>
</soapenv:Envelope>
Response
 Click here to expand the response
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:removePolicyResponse xmlns:ns="http://org.apache.axis2/xsd">
         <ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
      </ns:removePolicyResponse>
   </soapenv:Body>
</soapenv:Envelope>
updatePolicy()


DescriptionPublish a policy to PDP
Input Parameters
ParameterDescription
policyId
The policy name that should be published to PDP.
Request
 Click here to expand the request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.entitlement.identity.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:updatePolicy>
         <!--Optional:-->
         <xsd:policyDTO>
        
            <!--Optional:-->
            <xsd1:policy>
            <![CDATA[
				   <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="samplepolicy_template" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
				   <Description>This policy template provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the roles of the user (defined by ROLE_1 and ROLE_2). Users who have at least one of the given roles, will be allowed and any others will be denied.</Description>
				   <Target>
				      <AnyOf>
				         <AllOf>
				            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
				               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP_NAME</AttributeValue>
				               <AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
				            </Match>
				         </AllOf>
				      </AnyOf>
				   </Target>
				   <Rule Effect="Permit" RuleId="permit_by_roles">
				      <Condition>
				         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
				            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
				               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">myName</AttributeValue>
				               <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
				            </Apply>
				         </Apply>
				      </Condition>
				   </Rule>
				   <Rule Effect="Deny" RuleId="deny_others"></Rule>
				</Policy>        
				]]>
            </xsd1:policy>
          
            <xsd1:policyEditorData>?</xsd1:policyEditorData>
            <!--Optional:-->
            <xsd1:policyId>samplepolicy_template</xsd1:policyId>
          
         </xsd:policyDTO>
      </xsd:updatePolicy>
   </soapenv:Body>
</soapenv:Envelope>
Response
 Click here to expand the response
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:updatePolicyResponse xmlns:ns="http://org.apache.axis2/xsd">
         <ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
      </ns:updatePolicyResponse>
   </soapenv:Body>
</soapenv:Envelope>

There is no REST API available for the policy management.


Policy Evaluation API

Policy evaluation includes all the actions that should be done during the policy evaluation such as getting the decision, getting all entitlement attributes, etc. For this, WSO2 Carbon Platform has provided an admin service called EntitlementService to evaluate a policy.

  • You can use the following URL in your browser to see the WSDL of the EntitlementService  admin service.


      https://localhost:9443/services/EntitlementService?wsdl

    By using any SoapUI, you can call this admin SOAP service.


    Note:

    All the APIs are secured with basic authentication. Follow the steps below to add a basic auth header when calling these methods.

    1. Build a string of the form username:password.
    2. Encode the string you created above using Base64.
    3. Define an authorization header with the term "Basic_", followed by the encoded string. For example, the basic auth authorization header using "admin" as both username and password is as follows: 

      Authorization: Basic YWRtaW46YWRtaW4=



Operations included in the API

The following commonly used operations are available in the EntitlementPolicyAdminService. A sample SOAP request and response will be available with each of the operation.


Note:

The REST APIs are secured with basic authentication. Follow the steps below to add a basic auth header when calling these methods.

  1. Build a string of the form username:password.
  2. Encode the string you created above using Base64.
  3. Define an authorization header with the term "Basic_", followed by the encoded string. For example, the basic auth authorization header using "admin" as both username and password is as follows: 

    Authorization: Basic YWRtaW46YWRtaW4=

Get API resource list

DescriptionGet API resource list according to XACML 3.0 Specification
Resource Path/home
HTTP MethodGET
Request/Response Formatapplication/json

application/xml

AuthenticationBasic
Usernameadmin
Passwordadmin
Parameters
NameLocated InDescriptionRequiredSchema
AcceptheaderRequest Media TypeYesstring
Auth_TypeheaderAuthentication TypeYesstring
AuthorizationheaderAdd HTTP Basic AuthorizationYesstring
Content-typeheaderResponse Media TypeYesstring
Response
CodeDescriptionSchema
200Method call success HomeResponseModel { }
40010Authentication failed for this resource

ExceptionBean {

code:integer
message:string

}

Evaluate XACML request

DescriptionGet response by evaluating JSON/XML XACML request
Resource Path/pdp
HTTP MethodPOST
Request/Response Format

application/json

application/xml

AuthenticationBasic
Usernameadmin
Passwordadmin
Parameters
NameLocated InDescriptionRequiredSchema
AcceptheaderRequest Media TypeYesstring
Auth_TypeheaderAuthentication TypeYesstring
AuthorizationheaderAdd HTTP Basic AuthorizationYesstring
Content-typeheaderResponse Media TypeYesstring
bodybodyXACML JSON/XML RequestYesstring
Response
CodeDescriptionSchema
200XACML JSON/XML Response
40010Error in Response
ExceptionBean {
	code:integer
	message:string
}
40020Request parse exception
ExceptionBean {
	code:integer
	message:string
}

Evaluate XACML request by attributes

DescriptionGet response by evaluating attributes
Resource Path/by-attrib
HTTP MethodPOST
Request/Response Formatapplication/json

application/xml

AuthenticationBasic
Usernameadmin
Passwordadmin
Parameters
NameLocated InDescriptionRequiredSchema
AcceptheaderRequest Media TypeYesstring
Auth_TypeheaderAuthentication TypeYesstring
AuthorizationheaderAdd HTTP Basic AuthorizationYesstring
Content-typeheaderResponse Media TypeYesstring
bodybodyDecision Request ModelYes
DecisionRequestModel {
 
	subject:string
	action:string
	resource:string
	environment:[
			string
	]
}
Response
CodeDescriptionSchema
200Method call success HomeResponseModel { }
40010Error in Response
ExceptionBean {
	code:integer
	message:string
}
40020Request parse exception
ExceptionBean {
	code:integer
	message:string
}

Evaluate XACML request by attributes and receive boolean response

DescriptionGet boolean response by evaluating attributes
Resource Path/by-attrib-boolean
HTTP MethodPOST
Request/Response Format

application/json

application/xml

AuthenticationBasic
Usernameadmin
Passwordadmin
Parameters
NameLocated InDescriptionRequiredSchema
AcceptheaderRequest Media TypeYesstring
Auth_TypeheaderAuthentication TypeYesstring
AuthorizationheaderAdd HTTP Basic AuthorizationYesstring
Content-typeheaderResponse Media TypeYesstring
bodybodyDecision Request ModelYes
DecisionRequestModel {
 
	subject:string
	action:string
	resource:string
	environment:[
			string
	]
}
Response
CodeDescriptionSchema
200XACML JSON/XML Response
40010Error in Response
ExceptionBean {
	code:integer
	message:string
}
40020Request parse exception
ExceptionBean {
	code:integer
	message:string
}

Get entitled attributes

DescriptionGet entitled attributes for a given set of parameters.
Resource Path/entitled-attribs
HTTP MethodPOST
Request/Response Format

application/json

application/xml

AuthenticationBasic
Usernameadmin
Passwordadmin
Parameters
NameLocated InDescriptionRequiredSchema
AcceptheaderRequest Media TypeYesstring
Auth_TypeheaderAuthentication TypeYesstring
AuthorizationheaderAdd HTTP Basic AuthorizationYesstring
Content-typeheaderResponse Media TypeYesstring
bodybodyDecision Request ModelYes
EntitledAttributesRequestModel {
	subjectName:string
	resourceName:string
	subjectId:string
	action:string
	enableChildSearch:boolean
}
Response
CodeDescriptionSchema
200Entitled attributes response
EntitledAttributesResponseModel {
	entitledResultSetDTO:EntitledResultSetDTO {
		entitledAttributesDTOs:[
			EntitledAttributesDTO {
				resourceName:string
				action:string
				environment:string
				allActions:boolean
				allResources:boolean
				attributeDTOs:[
					AttributeDTO {
						attributeValue:string
						attributeDataType:string
						attributeId:string
						category:string
					}
				]
			}
		]
		advanceResult:boolean
		message:string
		messageType:string
	}
}
40010Error in Response
ExceptionBean {
	code:integer
	message:string
}
40020Request parse exception
ExceptionBean {
	code:integer
	message:string
}

Get all entitlements

DescriptionGet all entitlements for a given set of parameters
Resource Path/entitlements-all
HTTP MethodPOST
Request/Response Format

application/json

application/xml

AuthenticationBasic
Usernameadmin
Passwordadmin
Parameters
NameLocated InDescriptionRequiredSchema
AcceptheaderRequest Media TypeYesstring
Auth_TypeheaderAuthentication TypeYesstring
AuthorizationheaderAdd HTTP Basic AuthorizationYesstring
Content-typeheaderResponse Media TypeYesstring
bodybodyAll Entitlements ModelYes
AllEntitlementsRequestModel {
	identifier:string
	givenAttributes:[
		AttributeDTO {
			attributeValue:string
			attributeDataType:string
			attributeId:string
			category:string
		}
	]
}
Response
CodeDescriptionSchema
200All entitlements response
AllEntitlementsResponseModel {
	entitledResultSetDTO:EntitledResultSetDTO {
		entitledAttributesDTOs:[
			EntitledAttributesDTO {
				resourceName:string
				action:string
				environment:string
				allActions:boolean
				allResources:boolean
				attributeDTOs:[
					AttributeDTO {
						attributeValue:string
						attributeDataType:string
						attributeId:string
						category:string
					}
				]
			}
		]
		advanceResult:boolean
		message:string
		messageType:string
	}
}
40010Error in Response
ExceptionBean {
	code:integer
	message:string
}
40020Request parse exception
ExceptionBean {
	code:integer
	message:string
}
  • No labels