This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Writing XACML policies in WSO2 Identity Server - 7

This article addresses the following authorization requirements.

1. The operations getVesrion1 and getVersion2 in the service "http://localhost:8280/services/Customers" should be accessed by any user.
2. Requests to any other service or operation should only be accessed by users belonging to the group(s) admin_emps and/or admin.

<Policy PolicyId="urn:sample:xacml:2.0:samplepolicy"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
      <Description>Sample XACML Authorization Policy</Description>
      <Target>
        <Subjects>
          <AnySubject/>
        </Subjects>
        <Actions>
          <AnyAction/>
        </Actions>
        <Resources>
          <AnyResource/>
        </Resources>
      </Target>
      <Rule Effect="Permit" RuleId="primary-resource-rule">
        <Target>
          <Subjects>
            <AnySubject/>
          </Subjects>
          <Resources>
            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
              <ResourceAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/Customers/getVersion1</AttributeValue>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/Customers/getVersion2</AttributeValue>
              </Apply>
            </ResourceMatch>
          </Resources>
          <Actions>
            <AnyAction/>
          </Actions>
        </Target>
        <Condition>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
            <ResourceAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/Customers/getVersion1</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/Customers/getVersion2</AttributeValue>
            </Apply>
          </Apply>
        </Condition>
      </Rule>
      <Rule Effect="Permit" RuleId="primary-group-emps-rule">
        <Target>
          <Subjects>
            <AnySubject/>
          </Subjects>
          <Resources>
              <AnyResource/>
          </Resources>
          <Actions>
            <Action>
              <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                <ActionAttributeDesignator
                  AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </ActionMatch>
            </Action>
          </Actions>
        </Target>
        <Condition>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
            <SubjectAttributeDesignator AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string"/>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin_emps</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
            </Apply>
          </Apply>
        </Condition>
      </Rule>
      <Rule Effect="Deny" RuleId="deny-rule"/>
    </Policy>