You are viewing an old version of this page. View the current version.
Compare with Current
View Page History
« Previous
Version 9
Next »
For entitlement management, WSO2 Identity server provides two APIs for Policy Administration and Policy Evaluation.
The following section guides you on invoking the two admin service and describes the operations available in the WSO2 Identity Server Entitlement Mangement APIs.
Policy Administration API
Policy administration includes all the actions that should be done to manage a policy. Such as adding and updating policy/policies, publishing policies, removing policies etc. For this, WSO2 Carbon Platform has provided an admin service called EntitlementPolicyAdminService to manage policy administration stuff.
You can use the following URL in your browser to see the WSDL of the EntitlementPolicyAdminService admin service.
https://localhost:9443/services/EntitlementPolicyAdminService?wsdl
By using any SoapUI, you can call this admin service.
Operations included in the API
The following operations are available in the EntitlementPolicyAdminService
addPolicy()
Description | Adds a new claim dialect. |
---|
Input Parameters | Parameter | Description |
---|
claimDialectURI | The URI which defines the new claim dialect. |
|
---|
Request | Click here to see the request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.entitlement.identity.carbon.wso2.org/xsd">
<soapenv:Header/>
<soapenv:Body>
<xsd:addPolicy>
<!--Optional:-->
<xsd:policyDTO>
<!--Optional:-->
<xsd1:policy><![CDATA[
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="samplepolicy_template" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
<Description>This policy template provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the roles of the user (defined by ROLE_1 and ROLE_2). Users who have at least one of the given roles, will be allowed and any others will be denied.</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP_NAME</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="permit_by_roles">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ROLE_1_1_1</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule Effect="Deny" RuleId="deny_others"></Rule>
</Policy>
]]>
</xsd1:policy>
<!--Optional:-->
<xsd1:version>1.0</xsd1:version>
</xsd:policyDTO>
</xsd:addPolicy>
</soapenv:Body>
</soapenv:Envelope>
|
---|
Response |
|
---|
Policy Evaluation API
Get API resource list
Description | Get API resource list according to XACML 3.0 Specification |
---|
Resource Path | /home |
---|
HTTP Method | GET |
---|
Request/Response Format | application/json application/xml |
---|
Authentication | Basic |
---|
Username | admin |
---|
Password | admin |
---|
Parameters | Name | Located In | Description | Required | Schema |
---|
Accept | header | Request Media Type | Yes | string | Auth_Type | header | Authentication Type | Yes | string | Authorization | header | Add HTTP Basic Authorization | Yes | string | Content-type | header | Response Media Type | Yes | string |
|
---|
Response | |
---|
Evaluate XACML request
Description | Get response by evaluating JSON/XML XACML request |
---|
Resource Path | /pdp |
---|
HTTP Method | POST |
---|
Request/Response Format | application/json application/xml |
---|
Authentication | Basic |
---|
Username | admin |
---|
Password | admin |
---|
Parameters | Name | Located In | Description | Required | Schema |
---|
Accept | header | Request Media Type | Yes | string | Auth_Type | header | Authentication Type | Yes | string | Authorization | header | Add HTTP Basic Authorization | Yes | string | Content-type | header | Response Media Type | Yes | string | body | body | XACML JSON/XML Request | Yes | string |
|
---|
Response | Code | Description | Schema |
---|
200 | XACML JSON/XML Response |
| 40010 | Error in Response | ExceptionBean {
code:integer
message:string
} | 40020 | Request parse exception | ExceptionBean {
code:integer
message:string
} |
|
---|
Evaluate XACML request by attributes
Description | Get response by evaluating attributes |
---|
Resource Path | /by-attrib |
---|
HTTP Method | POST |
---|
Request/Response Format | application/json application/xml |
---|
Authentication | Basic |
---|
Username | admin |
---|
Password | admin |
---|
Parameters | Name | Located In | Description | Required | Schema |
---|
Accept | header | Request Media Type | Yes | string | Auth_Type | header | Authentication Type | Yes | string | Authorization | header | Add HTTP Basic Authorization | Yes | string | Content-type | header | Response Media Type | Yes | string | body | body | Decision Request Model | Yes | DecisionRequestModel {
subject:string
action:string
resource:string
environment:[
string
]
} |
|
---|
Response | Code | Description | Schema |
---|
200 | Method call success |
HomeResponseModel { }
| 40010 | Error in Response | ExceptionBean {
code:integer
message:string
} | 40020 | Request parse exception | ExceptionBean {
code:integer
message:string
} |
|
---|
Evaluate XACML request by attributes and receive boolean response
Description | Get boolean response by evaluating attributes |
---|
Resource Path | /by-attrib-boolean |
---|
HTTP Method | POST |
---|
Request/Response Format | application/json application/xml |
---|
Authentication | Basic |
---|
Username | admin |
---|
Password | admin |
---|
Parameters | Name | Located In | Description | Required | Schema |
---|
Accept | header | Request Media Type | Yes | string | Auth_Type | header | Authentication Type | Yes | string | Authorization | header | Add HTTP Basic Authorization | Yes | string | Content-type | header | Response Media Type | Yes | string | body | body | Decision Request Model | Yes | DecisionRequestModel {
subject:string
action:string
resource:string
environment:[
string
]
} |
|
---|
Response | Code | Description | Schema |
---|
200 | XACML JSON/XML Response |
| 40010 | Error in Response | ExceptionBean {
code:integer
message:string
} | 40020 | Request parse exception | ExceptionBean {
code:integer
message:string
} |
|
---|
Get entitled attributes
Description | Get entitled attributes for a given set of parameters. |
---|
Resource Path | /entitled-attribs |
---|
HTTP Method | POST |
---|
Request/Response Format | application/json application/xml |
---|
Authentication | Basic |
---|
Username | admin |
---|
Password | admin |
---|
Parameters | Name | Located In | Description | Required | Schema |
---|
Accept | header | Request Media Type | Yes | string | Auth_Type | header | Authentication Type | Yes | string | Authorization | header | Add HTTP Basic Authorization | Yes | string | Content-type | header | Response Media Type | Yes | string | body | body | Decision Request Model | Yes | EntitledAttributesRequestModel {
subjectName:string
resourceName:string
subjectId:string
action:string
enableChildSearch:boolean
} |
|
---|
Response | Code | Description | Schema |
---|
200 | Entitled attributes response | EntitledAttributesResponseModel {
entitledResultSetDTO:EntitledResultSetDTO {
entitledAttributesDTOs:[
EntitledAttributesDTO {
resourceName:string
action:string
environment:string
allActions:boolean
allResources:boolean
attributeDTOs:[
AttributeDTO {
attributeValue:string
attributeDataType:string
attributeId:string
category:string
}
]
}
]
advanceResult:boolean
message:string
messageType:string
}
} | 40010 | Error in Response | ExceptionBean {
code:integer
message:string
} | 40020 | Request parse exception | ExceptionBean {
code:integer
message:string
} |
|
---|
Get all entitlements
Description | Get all entitlements for a given set of parameters |
---|
Resource Path | /entitlements-all |
---|
HTTP Method | POST |
---|
Request/Response Format | application/json application/xml |
---|
Authentication | Basic |
---|
Username | admin |
---|
Password | admin |
---|
Parameters | Name | Located In | Description | Required | Schema |
---|
Accept | header | Request Media Type | Yes | string | Auth_Type | header | Authentication Type | Yes | string | Authorization | header | Add HTTP Basic Authorization | Yes | string | Content-type | header | Response Media Type | Yes | string | body | body | All Entitlements Model | Yes | AllEntitlementsRequestModel {
identifier:string
givenAttributes:[
AttributeDTO {
attributeValue:string
attributeDataType:string
attributeId:string
category:string
}
]
} |
|
---|
Response | Code | Description | Schema |
---|
200 | All entitlements response | AllEntitlementsResponseModel {
entitledResultSetDTO:EntitledResultSetDTO {
entitledAttributesDTOs:[
EntitledAttributesDTO {
resourceName:string
action:string
environment:string
allActions:boolean
allResources:boolean
attributeDTOs:[
AttributeDTO {
attributeValue:string
attributeDataType:string
attributeId:string
category:string
}
]
}
]
advanceResult:boolean
message:string
messageType:string
}
} | 40010 | Error in Response | ExceptionBean {
code:integer
message:string
} | 40020 | Request parse exception | ExceptionBean {
code:integer
message:string
} |
|
---|