XACML Policy Editor in WSO2 Identity Server V 3.2.X
[This blog post describes the policy editor of WSO2 Identity Server 3.2.X Which is now older version. Please find new details about policy editors from here]
WSO2 Identity server provides a XACML policy editor UI for creating XACML policies. Actually Identity server 3.2.X is shipped with two policy editors. One is basic policy editor and other one is advance policy editor. We can use basically policy editor to create XACML policies with out any knowledge of XACML. You can not create complex policies using it. But it is a great editor to start on XACML. One of the nice feature of this UI, is that you can plug any attribute value sources and select those attribute values when creating the policy; rather than filling text boxes by your own. By default, WSO2 registry resources, Roles of the under line user store and some pre-defined actions are the attribute value sources for resource, subject and action attributes respectively.
Lets go through step by step and create authorization policy based on following requirement.
- Policy is defined for accessing “foo” resource
- All users are kept in the LDAP based user store and it has been plugged with the WSO2 Identity Server.
following are the access control rules that policy needs to be satisfy
- Resources under “foo” collection can be read, written, edited and deleted by the users in admin role.
- Resources under “foo/wso2″ collection can be read by only the users in the WSO2 (whose email address is wso2.com domain)
- Resources under “foo/everyone” collection can be read by any registered user (any user that is in the user store)
- All other access request to “foo” resource must be denied.
Lets use basic XACML editor….
Step1 . Lets define name for the policy and a some description.
Step2. Under “Policy Applies to “, you can define; for what attribute values, this policy is going to be applied (or picked) . This is similar as defining the policy target element. lets configure it such as ”policy is applied for resource attribute value foo with reg-ex match”
Step3. Define the 1st rule. rule name must be given. you can select your “admin” role from user attribute source. So just click on “Select Subject Names” icon
Step4. You can select only the “admin” role from the attribute source.
Step5. You can see, text box has been filled with the selected admin role name. Then click on icon to select actions from the attribute source.
Step6. Select all action values for the admin role
Step7. Make the function name as “at-least-one” under the Action Names. Then this rule would be satisfied even when at least one action is going to perform on this foo resource. Finally lets add this rule in to the policy
Step8. Create 2nd rule as follows. here select email address as user attribute and we can do a reg-ex match for email address.
Step9. Create 3rd rule as follows. just given read access to foo/everyone resource, for all users. All users are members of the everyone role. So you can select everyone role from the attribute source.
Step10. Create 4th rule by selecting “deny” as the effect.
Step11. Define rule combining algorithm for defined four rules. Here we can use “first-applicable”
Step12. Finish and create the policy.
You can view the XML view of the XACML policy that has been created, by using XML policy editor. You can also do modification using it or just using the basic editor…. Here is the policy that is created. Hope XACML editor makes really easy for you to create simple XACML policies…. Any feedbacks are really appreciated. Also this editor is going to be improved in next Identity Server release…