Upload your existing XACML policies in to WSO2 Identity Server

In most of my earlier blog posts, I have gone through how we can create XACML policies with the policy editors. In this blog post, let us see how we import an existing XACML policy into the WSO2 Identity Server PDP runtime. This is not a straightforward process; it takes two or three steps, because with WSO2 Identity Server 4.5.0 the PAP (Policy Administration Point) and PDP (Policy Decision Point) components are clearly decoupled from each other (more details can be found in my older post).

To understand things better, let us have a look at the Identity Server management console UI. If you use the WSO2 Identity Server management console UI for XACML policy management, you will notice the following behavior.

1. When you upload an existing policy from the file system, it is stored directly in the PAP policy store. Likewise, when you create a policy from the policy editor, it is saved directly in the PAP store.
2. Then you need to publish the policy to the PDP policy store.
3. To make it available for PDP evaluation, you need to enable the policy in the PDP policy store.

So there must be at least three steps to go through.

Step 1. Import the policy

Step 2. Publish it to its own PDP policy store

Step 3. Enable the policy in the PDP policy store

Step 4. Now it is time to evaluate

This is how you have to proceed if you are importing an existing policy using the management console. Say you already have many existing policies and you need to load them into the PDP runtime directly. How are we going to achieve that?

There are several ways to achieve it. Here I am going to show how we can do it using the EntitlementPolicyAdminService API, which is the web service API exposed by the PAP of WSO2 Identity Server. You can find the sample client that can be used to automate the policy import scenario from here. With one web service call you can import, publish and enable the policy. Also, here is the sample bulk policy upload client that I used to load test the Identity Server.
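As an added example (not the author's sample client), the following Axis2 client performs all three steps with a single `addPolicy` call by setting `promote` and `active` on the `PolicyDTO`. The stub and DTO class names are those of the WSO2 Identity Server entitlement stub jars as I know them and should be checked against your stub version; the endpoint, credentials, trust store path and policy file name are assumed values.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import org.apache.axis2.client.Options;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.axis2.transport.http.HTTPConstants;
import org.apache.axis2.transport.http.HttpTransportProperties;
import org.wso2.carbon.identity.entitlement.stub.EntitlementPolicyAdminServiceStub;
import org.wso2.carbon.identity.entitlement.stub.dto.PolicyDTO;

public class PolicyUploadClient {
    // Assumed deployment values; change them to match your server.
    private static final String SERVICE_URL =
            "https://localhost:9443/services/EntitlementPolicyAdminService";
    private static final String USERNAME = "admin";
    private static final String PASSWORD = "admin";
    private static final String TRUST_STORE = "/path/to/wso2carbon.jks";   // placeholder path
    private static final String TRUST_STORE_PASSWORD = "wso2carbon";

    public static void main(String[] args) throws Exception {
        String policyFile = args.length > 0 ? args[0] : "policy.xml";
        String policyXml = new String(Files.readAllBytes(Paths.get(policyFile)), StandardCharsets.UTF_8);
        // Trust the server certificate rather than disabling chain or hostname checks.
        System.setProperty("javax.net.ssl.trustStore", TRUST_STORE);
        System.setProperty("javax.net.ssl.trustStorePassword", TRUST_STORE_PASSWORD);
        ConfigurationContext ctx =
                ConfigurationContextFactory.createConfigurationContextFromFileSystem(null, null);
        EntitlementPolicyAdminServiceStub stub = new EntitlementPolicyAdminServiceStub(ctx, SERVICE_URL);
        // Admin services require HTTP basic authentication over TLS.
        HttpTransportProperties.Authenticator auth = new HttpTransportProperties.Authenticator();
        auth.setUsername(USERNAME);
        auth.setPassword(PASSWORD);
        auth.setPreemptiveAuthentication(true);
        Options options = stub._getServiceClient().getOptions();
        options.setProperty(HTTPConstants.AUTHENTICATE, auth);
        // One call covers import into the PAP store, publishing to the PDP store (promote)
        // and enabling for evaluation (active); the policy ID comes from the XACML PolicyId.
        PolicyDTO dto = new PolicyDTO();
        dto.setPolicy(policyXml);
        dto.setPromote(true);
        dto.setActive(true);
        stub.addPolicy(dto);
        System.out.println("Imported, published and enabled policy from " + policyFile);
    }
}
```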
