XACML Policy Administration With WSO2 Identity Server

According to XACML terminology, the Policy Administration Point (PAP) is the place where XACML policies are defined and managed. WSO2 Identity Server is an open source product that lets you manage XACML policies. If you log in to the management console UI of WSO2 Identity Server v4.5.0, you will see a PAP UI with the following capabilities.

  • Create, upload, update and delete XACML policies and Policy Sets.
    -> Create and edit XACML 3.0 based entitlement policies using three types of policy editor, i.e. the Simple, Basic and Standard policy editors
    -> Create and edit XACML 3.0 based entitlement policy sets using the policy editor
    -> All these policy editors are configurable. You can feed in attribute ids, categories and data types.
    -> Import existing XACML based entitlement policies from the file system or the WSO2 Carbon registry.
    -> Edit and update XACML based entitlement policies using the XML editor.
  • Try out each policy by creating XACML 3.0 requests
  • Roll back entitlement policies to older versions
  • Publish entitlement policies to its own PDP policy store or to external PDP policy stores
  • View XACML policy status (created, updated, published and more audit details)
  • Policy search using regexp and attribute values.

However, consider the following scenario:

You have existing policies and want to upload them in bulk. The management console UI does not support most bulk operations. So how do we achieve this with WSO2 Identity Server?

All management console operations are exposed via a web service API. Therefore you can write your own UI on top of this API, and you can just as easily script these API calls to perform bulk operations.

Web Service API

There are three web services exposed by the XACML component of Identity Server. Here I am interested in the EntitlementPolicyAdminService web service API. It is the API that exposes all policy management functions. This is an “admin service” of Identity Server; admin services are secured and their WSDLs are hidden by default. Therefore you first need to configure the following property to see the WSDL of the EntitlementPolicyAdminService.

Open the carbon.xml file, which can be found in the <IS_HOME>/repository/conf directory, and set the following property to “false”:

<HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>

Then restart the server and access the following URL from your browser to see the WSDL:

https://{ip-address}:{port}/services/EntitlementPolicyAdminService?wsdl

Client for Policy Admin Service

If you are automating web service APIs, you have several options. The simplest is to use the web service client tools available on the web (such as SOAPUI and JMeter, which I have used).

But I guess the best thing is to write your own client. Here is the Java client that I have written for automating the web service API. It is very simple code; you can go through it and find out the API usages.

Please Note:

If you are using WSO2IS 4.5.0, please find the Java client here.

If you are using WSO2IS 5.0.0, please find the Java client here. There are some API changes in the web service, therefore you need to use the new stub with it. Also, please make sure to apply the fix for issue https://wso2.org/jira/browse/IDENTITY-2899.
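As an added example (not the author's Java client linked above), here is a Python script that performs the bulk upload described earlier by calling the addPolicy operation of the same EntitlementPolicyAdminService. The SOAP element names and the PolicyDTO field order are assumptions based on the usual Axis2 conventions and must be checked against the WSDL exposed above; HTTP basic authentication against the admin service, the endpoint URL and the policy directory are likewise assumptions.

```python
import os
import ssl
import base64
import urllib.request
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

# Element names assumed from the Axis2-generated WSDL; verify them against the WSDL shown above.
AXIS_NS = "http://org.apache.axis2/xsd"
DTO_NS = "http://dto.entitlement.identity.carbon.wso2.org/xsd"
XACML3_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"


def policy_id(policy_xml):
    """Return the PolicyId attribute; raise ValueError if the file is not a XACML 3.0 Policy."""
    root = ET.fromstring(policy_xml)
    if root.tag != f"{{{XACML3_NS}}}Policy" or "PolicyId" not in root.attrib:
        raise ValueError("not a XACML 3.0 Policy element")
    return root.attrib["PolicyId"]


def build_add_policy_envelope(policy_xml, active=True, promote=False):
    """SOAP body for addPolicy(PolicyDTO); the policy is XML carried inside XML, so it must be escaped."""
    return (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body>'
        f'<xsd:addPolicy xmlns:xsd="{AXIS_NS}"><xsd:policyDTO xmlns:dto="{DTO_NS}">'
        f"<dto:active>{str(active).lower()}</dto:active>"
        f"<dto:policy>{escape(policy_xml)}</dto:policy>"
        f"<dto:promote>{str(promote).lower()}</dto:promote>"
        "</xsd:policyDTO></xsd:addPolicy></soapenv:Body></soapenv:Envelope>"
    )


def upload_policies(policy_dir, endpoint, username, password, cafile=None):
    """Upload every *.xml file in policy_dir; return the PolicyIds the server accepted, in order."""
    ctx = ssl.create_default_context(cafile=cafile)  # trust the server's CA; do not disable verification
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Content-Type": "text/xml; charset=UTF-8", "SOAPAction": "urn:addPolicy",
               "Authorization": f"Basic {auth}"}  # basic auth against the admin service is an assumption
    uploaded = []
    for name in sorted(os.listdir(policy_dir)):
        if not name.endswith(".xml"):
            continue
        with open(os.path.join(policy_dir, name), encoding="utf-8") as fh:
            policy_xml = fh.read()
        pid = policy_id(policy_xml)  # reject malformed files before they reach the policy store
        req = urllib.request.Request(endpoint, data=build_add_policy_envelope(policy_xml).encode(), headers=headers)
        with urllib.request.urlopen(req, context=ctx) as resp:
            resp.read()  # a SOAP fault comes back as HTTP 500 and surfaces as urllib.error.HTTPError
        uploaded.append(pid)
    return uploaded
```

Policies are uploaded inactive by default (promote=False), so a failed batch can be reviewed in the PAP before anything is published to a PDP.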