WSO2 Identity Server comes with XACML support for fine-grained authorization. It includes full support for policies based on XACML 2.0 and 3.0.
For more information on XACML and the concept of XACML engine, see Access Control and Entitlement Management.
The following steps describe how you can configure the Identity Server as an XACML engine.
- Log in to the Management Console using your username and password.
- Navigate to the Main menu to access the Entitlement menu. Click Policy Administration under PAP. For more information on policy administration, see Configuring the Policy Administration Point.
- Add a new policy or import external policy files into the system. Once you click Add, a policy is added. You can edit the template policy to suit your requirements, or you can add a completely new policy.
- After adding the policy, you can publish it to the Policy Decision Point (PDP).
- Now try to evaluate the published policy by using the Try It tool.
Here you can build your own XACML request to evaluate the policy you just added. Copy and paste the following on the above screen and click "Evaluate."
The above request means that the "admin" user is trying to access the echoString operation of the
The template policy evaluates the above in the following manner:
Find the following section of the template policy:
In this policy, we use function:string-regexp-match to validate the service name and operation name combination. You can modify it to suit your own requirements.
For example, if you want to allow users to access all of the services deployed on a certain server, then simply change it to http://localhost:8280/. Or, if you want a user to access only a certain set of operations, you can simply change the
The following code is used to evaluate the username:
Here we validate the "admin" user.
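As an added example (not the template policy that ships with the Identity Server), the following Python mirrors the three checks described above: a string-regexp-match on the resource, a check on the operation name, and a check on the username. It builds the kind of XACML 3.0 request the Try It tool accepts and evaluates it; the service URL is an assumed placeholder under the server named above, the attribute identifiers are the standard XACML ones, and the "admin" user and echoString operation come from the page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the page's template policy (not WSO2's own policy):
# a regexp check on the resource, a check on the operation, and a check on the user.
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
CATEGORIES = {
    SUBJECT_ID: "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
    RESOURCE_ID: "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    ACTION_ID: "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
}
# Assumed value: a placeholder service URL under the server the page names.
EXAMPLE_RESOURCE = "http://localhost:8280/services/example-service"


def build_request(user, resource, operation):
    """Build a XACML 3.0 <Request> carrying one subject, one resource and one action attribute."""
    req = ET.Element(f"{{{XACML_NS}}}Request", CombinedDecision="false", ReturnPolicyIdList="false")
    for attr_id, value in ((SUBJECT_ID, user), (RESOURCE_ID, resource), (ACTION_ID, operation)):
        attrs = ET.SubElement(req, f"{{{XACML_NS}}}Attributes", Category=CATEGORIES[attr_id])
        attr = ET.SubElement(attrs, f"{{{XACML_NS}}}Attribute", AttributeId=attr_id, IncludeInResult="false")
        ET.SubElement(attr, f"{{{XACML_NS}}}AttributeValue", DataType=XSD_STRING).text = value
    return ET.tostring(req, encoding="unicode")


def evaluate(request_xml, resource_regexp, allowed_operations, allowed_users):
    """Permit only when every check passes; the template's fallback rule is Deny."""
    root = ET.fromstring(request_xml)
    found = {}
    for attr in root.iter(f"{{{XACML_NS}}}Attribute"):
        found[attr.get("AttributeId")] = attr.findtext(f"{{{XACML_NS}}}AttributeValue", "")
    # string-regexp-match follows XQuery fn:matches, i.e. an unanchored search: the
    # page's suggestion of "http://localhost:8280/" therefore matches every URL on
    # that server. Anchor the pattern (^...$) when you mean the whole resource value.
    resource_ok = re.search(resource_regexp, found.get(RESOURCE_ID, "")) is not None
    operation_ok = found.get(ACTION_ID) in allowed_operations
    user_ok = found.get(SUBJECT_ID) in allowed_users
    return "Permit" if resource_ok and operation_ok and user_ok else "Deny"


if __name__ == "__main__":
    req = build_request("admin", EXAMPLE_RESOURCE, "echoString")
    print(evaluate(req, "http://localhost:8280/", {"echoString"}, {"admin"}))  # Permit
```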