Wednesday, December 31, 2014

Use Case scenarios with WSO2 Identity Server 5.0.0 - Part 2

Hi All,

Today let's talk about database connectivity with WSO2 Identity Server. As you know, WSO2 Identity Server can be deployed over any LDAP, AD or JDBC user store. In fact, you can write a custom user store manager and connect to any legacy database.

WSO2 IS has the concept of a primary user store and secondary user stores. If you are to change the primary store, you have to change the configuration files and restart the server. But if you are going to add secondary stores, you can do this through the IS management console. This is some background information on the product.

Now, let's talk about a common use case scenario.

Say you need to connect the IS server to many databases. Clearly you can do this by connecting all of them as secondary user stores. Then, when a user tries to authenticate, the user is checked against all the connected databases.

Solution 1
-------------
If your user bases are located in different geographical locations, say you have three offices located in three countries and you need to connect the Identity Server to the three user databases located in those countries, what you can do is connect these databases as secondary user stores via VPN connections.

Solution 2
----------------
Another solution would be to have an Identity Server in each of these three countries, plus one central Identity Server to which users from the other three servers are provisioned, and against which the users are then authenticated.

Please check the following resource links for the implementation of these scenarios:

[1] https://docs.wso2.com/display/IS500/Working+with+User+Stores
[2] https://docs.wso2.com/display/IS500/Configuring+Primary+User+Stores
[3] https://docs.wso2.com/display/IS500/Configuring+Secondary+User+Stores
[4] https://docs.wso2.com/display/IS500/Identity+Provisioning+Concepts
[5] https://docs.wso2.com/display/IS500/Identity+Provisioning

Cheers! Last post for the year 2014... have a wonderful 2015 ahead... see you next year ;)

Tuesday, December 23, 2014

Product releases, and relevant information - WSO2

This is just a note for anyone who is looking for this information - not a fancy blog post :)
---------------------------------------------------------------------------------


Once a WSO2 product is released, the release related information is recorded in the release matrix [1]:

[1] http://wso2.com/products/carbon/release-matrix/

There you can refer to the relevant release dates, the released chunk, the relevant P2 repo link (for feature installations), the compatible Carbon version, and the platform.

If you click on a P2 repo link, it redirects you to the relevant P2 repo information and the link. We use this for feature installations on WSO2 products. For example, when you need to install the WSO2 Identity Server Key Manager features into WSO2 API-M, you can install those features into API-M using the relevant P2 repo link.

If you want to refer to the relevant source code for a particular release, you can check the chunk in which the product was released.

Normally, in the WSO2 svn, there are the following categories.

1) trunk  - normal development
2) branch - development getting ready for a release
3) tag    - once released, the product is available under the tag


If you want to look for the source code of a particular release, check under the relevant release tag for the chunk in which the product was released, then check for the relevant feature source code under components...

For example:

API-M 1.8.0 can be found under [1], and you can check the relevant source code for the API-M Store at [2].

[1] https://svn.wso2.org/repos/wso2/carbon/platform/tags/turing-chunk14/products/apimgt/1.8.0/
[2] https://svn.wso2.org/repos/wso2/carbon/platform/tags/turing-chunk14/components/apimgt/api-store-web/

Cheers..!!!

Friday, December 19, 2014

How to enable audit logs for WSO2 API-M

In API-M there are no audit logs enabled by default. If you consider IS, start up the server and log in as admin; under the [IS-HOME]/repository/logs folder you can see a file called audit.log.

But this is not the case with WSO2 API-M. Audit logs are not enabled by default in API-M; you have to enable them manually in the configuration files. This can be done in a few easy steps.

1) Download WSO2 API Manager
2) Then extract it to a folder
3) Go to the [API-M HOME]/repository/conf/log4j.properties file and add the following configuration for the log file

log4j.logger.AUDIT_LOG=INFO, AUDIT_LOGFILE


Then add the following set of configurations...

# Appender config to AUDIT_LOGFILE
log4j.appender.AUDIT_LOGFILE=org.apache.log4j.DailyRollingFileAppender
log4j.appender.AUDIT_LOGFILE.File=${carbon.home}/repository/logs/audit.log
log4j.appender.AUDIT_LOGFILE.Append=true
log4j.appender.AUDIT_LOGFILE.layout=org.wso2.carbon.utils.logging.TenantAwarePatternLayout
log4j.appender.AUDIT_LOGFILE.layout.ConversionPattern=[%d] %P%5p - %x %m %n
log4j.appender.AUDIT_LOGFILE.layout.TenantPattern=%U%@%D [%T] [%S]
log4j.appender.AUDIT_LOGFILE.threshold=INFO
log4j.additivity.AUDIT_LOG=false

4) Save the configurations and start the server

5) TA-DA now you have the audit logs in API-M :)

Thursday, December 18, 2014

Use cases with WSO2 IS 5.0.0 - Part 2 - User Provisioning - Part 1

Let's discuss a user provisioning use case with regard to the provisioning framework of WSO2 Identity Server 5.0.0.

With the introduction of the new Identity Server, there are a lot of provisioning capabilities available. There are three major concepts: inbound provisioning, outbound provisioning and Just-In-Time provisioning. Inbound provisioning means provisioning users and groups from an external system to IS. Outbound provisioning means provisioning users from IS to other external systems. JIT provisioning means that once a user tries to log in from an external IdP, a user can be created on the fly in IS. Please read this awesome blog post about the Provisioning framework of WSO2 Identity Server.

Now, let's take a sample scenario and talk about how provisioning would work using the provisioning capabilities of WSO2 IS.


The above diagram depicts a scenario where a user is provisioned from an external system (inbound provisioning), and in the same flow, once the user is provisioned to IS - A, this user is provisioned to other external systems like Google Apps, or another IS (outbound provisioning).

From an external system you can provision users with the SCIM or SPML connectors, and you can also use the SOAP admin services to add a user. Or else, if none of the above can be used, you can always write a custom provisioning connector and plug it into WSO2 Identity Server.

For provisioning users to external systems, there are OOTB connectors shipped with WSO2 IS, or you can always write a custom connector according to your requirements.

Let's talk about how to configure such a provisioning scenario in the next related post .....

Tuesday, December 16, 2014

Run Time Governance Use Case with WSO2 GREG and ESB - 1

Hi Y'all,

Long time... How are you all doing? It is Christmas time again.... Let's try to learn a run time governance scenario with WSO2 Governance Registry today..... :)

Let's start understanding the scenario with a diagram....


We can describe the above diagram as follows:

1. A custom security policy is uploaded via GREG.
2. GREG is mounted to the ESB.
3. A secured proxy is created applying the custom policy in the registry (referring to the policy in GREG).
4. The proxy is created for the service hosted in the application server.

Once the service is invoked via SoapUI, since the security policy is applied at the ESB, it refers to the policy in the Governance Registry at run time. Once the security policy is properly validated, the response is passed back to the invoking party.

In the next post let's talk about how to simply build up the above scenario......

Bye bye for now...:)

Tuesday, September 30, 2014

Creating a metadata file for WSO2 IS as SP in a federation scenario

In today's post I would like to share some tips that you will need while creating a metadata file to be used with WSO2 IS.

Use Case:

With WSO2 IS you have the capability of multiple federation. Some IdPs request a metadata file in order to register IS as a trusted SP. For this we need to generate a metadata file for IS, but auto-generation of the metadata file is not yet available with IS 5.0.0, hence we have to create it manually.

Following is a general metadata file for IS as SP (KeyDescriptor is placed before NameIDFormat and AssertionConsumerService, which is the element order the SAML metadata schema requires):

<EntityDescriptor entityID="carbonServer" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>
MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJV
UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoM
BFdTTzIxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAy
MTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UEAwwJbG9jYWxob3N0
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTousMzO
M4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe
0hseUdN5HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXn
RS4HrKGJTzxaCcU7OQIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcN
AQEFBQADgYEAW5wPR7cr1LAdq+IrR44iQlRG5ITCZXY9hI0PygLP2rHANh+PYfTm
xbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJRO4d1DeGHT/YnIjs9JogR
Kv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://localhost:9443/commonauth"/>
    </SPSSODescriptor>
</EntityDescriptor>

However, certain IdPs might request more details to be included in the metadata file. You can refer to the metadata standard specification at http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf . The X509 data in the above example metadata is the self-signed certificate of WSO2 Identity Server. In a production deployment, you might want to use your own certificate signed by a CA.

Therefore, if you want to extract the X509 information of your certificate, you can use the following command with the Java keytool (the -rfc option prints the certificate in PEM form; the X509Certificate element takes that base64 content without the BEGIN/END lines):

keytool -export -keystore pathToKeystore -rfc -alias aliasNameForCertificate

Also, you might want to sign the metadata file using different algorithms. A very cool tool that you can use for this is XmlSecTool, which has a lot of options.

You can check the tool at https://wiki.shibboleth.net/confluence/display/SHIB2/XmlSecTool#XmlSecToolSigningSAMLMetadata


Use the following command to sign the metadata file using the SHA256 algorithm (or another algorithm according to your requirement) after running the tool:

--sign --digest SHA256 --inFile metadata.xml --outFile signedmetadata.xml --referenceIdAttributeName ID --keystore keystore.jks --keystorePassword password --key keyname --keyPassword password
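The following Python script is added here and is not part of WSO2 IS or of the original post: it builds the EntityDescriptor shown above from an entityID, an ACS URL and the PEM that `keytool -export -rfc` prints, and reads a metadata document back to report what an IdP administrator checks before trusting it. The certificate bytes it embeds are a constructed placeholder; the entityID and ACS location used in the usage are the ones from this post.

```python
"""Build and sanity-check the SAML2 SP metadata that IS 5.0.0 cannot generate itself.

Added example, not WSO2 code.  build_sp_metadata() produces the EntityDescriptor
shown above from the entityID, the ACS URL and the PEM that `keytool -export -rfc`
prints; inspect_sp_metadata() reads a metadata document back and reports the
points an IdP administrator checks before registering the SP.
"""
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ET.register_namespace("", MD)
ET.register_namespace("ds", DS)

# Constructed placeholder for `keytool -export -rfc` output: a few DER-looking
# bytes, not a real certificate.  Paste your own exported PEM here instead.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(b"\x30\x82\x00\x10" + bytes(range(16))).decode()
              + "-----END CERTIFICATE-----\n")


def pem_to_x509_text(pem):
    """Drop the PEM armor and line breaks: ds:X509Certificate carries bare base64 DER."""
    lines = [ln.strip() for ln in pem.splitlines()]
    b64 = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    base64.b64decode(b64, validate=True)   # fail here rather than ship an undecodable blob
    return b64


def build_sp_metadata(entity_id, acs_url, cert_pem, name_id_format=UNSPECIFIED):
    """Return the EntityDescriptor for IS acting as SP, in schema element order."""
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor")   # KeyDescriptor comes first in the schema
    ki = ET.SubElement(kd, f"{{{DS}}}KeyInfo")
    x5 = ET.SubElement(ET.SubElement(ki, f"{{{DS}}}X509Data"), f"{{{DS}}}X509Certificate")
    x5.text = pem_to_x509_text(cert_pem)
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = name_id_format
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",
                  index="1", Binding=HTTP_POST, Location=acs_url)
    return ET.tostring(ed, encoding="unicode")


def inspect_sp_metadata(xml_text):
    """Summarise the trust-relevant facts of an SP metadata document, with warnings."""
    ed = ET.fromstring(xml_text)
    acs = ed.find(f"{{{MD}}}SPSSODescriptor/{{{MD}}}AssertionConsumerService")
    cert = ed.find(f".//{{{DS}}}X509Certificate")
    der = base64.b64decode("".join(cert.text.split())) if cert is not None and cert.text else b""
    report = {
        "entity_id": ed.get("entityID"),
        "acs_location": acs.get("Location") if acs is not None else None,
        "acs_binding": acs.get("Binding") if acs is not None else None,
        "signed": ed.find(f"{{{DS}}}Signature") is not None,
        "cert_is_der": der[:1] == b"\x30",   # DER certificates start with a SEQUENCE tag
        "warnings": [],
    }
    if not (report["acs_location"] or "").startswith("https://"):
        report["warnings"].append("ACS Location is not https; assertions would be posted in clear")
    if not report["signed"]:
        report["warnings"].append("metadata is unsigned; sign it (e.g. with XmlSecTool) "
                                  "or hand it to the IdP over a trusted channel")
    if not report["cert_is_der"]:
        report["warnings"].append("X509Certificate does not decode to a DER certificate")
    return report


if __name__ == "__main__":
    metadata = build_sp_metadata("carbonServer", "https://localhost:9443/commonauth", SAMPLE_PEM)
    print(metadata)
    print(inspect_sp_metadata(metadata))
```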

Thursday, June 26, 2014

Use Case scenarios with WSO2 Identity Server 5.0.0 - Part 1

Hi All,

Let's talk about a few use case scenarios with the new features of WSO2 IS 5.0.0

1. Use Case 1 - SAML2 Web browser based SSO

The above use case is explained in detail in the blog post SAML2 SSO with IS, with a sample demo.

2. Use Case 2 – SAML2 Web Browser based SSO + Google authenticator + JIT Provisioning

Let's try to understand the above scenario.

Think of this as an extended version of use case 1, which is an easy way to understand it.

As I explained in the post referred to in use case 1, the web app acts as the SP and IS acts as the IdP. Now think that we want to give access to the web app to users who are not in the IS user store; say these are a separate set of users. How do we tackle this with WSO2 IS?

WSO2 IS can be set up with the OOTB Google Authenticator feature so that any user who has a Google email account can log into the web app. So how does that work?

1. The user tries to log into the web app and is redirected to the IS login page.

2. Now an additional link is visible, so that, as explained in use case 1, users who are in the IS user store can log in, and users who are not in the IS user store are also given the option to log in using their Gmail account credentials.

3. When the user selects the link to be authenticated with the Google authenticator, he is redirected to the Gmail login page. (Here, the Google authenticator is registered as a trusted IdP for the web application and multiple login options are given for the web app - please refer to the blog post at GoogleOpenId for an example setup.)

4. The request that goes from IS to Gmail is an OpenID Connect request, and once the user is properly authenticated, an OpenID Connect response comes back to IS.

5. Now, in order to be able to access the web app, this user must be created in the IS user store, and this is done using Just In Time Provisioning, which is enabled for the Google Authenticator. Therefore, according to the response that comes from Gmail, a user is created in the user store (one-time user creation) with a default password.

6. And the user is given access to the web application.

3. Use Case 3 – Multiple IdP federation

Now let's extend use case 2 further to discuss the multiple IdP federation features of IS 5.0.0.

Think about a scenario where no users exist in the IS1 user store for a particular web app, but the users of this web app can be authenticated using Gmail or the IS2 IdP.

In IS1, the Google Authenticator and IS2 can be registered as trusted IdPs for IS1. And the web app can be configured to trust the above two IdPs.

Therefore, some users can use Gmail for authentication, some can use IS2, and some can use both.

There can be scenarios where, once authenticated, a user can access only some of the resources of the web app and IS2 users some other resources, depending on the authorization logic implemented in the web app.

See y'all!

SAML2 SSO with IS 5.0.0

Let's talk about the simple SAML2 SSO scenario with WSO2 IS 5.0.0 today.

A simple understanding of the concept can be grasped from the following diagram.

WSO2 IS provides SAML2 Web browser based SSO acting as IdP or SP. In the above scenario the web app is the service provider and IS is the identity provider. There is a pre-defined trust relationship built between the SP and the IdP when enabling SAML2 SSO.

How the above scenario works:

1. The web app is registered as a trusted SP in IS
2. The web app implements SAML2 SSO and talks to IS using the defined assertion consumer URL

NOTE: If authentication request / response signature validation is needed, the proper importing / exporting of certificates into the trust stores is required.

USE CASE SCENARIO
----------------------------------

1. The user comes and tries to log into the web app
2. SAML2 Web browser based SSO is configured for the web app with WSO2 IS
3. The user is redirected to the IS login page
4. The user enters the login credentials
5. If the user exists in the user store of the trusted IdP (IS), the user is allowed to log into the web app


DEMO
---------

Let's check how to quickly demo this using an example app and WSO2 IS.

Required:

1. Please download IS 5.0.0 from the product page
2. Check out the following sample travelocity app and build it using Maven

Configurations
--------------------

1. Take the .war file of the web app and deploy it on the Tomcat server (version 7)
2. Start up WSO2 IS
3. Now let's register the SP in IS
 A. Go to management console Main -> Service Providers -> Add
 B. Give a unique name for the SP and click on Register
 C. Then click on Inbound Authentication Configuration -> Configure
 D. Fill in the details as follows:



NOTE: you can change these properties according to what the SP expects. The properties for the web app can be found in the apache-tomcat-7.0.42\webapps\travelocity.com\WEB-INF\classes\travelocity.properties file

The information filled in for the above example is as follows:

Issuer :- travelocity.com
Assertion Consumer URL :- http://localhost:8080/travelocity.com/home.jsp
Use fully qualified username in the NameID :- TRUE
Enable SLO :- TRUE

Once configured, click on Update on the SAML2 config page as well as on the SP information page that comes next. And you are good to go.

Now paste the following URL in the browser: http://localhost:8080/travelocity.com/index.jsp
and click on SAML login, where you will be redirected to the IS login page. When you enter admin, admin (the default super user of IS), TADA, you are in :)




BYE BYE for now ;)

Sunday, February 9, 2014

Mutual SSL with WSO2 Enterprise Service Bus

Let's try to simply understand what Mutual SSL is

I hope the following diagram will draw a good image in your brain to understand this

-------------------------------------------------------------------------------------------------------


Okay, let's see what happens in each step of the SSL handshake:

(1) The client says hello and requests the server certificate
(2) The server says hello with its certificate

That is the first handshake that happens, but when you enable mutual SSL another handshake happens as well.

(3) The server says hello, requesting the client certificate
(4) The client says hello back with its certificate

ONCE BOTH PARTIES TRUST EACH OTHER, THEY ESTABLISH THE CONNECTION FOR FURTHER ACTIONS BETWEEN THE CLIENT AND THE SERVER.

Now let's look at what requirements should be completed in order for this to happen :)


(1) The client trust store should have the CA certificate / the server certificate, signed by the server's CA -

FOR THE CLIENT TO TRUST THE SERVER

(2) The server trust store should contain the CA certificate / the client certificate, signed by the client's CA -

FOR THE SERVER TO TRUST THE CLIENT

(3) The Certificate Authority that signed the certificates should be trusted by both parties


Now that you have an understanding of what mutual SSL is and what the requirements are, please have a look at the following important blog post by Asela on how to check the mutual SSL capability of the WSO2 ESB with an example Java client:

Enable Mutual SSL for Proxy services in WSO2ESB - I

Mutual SSL is also called two-way SSL :)

THANKS !

Connecting an external LDAP as the primary LDAP for WSO2 Identity Server

Hi All,

Today I am writing this blog to clear up some doubtful areas on the mentioned topic.

Let's see how to connect OpenLDAP as the primary LDAP for IS.

1) Download OpenLDAP for your O/S and install it according to the steps mentioned here. [INSTALLATION STEPS HERE FOR LINUX BASED SYSTEMS]

Special Note: Please save the configuration details somewhere you can access and remember :)

2) Connect to OpenLDAP via Apache Directory Studio.

3) Download WSO2 Identity Server.

Please note that you only have to change the configurations of two files in order to connect this LDAP as the primary one.

4) Now let's go and disable the embedded LDAP that comes OOTB with IS.

Go to [IS_HOME]/repository/conf/embedded-ldap.xml and set the following configuration.


<EmbeddedLDAP>
    <Property name="enable">false</Property>
    .......................
</EmbeddedLDAP>
5) Then go to IS_HOME/repository/conf/user-mgt.xml and disable the embedded LDAP by commenting out the UserStoreManager with class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager".
6) Select whether to connect to the external LDAP as Read / Write or Read only, and select the proper class setting.
Read / Write - class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager"
Read - class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager"
7) Follow the following detailed blog for the configuration settings of each of these classes according to your need; it describes the properties in detail.
8) Pay special attention to the following settings, because you need to match them to your newly created OpenLDAP in order to integrate properly.
<Property name="ConnectionURL">ldap://localhost:389</Property>
<Property name="ConnectionName">cn=admin,dc=wso2,dc=com</Property>
<Property name="ConnectionPassword">password</Property>
<Property name="UserSearchBase">ou=Users,dc=wso2qa,dc=com</Property>
<Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=com</Property>
<Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=com</Property>
9) Follow the following blog for the proper creation of users and groups in your LDAP.

LDAP - Apache Directory Studio: A Basic Tutorial
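As an added example (not WSO2 code), the Python check below parses the UserStoreManager block of user-mgt.xml, compares each search base against the domain suffix of the bind DN, and flags a plaintext ldap:// URL and a clear-text bind password. Run on a fragment constructed from the property values in step 8, it reports that UserSearchBase (dc=wso2qa) sits under a different suffix than the bind DN and the other entries (dc=wso2).

```python
"""Consistency check for the LDAP UserStoreManager block of user-mgt.xml.

Added example, not WSO2 code.  It reads every <UserStoreManager> in the file,
collects the properties the post says must match the OpenLDAP deployment and
reports what commonly breaks or weakens the integration: a search base whose
domain suffix differs from the bind DN's, a plaintext ldap:// URL, and a bind
password kept in clear text instead of a secure-vault secretAlias.
"""
import xml.etree.ElementTree as ET

# Constructed user-mgt.xml fragment built from the property values in the post.
SAMPLE_USER_MGT = """<UserManager><Realm>
  <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
    <Property name="ConnectionURL">ldap://localhost:389</Property>
    <Property name="ConnectionName">cn=admin,dc=wso2,dc=com</Property>
    <Property name="ConnectionPassword">password</Property>
    <Property name="UserSearchBase">ou=Users,dc=wso2qa,dc=com</Property>
    <Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=com</Property>
    <Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=com</Property>
  </UserStoreManager>
</Realm></UserManager>"""

SEARCH_BASES = ("UserSearchBase", "GroupSearchBase", "SharedGroupSearchBase")
VAULT = "<secure-vault>"   # marker for a value supplied through svns:secretAlias


def dc_suffix(dn):
    """Return the domain-component part of a DN in lower case, e.g. 'dc=wso2,dc=com'."""
    rdns = [r.strip().lower() for r in dn.split(",")]
    return ",".join(r for r in rdns if r.startswith("dc="))


def load_user_stores(xml_text):
    """Yield (class, {property name: value}) for every UserStoreManager element."""
    for usm in ET.fromstring(xml_text).iter("UserStoreManager"):
        props = {}
        for p in usm.findall("Property"):
            vaulted = any(a.endswith("secretAlias") for a in p.attrib)
            props[p.get("name")] = VAULT if vaulted else (p.text or "").strip()
        yield usm.get("class", ""), props


def check_ldap_store(cls, props):
    """Return findings (INFO/WARN/ERROR strings) for one LDAP user store."""
    short = cls.rsplit(".", 1)[-1]
    mode = "read-write" if "ReadWrite" in short else "read-only" if "ReadOnly" in short else "unknown"
    findings = [f"INFO  {short} connects the store {mode}"]

    url = props.get("ConnectionURL", "")
    if url.startswith("ldap://"):
        findings.append(f"WARN  ConnectionURL {url} is plaintext LDAP; the bind credentials "
                        "cross the network unencrypted unless the link itself is protected")
    elif not url.startswith("ldaps://"):
        findings.append(f"ERROR ConnectionURL {url!r} is neither ldap:// nor ldaps://")

    bind_suffix = dc_suffix(props.get("ConnectionName", ""))
    if not bind_suffix:
        findings.append("ERROR ConnectionName has no dc= components")
    for name in SEARCH_BASES:
        base = props.get(name)
        if base is None:
            findings.append(f"WARN  {name} is not set")
        elif dc_suffix(base) != bind_suffix:
            findings.append(f"ERROR {name} {base} is under {dc_suffix(base)} while the bind DN is "
                            f"under {bind_suffix}; mismatched suffixes usually mean a typo and empty lookups")

    if props.get("ConnectionPassword") not in ("", VAULT, None):
        findings.append("WARN  ConnectionPassword is stored in clear text; prefer a secure-vault secretAlias")
    return findings


def run_checks(xml_text):
    """Findings for every user store in a user-mgt.xml document."""
    return [f for cls, props in load_user_stores(xml_text) for f in check_ldap_store(cls, props)]


if __name__ == "__main__":
    print("\n".join(run_checks(SAMPLE_USER_MGT)))
```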

Hope the above helps anyone who is confused in this area.
Bye bye for now from Sri Lanka :)

Thursday, February 6, 2014

How to simply setup centralized logging with WSO2 Business Activity Monitor

Hi All,

Today let's look at the following simple problem:

We have two WSO2 products running in an environment. When we have to check event logs we have to separately log into those two products to check the relevant events. Say we have more products running; then we have to log in to all the product management consoles to achieve the same.

Simple Solution:

We can set up WSO2 BAM for centralized logging, so that when you log into the management console of WSO2 BAM, you can check the event logs of both / several WSO2 servers in your environment.

The following diagram will draw a clear picture of the solution
-------------------------------------------------------------------------------



Say in our sample scenario we have WSO2 IS and WSO2 ESB; we can save the event logs to the BAM Cassandra database, so that the logs are accessible from a central location.

Simple Steps to achieve the above:
-------------------------------------------

1. Go to the [IS HOME]/repository/conf/log4j.properties file and add LOGEVENT to the log4j.rootLogger as follows

log4j.rootLogger=INFO, CARBON_CONSOLE, CARBON_LOGFILE, CARBON_MEMORY, LOGEVENT


2. Then go to [IS HOME]/repository/conf/etc/logging-config.xml and set <archivedHost>hdfs://localhost:9000/</archivedHost>

3. Start the BAM server and then start the IS server. You can see the event logs for IS in BAM when you go to Home > Tools > Cassandra Explorer > Connect to Cluster > Explore Cluster

4. You can follow the same steps for ESB as well to set up the above scenario

Note:

Connect to Cassandra with the following details

Connection Url*   localhost:9160
User Name         admin
Password          admin


Please refer to the following detailed blog for in-depth details on centralized logging with BAM

How Distributed Logging Works in WSO2 Stratos.

Saturday, January 18, 2014

How to write a multiple Permit rule policy using WSO2 IS PAP simple policy editor - WSO2 IS 4.6.0

Hi All,

Today let's look at how to resolve the following simple problem scenario:

Problem:

Using WSO2 IS I want to give certain users access to a web service that I have exposed.

But the rule must be such that one particular user, "umesha", has READ rights only, while all the other users have READ, WRITE and DELETE rights.

How can I do this? Of course you might know that you can achieve this with a XACML policy to enable fine-grained authorization.

Another problem - I do not know how to write XACML policies :O

Solution:

Using the WSO2 IS Simple Policy Editor you can write a multiple-rule XACML policy, and you do not need to know XACML for this.
Any novice user can create their own policies with this feature of the WSO2 XACML engine :)

Now let's look at how to write this simple policy:

[You need to have WSO2 IS 4.6.0 downloaded and running]

1. Log in to the Identity Server Management Console

2. Go to Home > Entitlement > PAP > Policy Administration

3. And select Simple Policy Editor

4. Give the policy a name

5. Select what the policy is based on - Resource

6. Give the name of the resource

7. Then we focus on the first rule

We need to give "umesha" READ rights, and READ rights only.

Select the Child Resource / UserName under User

Give the user name as "umesha"

Give the Action as "READ"

8. Now click on the little plus sign to add the other rule

To give all the other users the READ, WRITE and DELETE actions:

fill in the selected UserName as "{^(?!umesha$).*}" - you should give this as a string regex

then give the actions as "READ | WRITE | DELETE"

9. Save the policy


The created policy will look as follows:


<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="SimplePolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
    <Target>
        <AnyOf>
            <AllOf>
                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">service</AttributeValue>
                    <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                </Match>
            </AllOf>
        </AnyOf>
    </Target>
    <Rule Effect="Permit" RuleId="Rule-1">
        <Target>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">READ</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Match>
                </AllOf>
            </AnyOf>
        </Target>
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
                <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">umesha</AttributeValue>
                <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Apply>
        </Condition>
    </Rule>
    <Rule Effect="Permit" RuleId="Rule-2">
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">WRITE</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">READ</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DELETE</AttributeValue>
                    </Apply>
                    <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                </Apply>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
                    <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"/>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^(?!umesha$).*</AttributeValue>
                    <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                </Apply>
            </Apply>
        </Condition>
    </Rule>
    <Rule Effect="Deny" RuleId="Deny-Rule"/>
</Policy>
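To see which decision the policy above actually yields for a given subject and action, the following added example (not WSO2 code; IS evaluates policies with its Balana PDP) implements just enough XACML 3.0 to run it: Target and Match evaluation, the six functions the policy uses, and first-applicable rule combining. The embedded policy is the one above with its whitespace collapsed; the request values (umesha, bob, umesha2) are constructed.

```python
"""Mini XACML 3.0 evaluator for the Simple Policy Editor output shown above.
Added example, not WSO2 code (IS decides with its Balana PDP): it implements only
the constructs this policy uses plus the first-applicable combining algorithm."""
import re
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
STR = "http://www.w3.org/2001/XMLSchema#string"
CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:"
CAT_SUB = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RES, ACT, SUB = (f"urn:oasis:names:tc:xacml:1.0:{p}" for p in
                 ("resource:resource-id", "action:action-id", "subject:subject-id"))

# The post's policy with its whitespace collapsed; elements, attributes and values are unchanged.
POLICY_XML = f"""<Policy xmlns="{NS}" PolicyId="SimplePolicy" Version="1.0"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 <Target><AnyOf><AllOf><Match MatchId="{FN}string-equal"><AttributeValue DataType="{STR}">service</AttributeValue>
  <AttributeDesignator AttributeId="{RES}" Category="{CAT}resource" DataType="{STR}" MustBePresent="true"/></Match></AllOf></AnyOf></Target>
 <Rule Effect="Permit" RuleId="Rule-1">
  <Target><AnyOf><AllOf><Match MatchId="{FN}string-equal"><AttributeValue DataType="{STR}">READ</AttributeValue>
   <AttributeDesignator AttributeId="{ACT}" Category="{CAT}action" DataType="{STR}" MustBePresent="true"/></Match></AllOf></AnyOf></Target>
  <Condition><Apply FunctionId="{FN}any-of"><Function FunctionId="{FN}string-equal"/><AttributeValue DataType="{STR}">umesha</AttributeValue>
   <AttributeDesignator AttributeId="{SUB}" Category="{CAT_SUB}" DataType="{STR}" MustBePresent="true"/></Apply></Condition></Rule>
 <Rule Effect="Permit" RuleId="Rule-2"><Condition><Apply FunctionId="{FN}and">
  <Apply FunctionId="{FN}string-at-least-one-member-of"><Apply FunctionId="{FN}string-bag">
   <AttributeValue DataType="{STR}">WRITE</AttributeValue><AttributeValue DataType="{STR}">READ</AttributeValue>
   <AttributeValue DataType="{STR}">DELETE</AttributeValue></Apply>
   <AttributeDesignator AttributeId="{ACT}" Category="{CAT}action" DataType="{STR}" MustBePresent="true"/></Apply>
  <Apply FunctionId="{FN}any-of"><Function FunctionId="{FN}string-regexp-match"/><AttributeValue DataType="{STR}">^(?!umesha$).*</AttributeValue>
   <AttributeDesignator AttributeId="{SUB}" Category="{CAT_SUB}" DataType="{STR}" MustBePresent="true"/></Apply>
 </Apply></Condition></Rule>
 <Rule Effect="Deny" RuleId="Deny-Rule"/>
</Policy>"""

PRIMITIVES = {"string-equal": lambda a, b: a == b,
              "string-regexp-match": lambda pattern, s: re.search(pattern, s) is not None}

def q(tag):
    return "{%s}%s" % (NS, tag)

def evaluate(node, req):
    """AttributeValue and AttributeDesignator yield a bag (list); Apply yields a bag or a bool."""
    if node.tag == q("AttributeValue"):
        return [node.text]
    if node.tag == q("AttributeDesignator"):
        return req.get(node.get("AttributeId"), [])   # empty bag when the request lacks it
    fn = node.get("FunctionId")[len(FN):]
    args = [evaluate(c, req) for c in node if c.tag != q("Function")]
    if fn == "string-bag":
        return [v for bag in args for v in bag]
    if fn == "and":
        return all(args)
    if fn == "string-at-least-one-member-of":
        return any(v in args[1] for v in args[0])
    if fn == "any-of":   # higher-order: <Function> names the primitive applied to the value and each bag element
        prim = PRIMITIVES[node.find(q("Function")).get("FunctionId")[len(FN):]]
        return any(prim(args[0][0], x) for x in args[1])
    raise NotImplementedError(fn)

def match_holds(match, req):
    """A Match holds when MatchId's function is true for some value of the designated attribute."""
    prim = PRIMITIVES[match.get("MatchId")[len(FN):]]
    bag = evaluate(match.find(q("AttributeDesignator")), req)
    return any(prim(match.find(q("AttributeValue")).text, x) for x in bag)

def target_matches(target, req):
    """No Target matches everything; each AnyOf needs one AllOf whose Matches all hold."""
    return target is None or all(any(all(match_holds(m, req) for m in all_of.findall(q("Match")))
                                     for all_of in any_of.findall(q("AllOf")))
                                 for any_of in target.findall(q("AnyOf")))

def decide(policy_xml, subject, action, resource="service"):
    """Permit, Deny or NotApplicable: the effect of the first rule whose Target and Condition hold."""
    req = {SUB: [subject], ACT: [action], RES: [resource]}
    policy = ET.fromstring(policy_xml)
    if not target_matches(policy.find(q("Target")), req):
        return "NotApplicable"
    for rule in policy.findall(q("Rule")):
        cond = rule.find(q("Condition"))
        if target_matches(rule.find(q("Target")), req) and (cond is None or evaluate(cond[0], req)):
            return rule.get("Effect")
    return "NotApplicable"
```

Because the combining algorithm is first-applicable, the Deny rule at the end only fires when neither Permit rule matched, which is why umesha gets Deny for WRITE while the regex lets every other subject (including umesha2) through.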