Saturday, January 18, 2014

How to write a multiple Permit rule policy using WSO2 IS PAP simple policy editor - WSO2 IS 4.6.0

Hi All,

Today let's look at how to resolve the following simple problem scenario :-

Problem :-

Using WSO2 IS, I want to give certain users access to a web service that I have exposed.

But the rule must be such that one particular user, "umesha", has only READ rights, while all the other users have READ, WRITE and DELETE rights.

How can I do this? Of course you might know that you can achieve this with a XACML policy to enable fine-grained authorization.

Another problem - I do not know how to write XACML policies :O

Solution :-

Using the WSO2 IS Simple Policy Editor you can write a multiple-rule XACML policy, and you do not need to know XACML for this.
With this feature of the WSO2 XACML engine, any novice user can create their own policies :)

Now let's look at how to write this simple policy :-

[You need to have WSO2 IS 4.6.0 downloaded and running]

1. Log in to the Identity Server Management Console

2. Go to Home > Entitlement > PAP > Policy Administration

3. Select Simple Policy Editor

4. Give the policy a name

5. Select what the policy is based on - Resource

6. Give the name of the resource (in the policy below it is "service")

7. Then we will focus on the first rule

We need to give "umesha" the READ rights and READ rights only.

Select the Child Resource / UserName under User

Give the user name as "umesha"

Give the Action as "READ"

8. Now click on the little plus sign to add the other rule

To give all the other users the READ, WRITE and DELETE actions:

fill in the UserName as "{^(?!umesha$).*}" - the curly braces mark the value as a string regex, which is why the generated policy below uses string-regexp-match with the braces stripped

then give the actions as "READ | WRITE | DELETE"

9. Save the policy 


The created policy will look as follows. Note that the rule-combining algorithm is first-applicable: Rule-1 permits "umesha" for READ, Rule-2 permits every other user for READ, WRITE or DELETE, and the final Deny-Rule denies any request that neither Permit rule matched:-


<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="SimplePolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">service</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule Effect="Permit" RuleId="Rule-1">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">READ</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">umesha</AttributeValue>
        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Permit" RuleId="Rule-2">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">WRITE</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">READ</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DELETE</AttributeValue>
          </Apply>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
          <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"/>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^(?!umesha$).*</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Deny" RuleId="Deny-Rule"/>
</Policy>
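To see how the generated policy actually decides, here is an added example (my own toy evaluator, not WSO2 or Balana code) that mirrors the SimplePolicy above rule for rule: the policy Target, Rule-1, Rule-2, the Deny-Rule and the first-applicable combining algorithm. It models only the XACML functions this policy uses (string-equal, any-of, string-regexp-match, string-at-least-one-member-of) and treats a missing MustBePresent attribute as an empty bag where a real PDP would return Indeterminate. The requests in it are constructed; the user names other than "umesha" are made up.

```python
# Added example (not WSO2/Balana code): a toy evaluator that mirrors the
# SimplePolicy above so the two Permit rules and the Deny fallback can be
# exercised offline. Only the XACML functions this policy uses are modelled.
import re

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Request attributes are bags (lists) keyed by the trailing part of the
# AttributeId used in the policy.
RESOURCE_ID, SUBJECT_ID, ACTION_ID = "resource-id", "subject-id", "action-id"


def string_equal(a, b):
    """urn:oasis:names:tc:xacml:1.0:function:string-equal"""
    return a == b


def string_regexp_match(pattern, value):
    """urn:oasis:names:tc:xacml:1.0:function:string-regexp-match

    The policy's pattern ^(?!umesha$).* carries its own anchor, so search()
    and fullmatch() give the same verdict for it.
    """
    return re.search(pattern, value) is not None


def any_of(fn, value, bag):
    """urn:oasis:names:tc:xacml:1.0:function:any-of: fn(value, x) for some x in bag."""
    return any(fn(value, x) for x in bag)


def string_at_least_one_member_of(bag_a, bag_b):
    """urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"""
    return any(x in bag_b for x in bag_a)


def policy_target(req):
    # <Target> of the Policy: resource-id string-equal "service"
    return any_of(string_equal, "service", req.get(RESOURCE_ID, []))


def rule_1(req):
    # Rule-1 (Permit): Target action-id == "READ", Condition subject-id == "umesha"
    target_ok = any_of(string_equal, "READ", req.get(ACTION_ID, []))
    condition_ok = any_of(string_equal, "umesha", req.get(SUBJECT_ID, []))
    return PERMIT if target_ok and condition_ok else NOT_APPLICABLE


def rule_2(req):
    # Rule-2 (Permit): no Target, so it applies to every request that reaches it.
    # Condition = and(string-at-least-one-member-of(string-bag(WRITE, READ, DELETE), action-id),
    #                 any-of(string-regexp-match, "^(?!umesha$).*", subject-id))
    actions_ok = string_at_least_one_member_of(["WRITE", "READ", "DELETE"], req.get(ACTION_ID, []))
    subject_ok = any_of(string_regexp_match, r"^(?!umesha$).*", req.get(SUBJECT_ID, []))
    return PERMIT if actions_ok and subject_ok else NOT_APPLICABLE


def deny_rule(req):
    # Deny-Rule: no Target and no Condition, so it always applies.
    return DENY


def evaluate(req):
    """first-applicable: the first rule whose Target and Condition hold decides.

    Simplification: a real PDP returns Indeterminate when a MustBePresent
    attribute is missing; this toy treats a missing attribute as an empty bag.
    """
    if not policy_target(req):
        return NOT_APPLICABLE
    for rule in (rule_1, rule_2, deny_rule):
        decision = rule(req)
        if decision != NOT_APPLICABLE:
            return decision
    return NOT_APPLICABLE


def request(subject, action, resource="service"):
    """Build a constructed request with single-valued attribute bags."""
    return {SUBJECT_ID: [subject], ACTION_ID: [action], RESOURCE_ID: [resource]}


if __name__ == "__main__":
    # Constructed sample requests; "bob" and "Umesha" are made-up subject ids.
    for subject, action in [("umesha", "READ"), ("umesha", "WRITE"), ("bob", "DELETE"),
                            ("bob", "EXECUTE"), ("Umesha", "DELETE")]:
        print(f"{subject:>7} {action:<7} -> {evaluate(request(subject, action))}")
```

Running it shows why the rule order matters: a WRITE from "umesha" misses Rule-1's READ target, fails Rule-2's regex, and falls through to the Deny-Rule, while any other user is permitted for the three listed actions and denied for anything else. The last sample request also shows a property of the negative-lookahead approach worth checking against how your PEP fills subject-id: the regex matches every string except the exact lowercase "umesha", so a differently cased identifier for the same account would receive the full rights of Rule-2.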