Ramón León

Reputation: 23

XACML selected role authorization example - XACML for RBAC

I'm using WSO2 Identity Server with XACML for authorization.

I have users with several roles in IS. The user must select one of them to enter the app. So I need to grant the user based only on one of all his roles.

I used port.getDecisionByAttributes(subject, resource, action, environment); of the EntitlementService to ask, via the SOAP WS, against the policy defined in XACML. The subject is the username. But it grants because it uses all of the user's roles.

Example:

When peter enters the app and selects rolenotgranted, he should not access the resource.

When peter enters the app and selects rolegranted, he should access the resource.

How do I define the XACML policy, and which method of the EntitlementService should I use?

Thank you

Upvotes: 0

Views: 441

Answers (2)

Ramón León

Reputation: 23

I finally met the requirements by passing the role in the subject arg of the getDecisionByAttributes method. WSO2 IS doesn't check whether this subject exists, so I can pass anything here and test it in the policy rule.

Upvotes: 0
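An XACML 3.0 policy of the kind the answer above describes, added here as an illustration (it is not the poster's policy). It assumes that WSO2 IS maps the subject argument of getDecisionByAttributes to the standard subject-id attribute, that the PEP passes the selected role name (rolegranted, from the question) as that argument, and that the protected resource is identified by the placeholder string http://example.org/app/protected-resource.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example policy, not from the original post.
     deny-unless-permit: anything that does not hit a Permit rule is denied. -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="selected-role-policy"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Description>Permit only when the role selected at login is rolegranted.</Description>
  <Target>
    <AnyOf>
      <AllOf>
        <!-- Placeholder resource id; replace with the real resource string passed by the PEP. -->
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://example.org/app/protected-resource</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                               Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="false"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule RuleId="permit-selected-role" Effect="Permit">
    <Target>
      <AnyOf>
        <AllOf>
          <!-- The subject argument carries the selected role, not the username (assumption). -->
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">rolegranted</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                 Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
  </Rule>
  <!-- No explicit Deny rule is needed: rolenotgranted matches no Permit rule and falls through to Deny. -->
</Policy>
```

Because the PDP does not verify that the subject string corresponds to a real user or role, the application must check that the role selected at login is one the user actually holds before calling the PDP; otherwise the policy grants whatever role name the caller supplies.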

Asela

Reputation: 5821

Actually, you need to write role-based XACML policies in the PDP. The Entitlement service method that you are using is fine. You can send the username in the XACML request and verify the user's roles using the user store (via PIP). I would like to suggest you go through this blog. It explains how you can write a role-based XACML policy in WSO2IS and use it properly.

Upvotes: 1
