Try out XACML policies with WSO2 Identity Server
WSO2 Identity Server (IS) ships with standards-based entitlement management. It provides fine-grained, policy-based access control via XACML and supports both the XACML 2.0 and XACML 3.0 specifications. Going one step further, it offers a friendly user interface for defining complex XACML policies in a simple way, together with a TryIt tool for seeing the effect of a policy. This is a great tool not only for checking that a policy behaves exactly as we expect, but also for learning XACML as a newcomer. The UI is self-explanatory and we can learn simply by playing with it. This note is for anyone who just needs to get going with it right away.
Once we start WSO2 IS, open the management console at its default URL, https://localhost:9443/carbon, and log in with the default credentials (user name admin, password admin), we are ready to go. Those defaults should of course be changed on any server that is reachable by anyone but us.
In the Main menu, click the link marked 1 in the figure, and we land on the page shown above. Here we see options to define policies, edit them, choose how policies are combined to reach the final decision (the policy combining algorithm), and a list of the available policies with their status in the system. With link 3 we can import XACML policies as XML files, and with link 2 we can define policies via the UI, which is easier. Once we click it, the following page is displayed.
With circle 4 we enable the policy for testing purposes, and with circle 5 the policy becomes active and takes part in the decisions made by the PDP (Policy Decision Point).
Here we have a few more options to use depending on the situation. The advanced view can be used to define complex rules that have conditions, obligations and so on. The XML view is there for those who prefer to write the policy XML directly, and the default simple view is for defining a simple policy.
Let's fill in the fields as we wish, enable the policy via circle 4, and have a look at how to try it out for its intended purpose. For that, click the TryIt link in the Main menu as in the following figure.
This lets us create a request to test the enabled XACML policy. Again, we can fill in the inputs here or use the editor to write the request in XML. Once we give the inputs and click create request, it shows us the request as text, as follows.
Now if we click test evaluate, this request is evaluated against the enabled policies; if we instead evaluate it with the PDP, the policies active in the PDP decide the response to the request, which will be as follows. Note that the two can differ: a policy that is enabled (circle 4) but not yet active in the PDP (circle 5) is only consulted by test evaluate, so a Permit from test evaluate does not mean the running PDP will permit the same request until the policy has been activated.
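To make the request/response behaviour concrete, here is an added example that is not code from this post or from WSO2: a tiny Python evaluator that mimics what TryIt does with a single XACML 3.0 policy. It parses a constructed policy (admins may read a hypothetical resource http://localhost/service/echo, every other request on that resource is denied) and a request built from the same three fields the TryIt form asks for, then returns Permit, Deny or NotApplicable. The resource URL, the policy id and the role attribute id http://wso2.org/claims/role are assumptions; only the string-equal match function and the first-applicable and deny-overrides rule-combining algorithms are implemented.

```python
"""Tiny XACML 3.0 evaluator (added example, not WSO2 code). Parses a Policy and a
Request given as XML strings and returns Permit, Deny or NotApplicable. Only the
string-equal match, AnyOf/AllOf targets and two rule-combining algorithms exist."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE_CLAIM = "http://wso2.org/claims/role"  # assumed attribute id carrying the role

# Constructed policy: admins may read the echo service; everything else on it is denied.
SAMPLE_POLICY = f"""<Policy xmlns="{NS}" PolicyId="echo-service-policy" Version="1.0"
        RuleCombiningAlgId="{FIRST_APPLICABLE}">
  <Target><AnyOf><AllOf><Match MatchId="{STRING_EQUAL}">
    <AttributeValue DataType="{XS_STRING}">http://localhost/service/echo</AttributeValue>
    <AttributeDesignator Category="{CAT_RESOURCE}" AttributeId="{RESOURCE_ID}"
        DataType="{XS_STRING}" MustBePresent="false"/>
  </Match></AllOf></AnyOf></Target>
  <Rule RuleId="permit-admin-read" Effect="Permit">
    <Target><AnyOf><AllOf>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">read</AttributeValue>
        <AttributeDesignator Category="{CAT_ACTION}" AttributeId="{ACTION_ID}"
            DataType="{XS_STRING}" MustBePresent="false"/>
      </Match>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">admin</AttributeValue>
        <AttributeDesignator Category="{CAT_SUBJECT}" AttributeId="{ROLE_CLAIM}"
            DataType="{XS_STRING}" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="deny-everything-else" Effect="Deny"/>
</Policy>"""


def q(tag):
    """Namespace-qualify a XACML element name for ElementTree lookups."""
    return f"{{{NS}}}{tag}"


def build_request(role, resource, action):
    """Build the kind of <Request> the TryIt form generates from role/resource/action."""
    def block(category, attr_id, value):
        return (f'<Attributes Category="{category}"><Attribute AttributeId="{attr_id}" '
                f'IncludeInResult="false"><AttributeValue DataType="{XS_STRING}">'
                f'{escape(value)}</AttributeValue></Attribute></Attributes>')
    return (f'<Request xmlns="{NS}" CombinedDecision="false" ReturnPolicyIdList="false">'
            + block(CAT_SUBJECT, ROLE_CLAIM, role) + block(CAT_RESOURCE, RESOURCE_ID, resource)
            + block(CAT_ACTION, ACTION_ID, action) + "</Request>")


def request_attributes(request_xml):
    """Flatten a request into {(category, attribute-id): [values]}."""
    found = {}
    for attrs in ET.fromstring(request_xml).findall(q("Attributes")):
        for attr in attrs.findall(q("Attribute")):
            key = (attrs.get("Category"), attr.get("AttributeId"))
            for val in attr.findall(q("AttributeValue")):
                found.setdefault(key, []).append(val.text or "")
    return found


def match_applies(match, attrs):
    """string-equal Match: true if the literal equals any value of the designated attribute."""
    if match.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(match.get("MatchId"))
    literal = match.find(q("AttributeValue")).text or ""
    des = match.find(q("AttributeDesignator"))
    return literal in attrs.get((des.get("Category"), des.get("AttributeId")), [])


def target_applies(target, attrs):
    """Target = AND over AnyOf; AnyOf = OR over AllOf; AllOf = AND over Match.
    A missing or empty Target matches every request (all() over nothing is True)."""
    if target is None:
        return True
    return all(any(all(match_applies(m, attrs) for m in allof.findall(q("Match")))
                   for allof in anyof.findall(q("AllOf")))
               for anyof in target.findall(q("AnyOf")))


def evaluate(policy_xml, request_xml):
    """Decision of one policy for one request, like TryIt's test evaluate for a single policy."""
    policy = ET.fromstring(policy_xml)
    attrs = request_attributes(request_xml)
    if not target_applies(policy.find(q("Target")), attrs):
        return "NotApplicable"  # the policy's Target does not cover this resource
    effects = [rule.get("Effect") for rule in policy.findall(q("Rule"))
               if target_applies(rule.find(q("Target")), attrs)]
    alg = policy.get("RuleCombiningAlgId")
    if alg == FIRST_APPLICABLE:
        return effects[0] if effects else "NotApplicable"
    if alg == DENY_OVERRIDES:
        return "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"
    raise NotImplementedError(alg)


if __name__ == "__main__":
    for role, action in (("admin", "read"), ("admin", "write"), ("guest", "read")):
        req = build_request(role, "http://localhost/service/echo", action)
        print(f"{role} {action}: {evaluate(SAMPLE_POLICY, req)}")
```

Running it gives Permit for admin/read, Deny for admin/write and guest/read, and NotApplicable for a request against any other resource, because the policy's own Target never matches. The point worth carrying back to the UI is the combining algorithm: evaluating the same policy with `SAMPLE_POLICY.replace(FIRST_APPLICABLE, DENY_OVERRIDES)` denies the admin too, since the catch-all Deny rule applies to every request and deny-overrides lets it win. The rule combining algorithm inside a policy, and the policy combining algorithm chosen on the administration page, change the outcome as much as the rules themselves do, which is exactly what TryIt lets us confirm before a policy goes live in the PDP.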
So defining XACML policies, and testing them for the intended use cases, has been made easy for us. Personally, for me this is a great learning tool for understanding XACML policy behaviour.
I hope this will be useful to someone learning the same as me.
You can find a series of XACML 2.0 policies at this blog.
I am hoping to add a series of XACML 3.0 policies in my next posts.