-1

Is it possible to download all (or a subset of) XACML policies/entitlements through the REST API?

  • I have found a link to retrieve all the entitlements [link](https://docs.wso2.com/display/IS530/Entitlement+with+REST+APIs), however the docs do not provide any examples, esp. for **/entitlements-all** – Lambda Koenig Jul 03 '17 at 15:42

2 Answers

0

Your question is very vague. You have to clarify.

XACML is a policy-based authorization solution. It does not maintain user entitlements directly per se. Instead of saying that Alice is a doctor and can do "viewMedicalRecord", a XACML policy states that

Doctors can view medical records

You then ask a Yes / No question e.g.

Can Alice view medical record #123?

Axiomatics provides 2 APIs (SOAP and REST) for that.

Reverse Querying

In addition to the binary approach, it is also possible to do a reverse query of the authorization policies. Rather than asking a Yes/No question, you can ask:

What can Alice do?

This API would let you generate and download entitlements from a XACML API.

David Brossard
  • Thanks for the reply! And sorry for being vague :(. The requirement is: there are distributed applications in my use case which can only send requests to their "local" PDPs (i.e. policy engines), hence the repositories. Having said that, those applications should not be sending requests to the WSO2 Identity Server. This is due to performance as well as policy management reasons. The bottom line is to have an exact snapshot of all the policies through REST or SOAP at the remote application side, and probably the required XACML configuration. – Lambda Koenig Jun 27 '17 at 14:28
  • ...as I am working on a publicly funded research project, I am bound to evaluate/deploy/test open source projects, which Axiomatics is not, though very promising. – Lambda Koenig Jun 27 '17 at 14:40
  • So you want access to the policies? I would argue it is a breach of the contract. Are policies sensitive? Not sensitive? Is it ok to share them? – David Brossard Jun 27 '17 at 15:40
  • No, the policies are not sensitive, nor is it a breach of contract. They are supposed to be shared within our infrastructure SP federation - so there is a domain of trust. – Lambda Koenig Jun 28 '17 at 08:50
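
The difference between the binary question and the reverse query described in the answer above, as an added example that is not part of the original thread and is not the Axiomatics or WSO2 API. The rule tuples, the subjects and all function names are constructed for illustration; only the deny-overrides combining idea is taken from XACML.

```python
from itertools import product

# Constructed attribute store: subject attributes live outside the policy.
SUBJECTS = {"alice": {"role": "doctor"}, "bob": {"role": "nurse"}}

# Constructed rules in the spirit of "Doctors can view medical records".
# Each rule: (effect, required role, action, resource type).
RULES = [
    ("Permit", "doctor", "view", "medical_record"),
    ("Permit", "doctor", "edit", "medical_record"),
    ("Permit", "doctor", "view", "psychiatric_note"),
    ("Permit", "nurse", "view", "medical_record"),
    ("Permit", "nurse", "view", "psychiatric_note"),
    ("Deny", "nurse", "view", "psychiatric_note"),
]


def decide(subject, action, resource_type):
    """Binary question: 'Can <subject> do <action> on <resource type>?'"""
    role = SUBJECTS.get(subject, {}).get("role")
    effects = {e for e, r, a, t in RULES if (r, a, t) == (role, action, resource_type)}
    if "Deny" in effects:  # deny-overrides: one matching Deny wins
        return "Deny"
    return "Permit" if effects else "NotApplicable"


def reverse_query(subject):
    """Reverse question: 'What can <subject> do?' Enumerates the request
    space spanned by the rules and keeps only the Permit decisions."""
    actions = sorted({a for _, _, a, _ in RULES})
    types = sorted({t for _, _, _, t in RULES})
    return [(a, t) for a, t in product(actions, types)
            if decide(subject, a, t) == "Permit"]


def entitlement_snapshot():
    """Entitlements for every known subject, e.g. to ship to a local PDP cache."""
    return {s: reverse_query(s) for s in sorted(SUBJECTS)}


if __name__ == "__main__":
    print(decide("alice", "view", "medical_record"))
    for subject, grants in entitlement_snapshot().items():
        print(subject, grants)
```

The snapshot is derived from the rules plus the subject attributes at the time it is computed, so a local copy goes stale whenever either changes.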
0

Here you can find the /entitlements-all REST API details

https://is.docs.wso2.com/en/latest/develop/entitlement-with-rest-apis/#get-all-entitlements

senthalan