Hi,

You can define userstore in XACML in the following format

<Rule Effect="Permit" RuleId="permit_by_userstores">
    <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                <AttributeDesignator AttributeId="http://wso2.org/identity/user/user-store-domain"
                    Category="http://wso2.org/identity/user"
                    DataType="http://www.w3.org/2001/XMLSchema#string"
                    MustBePresent="true">
                </AttributeDesignator>
            </Apply>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SECONDARY-USERSTORE</AttributeValue>
        </Apply>
    </Condition>
</Rule>


You can get more information on XACML in the blog at [1].

[1]
https://medium.com/@Pushpalanka/application-wise-authorization-wso2-identity-server-user-store-per-service-provider-dfea5f9ad758

On Tue, Dec 5, 2017 at 9:51 PM, Shanika Wickramasinghe <shani...@wso2.com>
wrote:

> Hi All,
> I am implementing scenario 30 in [1]
>
> By default user store admins can perform operations on users of other user
> stores. I want to write an XACML policy to restrict user admins to perform
> operations only on their own user store, and they should not be able to perform
> operations on other user stores. As an example consider the following
> scenario
>
> Eg:-  There are 2 JDBC secondary user stores as foo and bar. foo user
> store has a role with admin permissions as foo admin and bar userstore has
> a role with admin permissions as bar admin. foo admin should be able to
> delete a user in foo user store and bar admin should not be able to delete
> that user. Appreciate your guidance on the following questions
>
> 1. How to specify the action "delete user" in an XACML policy
> 2. How to give the user store on which that action should happen
> 3. How to call the PDP from the user store operation listener
>
>
> [1]. https://medium.facilelogin.com/thirty-solution-patterns-with-the-wso2-identity-server-16f9fd0c0389
>
> Thank you,
> Shanika.
> --
> *Shanika Wickramasinghe*
> Software Engineer - QA Team
>
> Email    : shani...@wso2.com
> Mobile  : +94713503563
> Web     : http://wso2.com
>
>



-- 
Denuwanthi De Silva
Senior Software Engineer;
WSO2 Inc.; http://wso2.com,
Email: denuwan...@wso2.com
Blog: https://denuwanthi.wordpress.com/
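As an added illustration (not code from the thread or from WSO2), a small Python evaluator for the rule quoted in the reply above: it implements only string-one-and-only and string-equal over a constructed request context, and shows that a missing MustBePresent attribute or a multi-valued user-store-domain bag yields Indeterminate rather than Permit.

```python
import xml.etree.ElementTree as ET

# Constructed, namespace-free copy of the rule quoted in the reply above.
RULE_XML = """
<Rule Effect="Permit" RuleId="permit_by_userstores">
  <Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
        <AttributeDesignator AttributeId="http://wso2.org/identity/user/user-store-domain"
            Category="http://wso2.org/identity/user"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
      </Apply>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SECONDARY-USERSTORE</AttributeValue>
    </Apply>
  </Condition>
</Rule>
"""
# Request context (constructed): dict keyed by (Category, AttributeId) -> bag of strings.
USER_STORE = ("http://wso2.org/identity/user", "http://wso2.org/identity/user/user-store-domain")

class Indeterminate(Exception):
    """Missing MustBePresent attribute, or a one-and-only bag whose size is not 1."""

def _eval(node, request):
    if node.tag == "AttributeValue":           # literal: a single string
        return node.text
    if node.tag == "AttributeDesignator":      # lookup: returns a bag (list)
        bag = request.get((node.get("Category"), node.get("AttributeId")), [])
        if not bag and node.get("MustBePresent") == "true":
            raise Indeterminate("required attribute missing from request")
        return bag
    if node.tag == "Apply":
        fn = node.get("FunctionId").rsplit(":", 1)[1]
        args = [_eval(child, request) for child in node]
        if fn == "string-one-and-only":
            if len(args[0]) != 1:
                raise Indeterminate(f"bag has {len(args[0])} values, need exactly 1")
            return args[0][0]
        if fn == "string-equal":
            return args[0] == args[1]
    raise NotImplementedError(node.tag)

def evaluate_rule(rule_xml, request):
    """Return 'Permit', 'NotApplicable' or 'Indeterminate' for one request context."""
    rule = ET.fromstring(rule_xml)
    try:
        matched = _eval(rule.find("Condition")[0], request)
    except Indeterminate:
        return "Indeterminate"      # the PDP fails closed, not open
    return rule.get("Effect") if matched else "NotApplicable"
```

The two Indeterminate cases are the ones to watch when the PIP cannot resolve the user-store domain: the rule does not grant access by accident, but the caller must treat Indeterminate as a deny.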
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev