You can create a custom listener by extending 'AbstractIdentityUserOperationEventListener'.

Our default provisioning listener is written in that way [1].
You can refer to that, create your custom listener, and override the method
from which you would like to invoke the XACML PDP.

You can invoke the PDP using our 'EntitlementService' API [2].
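The listener and PDP call described above, as an added example (not code from this thread or from WSO2). It assumes EntitlementService#getDecision(String) takes a XACML 3.0 request and returns the response document as a String (check this against the API in [2] for your IS version), that the listener is registered and enabled in identity.xml the way the default provisioning listener is, and that the action name it sends is one the policy's Target matches (the policy quoted further down matches "write"):

```java
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.identity.core.AbstractIdentityUserOperationEventListener;
import org.wso2.carbon.identity.entitlement.EntitlementService;
import org.wso2.carbon.user.core.UserCoreConstants;
import org.wso2.carbon.user.core.UserStoreException;
import org.wso2.carbon.user.core.UserStoreManager;

public class UserStoreScopedAdminListener extends AbstractIdentityUserOperationEventListener {
    private final EntitlementService pdp; // assumed: the OSGi EntitlementService, injected by the bundle
    public UserStoreScopedAdminListener(EntitlementService pdp) { this.pdp = pdp; }
    @Override public int getExecutionOrderId() { return 90; } // any free order id after the core listeners

    @Override
    public boolean doPreDeleteUser(String userName, UserStoreManager userStoreManager) throws UserStoreException {
        if (!isEnable()) { return true; }
        // The attributes the quoted policy designates: target user store domain and the caller's roles.
        String domain = userStoreManager.getRealmConfiguration()
                .getUserStoreProperty(UserCoreConstants.RealmConfig.PROPERTY_DOMAIN_NAME);
        String caller = CarbonContext.getThreadLocalCarbonContext().getUsername();
        String[] roles = userStoreManager.getRoleListOfUser(caller);
        try {
            // Only an explicit Permit passes; Deny, NotApplicable, Indeterminate and a PDP failure all block it.
            return pdp.getDecision(buildRequest("delete", domain, roles))
                    .contains("<Decision>Permit</Decision>");
        } catch (Exception e) {
            throw new UserStoreException("PDP evaluation failed; refusing to delete " + userName, e);
        }
    }

    // Builds a XACML 3.0 request with the categories and attribute ids the quoted policy uses.
    static String buildRequest(String action, String domain, String[] roles) {
        return "<Request xmlns=\"urn:oasis:names:tc:xacml:3.0:core:schema:wd-17\""
                + " CombinedDecision=\"false\" ReturnPolicyIdList=\"false\">"
                + attributes("http://wso2.org/identity/identity-action",
                        "http://wso2.org/identity/identity-action/action-name", action)
                + attributes("http://wso2.org/identity/user",
                        "http://wso2.org/identity/user/user-store-domain", domain)
                + attributes("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
                        "http://wso2.org/claims/role", roles)
                + "</Request>";
    }

    static String attributes(String category, String id, String... values) {
        StringBuilder sb = new StringBuilder("<Attributes Category=\"" + category + "\">"
                + "<Attribute AttributeId=\"" + id + "\" IncludeInResult=\"false\">");
        for (String v : values) { // escape so a crafted role or domain name cannot rewrite the request
            sb.append("<AttributeValue DataType=\"http://www.w3.org/2001/XMLSchema#string\">")
              .append(v.replace("&", "&amp;").replace("<", "&lt;")).append("</AttributeValue>");
        }
        return sb.append("</Attribute></Attributes>").toString();
    }
}
```

Because the quoted policy applies string-one-and-only to the role bag, a caller holding more than one role (WSO2 users normally also carry Internal/everyone) makes that rule Indeterminate, which deny-unless-permit turns into Deny; testing the role with string-is-in over the bag avoids that.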

[1] https://github.com/wso2/carbon-identity-framework/blob/master/components/provisioning/org.wso2.carbon.identity.provisioning/src/main/java/org/wso2/carbon/identity/provisioning/listener/DefaultInboundUserProvisioningListener.java#L51
[2] https://docs.wso2.com/display/IS530/Entitlement+with+APIs

Thanks,

On Wed, Dec 6, 2017 at 12:41 PM, Shanika Wickramasinghe <shani...@wso2.com>
wrote:

> Hi,
>
> Thank you for the clarification. This is the procedure that I followed.
>
> 1. Created a JDBC user store as JDBC1 and created a user and assigned a
> role as admin1 by giving admin permissions from the permission tree
> 2. Created another JDBC user store as JDBC2 and created a user and
> assigned a role as admin2 by giving admin permissions from the permission
> tree
> 3. Created an XACML policy as follows to allow write actions on JDBC1 for
> admin1 and restrict others
>
>
> <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
>         PolicyId="abc"
>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"
>         Version="1.0">
>    <Description>This is a policy to restrict admins operations on user stores</Description>
>    <Target>
>       <AnyOf>
>          <AllOf>
>             <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
>                <AttributeDesignator AttributeId="http://wso2.org/identity/identity-action/action-name"
>                                     Category="http://wso2.org/identity/identity-action"
>                                     DataType="http://www.w3.org/2001/XMLSchema#string"
>                                     MustBePresent="false"></AttributeDesignator>
>             </Match>
>             <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">JDBC1</AttributeValue>
>                <AttributeDesignator AttributeId="http://wso2.org/identity/user/user-store-domain"
>                                     Category="http://wso2.org/identity/user"
>                                     DataType="http://www.w3.org/2001/XMLSchema#string"
>                                     MustBePresent="true"></AttributeDesignator>
>             </Match>
>          </AllOf>
>       </AnyOf>
>    </Target>
>    <Rule Effect="Permit" RuleId="permit_by_userstores">
>       <Condition>
>          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
>                   <AttributeDesignator AttributeId="http://wso2.org/claims/role"
>                                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>                                        DataType="http://www.w3.org/2001/XMLSchema#string"
>                                        MustBePresent="true"></AttributeDesignator>
>                </Apply>
>                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin1</AttributeValue>
>             </Apply>
>          </Apply>
>       </Condition>
>    </Rule>
>    <Rule Effect="Deny" RuleId="deny_others"></Rule>
> </Policy>
>
> Is the process that I followed correct according to scenario 30 in [2]?
> Correct me if I am wrong.
>
>
> Also, as my scenario 30 [2] asks to create a user store operation
> listener to talk to the XACML PDP, I am not clear on how to do this using [1].
> Appreciate any guidance on this.
>
>
> [1]. https://docs.wso2.com/display/IS540/User+Store+Listeners
> [2]. https://medium.facilelogin.com/thirty-solution-patterns-with-the-wso2-identity-server-16f9fd0c0389
> [3]. actions.png
>
> Thank you,
> Shanika.
>
>
> On Wed, Dec 6, 2017 at 9:42 AM, Denuwanthi De Silva <denuwan...@wso2.com>
> wrote:
>
>> Hi,
>>
>> You can define the user store in XACML in the following format:
>>
>> <Rule Effect="Permit" RuleId="permit_by_userstores">
>>     <Condition>
>>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
>>                 <AttributeDesignator AttributeId="http://wso2.org/identity/user/user-store-domain"
>>                                      Category="http://wso2.org/identity/user"
>>                                      DataType="http://www.w3.org/2001/XMLSchema#string"
>>                                      MustBePresent="true">
>>                 </AttributeDesignator>
>>             </Apply>
>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SECONDARY-USERSTORE</AttributeValue>
>>         </Apply>
>>     </Condition>
>> </Rule>
>>
>>
>> You can get more information on XACML in the blog post [1].
>>
>> [1] https://medium.com/@Pushpalanka/application-wise-authorization-wso2-identity-server-user-store-per-service-provider-dfea5f9ad758
>>
>> On Tue, Dec 5, 2017 at 9:51 PM, Shanika Wickramasinghe <shani...@wso2.com> wrote:
>>
>>> Hi All,
>>> I am implementing scenario 30 in [1].
>>>
>>> By default, user store admins can perform operations on users of other
>>> user stores. I want to write an XACML policy to restrict user store admins to
>>> performing operations only on their own user store; they should not be able to
>>> perform operations on other user stores. As an example, consider the
>>> following scenario.
>>>
>>> Eg:-  There are 2 JDBC secondary user stores, foo and bar. The foo user
>>> store has a role with admin permissions, foo admin, and the bar user store has
>>> a role with admin permissions, bar admin. foo admin should be able to
>>> delete a user in the foo user store and bar admin should not be able to delete
>>> that user. Appreciate your guidance on the following questions:
>>>
>>> 1. How to specify the action "delete user" in an XACML policy
>>> 2. How to give the user store on which that action should happen
>>> 3. How to call the PDP from the user store operation listener
>>>
>>>
>>> [1]. https://medium.facilelogin.com/thirty-solution-patterns-with-the-wso2-identity-server-16f9fd0c0389
>>>
>>> Thank you,
>>> Shanika.
>>> --
>>> *Shanika Wickramasinghe*
>>> Software Engineer - QA Team
>>>
>>> Email    : shani...@wso2.com
>>> Mobile  : +94713503563
>>> Web     : http://wso2.com
>>>
>>
>>
>>
>> --
>> Denuwanthi De Silva
>> Senior Software Engineer;
>> WSO2 Inc.; http://wso2.com,
>> Email: denuwan...@wso2.com
>> Blog: https://denuwanthi.wordpress.com/
>>
>
>
>
>
-- 
Denuwanthi De Silva
Senior Software Engineer;
WSO2 Inc.; http://wso2.com,
Email: denuwan...@wso2.com
Blog: https://denuwanthi.wordpress.com/
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
