Re: [Dev] How to Write a XACML policy to restrict user admin operations on user stores

2017-12-06 Thread Denuwanthi De Silva
You can create a custom listener by extending 'AbstractIdentityUserOperationEventListener'.

Our default provisioning listener is written in that way [1].
You can refer to that, create your custom listener, and override the method
from which you would like to invoke the XACML PDP.

You can invoke the PDP using our 'EntitlementService' API [2].

[1]
https://github.com/wso2/carbon-identity-framework/blob/master/components/provisioning/org.wso2.carbon.identity.provisioning/src/main/java/org/wso2/carbon/identity/provisioning/listener/DefaultInboundUserProvisioningListener.java#L51
[2] https://docs.wso2.com/display/IS530/Entitlement+with+APIs

Thanks,

On Wed, Dec 6, 2017 at 12:41 PM, Shanika Wickramasinghe 
wrote:

> Hi,
>
> Thank you for the clarification. This is the procedure that I followed.
>
> 1. Created a JDBC user store as JDBC1, created a user and assigned a
> role, admin1, by giving admin permissions from the permission tree.
> 2. Created another JDBC user store as JDBC2, created a user and
> assigned a role, admin2, by giving admin permissions from the permission
> tree.
> 3. Created a XACML policy as follows to allow write actions on JDBC1 for
> admin1 and restrict others.
>
>
> <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
>         PolicyId="abc"
>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"
>         Version="1.0">
>    <Description>This is a policy to restrict admins operations on user stores</Description>
>    <Target>
>       <AnyOf>
>          <AllOf>
>             <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
>                <AttributeDesignator AttributeId="http://wso2.org/identity/identity-action/action-name"
>                                     Category="http://wso2.org/identity/identity-action"
>                                     DataType="http://www.w3.org/2001/XMLSchema#string"
>                                     MustBePresent="false"/>
>             </Match>
>             <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">JDBC1</AttributeValue>
>                <AttributeDesignator AttributeId="http://wso2.org/identity/user/user-store-domain"
>                                     Category="http://wso2.org/identity/user"
>                                     DataType="http://www.w3.org/2001/XMLSchema#string"
>                                     MustBePresent="true"/>
>             </Match>
>          </AllOf>
>       </AnyOf>
>    </Target>
>    <!-- The Rule start tag was lost in the mail archive: RuleId is a placeholder and
>         Effect="Permit" is inferred from the deny-unless-permit combining algorithm. -->
>    <Rule RuleId="RULE-ID-NOT-PRESERVED" Effect="Permit">
>       <Condition>
>          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
>                <AttributeDesignator AttributeId="http://wso2.org/claims/role"
>                                     Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>                                     DataType="http://www.w3.org/2001/XMLSchema#string"
>                                     MustBePresent="true"/>
>             </Apply>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin1</AttributeValue>
>          </Apply>
>       </Condition>
>    </Rule>
> </Policy>
>
> Is the process that I followed correct according to scenario 30 in [2]?
> Correct me if I am wrong.
>
>
> Also, as scenario 30 [2] asks to create a user store operation
> listener to talk to the XACML PDP, I am not clear on how to do this using [1].
> Appreciate any guidance on this.
>
>
> [1]. https://docs.wso2.com/display/IS540/User+Store+Listeners
> [2]. https://medium.facilelogin.com/thirty-solution-patterns-with-the-wso2-identity-server-16f9fd0c0389
> [3]. actions.png
>
> Thank you,
> Shanika.
>
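The listener Denuwanthi describes above (extend 'AbstractIdentityUserOperationEventListener', override the hook, call the PDP through 'EntitlementService'), written out as an added example. It is not code from this thread or from the WSO2 code base. It sends the PDP the same three attributes the policy in this thread evaluates: the caller's roles under the access-subject category, the action name under http://wso2.org/identity/identity-action, and the target user store under http://wso2.org/identity/user (the user-store-domain attribute from Denuwanthi's earlier reply). Assumptions: the class and package names, the action strings "delete" and "write" (the policy must use the same strings), the execution order id, that 'EntitlementService' can be constructed directly and exposes 'getDecision(String)', that 'getRoleListOfUser' routes a domain-qualified caller to its own store, and the regex used to read the Decision element.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.identity.core.AbstractIdentityUserOperationEventListener;
import org.wso2.carbon.identity.entitlement.EntitlementService;
import org.wso2.carbon.user.core.UserCoreConstants;
import org.wso2.carbon.user.core.UserStoreException;
import org.wso2.carbon.user.core.UserStoreManager;

/**
 * Hypothetical listener (added example): asks the XACML PDP whether the logged-in
 * administrator may act on the user store an operation targets. It fails closed:
 * anything other than an explicit Permit blocks the operation.
 */
public class UserStoreXacmlListener extends AbstractIdentityUserOperationEventListener {

    private static final String XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17";
    private static final String XS_STRING = "http://www.w3.org/2001/XMLSchema#string";
    private static final Pattern DECISION = Pattern.compile("<Decision>\\s*(\\w+)\\s*</Decision>");

    // Assumption: the entitlement admin service is constructed directly here;
    // inside an OSGi bundle you would obtain it from the service registry instead.
    private final EntitlementService entitlementService = new EntitlementService();

    @Override
    public int getExecutionOrderId() {
        return 1500; // arbitrary; only orders this listener relative to the others
    }

    // "delete" and "write" are assumed action names; the policy must match the same strings.
    @Override
    public boolean doPreDeleteUser(String userName, UserStoreManager userStoreManager)
            throws UserStoreException {
        return isPermitted("delete", userStoreManager);
    }

    @Override
    public boolean doPreAddUser(String userName, Object credential, String[] roleList,
                                Map<String, String> claims, String profile,
                                UserStoreManager userStoreManager) throws UserStoreException {
        return isPermitted("write", userStoreManager);
    }

    private boolean isPermitted(String action, UserStoreManager userStoreManager)
            throws UserStoreException {
        // The store the operation targets is the DomainName property of the
        // UserStoreManager the framework handed us (null for the PRIMARY store).
        String domain = userStoreManager.getRealmConfiguration()
                .getUserStoreProperty(UserCoreConstants.RealmConfig.PROPERTY_DOMAIN_NAME);
        if (domain == null) {
            domain = UserCoreConstants.PRIMARY_DEFAULT_DOMAIN_NAME;
        }
        // The actor is the authenticated caller, not the user being modified.
        String actor = CarbonContext.getThreadLocalCarbonContext().getUsername();
        if (actor == null) {
            return false; // no authenticated caller: fail closed
        }
        // Assumption: getRoleListOfUser routes a domain-qualified actor to its own store.
        String[] roles = userStoreManager.getRoleListOfUser(actor);
        String response;
        try {
            response = entitlementService.getDecision(buildRequest(actor, roles, action, domain));
        } catch (Exception e) {
            throw new UserStoreException("PDP call failed for " + action + " on " + domain, e);
        }
        Matcher m = DECISION.matcher(response);
        if (!(m.find() && "Permit".equals(m.group(1)))) {
            // Deny, NotApplicable and Indeterminate all block the operation.
            throw new UserStoreException(actor + " is not permitted to " + action
                    + " users in user store " + domain);
        }
        return true;
    }

    // Builds the XACML 3.0 request for the policy in this thread. Caveat: a
    // string-one-and-only condition on the role claim yields Indeterminate when the
    // caller holds more than one role, which deny-unless-permit turns into Deny.
    static String buildRequest(String actor, String[] roles, String action, String domain) {
        StringBuilder sb = new StringBuilder()
                .append("<Request xmlns=\"").append(XACML_NS)
                .append("\" CombinedDecision=\"false\" ReturnPolicyIdList=\"false\">")
                .append("<Attributes Category=\"urn:oasis:names:tc:xacml:1.0:subject-category:access-subject\">")
                .append(attribute("urn:oasis:names:tc:xacml:1.0:subject:subject-id", actor));
        for (String role : roles) {
            sb.append(attribute("http://wso2.org/claims/role", role));
        }
        sb.append("</Attributes>")
          .append("<Attributes Category=\"http://wso2.org/identity/identity-action\">")
          .append(attribute("http://wso2.org/identity/identity-action/action-name", action))
          .append("</Attributes>")
          .append("<Attributes Category=\"http://wso2.org/identity/user\">")
          .append(attribute("http://wso2.org/identity/user/user-store-domain", domain))
          .append("</Attributes></Request>");
        return sb.toString();
    }

    private static String attribute(String id, String value) {
        return "<Attribute AttributeId=\"" + id + "\" IncludeInResult=\"false\"><AttributeValue DataType=\""
                + XS_STRING + "\">" + escapeXml(value) + "</AttributeValue></Attribute>";
    }

    // User and domain names are caller-influenced; escape them so they cannot
    // inject extra elements into the request document sent to the PDP.
    private static String escapeXml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```

Register the class the way [1] in Shanika's mail describes for user store listeners; which hooks you override decides which operations are gated, and every hook should map to an action name that a rule in the policy actually matches, otherwise the deny-unless-permit algorithm blocks that operation for everyone.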

Re: [Dev] How to Write a XACML policy to restrict user admin operations on user stores

2017-12-05 Thread Denuwanthi De Silva
Hi,

You can define the user store in a XACML policy in the following format:

<Target>
   <AnyOf>
      <AllOf>
         <!-- The Match start tag was lost in the mail archive; string-equal is assumed,
              and AttributeValue is placed before AttributeDesignator as the XACML 3.0
              schema requires. -->
         <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SECONDARY-USERSTORE</AttributeValue>
            <AttributeDesignator AttributeId="http://wso2.org/identity/user/user-store-domain"
                                 Category="http://wso2.org/identity/user"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="true"/>
         </Match>
      </AllOf>
   </AnyOf>
</Target>

You can get more information on XACML in blog [1].

[1]
https://medium.com/@Pushpalanka/application-wise-authorization-wso2-identity-server-user-store-per-service-provider-dfea5f9ad758

On Tue, Dec 5, 2017 at 9:51 PM, Shanika Wickramasinghe 
wrote:

> Hi All,
> I am implementing scenario 30 in [1].
>
> By default, user store admins can perform operations on users of other user
> stores. I want to write a XACML policy to restrict user admins to perform
> operations only on their own user store; they should not be able to perform
> operations on other user stores. As an example, consider the following
> scenario:
>
> Eg:- There are 2 JDBC secondary user stores, foo and bar. The foo user
> store has a role with admin permissions, foo admin, and the bar user store has
> a role with admin permissions, bar admin. foo admin should be able to
> delete a user in the foo user store and bar admin should not be able to delete
> that user. Appreciate your guidance on the following questions:
>
> 1. How to specify the action "delete user" in a XACML policy
> 2. How to give the user store on which that action should happen
> 3. How to call the PDP from the user store operation listener
>
>
> [1]. https://medium.facilelogin.com/thirty-solution-patterns-with-the-wso2-identity-server-16f9fd0c0389
>
> Thank you,
> Shanika.
> --
> *Shanika Wickramasinghe*
> Software Engineer - QA Team
>
> Email: shani...@wso2.com
> Mobile : +94713503563
> Web : http://wso2.com
>
> 
>



-- 
Denuwanthi De Silva
Senior Software Engineer;
WSO2 Inc.; http://wso2.com,
Email: denuwan...@wso2.com
Blog: https://denuwanthi.wordpress.com/
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev