Exporting to XACML

AM only exports a policy set that contains policy definitions. No other element types, such as sub-policy sets or rules, can be included in the policy set. The exported policy set maps to XACML 3.0 policy set elements as follows:

AM                                           XACML
-------------------------------------------  -----------------------------
Realm:<timestamp> (yyyy.MM.dd.HH.mm.ss.SSS)  PolicySet ID
Current Time (yyyy.MM.dd.HH.mm.ss.SSS)       Version
Deny Overrides                               Policy Combining Algorithm ID
No targets defined                           Target

When exporting AM policies to XACML 3.0 policy sets, AM maps its policies to XACML 3.0 policy elements.

AM Policy                                         XACML Policy
------------------------------------------------  -----------------------------------
Policy Name                                       Policy ID
Description                                       Description
Current Time (yyyy.MM.dd.HH.mm.ss.SSS)            Version
xacml rule target                                 entitlement excluded resource names
Rule Deny Overrides                               Rule Combining Algorithm ID
Any of:                                           Target
  • Entitlement Subject
  • Resource Names
  • Policy Set Names
  • Action Values
Any of:                                           Variable Definitions
  • Policy Set Name
  • Entitlement Name
  • Privilege Created By
  • Privilege Modified By
  • Privilege Creation Date
  • Privilege Last Modification Date
Single Level Permit/Deny Actions converted to     Rules
Policy Rules

Note

XACML obligations are not supported. Also, only one XACML match is defined for each privilege action, and only one XACML rule for each privilege action value.

You can export policies to XACML in the following ways:

To Export Policies in XACML Format (UI)
  • In the AM console, go to Realms > Realm Name > Authorization > Policy Sets, and then select Export Policy Sets.

    All policy sets, and the policies within them, are exported in XACML format.

To Export Policies in XACML Format (REST)

The export service is accessible through an HTTP GET request to the /xacml/policies endpoint, at one of the following URLs for the root realm or for a specific realm:

https://openam.example.com:8443/openam/xacml/policies
https://openam.example.com:8443/openam/xacml/{realm}/policies

where {realm} is the name of a specific realm.

Tip

You can filter your XACML exports using query search filters. See "To Export Policies in XACML Format with Search Filters (REST)".

  • Use the /xacml/policies endpoint to export the AM entitlement policies into XACML 3.0 format. The following curl command exports the policies and returns the XACML response (truncated for display purposes).

    $ curl \
    --request GET \
    --header "iPlanetDirectoryPro: AQIC5..." \
    "https://openam.example.com:8443/openam/xacml/policies"
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
     PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
     Version="2014.10.08.21.59.39.231" PolicySetId="/:2014.10.08.21.59.39.231">
     <Target/>
     <Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
      Version="2014.10.08.18.01.03.626"
      PolicyId="Rockshop_Checkout_https://forgerock-rockshop.openrock.org:443/wp-login.php*?*">
      ...
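
    As an added example (not AM's own code and not the page's output), the following Python parses a response of the shape shown above and checks it against the mapping tables earlier on this page: PolicySetId is realm:timestamp, both Version attributes are yyyy.MM.dd.HH.mm.ss.SSS timestamps, the combining algorithms are deny-overrides, the policy set Target is empty, and each policy carries Permit/Deny rules. The embedded sample document is constructed to match that shape; its policy ID, description, variable and rule names are invented.

```python
"""Parse an AM XACML 3.0 export and check it against the element mapping above.

Added example, not code from AM or its documentation. SAMPLE_EXPORT is a
constructed document that follows the shape of AM's response; its policy ID,
description, variable and rule names are made up.
"""
import re
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}

# AM writes Version (policy set and policy) as a yyyy.MM.dd.HH.mm.ss.SSS
# timestamp and PolicySetId as "<realm>:<timestamp>".
TIMESTAMP_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}\.\d{2}\.\d{2}\.\d{2}\.\d{3}$")

# Constructed sample: a root-realm policy set holding one policy whose two
# single-level actions became a Permit rule and a Deny rule.
SAMPLE_EXPORT = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
 PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
 Version="2014.10.08.21.59.39.231" PolicySetId="/:2014.10.08.21.59.39.231">
 <Target/>
 <Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
  Version="2014.10.08.18.01.03.626"
  PolicyId="SamplePolicySet_sample-policy">
  <Description>Constructed sample policy</Description>
  <Target/>
  <VariableDefinition VariableId="sample.variable">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">x</AttributeValue>
  </VariableDefinition>
  <Rule RuleId="GET:permit" Effect="Permit"><Target/></Rule>
  <Rule RuleId="POST:deny" Effect="Deny"><Target/></Rule>
 </Policy>
</PolicySet>
"""


def parse_policy_set(xml_text):
    """Pull the mapped elements out of an export: realm and timestamp from
    PolicySetId, the combining algorithms, and each Policy's ID, version,
    description, variable definitions and (RuleId, Effect) pairs."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{XACML_NS}}}PolicySet":
        raise ValueError("root element is not a XACML 3.0 PolicySet")
    realm, _, stamp = root.get("PolicySetId", "").rpartition(":")
    target = root.find("x:Target", NS)
    policies = []
    for pol in root.findall("x:Policy", NS):
        desc = pol.find("x:Description", NS)
        policies.append({
            "policy_id": pol.get("PolicyId"),
            "version": pol.get("Version", ""),
            "rule_combining_alg": pol.get("RuleCombiningAlgId", ""),
            "description": None if desc is None else desc.text,
            "variables": [v.get("VariableId") for v in pol.findall("x:VariableDefinition", NS)],
            "rules": [(r.get("RuleId"), r.get("Effect")) for r in pol.findall("x:Rule", NS)],
        })
    return {
        "realm": realm,
        "policy_set_timestamp": stamp,
        "version": root.get("Version", ""),
        "policy_combining_alg": root.get("PolicyCombiningAlgId", ""),
        "target_has_matches": target is not None and len(target) > 0,
        "policies": policies,
    }


def audit_export(xml_text):
    """Return findings where the export deviates from the mapping described
    above; an empty list means the export looks as AM documents it."""
    ps = parse_policy_set(xml_text)
    findings = []
    if not TIMESTAMP_RE.match(ps["version"]):
        findings.append("PolicySet Version is not a yyyy.MM.dd.HH.mm.ss.SSS timestamp")
    if not TIMESTAMP_RE.match(ps["policy_set_timestamp"]):
        findings.append("PolicySetId does not end in a timestamp")
    if not ps["policy_combining_alg"].endswith(":deny-overrides"):
        findings.append("PolicySet does not use deny-overrides")
    if ps["target_has_matches"]:
        findings.append("PolicySet Target is not empty (AM defines no targets)")
    if not ps["policies"]:
        findings.append("export contains no Policy elements")
    for p in ps["policies"]:
        if not p["rule_combining_alg"].endswith(":deny-overrides"):
            findings.append(f"{p['policy_id']}: rule combining algorithm is not deny-overrides")
        if not TIMESTAMP_RE.match(p["version"]):
            findings.append(f"{p['policy_id']}: Version is not a timestamp")
        if not p["rules"]:
            findings.append(f"{p['policy_id']}: no Rule elements (no permit/deny actions)")
        if any(effect not in ("Permit", "Deny") for _, effect in p["rules"]):
            findings.append(f"{p['policy_id']}: rule with an unexpected Effect")
    return findings


if __name__ == "__main__":
    summary = parse_policy_set(SAMPLE_EXPORT)
    print(f"realm {summary['realm']!r}, {len(summary['policies'])} policy/policies")
    print("findings:", audit_export(SAMPLE_EXPORT) or "none")
```

    The deny-overrides check only looks at the trailing ":deny-overrides" of the identifier, because the response above carries the rule-combining-algorithm URN on the PolicySet as well as on the Policy. Run the parser over a real export (for example, saved from the curl command above) to list every policy and confirm nothing has drifted from the mapping.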
To Export Policies in XACML Format with Search Filters (REST)

Note the following points about the search filters:

  • LDAP-based Searches. The search filters follow the standard guidelines for LDAP searches as they are applied to the entitlements index in the LDAP configuration backend, located at: ou=default,ou=OrganizationalConfig,ou=1.0,ou=sunEntitlementIndexes,ou=services,dc=openam,dc=forgerock,dc=org.

  • Search Filter Format. You can specify a single search filter or multiple filters in the HTTP URL parameters. The format for the search filter is as follows:

    [attribute name][operator][attribute value]

    If you specify multiple search filters, they are logically ANDed: the search results meet the criteria specified in all the search filters.

    Element          Description
    ---------------  -------------------------------------------------------------
    Attribute Name   The name of the attribute to be searched for. The only
                     permissible values are: application (keyword for policy set),
                     createdby, lastmodifiedby, creationdate, lastmodifieddate,
                     name, description.
    Operator         The type of comparison operation to perform:
                       • = Equals (text)
                       • < Less Than or Equal To (numerical)
                       • > Greater Than or Equal To (numerical)
    Attribute Value  The matching value. Asterisk wildcards are supported.

  1. Use the /xacml/policies endpoint to export the policies into XACML 3.0 format with a search filter. This command only exports policies that were created by "amadmin".

    $ curl \
    --request GET \
    --header "iPlanetDirectoryPro: AQIC5..." \
    "https://openam.example.com:8443/openam/xacml/policies&#63;filter=createdby=amadmin"
  2. You can also specify more than one search filter by logically ANDing the filters as follows:

    $ curl \
    --request GET \
    --header "iPlanetDirectoryPro: AQIC5..." \
    "https://openam.example.com:8443/openam/xacml/policies&#63;filter=createdby=amadmin&#38;filter=creationdate=135563832"
To Export Policies in XACML Format (ssoadm)
  • Use the ssoadm list-xacml command:

    $ ssoadm \
     list-xacml \
     --realm "/" \
     --adminid uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org \
     --password-file /tmp/pwd.txt
    
    <?xml version="1.0" encoding="UTF-8"?>
    <PolicySet
    ...
    Policy definitions were returned under realm, /.

    For more information on the syntax of this command, see "ssoadm list-xacml".
