Exporting to XACML

AM only exports a policy set that contains policy definitions. No other types can be included in the policy set, such as sub-policy sets or rules.

Realm:<timestamp>(yyyy.MM.dd.HH.mm.ss.SSS)PolicySet ID
Current Time (yyyy.MM.dd.HH.mm.ss.SSS)Version
Deny OverridesPolicy Combining Algorithm ID
No targets definedTarget

When exporting AM policies to XACML 3.0 policy sets, AM maps its policies to XACML 3.0 policy elements.

AM PolicyXACML Policy
Policy NamePolicy ID
Current Time (yyyy.MM.dd.HH.mm.ss.SSS)Version
xacml rule targetentitlement excluded resource names
Rule Deny OverridesRule Combining Algorithm ID

Any of:

  • Entitlement Subject

  • Resource Names

  • Policy Set Names

  • Action Values


Any of:

  • Policy Set Name

  • Entitlement Name

  • Privilege Created By

  • Privilege Modified By

  • Privilege Creation Date

  • Privilege Last Modification Date

Variable Definitions
Single Level Permit/Deny Actions converted to Policy Rules Rules


XACML obligation is not supported. Also, only one XACML match is defined for each privilege action, and only one XACML rule for each privilege action value.

You can export policies to XACML in the following ways:

To Export Policies in XACML Format (UI)
  • In the AM console, go to Realms > Realm Name > Authorization > Policy Sets, and then select Export Policy Sets.

    All policy sets, and the policies within will be exported in XACML format.

To Export Policies in XACML Format (REST)

The export service is accessible at the /xacml/policies endpoint using a HTTP GET request at the following endpoint for the root realm or a specific realm:


where {realm} is the name of a specific realm


You can filter your XACML exports using query search filters. See "To Export Policies in XACML Format with Search Filters (REST)".

  • Use the /xacml/policies endpoint to export the AM entitlement policies into XACML 3.0 format. The following curl command exports the policies and returns the XACML response (truncated for display purposes).

    $ curl \
    --request GET \
    --header "iPlanetDirectoryPro: AQIC5..." \
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
     Version="2014." PolicySetId="/:2014.">
     <Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
To Export Policies in XACML Format with Search Filters (REST)

Note the following points about the search filters:

  • LDAP-based Searches. The search filters follow the standard guidelines for LDAP searches as they are applied to the entitlements index in the LDAP configuration backend, located at: ou=default,ou=OrganizationalConfig,ou=1.0,ou=sunEntitlementIndexes, ou=services,dc=openam,dc=forgerock,dc=org.

  • Search Filter Format. You can specify a single search filter or multiple filters in the HTTP URL parameters. The format for the search filter is as follows:

    [attribute name][operator][attribute value]

    If you specify multiple search filters, they are logically ANDed: the search results meet the criteria specified in all the search filters.

    Attribute Name

    The name of the attribute to be searched for. The only permissible values are: application (keyword for policy set), createdby, lastmodifiedby, creationdate, lastmodifieddate, name, description.


    The type of comparison operation to perform.

    • = Equals (text)

    • < Less Than or Equal To (numerical)

    • > Greater Than or Equal To (numerical)

    Attribute Value

    The matching value. Asterisk wildcards are supported.

  1. Use the /xacml/policies endpoint to export the policies into XACML 3.0 format with a search filter. This command only exports policies that were created by "amadmin".

    $ curl \
    --request GET \
    --header "iPlanetDirectoryPro: AQIC5..." \
  2. You can also specify more than one search filter by logically ANDing the filters as follows:

    $ curl \
    --request GET \
    --header "iPlanetDirectoryPro: AQIC5..." \
To Export Policies in XACML Format (ssoadm)
  • Use the ssoadm list-xacml command:

    $ ssoadm \
     list-xacml \
     --realm "/" \
     --adminid uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org \
     --password-file /tmp/pwd.txt
    <?xml version="1.0" encoding="UTF-8"?>
    Policy definitions were returned under realm, /.

    For more information on the syntax of this command, see "ssoadm list-xacml".

Read a different version of :