Importing from XACML

To test an import, AM provides a dry run feature that runs an import without saving the changes to the database. The dry run feature provides a summary of the import so that you can troubleshoot any potential mismatches prior to the actual import.

You can import XACML policies in the following ways:

To Import Policies in XACML Format (UI)
  1. In the AM console, go to Realms > Realm Name > Authorization > Policy Sets, and then select Import Policy Sets.

  2. Browse to the XACML format file, select it, and then select Open.

    Any policy sets, and the policies within them, are imported from the selected XACML format file.

    Note

    Policy sets and resource types are generated from the details in the XACML format file, but may not match the definitions of the originals; for example, the names are auto-generated.

To Import XACML Policies (REST)

You can import a XACML policy using an HTTP POST request for the root realm or a specific realm at the following endpoints:

https://openam.example.com:8443/openam/xacml/policies
https://openam.example.com:8443/openam/xacml/{realm}/policies

where {realm} is the name of a specific realm.
  1. You can do a dry run to test the import by adding the dryrun=true query parameter. The dry run outputs JSON that shows the status of each imported policy, where "U" indicates "Updated" and "A" indicates "Added". The dry run does not update the database. When you are ready for an actual import, re-run the command without the dryrun=true query parameter.

    $ curl \
    --request POST \
    --header "Content-Type: application/xml" \
    --header "iPlanetDirectoryPro: AQIC5..." \
    --data @xacml-policy.xml \
    "https://openam.example.com:8443/openam/xacml/policies?dryrun=true"
    [
        {
            "status":"A",
            "name":"aNewPolicy"
        },
        {
            "status":"U",
            "name":"anExistingPolicy"
        },
        {
            "status":"U",
            "name":"anotherExistingPolicy"
        }
    ]
  2. Use the /xacml/policies endpoint to import a XACML policy:

    $ curl \
    --request POST \
    --header "Content-Type: application/xml" \
    --header "iPlanetDirectoryPro: AQIC5..." \
    --data @xacml-policy.xml \
    "https://openam.example.com:8443/openam/xacml/policies"

    Tip

    You can import a XACML policy into a realm as follows:

    $ curl \
    --request POST \
    --header "Content-Type: application/xml" \
    --header "iPlanetDirectoryPro: AQIC5..." \
    --data @xacml-policy.xml \
    "https://openam.example.com:8443/openam/xacml/{realm}/policies"
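
The following Python is an added example, not part of the AM documentation or product: it performs the dry run from step 1, refuses the real import if any policy reported as "U" is not on an approved list, and only then repeats the POST without dryrun=true. The function names and the allowed_updates list are assumptions; the endpoint, headers, and status codes are those shown above.

```python
import json
import urllib.request

def review_dry_run(dry_run_json, allowed_updates=()):
    """Classify dry-run results; 'unexpected' holds updates nobody approved."""
    allowed = set(allowed_updates)
    report = {"added": [], "updated": [], "unexpected": []}
    for entry in json.loads(dry_run_json):
        status, name = entry["status"], entry["name"]
        if status == "A":
            report["added"].append(name)
        elif status == "U":
            report["updated"].append(name)
            if name not in allowed:
                report["unexpected"].append(name)
        else:
            # Only "A" and "U" are documented; fail closed on anything else.
            raise ValueError(f"unrecognized status {status!r} for {name!r}")
    return report

def post_xacml(base_url, token, xml_bytes, dry_run):
    """POST the XACML document to the root-realm endpoint shown above."""
    url = base_url + "/xacml/policies" + ("?dryrun=true" if dry_run else "")
    req = urllib.request.Request(url, data=xml_bytes, method="POST", headers={
        "Content-Type": "application/xml",
        "iPlanetDirectoryPro": token,
    })
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8")

def guarded_import(base_url, token, xml_bytes, allowed_updates, post=post_xacml):
    """Dry run first; import for real only if every update was approved."""
    report = review_dry_run(post(base_url, token, xml_bytes, True), allowed_updates)
    if report["unexpected"]:
        raise RuntimeError("refusing import, unapproved updates: "
                           + ", ".join(report["unexpected"]))
    post(base_url, token, xml_bytes, False)
    return report

# Constructed sample: the dry-run output shown in step 1.
SAMPLE = ('[{"status":"A","name":"aNewPolicy"},'
          '{"status":"U","name":"anExistingPolicy"},'
          '{"status":"U","name":"anotherExistingPolicy"}]')

if __name__ == "__main__":
    print(review_dry_run(SAMPLE, allowed_updates=["anExistingPolicy"]))
```

An import that updates an existing policy changes live authorization decisions, so the approved list should come from change review rather than from the dry-run output itself.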
To Import Policies in XACML Format (ssoadm)
  • Use the ssoadm create-xacml command:

    $ ssoadm \
     create-xacml \
     --realm "/" \
     --adminid uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org \
     --password-file /tmp/pwd.txt \
     --xmlfile policy.xml
    Policies were created under realm, /.

    For more information on the syntax of this command, see "ssoadm create-xacml".
