Exporting to XACML
AM only exports a policy set that contains policy definitions. No other types can be included in the policy set, such as sub-policy sets or rules. The policy set is mapped to the XACML 3.0 PolicySet element as follows:

AM | XACML
---|---
Realm:<timestamp> (yyyy.MM.dd.HH.mm.ss.SSS) | PolicySet ID
Current Time (yyyy.MM.dd.HH.mm.ss.SSS) | Version
Deny Overrides | Policy Combining Algorithm ID
No targets defined | Target
When exporting AM policies to XACML 3.0 policy sets, AM maps its policies to XACML 3.0 policy elements.
AM Policy | XACML Policy
---|---
Policy Name | Policy ID
Description | Description
Current Time (yyyy.MM.dd.HH.mm.ss.SSS) | Version
Entitlement excluded resource names | XACML rule target
Rule Deny Overrides | Rule Combining Algorithm ID
Any of: | Target
Any of: | Variable Definitions
Single Level Permit/Deny Actions converted to Policy Rules | Rules
Note: XACML obligations are not supported. Also, only one XACML match is defined for each privilege action, and only one XACML rule for each privilege action value.
You can export policies to XACML in the following ways:

In the AM console, select Realms > Realm Name > Authorization > Policy Sets, and then select Export Policy Sets. All policy sets, and the policies within them, are exported in XACML format.

The export service is accessible at the /xacml/policies endpoint using an HTTP GET request. Use one of the following endpoints, for the root realm or for a specific realm:

https://openam.example.com:8443/openam/xacml/policies
https://openam.example.com:8443/openam/xacml/{realm}/policies

where {realm} is the name of a specific realm.
Tip
You can filter your XACML exports using query search filters. See "To Export Policies in XACML Format with Search Filters (REST)".
Use the /xacml/policies endpoint to export the AM entitlement policies into XACML 3.0 format. The following curl command exports the policies and returns the XACML response (truncated for display purposes):

```shell
$ curl \
  --request GET \
  --header "iPlanetDirectoryPro: AQIC5..." \
  "https://openam.example.com:8443/openam/xacml/policies"
```

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
    Version="2014.10.08.21.59.39.231"
    PolicySetId="/:2014.10.08.21.59.39.231">
  <Target/>
  <Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
      Version="2014.10.08.18.01.03.626"
      PolicyId="Rockshop_Checkout_https://forgerock-rockshop.openrock.org:443/wp-login.php*?*">
  ...
```
Note the following points about the search filters:

LDAP-based Searches. The search filters follow the standard guidelines for LDAP searches as they are applied to the entitlements index in the LDAP configuration backend, located at:

ou=default,ou=OrganizationalConfig,ou=1.0,ou=sunEntitlementIndexes,ou=services,dc=openam,dc=forgerock,dc=org

Search Filter Format. You can specify a single search filter or multiple filters in the HTTP URL parameters. The format for the search filter is as follows:

[attribute name][operator][attribute value]

If you specify multiple search filters, they are logically ANDed: the search results meet the criteria specified in all the search filters.

Element | Description
---|---
Attribute Name | The name of the attribute to search for. The only permissible values are: application (keyword for policy set), createdby, lastmodifiedby, creationdate, lastmodifieddate, name, description.
Operator | The type of comparison operation to perform: = Equals (text); < Less Than or Equal To (numerical); > Greater Than or Equal To (numerical)
Attribute Value | The matching value. Asterisk wildcards are supported.
Use the /xacml/policies endpoint to export the policies into XACML 3.0 format with a search filter. This command only exports policies that were created by "amadmin":

```shell
$ curl \
  --request GET \
  --header "iPlanetDirectoryPro: AQIC5..." \
  "https://openam.example.com:8443/openam/xacml/policies?filter=createdby=amadmin"
```

You can also specify more than one search filter by logically ANDing the filters as follows:

```shell
$ curl \
  --request GET \
  --header "iPlanetDirectoryPro: AQIC5..." \
  "https://openam.example.com:8443/openam/xacml/policies?filter=createdby=amadmin&filter=creationdate=135563832"
```
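As an added example that is not part of the AM documentation, the following Python builds the filtered export URLs described above (root realm or a named realm, several filter parameters ANDed) and summarises an exported PolicySet against the mapping tables (PolicySet ID, version, deny-overrides combining algorithm, empty target, one rule per action value). The PolicySet it parses is a constructed sample with the same shape as the truncated export shown on this page; no AM server is contacted.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlencode

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"

# Constructed sample shaped like the truncated export in the docs: same PolicySet
# attributes, one Policy, one Rule per action value (not a real AM export).
SAMPLE_EXPORT = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="{XACML_NS}" PolicyCombiningAlgId="{DENY_OVERRIDES}"
    Version="2014.10.08.21.59.39.231" PolicySetId="/:2014.10.08.21.59.39.231">
  <Target/>
  <Policy RuleCombiningAlgId="{DENY_OVERRIDES}" Version="2014.10.08.18.01.03.626"
      PolicyId="ExamplePolicySet_ExamplePolicy">
    <Description>constructed sample policy</Description>
    <Target/>
    <Rule RuleId="GET" Effect="Permit"><Target/></Rule>
    <Rule RuleId="POST" Effect="Deny"><Target/></Rule>
  </Policy>
</PolicySet>"""

def export_url(base, realm=None, filters=()):
    """URL of /xacml/policies (root realm) or /xacml/{realm}/policies.
    Each filter is '[attribute][= < >][value]'; several filters are ANDed by
    repeating the filter query parameter, as the curl examples do."""
    path = "/xacml/policies" if realm is None else f"/xacml/{quote(realm)}/policies"
    url = base.rstrip("/") + path
    if filters:  # keep operators and wildcards unescaped, as the docs show them
        url += "?" + urlencode([("filter", f) for f in filters], safe="=<>*")
    return url

def summarise_policy_set(xml_text):
    """Return the PolicySet-level fields and one entry per exported Policy."""
    root = ET.fromstring(xml_text.encode() if isinstance(xml_text, str) else xml_text)
    if root.tag != f"{{{XACML_NS}}}PolicySet":
        raise ValueError(f"not a XACML 3.0 PolicySet: {root.tag}")
    ns = {"x": XACML_NS}
    target = root.find("x:Target", ns)
    policies = [{
        "id": p.get("PolicyId"),
        "deny_overrides": p.get("RuleCombiningAlgId") == DENY_OVERRIDES,
        "rules": len(p.findall("x:Rule", ns)),
    } for p in root.findall("x:Policy", ns)]
    return {
        "policy_set_id": root.get("PolicySetId"),
        "version": root.get("Version"),
        "deny_overrides": root.get("PolicyCombiningAlgId") == DENY_OVERRIDES,
        "empty_target": target is not None and len(target) == 0,
        "policies": policies,
    }
```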
Use the ssoadm list-xacml command:

```shell
$ ssoadm \
  list-xacml \
  --realm "/" \
  --adminid uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org \
  --password-file /tmp/pwd.txt
```

```xml
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet ....
Policy definitions were returned under realm, /.
```
For more information on the syntax of this command, see "ssoadm list-xacml".