Importing from XACML
To test an import, AM provides a dry run feature that runs an import without saving the changes to the database. The dry run feature provides a summary of the import so that you can troubleshoot any potential mismatches prior to the actual import.
You can import XACML policies in the following ways:
In the AM console, select Realms > Realm Name > Authorization > Policy Sets, and then select Import Policy Sets.
Browse to the XACML format file, select it, and then select Open.
Any policy sets, and the policies within will be imported from the selected XACML format file.
Note
Policy sets and resource types will be generated from the details in the XACML format file, but may not match the definitions of the originals, for example the names are auto-generated.
You can import a XACML policy using an HTTP POST request for the root realm or a specific realm at the following endpoints:
https://openam.example.com:8443/openam/xacml/policies https://openam.example.com:8443/openam/xacml/{realm}/policies where {realm} is the name of a specific realm
You can do a dry run using the
dryrun=true
query to test the import. The dry run option outputs in JSON format and displays the status of each import policy, where "U" indicates "Updated"; "A" for "Added". The dry run does not actually update to the database. When you are ready for an actual import, you need to re-run the command without thedryrun=true
query.$
curl \ --request POST \ --header "Content-Type: application/xml" \ --header "iPlanetDirectoryPro: AQIC5..." \ --data @xacml-policy.xml \ "https://openam.example.com:8443/openam/xacml/policies?dryrun=true"
[ { "status":"A", "name":"aNewPolicy" }, { "status":"U", "name":"anExistingPolicy" }, { "status":"U", "name":"anotherExistingPolicy" } ]
Use the
/xacml/policies
endpoint to import a XACML policy:$
curl \ --request POST \ --header "Content-Type: application/xml" \ --header "iPlanetDirectoryPro: AQIC5..." \ --data @xacml-policy.xml \ "https://openam.example.com:8443/openam/xacml/policies"
Tip
You can import a XACML policy into a realm as follows:
$
curl \ --request POST \ --header "Content-Type: application/xml" \ --header "iPlanetDirectoryPro: AQIC5..." \ --data @xacml-policy.xml \" "https://openam.example.com:8443/openam/xacml/{realm}/policies"
Use the ssoadm create-xacml command:
$
ssoadm \ create-xacml \ --realm "/" \ --adminid uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org \ --password-file /tmp/pwd.txt \ --xmlfile policy.xml
Policies were created under realm, /.
For more information on the syntax of this command, see "ssoadm create-xacml".