Question

I'm using wso2is and trying to add a new entitlement policy. Its configuration is as follows:

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="EchoServicePolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
   <Target>
      <AnyOf>
         <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
               <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
            </Match>
         </AllOf>
      </AnyOf>
   </Target>
   <Rule Effect="Permit" RuleId="Rule-1">
      <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
            <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"></Function>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Umesha</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
         </Apply>
      </Condition>
   </Rule>
</Policy>

Now, at the time of test evaluation my request configuration is as follows:

Resource : *        
Subject Name : testRole
Action Name : read
Environment Name : *

When I click on test evaluate it shows Indeterminate. What is the exact problem? Is the policy incorrect, or is there a problem with the evaluation request? Let me know.


Solution

Your policy is correct. It must return Permit when the action is "read" and the username is "Umesha". But in your request you are sending some other values. If you use "Umesha" as the Subject name, you would see a Permit decision. However, if your name is some other value, I agree that you must get a "NotApplicable" result, not "Indeterminate". But please check whether there are some other policies in the PDP policy store, because then the overall result can be changed. What is the WSO2IS version that you are using? I just tried out your policy and request with 4.5.0. It returns "NotApplicable", which is correct.
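
As an added example that is not part of the question or the answer above, and not WSO2 IS's own PDP code, the following Python script is a toy evaluator for just the XACML 3.0 subset this policy uses (string-equal, any-of, Target/AnyOf/AllOf/Match, a Rule Condition, and the first-applicable rule-combining algorithm). It parses a copy of the EchoServicePolicy from the question and evaluates several request contexts, so you can see which inputs yield Permit, which yield NotApplicable, and one standard way a policy like this yields Indeterminate: an AttributeDesignator with MustBePresent="true" whose attribute is absent from the request. The request context as a dict of (category, attribute-id) to bag of values and the make_request helper are assumptions of this example; XACML 3.0's extended Indeterminate{P}/{D}/{DP} values are collapsed to a single Indeterminate.

```python
"""Toy XACML 3.0 subset evaluator for the EchoServicePolicy (added example, not WSO2 IS code)."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
ANY_OF = "urn:oasis:names:tc:xacml:1.0:function:any-of"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"

# Copy of the policy from the question, embedded so the script runs offline.
POLICY_XML = f"""<Policy xmlns="{XACML_NS}" PolicyId="EchoServicePolicy" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target><AnyOf><AllOf>
    <Match MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{STRING}">read</AttributeValue>
      <AttributeDesignator AttributeId="{ACTION_ID}" Category="{ACTION_CAT}" DataType="{STRING}" MustBePresent="true"/>
    </Match>
  </AllOf></AnyOf></Target>
  <Rule Effect="Permit" RuleId="Rule-1">
    <Condition>
      <Apply FunctionId="{ANY_OF}">
        <Function FunctionId="{STRING_EQUAL}"/>
        <AttributeValue DataType="{STRING}">Umesha</AttributeValue>
        <AttributeDesignator AttributeId="{SUBJECT_ID}" Category="{SUBJECT_CAT}" DataType="{STRING}" MustBePresent="true"/>
      </Apply>
    </Condition>
  </Rule>
</Policy>"""


class Indeterminate(Exception):
    """A MustBePresent="true" designator found no attribute; XACML says the result is Indeterminate."""


def make_request(subject=None, action=None):
    """Assumed request-context shape: (category, attribute-id) -> bag of values. None = not sent."""
    request = {}
    if subject is not None:
        request[(SUBJECT_CAT, SUBJECT_ID)] = [subject]
    if action is not None:
        request[(ACTION_CAT, ACTION_ID)] = [action]
    return request


def designator_bag(designator, request):
    key = (designator.get("Category"), designator.get("AttributeId"))
    bag = request.get(key, [])
    if not bag and designator.get("MustBePresent") == "true":
        raise Indeterminate(f"required attribute {key[1]} missing from request")
    return bag


def apply_function(function_id, *args):
    if function_id == STRING_EQUAL:
        return args[0] == args[1]
    raise ValueError(f"unsupported function {function_id}")


def eval_expr(node, request):
    """AttributeValue -> str, AttributeDesignator -> bag (list), Apply -> function result."""
    kind = node.tag.replace("{" + XACML_NS + "}", "")
    if kind == "AttributeValue":
        return node.text
    if kind == "AttributeDesignator":
        return designator_bag(node, request)
    if kind == "Apply":
        children = list(node)
        if node.get("FunctionId") == ANY_OF:  # any-of(f, value, bag): f(value, x) for some x in bag
            inner = children[0].get("FunctionId")
            value = eval_expr(children[1], request)
            return any(apply_function(inner, value, x) for x in eval_expr(children[2], request))
        return apply_function(node.get("FunctionId"), *(eval_expr(c, request) for c in children))
    raise ValueError(f"unsupported expression <{kind}>")


def eval_target(target, request):
    """Target matches if every AnyOf matches; AnyOf if some AllOf matches; AllOf if every Match matches."""
    if target is None or len(target) == 0:
        return True  # an empty or absent <Target/> applies to every request

    def match(m):
        value = eval_expr(m.find("x:AttributeValue", NS), request)
        bag = designator_bag(m.find("x:AttributeDesignator", NS), request)
        return any(apply_function(m.get("MatchId"), value, x) for x in bag)

    return all(any(all(match(m) for m in allof.findall("x:Match", NS))
                   for allof in anyof.findall("x:AllOf", NS))
               for anyof in target.findall("x:AnyOf", NS))


def eval_rule(rule, request):
    try:
        if not eval_target(rule.find("x:Target", NS), request):
            return "NotApplicable"
        condition = rule.find("x:Condition", NS)
        if condition is not None and not eval_expr(condition[0], request):
            return "NotApplicable"  # condition false: the rule simply does not apply
        return rule.get("Effect")
    except Indeterminate:
        return "Indeterminate"  # Indeterminate{P}/{D}/{DP} collapsed to one value in this toy


def evaluate(policy_xml, request):
    """Evaluate one policy under the first-applicable rule-combining algorithm."""
    policy = ET.fromstring(policy_xml)
    if not policy.get("RuleCombiningAlgId", "").endswith(":first-applicable"):
        raise ValueError("only first-applicable is implemented in this toy PDP")
    try:
        if not eval_target(policy.find("x:Target", NS), request):
            return "NotApplicable"
    except Indeterminate:
        return "Indeterminate"
    for rule in policy.findall("x:Rule", NS):
        decision = eval_rule(rule, request)
        if decision != "NotApplicable":
            return decision  # first-applicable: first Permit, Deny or Indeterminate wins
    return "NotApplicable"


if __name__ == "__main__":
    for subject, action in [("Umesha", "read"), ("testRole", "read"), ("Umesha", "write"), (None, "read")]:
        print(f"subject={subject!r:12} action={action!r:8} -> {evaluate(POLICY_XML, make_request(subject, action))}")
```

With the request from the question (subject testRole, action read) the toy PDP returns NotApplicable, matching the answer; subject Umesha returns Permit; an action other than read fails the policy Target and returns NotApplicable; and leaving the subject-id or action-id out of the request entirely trips MustBePresent="true" and returns Indeterminate. When a real PDP such as WSO2 IS returns Indeterminate for a request that looks complete, checking which attributes actually reach the PDP (and what other policies are loaded in the policy store) is the place to start.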

Licensed under: CC-BY-SA with attribution