Re: How to Write a XACML policy to restrict user admin operations on user stores

Re: How to Write a XACML policy to restrict user admin operations on user stores

Denuwanthi De Silva
Hi,

You can define the user store in XACML in the following format

<Rule Effect="Permit" RuleId="permit_by_userstores">
    <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                <AttributeDesignator AttributeId="http://wso2.org/identity/user/user-store-domain" Category="http://wso2.org/identity/user" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Apply>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SECONDARY-USERSTORE</AttributeValue>
        </Apply>
    </Condition>
</Rule>



On Tue, Dec 5, 2017 at 9:51 PM, Shanika Wickramasinghe <[hidden email]> wrote:
Hi All,
I am implementing scenario 30 in [1]

By default, user store admins can perform operations on users of other user stores. I want to write a XACML policy to restrict user admins to performing operations only on their own user store; they should not be able to perform operations on other user stores. As an example, consider the following scenario.

E.g.: There are 2 JDBC secondary user stores, foo and bar. The foo user store has a role with admin permissions, foo admin, and the bar user store has a role with admin permissions, bar admin. foo admin should be able to delete a user in the foo user store, and bar admin should not be able to delete that user. I would appreciate your guidance on the following questions:

1. How to specify the action "delete user" in a XACML policy
2. How to give the user store on which that action should happen
3. How to call the PDP from the user store operation listener



Thank you,
Shanika.
--
Shanika Wickramasinghe
Software Engineer - QA Team

Email    : [hidden email]
Mobile  : +94713503563
Web     : http://wso2.com




--
Denuwanthi De Silva
Senior Software Engineer;
WSO2 Inc.; http://wso2.com,
Email: [hidden email]
Blog: https://denuwanthi.wordpress.com/

_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev
Re: How to Write a XACML policy to restrict user admin operations on user stores

Denuwanthi De Silva
You can create a custom listener by extending 'AbstractIdentityUserOperationEventListener'.

Our default provisioning listener is written in that way [1].
You can refer to that, create your custom listener, and override the method from which you would like to invoke the XACML PDP.

You can invoke the PDP using our 'EntitlementService' API [2].

On Wed, Dec 6, 2017 at 12:41 PM, Shanika Wickramasinghe <[hidden email]> wrote:
Hi,

Thank you for the clarification. This is the procedure that I followed.

1. Created a JDBC user store as JDBC1 and created a user and assigned a role as admin1 by giving admin permissions from the permission tree
2. Created another JDBC user store as JDBC2 and created a user and assigned a role as admin2 by giving admin permissions from the permission tree
3. Created a XACML policy as follows to allow write actions on JDBC1 for admin1 and restricted others


<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="abc" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit" Version="1.0">
   <Description>This is a policy to restrict admins operations on user stores</Description>
   <Target>
      <AnyOf>
         <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
               <AttributeDesignator AttributeId="http://wso2.org/identity/identity-action/action-name" Category="http://wso2.org/identity/identity-action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
            </Match>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">JDBC1</AttributeValue>
               <AttributeDesignator AttributeId="http://wso2.org/identity/user/user-store-domain" Category="http://wso2.org/identity/user" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Match>
         </AllOf>
      </AnyOf>
   </Target>
   <Rule Effect="Permit" RuleId="permit_by_userstores">
      <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                  <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
               </Apply>
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin1</AttributeValue>
            </Apply>
         </Apply>
      </Condition>
   </Rule>
   <Rule Effect="Deny" RuleId="deny_others"/>
</Policy>

Is the process that I followed correct according to scenario 30 in [2]? Correct me if I am wrong.


Also, as my scenario 30 [2] asks to create a user store operation listener to talk to the XACML PDP, I am not clear on how to do this using [1]. Appreciate any guidance on this.


[3]. actions.png

Thank you,
Shanika.


On Wed, Dec 6, 2017 at 9:42 AM, Denuwanthi De Silva <[hidden email]> wrote:


--
Shanika Wickramasinghe
Software Engineer - QA Team

Email    : [hidden email]
Mobile  : +94713503563
Web     : http://wso2.com





--
Denuwanthi De Silva
Senior Software Engineer;
WSO2 Inc.; http://wso2.com,
Email: [hidden email]
Blog: https://denuwanthi.wordpress.com/
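To make the behaviour of the two policy fragments in this thread concrete, here is a small XACML evaluator added as an example; it is not code from the thread, from WSO2 or from the Balana PDP. It implements only the constructs the posted snippets use (Target/AnyOf/AllOf/Match with string-equal, Conditions built from string-equal, string-one-and-only and or, and the deny-unless-permit rule-combining algorithm) and runs Shanika's posted policy against constructed requests for the admin1/admin2 on JDBC1/JDBC2 scenario. The request layout (attribute bags keyed by Category and AttributeId), the helper names make_request and evaluate, and the role values used are assumptions of the example; how WSO2's PIP actually populates those attributes is not shown on this page.

```python
# Toy evaluator for the XACML 3.0 subset this thread uses: Target/AnyOf/AllOf/Match, Conditions
# of string-equal, string-one-and-only and or, deny-unless-permit. Constructed example, not WSO2 code.
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
FN = "urn:oasis:names:tc:xacml:1.0:function:"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION = "http://wso2.org/identity/identity-action"
USER = "http://wso2.org/identity/user"
STR = "http://www.w3.org/2001/XMLSchema#string"

# The policy posted in the thread: same ids, categories, rules and combining algorithm.
POLICY_XML = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="abc" Version="1.0"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"><Target><AnyOf><AllOf>
  <Match MatchId="%(f)sstring-equal">
   <AttributeValue DataType="%(s)s">write</AttributeValue>
   <AttributeDesignator AttributeId="%(a)s/action-name" Category="%(a)s" DataType="%(s)s" MustBePresent="false"/>
  </Match>
  <Match MatchId="%(f)sstring-equal">
   <AttributeValue DataType="%(s)s">JDBC1</AttributeValue>
   <AttributeDesignator AttributeId="%(u)s/user-store-domain" Category="%(u)s" DataType="%(s)s" MustBePresent="true"/>
  </Match>
 </AllOf></AnyOf></Target>
 <Rule Effect="Permit" RuleId="permit_by_userstores"><Condition>
  <Apply FunctionId="%(f)sor"><Apply FunctionId="%(f)sstring-equal">
   <Apply FunctionId="%(f)sstring-one-and-only">
    <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="%(j)s" DataType="%(s)s" MustBePresent="true"/>
   </Apply>
   <AttributeValue DataType="%(s)s">admin1</AttributeValue>
  </Apply></Apply></Condition></Rule>
 <Rule Effect="Deny" RuleId="deny_others"/>
</Policy>""" % {"f": FN, "s": STR, "a": ACTION, "u": USER, "j": SUBJECT}

class Indeterminate(Exception):
    """A MustBePresent attribute is missing, or a bag is not a singleton."""

def bag(designator, request):
    # The bag of values the designator refers to in the request
    values = request.get((designator.get("Category"), designator.get("AttributeId")), [])
    if not values and designator.get("MustBePresent") == "true":
        raise Indeterminate(designator.get("AttributeId"))
    return values

def expr(el, request):
    # AttributeValue -> str, AttributeDesignator -> bag (list), Apply -> function result
    tag = el.tag.split("}")[1]
    if tag != "Apply":
        return el.text if tag == "AttributeValue" else bag(el, request)
    fn, args = el.get("FunctionId"), [expr(child, request) for child in el]
    if fn == FN + "string-one-and-only":
        if len(args[0]) != 1:  # 0 or 2+ values: the enclosing rule becomes Indeterminate
            raise Indeterminate("string-one-and-only on a bag of size %d" % len(args[0]))
        return args[0][0]
    if fn == FN + "string-equal":
        return args[0] == args[1]
    if fn == FN + "or":
        return any(args)
    raise NotImplementedError(fn)

def match_holds(match, request):
    # A Match holds when its literal equals any value in the designated bag
    literal = match.find("x:AttributeValue", NS).text
    return literal in bag(match.find("x:AttributeDesignator", NS), request)

def target_matches(target, request):
    # No Target matches everything; otherwise every AnyOf needs one AllOf whose Matches all hold
    if target is None:
        return True
    return all(any(all(match_holds(m, request) for m in allof.findall("x:Match", NS))
                   for allof in anyof.findall("x:AllOf", NS))
               for anyof in target.findall("x:AnyOf", NS))

def rule_decision(rule, request):
    # A Rule yields its Effect when its Target and Condition hold, else NotApplicable
    try:
        if not target_matches(rule.find("x:Target", NS), request):
            return "NotApplicable"
        condition = rule.find("x:Condition", NS)
        if condition is not None and not expr(condition[0], request):
            return "NotApplicable"
    except Indeterminate:
        return "Indeterminate"
    return rule.get("Effect")

def evaluate(policy_xml, request):
    # deny-unless-permit inside the Policy Target: any Permit wins, everything else (Indeterminate
    # included) is Deny. A request outside the Target is NotApplicable for this whole policy.
    policy = ET.fromstring(policy_xml)
    try:
        if not target_matches(policy.find("x:Target", NS), request):
            return "NotApplicable"
    except Indeterminate:
        return "Indeterminate"
    decisions = [rule_decision(rule, request) for rule in policy.findall("x:Rule", NS)]
    return "Permit" if "Permit" in decisions else "Deny"

def make_request(roles, action, domain):
    # Constructed request: attribute bags keyed by (Category, AttributeId), as a PIP would supply them
    return {(SUBJECT, "http://wso2.org/claims/role"): list(roles), (ACTION, ACTION + "/action-name"): [action],
            (USER, USER + "/user-store-domain"): [domain]}
```

Two results are worth noting for the scenario being built. A request for another action or another user store (admin1 writing to JDBC2, or any delete) does not match the policy's Target, so this policy returns NotApplicable rather than Deny: the deny_others rule only fires inside the Target, and the final answer then depends on the PDP's policy-combining algorithm and whatever other policies are deployed. And because the Condition applies string-one-and-only to the role bag, a subject that carries more than one role makes the rule Indeterminate, which deny-unless-permit turns into Deny; the standard string-is-in function, which tests whether a string is a member of a bag, avoids that.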
