Evaluating a XACML Policy
The XACML TryIt Tool allows users to test their policies easily, without creating and sending authorization requests to Identity Server. It is a UI tool through which authorization requests can be created and evaluated against available policies in the system. Users can create simple authorization requests using the web UI of the TryIt Tool. By switching to “Create Request Using Editor” mode, you can write complex XACML 3.0 requests in XML format and try them.
Before you begin
Prior to creating a basic XACML 3.0 request for evaluation, you need to create a policy.
Follow the instructions below to create a basic XACML 3.0 request for evaluation. You can create a request using one of the following methods.
Create request using editor
- Sign in. Enter your user name and password to log on to the Management Console.
- Click Tools to access the XACML menu.
- Click TryIt.
- Click on the Create Request Using Editor link.
- Use the "Toggle editor" to create a request in XML. The default elements are as follows:
  - `<Resource>`
  - `<Subject>`
  - `<Action>`
  - `<Attribute>`
  - `<Attribute AttributeId>`
  - `<AttributeValue/>`
  - `<Environment>`
Refer to XACML 2.0/3.0 specification for more information on XACML authorization requests.
A sample XACML XML request
```xml
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Subject>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>admin</AttributeValue>
        </Attribute>
    </Subject>
    <Resource>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>http://localhost:8280/services/echo/echoString</AttributeValue>
        </Attribute>
    </Resource>
    <Action>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>read</AttributeValue>
        </Attribute>
    </Action>
</Request>
```
- Click on the Evaluate With PDP button to complete the process. You will receive a response to the authorization request.
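
The sample request above uses the XACML 2.0 context schema. As an added example (not part of the original page or the product's own code), the following Python builds the same subject, resource and action as a XACML 3.0 request that can be pasted into the editor, using an XML builder so that values containing markup are escaped rather than altering the request structure. The function names `build_request` and `attribute_values` are hypothetical; the namespace, category and attribute URIs are those of the XACML 3.0 core specification.

```python
import xml.etree.ElementTree as ET

XACML3_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STRING = "http://www.w3.org/2001/XMLSchema#string"

# Field -> (XACML 3.0 category URI, standard attribute id)
CATEGORIES = {
    "subject": ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
                "urn:oasis:names:tc:xacml:1.0:subject:subject-id"),
    "resource": ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                 "urn:oasis:names:tc:xacml:1.0:resource:resource-id"),
    "action": ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
               "urn:oasis:names:tc:xacml:1.0:action:action-id"),
}

def build_request(subject, resource, action, return_policy_ids=False):
    """Return a XACML 3.0 <Request> as a string (hypothetical helper)."""
    ET.register_namespace("", XACML3_NS)
    req = ET.Element(f"{{{XACML3_NS}}}Request", {
        "CombinedDecision": "false",
        "ReturnPolicyIdList": "true" if return_policy_ids else "false",
    })
    fields = (("subject", subject), ("resource", resource), ("action", action))
    for key, value in fields:
        category, attr_id = CATEGORIES[key]
        attrs = ET.SubElement(req, f"{{{XACML3_NS}}}Attributes",
                              {"Category": category})
        attr = ET.SubElement(attrs, f"{{{XACML3_NS}}}Attribute",
                             {"AttributeId": attr_id, "IncludeInResult": "false"})
        val = ET.SubElement(attr, f"{{{XACML3_NS}}}AttributeValue",
                            {"DataType": STRING})
        val.text = value  # the serializer escapes <, > and & in text nodes
    return ET.tostring(req, encoding="unicode")

def attribute_values(xml_text):
    """Parse a request and return its AttributeValue texts in document order."""
    root = ET.fromstring(xml_text)
    return [v.text for v in root.iter(f"{{{XACML3_NS}}}AttributeValue")]

if __name__ == "__main__":
    # Same values as the sample request on this page.
    print(build_request("admin",
                        "http://localhost:8280/services/echo/echoString",
                        "read"))
```
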
Create request using UI
- Sign in. Enter your user name and password to log on to the Management Console.
- Click Tools to access the XACML menu.
- Click TryIt.
- Fill in the following fields and click the Create Request button.
  - Multiple Request - This enables you to evaluate multiple requests in order to make multiple decisions on multiple actions.
  - Return Policy List - Returns a list of all fully applicable policies and policy sets that were used in the decision.
  - Resource - Represents the resource that the user has requested to access.
  - Subject Name - Identifies the user who is accessing the resources.
  - Action Name - Action the user is trying to perform.
  - Environment Name - Provides additional information to evaluate the request, such as the current date and time.

  Refer to XACML 2.0/3.0 specification for more information on XACML authorization requests.
- The generated request will appear in the editor. You can further edit the request if required.
- Click on the Evaluate With PDP button to complete the process. You will receive a response to the authorization request.