XACML security policy

This topic describes how XACML documents are created.

The XACML documents that are used in the sample were created by the IBM® Tivoli® Security Policy Manager policy editor, but you can use any text or XML editor to create such documents. To construct or modify existing XACML policies, see the OASIS specifications: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml.
The XACML security policy that is used in the sample is contained in storeSWPXACML.xml and storePrivateDataXACML.xml. These policies are used to evaluate the requests that arrive at the policy decision point (PDP). A request is made up of four key elements:
  1. The Subjects section - Contains the Distinguished Name of the request caller and the groups that the caller belongs to.
  2. The Resource section - Contains the resources that the caller wants to access. Two types of resource are used in the sample: the first is the operation on the web service, and the second is the data in the response that must be authorized, in this case the priceInfo resource.
  3. The Environment section - Contains information about the environment in which the request is made.
  4. The Action section - States what the caller wants to do with the authorized material. In the redaction scenario, the action is simply to view the priceInfo data.
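As an added example, not taken from the IBM sample or from the Security Policy Manager policy editor, the following Python builds a XACML 2.0 request that carries the four sections listed above for the redaction scenario, parses it back into per-section attributes, and evaluates it with a small default-deny matcher. The group attribute id urn:example:group, the group name pricing and the matcher's rule are assumptions; the sample's own policy files are not reproduced here.

```python
# Added example (not the IBM sample's code): a XACML 2.0 request with Subject, Resource,
# Action and Environment sections, plus a deliberately small default-deny evaluator.
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
GROUP_ID = "urn:example:group"   # assumed group attribute id, not taken from the sample
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

def _attr(parent, attr_id, values):
    """Append one <Attribute> with a string <AttributeValue> per value."""
    a = ET.SubElement(parent, f"{{{CTX}}}Attribute", AttributeId=attr_id, DataType=XS_STRING)
    for v in values:
        ET.SubElement(a, f"{{{CTX}}}AttributeValue").text = v

def build_request(dn, groups, resource, action):
    """Serialize a XACML 2.0 <Request> for caller `dn` (a DN) in `groups`."""
    ET.register_namespace("", CTX)
    req = ET.Element(f"{{{CTX}}}Request")
    subj = ET.SubElement(req, f"{{{CTX}}}Subject")
    _attr(subj, SUBJECT_ID, [dn])
    _attr(subj, GROUP_ID, groups)
    _attr(ET.SubElement(req, f"{{{CTX}}}Resource"), RESOURCE_ID, [resource])
    _attr(ET.SubElement(req, f"{{{CTX}}}Action"), ACTION_ID, [action])
    ET.SubElement(req, f"{{{CTX}}}Environment")  # empty in the redaction scenario
    return ET.tostring(req, encoding="unicode")

def parse_request(xml_text):
    """Return {section: {AttributeId: set(values)}} for Subject/Resource/Action/Environment."""
    out = {}
    for section in ET.fromstring(xml_text):
        attrs = out.setdefault(section.tag.split("}")[1], {})
        for a in section.iter(f"{{{CTX}}}Attribute"):
            vals = {v.text for v in a.iter(f"{{{CTX}}}AttributeValue")}
            attrs.setdefault(a.get("AttributeId"), set()).update(vals)
    return out

# Constructed rule for the redaction scenario: only members of the assumed "pricing"
# group may "view" the "priceInfo" resource; every other request is denied.
POLICY = {"group": "pricing", "resource": "priceInfo", "action": "view"}

def evaluate(xml_text, policy=POLICY):
    """Permit only when subject group, resource and action all match; otherwise Deny."""
    r = parse_request(xml_text)
    groups = r.get("Subject", {}).get(GROUP_ID, set())
    resources = r.get("Resource", {}).get(RESOURCE_ID, set())
    actions = r.get("Action", {}).get(ACTION_ID, set())
    if policy["group"] in groups and policy["resource"] in resources and policy["action"] in actions:
        return "Permit"
    return "Deny"  # missing or mismatched attributes never fall through to Permit
```

A request that omits the group attribute entirely, or names a different resource, is denied rather than left undecided, which is the behaviour a PDP fronting the redaction scenario should exhibit.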

Last updated: Thursday, 3 July 2014
http://publib.boulder.ibm.com/infocenter/prodconn/v1r0m0/topic/com.ibm.scenarios.soawdpwsrr25.doc/topics/csoa2_sample_xacml_security_policy.htm