This topic describes how XACML documents are created.
The XACML documents that are used in the sample were created by the IBM®
Tivoli® Security Policy Manager policy editor, but you can
use any text or XML editor to create such documents. To construct or modify existing XACML policies,
see the OASIS specifications:
https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml.
The XACML security policy that is used in the sample is contained in storeSWPXACML.xml and storePrivateDataXACML.xml. These policies are used to evaluate the request coming in to the policy decision point (PDP). The request is made up of four key elements:
- The Subjects section - Contains the details of the Distinguished Name of the request caller, as well as the groups that the caller belongs to.
- The Resource section - Contains the documents that the caller wants to access. Two types of resource are used in the sample: the first type is the operation on the web service, and the second type is the authorization to the data in the response, in this case the priceInfo resource.
- The Environment section - Contains information about the environment of the request.
- The Action section - Describes what the caller wants to do with the authorized material. In the redaction scenario, the action is simply to view the priceInfo data.
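The following XACML 2.0 request context is an added illustration of those four elements as they would reach the PDP in the redaction scenario; it is not taken from storeSWPXACML.xml or storePrivateDataXACML.xml and is not generated by Tivoli Security Policy Manager. The subject-id, resource-id, action-id and current-time attribute identifiers and the x500Name data type are the standard ones defined by the OASIS XACML specification; the group attribute identifier (urn:example:subject:group), the Distinguished Name, the group name and the time value are constructed for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed XACML 2.0 request: caller "alice" asks to view the priceInfo data. -->
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">

  <!-- Subjects section: the caller's Distinguished Name and group membership.
       The PDP never trusts these values by itself; the PEP (here, the web
       service runtime) must populate them from the authenticated identity. -->
  <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name">
      <AttributeValue>cn=alice,ou=sales,o=example</AttributeValue>
    </Attribute>
    <!-- Group attribute id is constructed; deployments define their own id
         and an LDAP or registry lookup populates it. -->
    <Attribute AttributeId="urn:example:subject:group"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>PricingViewers</AttributeValue>
    </Attribute>
  </Subject>

  <!-- Resource section: the data element the caller wants access to. A second
       request of the same shape would carry the web service operation name as
       its resource-id for the operation-level check. -->
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>priceInfo</AttributeValue>
    </Attribute>
  </Resource>

  <!-- Action section: in the redaction scenario the only action is "view". -->
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>view</AttributeValue>
    </Attribute>
  </Action>

  <!-- Environment section: contextual facts about the request, such as the
       time at which it was made; a policy can use these in a Condition. -->
  <Environment>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
               DataType="http://www.w3.org/2001/XMLSchema#time">
      <AttributeValue>14:05:00</AttributeValue>
    </Attribute>
  </Environment>

</Request>
```

When a policy evaluates this request, its Target typically matches on resource-id (priceInfo) and action-id (view), and a Rule Condition checks the subject's group attribute before returning Permit. Two points to check when writing such a policy: the PEP must treat a NotApplicable or Indeterminate decision as a denial, otherwise a request that carries an unexpected resource-id or a missing group attribute is silently allowed; and the DataType on each request attribute must match the DataType the policy's match functions expect (x500Name versus string for the subject-id, for example), because a mismatch makes the match evaluate to false rather than raising an error.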