This topic describes how XACML documents are created.
The XACML documents used in the sample were created by the IBM® Tivoli® Security
Policy Manager policy editor, but you can use any text or XML editor
to create such documents by hand. To construct or modify existing
XACML policies, see the OASIS specifications:
https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml.
The XACML security policy used in the
sample is contained in
storeSWPXACML.xml and
storePrivateDataXACML.xml.
These policies are used to evaluate the request that comes into the
policy decision point (PDP). The request is made up of four key elements:
- The Subjects section - Contains the Distinguished Name of the caller
who made the request, together with the groups that the caller belongs to.
- The Resource section - Contains the resources that the caller wants
to access. Two types of resource are used in the sample: the first is the
operation on the web service, and the second is the data in the response
that the caller must be authorized to see, in this case the priceInfo
resource.
- The Environment section - Contains information about the environment
of the request.
- The Action section - What the caller wants to do with the protected
resource. In the redaction scenario, the action is simply to view the
priceInfo data.
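The following added example (not part of the sample or of the Tivoli Security Policy Manager runtime) shows what those four elements look like in a XACML 2.0 request context for the priceInfo/view case, together with a small, constructed policy and a toy PDP that evaluates the request against it. The policy, the attribute values (the DN, the group name "priceViewers", the use of the XACML role attribute to carry the caller's group) and the evaluator are all assumptions made for illustration; the evaluator supports only the string-equal match function and the first-applicable rule-combining algorithm, which is enough to show how the Subject, Resource, Action and Environment sections of the request are matched against a rule's Target.

```python
"""Added example: XACML 2.0 request context plus a toy PDP (constructed data)."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
POL = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"

SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"  # assumption: carries the caller's group
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Target vocabulary per request section: wrapper, element, match, designator.
SECTIONS = {
    "Subject": ("Subjects", "Subject", "SubjectMatch", "SubjectAttributeDesignator"),
    "Resource": ("Resources", "Resource", "ResourceMatch", "ResourceAttributeDesignator"),
    "Action": ("Actions", "Action", "ActionMatch", "ActionAttributeDesignator"),
    "Environment": ("Environments", "Environment", "EnvironmentMatch",
                    "EnvironmentAttributeDesignator"),
}

def pol(tag): return f"{{{POL}}}{tag}"
def ctx(tag): return f"{{{CTX}}}{tag}"

def attr(attr_id, value):
    return (f'<Attribute AttributeId="{attr_id}" DataType="{XS_STRING}">'
            f'<AttributeValue>{escape(value)}</AttributeValue></Attribute>')

def make_request(dn, group, resource, action):
    """Build the four-part request context a PEP would send to the PDP (constructed)."""
    return (f'<Request xmlns="{CTX}">'
            f'<Subject>{attr(SUBJECT_ID, dn)}{attr(ROLE, group)}</Subject>'
            f'<Resource>{attr(RESOURCE_ID, resource)}</Resource>'
            f'<Action>{attr(ACTION_ID, action)}</Action>'
            '<Environment/></Request>')

def match(kind, attr_id, value):
    return (f'<{kind}Match MatchId="{STRING_EQUAL}">'
            f'<AttributeValue DataType="{XS_STRING}">{escape(value)}</AttributeValue>'
            f'<{kind}AttributeDesignator AttributeId="{attr_id}" DataType="{XS_STRING}"/>'
            f'</{kind}Match>')

# Constructed policy: members of group "priceViewers" may view priceInfo; anything
# else falls through to the final catch-all Deny rule (first-applicable ordering).
POLICY_XML = (
    f'<Policy xmlns="{POL}" PolicyId="priceInfoPolicy" RuleCombiningAlgId="{FIRST_APPLICABLE}">'
    '<Target/>'
    '<Rule RuleId="permitPriceViewers" Effect="Permit"><Target>'
    f'<Subjects><Subject>{match("Subject", ROLE, "priceViewers")}</Subject></Subjects>'
    f'<Resources><Resource>{match("Resource", RESOURCE_ID, "priceInfo")}</Resource></Resources>'
    f'<Actions><Action>{match("Action", ACTION_ID, "view")}</Action></Actions>'
    '</Target></Rule>'
    '<Rule RuleId="denyEverythingElse" Effect="Deny"/>'
    '</Policy>')

def parse_request(xml):
    """Collect request attributes as {section: {attribute-id: {values}}}."""
    root, req = ET.fromstring(xml), {}
    for section in SECTIONS:
        bag = req.setdefault(section, {})
        for sec in root.findall(ctx(section)):
            for a in sec.findall(ctx("Attribute")):
                bag.setdefault(a.get("AttributeId"), set()).update(
                    v.text for v in a.findall(ctx("AttributeValue")))
    return req

def match_ok(m, attrs, designator):
    if m.get("MatchId") != STRING_EQUAL:
        raise ValueError(f"toy PDP: unsupported MatchId {m.get('MatchId')}")
    wanted = m.find(pol("AttributeValue")).text
    attr_id = m.find(pol(designator)).get("AttributeId")
    return wanted in attrs.get(attr_id, set())  # designator yields a bag of values

def target_matches(target, req):
    """Absent or empty Target matches anything. Within a section the <Subject>
    (etc.) elements are ORed; the *Match elements inside one are ANDed."""
    if target is None:
        return True
    for section, (plural, single, mtag, designator) in SECTIONS.items():
        group = target.find(pol(plural))
        if group is None:
            continue  # section not constrained by this target
        if not any(all(match_ok(m, req[section], designator) for m in e.findall(pol(mtag)))
                   for e in group.findall(pol(single))):
            return False
    return True

def evaluate(policy_xml, request_xml):
    """Return Permit, Deny or NotApplicable (first-applicable combining only)."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != FIRST_APPLICABLE:
        raise ValueError("toy PDP implements first-applicable only")
    req = parse_request(request_xml)
    if not target_matches(policy.find(pol("Target")), req):
        return "NotApplicable"
    for rule in policy.findall(pol("Rule")):
        if target_matches(rule.find(pol("Target")), req):
            return rule.get("Effect")
    return "NotApplicable"

def decide(dn, group, resource, action):
    return evaluate(POLICY_XML, make_request(dn, group, resource, action))

if __name__ == "__main__":
    print(decide("cn=alice,o=example", "priceViewers", "priceInfo", "view"))
    print(decide("cn=bob,o=example", "guests", "priceInfo", "view"))
```

Two points worth keeping in mind when writing policies like this by hand: the order of Rule elements matters under first-applicable (a catch-all Deny placed first would shadow every Permit), and a request section that a rule's Target does not mention is unconstrained, so a rule that names only the Resource applies to every subject and every action.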