Access Management 7.3.2

Import from XACML

To test an import, AM provides a dry run feature that runs an import without saving the changes to the database. The dry run feature provides a summary of the import so that you can troubleshoot any potential mismatches prior to the actual import.

Import policies in XACML format (UI)

  1. In the AM admin UI, go to Realms > Realm Name > Authorization > Policy Sets, and click Import Policy Sets.

  2. Browse to the XACML format file, select it, and click Open.

    Any policy sets in the selected XACML format file, and the policies within them, are imported.

    Policy sets and resource types are generated from the details in the XACML format file, but may not match the definitions of the originals; for example, the names are auto-generated.

Import policies in XACML format (REST)

You can import a XACML policy using an HTTP POST request for the root realm or a specific realm at the following endpoints:

https://openam.example.com:8443/openam/xacml/policies
https://openam.example.com:8443/openam/xacml/realm/policies

Here, realm is the name of a specific realm.

  1. You can do a dry run using the dryrun=true query parameter to test the import. The dry run outputs JSON that shows the status of each imported policy, where "U" indicates "Updated" and "A" indicates "Added". The dry run does not update the database. When you are ready for the actual import, re-run the command without the dryrun=true query parameter.

    $ curl \
    --request POST \
    --header "Content-Type: application/xml" \
    --header "iPlanetDirectoryPro: AQIC5…​" \
    --data @xacml-policy.xml \
    "https://openam.example.com:8443/openam/xacml/policies?dryrun=true"
    [
        {
            "status":"A",
            "name":"aNewPolicy"
        },
        {
            "status":"U",
            "name":"anExistingPolicy"
        },
        {
            "status":"U",
            "name":"anotherExistingPolicy"
        }
    ]

  2. Use the /xacml/policies endpoint to import a XACML policy:

    $ curl \
    --request POST \
    --header "Content-Type: application/xml" \
    --header "iPlanetDirectoryPro: AQIC5…​" \
    --data @xacml-policy.xml \
    "https://openam.example.com:8443/openam/xacml/policies"

    You can import a XACML policy into a realm as follows:

    $ curl \
    --request POST \
    --header "Content-Type: application/xml" \
    --header "iPlanetDirectoryPro: AQIC5…​" \
    --data @xacml-policy.xml \
    "https://openam.example.com:8443/openam/xacml/realm/policies"

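The following is an added example, not part of the AM documentation: a Python check that reads the dry-run JSON from step 1 and blocks the real import when an existing policy would be updated that the operator did not expect, or when a status other than the documented "A" and "U" appears. The function name and the expected_updates allow-list are assumptions for illustration; the sample input is the dry-run output shown above.

```python
import json

# Constructed sample: the dry-run response shown on this page.
SAMPLE_DRY_RUN = """[
  {"status": "A", "name": "aNewPolicy"},
  {"status": "U", "name": "anExistingPolicy"},
  {"status": "U", "name": "anotherExistingPolicy"}
]"""


def review_dry_run(response_text, expected_updates=()):
    """Classify a dry-run summary and decide whether the real import may run.

    expected_updates: names of existing policies the operator intends to
    overwrite (hypothetical change-control input, not an AM parameter).
    """
    entries = json.loads(response_text)
    if not isinstance(entries, list):
        raise ValueError("dry-run response is not a JSON array")

    added, updated, unknown = [], [], []
    for entry in entries:
        if not isinstance(entry, dict) or "name" not in entry:
            unknown.append(repr(entry))
            continue
        status = entry.get("status")
        if status == "A":
            added.append(entry["name"])
        elif status == "U":
            updated.append(entry["name"])
        else:
            # Only "A" and "U" are documented; treat anything else as a blocker.
            unknown.append(entry["name"])

    # An update replaces an authorization policy already in the realm.
    unexpected = sorted(set(updated) - set(expected_updates))
    return {
        "added": added,
        "updated": updated,
        "unexpected_updates": unexpected,
        "unknown": unknown,
        "proceed": not unexpected and not unknown,
    }


if __name__ == "__main__":
    report = review_dry_run(SAMPLE_DRY_RUN, expected_updates=["anExistingPolicy"])
    print(json.dumps(report, indent=2))
```
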
Import policies in XACML format (ssoadm)

Use the ssoadm create-xacml command:

$ ssoadm \
 create-xacml \
 --realm "/" \
 --adminid uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org \
 --password-file /tmp/pwd.txt \
 --xmlfile policy.xml
Policies were created under realm, /.

For more information on the syntax of this command, see ssoadm create-xacml.