---
title: Export to XACML
description: AM only exports a policy set that contains policy definitions. No other types can be included in the policy set, such as sub-policy sets or rules.
component: pingam
version: 8.1
page_id: pingam:am-authorization:xacml-export
canonical_url: https://docs.pingidentity.com/pingam/8.1/am-authorization/xacml-export.html
keywords: ["Authorization", "Policy", "Administration", "XACML"]
page_aliases: ["authorization-guide:xacml-export.adoc"]
section_ids:
  export-policy-to-xacml-xui: Export policies in XACML format (UI)
  export-policies: Export policies in XACML format (REST)
  export-policies-search-filter: Export policies in XACML format with search filters (REST)
---

# Export to XACML

AM only exports a policy set that contains policy definitions. No other types can be included in the policy set, such as sub-policy sets or rules.

> **Collapse: Policy sets to XACML mappings**
>
> | AM                                           | XACML                         |
> | -------------------------------------------- | ----------------------------- |
> | Realm:\<timestamp> (yyyy.MM.dd.HH.mm.ss.SSS) | PolicySet ID                  |
> | Current Time (yyyy.MM.dd.HH.mm.ss.SSS)       | Version                       |
> | Deny Overrides                               | Policy Combining Algorithm ID |
> | No targets defined                           | Target                        |

When exporting AM policies to XACML 3.0 policy sets, AM maps its policies to XACML 3.0 policy elements.

> **Collapse: Policies to XACML mappings**
>
> | AM Policy | XACML Policy |
> | --- | --- |
> | Policy Name | Policy ID |
> | Description | Description |
> | Current Time (yyyy.MM.dd.HH.mm.ss.SSS) | Version |
> | xacml rule target | entitlement excluded resource names |
> | Rule Deny Overrides | Rule Combining Algorithm ID |
> | Any of: Entitlement Subject, Resource Names, Policy Set Names, Action Values | Target |
> | Any of: Policy Set Name, Entitlement Name, Privilege Created By, Privilege Modified By, Privilege Creation Date, Privilege Last Modification Date | Variable Definitions |
> | Single Level Permit/Deny Actions converted to Policy Rules | Rules |
>
> **Note:** XACML obligation is not supported. Also, only one XACML match is defined for each privilege action, and only one XACML rule for each privilege action value.

## Export policies in XACML format (UI)

1. In the AM admin UI, go to Realms > *realm name* > Authorization > Policy Sets, and click Export Policy Sets.

   All policy sets, and the policies within them, are exported in XACML format.

## Export policies in XACML format (REST)

The export service is available at the `/xacml/policies` endpoint. Send an HTTP GET request to one of the following URLs, for the root realm or a specific realm:

* Root realm: `https://am.example.com:8443/am/xacml/policies`
* Specific realm: `https://am.example.com:8443/am/xacml/realm/policies`

Here, *realm* is the name of a specific realm.

> **Note:** You can filter your XACML exports using query search filters. See [Export policies in XACML format with search filters (REST)](#export-policies-search-filter).

1. Use the `/xacml/policies` endpoint to export the AM entitlement policies into XACML 3.0 format.

   The following curl command exports the policies and returns the XACML response (truncated for display purposes).

   ```bash
   $ curl \
   --request GET \
   --header "iPlanetDirectoryPro: AQIC5…" \
   "https://am.example.com:8443/am/xacml/policies"
   <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
   <PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
    Version="2014.10.08.21.59.39.231" PolicySetId="/:2014.10.08.21.59.39.231">
    <Target/>
    <Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
     Version="2014.10.08.18.01.03.626"
     PolicyId="Rockshop_Checkout_https://forgerock-rockshop.openrock.org:443/wp-login.php*?*">
     …
   ```
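A saved export can be checked against the mapping tables above before it is archived or diffed. The following is an added example, not code from the AM documentation: it parses a constructed sample response and reports the realm and export time from `PolicySetId`, whether any sub-policy set is present, and each policy's combining algorithm and rule effects. The function name `summarize_export`, the sample policy name and the rule IDs are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
TS_FORMAT = "%Y.%m.%d.%H.%M.%S.%f"  # yyyy.MM.dd.HH.mm.ss.SSS

# Constructed sample modelled on the truncated response above; the policy
# name, rule IDs and rule layout are placeholders, not real AM output.
SAMPLE_EXPORT = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
 PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
 Version="2014.10.08.21.59.39.231" PolicySetId="/:2014.10.08.21.59.39.231">
 <Target/>
 <Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
  Version="2014.10.08.18.01.03.626" PolicyId="ExamplePolicy">
  <Target/>
  <Rule Effect="Permit" RuleId="example-permit-rule"/>
  <Rule Effect="Deny" RuleId="example-deny-rule"/>
 </Policy>
</PolicySet>"""

def summarize_export(xml_text):
    """Return realm, export time and a per-policy summary of an exported PolicySet."""
    # Use a hardened parser such as defusedxml for XML of unknown origin.
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{%s}PolicySet" % XACML_NS:
        raise ValueError("root element is not a XACML 3.0 PolicySet")
    # PolicySetId is "<realm>:<timestamp>"; the timestamp contains no colon.
    realm, _, stamp = root.get("PolicySetId", "").rpartition(":")
    summary = {
        "realm": realm,
        "exported_at": datetime.strptime(stamp, TS_FORMAT),
        # The page states that exports never contain sub-policy sets.
        "nested_policy_sets": len(root.findall(".//x:PolicySet", NS)),
        "policies": [],
    }
    for policy in root.findall("x:Policy", NS):
        effects = [rule.get("Effect") for rule in policy.findall("x:Rule", NS)]
        summary["policies"].append({
            "id": policy.get("PolicyId"),
            "version": datetime.strptime(policy.get("Version"), TS_FORMAT),
            "deny_overrides": policy.get("RuleCombiningAlgId") == DENY_OVERRIDES,
            "permit_rules": effects.count("Permit"),
            "deny_rules": effects.count("Deny"),
        })
    return summary
```

Comparing the summaries of two exports taken at different times shows which policies were added, removed or re-versioned in between.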

## Export policies in XACML format with search filters (REST)

Note the following points about the search filters:

* **LDAP-based searches**. The search filters follow the standard guidelines for LDAP searches as they are applied to the entitlements index in the LDAP configuration backend, located at: `ou=default,ou=OrganizationalConfig,ou=1.0,ou=sunEntitlementIndexes,ou=services,dc=am,dc=example,dc=com`.

* **Search filter format**. You can specify a single search filter or multiple filters in the HTTP URL parameters. The format for the search filter is as follows:

  ```
  [attribute name][operator][attribute value]
  ```

  If you specify multiple search filters, they are logically ANDed: the search results meet the criteria specified in all the search filters.

  > **Collapse: XACML export search filter format**
  >
  > | Element         | Description                                                                                                                                                                                                      |
  > | --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
  > | Attribute Name  | The name of the attribute to be searched for. The only permissible values are: `application` (keyword for policy set), `createdby`, `lastmodifiedby`, `creationdate`, `lastmodifieddate`, `name`, `description`. |
  > | Operator        | The type of comparison operation to perform: `=` Equals (text), `<` Less Than or Equal To (numerical), `>` Greater Than or Equal To (numerical). |
  > | Attribute Value | The matching value. Asterisk wildcards are supported.                                                                                                                                                            |

  1. Use the `/xacml/policies` endpoint to export the policies into XACML 3.0 format with a search filter.

     This command only exports policies that were created by "amadmin".

     ```bash
     $ curl \
     --request GET \
     --header "iPlanetDirectoryPro: AQIC5…" \
     "https://am.example.com:8443/am/xacml/policies?filter=createdby=amadmin"
     ```

  2. You can also specify more than one search filter by logically ANDing the filters as follows:

     ```bash
     $ curl \
     --request GET \
     --header "iPlanetDirectoryPro: AQIC5…" \
     "https://am.example.com:8443/am/xacml/policies?filter=createdby=amadmin&filter=creationdate=135563832"
     ```
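When export URLs are generated by a script rather than typed by hand, the filter rules above can be enforced before the request is sent. The following is an added example, not code from the AM documentation: it accepts only the attribute names and operators listed in the table, requires numerical values for `<` and `>`, and percent-encodes each filter so that a value containing `&` or `#` cannot split into extra query parameters. The function name `build_export_url` and its parameters are assumptions.

```python
from urllib.parse import quote, urlencode

# Attribute names and operators exactly as listed in the filter-format table.
ALLOWED_ATTRIBUTES = {
    "application", "createdby", "lastmodifiedby", "creationdate",
    "lastmodifieddate", "name", "description",
}
NUMERIC_OPERATORS = {"<", ">"}
OPERATORS = {"="} | NUMERIC_OPERATORS


def build_export_url(base_url, filters, realm=None):
    """Build the export URL from (attribute, operator, value) triples.

    base_url is the AM deployment URL, e.g. https://am.example.com:8443/am.
    """
    path = "/xacml/policies"
    if realm is not None:
        path = "/xacml/%s/policies" % quote(realm, safe="")
    params = []
    for attribute, operator, value in filters:
        value = str(value)
        if attribute not in ALLOWED_ATTRIBUTES:
            raise ValueError("unsupported attribute: %r" % attribute)
        if operator not in OPERATORS:
            raise ValueError("unsupported operator: %r" % operator)
        if not value:
            raise ValueError("empty value for %s" % attribute)
        if operator in NUMERIC_OPERATORS and not (value.isascii() and value.isdigit()):
            raise ValueError("%s needs a numerical value" % operator)
        params.append(("filter", attribute + operator + value))
    # Percent-encode each filter so '&', '#' or spaces in a value stay inside
    # that one filter parameter; '=' and '*' are left readable.
    query = urlencode(params, safe="=*")
    return base_url.rstrip("/") + path + ("?" + query if query else "")
```

Each triple becomes its own `filter` parameter, so multiple triples are ANDed by the server as described above.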
