Entitlement with REST APIs
Entitlement management is the process that grants, resolves, enforces,
revokes and administers fine-grained access privileges.
The WSO2 Identity Server supports REST APIs for entitlement management via the
https://{IS_IP}:{IS_PORT}/api/identity/entitlement/decision/
endpoint.
If your WSO2 Identity Server is running on localhost (127.0.0.1) and on the default port, the entitlement endpoint is:
https://localhost:9443/api/identity/entitlement/decision/
Note
The REST APIs are secured with basic authentication. Follow the steps below to add a basic auth header when calling these methods.
- Build a string of the form username:password and encode it using Base64.
- Define an authorization header with the term Basic, followed by the encoded string.
  For example, the basic authorization header for admin user with password admin is:
  Authorization: Basic YWRtaW46YWRtaW4=
Get API resource list
Description | Get the API resource list according to XACML 3.0 specification.
Resource Path | /home
HTTP Method | GET
Request/Response Format | application/json, application/xml
Authentication | Basic
Username | admin
Password | admin
Parameters |
Accept | header | Request Media Type | Yes | string
Auth_Type | header | Authentication Type | Yes | string
Authorization | header | Add HTTP Basic Authorization | Yes | string
Content-type | header | Response Media Type | Yes | string
Response |
200 | XACML JSON/XML Response
40010 | Error in response | ExceptionBean { code:integer message:string }
40020 | Request parse exception | ExceptionBean { code:integer message:string }
A sample request and response are as follows:
Sample request |
|
Sample Response |
|
Evaluate XACML request
Description | Get a response by evaluating the JSON/XML XACML request.
Resource Path | /pdp
HTTP Method | POST
Request/Response Format | application/json, application/xml
Authentication | Basic
Username | admin
Password | admin
Parameters |
Accept | header | Request Media Type | Yes | string
Auth_Type | header | Authentication Type | Yes | string
Authorization | header | Add HTTP Basic Authorization | Yes | string
Content-type | header | Response Media Type | Yes | string
body | body | XACML JSON/XML Request | Yes | string
Response |
200 | XACML JSON/XML Response
40010 | Error in response | ExceptionBean { code:integer message:string }
40020 | Request parse exception | ExceptionBean { code:integer message:string }
A sample request and response are as follows:
XACML Policy Evaluated |
|
Sample Request |
|
Sample Response |
|
Evaluate XACML request by attributes
Description | Get a response by evaluating attributes.
Resource Path | /by-attrib
HTTP Method | POST
Request/Response Format | application/json, application/xml
Authentication | Basic
Username | admin
Password | admin
Parameters |
Accept | header | Request Media Type | Yes | string
Auth_Type | header | Authentication Type | Yes | string
Authorization | header | Add HTTP Basic Authorization | Yes | string
Content-type | header | Response Media Type | Yes | string
body | body | Decision Request Model | Yes |
  DecisionRequestModel {
    subject:string
    action:string
    resource:string
    environment:[ string ]
  }
Response |
200 | Method call success | HomeResponseModel { }
40010 | Error in response | ExceptionBean { code:integer message:string }
40020 | Request parse exception | ExceptionBean { code:integer message:string }
A sample request and response are as follows:
A sample request |
|
A sample response |
|
Evaluate XACML request by attributes and receive boolean response
Description | Get a boolean response by evaluating attributes.
Resource Path | /by-attrib-boolean
HTTP Method | POST
Request/Response Format | application/json, application/xml
Authentication | Basic
Username | admin
Password | admin
Parameters |
Accept | header | Request Media Type | Yes | string
Auth_Type | header | Authentication Type | Yes | string
Authorization | header | Add HTTP Basic Authorization | Yes | string
Content-type | header | Response Media Type | Yes | string
body | body | Decision Request Model | Yes |
  DecisionRequestModel {
    subject:string
    action:string
    resource:string
    environment:[ string ]
  }
Response |
200 | XACML JSON/XML Response
40010 | Error in response | ExceptionBean { code:integer message:string }
40020 | Request parse exception | ExceptionBean { code:integer message:string }
A sample request and response are as follows:
A sample request |
|
A sample response |
|
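The following is an added example, not taken from the WSO2 documentation: it builds the Basic authorization header described in the note at the top of the page and prepares (without sending) a POST for /by-attrib or /by-attrib-boolean with a DecisionRequestModel body, then recognises an ExceptionBean in an error body. The Auth_Type value, the HTTPS check, the JSON serialisation of ExceptionBean and the subject, action and resource values are assumptions.

```python
import base64
import json
import urllib.request

# Default local endpoint from the page; no trailing slash so paths can be appended.
BASE_URL = "https://localhost:9443/api/identity/entitlement/decision"

def basic_auth_header(username: str, password: str) -> str:
    """Return 'Basic <base64(username:password)>' as the note above describes."""
    if ":" in username:
        # A colon in the username would shift the username/password split.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def build_decision_request(path, subject, action, resource, environment,
                           username, password, base_url=BASE_URL):
    """Build (without sending) a POST whose body is a DecisionRequestModel."""
    if not base_url.lower().startswith("https://"):
        # Base64 is an encoding, not encryption: the header must travel over TLS.
        raise ValueError("refusing to attach Basic credentials to a non-HTTPS URL")
    body = json.dumps({"subject": subject, "action": action,
                       "resource": resource, "environment": list(environment)})
    headers = {
        "Authorization": basic_auth_header(username, password),
        "Auth_Type": "Basic",  # assumed value, taken from the Authentication row
        "Accept": "application/json",
        "Content-Type": "application/json",
    }
    return urllib.request.Request(base_url + path, data=body.encode("utf-8"),
                                  headers=headers, method="POST")

def parse_exception_bean(raw: str):
    """Return (code, message) if raw is an ExceptionBean-shaped JSON object, else None."""
    try:
        obj = json.loads(raw)
    except ValueError:
        return None
    if isinstance(obj, dict) and isinstance(obj.get("code"), int) \
            and isinstance(obj.get("message"), str):
        return obj["code"], obj["message"]
    return None

if __name__ == "__main__":
    # Constructed values; subject, action and resource names are hypothetical.
    req = build_decision_request("/by-attrib-boolean", "admin", "read",
                                 "/orders/1", [], "admin", "admin")
    print(req.get_method(), req.full_url, req.get_header("Authorization"))
```

The request object can be passed to urllib.request.urlopen with an ssl context that trusts the server's certificate.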
Get entitled attributes
Description | Get entitled attributes for a given set of parameters.
Resource Path | /entitled-attribs
HTTP Method | POST
Request/Response Format | application/json, application/xml
Authentication | Basic
Username | admin
Password | admin
Parameters |
Accept | header | Request Media Type | Yes | string
Auth_Type | header | Authentication Type | Yes | string
Authorization | header | Add HTTP Basic Authorization | Yes | string
Content-type | header | Response Media Type | Yes | string
body | body | Decision Request Model | Yes |
  EntitledAttributesRequestModel {
    subjectName:string
    resourceName:string
    subjectId:string
    action:string
    enableChildSearch:boolean
  }
Response |
200 | Entitled attributes response |
  EntitledAttributesResponseModel {
    entitledResultSetDTO:EntitledResultSetDTO {
      entitledAttributesDTOs:[
        EntitledAttributesDTO {
          resourceName:string
          action:string
          environment:string
          allActions:boolean
          allResources:boolean
          attributeDTOs:[
            AttributeDTO {
              attributeValue:string
              attributeDataType:string
              attributeId:string
              category:string
            }
          ]
        }
      ]
      advanceResult:boolean
      message:string
      messageType:string
    }
  }
40010 | Error in response | ExceptionBean { code:integer message:string }
40020 | Request parse exception | ExceptionBean { code:integer message:string }
A sample request and response are as follows:
A sample request |
|
A sample response |
|
Get all entitlements
Description | Get all entitlements for a given set of parameters.
Resource Path | /entitlements-all
HTTP Method | POST
Request/Response Format | application/json, application/xml
Authentication | Basic
Username | admin
Password | admin
Parameters |
Accept | header | Request Media Type | Yes | string
Auth_Type | header | Authentication Type | Yes | string
Authorization | header | Add HTTP Basic Authorization | Yes | string
Content-type | header | Response Media Type | Yes | string
body | body | All Entitlements Model | Yes |
  AllEntitlementsRequestModel {
    identifier:string
    givenAttributes:[
      AttributeDTO {
        attributeValue:string
        attributeDataType:string
        attributeId:string
        category:string
      }
    ]
  }
Response |
200 | All entitlements response |
  AllEntitlementsResponseModel {
    entitledResultSetDTO:EntitledResultSetDTO {
      entitledAttributesDTOs:[
        EntitledAttributesDTO {
          resourceName:string
          action:string
          environment:string
          allActions:boolean
          allResources:boolean
          attributeDTOs:[
            AttributeDTO {
              attributeValue:string
              attributeDataType:string
              attributeId:string
              category:string
            }
          ]
        }
      ]
      advanceResult:boolean
      message:string
      messageType:string
    }
  }
40010 | Error in response | ExceptionBean { code:integer message:string }
40020 | Request parse exception | ExceptionBean { code:integer message:string }
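The following is an added example, not WSO2 code: it flattens a response shaped like the entitledResultSetDTO that /entitled-attribs and /entitlements-all both return, and picks out entries with allActions or allResources set so they can be reviewed. The sample JSON is constructed from the model above, and reading those two flags as broad grants is an assumption based on the field names.

```python
import json

# Constructed sample shaped after EntitledAttributesResponseModel; values are made up.
SAMPLE_RESPONSE = """
{"entitledResultSetDTO": {
  "entitledAttributesDTOs": [
    {"resourceName": "/orders/*", "action": "read", "environment": null,
     "allActions": false, "allResources": false,
     "attributeDTOs": [{"attributeValue": "read",
                        "attributeDataType": "http://www.w3.org/2001/XMLSchema#string",
                        "attributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                        "category": "urn:oasis:names:tc:xacml:3.0:attribute-category:action"}]},
    {"resourceName": null, "action": null, "environment": null,
     "allActions": true, "allResources": true, "attributeDTOs": []}
  ],
  "advanceResult": false, "message": null, "messageType": null}}
"""

def flatten_entitlements(response: dict) -> list:
    """Return one flat record per EntitledAttributesDTO, tolerating missing keys."""
    result_set = response.get("entitledResultSetDTO") or {}
    rows = []
    for dto in result_set.get("entitledAttributesDTOs") or []:
        rows.append({
            "resource": dto.get("resourceName"),
            "action": dto.get("action"),
            "environment": dto.get("environment"),
            "all_actions": bool(dto.get("allActions")),
            "all_resources": bool(dto.get("allResources")),
            "attributes": [(a.get("category"), a.get("attributeId"), a.get("attributeValue"))
                           for a in dto.get("attributeDTOs") or []],
        })
    return rows

def wildcard_grants(rows: list) -> list:
    """Select records whose allActions or allResources flag is set, for review."""
    return [r for r in rows if r["all_actions"] or r["all_resources"]]

if __name__ == "__main__":
    rows = flatten_entitlements(json.loads(SAMPLE_RESPONSE))
    for row in wildcard_grants(rows):
        print("broad entitlement:", row)
```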