Enabling REST Notifications For XACML Policy Updates

This topic provides instructions on how to enable notifications for XACML policy changes.

  1. Register EntitlementNotificationListener in order to receive notifications on XACML policy changes. To do this, add the following entries to the <PRODUCT_HOME>/repository/conf/identity/entitlement.properties file.


    Note: If you already have a PAP.Status.Data.Handler.2 configured, you must add this extension as PAP.Status.Data.Handler.3.

  2. Configure the <PRODUCT_HOME>/repository/conf/identity/msg-mgt.properties file with your desired destination configurations and template configurations. The following is a sample configuration for sending JSON content to an endpoint when there is an XACML policy change.


    The following table lists the properties and their descriptions.

    module.name.1=json
        Defining this property registers the JSON sending module in the Notification-Mgt framework, so that the JSON sending module acts as a listener.

    Subscription to the policyUpdate event
        The first subscription by the JSON module is 'policyUpdate'. When a policy change happens (update, create or delete), an event is triggered by the system. Using this configuration, the JSON module subscribes to that particular event and sends a REST call when the event occurs.

        This subscription is defined as policyUpdate (this value must be used, since it is the name of the event published by the publishing party). From this point onwards you must use json.subscription.policyUpdate as the prefix for properties relevant to this subscription.

    REST message template
        This is the template for the REST call. You can configure your template so that it has placeholders. These placeholders are replaced with dynamic values that come from the event, or you can define values for these placeholders through your configuration.

        The following is a sample REST message with placeholders.

            {"TargetID":"(targetId)","Username":"(username)", "Target":"(target)","Action":"(action)"}

        The dynamic data that comes with the policyUpdate event can be of the following types.

        - operation
        - targetId
        - username
        - target
        - action

    json.subscription.policyUpdate.endpoint.1=pepEndpoint1
        This is the first endpoint definition for the policyUpdate event subscription. From this point onwards, you are defining properties that are relevant to this endpoint. The name of the first endpoint is defined here as pepEndpoint1 (you can provide any name). From this point onwards you must use json.subscription.policyUpdate.endpoint.pepEndpoint1 as the prefix for properties relevant to this endpoint.

    json.subscription.policyUpdate.endpoint.pepEndpoint1.address=https://localhost:9443/restEndpoint
        This endpoint configuration defines the address to which the content is posted.

    json.subscription.policyUpdate.endpoint.pepEndpoint1.AuthenticationRequired=true
        This optional property makes the module authenticate to the REST endpoint it is calling using basic auth. If you set this property to true, the username and password must be defined for the endpoint.

    json.subscription.policyUpdate.endpoint.pepEndpoint1.username=admin
        The username used to access the endpoint.

    json.subscription.policyUpdate.endpoint.pepEndpoint1.password=admin
        The password used to access the endpoint.
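The two pieces of behaviour the configuration above relies on are placeholder substitution into the REST template and basic-auth on the receiving endpoint. The following added example (not code from WSO2 Identity Server or its Notification-Mgt module) illustrates both sides in Python: it fills the page's sample template from a constructed policyUpdate event while JSON-escaping each value, so that a policy name containing a double quote cannot break the message, and it shows how the endpoint named by `pepEndpoint1.address` can check the `Authorization` header that `AuthenticationRequired=true` causes the module to send. The event dictionary, the helper names and the escaping strategy are assumptions for this illustration; how the product itself performs substitution is not stated on this page.

```python
import base64
import hmac
import json
import re

# Copy of the sample REST message template shown above (placeholders in parentheses).
TEMPLATE = ('{"TargetID":"(targetId)","Username":"(username)", '
            '"Target":"(target)","Action":"(action)"}')

# Placeholder syntax assumed for this example: a name wrapped in parentheses.
PLACEHOLDER = re.compile(r"\(([A-Za-z]+)\)")


def render_template(template, event):
    """Replace each (name) placeholder with the matching event value.

    Values are passed through json.dumps and the surrounding quotes stripped,
    so quotes, backslashes and control characters in a value are escaped and
    the message stays well-formed JSON. Unknown placeholders become "".
    """
    def substitute(match):
        value = event.get(match.group(1), "")
        return json.dumps(str(value))[1:-1]
    return PLACEHOLDER.sub(substitute, template)


def render_and_parse(template, event):
    """Render the template and parse the result, proving it is valid JSON."""
    return json.loads(render_template(template, event))


def basic_auth_header(username, password):
    """Build the Authorization header value a basic-auth client sends."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def check_basic_auth(header, expected_user, expected_password):
    """Receiver-side check of a Basic Authorization header.

    Uses constant-time comparison so timing does not leak which part of the
    credential pair was wrong. Malformed headers are rejected.
    """
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    return (hmac.compare_digest(user.encode(), expected_user.encode())
            and hmac.compare_digest(password.encode(), expected_password.encode()))


# Constructed sample policyUpdate event; the target name deliberately contains
# a double quote to exercise the escaping in render_template.
SAMPLE_EVENT = {
    "operation": "UPDATE",
    "targetId": "policy-42",
    "username": "admin",
    "target": 'Policy "v2"',
    "action": "UPDATE",
}

if __name__ == "__main__":
    body = render_template(TEMPLATE, SAMPLE_EVENT)
    print(body)
    print(render_and_parse(TEMPLATE, SAMPLE_EVENT))
    header = basic_auth_header("admin", "admin")
    print(header, check_basic_auth(header, "admin", "admin"))
```

Because basic auth carries the username and password on every request, the address the module posts to should be an HTTPS URL, as in the sample above; the receiving endpoint should also reject requests whose header fails the check before it acts on the policy change.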