Role

When an authorization-by-role policy is applied, an authenticated user whose LDAP role matches the role named in the policy is authorized to invoke the target operation; every other request falls through to the policy's default rule, which in the example below is an unconditional Deny.

  • The consumer sends a request carrying the user name and password either in the HTTP header (Basic authentication) or as a UsernameToken in the WS-Security header of the SOAP message.
  • The Basic or UsernameToken authentication policy authenticates the request against LDAP and retrieves the LDAP attributes or roles of the user.
  • After the authentication policy runs, the gateway invokes the authorization policy. Using the SOAP operation name taken from the request and the role information retrieved from LDAP during authentication, the authorization policy decides whether the user sending the request is authorized to invoke that SOAP operation.

Example Policy

Authorization By Role Policy

The policy below denies every operation by default (the tpa:Default rule, whose always-true condition makes the Deny unconditional) and permits only the queryBookByAuthorBW operation, and only to callers whose LDAP roles include Accounting Managers (the tpa:Operation rule). An operation that has no tpa:Operation rule of its own falls through to the default Deny.

<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy
    xmlns:tpa="http://xsd.tns.tibco.com/governance/policy/action/2009"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wssp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:All>
    <wsp:Policy>
      <wsp:All>
        <tpa:Authorization>
          <tpa:ByRole>
            <!-- Default rule: applied to any operation that no tpa:Operation rule
                 matches. The always-true condition makes this Deny unconditional. -->
            <tpa:Default>
              <xacml:Rule Effect="Deny" RuleId="">
                <xacml:Condition>
                  <xacml:Apply FunctionId="always-true">
                  </xacml:Apply>
                </xacml:Condition>
              </xacml:Rule>
            </tpa:Default>
            <!-- Per-operation rule: the Target names the SOAP operation, the
                 Condition names the LDAP role the caller must hold. -->
            <tpa:Operation>
              <xacml:Rule Effect="Permit" RuleId="">
                <xacml:Target>
                  <xacml:Actions>
                    <xacml:Action>
                      <xacml:ActionMatch MatchId="http://tempuri.org">
                        <!--
                        <xacml:AttributeValue DataType="xsd:string">GetBooks</xacml:AttributeValue>
                        -->
                        <xacml:AttributeValue DataType="xsd:string">queryBookByAuthorBW</xacml:AttributeValue>
                        <xacml:AttributeSelector DataType="xsd:string"
                                                 RequestContextPath="" />
                      </xacml:ActionMatch>
                    </xacml:Action>
                  </xacml:Actions>
                </xacml:Target>
                <xacml:Condition>
                  <xacml:Apply FunctionId="is-in">
                    <xacml:AttributeValue DataType="xsd:string">Accounting Managers</xacml:AttributeValue>
                  </xacml:Apply>
                </xacml:Condition>
              </xacml:Rule>
            </tpa:Operation>
          </tpa:ByRole>
        </tpa:Authorization>
      </wsp:All>
    </wsp:Policy>
  </wsp:All>
</wsp:Policy>
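The decision logic described in the steps above, applied to a policy of the shape shown, as an added example written for this page. It is not TIBCO code and does not use the gateway's engine: it parses the tpa:ByRole structure with the Python standard library and returns Permit or Deny for a given SOAP operation and caller role set. The embedded policy is constructed to mirror the sample above. Three points are assumptions rather than documented product behaviour: the requested operation is matched against the text of the ActionMatch AttributeValue, the is-in condition holds when the caller holds at least one listed role, and role names are compared as exact strings (a differently cased or spelled LDAP group name is therefore denied).

```python
"""Offline evaluator for the Authorization-by-Role policy shape shown above.

Added example, not TIBCO code. Assumptions (also stated in the lead-in):
operation matched against ActionMatch/AttributeValue text; "is-in" holds when
the caller holds at least one listed role; role names compared as exact strings.
"""
import xml.etree.ElementTree as ET

NS = {
    "tpa": "http://xsd.tns.tibco.com/governance/policy/action/2009",
    "xacml": "urn:oasis:names:tc:xacml:2.0:policy:schema:os",
}

# Constructed policy mirroring the page's example: default Deny, one Permit rule.
POLICY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:tpa="http://xsd.tns.tibco.com/governance/policy/action/2009"
            xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  <wsp:All>
    <tpa:Authorization>
      <tpa:ByRole>
        <tpa:Default>
          <xacml:Rule Effect="Deny" RuleId="default-deny">
            <xacml:Condition><xacml:Apply FunctionId="always-true"/></xacml:Condition>
          </xacml:Rule>
        </tpa:Default>
        <tpa:Operation>
          <xacml:Rule Effect="Permit" RuleId="permit-query">
            <xacml:Target><xacml:Actions><xacml:Action>
              <xacml:ActionMatch MatchId="http://tempuri.org">
                <xacml:AttributeValue DataType="xsd:string">queryBookByAuthorBW</xacml:AttributeValue>
              </xacml:ActionMatch>
            </xacml:Action></xacml:Actions></xacml:Target>
            <xacml:Condition>
              <xacml:Apply FunctionId="is-in">
                <xacml:AttributeValue DataType="xsd:string">Accounting Managers</xacml:AttributeValue>
              </xacml:Apply>
            </xacml:Condition>
          </xacml:Rule>
        </tpa:Operation>
      </tpa:ByRole>
    </tpa:Authorization>
  </wsp:All>
</wsp:Policy>
"""


def load_policy(xml_text):
    """Parse a ByRole policy into (default_effect, [(operations, effect, roles), ...])."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    by_role = root.find(".//tpa:ByRole", NS)
    if by_role is None:
        raise ValueError("policy has no tpa:ByRole element")

    # Fail closed: if the author omitted tpa:Default, treat the default as Deny.
    default_rule = by_role.find("tpa:Default/xacml:Rule", NS)
    default_effect = default_rule.get("Effect", "Deny") if default_rule is not None else "Deny"

    rules = []
    for rule in by_role.findall("tpa:Operation/xacml:Rule", NS):
        ops = {v.text.strip() for v in rule.findall(
            "xacml:Target/xacml:Actions/xacml:Action/xacml:ActionMatch/xacml:AttributeValue", NS)
            if v.text}
        roles = {v.text.strip() for v in rule.findall(
            "xacml:Condition/xacml:Apply[@FunctionId='is-in']/xacml:AttributeValue", NS)
            if v.text}
        rules.append((ops, rule.get("Effect", "Deny"), roles))
    return default_effect, rules


def authorize(policy, operation, user_roles):
    """Return "Permit" or "Deny" for one SOAP operation and the caller's LDAP roles."""
    default_effect, rules = policy
    held = set(user_roles)
    for ops, effect, required in rules:
        # The Target must name the operation AND the is-in condition must hold.
        if operation in ops and held & required:
            return effect
    # No operation rule matched: the default rule (here an unconditional Deny) applies.
    return default_effect


POLICY = load_policy(POLICY_XML)

if __name__ == "__main__":
    # Constructed requests covering the single permit path and three deny paths.
    cases = [
        ("queryBookByAuthorBW", ["Accounting Managers"]),  # role matches -> Permit
        ("queryBookByAuthorBW", ["Developers"]),           # wrong role -> Deny
        ("GetBooks", ["Accounting Managers"]),             # operation not covered -> Deny
        ("queryBookByAuthorBW", []),                       # authenticated, no roles -> Deny
    ]
    for op, roles in cases:
        print(f"{op:22} roles={roles!r:28} -> {authorize(POLICY, op, roles)}")
```

The four cases in the script are the ones worth checking when you author such a policy: the permit path, a caller with the wrong role, an operation that has no tpa:Operation rule (GetBooks, the commented-out value in the sample), and an authenticated caller whose LDAP entry yields no roles at all. Only the first returns Permit; the other three end at the default Deny, which is the behaviour the tpa:Default rule with always-true is there to guarantee.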