CEPM Dotnet Developers Guide V 3.3.1.0
PEP API Quick Start Guide


This chapter provides use cases that teach you how to develop code with some of the more commonly used PEP API methods, including the newly introduced GetAuthorizedDecisions() method.

For more information on how to work with the PEP APIs, refer to Appendix A, "PEP API Reference Guide." The guide contains documentation for over 50 PEP API methods. For information on the full set of PEP APIs, refer to the PEP API dotnet docs (DotNet_Docs_PAP-PEP.zip).

IsUserAccessAllowed()

This method determines whether a user is authorized to perform an action on a specific resource and returns a Boolean result (True or False). This use case uses the most common form of the IsUserAccessAllowed() method, which passes subject, resource, and action information. For more information on the other overloaded variations of this method, refer to Appendix A, "PEP API Reference Guide."

IsUserAccessAllowed(subject, resource, action)

subject—String value containing user ID.

Example:

jdoe

resource—String value containing fully qualified resource name.

Example:

Prime group:Prime portal:Account 1

action—String value containing action for the resource.

Example:

buy, sell, read, write, delete, and any.

Return type—Boolean (Permit = true, Deny / Not Applicable = false)

Sample Code

//Define subject, resource, and action values
String username = "jdoe";
String resource = "Prime group:Prime portal:Account 1";
String action = "any";
//Initialize Com.Cisco.Epm Authorization Manager
IAuthorizationManager mgr = 
AuthorizationManagerFactory.GetInstance().GetAuthorizationManager();
//Invoke IsUserAccessAllowed() method, providing user, resource, and action information
Boolean decision = mgr.IsUserAccessAllowed(username,resource,action);
//Print decision
Console.WriteLine("Is "+username+" allowed to access "+resource+"? "+decision);

GetDecisions()

Similar to the IsUserAccessAllowed() method, this method determines whether a user is authorized to perform an action on a specific resource. However, GetDecisions() returns the full XACML response instead of a Boolean result. This use case uses the most common form of the GetDecisions() method, which passes subject, resource, and action information. For more information on the other overloaded variations of this method, refer to Appendix A, "PEP API Reference Guide."

GetDecisions(subject, resource, action,map,rolebundle,context,level)

subject: String value containing user ID (for example, jdoe)

resource: String value containing fully qualified resource name (for example, Prime group:Prime portal:Account 1)

action: String value containing action for the resource (for example, buy, sell, read, write, delete, and any)

map: Hash map containing different message attributes.

rolebundle: String array containing role bundle names.

context: String value containing context.

level: Int value for the resource level up to which the decision is to be given.

Return type: XacmlResponse containing the full XACML response from the PDP

Sample Code

//Define subject, resource, and action values
String subject = "Mary";
String resource = "Prime group:Prime portal:testres";
String action = "any";
String[] roleBundles = new String[1];
roleBundles[0] = "Default";
HashMap map = new HashMap();                    
String context = "Global Context:Global Context";
int level = -1;
//Initialize Com.Cisco.Epm Authorization Manager
IAuthorizationManager mgr = 
AuthorizationManagerFactory.GetInstance().GetAuthorizationManager();
//Invoke GetDecisions() method, providing user, resource, and action
XacmlResponse pdpResponse = 
mgr.GetDecisions(subject,resource,action,map,roleBundles,context,level);
//Use XacmlResponse methods to print the decision and the entire XACML response
Console.WriteLine("Decision: "+pdpResponse.GetDecision());
Console.WriteLine("XACML Response: ");
Console.WriteLine(pdpResponse.toString());

GetPermissibleResourcesForUsers()

This method returns a list of a user's permitted subresources for a specified resource. This use case uses the most common form of the GetPermissibleResourcesForUsers() method, which passes subject and resource information. For more information on the other overloaded variations of this method, refer to Appendix A, "PEP API Reference Guide."

GetPermissibleResourcesForUsers(subject, resource)

subject: String value containing user ID (for example, jdoe)

resource: String value containing fully qualified resource name (for example, Prime group:Prime portal)

map: Hash map containing different message attributes.

roleBundle: String array containing role bundle names.

context: String value containing context name.

Return type: String[] array containing all of the permissible child resources

Sample Code

//Define subject, resource, map, role bundle and context values 
String subject = "Mary";
String resource = "Prime group:Prime portal";
String[] roleBundles = new String[1];
roleBundles[0] = "Default";
HashMap map = new HashMap();
String context = "Global Context:Global Context";

//Initialize IAuthorization Manager 
IAuthorizationManager mgr = 
AuthorizationManagerFactory.GetInstance().GetAuthorizationManager();

//Invoke GetPermissibleResourcesForUsers() method, providing the above mentioned parameters 
String[] str = mgr.GetPermissibleResourcesForUser(subject, resource, map, roleBundles, context);
//Iterate through String array and print permissible resources for user  
if(str!=null){ 
   Console.WriteLine(subject+" is allowed to access the following resources: ");
   for(int i=0;i<str.Length;i++){ 
      Console.WriteLine("Resource: "+str[i]); 
   } 
}

GetRolesAllowedForResource()

This method returns a list of permissible roles for a resource. This use case uses the most common form of the GetRolesAllowedForResource() method which passes resource information. For more information on the other overloaded variations of this method, refer to Appendix A, "PEP API Reference Guide."

GetRolesAllowedForResource(resource,roleBundles,context,map)

resource: String value containing fully qualified resource name (for example, Prime group:Prime portal:Account 1).

roleBundles: String array containing role bundle names.

context: String value containing the context name.

map: Hash map containing different message attributes.

Return type—String[] array containing all roles allowed to access resource

Sample Code

//Define resource values 
String resource = "Prime group:Prime portal:Account 1";
String[] roleBundles = new String[1];
roleBundles[0] = "Default";
String context = "Global Context:Global Context";
HashMap map = new HashMap();
//Initialize Com.Cisco.Epm Authorization Manager 
IAuthorizationManager mgr = 
AuthorizationManagerFactory.GetInstance().GetAuthorizationManager();
//Invoke GetRolesAllowedForResource () method, providing resource name 
String [] str = mgr.GetRolesAllowedForResource(resource);
//Iterate through String array and print roles allowed to access resource 
if(str!=null){ 
   Console.WriteLine("The following roles are allowed access to "+resource+":");
   for(int i=0;i<str.Length;i++){ 
      Console.WriteLine("Role: "+str[i]); 
   } 
}

GetPermissibleResourcesAndResourceGroupsForUser()

This method is used to get all permitted resources and resource groups for a given user, based on the custom attributes under the specified roleBundles and context. This method returns a list of permissible resources and resource groups for the specified user. Refer to Appendix A, "PEP API Reference Guide" for GetPermissibleResourcesAndResourceGroupsForRoles() and GetPermissibleResourcesAndResourceGroupsForGroups() methods.

GetPermissibleResourcesAndResourceGroupsForUser(subject, resourceFQN, action, attMap, roleBundles, context, level)

subject: String value containing user ID (for example, jdoe)

resource: String value containing fully qualified resource name (for example, Prime group:Prime portal). You can also pass a resource group FQN, because a resource group is treated as a regular resource in the resource hierarchy.

map: Hash map containing different message attributes.

roleBundle: String array containing role bundle names.

context: String value containing context name.

level: Integer that refers to the resource level of child hierarchy.

Return Type: String[] array containing a multidimensional string array of two elements:

The first element is an array of permissible resources.

The second element is an array of permissible resource groups for the given resource.

Sample Code:

//Define subject, resource, map, role bundle and context values 
String username = "User1";
String resource = "App Group:RGApplication:Resource1";
String[] roleBundles = new String[1];
roleBundles[0] = "Default";
HashMap map = new HashMap();
String context = "Global Context:Global Context";
int level = -1;

//Initialize IAuthorization Manager 
IAuthorizationManager mgr = 
AuthorizationManagerFactory.GetInstance().GetAuthorizationManager();

//Invoke GetPermissibleResourcesAndResourceGroupsForUser() method, providing the above mentioned parameters 
String[][] result = mgr.GetPermissibleResourcesAndResourceGroupsForUser("user1", 
   "App Group:RGApplication:Resource1", "any", map, roleBundles, 
   "Global Context:Global Context", -1);

//Iterate through String array and print permissible resources and resource groups for user  
for (int i = 0; i < result[0].Length; i++) {
   Console.WriteLine("Permitted Resource FQN: "+result[0][i]);
}
for (int j = 0; j < result[1].Length; j++) {
   Console.WriteLine("Permitted Resource Group FQN: "+result[1][j]);
}

Output:

If Child11, Child12 and Child13 are the child resources of 'Resource1', ResourceGroup1 is the resource group under 'Resource1' with Child12 and Child13 as members, and the user (user1) has permission to access 'ResourceGroup1' under the 'Default' roleBundle and 'Global Context', then this method returns all its permitted child resources in the first list and the resource group in the second list, as given below:

Permitted Resource FQN: App Group:RGApplication:Resource1:Child12
Permitted Resource FQN: App Group:RGApplication:Resource1:Child13

Permitted Resource Group FQN: App Group:RGApplication:Resource1:ResourceGroup1

GetResourceAndResourceGroupDecisionsForUser()

This method is used to get an array of the following three elements for a given user based on the custom attributes under the specified roleBundles and context:

The first element consists of resources and resource groups that are allowed for the specified user.

The second element consists of resources and resource groups that are denied (explicitly) for the specified user.

The third element consists of resource groups where some of its members are not allowed for the specified user.

Refer to Appendix A, "PEP API Reference Guide" for the GetResourcesAndResourceGroupsDecisionsForRoles() and GetResourcesAndResourceGroupsDecisionsForGroups() methods.

GetResourcesAndResourceGroupsDecisionsForUser(subject, resourceFQN, action, attMap, roleBundles, context, level)

subject: String value containing user ID (for example, jdoe)

resource: String value containing fully qualified resource name (for example, Prime group:Prime portal). You can also pass a resource group FQN, because a resource group is treated as a regular resource in the resource hierarchy.

map: Hash map containing different message attributes.

roleBundle: String array containing role bundle names.

context: String value containing context name.

level: Integer that refers to the resource level of child hierarchy.

Return Type: String[] array containing a multidimensional string array of three elements:

The first element is an array of resources and resource groups that are allowed.

The second element is an array of resources and resource groups that are denied.

The third element consists of an array of resource groups where some of its members are denied.

Sample Code:

//Define subject, resource, map, role bundle and context values 
String username = "User1";
String resource = "App Group:RGApplication:Resource1";
String[] roleBundles = new String[1];
roleBundles[0] = "Default";
HashMap map = new HashMap();
String context = "Global Context:Global Context";
int level = -1;

//Initialize IAuthorization Manager 
IAuthorizationManager mgr = 
AuthorizationManagerFactory.GetInstance().GetAuthorizationManager();

//Invoke GetResourcesAndResourceGroupsDecisionsForUser() method, providing the above mentioned parameters 
String[][] result = mgr.GetResourceAndResourceGroupDecisionsForUser("user1", 
   "App Group:RGApplication:Resource1", "any", map, roleBundles, 
   "Global Context:Global Context", -1);

//Iterate through String array and print permissible resources and resource groups for user  
for (int i = 0; i < result[0].Length; i++) {
   Console.WriteLine("Permitted FQN: "+result[0][i]); 
} 
//Iterate through String array and print denied resources and resource groups for user  
for (int j = 0; j < result[1].Length; j++) { 
   Console.WriteLine("Denied FQN: "+result[1][j]); 
}
//Iterate through String array and print resource groups with denied members for user  
for (int k = 0; k < result[2].Length; k++) { 
   Console.WriteLine("Resource Group FQN with denied members: "+result[2][k]);
}

Output:

If Child11, Child12, Child13 and Child14 are the child resources of 'Resource1', ResourceGroup1 is the resource group under 'Resource1' with Child11 and Child12 as members, ResourceGroup2 is the resource group under 'Resource1' with Child13 and Child14 as members, and the user (user1) has an allow policy on 'ResourceGroup1' and a deny policy on 'ResourceGroup2' under the 'Default' roleBundle and 'Global Context', then this method returns all its permitted child resources in the first list and the resource group in the second list, as given below:


Permitted FQN: App Group:RGApplication:Resource1:Child11
Permitted FQN: App Group:RGApplication:Resource1:Child12
Permitted FQN: App Group:RGApplication:Resource1:ResourceGroup1

Denied FQN: App Group:RGApplication:Resource1:Child13
Denied FQN: App Group:RGApplication:Resource1:Child13
Denied FQN: App Group:RGApplication:Resource1:ResourceGroup2

Resource Group FQN with denied members: App Group:RGApplication:Resource1:ResourceGroup2

GetBulkDecisions()

This method is used to get all decisions of the resources and its child resources. This exercise uses GetBulkDecision() method, which passes subject, resources, actions, map, role bundles, context and level.

GetBulkDecision(subject, resources, actions, map, rolebundles, context, level)

subject: String value containing user ID (for example, jdoe)

resources: String array containing fully qualified resource names (for example, Prime group:Prime portal:Account 1)

actions: String array containing actions for the resource (for example, buy, sell, read, write, delete, and any)

map: Hash map containing different message attributes.

rolebundle: String array containing role bundle names.

context: String value containing context.

level: Int value for the resource level up to which the decision is to be given.

Return type: XacmlResponse object containing the full XACML response from the PDP

Sample Code:

Example 1: Passing action as "any":

//Define resource, action, map, role bundle, context and level values 
String[] resources = new String[1];
resources[0] = "Prime group:Prime portal:View Reports";
String[] actions = new String[1];
actions[0] = "any";
Map map = new HashMap();
map.put("sum", "10");
String[] roleBundles = new String[1];
roleBundles[0] = "Default";
int level = -1;

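//Initialize Com.Cisco.Epm Authorization Manager
IAuthorizationManager mgr = 
AuthorizationManagerFactory.GetInstance().GetAuthorizationManager();
//Invoke GetBulkDecisions() method by providing the above mentioned parameters 
mgr.GetBulkDecisions("Tom",resources,actions,map,roleBundles,
   "Global Context:Global Context",level);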

Output:

If the user (Tom) has permission to access 'View Reports' under the 'Default' roleBundle and 'Global Context', then after the PIP Rule is evaluated based on the given attributes, the result will be:

<xml>
<Response>
//Result for the resource "View Reports:Report 6"
<Result ResourceId="Prime group:Prime portal:View Reports:Report 6">
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
<StatusMessage>Request is successful</StatusMessage>
<StatusDetail>Response from PDP</StatusDetail>
</Status>
<Obligations>
<Obligation FulfillOn="Permit" ObligationId="urn:cisco:cepm:3.3:xacml:response-qualifier">
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:is-resource">
<AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">resource</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:resource-type-name">
<AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">Global:UNTYPE</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:ttl">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0</AttributeValue>
</AttributeAssignment>
</Obligation>
</Obligations>
</Result>

//Result for the resource "View Reports"
<Result ResourceId="Prime group:Prime portal:View Reports">
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
<StatusMessage>Request is successful</StatusMessage>
<StatusDetail>Response from PDP</StatusDetail>
</Status>
<Obligations>
<Obligation FulfillOn="Permit" ObligationId="urn:cisco:cepm:3.3:xacml:response-qualifier">
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:is-resource">
<AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">resource</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:resource-type-name">
<AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">Global:UNTYPE</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:ttl">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0</AttributeValue>
</AttributeAssignment>
</Obligation>
</Obligations>

</Result>

//Result for the action "View Reports:Report 6:Read"
<Result ResourceId="Prime group:Prime portal:View Reports:Report 6:Read">
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
<StatusMessage>Request is successful</StatusMessage>
<StatusDetail>Response from PDP</StatusDetail>
</Status>
<Obligations>
<Obligation FulfillOn="Permit" ObligationId="urn:cisco:cepm:3.3:xacml:response-qualifier">
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:is-action">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">action</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:resource-type-name">
<AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">Global:UNTYPE</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:ttl">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0</AttributeValue>
</AttributeAssignment>
</Obligation>
</Obligations>
</Result>

//Result for the action "View Reports:Read"
<Result ResourceId="Prime group:Prime portal:View Reports:Read">
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
<StatusMessage>Request is successful</StatusMessage>
<StatusDetail>Response from PDP</StatusDetail>
</Status>
<Obligations>
<Obligation FulfillOn="Permit" ObligationId="urn:cisco:cepm:3.3:xacml:response-qualifier">
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:is-action">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">action</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:resource-type-name">
<AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">Global:UNTYPE</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:ttl">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0</AttributeValue>
</AttributeAssignment>
</Obligation>
</Obligations>
</Result>
</Response>
</xml>

Example 2: Passing a specific action (other than "any"):

//Define resource, action, map, role bundle, context and level values 
String[] resources = new String[1];
resources[0] = "Prime group:Prime portal:View Reports";
String[] actions = new String[1];
actions[0] = "Read";
Map map = new HashMap();
map.put("sum", "10");
String[] roleBundles = new String[1];
roleBundles[0] = "Default";
int level = 1;

//Invoke GetBulkDecisions() method by providing the above mentioned parameters 
mgr.GetBulkDecisions("Tom",resources,actions,map,roleBundles,
   "Global Context:Global Context",level);

Output:

If the user (Tom) has permission to access 'View Reports' under the 'Default' roleBundle and 'Global Context', then after the PIP Rule is evaluated based on the given attributes, the result will be:

<xml>
<Response>
//Result for the action "View Reports:Read"
<Result ResourceId="Prime group:Prime portal:View Reports:Read">
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
<StatusMessage>Request is successful</StatusMessage>
<StatusDetail>Response from PDP</StatusDetail>
</Status>
<Obligations>
<Obligation FulfillOn="Permit" ObligationId="urn:cisco:cepm:3.3:xacml:response-qualifier">
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:is-action">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">action</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:resource-type-name">
<AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">Global:UNTYPE</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:ttl">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0</AttributeValue>
</AttributeAssignment>
</Obligation>
</Obligations>
</Result>
</Response>
</xml>

GetAuthorizedDecisions()

This is a generic method that takes an XACML request as its input parameter. This single API method replaces all existing PEP methods such as IsUserAccessAllowed(), IsRoleAccessAllowed(), GetDecisions(), and so on.

To use this method:


Step 1 Define the following input parameters:

String subject = "Mary";
String resource = "Prime group:Prime portal:Send Trades";
String action = "any";
HashTable<String, String> envMap = new HashTable<String, String>();
envMap.Add(XacmlConstant.LEVEL, "-1");
String roleBundle = "Default";
String context = "Global Context:Global Context";

Step 2 Initialize IAuthorization Manager.

IAuthorizationManager mgr = 
AuthorizationManagerFactory.GetInstance().GetAuthorizationManager();

Step 3 Invoke the XacmlGenerator to create the XacmlRequest.

Com.Cisco.Epm.Xacml.XACMLGenerator generator = new XACMLGenerator();

Step 4 Create the XacmlRequest.

Com.Cisco.Epm.Xacml.XacmlRequest xacmlRequest = generator.CreateXacmlRequest(subject, 
resource, action, envMap, roleBundle, context, XacmlConstant.SUBJECTID);

If the subject is a role, the XacmlConstant will be ROLEID; in the case of a group, it will be GROUPID.

The Xacml Generator will consider the above mentioned parameters and generate a XacmlRequest which may look like:

<Request>
<Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" 
DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="requestor">
<AttributeValue>Mary</AttributeValue>
</Attribute>
</Subject>
<Resource>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>Prime group:Prime portal:Send Trades</AttributeValue>
</Attribute>
</Resource>
<Action>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" 
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>any</AttributeValue>
</Attribute>
</Action>
<Environment>
<Attribute AttributeId="Key" DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>value</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:cisco:cepm:3.3:xacml:context-name" 
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>Global Context:Global Context</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:cisco:cepm:3.3:xacml:rolebundle-name" 
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>Default</AttributeValue>
</Attribute>
</Environment>
</Request>

Step 5 Invoke the GetAuthorizedDecisions() method by passing the XacmlRequest as an input parameter.

Com.Cisco.Epm.Xacml.XacmlResponse xacmlResponse = 
mgr.GetAuthorizedDecisions(xacmlRequest);

Step 6 Invoke the GetResults() to get the XacmlResponse.

Com.Cisco.Epm.Xacml.Result[] results = xacmlResponse.GetResults();

This response contains the results for all the child resources created under the specified resource Send Trades, because the value set for level is -1. This gives the XacmlResponse, which may look like:

<Response>
<Result ResourceId="Prime group:Prime portal:Send Trades:Buy Trades">
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:cisco:cepm:3.3:xacml:status:ok"/>
<StatusMessage>Request is successful</StatusMessage>
<StatusDetail>Response from PDP</StatusDetail>
</Status>
<Obligations>
<Obligation FulfillOn="Permit" ObligationId="urn:cisco:cepm:3.3:xacml:response-qualifier">
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:is-resource">
<AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">resource</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:resource-type-name">
<AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">GLOBAL:UNTYPE</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:ttl">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0</AttributeValue>
</AttributeAssignment>
</Obligation>
</Obligations>
</Result>
<Result ResourceId="Prime group:Prime portal:Send Trades">
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:cisco:cepm:3.3:xacml:status:ok"/>
<StatusMessage>Request is successful</StatusMessage>
<StatusDetail>Response from PDP</StatusDetail>
</Status>
<Obligations>
<Obligation FulfillOn="Permit" ObligationId="urn:cisco:cepm:3.3:xacml:response-qualifier">
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:is-resource">
<AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">resource</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:resource-type-name">
<AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">GLOBAL:UNTYPE</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:ttl">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0</AttributeValue>
</AttributeAssignment>
</Obligation>
</Obligations>
</Result>
<Result ResourceId="Prime group:Prime portal:Send Trades:Sell Trades">
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:cisco:cepm:3.3:xacml:status:ok"/>
<StatusMessage>Request is successful</StatusMessage>
<StatusDetail>Response from PDP</StatusDetail>
</Status>
<Obligations>
<Obligation FulfillOn="Permit" ObligationId="urn:cisco:cepm:3.3:xacml:response-qualifier">
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:is-resource">
<AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">resource</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:resource-type-name">
<AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">GLOBAL:UNTYPE</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:ttl">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0</AttributeValue>
</AttributeAssignment>
</Obligation>
</Obligations>
</Result>
</Response>

Step 7 Retrieve the resource ID, decisions, and obligations.

//Print the resource ID and decision of each result
foreach (Result result in results) {
	Console.WriteLine("Resource name[" + result.GetResourceId() + "]");
	Console.WriteLine("Decision [" + result.GetDecision() + "]");
	Obligation[] obligations = result.GetObligations();
	foreach (Obligation obligation in obligations) {
		AttributeAssignment[] assignments = obligation.GetAttributeAssignment();
		//Print each attribute ID followed by its value (both lines use the "Attribute ID" label, as in the output below)
		foreach (AttributeAssignment assignment in assignments) {
			Console.WriteLine("Attribute ID[" + assignment.GetAttributeID() + "]");
			Console.WriteLine("Attribute ID[" + assignment.GetValue() + "]");
		}
	}
}

The result includes the decisions and obligations for the specified resource and its child resources, such as Buy Trades and Sell Trades.

Resource name[Prime group:Prime portal:Send Trades]
Decision [0]
Attribute ID[urn:cisco:cepm:3.3:xacml:is-resource]
Attribute ID[resource]
Attribute ID[urn:cisco:cepm:3.3:xacml:resource-type-name]
Attribute ID[GLOBAL:UNTYPE]
Attribute ID[urn:cisco:cepm:3.3:xacml:ttl]
Attribute ID[0]
Resource name[Prime group:Prime portal:Send Trades:Buy Trades]
Decision [0]
Attribute ID[urn:cisco:cepm:3.3:xacml:is-resource]
Attribute ID[resource]
Attribute ID[urn:cisco:cepm:3.3:xacml:resource-type-name]
Attribute ID[GLOBAL:UNTYPE]
Attribute ID[urn:cisco:cepm:3.3:xacml:ttl]
Attribute ID[0]
Resource name[Prime group:Prime portal:Send Trades:Sell Trades]
Decision [0]
Attribute ID[urn:cisco:cepm:3.3:xacml:is-resource]
Attribute ID[resource]
Attribute ID[urn:cisco:cepm:3.3:xacml:resource-type-name]
Attribute ID[GLOBAL:UNTYPE]
Attribute ID[urn:cisco:cepm:3.3:xacml:ttl]
Attribute ID[0]

Here, Decision [0] means a Permit decision. If the decision is Deny, the value is '1'.
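
A multi-result response such as the ones shown above (level = -1) has to be enforced deny-by-default at the PEP. The following is an added example, not code from the Cisco guide or the CEPM API: it parses the XML form of a response with System.Xml.Linq and grants access only on an explicit Permit with an OK status and no unrecognized obligation. The class FailClosedPep, its method names, and the sample XML (including the "Audit Trades" resource) are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

// Added example: hypothetical helper, not part of the CEPM PEP API.
public static class FailClosedPep
{
    // The two "ok" status values that appear in the sample responses on this page.
    static readonly HashSet<string> OkStatus = new HashSet<string>(StringComparer.Ordinal)
    {
        "urn:oasis:names:tc:xacml:1.0:status:ok",
        "urn:cisco:cepm:3.3:xacml:status:ok"
    };

    // The only ObligationId shown on this page; anything else is treated as not understood.
    static readonly HashSet<string> KnownObligations = new HashSet<string>(StringComparer.Ordinal)
    {
        "urn:cisco:cepm:3.3:xacml:response-qualifier"
    };

    // Returns, for every requested FQN, true only when the response holds an explicit
    // Permit with an OK status and only known obligations for exactly that ResourceId.
    public static Dictionary<string, bool> Evaluate(string responseXml, IEnumerable<string> requested)
    {
        var allowed = requested.Distinct()
            .ToDictionary(r => r, r => false, StringComparer.Ordinal); // default: deny
        XElement root;
        try { root = XElement.Parse(responseXml); }
        catch (System.Xml.XmlException) { return allowed; }           // unparsable: deny all

        var seen = new HashSet<string>(StringComparer.Ordinal);
        foreach (XElement result in root.Descendants("Result"))
        {
            string id = (string)result.Attribute("ResourceId");
            if (id == null || !allowed.ContainsKey(id)) continue;      // not something we asked about

            string decision = ((string)result.Element("Decision"))?.Trim();
            string status = (string)result.Element("Status")?.Element("StatusCode")?.Attribute("Value");
            bool obligationsKnown = result.Descendants("Obligation")
                .All(o => KnownObligations.Contains((string)o.Attribute("ObligationId") ?? ""));

            bool permit = decision == "Permit"
                          && status != null && OkStatus.Contains(status)
                          && obligationsKnown;

            // If the same ResourceId appears twice, any non-permit result wins.
            allowed[id] = seen.Add(id) ? permit : (allowed[id] && permit);
        }
        return allowed;
    }

    public static void Main()
    {
        // Constructed sample modelled on the response format shown above.
        const string xml = @"<Response>
  <Result ResourceId=""Prime group:Prime portal:Send Trades:Buy Trades"">
    <Decision>Permit</Decision>
    <Status><StatusCode Value=""urn:cisco:cepm:3.3:xacml:status:ok""/></Status>
    <Obligations>
      <Obligation FulfillOn=""Permit"" ObligationId=""urn:cisco:cepm:3.3:xacml:response-qualifier""/>
    </Obligations>
  </Result>
  <Result ResourceId=""Prime group:Prime portal:Send Trades:Sell Trades"">
    <Decision>Deny</Decision>
    <Status><StatusCode Value=""urn:cisco:cepm:3.3:xacml:status:ok""/></Status>
  </Result>
  <Result ResourceId=""Prime group:Prime portal:Send Trades"">
    <Decision>Permit</Decision>
    <Status><StatusCode Value=""urn:oasis:names:tc:xacml:1.0:status:processing-error""/></Status>
  </Result>
</Response>";

        var requested = new[]
        {
            "Prime group:Prime portal:Send Trades",
            "Prime group:Prime portal:Send Trades:Buy Trades",
            "Prime group:Prime portal:Send Trades:Sell Trades",
            "Prime group:Prime portal:Send Trades:Audit Trades" // constructed; absent from the response
        };

        foreach (KeyValuePair<string, bool> entry in Evaluate(xml, requested))
            Console.WriteLine((entry.Value ? "ALLOW " : "DENY  ") + entry.Key);
    }
}
```

Only Buy Trades is allowed here: the explicit Deny, the Permit carrying a non-OK status, and the resource missing from the response all fall back to deny.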