PEP API Quick Start Guide
This chapter provides use cases that will teach you how to develop code with some of the more commonly used PEP API methods. This includes the newly introduced getAuthorizedDecisions() method.
For more information on how to work with the PEP APIs, refer to Appendix A, "PEP API Reference Guide." The guide contains documentation for over 50 PEP API methods. For information on the full set of PEP APIs, refer to the PEP API dotnet docs (DotNet_Docs_PAP-PEP.zip).
IsUserAccessAllowed()
This method determines whether a user is authorized to perform an action on a specific resource and returns a Boolean result (True or False). This use case uses the most common form of the IsUserAccessAllowed() method, which passes subject, resource, and action information. For more information on the other overloaded variations of this method, refer to Appendix A, "PEP API Reference Guide."
IsUserAccessAllowed(subject, resource, action)
•subject: String value containing user ID (for example, jdoe)
•resource: String value containing fully qualified resource name (for example, Prime group:Prime portal:Account 1)
•action: String value containing action for the resource (for example, buy, sell, read, write, delete, and any)
•Return type: Boolean (Permit = true, Deny / Not Applicable = false)
Sample Code
//Define subject, resource, and action values
String username = "jdoe";
String resource = "Prime group:Prime portal:Account 1";
String action = "any"; //assumed example value; the listing uses action without declaring it
//Initialize Com.Cisco.Epm Authorization Manager
IAuthorizationManager mgr =
    AuthorizationManagerFactory.GetInstance().GetAuthorizationManager();
//Invoke IsUserAccessAllowed() method, providing user, resource, and action information
Boolean decision = mgr.IsUserAccessAllowed(username, resource, action);
Console.WriteLine("Is " + username + " allowed to access " + resource + "? " + decision);
GetDecisions()
Similar to the IsUserAccessAllowed() method, this method determines whether a user is authorized to perform an action on a specific resource. However, GetDecisions() returns the full XACML response instead of a Boolean result. This use case uses the most common form of the GetDecisions() method, which passes subject, resource, and action information. For more information on the other overloaded variations of this method, refer to Appendix A, "PEP API Reference Guide."
GetDecisions(subject, resource, action,map,rolebundle,context,level)
•subject: String value containing user ID (for example, jdoe)
•resource: String value containing fully qualified resource name (for example, Prime group:Prime portal:Account 1)
•action: String value containing action for the resource (for example, buy, sell, read, write, delete, and any)
•map: Hash map containing different message attributes.
•rolebundle: String array containing role bundle names.
•context: String value containing context.
•level: Int value for the resource level up to which the decision is to be given.
•Return type: XacmlResponse containing the full XACML response from the PDP
Sample Code
//Define subject, resource, and action values
//Assumed example values: the listing uses subject, action and level without declaring them
String subject = "jdoe";
String action = "any";
int level = -1;
String resource = "Prime group:Prime portal:testres";
String[] roleBundles = new String[1];
roleBundles[0] = "Default";
HashMap map = new HashMap();
String context = "Global Context:Global Context";
//Initialize Com.Cisco.Epm Authorization Manager
IAuthorizationManager mgr =
    AuthorizationManagerFactory.GetInstance().GetAuthorizationManager();
//Invoke GetDecisions() method, providing user, resource, and action
XacmlResponse pdpResponse =
    mgr.GetDecisions(subject, resource, action, map, roleBundles, context, level);
//Use XacmlResponse methods to print the decision and the entire XACML response
Console.WriteLine("Decision: " + pdpResponse.GetDecision());
Console.WriteLine("XACML Response: ");
Console.WriteLine(pdpResponse.ToString());
GetPermissibleResourcesForUsers()
This method returns a list of a user's permitted subresources for a specified resource. This use case uses the most common form of the GetPermissibleResourcesForUsers() method, which passes subject and resource information. For more information on the other overloaded variations of this method, refer to Appendix A, "PEP API Reference Guide."
GetPermissibleResourcesForUsers(subject, resource)
•subject: String value containing user ID (for example, jdoe)
•resource: String value containing fully qualified resource name (for example, Prime group:Prime portal)
•map: Hash map containing different message attributes.
•roleBundle: String array containing role bundle names.
•context: String value containing context name.
•Return type: String[] array containing all of the permissible child resources
Sample Code
//Define subject, resource, map, role bundle and context values
String subject = "Mary";
String resource = "Prime group:Prime portal";
String[] roleBundles = new String[1];
roleBundles[0] = "Default";
HashMap map = new HashMap();
String context = "Global Context:Global Context";
//Initialize IAuthorization Manager
IAuthorizationManager mgr =
    AuthorizationManagerFactory.GetInstance().GetAuthorizationManager();
//Invoke GetPermissibleResourcesForUsers() method, providing the above mentioned parameters
String[] str = mgr.GetPermissibleResourcesForUser(subject, resource, map, roleBundles, context);
//Iterate through String array and print permissible resources for user
if (str != null) {
    Console.WriteLine(subject + " is allowed to access the following resources: ");
    for (int i = 0; i < str.Length; i++) {
        Console.WriteLine("Resource: " + str[i]);
    }
}
GetRolesAllowedForResource()
This method returns a list of permissible roles for a resource. This use case uses the most common form of the GetRolesAllowedForResource() method which passes resource information. For more information on the other overloaded variations of this method, refer to Appendix A, "PEP API Reference Guide."
GetRolesAllowedForResource(resource,roleBundles,context,map)
•resource: String value containing fully qualified resource name (for example, Prime group:Prime portal:Account 1).
•roleBundles: String array containing role bundle names.
•context: String value containing the context name.
•map: Hash map containing different message attributes.
•Return type—String[] array containing all roles allowed to access resource
Sample Code
//Define resource values
String resource = "Prime group:Prime portal:Account 1";
String[] roleBundles = new String[1];
roleBundles[0] = "Default";
String context = "Global Context:Global Context";
HashMap map = new HashMap();
//Initialize Com.Cisco.Epm Authorization Manager
IAuthorizationManager mgr =
AuthorizationManagerFactory.GetInstance().GetAuthorizationManager();
//Invoke GetRolesAllowedForResource() method, providing resource name
String[] str = mgr.GetRolesAllowedForResource(resource);
//Iterate through String array and print roles allowed to access resource
if (str != null) {
    Console.WriteLine("The following roles are allowed access to " + resource + ":");
    for (int i = 0; i < str.Length; i++) {
        Console.WriteLine("Role: " + str[i]);
    }
}
GetPermissibleResourcesAndResourceGroupsForUser()
This method is used to get all permitted resources and resource groups for a given user, based on the custom attributes under the specified roleBundles and context. This method returns a list of permissible resources and resource groups for the specified user. Refer to Appendix A, "PEP API Reference Guide" for GetPermissibleResourcesAndResourceGroupsForRoles() and GetPermissibleResourcesAndResourceGroupsForGroups() methods.
GetPermissibleResourcesAndResourceGroupsForUser(subject, resourceFQN, action, attMap, roleBundles, context, level)
•subject: String value containing user ID (for example, jdoe)
•resource: String value containing fully qualified resource name (for example, Prime group:Prime portal). You can also pass a resource group FQN, because a resource group is treated as a regular resource in the resource hierarchy.
•map: Hash map containing different message attributes.
•roleBundle: String array containing role bundle names.
•context: String value containing context name.
•level: Integer that refers to the resource level of child hierarchy.
•Return type: String[] array containing a multidimensional string array of two elements:
•The first element is an array of permissible resources.
•The second element is an array of permissible resource groups for the given resource.
Sample Code:
//Define subject, resource, map, role bundle and context values
String username = "User1";
String resource = "App Group:RGApplication:Resource1";
String[] roleBundles = new String[1];
roleBundles[0] = "Default";
HashMap map = new HashMap();
String context = "Global Context:Global Context";
//Initialize IAuthorization Manager
IAuthorizationManager mgr =
AuthorizationManagerFactory.GetInstance().GetAuthorizationManager();
//Invoke GetPermissibleResourcesAndResourceGroupsForUser() method, providing the above mentioned parameters
String[][] result = mgr.GetPermissibleResourcesAndResourceGroupsForUser("user1",
    "App Group:RGApplication:Resource1", "any", map, roleBundles,
    "Global Context:Global Context", -1);
//Iterate through String array and print permissible resources and resource groups for user
for (int i = 0; i < result[0].Length; i++) {
    Console.WriteLine("Permitted Resource FQN: " + result[0][i]);
}
for (int j = 0; j < result[1].Length; j++) {
    Console.WriteLine("Permitted Resource Group FQN: " + result[1][j]);
}
Output:
If Child11, Child12 and Child13 are the child resources of 'Resource1', ResourceGroup1 is the resource group under 'Resource1' with Child12 and Child13 as members, and the user (user1) has permission to access 'ResourceGroup1' under the 'Default' roleBundle and 'Global Context', then this method returns all its permitted child resources in the first list and the resource group in the second list, as shown below:
Permitted Resource FQN: App Group:RGApplication:Resource1:Child12
Permitted Resource FQN: App Group:RGApplication:Resource1:Child13
Permitted Resource Group FQN: App Group:RGApplication:Resource1:ResourceGroup1
GetResourceAndResourceGroupDecisionsForUser()
This method is used to get an array of the following three elements for a given user based on the custom attributes under the specified roleBundles and context:
•The first element consists of resources and resource groups that are allowed for the specified user.
•The second element consists of resources and resource groups that are denied (explicitly) for the specified user.
•The third element consists of resource groups where some of its members are not allowed for the specified user.
Refer to Appendix A, "PEP API Reference Guide" for GetResourcesAndResourceGroupsDecisonsForRoles() and GetResourcesAndResourceGroupsDecisionsForGroups() methods.
GetResourcesAndResourceGroupsDecisionsForUser(subject, resourceFQN, action, attMap, roleBundles, context, level)
•subject: String value containing user ID (for example, jdoe)
•resource: String value containing fully qualified resource name (for example, Prime group:Prime portal). You can also pass a resource group FQN, because a resource group is treated as a regular resource in the resource hierarchy.
•map: Hash map containing different message attributes.
•roleBundle: String array containing role bundle names.
•context: String value containing context name.
•level: Integer that refers to the resource level of child hierarchy.
•Return type: String[] array containing a multidimensional string array of two elements:
•The first element is an array of resources and resource groups that are allowed.
•The second element is an array of resources and resource groups that are denied.
•The third element consists of an array of resource groups where some of its members are denied.
Sample Code:
//Define subject, resource, map, role bundle and context values
String username = "User1";
String resource = "App Group:RGApplication:Resource1";
String[] roleBundles = new String[1];
roleBundles[0] = "Default";
HashMap map = new HashMap();
String context = "Global Context:Global Context";
//Initialize IAuthorization Manager
IAuthorizationManager mgr =
AuthorizationManagerFactory.GetInstance().GetAuthorizationManager();
//Invoke GetResourcesAndResourceGroupsDecisionsForUser() method, providing the above mentioned parameters
String[][] result = mgr.GetResourceAndResourceGroupDecisionsForUser("user1",
    "App Group:RGApplication:Resource1", "any", map, roleBundles,
    "Global Context:Global Context", -1);
//Iterate through String array and print permissible resources and resource groups for user
for (int i = 0; i < result[0].Length; i++) {
    Console.WriteLine("Permitted FQN: " + result[0][i]);
}
//Iterate through String array and print denied resources and resource groups for user
for (int j = 0; j < result[1].Length; j++) {
    Console.WriteLine("Denied FQN: " + result[1][j]);
}
//Iterate through String array and print resource groups with denied members for user
for (int k = 0; k < result[2].Length; k++) {
    Console.WriteLine("Resource Group FQN with denied members: " + result[2][k]);
}
Output:
If Child11, Child12, Child13 and Child14 are the child resources of 'Resource1', ResourceGroup1 is the resource group under 'Resource1' with Child11 and Child12 as members, ResourceGroup2 is the resource group under 'Resource1' with Child13 and Child14 as members, and the user (user1) has an allow policy on 'ResourceGroup1' and a deny policy on 'ResourceGroup2' under the 'Default' roleBundle and 'Global Context', then this method returns all its permitted child resources in the first list and the resource group in the second list, as shown below:
Permitted FQN: App Group:RGApplication:Resource1:Child11
Permitted FQN: App Group:RGApplication:Resource1:Child12
Permitted FQN: App Group:RGApplication:Resource1:ResourceGroup1
Denied FQN: App Group:RGApplication:Resource1:Child13
Denied FQN: App Group:RGApplication:Resource1:Child13
Denied FQN: App Group:RGApplication:Resource1:ResourceGroup2
Resource Group FQN with denied members: App Group:RGApplication:Resource1:ResourceGroup2
GetBulkDecisions()
This method is used to get all decisions for the resources and their child resources. This exercise uses the GetBulkDecision() method, which passes subject, resources, actions, map, role bundles, context and level.
GetBulkDecision(subject, resources, actions, map, rolebundles, context, level)
•subject: String value containing user ID (for example, jdoe)
•resources: String array containing fully qualified resource names (for example, Prime group:Prime portal:Account 1)
•actions: String array containing actions for the resource (for example, buy, sell, read, write, delete, and any)
•map: Hash map containing different message attributes.
•rolebundle: String array containing role bundle names.
•context: String value containing context.
•level: Int value for the resource level up to which the decision is to be given.
•Return type: XacmlResponse object containing the full XACML response from the PDP
Sample Code:
Example 1: Passing action as "any":
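//Define resource, action, map, role bundle, context and level values
String[] resources = new String[1];
resources[0] = "Prime group:Prime portal:View Reports";
String[] actions = new String[1];
actions[0] = "any";
String[] roleBundles = new String[1];
roleBundles[0] = "Default";
//Assumed declarations: the listing uses map, level and mgr without declaring them
HashMap map = new HashMap();
int level = -1;
IAuthorizationManager mgr =
    AuthorizationManagerFactory.GetInstance().GetAuthorizationManager();
//Invoke GetBulkDecisions() method by providing the above mentioned parameters
mgr.GetBulkDecisions("Tom", resources, actions, map, roleBundles,
    "Global Context:Global Context", level);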
Output:
If the user (Tom) has permission to access 'View Reports' under the 'Default' roleBundle and 'Global Context', then after evaluating the PIP Rule based on the given attributes, the result will be:
//Result for the resource "View Reports:Report 6"
<Result ResourceId="Prime group:Prime portal:View Reports:Report 6">
<Decision>Permit</Decision>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
<StatusMessage>Request is successful</StatusMessage>
<StatusDetail>Response from PDP</StatusDetail>
<Obligation FulfillOn="Permit" ObligationId="urn:cisco:cepm:3.3:xacml:response-qualifier">
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:is-resource">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">resource</AttributeValue>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:resource-type-name">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">Global:UNTYPE</AttributeValue>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:ttl">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0</AttributeValue>
//Result for the resource "View Reports"
<Result ResourceId="Prime group:Prime portal:View Reports">
<Decision>Permit</Decision>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
<StatusMessage>Request is successful</StatusMessage>
<StatusDetail>Response from PDP</StatusDetail>
<Obligation FulfillOn="Permit" ObligationId="urn:cisco:cepm:3.3:xacml:response-qualifier">
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:is-resource">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">resource</AttributeValue>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:resource-type-name">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">Global:UNTYPE</AttributeValue>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:ttl">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0</AttributeValue>
//Result for the action "View Reports:Report 6:Read"
<Result ResourceId="Prime group:Prime portal:View Reports:Report 6:Read">
<Decision>Permit</Decision>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
<StatusMessage>Request is successful</StatusMessage>
<StatusDetail>Response from PDP</StatusDetail>
<Obligation FulfillOn="Permit" ObligationId="urn:cisco:cepm:3.3:xacml:response-qualifier">
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:is-action">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">action</AttributeValue>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:resource-type-name">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">Global:UNTYPE</AttributeValue>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:ttl">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0</AttributeValue>
//Result for the action "View Reports:Read"
<Result ResourceId="Prime group:Prime portal:View Reports:Read">
<Decision>Permit</Decision>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
<StatusMessage>Request is successful</StatusMessage>
<StatusDetail>Response from PDP</StatusDetail>
<Obligation FulfillOn="Permit" ObligationId="urn:cisco:cepm:3.3:xacml:response-qualifier">
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:is-action">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">action</AttributeValue>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:resource-type-name">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">Global:UNTYPE</AttributeValue>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:ttl">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0</AttributeValue>
Example 2: Passing a specific action (other than "any"):
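//Define resource, action, map, role bundle, context and level values
String[] resources = new String[1];
resources[0] = "Prime group:Prime portal:View Reports";
String[] actions = new String[1];
actions[0] = "Read"; //assumed from the Read result in the output; the listing does not show this line
String[] roleBundles = new String[1];
roleBundles[0] = "Default";
//Assumed declarations: the listing uses map, level and mgr without declaring them
HashMap map = new HashMap();
int level = -1;
IAuthorizationManager mgr =
    AuthorizationManagerFactory.GetInstance().GetAuthorizationManager();
//Invoke GetBulkDecisions() method by providing the above mentioned parameters
mgr.GetBulkDecisions("Tom", resources, actions, map, roleBundles,
    "Global Context:Global Context", level);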
Output:
If the user (Tom) has permission to access 'View Reports' under the 'Default' roleBundle and 'Global Context', then after evaluating the PIP Rule based on the given attributes, the result will be:
//Result for the action "View Reports:Read"
<Result ResourceId="Prime group:Prime portal:View Reports:Read">
<Decision>Permit</Decision>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
<StatusMessage>Request is successful</StatusMessage>
<StatusDetail>Response from PDP</StatusDetail>
<Obligation FulfillOn="Permit" ObligationId="urn:cisco:cepm:3.3:xacml:response-qualifier">
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:is-action">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">action</AttributeValue>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:resource-type-name">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">Global:UNTYPE</AttributeValue>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:ttl">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0</AttributeValue>
GetAuthorizedDecisions()
This is a generic method that takes an XACML request as its input parameter. This single API method replaces all existing PEP methods such as IsUserAccessAllowed(), IsRoleAccessAllowed(), GetDecisions(), and so on.
To use this method:
Step 1 Define the following input parameters:
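String subject = "Mary"; //subject value shown in the generated request in Step 4
String resource = "Prime group:Prime portal:Send Trades";
String action = "any"; //action value shown in the generated request in Step 4
HashTable<String, String> envMap = new HashTable<String, String>();
envMap.Add(XacmlConstant.LEVEL, "-1");
String roleBundle = "Default";
String context = "Global Context:Global Context";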
Step 2 Initialize IAuthorization Manager.
IAuthorizationManager mgr =
AuthorizationManagerFactory.GetInstance().GetAuthorizationManager();
Step 3 Invoke the XacmlGenerator to create the XacmlRequest.
Com.Cisco.Epm.Xacml.XACMLGenerator generator = new XACMLGenerator();
Step 4 Create the XacmlRequest.
Com.Cisco.Epm.Xacml.XacmlRequest xacmlRequest = generator.CreateXacmlRequest(subject,
    resource, action, envMap, roleBundle, context, XacmlConstant.SUBJECTID);
If the subject is a role, the XacmlConstant will be ROLEID; in the case of a group, it will be GROUPID.
The XacmlGenerator takes the above mentioned parameters and generates an XacmlRequest, which may look like:
<Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="requestor">
<AttributeValue>Mary</AttributeValue>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>Prime group:Prime portal:Send Trades</AttributeValue>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>any</AttributeValue>
<Attribute AttributeId="Key" DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>value</AttributeValue>
<Attribute AttributeId="urn:cisco:cepm:3.3:xacml:context-name"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>Global Context:Global Context</AttributeValue>
<Attribute AttributeId="urn:cisco:cepm:3.3:xacml:rolebundle-name"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>Default</AttributeValue>
Step 5 Invoke the GetAuthorizedDecisions() method by passing the XacmlRequest as an input parameter.
Com.Cisco.Epm.Xacml.XacmlResponse xacmlResponse =
mgr.GetAuthorizedDecisions(xacmlRequest);
Step 6 Invoke the GetResults() to get the XacmlResponse.
Com.Cisco.Epm.Xacml.Result[] results = xacmlResponse.GetResults();
This response contains results for all the child resources created under the specified resource Send Trades because the value specified for level is -1. This gives the XacmlResponse, which may look like:
<Result ResourceId="Prime group:Prime portal:Send Trades:Buy Trades">
<Decision>Permit</Decision>
<StatusCode Value="urn:cisco:cepm:3.3:xacml:status:ok"/>
<StatusMessage>Request is successful</StatusMessage>
<StatusDetail>Response from PDP</StatusDetail>
<Obligation FulfillOn="Permit" ObligationId="urn:cisco:cepm:3.3:xacml:response-qualifier">
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:is-resource">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">resource</AttributeValue>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:resource-type-name">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">GLOBAL:UNTYPE</AttributeValue>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:ttl">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0</AttributeValue>
<Result ResourceId="Prime group:Prime portal:Send Trades">
<Decision>Permit</Decision>
<StatusCode Value="urn:cisco:cepm:3.3:xacml:status:ok"/>
<StatusMessage>Request is successful</StatusMessage>
<StatusDetail>Response from PDP</StatusDetail>
<Obligation FulfillOn="Permit" ObligationId="urn:cisco:cepm:3.3:xacml:response-qualifier">
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:is-resource">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">resource</AttributeValue>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:resource-type-name">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">GLOBAL:UNTYPE</AttributeValue>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:ttl">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0</AttributeValue>
<Result ResourceId="Prime group:Prime portal:Send Trades:Sell Trades">
<Decision>Permit</Decision>
<StatusCode Value="urn:cisco:cepm:3.3:xacml:status:ok"/>
<StatusMessage>Request is successful</StatusMessage>
<StatusDetail>Response from PDP</StatusDetail>
<Obligation FulfillOn="Permit" ObligationId="urn:cisco:cepm:3.3:xacml:response-qualifier">
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:is-resource">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">resource</AttributeValue>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:resource-type-name">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">GLOBAL:UNTYPE</AttributeValue>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:ttl">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0</AttributeValue>
Step 7 Retrieve the resource ID, decisions, and obligations.
//Print the resource ID and decision of each result, then each obligation attribute
foreach (Result result in results) {
    Console.WriteLine("Resource name[" + result.GetResourceId() + "]");
    Console.WriteLine("Decision [" + result.GetDecision() + "]");
    Obligation[] obligations = result.GetObligations();
    foreach (Obligation obligation in obligations) {
        AttributeAssignment[] assignments = obligation.GetAttributeAssignment();
        foreach (AttributeAssignment assignment in assignments) {
            Console.WriteLine("Attribute ID[" + assignment.GetAttributeID() + "]");
            Console.WriteLine("Attribute ID[" + assignment.GetValue() + "]");
        }
    }
}
The result includes the decisions and obligations for the specified resource and its child resources, such as Buy Trades and Sell Trades.
Resource name[Prime group:Prime portal:Send Trades]
Attribute ID[urn:cisco:cepm:3.3:xacml:is-resource]
Attribute ID[urn:cisco:cepm:3.3:xacml:resource-type-name]
Attribute ID[GLOBAL:UNTYPE]
Attribute ID[urn:cisco:cepm:3.3:xacml:ttl]
Resource name[Prime group:Prime portal:Send Trades:Buy Trades]
Attribute ID[urn:cisco:cepm:3.3:xacml:is-resource]
Attribute ID[urn:cisco:cepm:3.3:xacml:resource-type-name]
Attribute ID[GLOBAL:UNTYPE]
Attribute ID[urn:cisco:cepm:3.3:xacml:ttl]
Resource name[Prime group:Prime portal:Send Trades:Sell Trades]
Attribute ID[urn:cisco:cepm:3.3:xacml:is-resource]
Attribute ID[urn:cisco:cepm:3.3:xacml:resource-type-name]
Attribute ID[GLOBAL:UNTYPE]
Attribute ID[urn:cisco:cepm:3.3:xacml:ttl]
Here, Decision [0] means a permit decision. If the decision is deny, it will be '1'.
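A PEP that consumes the per-resource results returned by GetBulkDecisions() or GetAuthorizedDecisions() should deny unless it finds an explicit Permit for the exact resource it is about to serve. The following is an added example, not part of the Cisco guide or the PEP API: it parses a response of the shape shown above with System.Xml.Linq and fails closed. The class and method names, the `<Response>` root element, the closing tags, the Deny result and the Cancel Trades resource are assumptions or constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

static class PepEnforcement
{
    // Status URNs exactly as they appear in the two sample responses on this page.
    static readonly HashSet<string> OkStatus = new HashSet<string> {
        "urn:oasis:names:tc:xacml:1.0:status:ok",
        "urn:cisco:cepm:3.3:xacml:status:ok"
    };

    // Match on local name so a default XML namespace does not hide elements.
    static IEnumerable<XElement> Named(XElement root, string localName) =>
        root.Descendants().Where(e => e.Name.LocalName == localName);

    // Fail closed: permit only if exactly one Result carries the requested FQN,
    // its Decision is Permit, and its StatusCode is a known "ok" value.
    public static bool IsPermitted(XElement response, string resourceFqn)
    {
        List<XElement> matches = Named(response, "Result")
            .Where(r => (string)r.Attribute("ResourceId") == resourceFqn)
            .ToList();
        if (matches.Count != 1) return false;   // absent or ambiguous result

        XElement result = matches[0];
        string decision = (string)Named(result, "Decision").FirstOrDefault();
        string status = (string)Named(result, "StatusCode").FirstOrDefault()?.Attribute("Value");
        return decision != null && decision.Trim() == "Permit"
            && status != null && OkStatus.Contains(status);
    }

    // Obligation attributes attached to a permitted resource, keyed by
    // AttributeId (for example urn:cisco:cepm:3.3:xacml:ttl). Empty when denied.
    public static Dictionary<string, string> PermitObligations(XElement response, string resourceFqn)
    {
        var found = new Dictionary<string, string>();
        if (!IsPermitted(response, resourceFqn)) return found;

        XElement result = Named(response, "Result")
            .Single(r => (string)r.Attribute("ResourceId") == resourceFqn);
        foreach (XElement ob in Named(result, "Obligation")
                     .Where(o => (string)o.Attribute("FulfillOn") == "Permit"))
            foreach (XElement a in Named(ob, "AttributeAssignment"))
                found[(string)a.Attribute("AttributeId") ?? ""] = a.Value.Trim();
        return found;
    }

    static void Main()
    {
        // Constructed sample in the shape of the responses shown above. The root
        // element and closing tags are assumptions; the Deny result is invented.
        XElement response = XElement.Parse(@"
<Response>
  <Result ResourceId='Prime group:Prime portal:Send Trades:Buy Trades'>
    <Decision>Permit</Decision>
    <StatusCode Value='urn:cisco:cepm:3.3:xacml:status:ok'/>
    <Obligation FulfillOn='Permit' ObligationId='urn:cisco:cepm:3.3:xacml:response-qualifier'>
      <AttributeAssignment AttributeId='urn:cisco:cepm:3.3:xacml:ttl'>
        <AttributeValue DataType='http://www.w3.org/2001/XMLSchema#string'>0</AttributeValue>
      </AttributeAssignment>
    </Obligation>
  </Result>
  <Result ResourceId='Prime group:Prime portal:Send Trades:Sell Trades'>
    <Decision>Deny</Decision>
    <StatusCode Value='urn:cisco:cepm:3.3:xacml:status:ok'/>
  </Result>
</Response>");

        string root = "Prime group:Prime portal:Send Trades";
        // "Cancel Trades" is a constructed name with no Result in the response.
        foreach (string child in new[] { "Buy Trades", "Sell Trades", "Cancel Trades" })
        {
            string fqn = root + ":" + child;
            Console.WriteLine(fqn + " -> " + (IsPermitted(response, fqn) ? "Permit" : "Deny"));
        }
        foreach (var kv in PermitObligations(response, root + ":Buy Trades"))
            Console.WriteLine("Obligation " + kv.Key + " = " + kv.Value);
    }
}
```

With the constructed input, Buy Trades is permitted, Sell Trades is denied by its explicit Deny, and Cancel Trades is denied because the response carries no Result for it.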