CEPM Java Developers Guide V 3.3.1.0
PEP API Quick Start Guide

Table Of Contents

PEP API Quick Start Guide

Exercise 1: Compile and Run the PEP Simulator

Exercise 2: isUserAccessAllowed()

isUserAccessAllowed(subject, resource, action)

Sample Code

Sample Code for In-process PDP

Exercise 3: getDecisions()

getDecisions(subject, resource, action, map, rolebundle, context, level)

Sample Code

Exercise 4: getPermissibleResourcesForUsers()

getPermissibleResourcesForUsers(subject, resource,map, roleBundles, context)

Sample Code

Exercise 5: getRolesAllowedForResource()

getRolesAllowedForResource(resource,roleBundles,context,map)

Sample Code

Exercise 6: getPermissibleResourcesAndResourceGroupsForUser()

getPermissibleResourcesAndResourceGroupsForUser(subject, resourceFQN, action, attMap, roleBundles, context, level)

Sample Code:

Exercise 7: getResourceAndResourceGroupDecisionsForUser()

getResourcesAndResourceGroupsDecisionsForUser(subject, resourceFQN, action, attMap, roleBundles, context, level)

Sample Code:

Exercise 8: getBulkDecisions()

getBulkDecision(subject, resources, actions, map, rolebundles, context, level)

Sample Code:

Exercise 9: getAuthorizedDecisions()


PEP API Quick Start Guide


In CEPM, the PEP APIs are available in two frameworks, the old and the new. The old APIs are called through the net.securent package and the new APIs through the com.cisco.epm package. This chapter provides exercises that teach you how to work with the PEP Simulator and how to develop code with some of the more commonly used PEP API methods, including the newly introduced getAuthorizedDecisions() method, which takes a XACML request as its input parameter; the PEP then makes a SOAP call to the PDP.


Note XACML request containing I18N characters: If you use I18N characters in a XACML request, you must select UTF-8 as the encoding when writing the data to a file, because the default parser (SAX parser) recognizes characters in UTF-8 format only. By default, the data files (XACML request) are saved in ANSI format, which can cause the PDP to return erroneous results or throw exceptions while parsing.
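The note above is easy to get wrong in Java because FileWriter silently uses the platform default encoding (the "ANSI" format the note warns about). The following is an added example, not code from the CEPM guide or the PEP client, showing a request file written with an explicit UTF-8 encoder and read back with the JDK SAX parser, so the round trip can be verified. The request fragment and the subject name "Jürgen" are constructed for the example; only the XACML attribute identifiers come from the guide.

```java
import java.io.InputStream;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.helpers.DefaultHandler;

public class XacmlRequestFileUtf8 {
    // Constructed XACML request fragment with an I18N subject-id; not a capture from a real PEP.
    static final String REQUEST_XML =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
        "<Request>\n" +
        " <Subject SubjectCategory=\"urn:oasis:names:tc:xacml:1.0:subject-category:access-subject\">\n" +
        "  <Attribute AttributeId=\"urn:oasis:names:tc:xacml:1.0:subject:subject-id\"\n" +
        "             DataType=\"http://www.w3.org/2001/XMLSchema#string\">\n" +
        "   <AttributeValue>J\u00fcrgen</AttributeValue>\n" +
        "  </Attribute>\n" +
        " </Subject>\n" +
        "</Request>\n";

    /** Write the request with an explicit UTF-8 encoder, never with the platform default. */
    static void writeRequest(Path file, String xml) throws Exception {
        try (Writer w = new OutputStreamWriter(Files.newOutputStream(file), StandardCharsets.UTF_8)) {
            w.write(xml);
        }
    }

    /** Parse the file with the JDK SAX parser and return the subject-id value it decoded. */
    static String readSubjectId(Path file) throws Exception {
        final StringBuilder subject = new StringBuilder();
        DefaultHandler handler = new DefaultHandler() {
            boolean inSubjectId = false;
            boolean inValue = false;
            @Override public void startElement(String uri, String local, String qName, Attributes atts) {
                if ("Attribute".equals(qName)
                        && "urn:oasis:names:tc:xacml:1.0:subject:subject-id".equals(atts.getValue("AttributeId"))) {
                    inSubjectId = true;
                } else if (inSubjectId && "AttributeValue".equals(qName)) {
                    inValue = true;
                }
            }
            @Override public void endElement(String uri, String local, String qName) {
                if ("AttributeValue".equals(qName)) inValue = false;
                if ("Attribute".equals(qName)) inSubjectId = false;
            }
            @Override public void characters(char[] ch, int start, int length) {
                if (inValue) subject.append(ch, start, length);
            }
        };
        SAXParserFactory spf = SAXParserFactory.newInstance();
        // The request file is still untrusted input to the parser: no DTDs, no external entities.
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        try (InputStream in = Files.newInputStream(file)) {
            spf.newSAXParser().parse(in, handler);
        }
        return subject.toString();
    }

    public static void main(String[] args) throws Exception {
        Path file = Files.createTempFile("xacml-request", ".xml");
        writeRequest(file, REQUEST_XML);
        String seen = readSubjectId(file);
        // The umlaut survives only because the bytes on disk are UTF-8, matching what the
        // parser expects; a file written in the platform's ANSI code page comes back mangled
        // or makes the parser throw, which is the failure the guide's note describes.
        System.out.println("subject-id read back: " + seen + " (intact: " + "J\u00fcrgen".equals(seen) + ")");
        Files.delete(file);
    }
}
```

The same rule applies when the request is handed to the PDP over SOAP rather than through a file: build the bytes with StandardCharsets.UTF_8 explicitly rather than relying on String.getBytes() with no argument.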


For more information on how to work with the PEP APIs, refer to Appendix A, "PEP API Reference Guide." The guide contains documentation for over 50 PEP API methods. For more information on the full set of PEP APIs, refer to the PEP API Javadocs.

Exercise 1: Compile and Run the PEP Simulator

The PEP Simulator is a CEPM utility that allows developers to quickly test entitlement policies defined within the administration console. The utility also serves as a test bed for working with the PEP APIs.

To edit, compile, and run the PEP Simulator, follow these steps:


Step 1 Unzip CEPM_PEPClient-V3.3.1.0GA_XXXXX.zip.

Step 2 Verify that JDK (1.6 or higher) is installed on the local machine.

Step 3 Open the command prompt and navigate to the PEP Simulator directory.

Step 4 Edit the PEP.java file, replacing the username and resource values with the user and resource names you want to test. For example:

String username = "jdoe";
String resource = "Prime group:Prime portal:Account 1";

Step 5 Save the updated PEP.java file.

Step 6 Type: compile

Step 7 Type: run

The PEP Simulator should return a true or false result based on the applicable policies for the user and resource.

Step 8 Repeat steps 4 through 7 to test different user and resource combinations.


Exercise 2: isUserAccessAllowed()

This method determines whether a user is authorized to perform an action on a specific resource and returns a Boolean result (true or false). This exercise uses the most common form of the isUserAccessAllowed() method, which passes subject, resource, and action information. For more information on the other overloaded variations of this method, refer to Appendix A, "PEP API Reference Guide."

isUserAccessAllowed(subject, resource, action)

subject: String value containing user ID (for example, jdoe)

resource: String value containing fully qualified resource name (for example, Prime group:Prime portal:Account 1)

action: String value containing action for the resource (for example, buy, sell, read, write, delete, and any)

Return type: boolean (Permit = true, Deny / Not Applicable = false)

Sample Code

//Define subject, resource, and action values
String username = "jdoe";
String resource = "Prime group:Prime portal:Account 1";
String action = "any";
//Initialize IAuthorization Manager
IAuthorizationManager mgr = 
AuthorizationManagerFactory.getInstance().getAuthorizationManager();
//Invoke isUserAccessAllowed() method, providing user, resource, and action information
boolean decision = mgr.isUserAccessAllowed(username,resource,action);
//Print decision
System.out.println("Is "+username+" allowed to access "+resource+"? "+decision);

To perform this check, follow these steps:


Step 1 Open PEP.java in a text editor.

Step 2 Edit the file, using the sample code as a guide.

Step 3 Save changes.

Step 4 Type: compile

Step 5 Type: run


Sample Code for In-process PDP

If you are using the In-process PDP instead of the regular PDP, you must add one more line to the sample above, as shown below:

//Define subject, resource, and action values
String username = "jdoe";
String resource = "Prime group:Prime portal:Account 1";
String action = "any";
//If you are using the In-process PDP, initialize the PDPEngine
PDPEngine.getInstance().init();
//Initialize IAuthorization Manager
IAuthorizationManager mgr = 
AuthorizationManagerFactory.getInstance().getAuthorizationManager();
//Invoke isUserAccessAllowed() method, providing user, resource, and action information
boolean decision = mgr.isUserAccessAllowed(username,resource,action);
//Print decision
System.out.println("Is "+username+" allowed to access "+resource+"? "+decision);

Refer to CEPM In-Process PDP Deployment Guide V3.3.1.0 for more information on how to deploy the In-process PDP in your standalone (desktop) application.
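The sample above is written for the simulator, where printing the Boolean is the goal. In a real enforcement point the PEP is the last line of defence, so it should fail closed and leave an audit trail. The following is an added example, not part of the CEPM guide or the PEP client, that wraps the isUserAccessAllowed(subject, resource, action) call shown above. It uses only the IAuthorizationManager and AuthorizationManagerFactory calls from the sample; their import statements are the same ones PEP.java in the PEP Simulator already uses and are not repeated here. The decision to reject the catch-all action "any" is a hardening choice of this example, not a rule of the API.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
// IAuthorizationManager and AuthorizationManagerFactory: same imports as PEP.java.

public class FailClosedPep {
    private static final Logger LOG = Logger.getLogger(FailClosedPep.class.getName());
    private final IAuthorizationManager mgr;

    public FailClosedPep(IAuthorizationManager mgr) {
        this.mgr = mgr;
    }

    /**
     * Ask the PDP whether subject may perform action on resource and return false on any
     * failure. A PEP that lets the exception propagate, or that treats "no answer" as
     * permit, turns a PDP outage into an authorization bypass.
     */
    public boolean isAllowed(String subject, String resource, String action) {
        if (isBlank(subject) || isBlank(resource) || isBlank(action) || "any".equals(action)) {
            // "any" is fine for testing policies in the simulator; an enforcement point should
            // ask for the concrete action (read, write, ...) so per-action policy is applied.
            LOG.warning("rejecting malformed or over-broad authorization query for resource " + resource);
            return false;
        }
        try {
            boolean decision = mgr.isUserAccessAllowed(subject, resource, action);
            // The PEP is the only component that sees subject, resource and action together,
            // so this log line is the authorization audit trail.
            LOG.info("authz subject=" + subject + " resource=" + resource
                    + " action=" + action + " decision=" + (decision ? "Permit" : "Deny"));
            return decision;
        } catch (Exception e) {
            // Deny / Not Applicable already map to false; an error must not map to true.
            LOG.log(Level.SEVERE, "PDP call failed, denying " + action + " on " + resource, e);
            return false;
        }
    }

    private static boolean isBlank(String s) {
        return s == null || s.trim().isEmpty();
    }

    public static void main(String[] args) {
        IAuthorizationManager mgr = AuthorizationManagerFactory.getInstance().getAuthorizationManager();
        FailClosedPep pep = new FailClosedPep(mgr);
        // Same user and resource as the simulator sample, with a concrete action instead of "any".
        System.out.println(pep.isAllowed("jdoe", "Prime group:Prime portal:Account 1", "read"));
    }
}
```

When the In-process PDP is used, PDPEngine.getInstance().init() still has to run once before the first call, exactly as in the sample above; the wrapper does not change that.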

Exercise 3: getDecisions()

Similar to isUserAccessAllowed(), this method determines whether a user is authorized to perform an action on a specific resource. However, getDecisions() returns the full XACML response instead of a Boolean result. This exercise uses the most common form of the getDecisions() method, which passes subject, resource, action, map, role bundle, context and level information.

getDecisions(subject, resource, action, map, rolebundle, context, level)

subject: String value containing user ID (for example, jdoe)

resource: String value containing fully qualified resource name (for example, Prime group:Prime portal:Account 1)

action: String value containing action for the resource (for example, buy, sell, read, write, delete, and any)

map: Hash map containing different message attributes.

rolebundle: String array containing role bundle names.

context: String value containing context.

level: Int value for the resource level up to which decisions are to be returned.

Return type: XacmlResponse containing the full XACML response from the PDP

Sample Code

//Define subject, resource, and action values
String subject = "Mary";
String resource = "Prime group:Prime portal:testres";
String action = "any";
String[] roleBundles = new String[1];
roleBundles[0] = "Default";
HashMap map = new HashMap();                    
String context = "Global Context:Global Context";
int level = -1;

//Initialize IAuthorization Manager
IAuthorizationManager mgr = 
AuthorizationManagerFactory.getInstance().getAuthorizationManager();

//Invoke getDecisions() method, providing the above mentioned parameters.
XacmlResponse pdpResponse = 
mgr.getDecisions(subject,resource,action,map,roleBundles,context,level);

//Use XacmlResponse methods to print the decision and the entire XACML response
System.out.println("XACML Response: ");
System.out.println(pdpResponse.toXml());

To perform this check, follow these steps:


Step 1 Open PEP.java in a text editor.

Step 2 Edit the file, using the sample code as a guide.

Step 3 Save changes.

Step 4 Type: compile

Step 5 Type: run


Exercise 4: getPermissibleResourcesForUsers()

This method returns a list of a user's permitted subresources for a given resource. This exercise uses the most common form of the getPermissibleResourcesForUsers() method, which passes subject, resource, map, role bundle and context information. For more information on the other overloaded variations of this method, refer to Appendix A, "PEP API Reference Guide."

getPermissibleResourcesForUsers(subject, resource,map, roleBundles, context)

subject: String value containing user ID (for example, jdoe)

resource: String value containing fully qualified resource name (for example, Prime group:Prime portal)

map: Hash map containing different message attributes.

roleBundle: String array containing role bundle names.

context: String value containing the context name.

Return type: String[] array containing all of the permissible child resources

Sample Code

//Define subject, resource, map, role bundle and context values 
String subject = "Mary";
String resource = "Prime group:Prime portal";
String[] roleBundles = new String[1];
roleBundles[0] = "Default";
String context = "Global Context:Global Context";
HashMap map = new HashMap();

//Initialize IAuthorization Manager 
IAuthorizationManager mgr = 
AuthorizationManagerFactory.getInstance().getAuthorizationManager();

//Invoke getPermissibleResourcesForUsers() method, providing the above mentioned parameters
String[] str = mgr.getPermissibleResourcesForUser(subject, resource, map, roleBundles, context);

//Iterate through String array and print permissible resources for user
if(str!=null){
   System.out.println(subject+" is allowed to access the following resources: ");
   for(int i=0;i<str.length;i++){
      System.out.println("Resource: "+str[i]);
   }
}

To list a user's permitted subresources for a given resource, follow these steps:


Step 1 Open PEP.java in a text editor.

Step 2 Edit the file, using the sample code as a guide.

Step 3 Save changes.

Step 4 Type: compile

Step 5 Type: run


Exercise 5: getRolesAllowedForResource()

This method returns a list of permissible roles for a resource. This exercise uses the most common form of the getRolesAllowedForResource() method, which passes resource, role bundle, context and map information. For more information on the other overloaded variations of this method, refer to Appendix A, "PEP API Reference Guide."

getRolesAllowedForResource(resource,roleBundles,context,map)

resource: String value containing fully qualified resource name (for example, Prime group:Prime portal:Account 1).

roleBundles: String array containing role bundle names.

context: String value containing the context name.

map: Hash map containing different message attributes.

Return type: String[] array containing all roles allowed to access resource

Sample Code

//Define resource and context values 
String resource = "Prime group:Prime portal:Account 1";
String[] roleBundles = new String[1];
roleBundles[0] = "Default";
String context = "Global Context:Global Context";
HashMap map = new HashMap();

//Initialize IAuthorization Manager 
IAuthorizationManager mgr = 
AuthorizationManagerFactory.getInstance().getAuthorizationManager();

//Invoke getRolesAllowedForResource() method by providing resource, role bundle, context and map values
String[] str = mgr.getRolesAllowedForResource(resource,roleBundles,context,map);

//Iterate through String array and print roles allowed to access resource 
if(str!=null){ 
   System.out.println("The following roles are allowed access to "+resource+":");
   for(int i=0;i<str.length;i++){ 
      System.out.println("Role: "+str[i]); 
   } 
}

To list the permissible roles of a resource, follow these steps:


Step 1 Open PEP.java in a text editor.

Step 2 Edit the file, using the sample code as a guide.

Step 3 Save changes.

Step 4 Type: compile

Step 5 Type: run


Exercise 6: getPermissibleResourcesAndResourceGroupsForUser()

This method is used to get all permitted resources and resource groups for a given user, based on the custom attributes under the specified roleBundles and context. This method returns a list of permissible resources and resource groups for the specified user. Refer to Appendix A, "PEP API Reference Guide." for getPermissibleResourcesAndResourceGroupsForRoles() and getPermissibleResourcesAndResourceGroupsForGroups() methods.

getPermissibleResourcesAndResourceGroupsForUser(subject, resourceFQN, action, attMap, roleBundles, context, level)

subject: String value containing user ID (for example, jdoe)

resource: String value containing fully qualified resource name (for example, Prime group:Prime portal). You can also pass a resource group FQN, because a resource group is treated as a regular resource in the resource hierarchy.

map: Hash map containing different message attributes.

roleBundle: String array containing role bundle names.

context: String value containing the context name.

level: Integer that refers to the resource level of child hierarchy.

Return Type: String[][] array, a two-dimensional string array with two elements:

The first element is an array of permissible resources.

The second element is an array of permissible resource groups for the given resource.

Sample Code:

//Define subject, resource, map, role bundle and context values 
String username = "User1";
String resource = "App Group:RGApplication:Resource1";
String[] roleBundles = new String[1];
roleBundles[0] = "Default";
HashMap map = new HashMap();
String context = "Global Context:Global Context";
int level = -1;

//Initialize IAuthorization Manager 
IAuthorizationManager mgr = 
AuthorizationManagerFactory.getInstance().getAuthorizationManager();

//Invoke getPermissibleResourcesAndResourceGroupsForUser() method, providing the above mentioned parameters
String[][] result = mgr.getPermissibleResourcesAndResourceGroupsForUser(username, resource, "any", map, roleBundles, context, level);

//Iterate through String array and print permissible resources and resource groups for user
for (int i = 0; i < result[0].length; i++) {
   System.out.println("Permitted Resource FQN: "+result[0][i]);
}
for (int j = 0; j < result[1].length; j++) {
   System.out.println("Permitted Resource Group FQN: "+result[1][j]);
}

Output:

If Child11, Child12 and Child13 are the child resources of 'Resource1', ResourceGroup1 is the resource group under 'Resource1' with Child12 and Child13 as members, and the user (user1) has permission to access 'ResourceGroup1' under the 'Default' roleBundle and 'Global Context', then this method returns the permitted child resources in the first list and the resource group in the second list, as given below:

Permitted Resource FQN: App Group:RGApplication:Resource1:Child12
Permitted Resource FQN: App Group:RGApplication:Resource1:Child13

Permitted Resource Group FQN: App Group:RGApplication:Resource1:ResourceGroup1

To list the permissible resources and resource groups for a user, follow these steps:


Step 1 Open PEP.java in a text editor.

Step 2 Edit the file, using the sample code as a guide.

Step 3 Save changes.

Step 4 Type: compile

Step 5 Type: run


Exercise 7: getResourceAndResourceGroupDecisionsForUser()

This method is used to get an array of the following three elements for a given user based on the custom attributes under the specified roleBundles and context:

The first element consists of resources and resource groups that are allowed for the specified user.

The second element consists of resources and resource groups that are denied (explicitly) for the specified user.

The third element consists of resource groups where some of its members are not allowed for the specified user.

Refer to Appendix A, "PEP API Reference Guide." for getResourcesAndResourceGroupsDecisonsForRoles() and getResourcesAndResourceGroupsDecisionsForGroups() methods.

getResourcesAndResourceGroupsDecisionsForUser(subject, resourceFQN, action, attMap, roleBundles, context, level)

subject: String value containing user ID (for example, jdoe)

resource: String value containing fully qualified resource name (for example, Prime group:Prime portal). You can also pass a resource group FQN, because a resource group is treated as a regular resource in the resource hierarchy.

map: Hash map containing different message attributes.

roleBundle: String array containing role bundle names.

context: String value containing the context name.

level: Integer that refers to the resource level of child hierarchy.

Return Type: String[][] array, a two-dimensional string array with three elements:

The first element is an array of resources and resource groups that are allowed.

The second element is an array of resources and resource groups that are denied.

The third element consists of an array of resource groups where some of its members are denied.

Sample Code:

//Define subject, resource, map, role bundle and context values 
String username = "User1";
String resource = "App Group:RGApplication:Resource1";
String[] roleBundles = new String[1];
roleBundles[0] = "Default";
HashMap map = new HashMap();
String context = "Global Context:Global Context";
int level = -1;

//Initialize IAuthorization Manager 
IAuthorizationManager mgr = 
AuthorizationManagerFactory.getInstance().getAuthorizationManager();

//Invoke getResourcesAndResourceGroupsDecisionsForUser() method, providing the above mentioned parameters
String[][] result = mgr.getResourceAndResourceGroupDecisionsForUser(username, resource, "any", map, roleBundles, context, level);

//Iterate through String array and print permitted resources and resource groups for user
for (int i = 0; i < result[0].length; i++) {
   System.out.println("Permitted FQN: "+result[0][i]);
}
//Iterate through String array and print denied resources and resource groups for user
for (int j = 0; j < result[1].length; j++) {
   System.out.println("Denied FQN: "+result[1][j]);
}
//Iterate through String array and print resource groups with denied members for user
for (int k = 0; k < result[2].length; k++) {
   System.out.println("Resource Group FQN with denied members: "+result[2][k]);
}

Output:

If Child11, Child12, Child13 and Child14 are the child resources of 'Resource1', ResourceGroup1 is the resource group under 'Resource1' with Child11 and Child12 as members, ResourceGroup2 is the resource group under 'Resource1' with Child13 and Child14 as members, and the user (user1) has an allow policy on 'ResourceGroup1' and a deny policy on 'ResourceGroup2' under the 'Default' roleBundle and 'Global Context', then this method returns the permitted resources and resource groups in the first list, the denied ones in the second list, and the resource groups with denied members in the third list, as given below:


Permitted FQN: App Group:RGApplication:Resource1:Child11
Permitted FQN: App Group:RGApplication:Resource1:Child12
Permitted FQN: App Group:RGApplication:Resource1:ResourceGroup1

Denied FQN: App Group:RGApplication:Resource1:Child13
Denied FQN: App Group:RGApplication:Resource1:Child14
Denied FQN: App Group:RGApplication:Resource1:ResourceGroup2

Resource Group FQN with denied members: App Group:RGApplication:Resource1:ResourceGroup2

To list the permitted, denied and partially denied resources and resource groups for a user, follow these steps:


Step 1 Open PEP.java in a text editor.

Step 2 Edit the file, using the sample code as a guide.

Step 3 Save changes.

Step 4 Type: compile

Step 5 Type: run
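The three lists returned by getResourcesAndResourceGroupsDecisionsForUser() are only useful if the enforcement point combines them correctly: an FQN in the denied list must never be granted, and a resource group in the third list cannot be granted wholesale even though it may not appear in the denied list. The following is an added example, not code from the CEPM guide, that applies exactly that rule to the String[][] result; it needs no CEPM classes, and the sample array is constructed to match the output shown above for user1 and Resource1.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;

public class ResourceGroupDecisions {
    // Constructed to mirror the Exercise 7 output: ResourceGroup1 allowed, ResourceGroup2 denied.
    static final String[][] SAMPLE = {
        { "App Group:RGApplication:Resource1:Child11",
          "App Group:RGApplication:Resource1:Child12",
          "App Group:RGApplication:Resource1:ResourceGroup1" },
        { "App Group:RGApplication:Resource1:Child13",
          "App Group:RGApplication:Resource1:Child14",
          "App Group:RGApplication:Resource1:ResourceGroup2" },
        { "App Group:RGApplication:Resource1:ResourceGroup2" }
    };

    enum Verdict { ALLOW, DENY, GROUP_PARTIALLY_DENIED, UNKNOWN }

    /** Combine all three lists for one FQN; explicit deny wins, then "partially denied", then allow. */
    static Verdict verdictFor(String[][] result, String fqn) {
        if (result == null || result.length < 3) {
            return Verdict.UNKNOWN;           // malformed answer from the PDP: treat as not permitted
        }
        Set<String> allowed = toSet(result[0]);
        Set<String> denied = toSet(result[1]);
        Set<String> partial = toSet(result[2]);
        if (denied.contains(fqn)) return Verdict.DENY;
        if (partial.contains(fqn)) return Verdict.GROUP_PARTIALLY_DENIED; // evaluate members one by one
        if (allowed.contains(fqn)) return Verdict.ALLOW;
        return Verdict.UNKNOWN;               // not mentioned at all: no permission to infer
    }

    /** The set a UI or API gateway may expose: allowed FQNs minus anything denied or partially denied. */
    static Set<String> safelyExposable(String[][] result) {
        Set<String> out = new LinkedHashSet<>();
        if (result == null || result.length < 3) return out;
        for (String fqn : result[0]) {
            if (verdictFor(result, fqn) == Verdict.ALLOW) out.add(fqn);
        }
        return out;
    }

    private static String[] nullSafe(String[] a) {
        return a == null ? new String[0] : a;
    }

    private static Set<String> toSet(String[] a) {
        return new HashSet<>(Arrays.asList(nullSafe(a)));
    }

    public static void main(String[] args) {
        String base = "App Group:RGApplication:Resource1:";
        for (String name : new String[] { "Child11", "Child13", "ResourceGroup1", "ResourceGroup2", "Child99" }) {
            System.out.println(name + " -> " + verdictFor(SAMPLE, base + name));
        }
        System.out.println("exposable: " + safelyExposable(SAMPLE));
    }
}
```

With the sample array, Child11 and ResourceGroup1 come back ALLOW, Child13 and ResourceGroup2 come back DENY (deny wins over the third-list entry), and a resource the PDP never mentioned, such as Child99, comes back UNKNOWN rather than being allowed by omission.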


Exercise 8: getBulkDecisions()

This method is used to get the decisions for the given resources and their child resources in one call. This exercise uses the getBulkDecision() method, which passes subject, resources, actions, map, role bundles, context and level.

getBulkDecision(subject, resources, actions, map, rolebundles, context, level)

subject: String value containing user ID (for example, jdoe)

resources: String array containing fully qualified resource names (for example, Prime group:Prime portal:Account 1)

actions: String array containing actions for the resource (for example, buy, sell, read, write, delete, and any)

map: Hash map containing different message attributes.

rolebundle: String array containing role bundle names.

context: String value containing context.

level: Int value for the resource level up to which decisions are to be returned.

Return type: XacmlResponse object containing the full XACML response from the PDP

Sample Code:

Example 1: Passing action as "any":

//Define resource, action, map, role bundle, context and level values
String[] resources = new String[1];
resources[0] = "Prime group:Prime portal:View Reports";
String[] actions = new String[1];
actions[0] = "any";
Map map = new HashMap();
map.put("sum", "10");
String[] roleBundles = new String[1];
roleBundles[0] = "Default";
String context = "Global Context:Global Context";
int level = -1;

//Initialize IAuthorization Manager
IAuthorizationManager mgr =
AuthorizationManagerFactory.getInstance().getAuthorizationManager();

//Invoke getBulkDecisions() method by providing the above mentioned parameters
XacmlResponse pdpResponse = mgr.getBulkDecisions("Tom",resources,actions,map,roleBundles,context,level);
System.out.println(pdpResponse.toXml());

Output:

If the user (Tom) has permission to access 'View Reports' under the 'Default' roleBundle and 'Global Context', then after the PIP rule is evaluated against the given attributes the result will be:

<xml>
<Response>
<!-- Result for the resource "View Reports:Report 6" -->
<Result ResourceId="Prime group:Prime portal:View Reports:Report 6">
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
<StatusMessage>Request is successful</StatusMessage>
<StatusDetail>Response from PDP</StatusDetail>
</Status>
<Obligations>
<Obligation FulfillOn="Permit" ObligationId="urn:cisco:cepm:3.3:xacml:response-qualifier">
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:is-resource">
<AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">resource</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:resource-type-name">
<AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">Global:Action</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:ttl">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0</AttributeValue>
</AttributeAssignment>
</Obligation>
</Obligations>
</Result>

<!-- Result for the resource "View Reports" -->
<Result ResourceId="Prime group:Prime portal:View Reports">
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
<StatusMessage>Request is successful</StatusMessage>
<StatusDetail>Response from PDP</StatusDetail>
</Status>
<Obligations>
<Obligation FulfillOn="Permit" ObligationId="urn:cisco:cepm:3.3:xacml:response-qualifier">
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:is-resource">
<AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">resource</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:resource-type-name">
<AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">Global:UNTYPE</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:ttl">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0</AttributeValue>
</AttributeAssignment>
</Obligation>
</Obligations>

//Result for the action "View Reports:Report 6:Read"
</Result>
<Result ResourceId="Prime group:Prime portal:View Reports:Report 6:Read">
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
<StatusMessage>Request is successful</StatusMessage>
<StatusDetail>Response from PDP</StatusDetail>
</Status>
<Obligations>
<Obligation FulfillOn="Permit" ObligationId="urn:cisco:cepm:3.3:xacml:response-qualifier">
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:is-action">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">action</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:resource-type-name">
<AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">Global:UNTYPE</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:ttl">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0</AttributeValue>
</AttributeAssignment>
</Obligation>
</Obligations>
</Result>

<!-- Result for the action "View Reports:Read" -->
<Result ResourceId="Prime group:Prime portal:View Reports:Read">
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
<StatusMessage>Request is successful</StatusMessage>
<StatusDetail>Response from PDP</StatusDetail>
</Status>
<Obligations>
<Obligation FulfillOn="Permit" ObligationId="urn:cisco:cepm:3.3:xacml:response-qualifier">
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:is-action">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">action</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:resource-type-name">
<AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">Global:UNTYPE</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:ttl">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0</AttributeValue>
</AttributeAssignment>
</Obligation>
</Obligations>
</Result>
</Response>
</xml>

Example 2: Passing a specific action (other than "any"):

//Define resource, action, map, role bundle, context and level values
String[] resources = new String[1];
resources[0] = "Prime group:Prime portal:View Reports";
String[] actions = new String[1];
actions[0] = "Read";
Map map = new HashMap();
map.put("sum", "10");
String[] roleBundles = new String[1];
roleBundles[0] = "Default";
String context = "Global Context:Global Context";
int level = 1;

//Initialize IAuthorization Manager
IAuthorizationManager mgr =
AuthorizationManagerFactory.getInstance().getAuthorizationManager();

//Invoke getBulkDecisions() method by providing the above mentioned parameters
XacmlResponse pdpResponse = mgr.getBulkDecisions("Tom",resources,actions,map,roleBundles,context,level);
System.out.println(pdpResponse.toXml());

Output:

If the user (Tom) has permission to access 'View Reports' under the 'Default' roleBundle and 'Global Context', then after the PIP rule is evaluated against the given attributes the result will be:

<xml>
<Response>
<!-- Result for the action "View Reports:Read" -->
<Result ResourceId="Prime group:Prime portal:View Reports:Read">
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
<StatusMessage>Request is successful</StatusMessage>
<StatusDetail>Response from PDP</StatusDetail>
</Status>
<Obligations>
<Obligation FulfillOn="Permit" ObligationId="urn:cisco:cepm:3.3:xacml:response-qualifier">
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:is-action">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">action</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:resource-type-name">
<AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">Global:UNTYPE</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:ttl">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0</AttributeValue>
</AttributeAssignment>
</Obligation>
</Obligations>
</Result>
</Response>
</xml>
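Both getDecisions() (Exercise 3) and getBulkDecisions() (this exercise) hand back an XacmlResponse whose toXml() output has the shape shown above: one Result per resource or action, each with a Decision, a Status and optional Obligations. The following is an added example, not code from the CEPM guide or the PEP client, that parses such a response with the JDK DOM parser and reduces it to what an enforcement point needs. It runs without the CEPM jars; the embedded response is constructed for the example (one Permit and one Deny) using the element names, the status URN and the ttl obligation identifier from the outputs above. Because the Exercise 9 output uses a different status URN (urn:cisco:cepm:3.3:xacml:status:ok), the check accepts any value ending in ":status:ok".

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class XacmlResponseReader {
    /** One <Result> element reduced to what a PEP needs. */
    static final class Decision {
        final String resourceId, decision, statusCode;
        final Map<String, String> obligations = new LinkedHashMap<>();
        Decision(String resourceId, String decision, String statusCode) {
            this.resourceId = resourceId; this.decision = decision; this.statusCode = statusCode;
        }
    }

    // Constructed sample in the shape of the getBulkDecisions() output above.
    static final String SAMPLE =
        "<Response>" +
        "<Result ResourceId=\"Prime group:Prime portal:View Reports\"><Decision>Permit</Decision>" +
        "<Status><StatusCode Value=\"urn:oasis:names:tc:xacml:1.0:status:ok\"/></Status>" +
        "<Obligations><Obligation FulfillOn=\"Permit\" ObligationId=\"urn:cisco:cepm:3.3:xacml:response-qualifier\">" +
        "<AttributeAssignment AttributeId=\"urn:cisco:cepm:3.3:xacml:ttl\">" +
        "<AttributeValue DataType=\"http://www.w3.org/2001/XMLSchema#string\">0</AttributeValue>" +
        "</AttributeAssignment></Obligation></Obligations></Result>" +
        "<Result ResourceId=\"Prime group:Prime portal:View Reports:Report 6\"><Decision>Deny</Decision>" +
        "<Status><StatusCode Value=\"urn:oasis:names:tc:xacml:1.0:status:ok\"/></Status></Result>" +
        "</Response>";

    static List<Decision> parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The response arrives over the network: disable DTDs and entity expansion before parsing.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        List<Decision> out = new ArrayList<>();
        NodeList results = doc.getElementsByTagName("Result");
        for (int i = 0; i < results.getLength(); i++) {
            Element r = (Element) results.item(i);
            NodeList sc = r.getElementsByTagName("StatusCode");
            String status = sc.getLength() > 0 ? ((Element) sc.item(0)).getAttribute("Value") : "";
            Decision d = new Decision(r.getAttribute("ResourceId"), text(r, "Decision"), status);
            NodeList aa = r.getElementsByTagName("AttributeAssignment");
            for (int j = 0; j < aa.getLength(); j++) {
                Element a = (Element) aa.item(j);
                d.obligations.put(a.getAttribute("AttributeId"), text(a, "AttributeValue"));
            }
            out.add(d);
        }
        return out;
    }

    private static String text(Element parent, String tag) {
        NodeList n = parent.getElementsByTagName(tag);
        return n.getLength() == 0 ? "" : n.item(0).getTextContent().trim();
    }

    /** Enforcement rule: usable only with an explicit Permit and an ok status; anything else blocks. */
    static boolean isPermitted(Decision d) {
        return "Permit".equals(d.decision) && d.statusCode.endsWith(":status:ok");
    }

    public static void main(String[] args) throws Exception {
        for (Decision d : parse(SAMPLE)) {
            System.out.println(d.resourceId + " -> " + d.decision
                    + " (enforce: " + (isPermitted(d) ? "allow" : "block") + ") obligations=" + d.obligations);
        }
    }
}
```

Indeterminate and NotApplicable decisions, and any result whose status is not ok, fall through to "block" here; the guide's isUserAccessAllowed() maps them to false in the same way.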

Exercise 9: getAuthorizedDecisions()

This is a generic method that takes a XACML request as its input parameter. This single API method can replace all the existing PEP methods such as isUserAccessAllowed(), isRoleAccessAllowed(), getDecisions() and so on. To use this method:


Step 1 Define the following input parameters.

String subject = "Mary";
String resource = "Prime group:Prime portal:Send Trades";
String action = "any";
HashMap<String, String> envMap = new HashMap<String, String>();
envMap.put(XacmlConstant.LEVEL, "-1");
String roleBundle = "Default";
String context = "Global Context:Global Context";

Step 2 Initialize IAuthorization Manager.

IAuthorizationManager mgr = 
AuthorizationManagerFactory.getInstance().getAuthorizationManager();

Step 3 Call the XacmlGenerator to create the XacmlRequest.

com.cisco.epm.xacml.XACMLGenerator generator = new XACMLGenerator();

Step 4 Create the XacmlRequest

com.cisco.epm.xacml.XacmlRequest xacmlRequest = generator.createXacmlRequest(subject, resource, action, envMap, roleBundle, context, XacmlConstant.SUBJECTID);

If the subject is a role, the XacmlConstant is ROLEID; if it is a group, it is GROUPID.

The Xacml Generator will consider the above mentioned parameters and generate a XacmlRequest which may look like:

<Request>
<Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" 
DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="requestor">
<AttributeValue>Mary</AttributeValue>
</Attribute>
</Subject>
<Resource>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>Prime group:Prime portal:Send Trades</AttributeValue>
</Attribute>
</Resource>
<Action>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" 
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>any</AttributeValue>
</Attribute>
</Action>
<Environment>
<Attribute AttributeId="Key" DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>value</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:cisco:cepm:3.3:xacml:context-name" 
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>Global Context:Global Context</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:cisco:cepm:3.3:xacml:rolebundle-name" 
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>Default</AttributeValue>
</Attribute>
</Environment>
</Request>

Step 5 Invoke the getAuthorizedDecisions() method, passing the above XacmlRequest as the input parameter.

com.cisco.epm.xacml.XacmlResponse xacmlResponse = 
mgr.getAuthorizedDecisions(xacmlRequest);

Step 6 Invoke getResults() to get the XacmlResponse.

com.cisco.epm.xacml.Result results[] = xacmlResponse.getResults();

This response contains results for all the child resources created under the specified resource 'Send Trades', because the value passed for level is '-1'. The XacmlResponse may look like:

<Response>
<Result ResourceId="Prime group:Prime portal:Send Trades:Buy Trades">
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:cisco:cepm:3.3:xacml:status:ok"/>
<StatusMessage>Request is successful</StatusMessage>
<StatusDetail>Response from PDP</StatusDetail>
</Status>
<Obligations>
<Obligation FulfillOn="Permit" ObligationId="urn:cisco:cepm:3.3:xacml:response-qualifier">
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:is-resource">
<AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">resource</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:resource-type-name">
<AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">GLOBAL:UNTYPE</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:ttl">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0</AttributeValue>
</AttributeAssignment>
</Obligation>
</Obligations>
</Result>
<Result ResourceId="Prime group:Prime portal:Send Trades">
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:cisco:cepm:3.3:xacml:status:ok"/>
<StatusMessage>Request is successful</StatusMessage>
<StatusDetail>Response from PDP</StatusDetail>
</Status>
<Obligations>
<Obligation FulfillOn="Permit" ObligationId="urn:cisco:cepm:3.3:xacml:response-qualifier">
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:is-resource">
<AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">resource</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:resource-type-name">
<AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">GLOBAL:UNTYPE</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:ttl">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0</AttributeValue>
</AttributeAssignment>
</Obligation>
</Obligations>
</Result>
<Result ResourceId="Prime group:Prime portal:Send Trades:Sell Trades">
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:cisco:cepm:3.3:xacml:status:ok"/>
<StatusMessage>Request is successful</StatusMessage>
<StatusDetail>Response from PDP</StatusDetail>
</Status>
<Obligations>
<Obligation FulfillOn="Permit" ObligationId="urn:cisco:cepm:3.3:xacml:response-qualifier">
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:is-resource">
<AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">resource</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:resource-type-name">
<AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">GLOBAL:UNTYPE</AttributeValue>
</AttributeAssignment>
<AttributeAssignment AttributeId="urn:cisco:cepm:3.3:xacml:ttl">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0</AttributeValue>
</AttributeAssignment>
</Obligation>
</Obligations>
</Result>
</Response>

Step 7 Retrieve the resource ID, decisions and obligations:

for (Result result : results) {
   System.out.println("Resource name[" + result.getResourceId() + "]");
   System.out.println("Decision [" + result.getDecision() + "]");
   Obligation obligations[] = result.getObligations();
   for (Obligation obligation : obligations) {
      AttributeAssignment[] assignments = obligation.getAttributeAssignment();
      for (AttributeAssignment assignment : assignments) {
         System.out.println("Attribute ID[" + assignment.getAttributeID() + "]");
         System.out.println("Attribute ID[" + assignment.getValue() + "]");
      }
   }
}

The result includes the decisions and obligations for the specified resource and its child resources, 'Buy Trades' and 'Sell Trades'. It may look like:

Resource name[Prime group:Prime portal:Send Trades]
Decision [0]
Attribute ID[urn:cisco:cepm:3.3:xacml:is-resource]
Attribute ID[resource]
Attribute ID[urn:cisco:cepm:3.3:xacml:resource-type-name]
Attribute ID[GLOBAL:UNTYPE]
Attribute ID[urn:cisco:cepm:3.3:xacml:ttl]
Attribute ID[0]
Resource name[Prime group:Prime portal:Send Trades:Buy Trades]
Decision [0]
Attribute ID[urn:cisco:cepm:3.3:xacml:is-resource]
Attribute ID[resource]
Attribute ID[urn:cisco:cepm:3.3:xacml:resource-type-name]
Attribute ID[GLOBAL:UNTYPE]
Attribute ID[urn:cisco:cepm:3.3:xacml:ttl]
Attribute ID[0]
Resource name[Prime group:Prime portal:Send Trades:Sell Trades]
Decision [0]
Attribute ID[urn:cisco:cepm:3.3:xacml:is-resource]
Attribute ID[resource]
Attribute ID[urn:cisco:cepm:3.3:xacml:resource-type-name]
Attribute ID[GLOBAL:UNTYPE]
Attribute ID[urn:cisco:cepm:3.3:xacml:ttl]
Attribute ID[0]

A Decision value of 0 means Permit; if the decision is Deny, the value is 1.
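Every result above carries a urn:cisco:cepm:3.3:xacml:ttl obligation, and in the outputs its value is 0. A PEP that caches decisions has to honour that value rather than choosing its own lifetime, otherwise a policy change in the administration console keeps being overridden by stale Permits. The following is an added example, not code from the CEPM guide or the PEP client, that builds the request exactly as Steps 1 to 4 do, walks the Result, Obligation and AttributeAssignment objects exactly as Step 7 does, and caches each per-resource decision for no longer than its ttl. Assumptions, not stated by the guide: the ttl value is in seconds, Obligation and AttributeAssignment live in the com.cisco.epm.xacml package like Result, getDecision() is compared through String.valueOf() so that either an int or a String 0 counts as Permit, and IAuthorizationManager, AuthorizationManagerFactory and XacmlConstant are imported as in PEP.java.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import com.cisco.epm.xacml.AttributeAssignment;   // package assumed, same as Result
import com.cisco.epm.xacml.Obligation;            // package assumed, same as Result
import com.cisco.epm.xacml.Result;
import com.cisco.epm.xacml.XACMLGenerator;
import com.cisco.epm.xacml.XacmlRequest;
import com.cisco.epm.xacml.XacmlResponse;
// IAuthorizationManager, AuthorizationManagerFactory, XacmlConstant: same imports as PEP.java.

public class TtlDecisionCache {
    private static final String TTL_ATTR = "urn:cisco:cepm:3.3:xacml:ttl";

    private static final class Entry {
        final boolean permit;
        final long expiresAtMillis;
        Entry(boolean permit, long expiresAtMillis) { this.permit = permit; this.expiresAtMillis = expiresAtMillis; }
    }

    private final Map<String, Entry> cache = new ConcurrentHashMap<>();
    private final IAuthorizationManager mgr;
    private final XACMLGenerator generator = new XACMLGenerator();

    TtlDecisionCache(IAuthorizationManager mgr) { this.mgr = mgr; }

    /** True only for a Permit (decision 0) that is either fresh from the PDP or still inside its ttl. */
    boolean isPermitted(String subject, String resource, String action, String roleBundle, String context) {
        String key = cacheKey(subject, resource, action, roleBundle, context);
        long now = System.currentTimeMillis();
        Entry cached = cache.get(key);
        if (cached != null && now < cached.expiresAtMillis) {
            return cached.permit;
        }
        cache.remove(key);                                   // expired or absent: ask the PDP again

        HashMap<String, String> envMap = new HashMap<String, String>();
        envMap.put(XacmlConstant.LEVEL, "-1");               // as in Step 1: include child resources
        XacmlRequest request = generator.createXacmlRequest(
                subject, resource, action, envMap, roleBundle, context, XacmlConstant.SUBJECTID);
        XacmlResponse response;
        try {
            response = mgr.getAuthorizedDecisions(request);
        } catch (Exception e) {
            return false;                                    // fail closed on transport or PDP errors
        }
        Result[] results = response.getResults();
        if (results == null) return false;

        boolean permitted = false;
        for (Result r : results) {
            // Per the guide: Decision 0 means Permit, 1 means Deny.
            boolean permit = "0".equals(String.valueOf(r.getDecision()).trim());
            long ttlSeconds = ttlSecondsOf(r);
            if (ttlSeconds > 0) {                            // ttl 0 (as in the outputs above): never cache
                cache.put(cacheKey(subject, r.getResourceId(), action, roleBundle, context),
                          new Entry(permit, now + ttlSeconds * 1000L));
            }
            if (resource.equals(r.getResourceId())) permitted = permit;   // children are cached, not returned
        }
        return permitted;
    }

    /** Read the ttl obligation attribute; 0 or absent means "do not cache". */
    private static long ttlSecondsOf(Result r) {
        Obligation[] obligations = r.getObligations();
        if (obligations == null) return 0;
        for (Obligation o : obligations) {
            AttributeAssignment[] assignments = o.getAttributeAssignment();
            if (assignments == null) continue;
            for (AttributeAssignment a : assignments) {
                if (TTL_ATTR.equals(a.getAttributeID())) {
                    try {
                        return Long.parseLong(String.valueOf(a.getValue()).trim());
                    } catch (NumberFormatException e) {
                        return 0;                            // unparseable ttl: safest is not to cache
                    }
                }
            }
        }
        return 0;
    }

    private static String cacheKey(String subject, String resource, String action, String roleBundle, String context) {
        return subject + "|" + resource + "|" + action + "|" + roleBundle + "|" + context;
    }

    public static void main(String[] args) {
        IAuthorizationManager mgr = AuthorizationManagerFactory.getInstance().getAuthorizationManager();
        TtlDecisionCache pep = new TtlDecisionCache(mgr);
        System.out.println(pep.isPermitted("Mary", "Prime group:Prime portal:Send Trades", "any",
                "Default", "Global Context:Global Context"));
    }
}
```

The cache key includes the role bundle and context as well as subject, resource and action, because the guide's request carries all of them in the Environment element and a decision for one context must not be reused for another.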