In WSO2 Identity Server, how do I add a custom permission, e.g. for a role "useroperation" associate the permissions create, update and delete? How can I create permissions like this?
How can I use those assigned permissions for validation, using roles and permissions in an XACML policy?
I have created an XACML policy using the Standard Policy Editor.
Based on the subject name, which is the username, I am fetching the role attribute and validating it, but how can I validate the permissions associated with it using XACML? Is it possible to achieve this use case in a WSO2 XACML policy?
There are several ways to add custom permissions to the WSO2 Identity Server. These methods are given in this answer.
There is an XACML function, urn:oasis:names:tc:xacml:1.0:function:eval-permission-tree, defined in the WSO2 Identity Server. It can be used to validate the permissions of a user. This function requires two inputs:
1. the required permission string (e.g. /permission/admin/login)
2. the subject, i.e. the user whose permissions are validated
In the WSO2 Identity Server there is a sample XACML policy that uses this function. If you log in to the management console of the Identity Server, the sample is available under the name evaluate_permission_tree_policy at Main > Entitlement > PAP > Policy Administration.
You can get the permission string by referring to the registry of the Identity Server via Main > Registry > Browse.
I assume that you want to validate the permissions of a given role from the XACML policy. As per the current implementation, the function eval-permission-tree only checks whether the given user is authorized. [1] To achieve your requirement, you can write your own XACML function extending the EvalPermissionTreeFunction class. This blog[2] describes how you can write a custom XACML function and plug it into WSO2 IS.
[2] https://pamodaaw.medium.com/custom-xacml-functions-for-wso2-identity-server-5-10-0-a91bc2ec673d