Hi,

You can define the user store in XACML in the following format:
<Rule Effect="Permit" RuleId="permit_by_userstores">
  <Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
        <AttributeDesignator AttributeId="http://wso2.org/identity/user/user-store-domain"
                             Category="http://wso2.org/identity/user"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="true"/>
      </Apply>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SECONDARY-USERSTORE</AttributeValue>
    </Apply>
  </Condition>
</Rule>

You can get more information on XACML in the blog [1].

[1] https://medium.com/@Pushpalanka/application-wise-authorization-wso2-identity-server-user-store-per-service-provider-dfea5f9ad758

On Tue, Dec 5, 2017 at 9:51 PM, Shanika Wickramasinghe <shani...@wso2.com> wrote:
> Hi All,
> I am implementing scenario 30 in [1].
>
> By default, user store admins can perform operations on users of other user
> stores. I want to write a XACML policy to restrict user store admins to perform
> operations only on their own user store, so that they are not able to perform
> operations on other user stores. As an example, consider the following
> scenario:
>
> Eg:- There are 2 JDBC secondary user stores, foo and bar. The foo user
> store has a role with admin permissions, foo admin, and the bar user store has
> a role with admin permissions, bar admin. foo admin should be able to
> delete a user in the foo user store, and bar admin should not be able to delete
> that user. I appreciate your guidance on the following questions:
>
> 1. How to specify the action "delete user" in a XACML policy
> 2. How to give the user store on which that action should happen
> 3. How to call the PDP from the user store operation listener
>
> [1] https://medium.facilelogin.com/thirty-solution-patterns-with-the-wso2-identity-server-16f9fd0c0389
>
> Thank you,
> Shanika.
> --
> Shanika Wickramasinghe
> Software Engineer - QA Team
>
> Email : shani...@wso2.com
> Mobile : +94713503563
> Web : http://wso2.com

--
Denuwanthi De Silva
Senior Software Engineer; WSO2 Inc.; http://wso2.com
Email: denuwan...@wso2.com
Blog: https://denuwanthi.wordpress.com/
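To see how the Rule above actually decides for a given user, here is an added example (not part of the reply and not WSO2 code): a minimal Python evaluator for only the two functions the Rule uses. It parses the Rule as posted and returns Permit, NotApplicable or Indeterminate for a request; the request shape (a dict from (Category, AttributeId) to a bag of values) and the sample bags are constructed assumptions, chosen to show the MustBePresent and one-and-only edge cases.

```python
import xml.etree.ElementTree as ET

FN = "urn:oasis:names:tc:xacml:1.0:function:"
USER_CAT = "http://wso2.org/identity/user"
DOMAIN_ATTR = "http://wso2.org/identity/user/user-store-domain"

# The Rule from the reply above, reproduced as posted (no XACML namespace declared).
RULE_XML = f"""<Rule Effect="Permit" RuleId="permit_by_userstores">
  <Condition>
    <Apply FunctionId="{FN}string-equal">
      <Apply FunctionId="{FN}string-one-and-only">
        <AttributeDesignator AttributeId="{DOMAIN_ATTR}" Category="{USER_CAT}"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
      </Apply>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SECONDARY-USERSTORE</AttributeValue>
    </Apply>
  </Condition>
</Rule>"""

class Indeterminate(Exception):
    """A MustBePresent attribute is absent, or a one-and-only bag is not a singleton."""

def evaluate(node, request):
    """Evaluate an Apply subtree. `request` maps (Category, AttributeId) to a bag (list) of values."""
    if node.tag == "AttributeValue":
        return node.text
    if node.tag == "AttributeDesignator":
        bag = request.get((node.get("Category"), node.get("AttributeId")), [])
        if not bag and node.get("MustBePresent") == "true":
            raise Indeterminate("missing " + node.get("AttributeId"))
        return bag
    if node.tag == "Apply":
        fn, args = node.get("FunctionId"), [evaluate(c, request) for c in node]
        if fn == FN + "string-one-and-only":
            if len(args[0]) != 1:  # XACML: the bag must hold exactly one value
                raise Indeterminate("bag size %d" % len(args[0]))
            return args[0][0]
        if fn == FN + "string-equal":
            return args[0] == args[1]
        raise ValueError("unsupported function " + fn)
    raise ValueError("unexpected element " + node.tag)

def decide(rule_xml, request):
    """Rule decision: its Effect when the Condition holds, NotApplicable when it does not,
    Indeterminate when the Condition cannot be evaluated (missing attribute, non-singleton bag)."""
    rule = ET.fromstring(rule_xml)
    try:
        return rule.get("Effect") if evaluate(rule.find("Condition")[0], request) else "NotApplicable"
    except Indeterminate:
        return "Indeterminate"
```

A user whose user-store-domain bag is ["SECONDARY-USERSTORE"] gets Permit, ["PRIMARY"] gets NotApplicable, and a request with no domain attribute (or with two values in the bag) gets Indeterminate, which is why the policy combining algorithm around this Rule still needs a default Deny.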
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev