Authorization - XACML Configuration - Account Aggregation
Temenos Microservices adopt an XACML implementation so that the client can define authorization policies for the intended Microservices. The client uses the Policy Editor at design time to author XACML policies for the Microservices and deploys them to the policy store.
Policy authoring is carried out with the Policy Editor, and the final reviewed policies are uploaded to a centralized policy store.
XACML – Policy Attributes
From a Microservice's perspective, the following attributes can be used to author an authorization policy:
| S.No | XACML Attribute Type | Information available for policy enforcement |
|---|---|---|
| 1 | RESOURCE | The resource element is a data, service or system component. Data parameters are available from the HTTP request headers and payload, and from the "Data Entity" (for example "Balance", "Transaction"). |
| 2 | SUBJECT | A subject element is an entity requesting access. User attributes are available in the HTTP headers. |
| 3 | ACTION | The action id of the API. |
| 4 | ENVIRONMENT | Environmental parameters existing in the Business Function context (AWS: Lambda; Azure: Function). |
For Azure deployment, set the following XACML PDP configuration properties in install.bat/install.sh:
```sh
# ---XACML PDP Configuration ---
temn_msf_security_authz_enabled="true"
PDP_CONFIG="classpath:xacml/pdp-config.xml"
temn_msf_pdp_resource_type="API"
temn_msf_pdp_resource_manager="ACCOUNTAGGREGATION"
```
For AWS deployment, set the following XACML PDP configuration properties in install-aws.sh:
```sh
# ---XACML PDP Configuration ---
temn_msf_security_authz_enabled="true"
PDP_CONFIG="classpath:xacml/pdp-config.xml"
temn_msf_pdp_resource_type="API"
temn_msf_pdp_resource_manager="ACCOUNTAGGREGATION"
```
For Kubernetes (K8s) deployment, configure the following XACML PDP properties in accountaggregation-api-config.yaml:
```
# ---XACML PDP Configuration ---
temn.msf.security.authz.enabled="false"
PDP_CONFIG="classpath:xacml/pdp-config.xml"
temn.msf.pdp.resource.type="API"
temn.msf.pdp.resource.manager="ACCOUNTAGGREGATION"
```
Note that this snippet sets temn.msf.security.authz.enabled to "false", which disables the XACML authorization check for the service; set it to "true", as in the Azure and AWS settings above, when the deployed policies are to be enforced.