
Integration with XACML system

Former Member
0 Kudos

Hi,

We have a policy server in the landscape, which communicates only through XACML and an SAP system with BRF+ setup.

XACML is nothing but an XML message with additional declarative access control tags.

We are trying to use the policy server for validation on a few documents. We have a challenge here to integrate these systems.

Can we use BRF+ import functionality to copy all the XACML rules into SAP?

Thanks,

Vishnu Sangati

Accepted Solutions (1)


carsten_ziegler
Active Contributor
0 Kudos

I have done things like this many times and I always went with the same approach.

You need to understand the XACML schema. Then you do a conceptual mapping to the BRFplus artifacts like decision tables, rulesets etc.

Then you write your XACML inbound interface (e.g. an RFC function module and/or a report for manual upload). Once the XACML is loaded you convert it to BRFplus by using the BRFplus API. Afterwards you save and activate everything. A question you need to deal with is also if the XACML content shall be loaded into an existing application. Should it overwrite existing content or should it all be created again and again, which may lead to problems long term. Further, in all cases I did I was able to identify a big deal of reuse. So I had created those reuse objects beforehand (data objects, rules, ...) and in the conversion XACML I had used the reuse objects whenever possible instead of generating the same objects multiple times.

I know there are people that tried to do this by XSL transformations. My experience with this is negative as usually the complexity is too high for an XSL based approach.
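An added sketch of the first two steps described in the answer above (reading the XACML schema and mapping it conceptually to decision-table rows); it is not code from the thread and does not call the BRFplus API. It assumes XACML 3.0 input, uses a constructed sample policy, and the names `xacml_to_rows`, `_cell` and `_match` are hypothetical.

```python
import itertools
import xml.etree.ElementTree as ET

X = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"  # XACML 3.0 namespace

def _match(attr, value):  # builds one <Match> for the constructed sample below
    return ('<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">'
            '<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">%s</AttributeValue>'
            '<AttributeDesignator AttributeId="%s" DataType="http://www.w3.org/2001/XMLSchema#string" '
            'Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>'
            '</Match>' % (value, attr))

# Constructed sample policy (not from the thread): INVOICE and (company 1000 or 2000).
SAMPLE = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="docs"
  Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 <Target/>
 <Rule RuleId="permit-invoice" Effect="Permit"><Target>
  <AnyOf><AllOf>%s</AllOf></AnyOf>
  <AnyOf><AllOf>%s</AllOf><AllOf>%s</AllOf></AnyOf>
 </Target></Rule>
 <Rule RuleId="default-deny" Effect="Deny"/>
</Policy>""" % (_match("doc-type", "INVOICE"), _match("company-code", "1000"),
                _match("company-code", "2000"))

def _cell(match):  # one <Match> -> (attribute, operator, literal)
    return (match.find(X + "AttributeDesignator").get("AttributeId"),
            match.get("MatchId").rsplit(":", 1)[-1],
            match.find(X + "AttributeValue").text.strip())

def xacml_to_rows(xml_text):
    """Flatten each <Rule> Target into decision-table rows, kept in document order."""
    if "<!DOCTYPE" in xml_text:  # an inbound policy needs no DTD; refuse entity tricks
        raise ValueError("DTD not allowed in inbound XACML")
    rows = []
    for rule in ET.fromstring(xml_text).iter(X + "Rule"):
        if rule.find(X + "Condition") is not None:
            # Free-form expressions do not fit a table cell; route to manual mapping.
            raise ValueError("rule %s has a Condition" % rule.get("RuleId"))
        # Target = AND of AnyOf; AnyOf = OR of AllOf; AllOf = AND of Match.
        any_ofs = [[[_cell(m) for m in all_of.findall(X + "Match")]
                    for all_of in any_of.findall(X + "AllOf")]
                   for any_of in rule.findall(X + "Target/" + X + "AnyOf")]
        # One row per combination of OR-branches; a rule without Target is a catch-all row.
        for combo in itertools.product(*any_ofs):
            when = [cell for cells in combo for cell in cells]
            rows.append({"rule": rule.get("RuleId"), "when": when,
                         "result": rule.get("Effect")})
    return rows
```

The returned rows are what a conversion step would then write into BRFplus objects; rules that raise here are the ones that need a hand-built expression or a reuse object.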

Former Member
0 Kudos

Hey Carsten,

Thanks a lot for the reply.

If an optimal solution is to have an inbound interface and map the XACML schema to BRFPlus artifacts, not sure if we are bypassing the purpose of BRFPlus application here? Please help me understand a reason to go with BRFPlus.

Since the rules cannot (should not in this case) be updated manually in BRF Plus and need a report or RFC to update each time, do we have a justification against usage of standard dictionary table updates and use them in policy check?

Thanks,

Vishnu Sangati

carsten_ziegler
Active Contributor
0 Kudos

You use the inbound interface to translate the rules into BRFplus.

Then you have all the BRFplus advantages, such as code generation, rules visualization, versioning, local ABAP API, simulation, tracing and many other things you may get through decision service management such as distribution and automated testing.

You can use an application exit to control changes on the generated objects so that in UI they cannot be changed.

Answers (0)