Details
-
Type: Monitor
-
Status: Closed
-
Priority: Major
-
Resolution: Done
-
Affects Version/s: None
-
Fix Version/s: 2021
-
Component/s: FIWARE-TECH-HELP
-
Labels:
-
HD-Chapter:Security
-
HD-Enabler:Wilma
Description
Created question in FIWARE Q/A platform on 28-07-2017 at 15:07
Please, ANSWER this question AT https://stackoverflow.com/questions/45375053/xacml-policies-are-not-sync-with-authzforce-after-creation-in-idm
Question:
XACML policies are not sync with AuthZForce after creation in IdM
Description:
I'm trying to extend the Wilma PEP Proxy GE to support level 3 of security: XACML authorization.
I already implemented the necessary modifications in the PEP Proxy, in order to support this level of authorization, but I'm having problems provisioning the XACML permissions through the IdM interface, based on the OpenStack Horizon fork. As far as I know, the XACML policy is created in the IdM database but not created in the corresponding AuthZForce domain. In fact, after the XACML permission creation test, any level 2 permissions associated with the same application are not synchronized with AuthZForce.
After a little research, the thing got more complex. As far as I can see, each domain in AuthZForce has a root PolicySet. In particular, this PolicySet has mapped all user roles (application roles except Provider and Purchaser) to XACML with their associated permissions. In fact, level 2 of security (basic authorization) is supported through XACML policies.
So my questions are:
1) Why did my XACML policy not sync with AuthZForce? Maybe an issue in the IdM?
2) How should my XACML level 3 permissions look, if they will then be combined with the XACML policies associated with the level 2 permissions of the other roles in my application, before they are published in the corresponding AuthZForce domain?
Suggestions?
I am using the following versions of each GE:
IdM GE: v5.4.0
AuthZForce GE: release 5.4.1
PEP Proxy Wilma: 5.4
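The layout the question describes (one PolicySet per AuthZForce domain, one Policy per application role, one Rule per level 2 permission, and a level 3 permission written as a hand-authored XACML Rule that has to be combined into the same set) as an added Python example. This is not code from the original post, nor from Keyrock IdM, Wilma or AuthZForce. The attribute ids, combining algorithms, the sample role and permission names, the `urn:example:department` attribute and the `missing_rules` comparison are assumptions made for illustration; `missing_rules` is the check a practitioner would run by fetching the domain's PolicySet from the AuthZForce PAP and comparing it with what the IdM believes it published, which answers question 1 with evidence rather than guesswork.

```python
"""Added example, not code from the original post, Keyrock IdM, Wilma or AuthZForce.
One XACML 3.0 PolicySet per AuthZForce domain, one Policy per role, one Rule per
level-2 permission, and a level-3 permission given as a hand-written <Rule>.
Attribute ids, combining algorithms and the sample tables are assumptions."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
ET.register_namespace("", XACML)
STRING = "http://www.w3.org/2001/XMLSchema#string"
# Assumed attribute ids, in the style of the XACML request a PEP such as Wilma sends.
ROLE_ATTR = "urn:oasis:names:tc:xacml:2.0:subject:role"
ROLE_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RES_ATTR = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
RES_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACT_ATTR = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ACT_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
REGEXP_MATCH = "urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"
DUP_POLICY = "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit"
DUP_RULE = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"


def q(tag):
    return "{%s}%s" % (XACML, tag)


def _match(all_of, func, value, attr_id, category):
    """<Match>: func(value, each value of the designated request attribute)."""
    m = ET.SubElement(all_of, q("Match"), MatchId=func)
    ET.SubElement(m, q("AttributeValue"), DataType=STRING).text = value
    ET.SubElement(m, q("AttributeDesignator"), Category=category,
                  AttributeId=attr_id, DataType=STRING, MustBePresent="true")


def _single_allof(parent):  # Target/AnyOf/AllOf holding one conjunctive group
    return ET.SubElement(ET.SubElement(ET.SubElement(parent, q("Target")), q("AnyOf")), q("AllOf"))


def role_policy(policyset, role_id):
    """Level 2: one Policy per role, applicable only when the subject holds that role."""
    policy = ET.SubElement(policyset, q("Policy"), PolicyId=role_id,
                           Version="1.0", RuleCombiningAlgId=DUP_RULE)
    _match(_single_allof(policy), STRING_EQUAL, role_id, ROLE_ATTR, ROLE_CAT)
    return policy


def level2_rule(policy, perm_id, resource_regex, verb):
    """Level 2: 'verb on resources matching regex' -> Permit (XML Schema regex, anchored)."""
    rule = ET.SubElement(policy, q("Rule"), RuleId=perm_id, Effect="Permit")
    all_of = _single_allof(rule)
    _match(all_of, REGEXP_MATCH, resource_regex, RES_ATTR, RES_CAT)
    _match(all_of, STRING_EQUAL, verb, ACT_ATTR, ACT_CAT)
    return rule


def build_policyset(app_id, roles, level3_rules):
    """roles: {role_id: [(perm_id, regex, verb)]}; level3_rules: {role_id: [<Rule> xml]}.
    A level-3 Rule is appended to the role's own Policy, so it runs under the same role
    Target and the same deny-unless-permit combining as the level-2 rules."""
    ps = ET.Element(q("PolicySet"), PolicySetId=app_id, Version="1.0",
                    PolicyCombiningAlgId=DUP_POLICY)
    ET.SubElement(ps, q("Target"))  # empty Target: the set applies to every request
    for role_id, perms in roles.items():
        policy = role_policy(ps, role_id)
        for perm_id, regex, verb in perms:
            level2_rule(policy, perm_id, regex, verb)
        for rule_xml in level3_rules.get(role_id, []):
            rule = ET.fromstring(rule_xml)
            if rule.tag != q("Rule") or not rule.get("RuleId"):
                raise ValueError("a level-3 permission must be one XACML 3.0 <Rule> with a RuleId")
            policy.append(rule)
    return ps


def rule_index(policyset):
    """{PolicyId: {RuleId, ...}} for a built PolicySet or one fetched from the domain PAP."""
    return {p.get("PolicyId"): {r.get("RuleId") for r in p.findall(q("Rule"))}
            for p in policyset.findall(q("Policy"))}


def missing_rules(expected, deployed):
    """The sync check: rules the IdM side expects that the deployed PolicySet lacks."""
    dep = rule_index(deployed)
    gaps = {pid: rules - dep.get(pid, set()) for pid, rules in rule_index(expected).items()}
    return {pid: gap for pid, gap in gaps.items() if gap}


# Constructed level-3 permission: /sensors/* (any verb) only when the subject carries
# a hypothetical department attribute equal to "ops".
LEVEL3_RULE = f"""<Rule xmlns="{XACML}" RuleId="perm-l3-sensors-ops" Effect="Permit">
  <Target><AnyOf><AllOf><Match MatchId="{REGEXP_MATCH}">
    <AttributeValue DataType="{STRING}">/sensors/.*</AttributeValue>
    <AttributeDesignator Category="{RES_CAT}" AttributeId="{RES_ATTR}" DataType="{STRING}" MustBePresent="true"/>
  </Match></AllOf></AnyOf></Target>
  <Condition><Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
    <Function FunctionId="{STRING_EQUAL}"/><AttributeValue DataType="{STRING}">ops</AttributeValue>
    <AttributeDesignator Category="{ROLE_CAT}" AttributeId="urn:example:department" DataType="{STRING}" MustBePresent="false"/>
  </Apply></Condition>
</Rule>"""

ROLES = {  # constructed role -> level-2 permission table, as the IdM would hold it
    "role-viewer": [("perm-get-public", "/public/.*", "GET")],
    "role-operator": [("perm-get-public", "/public/.*", "GET"), ("perm-post-act", "/actuators/.*", "POST")],
}


def demo():
    expected = build_policyset("app-1234", ROLES, {"role-operator": [LEVEL3_RULE]})
    # What the domain PAP hands back if the level-3 rule never arrived (re-parsed XML).
    deployed = ET.fromstring(ET.tostring(build_policyset("app-1234", ROLES, {})))
    return expected, deployed
```

The point of the layout is that a level 3 permission is not a separate policy at all: it is one more Rule inside the Policy of the role that owns it, so it can only ever widen what that role may do (deny-unless-permit) and is never evaluated for a subject without the role. Against a live deployment, replace the re-parsed XML in `demo` with the PolicySet retrieved from the domain's PAP and `missing_rules` tells you whether the IdM actually pushed the rule.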
Activity
2018-01-12 19:49|CREATED monitor | # answers= 0, accepted answer= False