Enumerate all policies to which a user store is assigned

Article ID: 408206

Updated On:

Products

SITEMINDER, CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On Agents (SiteMinder)

Issue/Introduction

How can an admin list all of the policies to which a user store is assigned?

Environment

All Supported Releases

Resolution

This can be accomplished using the REST API.  First, query the list of user stores (/ca/api/sso/services/policy/v1/SmUserDirectories - this query takes no input).  The response will contain the XID of the user directory of interest. 

Next, query the list of objects that use the specified object (/ca/api/sso/services/policy/v1/objects/<XID>/usedby - this query takes an XID as input).  The response will contain domains and user policies that this XID is assigned to (this list could contain other objects as well, depending on the config).

The user policy XIDs in the 'usedby' output do not map directly to policy names.  To map these to the policy names, run the query to fetch objects by ID (/ca/api/sso/services/policy/v1/objects/<XID>).  The output will contain the display name of the associated policy.

Here are samples of these queries and their outputs (the user store name is 'Test_LDAP' and it is assigned to two policies, one of which is named XXY_Policy):

User Store Query:
Request:
https://host.example.com:8443/ca/api/sso/services/policy/v1/SmUserDirectories
Response:
{
  "responseType": "links",
  "path": "children",
  "xpsclass": "SmUserDirectories",
  "data": [
    {
      "id": "CA.SM::UserDirectory@0e-fa6d0635-51be-4fed-9b0f-7ad5ce70bac4",
      "path": "/SmUserDirectories/AdvAuthExternalLDAPDir",
      "href": "https://host.example.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::UserDirectory@0e-fa6d0635-51be-4fed-9b0f-7ad5ce70bac4"
    },
    {
      "id": "CA.SM::UserDirectory@0e-08c6cadb-e30b-4e06-9e2e-b3d7a866fab8",
      "path": "/SmUserDirectories/FederationWSCustomUserStore",
      "href": "https://host.example.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::UserDirectory@0e-08c6cadb-e30b-4e06-9e2e-b3d7a866fab8",
      "desc": "list of all the affiliates exposed as an user store"
    },
    {
      "id": "CA.SM::UserDirectory@0e-f741be64-b38b-4d98-a431-b96548214981",
      "path": "/SmUserDirectories/FedBCCustomUserStore",
      "href": "https://host.example.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::UserDirectory@0e-f741be64-b38b-4d98-a431-b96548214981",
      "desc": "Custom user store for Federation BackChannel communications"
    },
    {
      "id": "CA.SM::UserDirectory@0e-6c89afa4-31b0-4caa-9d9b-75e47061f187",
      "path": "/SmUserDirectories/FedBCCertUserDirectory",
      "href": "https://host.example.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::UserDirectory@0e-6c89afa4-31b0-4caa-9d9b-75e47061f187"
    },
    {
      "id": "CA.SM::UserDirectory@0e-3b0f4ccf-71f3-4968-b095-2b5a830c3244",
      "path": "/SmUserDirectories/SAML2FederationCustomUserStore",
      "href": "https://host.example.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::UserDirectory@0e-3b0f4ccf-71f3-4968-b095-2b5a830c3244",
      "desc": "list of all the service providers"
    },
    {
      "id": "CA.SM::UserDirectory@0e-6e000c25-1cf6-415e-a2a8-a25c9d44594d",
      "path": "/SmUserDirectories/CADir",
      "href": "https://host.example.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::UserDirectory@0e-6e000c25-1cf6-415e-a2a8-a25c9d44594d"
    },
    {
      "id": "CA.SM::UserDirectory@0e-2ae935db-1ee8-422d-bf92-ffa83f2f3981",
      "path": "/SmUserDirectories/Test_LDAP",
      "href": "https://host.example.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::UserDirectory@0e-2ae935db-1ee8-422d-bf92-ffa83f2f3981"
    }
  ],
  "links": {}
}

Objects UsedBy Query:
Request:
https://host.example.com:8443/ca/api/sso/services/policy/v1/objects/0e-2ae935db-1ee8-422d-bf92-ffa83f2f3981/usedby
Response:
{
  "responseType": "groups",
  "path": "usedby",
  "data": {
    "CA.SM::Domain.UserDirectoriesLink": [
      {
        "id": "CA.SM::Domain@03-5fef8d42-e144-49e9-9a0c-028641637cb6",
        "path": "/SmDomains/ProxyUI",
        "href": "https://host.example.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::Domain@03-5fef8d42-e144-49e9-9a0c-028641637cb6"
      },
      {
        "id": "CA.SM::Domain@03-d6914042-7b92-42e6-bb5e-afd4fb1f5544",
        "path": "/SmDomains/XXY",
        "href": "https://host.example.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::Domain@03-d6914042-7b92-42e6-bb5e-afd4fb1f5544"
      }
    ],
    "CA.SM::UserPolicy.UserDirectoryLink": [
      {
        "id": "CA.SM::UserPolicy@0f-28bd67f6-e078-4759-bd0b-4588b1dcb915",
        "path": null,
        "href": "https://host.example.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::UserPolicy@0f-28bd67f6-e078-4759-bd0b-4588b1dcb915"
      },
      {
        "id": "CA.SM::UserPolicy@0f-b745b4fd-7cc9-4c55-aed6-a14473be17b7",
        "path": null,
        "href": "https://host.example.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::UserPolicy@0f-b745b4fd-7cc9-4c55-aed6-a14473be17b7"
      }
    ]
  }
}

Object Query:
Request:
https://host.example.com:8443/ca/api/sso/services/policy/v1/objects/0f-28bd67f6-e078-4759-bd0b-4588b1dcb915
Response:
{
  "responseType": "object",
  "parent": {
    "id": "CA.SM::Policy@04-9455b22b-0fe4-46d0-af3d-4a1d76deaa98",
    "path": "/SmDomains/XXY/SmPolicies/XXY_Policy",
    "href": "https://host.example.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::Policy@04-9455b22b-0fe4-46d0-af3d-4a1d76deaa98"
  },
  "data": {
    "id": "CA.SM::UserPolicy@0f-28bd67f6-e078-4759-bd0b-4588b1dcb915",
    "type": "SmUserPolicy",
    "PolicyResolution": "All",
    "PolicyFlags": [],
    "FilterClass": "All",
    "FilterPath": "All",
    "UserDirectory": {
      "id": "CA.SM::UserDirectory@0e-2ae935db-1ee8-422d-bf92-ffa83f2f3981",
      "path": "/SmUserDirectories/Test_LDAP",
      "href": "https://host.example.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::UserDirectory@0e-2ae935db-1ee8-422d-bf92-ffa83f2f3981"
    }
  },
  "links": {
    "self": {
      "href": "https://host.example.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::UserPolicy@0f-28bd67f6-e078-4759-bd0b-4588b1dcb915"
    },
    "usedby": {
      "href": "https://host.example.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::UserPolicy@0f-28bd67f6-e078-4759-bd0b-4588b1dcb915/usedby"
    },
    "classinfo": {
      "href": "https://host.example.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::UserPolicy@0f-28bd67f6-e078-4759-bd0b-4588b1dcb915/classinfo"
    },
    "editinfo": {
      "href": "https://host.example.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::UserPolicy@0f-28bd67f6-e078-4759-bd0b-4588b1dcb915?op=editinfo"
    }
  }
}
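
The three queries above chained into a single lookup, as an added example that is not part of the original article or the product's own code. The names bare_xid, http_fetch, policies_using_store and fetch are invented here, the "Bearer" authorization header form is an assumption, and the offline responses are constructed from the article's samples (the second policy name is a made-up placeholder because the article does not show it).

```python
import json
import urllib.request

API = "/ca/api/sso/services/policy/v1"  # base path shared by the three queries

def bare_xid(obj_id):  # the sample requests pass only the part after '@'
    return obj_id.split("@", 1)[-1]

def http_fetch(base_url, token):  # the "Bearer" header form is an assumption
    def fetch(path):
        req = urllib.request.Request(base_url + path, headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def policies_using_store(fetch, store_name):
    # Query 1: pick the user directory whose path ends in store_name.
    stores = fetch(API + "/SmUserDirectories")["data"]
    hits = [s for s in stores if s["path"].rsplit("/", 1)[-1] == store_name]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} user directories named {store_name!r}")
    # Query 2: objects that reference the directory, grouped by link type.
    used = fetch(f"{API}/objects/{bare_xid(hits[0]['id'])}/usedby")["data"]
    domains = sorted(d["path"] for d in used.get("CA.SM::Domain.UserDirectoriesLink", []))
    # Query 3: a user policy has a null path; its parent is the named policy.
    policies = {fetch(f"{API}/objects/{bare_xid(u['id'])}")["parent"]["path"]
                for u in used.get("CA.SM::UserPolicy.UserDirectoryLink", [])}
    return domains, sorted(policies)

# Constructed offline responses, trimmed from the article's samples.
SAMPLE = {
    API + "/SmUserDirectories": {"data": [
        {"id": "CA.SM::UserDirectory@0e-6e000c25-1cf6-415e-a2a8-a25c9d44594d",
         "path": "/SmUserDirectories/CADir"},
        {"id": "CA.SM::UserDirectory@0e-2ae935db-1ee8-422d-bf92-ffa83f2f3981",
         "path": "/SmUserDirectories/Test_LDAP"}]},
    API + "/objects/0e-2ae935db-1ee8-422d-bf92-ffa83f2f3981/usedby": {"data": {
        "CA.SM::Domain.UserDirectoriesLink": [
            {"path": "/SmDomains/ProxyUI"}, {"path": "/SmDomains/XXY"}],
        "CA.SM::UserPolicy.UserDirectoryLink": [
            {"id": "CA.SM::UserPolicy@0f-28bd67f6-e078-4759-bd0b-4588b1dcb915", "path": None},
            {"id": "CA.SM::UserPolicy@0f-b745b4fd-7cc9-4c55-aed6-a14473be17b7", "path": None}]}},
    API + "/objects/0f-28bd67f6-e078-4759-bd0b-4588b1dcb915":
        {"parent": {"path": "/SmDomains/XXY/SmPolicies/XXY_Policy"}},
    API + "/objects/0f-b745b4fd-7cc9-4c55-aed6-a14473be17b7":  # parent not in the article
        {"parent": {"path": "/SmDomains/XXY/SmPolicies/PLACEHOLDER_Policy"}},  # made up
}

print(policies_using_store(SAMPLE.__getitem__, "Test_LDAP"))
```

Against a live Policy Server, pass http_fetch("https://host.example.com:8443", token) in place of SAMPLE.__getitem__.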

===========================================================

To test the REST API, click the REST APIs link at the bottom of the AdminUI window.  An authorization token is required and can be obtained by clicking the Authorization link at the top of the page.  Expand the needed queries and click the Try it Out button to send a request.  Note that authorization tokens last 15 minutes, after which a new token must be obtained.