Symantec Access Management

Tech Note : Storing SSO policy changes in Revision Control - viewing changes 

05-04-2017 05:55 PM

Here is what we are aiming to achieve.  We would like to keep a record of the changes made to a policy store under revision control, and to be able to see when policy changes have occurred and view the differences between revisions.


This document is a quick overview, and shows how to "view the differences between revisions"   - there is another post in this forum that shows how to setup the Git repository and install the backup process. 
An SSO installation typically consists of several staged environments, and we want to track changes in all of them (DEV, QA and PROD, or others), so in our Git repository each managed environment has a separate subdirectory.


The programs we are using are: 

ssobackup: In each environment we have a small program, ssobackup (part of the SMPolicyReader package), that runs regularly (once per hour) via a scheduled task/cron job. When it runs it does an XPSExport, manipulates the output into a more "revision control" friendly format, and checks in any changes that are found.


SMPolicyReader: The policy reader can fetch the current policy stores stored in Git and also view and read the revision history. It can display a list of changes for the policy store as a whole, or a list of changes for a selected app/domain. The user has some control over how much history is shown, and can then view or compare revisions.
The SMPolicyReader viewer can read the XPSExport output policystore.xml file. The change for this release is that it can now list the Git policy store revision history, and also pull an older copy of the XPS export from Git.


The screenshot below shows a policy store in the reader, and the revision history dialog, in this case the reader is showing a diff between two revisions of the policy store (blue means added policy, red with strikethrough means deleted, and bold means changed policy) :  


The new selection screens for reviewing version history are : 


We can view version history for any changes to the whole policy store : 


Or we can view version history for a specific policy domain :
Directory Layout for stored environment :

The ssobackup program, as well as extracting the original policystore.xml file, also splits the policy into its components.  So for example we end up creating a file for each application and domain: 


Once those are committed, we are able to query the history for each domain separately.


Also, since it is a standard Git repository, normal Git tools can be used to view the repository as well, e.g.:
gitk policystore.xml 



Video demonstration of usage:  
The SMPolicyReader can be downloaded from the community site:

  Siteminder Policy Reader   


Further Reading : 

The following tech note shows the details of how to implement storing policy under revision control and running the ssobackup process:

Tech Note : Howto place SSO policy changes under revision control using git 


Cheers - Mark

Mark O'Donohue
Snr Principal Support Engineer - Global Customer Success
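The split-and-commit step that ssobackup performs, as an added illustration that is not the ssobackup or SMPolicyReader code. It assumes a constructed, simplified export schema (one element per domain or application, with all data in attributes; the real XPSExport output differs), writes one canonical file per object under a per-environment subdirectory, and commits only when content actually changed.

```python
import subprocess
import xml.etree.ElementTree as ET
from pathlib import Path
from xml.sax.saxutils import quoteattr
# Constructed, simplified stand-in for XPSExport's policystore.xml (the real
# schema differs): one child element per domain/application, data in attributes.
SAMPLE_EXPORT = """<PolicyStore>
  <Application Name="HR-Portal"><Realm Name="/hr" Agent="hr-agent"/></Application>
  <Domain Name="Intranet" Desc="internal apps">
    <Realm Name="/wiki" Agent="wiki-agent"/><Realm Name="/mail" Agent="mail-agent"/>
  </Domain>
  <Domain Name="Extranet"><Realm Name="/partner" Agent="ext-agent"/></Domain>
</PolicyStore>"""

def canonical(elem, depth=0):
    # Sorted attributes and children (by tag, Name): an unchanged object always
    # serialises identically, so git records real policy changes, not export order.
    pad = "  " * depth
    attrs = "".join(f" {k}={quoteattr(v)}" for k, v in sorted(elem.attrib.items()))
    kids = sorted(elem, key=lambda e: (e.tag, e.get("Name", "")))
    if not kids:
        return f"{pad}<{elem.tag}{attrs}/>\n"
    body = "".join(canonical(k, depth + 1) for k in kids)
    return f"{pad}<{elem.tag}{attrs}>\n{body}{pad}</{elem.tag}>\n"

def split_policy_export(xml_text):
    # {relative path: canonical text}, one file per top-level domain/application
    root = ET.fromstring(xml_text)
    return {f"{o.tag.lower()}s/{o.get('Name', 'unnamed').replace('/', '_')}.xml":
            canonical(o) for o in root}

def write_snapshot(repo, env, files):
    # Write under <repo>/<env>/ (one subdirectory per managed environment) and
    # return the repo-relative paths that are new or differ from the last run.
    changed = []
    for rel, text in files.items():
        path = Path(repo) / env / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        if not path.exists() or path.read_text() != text:
            path.write_text(text)
            changed.append(str(path.relative_to(repo)))
    return changed

def commit_if_changed(repo, env, files):
    # Cron entry point: stage and commit only when a policy object changed.
    changed = write_snapshot(repo, env, files)
    if changed:
        subprocess.run(["git", "-C", repo, "add", "--", *changed], check=True)
        subprocess.run(["git", "-C", repo, "commit", "-q", "-m", f"ssobackup {env}"], check=True)
    return changed
```

With files laid out this way, `git log -- DEV/domains/Intranet.xml` or `gitk DEV/domains/Intranet.xml` shows the history of that one domain, which is what the per-domain view in the reader relies on.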


05-16-2017 06:00 PM

Hi Garry, the REST API doesn't directly affect how ssobackup works, since we rely on xpsexport to do the main work.


However, as per the other, currently disabled tab "EnvPatch", I've done some work with using the policy diffs to create patches to policies, with the ability to give various mappings of names and objects as you move the "patch" from one environment to another. I hope to be able to take those patches from the diffs, save them as patch XML files, and use the REST API to apply those patches to another environment.


We can put the patches under revision control as well, and it would be a good complement to the current work of storing the policy store changes under revision control.  


Cheers - Mark

PS: Interestingly with the way I'm using the xml diff, it can be used both to apply a patch, and also to reverse out the patch - but that part is a way off yet.

05-12-2017 11:42 AM

Looks really good. We have similar aspirations at a customer to be able to version control, rollback, etc so will definitely be showing them your approach. Just wondering with the new 12.7 REST APIs if there are other options now to achieve the same result.
