Here is what we are aiming to achieve. We would like to keep a record of the changes made to a policy store under revision control, and to be able to see when policy changes have occurred and view the differences between revisions.
This document is a quick overview, and shows how to "view the differences between revisions" - there is another post in this forum that shows how to setup the Git repository and install the backup process.
We see that within an SSO installation it consists of several staged environments, we want to track changes in all of those environments, DEV, QA and PROD (or other) so in our Git repository each managed environment has a seperate subdirectory.
The programs we are using are:
ssobackup: In each environment we have a small program ssobackup (part of the SMPolicyReader package) that runs regularly (once per hour) via a scheduled task/cron job. When it runs it does an XPSExport and manipulates the output to make it more "revision control" friendly format, and checks in any changes that are found.
SMPolicyReader: The policy reader has the ability to fetch the current policy stores stored in Git and also to view and read the revision history. It can display a list of changes for the policy store as a whole or list of changes for a selected app/domain. The user has some control over what amount of history is shown, and can then view or compare revisions.
The SMPolicyReader viewer can read the XPSExport ouptut policystore.xml file. The change for this release is that it can now list the git policy store revision history, and also then pull an older copy of the XPS export from Git.
The screenshot below shows a policy store in the reader, and the revision history dialog, in this case the reader is showing a diff between two revisions of the policy store (blue means added policy, red with strikethrough means deleted, and bold means changed policy) :
The new selection screens for reviewing version history are :
We can view version history for any changes to the whole policy store :
Or we can view version history for a specific policy domain :
Directory Layout for stored environment :
The ssobackup program, as well as extracting the original policystore.xml file, also splits the policy into its components. So for example we end up creating a file for each application and domain:
When we commit those, we end up then being able to query the history for each domain separately.
Also since it is a standard Git repository, normal Git tools can be used to view the repository as well eg:
Video demonstration of usage:
THe SMPolicyReader can be downloaded from the community site:
Siteminder Policy Reader
Further Reading :
The following tech note shows the details of how to implement storing policy under revision control and running the ssobackup process:
Tech Note : Howto place SSO policy changes under revision control using git
Cheers - Mark
Snr Principal Support Engineer - Global Customer Success