1
votes

Is there a way to design common Role Based Access Control (RBAC) in enterprise applications, so that other applications can also use the same configuration?

I have seen WSO2 RBAC support with XACML, but I am not able to understand how to design common RBAC policies so that other applications can also use them.

I understood how to create policies in XACML with WSO2 Identity Server, but I am not able to understand how all the Java applications will use these policies.


2 Answers

1
votes

In order to use XACML policies in your applications you need to have an XACML PEP (Policy Enforcement Point) agent integrated with your application. The PEP agent will intercept all your requests for access to a resource, convert each one into an XACML request and then communicate with the XACML policy server for a decision.

If your application is a Java web application then you may create a servlet filter as a PEP. You may find samples here and here.

In case you are using it for field-level authorization or a non-web application then you may use a Thrift-based PEP client which will communicate with your XACML policy server. You may find a sample PEP using Java here. Thrift is a more efficient protocol than SOAP or REST.

0
votes

In addition to Yusuf's answer which focuses on the enforcement, you should also consider using the RBAC Profile of XACML which focuses on the policy design itself. It explains how to design policies for RBAC-oriented applications.

In the profile, illustrated in the diagram below, policies are organized into role policies and permissions policies. Through the use of policy references, it is possible to assign multiple permissions to multiple role policies. It is also possible to have roles inherit other roles (e.g. a manager would inherit an employee's permissions).

HTH

(Diagram: RBAC Profile of XACML - Policy Structure)
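The two answers describe two halves of the same flow: a PEP that turns an application call into an XACML request (first answer) and policies laid out per the RBAC profile as role policy sets referencing permission policy sets, with inheritance by reference (second answer). The following is an added example, not code from the question, the answers, WSO2 or the OASIS profile: a small Python model of that structure and of the PEP-to-PDP exchange. The attribute URNs are the real XACML identifiers; the `Pdp`, `RolePolicySet` and `PermissionPolicySet` classes and the timesheet policies are constructed for illustration and stand in for the XML policies and the real policy server.

```python
"""Miniature model of the XACML RBAC profile and the PEP -> PDP exchange.
Added example; the classes and sample policies are constructed, not WSO2's PDP."""
from dataclasses import dataclass, field

# Attribute ids the policies target (XACML core and RBAC profile identifiers)
ROLE_ATTR = "urn:oasis:names:tc:xacml:2.0:subject:role"
RESOURCE_ATTR = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ATTR = "urn:oasis:names:tc:xacml:1.0:action:action-id"


@dataclass
class PermissionPolicySet:
    """Permission PolicySet: (resource-id, action-id) pairs it permits, plus
    PolicySetIdReferences to other permission sets whose grants it inherits."""
    policy_set_id: str
    permits: set = field(default_factory=set)
    references: list = field(default_factory=list)


@dataclass
class RolePolicySet:
    """Role PolicySet: its Target matches one role value and it references
    a Permission PolicySet instead of holding rules itself."""
    policy_set_id: str
    role: str
    permission_ref: str


class Pdp:
    """Toy PDP: a root PolicySet with deny-unless-permit combining."""

    def __init__(self, role_sets, permission_sets):
        self.role_sets = list(role_sets)
        self.permission_sets = {p.policy_set_id: p for p in permission_sets}

    def _permission_permits(self, ref, resource, action, seen):
        # Follow PolicySetIdReferences depth-first; `seen` stops reference cycles.
        if ref in seen:
            return False
        seen.add(ref)
        pset = self.permission_sets.get(ref)
        if pset is None:
            # A dangling reference is a deployment error, not a silent Deny.
            raise LookupError(f"unresolved PolicySetIdReference: {ref}")
        if (resource, action) in pset.permits:
            return True
        return any(self._permission_permits(r, resource, action, seen)
                   for r in pset.references)

    def evaluate(self, request):
        """Return the XACML decision string for a request built by the PEP."""
        roles = request.get(ROLE_ATTR, set())
        resource = request.get(RESOURCE_ATTR)
        action = request.get(ACTION_ATTR)
        if resource is None or action is None:
            return "Indeterminate"  # a MustBePresent attribute is missing
        for role_set in self.role_sets:
            if role_set.role in roles and self._permission_permits(
                    role_set.permission_ref, resource, action, set()):
                return "Permit"
        return "Deny"  # deny-unless-permit: nothing matched, so Deny


# ---- PEP side: what a servlet filter or Thrift client does ----------------
def build_request(roles, resource_id, action_id):
    """Translate an application call into the attributes the policies expect."""
    return {ROLE_ATTR: set(roles), RESOURCE_ATTR: resource_id, ACTION_ATTR: action_id}


def enforce(pdp, roles, resource_id, action_id):
    """Only Permit lets the call through; Deny, NotApplicable and Indeterminate block."""
    return pdp.evaluate(build_request(roles, resource_id, action_id)) == "Permit"


def demo_pdp():
    """Constructed sample policies: manager inherits employee permissions by reference."""
    employee_perms = PermissionPolicySet(
        "PPS:employee", permits={("timesheet", "read"), ("timesheet", "write")})
    manager_perms = PermissionPolicySet(
        "PPS:manager", permits={("timesheet", "approve")}, references=["PPS:employee"])
    role_sets = [
        RolePolicySet("RPS:employee", role="employee", permission_ref="PPS:employee"),
        RolePolicySet("RPS:manager", role="manager", permission_ref="PPS:manager"),
    ]
    return Pdp(role_sets, [employee_perms, manager_perms])


if __name__ == "__main__":
    pdp = demo_pdp()
    for roles, res, act in [({"manager"}, "timesheet", "read"),
                            ({"employee"}, "timesheet", "approve"),
                            ({"contractor"}, "timesheet", "read")]:
        print(sorted(roles), res, act, "->", pdp.evaluate(build_request(roles, res, act)))
```

The point the model makes concrete is that the applications never carry authorization logic of their own: each PEP only maps its call to the role, resource-id and action-id attributes and lets the shared policies decide, so adding a new role or granting an existing role new permissions is a policy change at the PDP, not a code change in every application.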