
I am creating a simple policy and the format is like:

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="ResourcePolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
   <Target>
      <AnyOf>
         <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">images</AttributeValue>
               <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Match>
         </AllOf>
      </AnyOf>
   </Target>
   <Rule Effect="Permit" RuleId="Rule-1">
      <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
               </Apply>
               <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Apply>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
               <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
               <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Apply>
         </Apply>
      </Condition>
   </Rule>
   <Rule Effect="Permit" RuleId="Rule-2">
      <Target>
         <AnyOf>
            <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">blue.jpg</AttributeValue>
                  <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
               </Match>
            </AllOf>
         </AnyOf>
         <AnyOf>
            <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                  <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
               </Match>
            </AllOf>
         </AnyOf>
      </Target>
      <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
            <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">emp</AttributeValue>
            <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
         </Apply>
      </Condition>
   </Rule>
   <Rule Effect="Deny" RuleId="Deny-Rule"/>
</Policy>

When I create a request for the resource blue.jpg so that emp can read the resource blue.jpg, the result is NotApplicable. What's wrong in the policy, or is there something I missed out in the request?

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="true">
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">emp</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">blue.jpg</AttributeValue>
        </Attribute>
    </Attributes>
</Request>

2 Answers


I guess you are trying the policy with WSO2 IS. According to the policy, it is applicable to the "images" resource; you have defined it with the Target element. But in your request, you are not sending "images". Therefore the policy would not be applicable to this request, and there are no other policies in the server that are applicable to the request. If you want to send a request that would return "Permit" according to your policy, please try out the following request. Here you are sending both "images" and "blue.jpg" as values and modifying the attribute id of the subject category.

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <Attribute AttributeId="http://wso2.org/claims/role" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">emp</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">images</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">blue.jpg</AttributeValue>
        </Attribute>
    </Attributes>
</Request> 
  • Thanks a lot Asela, this is a nice explanation, but still I want to know one thing. Using WSO2 Identity Server, I am performing operations like read | write using the OR operator, but at the time when I am creating the request I am giving read | write, so WSO2 IS is considering both as a different attribute. I mean to say in a Request read is one attribute and write is another. So it's just appending it as is, like read | write, and when I say Try it's giving NotApplicable. So how can I add multiple actions as separate attributes in a Request? – Utsav Jan 22 '14 at 13:06
  • No... in XACML there is no symbol like the "|" operator. When creating a policy we can define (read OR write); we can use it for that. It is just a policy editor thing, but the exact XACML policy is different. When you are creating a request from the UI, if you wish to provide more than one attribute, you must provide them comma separated. – Asela Jan 23 '14 at 04:45

Regarding your question about action READ and action WRITE, it looks like you are trying to make use of the Multiple Decision Profile (MDP) feature of XACML where you can ask multiple questions in a single XACML request like

<Request>
<Question1>
  action=read
  resource=r1
</Question1>

<Question2>
  action=write
  resource=r1
</Question2>

</Request>

I am not sure whether WSO2 supports MDP.

  • Thanks Srijith, can you please help me to create a Multiple Decision Profile policy? Please check this link: http://stackoverflow.com/questions/21275421/multiple-decisions-profile-policy-in-xacml-3-0 – Utsav Jan 22 '14 at 18:51
  • Yes, MDP is supported by WSO2 Identity Server. Please check here: http://xacmlinfo.org/2013/12/06/multiple-decision-profile-repeated-attribute-categories/ – Asela Jan 23 '14 at 04:41
  • Thanks Asela, if you help me to create a policy in the MDP scenario as mentioned in the given link, that will be great for me to understand how it works: http://stackoverflow.com/questions/21275421/multiple-decisions-profile-policy-in-xacml-3-0 – Utsav Jan 23 '14 at 04:53
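Both threads above (why the original request comes back NotApplicable while Asela's corrected request yields Permit, and how a Multiple Decision Profile request with repeated attribute categories asks about read and write in one go) can be checked offline. The following is an added example, not code from the original post, from WSO2 Identity Server or from any XACML library: a small Python evaluator implementing only the subset of XACML 3.0 that the question's policy uses (Target matching, the first-applicable rule-combining algorithm, `and`, `string-bag`, `string-at-least-one-member-of`, `any-of`, and `MustBePresent`), with that policy embedded and the requests constructed inline. It goes slightly beyond the page in two ways: it applies the repeated-categories form of the Multiple Decision Profile (one individual decision per element of the cross product of repeated `<Attributes>` categories), and it distinguishes Indeterminate from NotApplicable when a `MustBePresent="true"` attribute is absent. The helper names (`request_xml`, `decide`, `evaluate_policy`, `target_matches`) are the example's own; the attribute identifiers and the `http://wso2.org/claims/role` claim are the ones the policy above designates.

```python
# Added example (not from the original post or from WSO2): a minimal XACML 3.0 evaluator for the
# constructs the policy above uses, plus Multiple Decision Profile handling of repeated categories.
import itertools
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
S = "http://www.w3.org/2001/XMLSchema#string"
F = "urn:oasis:names:tc:xacml:1.0:function:"
RES, ACT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource", "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJ, ROLE = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject", "http://wso2.org/claims/role"  # WSO2 role claim
RID, AID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id", "urn:oasis:names:tc:xacml:1.0:action:action-id"
POLICY = f"""<Policy xmlns="{NS}" PolicyId="ResourcePolicy" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 <Target><AnyOf><AllOf><Match MatchId="{F}string-equal"><AttributeValue DataType="{S}">images</AttributeValue>
  <AttributeDesignator AttributeId="{RID}" Category="{RES}" DataType="{S}" MustBePresent="true"/></Match></AllOf></AnyOf></Target>
 <Rule Effect="Permit" RuleId="Rule-1"><Condition><Apply FunctionId="{F}and">
  <Apply FunctionId="{F}string-at-least-one-member-of">
   <Apply FunctionId="{F}string-bag"><AttributeValue DataType="{S}">read</AttributeValue>
    <AttributeValue DataType="{S}">write</AttributeValue><AttributeValue DataType="{S}">delete</AttributeValue></Apply>
   <AttributeDesignator AttributeId="{AID}" Category="{ACT}" DataType="{S}" MustBePresent="true"/></Apply>
  <Apply FunctionId="{F}any-of"><Function FunctionId="{F}string-equal"/><AttributeValue DataType="{S}">admin</AttributeValue>
   <AttributeDesignator AttributeId="{ROLE}" Category="{SUBJ}" DataType="{S}" MustBePresent="true"/></Apply>
 </Apply></Condition></Rule>
 <Rule Effect="Permit" RuleId="Rule-2"><Target>
  <AnyOf><AllOf><Match MatchId="{F}string-equal"><AttributeValue DataType="{S}">blue.jpg</AttributeValue>
   <AttributeDesignator AttributeId="{RID}" Category="{RES}" DataType="{S}" MustBePresent="true"/></Match></AllOf></AnyOf>
  <AnyOf><AllOf><Match MatchId="{F}string-equal"><AttributeValue DataType="{S}">read</AttributeValue>
   <AttributeDesignator AttributeId="{AID}" Category="{ACT}" DataType="{S}" MustBePresent="true"/></Match></AllOf></AnyOf>
 </Target><Condition><Apply FunctionId="{F}any-of"><Function FunctionId="{F}string-equal"/>
  <AttributeValue DataType="{S}">emp</AttributeValue>
  <AttributeDesignator AttributeId="{ROLE}" Category="{SUBJ}" DataType="{S}" MustBePresent="true"/></Apply></Condition></Rule>
 <Rule Effect="Deny" RuleId="Deny-Rule"/>
</Policy>"""  # the question's policy, whitespace collapsed

class MissingAttribute(Exception):
    """A MustBePresent="true" designator found no value: the decision is Indeterminate, not NotApplicable."""

FUNCTIONS = {  # only the functions the policy uses; any-of(f, value, bag) applies f(value, member) over the bag
    F + "string-equal": lambda a, b: a == b,
    F + "and": lambda *args: all(args),
    F + "string-bag": lambda *args: list(args),
    F + "string-at-least-one-member-of": lambda bag1, bag2: any(v in bag2 for v in bag1),
    F + "any-of": lambda fid, value, bag: any(FUNCTIONS[fid](value, m) for m in bag),
}

def evaluate(el, ctx):
    """Evaluate an expression element; ctx maps (category, attribute-id) to the request's bag of values."""
    kind = el.tag.split("}")[1]
    if kind == "AttributeValue":
        return el.text
    if kind == "Function":
        return el.get("FunctionId")
    if kind == "AttributeDesignator":
        bag = ctx.get((el.get("Category"), el.get("AttributeId")), [])
        if not bag and el.get("MustBePresent") == "true":
            raise MissingAttribute(el.get("AttributeId"))
        return bag
    return FUNCTIONS[el.get("FunctionId")](*[evaluate(child, ctx) for child in el])  # <Apply>

def target_matches(target, ctx):
    """AND over <AnyOf>, OR over <AllOf>, AND over <Match>; an absent Target matches every request."""
    def match_ok(m):  # <Match>: the designator's bag must hold a value v with MatchId(AttributeValue, v) true
        return any(FUNCTIONS[m.get("MatchId")](m[0].text, v) for v in evaluate(m[1], ctx))
    return target is None or all(any(all(map(match_ok, allof)) for allof in anyof) for anyof in target)

def evaluate_policy(policy_xml, ctx):
    """first-applicable: the first rule whose Target and Condition both hold decides."""
    policy = ET.fromstring(policy_xml)
    assert policy.get("RuleCombiningAlgId").endswith(":first-applicable")
    try:
        if not target_matches(policy.find(f"{{{NS}}}Target"), ctx):
            return "NotApplicable"
        for rule in policy.findall(f"{{{NS}}}Rule"):
            cond = rule.find(f"{{{NS}}}Condition")
            if target_matches(rule.find(f"{{{NS}}}Target"), ctx) and (cond is None or evaluate(cond[0], ctx)):
                return rule.get("Effect")
        return "NotApplicable"
    except MissingAttribute:
        return "Indeterminate"

def request_xml(*attributes):
    """Build a constructed <Request>: one <Attributes> element per (category, attribute-id, values) tuple."""
    body = "".join(f'<Attributes Category="{c}"><Attribute AttributeId="{a}" IncludeInResult="false">'
                   + "".join(f'<AttributeValue DataType="{S}">{v}</AttributeValue>' for v in vals)
                   + "</Attribute></Attributes>" for c, a, vals in attributes)
    return f'<Request xmlns="{NS}" CombinedDecision="false" ReturnPolicyIdList="false">{body}</Request>'

def decide(request_text, policy_xml=POLICY):
    """One decision per individual request. Repeating an <Attributes> Category (e.g. two action elements)
    is the Multiple Decision Profile's repeated-categories form: the cross product of those elements."""
    by_category = {}
    for attrs in ET.fromstring(request_text):
        ctx = {}
        for attr in attrs:
            ctx.setdefault((attrs.get("Category"), attr.get("AttributeId")), []).extend(v.text for v in attr)
        by_category.setdefault(attrs.get("Category"), []).append(ctx)
    return [evaluate_policy(policy_xml, {k: v for c in combo for k, v in c.items()})
            for combo in itertools.product(*by_category.values())]
```

With the question's original request (`subject-id` = emp, resource-id = blue.jpg, action = read) `decide` returns `['NotApplicable']`, because the Policy Target needs a resource-id value equal to `images` and never reaches the rules. With Asela's request (role claim = emp, resource-id values `images` and `blue.jpg`) it returns `['Permit']`: Rule-1 fails only on its `admin` role check, so first-applicable falls through to Rule-2. A request carrying two action `<Attributes>` elements, one with `read` and one with `write`, is the repeated-categories form of the Multiple Decision Profile and yields one decision per action, `['Permit', 'Deny']`, the Deny coming from the catch-all Deny-Rule. Finally, a request with no role claim at all does not fall through to Deny-Rule: Rule-1's `MustBePresent="true"` designator makes the result `Indeterminate`, which a PEP must treat as a deny rather than as "no policy applies".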