3

The following rule says subjects with role "acme_manager" can perform any action on the resource "/acme/widgets":

<Rule Effect="Permit" RuleId="PermitRule">
      <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/acme/widgets</AttributeValue>
               <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Apply>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">acme_manager</AttributeValue>
               <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Apply>
         </Apply>
      </Condition>
   </Rule>

Would it be possible to create a more dynamic rule that says something like: "subjects with the role X_manager can perform any action on the resource /Y/widgets, if X equals Y"

So I could use the same policy to enforce:

  • foo_manager ... /foo/widgets
  • bar_manager ... /bar/widgets
  • baz_manager ... /baz/widgets
  • etc.

without creating multiple, similar policies.

David Brossard
  • 13,584
  • 6
  • 55
  • 88
Ouananiche
  • 579
  • 5
  • 12

2 Answers2

2

Yes of course, this is in fact one of the key benefits of XACML over other authorization frameworks and definitely over RBAC.

In XACML, there are 2 elements you can use to define the applicability of the authorization. These are:

  • XACML targets
    • targets exist in Policy Set elements, Policy elements, and Rule elements.
    • targets are for simple matching between an attribute and a value e.g. role=="manager"
  • XACML conditions: conditions exist in Rule elements only.
    • conditions are for any type of matching including the one you are looking for. With conditions, you can compare any number of attributes e.g. userDepartment==resourceDepartment.

I recommend you use ALFA to write your policies. It's much easier than plain old XACML. ALFA is a free tool developed by Axiomatics (disclaimer: I work for Axiomatics). It is also in the process of being standardized at the OASIS XACML Technical Committee.

David Brossard
  • 13,584
  • 6
  • 55
  • 88
0

I think there're 2 ways to do this:

  1. Define two "VariableDefinition"s in your policy: one to get the part before the underscore character, the other to get the the part between the last two slash character. [i wonder if XACML's core spec has defined such function] then you can use the two "VariableDefinition"s under the "Rule". then use a standart string-equal function to compare them.

  2. just define a new function of your own, and add that to your FunctionFactory that your PDP uses. These two approach is the same, your need to apply a specified funtion on some attribute instead of using the raw attributevalue directly.

telmo
  • 153
  • 8