
I wrote some obligations and advice, but I was wondering if there is a widely accepted or formal way to do this properly. In other words: is there a standard or preferred way to use obligations and advice in ALFA?

I would really like to see an example of how to define an obligation (e.g. to log every request) and its content, in a layered policy, that will always be triggered (on every request) on both deny and permit. Or do you have to define a separate obligation for every PolicySet, policy and rule?

Do you have to define the exact content of such an obligation, or does this depend on the functionality of the PEP?


1 Answer


This is a great question.

While the specification (all versions) does define the structure of an obligation, and even advice in the case of XACML 3.0, the specification doesn't mention how the PEP (policy enforcement point) is to implement the obligation. All the specification mentions is what should happen if a PEP fails to implement an obligation, i.e. what happens to the decision.

From a PEP code perspective, a best practice would be to write an ObligationHandler interface which you can implement for different obligations. The constructor for classes implementing the ObligationHandler interface would take the XACML request and response.

Example

// Attribute declarations assumed here: the original snippet referenced
// user.clearance, document.classification, email and message without showing them.
namespace user {
    attribute clearance { category = subjectCat id = "user.clearance" type = integer }
}
namespace document {
    attribute classification { category = resourceCat id = "document.classification" type = integer }
}
namespace com.axiomatics.example {
    attribute email { category = subjectCat id = "email" type = string }
    attribute message { category = subjectCat id = "message" type = string }

    // The string is the obligation id the PEP's handler is registered under.
    obligation emailManager = "com.axiomatics.example.obligations.emailmanager"

    policy documentAccess {
        apply firstApplicable
        rule allowAccessIfClearanceSufficient {
            condition user.clearance > document.classification
            permit
            // An obligation fires only for the outcome it is attached to;
            // a deny outcome needs its own "on deny { ... }" block.
            on permit {
                obligation emailManager {
                    email = email
                    message = stringConcatenate("Employee ",
                                                stringOneAndOnly(Attributes.subjectId),
                                                " has obtained access to ",
                                                stringOneAndOnly(Attributes.resourceId))
                }
            }
        }
    }
}
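The ObligationHandler pattern described above, carried to the PEP side as an added Python example (not code from the answer or from Axiomatics). It assumes a XACML JSON Profile response shape and a constructed PDP reply; what it adds is the spec's fail-closed rule, that a Permit whose obligation the PEP cannot fulfil must not be enforced as a Permit, while obligations attached to a Deny (such as the log-everything obligation the question asks about) are still attempted.

```python
from abc import ABC, abstractmethod

SENT_EMAILS = []  # stand-in for an SMTP client so the example runs offline

class ObligationHandler(ABC):
    """One subclass per obligation id; built from the XACML request and response."""
    obligation_id = ""

    def __init__(self, request, response):
        self.request, self.response = request, response

    @abstractmethod
    def handle(self, assignments):
        """Fulfil the obligation from its AttributeId -> Value map; raise on failure."""

class EmailManagerHandler(ObligationHandler):
    obligation_id = "com.axiomatics.example.obligations.emailmanager"

    def handle(self, assignments):
        SENT_EMAILS.append((assignments["email"], assignments["message"]))

HANDLERS = {cls.obligation_id: cls for cls in (EmailManagerHandler,)}

def enforce(request, response):
    """Return True only for a Permit whose obligations were all fulfilled.
    Obligations on a Deny are attempted too (e.g. logging on both outcomes).
    XACML 3.0: a PEP that does not understand or cannot fulfil an obligation
    must not grant access, so an unknown id or a failing handler fails closed."""
    result = response["Response"][0]  # assumed XACML JSON Profile shape
    fulfilled = True
    for ob in result.get("Obligations", []):
        handler_cls = HANDLERS.get(ob["Id"])
        if handler_cls is None:
            fulfilled = False
            continue
        args = {a["AttributeId"]: a["Value"] for a in ob.get("AttributeAssignment", [])}
        try:
            handler_cls(request, response).handle(args)
        except Exception:  # the handler could not fulfil its obligation
            fulfilled = False
    return result["Decision"] == "Permit" and fulfilled

# Constructed responses shaped like a PDP's JSON reply to the policy above.
EMAIL_OB = {"Id": EmailManagerHandler.obligation_id, "AttributeAssignment": [
    {"AttributeId": "email", "Value": "manager@example.com"},
    {"AttributeId": "message", "Value": "Employee alice has obtained access to doc-42"}]}
PERMIT_KNOWN = {"Response": [{"Decision": "Permit", "Obligations": [EMAIL_OB]}]}
PERMIT_UNKNOWN = {"Response": [{"Decision": "Permit", "Obligations": [
    {"Id": "urn:example:obligation:not-implemented", "AttributeAssignment": []}]}]}
DENY_KNOWN = {"Response": [{"Decision": "Deny", "Obligations": [EMAIL_OB]}]}
```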

Other resources:

  • Thank you very much David. I still wonder if it is possible in ALFA to define an obligation that will always be triggered on every request (whether it is a DENY or a PERMIT), for example when you want to force logging of every request. Can you help me? I would really like to see an example in ALFA how to do this. – Morei Dec 15 '14 at 21:41
  • I'll add a sample. You have to define the obligation twice: once on permit and once on deny – David Brossard Dec 16 '14 at 09:02
  • @Morei, I now added an example. – David Brossard Dec 16 '14 at 15:42
  • Thanks again @david-brossard. If I understand correctly, you always have to define an obligation within an `on permit` or `on deny` statement that comes right after the `permit` or `deny` keyword. For a policy it would be very appropriate to have an obligation that will always be triggered, for example by having a kind of `else` or `other` branch that comes with the `on deny` and `on permit`. But I guess that's because XACML doesn't support it either? – Morei Dec 17 '14 at 13:00
  • That's correct. XACML forces you to define when the obligation will trigger. – David Brossard Dec 17 '14 at 15:27