How to deal with deep level granularization with XACML in enterprise application

Question

I am using IS WSO2 for authorization with XACML. I am am able to achieve authorization for static resource. But I am not sure with the design when it comes to granularization.

Example : if I have method like getCarDetails(Object User) where I should get only those cars which are assigned to this particular user, then how to deal this with XACMl?

Wso2 provides support for PIP where we can use custom classes which can fetch data from database. But I am not sure if we should either make copy of original database at PDP side or give the original database to PIP to get updated with live data.

Because Cars would be dynamic for the application eg. currently 10 cars assigned to user Alice. suddenly supervisor add 20 more car in his list which will be in application level database. Then how these other 20 cars will be automatically assigned in policy at PDP level until it also have this latest information.

I may making some mistake in understanding. But I am not sure how to deal with this as in whole application we can have lots of this kind of complex scenario where some times we will get data for one user from more than 4 or 5 tables then how to handle that scenario?

I have also posted one question which was kind of pre-requisite to understand this question.. so if anyone interested please go to this link : http://stackoverflow.com/questions/27598049/how-to-use-xacml-and-pip-in-real-application/27607263#27607263 — Budhh, Dec 23 '14 at 19:12

score 3 · Accepted Answer · answered Dec 30 '14 at 11:43

Your question is a great and the answer will highlight the key benefits of XACML and externalized authorization as a whole.

In XACML, you define generic, global rules, about what is allowed and what isn't using what I would call high-level attributes e.g. attributes of the vehicle (in your case) or the user (role, department, ...)

For instance a simple rule could be (using the ALFA syntax):

policy viewCars{
    target clause actionId=="view" and resourceType=="car"
    apply firstApplicable
    rule allowSameRegion{
        permit
        condition user.region==car.region
    }
}

Both the user's region and the car's region are maintained inside the application's database. The values are read using a PIP or Policy Information Point (details here).

In your example, you talk about direct assignment, i.e. a user has been directly assigned to a vehicle. In that case, the rule would become:

policy viewCars{
    target clause actionId=="view" and resourceType=="car"
    apply firstApplicable
    rule allowAssignedVehicle{
        permit
        condition user.employeeId==car.assignedUser
    }
}

This means that the assigned user information must be kept somewhere, in the application database, a CSV file, a web service, or another source of information. It means that from a management perspective, an administrator would add / remove vehicles from a user's assigned list (or perhaps the other way around: add / remove assigned users from a vehicle's assigned user list).

The XACML rule itself will not change. If the supervisor adds 20 more cars to the employee's list (maintained in the application-level database), then the PDP will be able to use that information via the PIP and access will be granted or denied accordingly.

The key benefit of XACML is that you could add a second rule that would state a supervisor can see the cars he/she is assigned to (the normal rule) as well as the cars assigned to his/her subordinates (a new proxy-delegate rule).

This diagram, taken from the Axiomatics blog, summarizes the XACML flow:

The XACML Architecture - Axiomatics

HTH, let me know if you have further questions. You can download ALFA here and you can watch tutorials here.

First of all , thank you very much for the answer. And Yes!! I though PIP might be the one way of doing it.But I am not sure with the design we will be get at the end. — Budhh, Dec 30 '14 at 13:39
IT will be like we want to do centralized role based access to our application which should isolate our authorization logic from our application and make our application free from authorization stuff. Now, if we use PIP as you mentioned, the request flow is like Application->Ideneity server->application database->Identity server->Application. So, now my XACML in identity server became dependent on my application level database. I am not sure if we can able to get the real benefit of the Enterprise level Centralised access control by following this design. — Budhh, Dec 30 '14 at 13:40
Great comment. The next step would be to have an enterprise data model or dictionary. It would go a long way. Btw don't forget to accept the answer and/or vote up. — David Brossard, Dec 30 '14 at 13:44
hi David, if possible plz send me test mail on my id himanshu.d@ezdi.us. And yes the answer was useful to me. thanks a lot. — Budhh, Dec 30 '14 at 14:08

How to deal with deep level granularization with XACML in enterprise application

1 Answers1

Linked