
Scanning through the OASIS XACML V3 specifications, I did not find any reference to a logical function that implements a "String-not-equal" operation. The missing function is:

<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-not-equal">

Question: Is there a reason for omitting this function, or is there a good practice through code modifications that allows the rule analyst to bypass this situation?

David Brossard
Claude Falbriard

2 Answers

Short answer: no.

Functions in XACML and their use

In XACML, there are functions that you may use inside targets and functions that you may use inside conditions only.

All of the functions you can use in a target can also be used in the condition but the opposite isn't true.

The only functions you can use in a target are functions that:

  • take two arguments only,
  • whose first argument is a static value,
  • whose second argument is an attribute, and
  • that return a boolean.

For instance, stringEquals("manager", role) can be used inside a Target. stringEquals is the ALFA notation for urn:oasis:names:tc:xacml:1.0:function:string-equal.

And here is the source code for a sample Target.

  <xacml3:Target>
    <xacml3:AnyOf>
      <xacml3:AllOf>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml3:AttributeValue>
          <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"  AttributeId="user.role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </xacml3:Match>
      </xacml3:AllOf>
    </xacml3:AnyOf>
  </xacml3:Target>

Why isn't there a string-not-equal?

First of all, keep in mind that an attribute, e.g. role, is in fact a bag of values. The bag could be empty, have one value, or have more.

When you write stringEquals("manager", role), what you are really saying is: "there is at least one value in the list of values for role equal to the value "manager"". In other words, your policy / rule would apply if you were both a manager and a designer.

Now what is the opposite of that? What is stringNotEquals("manager", role)? Would it also be that there is at least one value not equal to manager? Well in that case if I am a manager and a designer, then I am not a manager. Or am I?

Because XACML considers by default that all attributes are multi-valued, you cannot have a function called stringNotEquals.

So how do I express negative cases?

However, there are ways around this. You can express negative cases in conditions e.g. by doing the following (using ALFA notation):

not ( stringEquals(stringOneAndOnly(role),"manager") )

And the resulting XACML is:

 <xacml3:Condition>
      <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
           <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                     <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"  AttributeId="user.role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
                </xacml3:Apply>
                <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml3:AttributeValue>
           </xacml3:Apply>
      </xacml3:Apply>
 </xacml3:Condition>

I hope this helps...

David Brossard

Temporarily, I found a bypass by changing the "Match" statement into REGEX-based logic, which offers a function that implements "Does not contain a word XYZ in a String", as in this sample:

 <!-- Not Equal operator executed by the REGEX -->
 <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^((?!XYZ).)*$</AttributeValue>
   <!-- second argument: the attribute being tested; AttributeId taken from the sample Target in the other answer -->
   <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="user.role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
 </Match>

This code is not very well constructed, nor readable, but it delivers the missing function for "NOT EQUAL". Please let me know in case there is a better solution for it.

Claude Falbriard
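The two answers turn on how a comparison behaves when the attribute is a bag rather than a single string. The following Python model is an added illustration for this page, not code from either answer, from the XACML specification, from ALFA, or from any PDP; the function names, the `Result`/`INDETERMINATE` convention and the bags in `SAMPLE_BAGS` are my own constructions. It evaluates the Target `string-equal` Match from the first answer, the `not(string-equal(string-one-and-only(role), "manager"))` Condition, and the `string-regexp-match` workaround from the second answer against the same bags, so the divergence between them is visible: for a user whose role bag is {manager, designer}, the regexp workaround reports "not a manager", and for the value "senior-manager" it reports "equal to manager" because the pattern tests containment rather than equality. One caveat on the workaround itself: Python's `re` accepts the negative lookahead `(?!...)`, but XACML 3.0 defines the syntax of `string-regexp-match` as XML Schema regular expressions, which have no lookahead, so whether a given PDP accepts the pattern depends on the regex engine it delegates to.

```python
"""Model of how XACML 3.0 evaluates string comparisons over attribute bags.

Added illustration for this page; not code from the XACML specification,
ALFA, or any PDP. It models three constructs discussed in the answers above:

  1. Target <Match> with string-equal: true if ANY value in the bag equals
     the literal (an empty bag never matches).
  2. Condition not(string-equal(string-one-and-only(bag), literal)):
     string-one-and-only raises Indeterminate unless the bag holds exactly
     one value, so the rule is Indeterminate for empty or multi-valued bags.
  3. The regexp workaround from the second answer: <Match> with
     string-regexp-match and the pattern ^((?!word).)*$ , again with
     "any value matches" semantics.

The bags in SAMPLE_BAGS are constructed sample data.
"""
import re
from typing import Dict, List, Union

Result = Union[bool, str]  # a rule evaluates to True, False or "Indeterminate"
INDETERMINATE = "Indeterminate"


class Indeterminate(Exception):
    """Raised when an XACML function cannot be evaluated on its input."""


def match_string_equal(literal: str, bag: List[str]) -> bool:
    """<Match> with urn:oasis:names:tc:xacml:1.0:function:string-equal:
    true if at least one bag value equals the literal."""
    return any(literal == value for value in bag)


def string_one_and_only(bag: List[str]) -> str:
    """urn:oasis:names:tc:xacml:1.0:function:string-one-and-only:
    the single bag value, or Indeterminate for any other bag size."""
    if len(bag) != 1:
        raise Indeterminate(f"string-one-and-only applied to a bag of {len(bag)} values")
    return bag[0]


def condition_not_equal(literal: str, bag: List[str]) -> Result:
    """not(string-equal(string-one-and-only(bag), literal)), as in the first answer."""
    try:
        return string_one_and_only(bag) != literal
    except Indeterminate:
        return INDETERMINATE


def match_regexp_not_contains(word: str, bag: List[str]) -> bool:
    """The second answer's workaround: <Match> with string-regexp-match and
    ^((?!word).)*$ . Python's re supports the negative lookahead; the XACML
    spec defines the syntax as XML Schema regular expressions, which do not,
    so a given PDP may reject this pattern."""
    pattern = re.compile(rf"^((?!{re.escape(word)}).)*$")
    return any(pattern.match(value) is not None for value in bag)


SAMPLE_BAGS: Dict[str, List[str]] = {  # constructed sample data
    "no role": [],
    "manager only": ["manager"],
    "designer only": ["designer"],
    "manager + designer": ["manager", "designer"],
    "senior-manager": ["senior-manager"],
}


def evaluate_all(literal: str = "manager") -> Dict[str, Dict[str, Result]]:
    """Evaluate all three constructs against every sample bag."""
    return {
        label: {
            "equals": match_string_equal(literal, bag),
            "not_equal_condition": condition_not_equal(literal, bag),
            "regex_workaround": match_regexp_not_contains(literal, bag),
        }
        for label, bag in SAMPLE_BAGS.items()
    }


if __name__ == "__main__":
    print(f"{'bag':<20}{'equals':<10}{'not(one-and-only==)':<22}{'regex workaround'}")
    for label, row in evaluate_all().items():
        print(f"{label:<20}{str(row['equals']):<10}"
              f"{str(row['not_equal_condition']):<22}{row['regex_workaround']}")
```

Running the module prints one row per bag. The "manager + designer" row is the case the first answer warns about: `string-equal` says the user is a manager, the `string-one-and-only` Condition refuses to decide (Indeterminate), and the regexp Match says the user is not a manager. The "senior-manager" row shows the second divergence: the role is not equal to "manager", yet the regexp Match is false because the pattern tests whether the substring is absent.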