
I have two policies: the first one should return Permit and the second should return Deny, but it always returns Deny for the requests.

This is the PolicySet:

 <PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" PolicySetId="http://axiomatics.com/alfa/identifier/test.testps1" Version="1.0" xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">



<Target/> 
<Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="p2"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
    Version="1.0">


<Target>


<AnyOf>

<AllOf>

<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
C70001
</AttributeValue>

<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>

</Match>

<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
Alise Ibrahem
</AttributeValue>

<AttributeDesignator AttributeId="subjectName" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>

</Match>

<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
IT
</AttributeValue>

<AttributeDesignator AttributeId="subjectDep" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>

</Match>



</AllOf>

</AnyOf>

</Target>


<Rule Effect="Deny" RuleId="Deny_Rule">

 <Target>
           <AnyOf>
             <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI"
                  >Employee</AttributeValue>
                 <AttributeDesignator  AttributeId="subjectJob" MustBePresent="false"
                 Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                 DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
               </Match>
             </AllOf>
           </AnyOf>
           <AnyOf>
             <AllOf>
               <Match
                 MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                 <AttributeValue
                   DataType="http://www.w3.org/2001/XMLSchema#string"
                    >read</AttributeValue>
                 <AttributeDesignator
                   MustBePresent="false"
                   Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                   AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string"/>
               </Match>
             </AllOf>
           </AnyOf>
         </Target>

   <AdviceExpressions>
    <AdviceExpression AdviceId="not-hr-employee" AppliesTo="Deny">
    <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">You are not allowed to get employees data</AttributeValue>
    </AttributeAssignmentExpression>
    </AdviceExpression>
    </AdviceExpressions>

</Rule>


</Policy>


<Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="p1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides" Version="1.0">



<Target>


<AnyOf>

<AllOf>

<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
C80001
</AttributeValue>

<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>

</Match>

<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
Hadeel Neama
</AttributeValue>

<AttributeDesignator AttributeId="subjectName" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>

</Match>

<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
HR
</AttributeValue>

<AttributeDesignator AttributeId="subjectDep" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>

</Match>


</AllOf>

</AnyOf>

</Target>


<Rule Effect="Permit" RuleId="Permit_Rule">

 <Target>
           <AnyOf>
             <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI"
                  >Employee</AttributeValue>
                 <AttributeDesignator  AttributeId="subjectJob" MustBePresent="false"
                 Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                 DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
               </Match>
             </AllOf>
           </AnyOf>
           <AnyOf>
             <AllOf>
               <Match
                 MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                 <AttributeValue
                   DataType="http://www.w3.org/2001/XMLSchema#string"
                    >read</AttributeValue>
                 <AttributeDesignator
                   MustBePresent="false"
                   Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                   AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string"/>
               </Match>
             </AllOf>
           </AnyOf>
         </Target> 


</Rule>

</Policy>

</PolicySet>

XACML Request that I want to have a permit response:

   <?xml version="1.0" encoding="UTF-8"?>
    <Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">C80001</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="subjectName" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Hadeel Neama</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="subjectDep" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HR</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="subjectJob" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="subjectJob" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue>
</Attribute>
</Attributes>
</Request>

Request that I want to have a permit response:

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">C70001</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-Name" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alise Ibrahem</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subjectDep" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">IT</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subjectJob" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="subjectJob" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue>
</Attribute>
</Attributes>
</Request>

Response to both requests:

  <?xml version="1.0" encoding="UTF-8"?>
   <Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"><Result><Decision>Deny</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status><AssociatedAdvice><Advice AdviceId="not-hr-employee" ><AttributeAssignment  AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text" DataType="http://www.w3.org/2001/XMLSchema#string">
You are not allowed to get employees data</AttributeAssignment>
</Advice></AssociatedAdvice></Result><Result><Decision>Deny</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status><AssociatedAdvice><Advice AdviceId="not-hr-employee" ><AttributeAssignment  AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text" DataType="http://www.w3.org/2001/XMLSchema#string">
You are not allowed to get employees data</AttributeAssignment>
</Advice></AssociatedAdvice></Result><Result><Decision>Deny</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status><AssociatedAdvice><Advice AdviceId="not-hr-employee" ><AttributeAssignment  AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text" DataType="http://www.w3.org/2001/XMLSchema#string">
You are not allowed to get employees data</AttributeAssignment>
</Advice></AssociatedAdvice></Result><Result><Decision>Deny</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status><AssociatedAdvice><Advice AdviceId="not-hr-employee" ><AttributeAssignment  AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text" DataType="http://www.w3.org/2001/XMLSchema#string">
You are not allowed to get employees data</AttributeAssignment>
</Advice></AssociatedAdvice></Result></Response>
===========================================================

 Result is "Deny"   

Advice :  
You are not allowed to get employees data

This is the ALFA code:

namespace test {
    import Attributes.* 

policy testpolicy {
target clause subjectId == "C80001"
and subjectName=="Hadeel Neama"
and subjectDep=="HR"
and subjectJob=="Employee" 

apply permitOverrides


rule {

target clause job=="Employee"
and actionId == "read"

permit
}
}
}

and this is the condition that I added to the rule:

condition subjectDep=="HR"

I just don't know why all the tries with a condition fail! I've tried this condition in Deny_Rule:

<Condition>

<Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of-any">

<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>

<AttributeDesignator AttributeId="subjectDep" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
HR
</AttributeValue>

</Apply>

</Condition>

but when I send a request, it returns:

مار 13, 2019 8:32:08 م org.wso2.balana.finder.PolicyFinder findPolicy
INFO: No applicable policies were found for the request
مار 13, 2019 8:32:08 م org.wso2.balana.finder.PolicyFinder findPolicy
INFO: No applicable policies were found for the request
مار 13, 2019 8:32:08 م org.wso2.balana.finder.PolicyFinder findPolicy
INFO: No applicable policies were found for the request
مار 13, 2019 8:32:08 م org.wso2.balana.finder.PolicyFinder findPolicy
INFO: No applicable policies were found for the request

======================== XACML Response ===================
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"><Result><Decision>NotApplicable</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status></Result><Result><Decision>NotApplicable</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status></Result><Result><Decision>NotApplicable</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status></Result><Result><Decision>NotApplicable</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status></Result></Response>
===========================================================

 Result is "Deny"   

Even if I just wrote:

<Condition/>

!!!

  • Hi, your first request was invalid. It was missing a closing tag. Your second policy is also invalid. It is missing a closing tag. Can you double-check your policies? How did you write them? – David Brossard Mar 12 '19 at 17:11
  • Welcome, Mr. David... Sorry, it's by mistake... I'll fix it... I wrote it with alfa, this is my code: namespace test { import Attributes.* policy testpolicy { target clause subjectId == "C80001" and subjectName=="Hadeel Neama" and subjectDep=="HR" and subjectJob=="Employee" apply permitOverrides rule { target clause job=="Employee" and actionId == "read" permit } } } – AhmadSYousef Mar 12 '19 at 17:39
  • I've added it to the question... I don't know what's matter with the condition! – AhmadSYousef Mar 12 '19 at 17:46
  • The XML documents of the policies are still invalid, regardless of XACML. For instance, you declare the 'xacml3' prefix for the XACML namespace, but your Policy element (and others) has no namespace prefix. It should be 'xacml3' (or just declare it as the default namespace like in the Requests - no prefix). Therefore any XML validator will tell you it cannot find the declaration of the *Policy* element. **Which XACML implementation are you testing?** Since you tagged the question with 'balana', I would assume it is Balana, but you also mention sending a request in ALFA, which Balana does not understand. Please clarify. – cdan Mar 12 '19 at 20:58
  • Now if I fixed the XML namespace issue, then there are XACML syntax issues in the first policy: 1) line 31: the **MustBePresent attribute is missing** in the Attribute Designator. 2) line 31 (again): invalid type of argument to function `anyURI-equal`, the AttributeDesignator's **type must be anyURI instead of string**. – cdan Mar 12 '19 at 21:13
  • Now if I fixed both XML and XACML-specific issues (I set MustBePresent=false for the first issue, and replace with type anyURI for the second one), I get `NotApplicable` result for the first XML Policy/Request, as expected because the Request does not match. Confirmed with [AuthzForce](https://github.com/authzforce/core). – cdan Mar 12 '19 at 21:39
  • Now there are **semantic issues** I think: 1) you wrote `employee` (all lowercase) in the XML Policy for the `job` attribute in resource category, but `Employee` in the ALFA format. Typo? 2) In the XML and ALFA policy, you are using a Match on **`job` attribute in resource category**, whereas in the XML Request, it's **`subjectJob`** (in resource category). Typo again? – cdan Mar 12 '19 at 21:39
  • For 2) the datatype is different as well: **`job` attribute** has type **anyURI** in the XML Policy, whereas in the XML Request, **`subjectJob`** (in resource category) has type **string**. Typo again? So if we fix all that (use string datatype everywhere in Policy and Request and string-equal instead of anyURI-equal), then I get *Permit* as you would expect for the first Policy and Request. – cdan Mar 12 '19 at 21:50
  • @CyrilDangerville you should add these in a response... – David Brossard Mar 12 '19 at 23:53
  • Will do. Just waiting for the OP to fix the question. But you're right, I should probably post the fixed policy/request myself in an answer. – cdan Mar 13 '19 at 12:23
  • Thanks, I've considered your advice, and I've edited the post. – AhmadSYousef Mar 13 '19 at 17:36
  • Issues are still there. See my answer. – cdan Mar 13 '19 at 22:35

1 Answer

Still a few issues to fix:

  1. In the Policy, replace...
    xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    
    ... with simply this (make xacml the default namespace like in your Request):
    xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    
  2. Replace function anyURI-equal with string-equal
  3. Replace datatype anyURI with string
  4. Remove all trailing/leading newlines or blank spaces around AttributeValues that should not be there (I suspect your XML editor messed up; remember the strings are matched as is with string-equal, including newlines and whitespace around them, there is no whitespace collapse here)

In the end, here is the valid Policy:

<?xml version="1.0" encoding="UTF-8"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" PolicySetId="http://axiomatics.com/alfa/identifier/test.testps1" Version="1.0">
  <Target />
  <Policy PolicyId="p2" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">C70001</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alise Ibrahem</AttributeValue>
            <AttributeDesignator AttributeId="subjectName" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">IT</AttributeValue>
            <AttributeDesignator AttributeId="subjectDep" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Rule Effect="Deny" RuleId="Deny_Rule">
      <Target>
        <AnyOf>
          <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue>
              <AttributeDesignator AttributeId="subjectJob" MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </Match>
          </AllOf>
        </AnyOf>
        <AnyOf>
          <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
              <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </Match>
          </AllOf>
        </AnyOf>
      </Target>
      <AdviceExpressions>
        <AdviceExpression AdviceId="not-hr-employee" AppliesTo="Deny">
          <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">You are not allowed to get employees data</AttributeValue>
          </AttributeAssignmentExpression>
        </AdviceExpression>
      </AdviceExpressions>
    </Rule>
  </Policy>
  <Policy PolicyId="p1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides" Version="1.0">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">C80001</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Hadeel Neama</AttributeValue>
            <AttributeDesignator AttributeId="subjectName" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HR</AttributeValue>
            <AttributeDesignator AttributeId="subjectDep" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Rule Effect="Permit" RuleId="Permit_Rule">
      <Target>
        <AnyOf>
          <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue>
              <AttributeDesignator AttributeId="subjectJob" MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </Match>
          </AllOf>
        </AnyOf>
        <AnyOf>
          <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
              <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </Match>
          </AllOf>
        </AnyOf>
      </Target>
    </Rule>
  </Policy>
</PolicySet>

--EDIT 2019-03-30--

The issue with your Requests is that you have multiple <Attributes ...> in the same Category access-subject and this is interpreted by Balana as requesting multiple decisions according to Multiple Decision Profile of XACML (see 3.3 Repeated <Attributes> categories), which is not what you want. To fix it, group all subject attributes together in one <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">...

So here is the fixed request:

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
  </Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">C80001</AttributeValue>
  </Attribute>
  <Attribute AttributeId="subjectName" IncludeInResult="false">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Hadeel Neama</AttributeValue>
  </Attribute>
  <Attribute AttributeId="subjectDep" IncludeInResult="false">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HR</AttributeValue>
  </Attribute>
  <Attribute AttributeId="subjectJob" IncludeInResult="false">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue>
  </Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
  <Attribute AttributeId="subjectJob" IncludeInResult="false">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue>
  </Attribute>
</Attributes>
</Request>

Hitting this Policy with this fixed request (Hadeel Neama in HR) returns Permit, which is what you expect.

In the second Request, there is a mistake on the subjectName attribute: replace wrong AttributeId urn:oasis:names:tc:xacml:1.0:subject:subject-Name with subjectName to match the AttributeId in the Policy.

With this extra fix, the second Request (Alise Ibrahem in IT department) returns Deny. Validated with AuthzForce.

cdan
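The two failure modes in the answer above (whitespace and datatype mismatches inside a `<Match>`, and repeated `<Attributes>` categories in a Request that switch the PDP into the Multiple Decision Profile) are easy to check before a policy ever reaches Balana or AuthzForce. The following Python script is an added example, not code from the original post or from either PDP: it parses a XACML 3.0 Request and Policy with the standard library, reports the repeated categories and merges them the way the fixed Request does, and lints every `<Match>` for the issues the answer lists. The sample Request and Policy embedded in it are constructed for this example and deliberately contain the mistakes.

```python
"""Lint a XACML 3.0 Request and Policy for the pitfalls discussed in the answer.

Added example (not from the original post, Balana or AuthzForce). The sample
REQUEST and POLICY below are constructed and intentionally faulty.
"""
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS = "http://www.w3.org/2001/XMLSchema#"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ET.register_namespace("", NS)  # serialize with XACML as the default namespace


def q(tag):
    """Qualified tag name in the XACML 3.0 namespace."""
    return f"{{{NS}}}{tag}"


# Constructed Request: the subject attributes are split over two <Attributes>
# elements with the same Category, which a PDP reads as a Multiple Decision
# Profile request (one <Result> per combination) instead of one decision.
REQUEST = f"""<Request xmlns="{NS}" CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="{SUBJECT}">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
      <AttributeValue DataType="{XS}string">C80001</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="{SUBJECT}">
    <Attribute AttributeId="subjectDep" IncludeInResult="false">
      <AttributeValue DataType="{XS}string">HR</AttributeValue>
    </Attribute>
  </Attributes>
</Request>"""

# Constructed Policy: newlines around the first AttributeValue, and a second
# Match that applies anyURI-equal to a string designator without MustBePresent.
POLICY = f"""<Policy xmlns="{NS}" PolicyId="p-lint" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
  <Target><AnyOf><AllOf>
    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="{XS}string">
HR
</AttributeValue>
      <AttributeDesignator AttributeId="subjectDep" Category="{SUBJECT}" DataType="{XS}string" MustBePresent="false"/>
    </Match>
    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
      <AttributeValue DataType="{XS}anyURI">Employee</AttributeValue>
      <AttributeDesignator AttributeId="subjectJob" Category="{RESOURCE}" DataType="{XS}string"/>
    </Match>
  </AllOf></AnyOf></Target>
</Policy>"""


def repeated_categories(request_xml):
    """Categories that occur in more than one <Attributes> element of a Request."""
    counts = {}
    for attrs in ET.fromstring(request_xml).findall(q("Attributes")):
        counts[attrs.get("Category")] = counts.get(attrs.get("Category"), 0) + 1
    return sorted(cat for cat, n in counts.items() if n > 1)


def merge_categories(request_xml):
    """Return the Request with all <Attribute>s of one Category grouped under a
    single <Attributes> element, i.e. the fix the answer describes."""
    root = ET.fromstring(request_xml)
    merged = ET.Element(q("Request"), root.attrib)
    by_cat = {}
    for attrs in root.findall(q("Attributes")):
        cat = attrs.get("Category")
        if cat not in by_cat:
            by_cat[cat] = ET.SubElement(merged, q("Attributes"), {"Category": cat})
        for attr in attrs.findall(q("Attribute")):
            by_cat[cat].append(attr)
    return ET.tostring(merged, encoding="unicode")


def lint_policy(policy_xml):
    """Findings for every <Match>: literal whitespace in the AttributeValue,
    value/designator type mismatch, *-equal function applied to the wrong
    datatype, and a designator without the mandatory MustBePresent."""
    findings = []
    for match in ET.fromstring(policy_xml).iter(q("Match")):
        fn = match.get("MatchId").rsplit(":", 1)[-1]
        value = match.find(q("AttributeValue"))
        desig = match.find(q("AttributeDesignator"))
        attr_id = desig.get("AttributeId")
        text = value.text or ""
        if text != text.strip():
            findings.append(f"{attr_id}: whitespace around AttributeValue {text!r}; string-equal compares it verbatim")
        if value.get("DataType") != desig.get("DataType"):
            findings.append(f"{attr_id}: AttributeValue and AttributeDesignator DataType differ")
        if fn.endswith("-equal"):
            expected = XS + fn[: -len("-equal")]  # string-equal -> xs:string, anyURI-equal -> xs:anyURI
            for el in (value, desig):
                if el.get("DataType") != expected:
                    findings.append(f"{attr_id}: {fn} applied to {el.get('DataType')} argument")
        if desig.get("MustBePresent") is None:
            findings.append(f"{attr_id}: MustBePresent is required on AttributeDesignator")
    return findings


if __name__ == "__main__":
    print("repeated categories:", repeated_categories(REQUEST))
    print("after merge:", repeated_categories(merge_categories(REQUEST)))
    for finding in lint_policy(POLICY):
        print("policy:", finding)
```

Running it on the constructed inputs reports the `access-subject` category as repeated, an empty list after `merge_categories`, and four policy findings: the verbatim `'\nHR\n'` value, the type mismatch on `subjectJob`, the `anyURI-equal` function applied to a string designator, and the missing `MustBePresent`. The same checks apply unchanged to the PolicySet and Requests in the question.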
  • Thanks @cyril-dangerville, but unfortunately it doesn't work in Balana... And when I add the xml head it doesn't work, and when I add **xmlns** without **:xacml3** it doesn't work, and the response to the requests is **Deny** with the advice... – AhmadSYousef Mar 14 '19 at 06:47
  • Have you tested with the fixed Policy in my answer **as is** ? (there are more fixes than just the xmlns). If not, please do so. You should definitely get a Permit for the first Request, else there is something wrong with Balana (not XACML compliant?). – cdan Mar 14 '19 at 14:29
  • Yes, I have tested with the fixed Policy in your answer as is; it didn't work until I removed the **xml head** and added **:xacml3**, and the response is still **Deny** with the advice. I think something is wrong with Balana... Thanks. – AhmadSYousef Mar 14 '19 at 19:21
  • Maybe you could give us a link to your Java project (zip file or public repository) that can enable us to test/reproduce your issue, so that we can confirm that this is indeed a Balana issue. Else I invite you to test with AuthzForce, I can help more since I'm a contributor. – cdan Mar 17 '19 at 14:25
  • Thank you... I need your help... This is the repository: https://github.com/AhmadYYousef/test01 I didn't solve it yet – AhmadSYousef Mar 20 '19 at 10:33
  • Ok, how do I run the test? When I do `mvn test`, there is none. – cdan Mar 22 '19 at 13:13
  • Right click on pom.xml then choose *Run As* Could you tell me how to start with *AuthzForce*? – AhmadSYousef Mar 28 '19 at 04:27
  • OK, the issue was the Request having repeated Attributes category 'access-subject', which triggers Balana to use the Multiple Decision profile, not something you want. Fix: group all subject attributes in one single Attributes category; works for me with your github project. I edited my answer and gave you the fixed Request. Also you didn't fix the PolicySet's `xmlns` as I told you. (Luckily for you, Balana doesn't care, but this is wrong.) For AuthzForce, see the [Getting started](https://github.com/authzforce/core#getting-started). Please accept my answer if OK for you. – cdan Mar 30 '19 at 14:38