2

I have read a lot about ABAC and its benefits, but what I can't comprehend is how exactly the involved parties do their work.

I am creating REST API microservices using C++ and I want to secure all API requests using ABAC. I do understand that I need to have a PEP, PDP, PIP, etc., and I understand the general idea of what each service will do. But I have some questions about an issue that I am facing, and I need to understand whether there is a standard way to do it or whether it just depends on my imagination.

I am not going to use XACML (XML) to store the policy because my company prefers that policies be stored in a database or JSON format.

After forming the XACML request on the PEP side and sending it to the PDP, how do I search the policies stored on the PDP side with this request, knowing that (if I understand it correctly) not all PolicySets have targets, not all Policies have targets, and the same goes for rules?

Do I have to use regex to match data from the request with policies from the PDP? And if regex is to be used, how can I deal with PolicySets with no targets, as I mentioned before, or with multiple targets in the same branch?

0 Answers
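One way a PDP can pick applicable policies without regex, as an added example that is not part of the original question and not a standard API: each level of the tree checks its own target by attribute equality, and an absent or empty target matches every request, as in XACML. It simplifies a target to a single OR of ANDs, uses deny-overrides at every level, and omits rule conditions and Indeterminate; the `Node` type and all attribute names are assumptions.

```cpp
#include <map>
#include <string>
#include <vector>

enum class Decision { Permit, Deny, NotApplicable };
using Request = std::map<std::string, std::string>;  // attribute id -> value
using AllOf   = std::map<std::string, std::string>;  // every pair must be in the request
using Target  = std::vector<AllOf>;                  // one matching AllOf suffices

struct Node {                     // leaf = Rule; with children = Policy or PolicySet
    Target target;                // empty = no target
    Decision effect;              // used by leaves only
    std::vector<Node> children;
};

// Plain equality lookup, no regex. An empty target applies to every request.
bool matches(const Target& t, const Request& req) {
    if (t.empty()) return true;
    for (const AllOf& all : t) {
        bool ok = true;
        for (const auto& kv : all) {
            auto it = req.find(kv.first);
            if (it == req.end() || it->second != kv.second) { ok = false; break; }
        }
        if (ok) return true;
    }
    return false;
}

Decision evaluate(const Node& n, const Request& req) {
    if (!matches(n.target, req)) return Decision::NotApplicable;  // skip whole branch
    if (n.children.empty()) return n.effect;                      // rule reached
    Decision out = Decision::NotApplicable;
    for (const Node& c : n.children) {                            // deny-overrides
        Decision d = evaluate(c, req);
        if (d == Decision::Deny) return d;
        if (d == Decision::Permit) out = d;
    }
    return out;
}

Node samplePolicies() {  // constructed sample data; attribute names are assumptions
    Node permitRead{ Target{ AllOf{{"action", "read"}} }, Decision::Permit, {} };
    Node denyOutsiders{ Target{ AllOf{{"role", "intern"}}, AllOf{{"role", "contractor"}} },
                        Decision::Deny, {} };
    Node denyDelete{ Target{ AllOf{{"action", "delete"}} }, Decision::Deny, {} };
    Node docs{ Target{ AllOf{{"resource", "document"}} }, Decision::NotApplicable,
               {permitRead, denyOutsiders} };
    Node noTarget{ Target{}, Decision::NotApplicable, {denyDelete} };
    return Node{ Target{}, Decision::NotApplicable, {docs, noTarget} };
}
```

When policies live in a database, the same equality keys can index policies by target attribute so that only candidate branches are loaded, with target-less entries always included.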