1

It is straightforward to check if a user has permission for a GET request on a collection (e.g. /orders), but how does ABAC deal with items of collections? The user may have permission for some items of the collection, but not for others (e.g. the user can only see orders below 10.000 Euro).

Is a separate request to the PDP created for each object in the list or does the PDP accept a list of requests and return a list of decisions? Since the PIP doesn't know how the collection might be filtered, the decision about access permission can only be made after all objects are fetched.

The returned collection items may only return selected fields. The PIP therefore needs to make another request to fetch the missing attributes. During the time the attributes are fetched and the access is decided, the data can have changed. The decision is then based on different states of the objects. How is this prevented?

M. Koch
  • Could you post some code? Your question is abstract. For a user to see orders below 1000 shouldn't be complicated in my opinion. Just make different api for different user and add different policy. – Qiang Fu Apr 11 '23 at 13:51
  • Yes, it is trivial to create a rule, but my question is about the implementation of the PEP in the application. If a list of objects is returned with a GET, how are the view permissions decided? Is there a call for each item? Normally, the command is intercepted by the PEP, but here also the result would need to be intercepted. How can the PIP fetch additional attributes in that case? I didn't find descriptions. – M. Koch Apr 11 '23 at 19:24
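To make the scenario in the question concrete, here is an added toy example (not code from the question or from any XACML product) of the two things being asked about: a PEP that intercepts the *result* of GET /orders rather than the request, sends the PDP one batch of requests for the whole list, and uses a PIP to fetch the attribute the projection left out. It also shows one mitigation for the "data changed while deciding" problem: the backing store carries a version counter, the PIP reports the version it read, and the PEP drops any item whose version differs between the projection and the PIP read. All data, the version scheme and the names `pep_filter_orders`, `pdp_decide_batch` and `pip_fetch` are constructed assumptions for the illustration.

```python
"""Toy ABAC round trip (PEP -> PIP -> PDP) over a collection.
Constructed example: no real policy engine, invented data and names."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed backing store. Each record carries a version counter that the
# store bumps on every write, so two reads can be compared for consistency.
ORDERS: Dict[str, dict] = {
    "o1": {"id": "o1", "customer": "acme",   "amount": 2500,  "version": 1},
    "o2": {"id": "o2", "customer": "acme",   "amount": 15000, "version": 1},
    "o3": {"id": "o3", "customer": "globex", "amount": 9999,  "version": 1},
}

def update_order(order_id: str, **changes) -> None:
    """Simulates a concurrent write: apply the changes and bump the version."""
    ORDERS[order_id].update(changes)
    ORDERS[order_id]["version"] += 1

def list_orders_projection() -> List[dict]:
    """Simulates the GET /orders handler: selected fields only, no 'amount'."""
    return [{"id": o["id"], "customer": o["customer"], "version": o["version"]}
            for o in ORDERS.values()]

# PIP: fetches the attributes the projection left out and reports the version it saw.
def pip_fetch(order_id: str, attrs: List[str]) -> Tuple[dict, int]:
    rec = ORDERS[order_id]
    return {a: rec[a] for a in attrs}, rec["version"]

@dataclass
class Request:
    subject: dict
    resource: dict
    action: str

# PDP: a single rule, "a subject may read an order whose amount is below its limit".
def pdp_decide(req: Request) -> str:
    if req.action != "read" or req.resource.get("type") != "order":
        return "NotApplicable"
    limit, amount = req.subject.get("max_order_amount"), req.resource.get("amount")
    if limit is None or amount is None:
        return "Indeterminate"      # a missing attribute is never a Permit
    return "Permit" if amount < limit else "Deny"

def pdp_decide_batch(requests: List[Request]) -> List[str]:
    """Batch interface: a list of requests in, a list of decisions out, one call."""
    return [pdp_decide(r) for r in requests]

# PEP: intercepts the *response* of GET /orders, enriches each item through the
# PIP, asks the PDP once for the whole list, and keeps only Permit items whose
# record did not change between the projection read and the PIP read.
def pep_filter_orders(subject: dict, projection: List[dict]) -> List[dict]:
    requests, seen_versions = [], []
    for item in projection:
        extra, seen = pip_fetch(item["id"], ["amount"])
        requests.append(Request(subject, {"type": "order", **item, **extra}, "read"))
        seen_versions.append(seen)
    decisions = pdp_decide_batch(requests)
    visible = []
    for item, decision, seen in zip(projection, decisions, seen_versions):
        if decision == "Permit" and seen == item["version"]:
            visible.append(item)
        # Deny, Indeterminate, NotApplicable, or a version mismatch (the record
        # changed mid-evaluation) all fail closed: the item is not returned.
    return visible

if __name__ == "__main__":
    clerk = {"id": "u1", "max_order_amount": 10000}   # constructed subject
    print([o["id"] for o in pep_filter_orders(clerk, list_orders_projection())])
```

The version comparison only detects a change that lands between the projection read and the PIP read; a write that arrives after the decision has been returned is not caught by it. If that window matters, read the full record once per item (so there is a single snapshot per object) instead of projection plus PIP, or have the PIP return the complete record and discard the projection's copy.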

1 Answer

1

I couldn't find an answer searching on stackoverflow, but I kept searching and found a great stackoverflow answer through google:

XACML how to efficiently control Access to Collections (Lists) of Resources

M. Koch