Angelo Capasso
Reputation: 41
Compare attributes inside a XACML policy
I'm developing an XACML policy and I'm using a sun.xacml library. i want to compare two attributes: one for the subject and one for the resource for permit the access on the resources.
I have generated this XACML file
<?xml version="1.0"?>
<Policy PolicyId="GeneratedPolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Description>Policy che permette la lettura del file ai client che hanno un livello di permesso maggiore o uguale al livello di permesso del file richiesto</Description>
<Target>
<Subjects>
<AnySubject/>
</Subjects>
<Resources>
<AnyResource/>
</Resources>
<Actions>
<Action>
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<Rule RuleId="canRead" Effect="Permit">
<Target>
<Subjects>
<AnySubject/>
</Subjects>
<Resources>
<AnyResource/>
</Resources>
<Actions>
<Action>
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-greater-than-or-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator AttributeId="level-permission" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">4</AttributeValue>
</Condition>
</Rule>
<Rule RuleId="FinalRule" Effect="Deny"/>
</Policy>The problem is that a resource have a level-permission and i want to compare subject's level-permission and resource's level-permission but i don't know how do it.
thanks a lot
Upvotes: 2
Views: 995
Answers (1)
David Brossard
Reputation: 13834
You are almost there. Whenever you need to compare 2 attributes together e.g. user-clearance and resource-classification, you need to use a XACML Condition. You did try to do that in your example but you compared the attribute to a static value.
Here is a simple example in ALFA (Axiomatics Language for Authorization).
policy documentAccess{
apply firstApplicable
rule allowAccessIfClearanceSufficient{
condition user.clearance>document.classification
permit
}
}
I define my attributes as follows:
attribute classification{
category = resourceCat
id = "document.classification"
type = integer
}
and
attribute clearance{
category = subjectCat
id = "user.clearance"
type = integer
}
Note that I use an integer here instead of string. It's more efficient and safer.
The output in XACML 3.0 is the following:
<?xml version="1.0" encoding="UTF-8"?>
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).
Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicyId="http://axiomatics.com/alfa/identifier/example.documentAccess"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<xacml3:Description />
<xacml3:PolicyDefaults>
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
</xacml3:PolicyDefaults>
<xacml3:Target />
<xacml3:Rule
Effect="Permit"
RuleId="http://axiomatics.com/alfa/identifier/example.documentAccess.allowAccessIfClearanceSufficient">
<xacml3:Description />
<xacml3:Target />
<xacml3:Condition>
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
<xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-greater-than"/>
<xacml3:AttributeDesignator
AttributeId="user.clearance"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"
/>
<xacml3:AttributeDesignator
AttributeId="document.classification"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</xacml3:Apply>
</xacml3:Condition>
</xacml3:Rule>
</xacml3:Policy>
Upvotes: 3
Related Questions
- XACML compare two request attributes.
- Compare two multi-element attributes in XACML policy
- Evaluating multi-valued Attribute in XACML 2.0 policy
- match evaluation of multiple multi-valued attributes
- XACML Policy for dynamic attributes
- Does XACML implement a “NOT EQUAL” function?
- Resolving XACML policy conflicts
- XACML - Difference between AND condition and Two Rules
- Is it possible to compare attributes in a XACML policy?
- Using XACML to express policy which is a logical expression