Strong Marissa

Reputation: 23

XACML Policy Modeling: how to model policies for multiple resources?

I have a set of resources. Each resource has its own security policy which is a combination of security rules.

For creating these policies in XACML, what can I use: the element Policy or the element PolicySet?

For example:

In that case: should I create a policy element for resource 1 and another one for resource 2 and so on, all that under a PolicySet element? Or should I create a policy element under that security rule 1 and 2 and so on?

Upvotes: 1

Views: 192

Answers (1)

David Brossard

Reputation: 13832

You can choose to model in many different ways. There is not necessarily a right or a wrong. When I train our customers, I usually recommend that you design policies so that:

  1. They are easy to understand
  2. They are easy to manage
  3. They can easily grow to cater to new scenarios
  4. They allow for collaboration.

The most common pattern is to define your resource hierarchy. For instance you would have the finance app > the account object > the personal information section > the name field.

You may then start to look at other attributes, e.g. user attributes (role, department...).

You would typically use a PolicySet element until you know you will need a Rule, in which case you would switch to a Policy. Keep in mind that PolicySet elements can contain PolicySet and Policy elements. This allows for an any-depth policy structure. If we revisit our example, we would have:

[Figure: XACML Policy Structure]

Upvotes: 1
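The nesting described in the answer above (finance app > account object > personal information section > name field), written out as XACML 3.0. This is an added example, not part of the original answer. The policy ids, the `com.example.*` attribute ids, the `manager` role and the choice of deny-unless-permit as combining algorithm are assumptions made for illustration.

```xml
<!-- Added example: ids and com.example.* attribute names are hypothetical. -->
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicySetId="com.example.finance" Version="1.0"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
  <!-- Level 1: applies only to the finance app -->
  <Target><AnyOf><AllOf>
    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">finance</AttributeValue>
      <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="com.example.resource.application" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
    </Match>
  </AllOf></AnyOf></Target>
  <!-- Level 2: a nested PolicySet for the account object -->
  <PolicySet PolicySetId="com.example.finance.account" Version="1.0"
      PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
    <Target><AnyOf><AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">account</AttributeValue>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="com.example.resource.objectType" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf></Target>
    <!-- Level 3: rules are needed here, so this level is a Policy, not a PolicySet -->
    <Policy PolicyId="com.example.finance.account.personalInformation" Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
      <Target><AnyOf><AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">personalInformation</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="com.example.resource.section" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Match>
      </AllOf></AnyOf></Target>
      <!-- Level 4: the name field, combined with a user attribute (role) -->
      <Rule RuleId="com.example.finance.account.personalInformation.name.managerCanAccess" Effect="Permit">
        <Target><AnyOf><AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">name</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="com.example.resource.field" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="com.example.user.role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </Match>
        </AllOf></AnyOf></Target>
      </Rule>
    </Policy>
  </PolicySet>
</PolicySet>
```

Further resources or sections are added as sibling PolicySet or Policy elements at the matching level, so each branch can be owned and reviewed separately.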
