Jatin

Reputation: 697

How to implement these rules in XACML policies?

Here is a requirement I am trying to implement via XACML/ABAC for learning purposes:

Information Model

Rules

Any pointers?

Update

Essentially, here is my concern: if the requirement was something like "A housekeeper can 'open' 'unitX' if s/he has 'open' permission on 'unitX'", I would've just written a simple rule.

However, with my actual requirement, the concerns are:

  1. Since there is not one particular resource but many resources of the same type, should I be writing a separate policy for each resource? E.g. a separate policy for building "B1", another for "B2" and so on?

  2. How will the policy "know" about the hierarchical relationship between building and unit?

Now that I think further about this, I think the following approach should work (?):

  1. The request will include the following:

     resource: /{buildingId}/{unitId} // this is how the policy will know the parent-child relationship

     action: open

     subject: subjectId and probably all permissions that this subject has (still thinking about how to represent the permissions, any suggestions?)

  2. Define one policy with the rule:

     // pseudocode
     if (subject.permissions include open on {buildingId} OR open on {unitId}) then permit else deny.

Any suggestions?

Thanks,

Jatin

Upvotes: 0

Views: 217

Answers (1)

Jayanta Debnath

Reputation: 48

You need to define attributes like the following in an ABAC model:

Resource Attribute

Attribute - Building, Attribute Values - B1, B2, B3

Attribute - Unit, Attribute Values - B1U1, B1U2, B1U3, B2U1, B2U2, B2U3, B3U1, B3U2, B3U3

Action Attribute

Attribute - Building Action, Attribute Value - Open

Subject Attribute

Attribute - Building Resident, Attribute Values - Resident1, Resident2

The hierarchical relation between a building and its building units needs to be defined as a resource inheritance relation.

Resource Inheritance

Beneficiary - Building: B1, Inherited Values - Unit: B1U1, Unit: B1U2, Unit: B1U3

Beneficiary - Building: B2, Inherited Values - Unit: B2U1, Unit: B2U2, Unit: B2U3

Beneficiary - Building: B3, Inherited Values - Unit: B3U1, Unit: B3U2, Unit: B3U3

Now you need to define rules in an ABAC policy. You can use policy automation tools so that you do not need to think about inheritance relations during rule creation. You define those relations once, and later, when you create rules, the automation tool will remember those relations and create the rules automatically for you. You can download such a tool named "Security Policy Tool". This is a commercial tool, but you can download a free demo which also includes a full XACML editor. Please see below a screenshot of your model in SPT:

[Screenshot: your model defined in Security Policy Tool]

Then from this tool you can automatically convert your ABAC policies into XACML and further edit them in the built-in XACML editor to fine-tune.

[Screenshot: XACML policy automatically converted by Security Policy Tool]

Upvotes: 1
