Albie Morken

Reputation: 215

XACML policy - getting "indeterminate" response

I am trying to explore XACML in WSO2. I am using the below policy in WSO2 IS 5.3.0

    <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="InStorePolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
       <Target>
          <AnyOf>
             <AllOf>
                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
                   <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
                </Match>
             </AllOf>
          </AnyOf>
       </Target>
       <Rule Effect="Permit" RuleId="Rule_for_employee">
          <Target>
             <AnyOf>
                <AllOf>
                   <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue>
                      <AttributeDesignator AttributeId="http://test.org/claim/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
                   </Match>
                </AllOf>
                <AllOf>
                   <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Manager</AttributeValue>
                      <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
                   </Match>
                </AllOf>
             </AnyOf>
          </Target>
          <Condition>
             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">private/support</AttributeValue>
                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">private/team</AttributeValue>
                </Apply>
                <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
             </Apply>
          </Condition>
       </Rule>
       <Rule Effect="Permit" RuleId="Rule_for_manager">
          <Target>
             <AnyOf>
                <AllOf>
                   <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Manager</AttributeValue>
                      <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
                   </Match>
                </AllOf>
             </AnyOf>
          </Target>
          <Condition>
             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">private</AttributeValue>
                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">private/business</AttributeValue>
                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">private/leadership</AttributeValue>
                </Apply>
                <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
             </Apply>
          </Condition>
       </Rule>
       <Rule Effect="Deny" RuleId="Rule_deny_all"></Rule>
    </Policy>

I have created users with Manager and Employee roles. But when I use the 'Tryit' with the following values, I am getting "Indeterminate":

action : access, subject : employee1, resource : /private/team

Also, I am getting "Couldn't find AttributeDesignator attribute" error in the server console. I couldn't find more details.

Could anyone help me understand the issue?

-Albie Morken

Upvotes: 1

Views: 495

Answers (1)

David Brossard

Reputation: 13832

I tried your policies using the Axiomatics Policy Server and I believe I might have found the root cause of your issue. Some of your attributes are marked as MustBePresent. This is an optional flag which, if set to true, will make the evaluation return Indeterminate if there is no value for your attribute.

Access Review

Here are the three different ways access can be granted:

  1. stringAtLeastOneMemberOf(stringBag("private/support" , "private/team") , Attributes.resource.resource_id ) AND "access" == Attributes.action.action_id AND "Employee" == http://test.org/claim/role

  2. "Manager" == http://wso2.org/claims/role AND stringAtLeastOneMemberOf(stringBag("private/support" , "private/team") , Attributes.resource.resource_id ) AND "access" == Attributes.action.action_id

  3. "Manager" == http://wso2.org/claims/role AND "access" == Attributes.action.action_id AND stringAtLeastOneMemberOf(stringBag("private" , "private/business" , "private/leadership") , Attributes.resource.resource_id )

The notation above uses ALFA, the Abbreviated Language for Authorization.

Policy Review

This is what your policy looks like in the Policy Editor.

Axiomatics Policy Editor

There are a couple of odd things in your policy BTW:

  1. You use 2 similar yet different attribute identifiers (http://wso2.org/claims/role and http://test.org/claim/role). Is that intentional?
  2. None of your policies and rules are described which makes understanding them harder.
  3. I'm not sure you need to mark attributes as MustBePresent. I typically do not but that's likely a preference.
  4. You use conditions when a simple target would do.

Before

The rule before update

After

The following is easier to read than the former.

The rule with a combined target

Sample Request / Response

The following samples leverage the JSON profile of XACML (Wikipedia | Blog post)

{
    "Request": {
        "AccessSubject": {
            "Attribute": [
                {
                    "AttributeId": "http://test.org/claim/role",
                    "Value": "Employee"
                }
            ]
        },
        "Resource": {
            "Attribute": [
                {
                    "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
                    "Value": "private/support"
                }
            ]
        },
        "Action": {
            "Attribute": [
                {
                    "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                    "Value": "access"
                }
            ]
        },
        "Environment": {
            "Attribute": []
        }
    }
}

And the matching response

{
  "Response" : {
    "Decision" : "Permit",
    "Status" : {
      "StatusCode" : {
        "Value" : "urn:oasis:names:tc:xacml:1.0:status:ok",
        "StatusCode" : {
          "Value" : "urn:oasis:names:tc:xacml:1.0:status:ok"
        }
      }
    }
  }
}

Upvotes: 2
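A pre-flight check for the MustBePresent problem described in this answer, as added example code that is not from the question, the answer, WSO2 or Axiomatics: it parses a cut-down copy of the policy, collects every AttributeDesignator marked MustBePresent="true", and reports which of those a JSON-profile request fails to carry. The policy and request literals are constructed; the request mirrors the Tryit values from the question, which carry a subject-id but no role claim.

```python
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS = "http://www.w3.org/2001/XMLSchema#string"
# JSON-profile category keys mapped to the XACML 3.0 category URIs used by AttributeDesignator
CATEGORY_BY_JSON_KEY = {
    "AccessSubject": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
    "Resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    "Action": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
    "Environment": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
}
# Constructed, cut-down copy of the question's policy: only the designators the check reads
POLICY = f"""<Policy xmlns="{XACML_NS}" PolicyId="InStorePolicy" Version="1.0"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 <Target><AnyOf><AllOf><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  <AttributeValue DataType="{XS}">access</AttributeValue>
  <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
   Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="{XS}" MustBePresent="true"/>
 </Match></AllOf></AnyOf></Target>
 <Rule Effect="Permit" RuleId="Rule_for_employee"><Target><AnyOf><AllOf>
  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue DataType="{XS}">Employee</AttributeValue>
   <AttributeDesignator AttributeId="http://test.org/claim/role"
    Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="{XS}" MustBePresent="true"/>
 </Match></AllOf></AnyOf></Target></Rule></Policy>"""

# Constructed request mirroring the Tryit values in the question: a subject-id but no role claim
REQUEST = {"Request": {
    "AccessSubject": {"Attribute": [{"AttributeId": "urn:oasis:names:tc:xacml:1.0:subject:subject-id", "Value": "employee1"}]},
    "Resource": {"Attribute": [{"AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id", "Value": "/private/team"}]},
    "Action": {"Attribute": [{"AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id", "Value": "access"}]},
}}

def required_attributes(policy_xml):
    """(category, attribute_id) pairs the policy marks MustBePresent="true"."""
    root = ET.fromstring(policy_xml)
    return {(d.get("Category"), d.get("AttributeId"))
            for d in root.iter(f"{{{XACML_NS}}}AttributeDesignator")
            if d.get("MustBePresent", "false").lower() == "true"}

def present_attributes(request):
    """(category, attribute_id) pairs actually carried by a JSON-profile request."""
    return {(cat, a["AttributeId"])
            for key, cat in CATEGORY_BY_JSON_KEY.items()
            for a in request["Request"].get(key, {}).get("Attribute", [])}

def missing_attributes(policy_xml, request):
    """Required pairs the request lacks; any hit is why the PDP answers Indeterminate."""
    return sorted(required_attributes(policy_xml) - present_attributes(request))
```

Calling `missing_attributes(POLICY, REQUEST)` returns the access-subject role designator, which is the attribute the PDP could not find; adding an `http://test.org/claim/role` attribute to the request (or dropping MustBePresent) clears it.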
