Memo

Reputation: 53

Evaluate XACML 3.0 combining algorithms

I am studying XACML 3.0 access control and I found this complex question about evaluating XACML 3.0 combining algorithms. I can solve a simple exercise, but this one is hard for me and I need some help with it.

policy p1:

  • op: permit-overrides

policy p2:

policy p3:

Evaluate for each policy the following requests q1, q2 and q3:

Upvotes: 3

Views: 447

Answers (2)

Jack Tran

Reputation: 21

The other answer is detailed and largely correct except for two cases involving a Rule's Target missing an attribute for which MustBePresent is set to true.

Only those cases will be addressed here in this answer.

policy p2 - request q3

  • rule: deny if match all: time [MBP] = night -> Indeterminate{D} because of missing time attribute and MustBePresent = true and the rule effect is Deny
  • rule: permit if match all: time [MBP] = day -> Indeterminate{P} because of the similar reason
  • op:denyOverrides -> Indeterminate{DP}

The evaluation result is Indeterminate{DP}

policyset p3 - request q3:

  • policy p1
    • rule: permit if match all: group = staff, resource = file1 -> Permit
    • op:permitOverrides -> Permit regardless of the outcome of any other rules
  • policy p2 -> Indeterminate{DP} as explained in the previous case
  • op:denyOverrides -> Indeterminate{DP}

The evaluation result is Indeterminate{DP}

References

The XACML 3.0 specification contains all the details necessary for your understanding:

  • For the attribute retrieval and MustBePresent flag refer to section 7.3.5

  • For the combining algorithms refer to Appendix C

Upvotes: 2

David Brossard

Reputation: 13832

Evaluation Results using P1 only

  • q1 = {(group, staff), (resource, file1), (time, day)}
    • Response: Permit. The first rule in P1 kicks in and the combining algorithm makes the process stop there. The time of day has no impact on the decision making.
  • q2 = {(group, student), (resource, file2), (time, night)}
    • Response: Permit. The second rule in P1 kicks in and the combining algorithm makes the process stop there. The time of day, again, has no impact on the decision making.
  • q3 = {(group, staff), (resource, file1)}
    • Response: Permit. This is essentially the same as q1.

Evaluation Results using P2 only

  • q1 = {(group, staff), (resource, file1), (time, day)}
    • Response: Permit because all access is permitted in day time. Rule 1 inside P2 does not apply. Rule 2 grants access.
  • q2 = {(group, student), (resource, file2), (time, night)}
    • Response: Deny because all access is denied at nighttime. Rule 1 inside P2 applies. The combining algorithm is such that the processing stops after rule 1.
  • q3 = {(group, staff), (resource, file1)}
    • Response: Not applicable. The two rules only trigger if the time of day has been specified, which isn't the case in this request. Therefore the evaluation ends in NotApplicable.

Evaluation Results using P3 (a combination of P1 and P2)

  • q1 = {(group, staff), (resource, file1), (time, day)}
    • Response: Access is permitted because staff is allowed to view file1 in daytime.
  • q2 = {(group, student), (resource, file2), (time, night)}
    • Response: Access is denied regardless of what the student is trying to view. In this case, the nighttime policy trumps all other policies because of the over-arching combining algorithm (deny-overrides) in P3.
  • q3 = {(group, staff), (resource, file1)}
    • Response: Access is permitted because staff is allowed to view file1 and no time has been specified.

Notes

The policy that grants access during daytime is not necessary. As a matter of fact, it might even open up access you would not want to have. For instance, given the current policy, a student can edit their own exam grades so long as it's daytime.

Upvotes: 2
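The evaluation traced in both answers can be replayed with a small simulator. The following is an added example, not code from the thread or from any XACML engine: it implements rule target matching with the MustBePresent flag (section 7.3.5 of the specification) and the deny-overrides and permit-overrides algorithms in exactly the order Appendix C gives, so it reproduces the Indeterminate{D}/{P}/{DP} propagation the first answer describes for q3. Assumptions: p1's second rule (permit for group = student, resource = file2) is inferred from the q2 result and is not shown in the question; every policy and policy-set target is empty (applies to all requests); request attributes are plain strings.

```python
"""Simulate XACML 3.0 rule evaluation and the deny-overrides / permit-overrides
combining algorithms (Appendix C), including the Indeterminate{D}/{P}/{DP}
values produced when a MustBePresent attribute is absent (section 7.3.5).
Added example; policies are reconstructed from the thread, see comments."""
from enum import Enum


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE_P = "Indeterminate{P}"
    INDETERMINATE_D = "Indeterminate{D}"
    INDETERMINATE_DP = "Indeterminate{DP}"


class Rule:
    """A rule whose target is a list of (attribute, expected value, MustBePresent)."""

    def __init__(self, effect, matches):
        self.effect = effect      # Decision.PERMIT or Decision.DENY
        self.matches = matches    # all matches must hold ("match all")

    def evaluate(self, request):
        for attr, expected, must_be_present in self.matches:
            if attr not in request:
                if must_be_present:
                    # 7.3.5: a missing MustBePresent attribute is an error, so the
                    # target is Indeterminate and the rule reports its own effect.
                    return (Decision.INDETERMINATE_D if self.effect is Decision.DENY
                            else Decision.INDETERMINATE_P)
                return Decision.NOT_APPLICABLE  # optional attribute absent: no match
            if request[attr] != expected:
                return Decision.NOT_APPLICABLE
        return self.effect


def deny_overrides(decisions):
    """Appendix C.2 deny-overrides, checks applied in the specification's order."""
    s = set(decisions)
    if Decision.DENY in s:
        return Decision.DENY
    if Decision.INDETERMINATE_DP in s:
        return Decision.INDETERMINATE_DP
    if Decision.INDETERMINATE_D in s and (Decision.INDETERMINATE_P in s or Decision.PERMIT in s):
        return Decision.INDETERMINATE_DP
    if Decision.INDETERMINATE_D in s:
        return Decision.INDETERMINATE_D
    if Decision.PERMIT in s:
        return Decision.PERMIT
    if Decision.INDETERMINATE_P in s:
        return Decision.INDETERMINATE_P
    return Decision.NOT_APPLICABLE


def permit_overrides(decisions):
    """Appendix C.3 permit-overrides, the mirror image of deny-overrides."""
    s = set(decisions)
    if Decision.PERMIT in s:
        return Decision.PERMIT
    if Decision.INDETERMINATE_DP in s:
        return Decision.INDETERMINATE_DP
    if Decision.INDETERMINATE_P in s and (Decision.INDETERMINATE_D in s or Decision.DENY in s):
        return Decision.INDETERMINATE_DP
    if Decision.INDETERMINATE_P in s:
        return Decision.INDETERMINATE_P
    if Decision.DENY in s:
        return Decision.DENY
    if Decision.INDETERMINATE_D in s:
        return Decision.INDETERMINATE_D
    return Decision.NOT_APPLICABLE


class Policy:
    """A policy (children are rules) or a policy set (children are policies).
    Targets are assumed empty, so every child is evaluated for every request."""

    def __init__(self, name, algorithm, children):
        self.name, self.algorithm, self.children = name, algorithm, children

    def evaluate(self, request):
        return self.algorithm([child.evaluate(request) for child in self.children])


# p1's first rule is quoted in the thread; its second rule is an assumption
# inferred from q2 (student, file2) being permitted by p1.
P1 = Policy("p1", permit_overrides, [
    Rule(Decision.PERMIT, [("group", "staff", False), ("resource", "file1", False)]),
    Rule(Decision.PERMIT, [("group", "student", False), ("resource", "file2", False)]),
])
P2 = Policy("p2", deny_overrides, [
    Rule(Decision.DENY, [("time", "night", True)]),    # [MBP]: MustBePresent = true
    Rule(Decision.PERMIT, [("time", "day", True)]),
])
P3 = Policy("p3", deny_overrides, [P1, P2])

REQUESTS = {  # the three requests from the question
    "q1": {"group": "staff", "resource": "file1", "time": "day"},
    "q2": {"group": "student", "resource": "file2", "time": "night"},
    "q3": {"group": "staff", "resource": "file1"},
}


def evaluate_all():
    """Return {policy name: {request name: decision string}} for every pair."""
    return {p.name: {q: p.evaluate(r).value for q, r in REQUESTS.items()}
            for p in (P1, P2, P3)}


if __name__ == "__main__":
    for policy, results in evaluate_all().items():
        for q, decision in results.items():
            print(f"{policy} / {q}: {decision}")
```

Running it prints the nine decisions; q1 and q2 agree with both answers, while p2/q3 and p3/q3 come out Indeterminate{DP} rather than NotApplicable and Permit, because a missing MustBePresent attribute is an evaluation error that the combining algorithms propagate, not a mere non-match. Dropping the `True` flags on the time matches turns those two results into NotApplicable and Permit, which is a quick way to see how much the flag changes the outcome of a policy.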
