Davide Vitali

Reputation: 1035

Understanding how XACML 3.0 attribute values are evaluated against a rule

I'm learning XACML 3.0 by reading the OASIS Standard document, 22 January 2013 version.

The first example policy (section 4.1.1) is quite simple and easy to understand: a Name-match function on the request's subject-id attribute (in form of a RFC822 name) must be performed: if the name submitted matches the value of the rule's AttributeValue attribute, the PDP evaluates to Permit.

<?xml version="1.0" encoding="UTF-8"?>
<Policy 
    xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd"
    PolicyId="urn:oasis:names:tc:xacml:3.0:example:SimplePolicy1" 
    Version="1.0"
    RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
    <Description>
        Medi Corp access control policy
    </Description>
    <Target/>
    <Rule 
        RuleId="urn:oasis:names:tc:xacml:3.0:example:SimpleRule1"
        Effect="Permit">
        <Description>
            Any subject with an e-mail name in the med.example.com domain 
            can perform any action on any resource. 
        </Description>
        <Target>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
                            med.example.com
                        </AttributeValue>
                        <AttributeDesignator 
                            MustBePresent="false"
                            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                            AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                            DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
                    </Match>
                </AllOf>
            </AnyOf>
        </Target>
    </Rule>
</Policy>

The document then proceeds to show a hypothetical decision request (properly formatted as a request context) submitted to the PDP. This is also quite simple: a subject whose subject-id is [email protected] is trying a read action on a filesystem resource:

<?xml version="1.0" encoding="UTF-8"?>
<Request 
    xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd"
    ReturnPolicyIdList="false">
    <Attributes 
        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <Attribute
            IncludeInResult="false"
            AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
            <AttributeValue DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
                [email protected]
            </AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes
        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
        <Attribute 
            IncludeInResult="false"
            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">
                file://example/med/record/patient/BartSimpson
            </AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes
        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
        <Attribute
            IncludeInResult="false"
            AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
                read
            </AttributeValue>
        </Attribute>
    </Attributes>
</Request>

Now, here comes the part that I don't understand: the document says (row numbers 805 to 807):

The PDP now compares the attributes in the request context with the target of the one rule in this policy. The requested resource matches the <Target> element and the requested action matches the <Target> element, but the requesting subject-id attribute does not match "med.example.com".

OK, the subject-id is not matching, but how are the resource and action exactly matching if they're not specified within the rule? Maybe their absence is somehow discarded and does not apply to the target, but the document says that they match, and this is a standard document and the exact meaning of each word is of utmost importance. I'm not finding anything about it and this - to me - is a big deal as I'm trying to build my own XACML 3.0-compliant system as a side project.

What am I missing?

Thanks!

Upvotes: 0

Views: 85
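The Target semantics the question asks about, as an added example (not the question's XML nor OASIS code): a minimal evaluator of SimpleRule1's `<Target>` that follows the core spec's all-over-AnyOf, any-over-AllOf, all-over-Match rule, so a category no `<Match>` designates is simply never tested. It assumes the request context reduced to a `{(Category, AttributeId): [values]}` dict, only the rfc822Name-match function wired up, and constructed sample e-mail addresses.

```python
import xml.etree.ElementTree as ET

# Added example (not OASIS code): <Target> evaluation per XACML 3.0 core spec, section 7.7.
# A category that no <Match> designates is never tested, so resource and action "match" here.
XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
URN = "urn:oasis:names:tc:xacml:"
SUBJECT = (URN + "1.0:subject-category:access-subject", URN + "1.0:subject:subject-id")
RESOURCE = (URN + "3.0:attribute-category:resource", URN + "1.0:resource:resource-id")
ACTION = (URN + "3.0:attribute-category:action", URN + "1.0:action:action-id")
RFC822_MATCH = URN + "1.0:function:rfc822Name-match"

def rfc822name_match(pattern, name):
    """rfc822Name-match (spec A.3.14): local part case-sensitive, domain part not."""
    local, _, domain = name.partition("@")
    if "@" in pattern:                        # complete address
        plocal, _, pdomain = pattern.partition("@")
        return local == plocal and domain.lower() == pdomain.lower()
    if pattern.startswith("."):               # ".example.com": any sub-domain of it
        return domain.lower().endswith(pattern.lower())
    return domain.lower() == pattern.lower()  # "example.com": exactly that domain

def match_is_true(m, request):
    """<Match> is true if the function holds for ANY value in the designated bag; an empty
    bag (MustBePresent="false") gives False. `request` is {(Category, AttributeId): [values]}."""
    literal = m.find("x:AttributeValue", NS).text.strip()
    d = m.find("x:AttributeDesignator", NS)
    bag = request.get((d.get("Category"), d.get("AttributeId")), [])
    return m.get("MatchId") == RFC822_MATCH and any(rfc822name_match(literal, v) for v in bag)

def target_matches(target, request):
    """all() over AnyOf, any() over AllOf, all() over Match; an empty <Target/> is all([]) == True."""
    return all(any(all(match_is_true(m, request) for m in allof.findall("x:Match", NS))
                   for allof in anyof.findall("x:AllOf", NS))
               for anyof in target.findall("x:AnyOf", NS))

# SimpleRule1's <Target> from the question, compacted into one string.
RULE_TARGET = ET.fromstring(
    '<Target xmlns="%s"><AnyOf><AllOf><Match MatchId="%s">'
    '<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">med.example.com'
    '</AttributeValue><AttributeDesignator MustBePresent="false" Category="%s" AttributeId="%s" '
    'DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/></Match></AllOf></AnyOf></Target>'
    % ((XACML, RFC822_MATCH) + SUBJECT))

def decide_for_subject(email):
    """Effect of SimpleRule1 for `email` reading a patient record (constructed sample values)."""
    request = {SUBJECT: [email], ACTION: ["read"],
               RESOURCE: ["file://example/med/record/patient/BartSimpson"]}
    return "Permit" if target_matches(RULE_TARGET, request) else "NotApplicable"
```

The resource and action values never reach a function call, which is the sense in which the spec says they "match": the only bag the Target constrains is the subject-id, and that one fails rfc822Name-match.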

Answers (0)
