Reputation: 62185
If I define a XACML policy and provide some attributes in the policy target, do I actually need to provide an additional rule?
Upvotes: 4
Views: 211
Reputation: 90
You need to think about the flow of logic for the policy. By defining target attributes, you are telling it what to affect, but not how. Even if you define actions in the policy target using ActionMatch, what you really did was target the Rule at Actions with a specific ActionID.
In other words, actions defined in the target of a policy identify action-related entities by matching attribute values. This still misses the mandatory Rule, which will contain action logic.
Upvotes: 0
Reputation: 13834
From a schema validation perspective, you could have a policy with no rules, but as Craig points out, the rule is what carries the decision. So a rule-less policy is pointless.
Upvotes: 2
Reputation: 2669
Yup, you need a Rule to actually say whether you want to Permit or Deny access.
Upvotes: 4
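To make the point of the answers above concrete, here is an added example (not code from any of the posts, and not a real PDP) that evaluates the same XACML 3.0 policy with and without a Rule. It is a simplified sketch: only `string-equal` matches are handled, conditions are not modelled, and the policy and rule identifiers are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Constructed sample policy: the Target matches action-id == "read"; {rules} is filled in below.
POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
  PolicyId="example:read-policy" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target><AnyOf><AllOf>
    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
      <AttributeDesignator MustBePresent="false"
        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
        AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
        DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </Match>
  </AllOf></AnyOf></Target>
  {rules}
</Policy>"""

def target_matches(target, request):
    """Simplified: each AnyOf needs one AllOf whose string-equal Matches all hold."""
    if target is None:  # a Rule may omit its Target; it then applies whenever the policy does
        return True
    def match(m):
        want = m.find("x:AttributeValue", NS).text
        attr = m.find("x:AttributeDesignator", NS).get("AttributeId")
        return request.get(attr) == want
    return all(any(all(match(m) for m in allof.findall("x:Match", NS))
                   for allof in anyof.findall("x:AllOf", NS))
               for anyof in target.findall("x:AnyOf", NS))

def evaluate(policy_xml, request):
    """Deny-overrides over the policy's rules; the Target only selects, Rules decide."""
    policy = ET.fromstring(policy_xml)
    if not target_matches(policy.find("x:Target", NS), request):
        return "NotApplicable"
    effects = {r.get("Effect") for r in policy.findall("x:Rule", NS)
               if target_matches(r.find("x:Target", NS), request)}
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

RULELESS = POLICY.format(rules="")
WITH_RULE = POLICY.format(rules='<Rule RuleId="example:permit-read" Effect="Permit"/>')

if __name__ == "__main__":
    for label, p in (("no rule", RULELESS), ("with rule", WITH_RULE)):
        print(label, "->", evaluate(p, {ACTION_ID: "read"}))
```

With a matching Target and no Rule, the result is NotApplicable, the same as if the policy did not exist, so the outcome falls to whatever default the enforcement point applies. The sketch models deny-overrides only; the XACML 3.0 deny-unless-permit and permit-unless-deny algorithms return a fixed Deny or Permit even when there are no rules to combine.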