Saurabh Kulkarni

Reputation: 79

How do I get the number of attributes matched and the total attributes checked from an XACML policy in ABAC?

I am a beginner in XACML and ABAC. I wrote a policy in XACML, which I deployed in the AuthzForce local server, and it works as expected with my test request in Postman. However, now I want to modify my policy not just to return permit or deny but also to return the total number of attributes matched and the total number of attributes checked, e.g. if two attributes matched out of 3, I should get the numbers '2' and '3' somewhere in the response, along with permit or deny (the actual result is not important). Is there a way to change the policy below:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet
    xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicySetId="root"
    Version="0.1.37"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
  <Description>PolicySet for XACML model</Description>

  <Target />

  <Policy
      PolicyId="EngineeringAppAccessPolicy"
      Version="1.0"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">

    <Description>Policy for controlling access to EngineeringApp by verifying attributes</Description>

    <!-- Target specifies this policy applies to the resource "EngineeringApp" -->
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue
                DataType="http://www.w3.org/2001/XMLSchema#string">EngineeringApp</AttributeValue>
            <AttributeDesignator
                Category="urn:oasis:names:tc:xacml:3.0:resource-category:resource"
                AttributeId="urn:oasis:names:tc:xacml:1.0:resource:id"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                MustBePresent="true" />
          </Match>
        </AllOf>
      </AnyOf>
    </Target>

    <!-- Rule specifies conditions for access -->
    <Rule RuleId="AttributeBasedAccessRule" Effect="Permit">
      <Description>Permit access to EngineeringApp if user role is Engineer and action is access</Description>

      <Target>
        <AnyOf>
          <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue
                  DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
              <AttributeDesignator
                  Category="urn:oasis:names:tc:xacml:3.0:action-category:action"
                  AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                  DataType="http://www.w3.org/2001/XMLSchema#string"
                  MustBePresent="true" />
            </Match>
          </AllOf>
        </AnyOf>
      </Target>

      <!-- Condition verifies the user role -->
      <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
          <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal" />
          <AttributeValue
              DataType="http://www.w3.org/2001/XMLSchema#string">Engineer</AttributeValue>
          <AttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role"
              DataType="http://www.w3.org/2001/XMLSchema#string"
              MustBePresent="true"
              Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />
        </Apply>
      </Condition>
    </Rule>

  </Policy>
</PolicySet>

My current test request:

<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" ReturnPolicyIdList="true" CombinedDecision="false">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Engineer</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:resource-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">EngineeringApp</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:action-category:action">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
    </Attribute>
  </Attributes>
</Request>

Upvotes: 1

Views: 26

Answers (1)

David Brossard

Reputation: 13834

I don't believe you can do that automatically, unfortunately. You could try to do a sum of the bag size of each attribute but then that would assume you know which attributes you want to consider beforehand which isn't the same as what you're looking for.

PS: use ALFA; it's easier to write policies and avoid XML syntax mistakes.

PS2: it's worth asking the XACML TC on their mailing list.

Upvotes: 0
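Since the PDP will not report these counts, one place to compute them is the PEP, from the policy and the request it already has. The Python below is an added example, not code from the question, the answer or AuthzForce: it extracts every string-equal comparison from a policy of the question's shape (Match elements in Targets, any-of/string-equal Apply elements in Conditions) and counts how many the request satisfies. The policy and request are constructed inline to mirror the question's; `attribute_checks`, `request_xml` and `count_matches` are names chosen here.

```python
import xml.etree.ElementTree as ET
NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STR = "http://www.w3.org/2001/XMLSchema#string"
EQ = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
SUBJ = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RES = "urn:oasis:names:tc:xacml:3.0:resource-category:resource"
ACT = "urn:oasis:names:tc:xacml:3.0:action-category:action"
ROLE = "urn:oasis:names:tc:xacml:1.0:subject:subject-role"
RID, AID = "urn:oasis:names:tc:xacml:1.0:resource:id", "urn:oasis:names:tc:xacml:1.0:action:action-id"
desig = lambda cat, aid: f'<AttributeDesignator Category="{cat}" AttributeId="{aid}" DataType="{STR}" MustBePresent="true"/>'

# Constructed policy with the question's three checks: two string-equal Matches (resource id, action id) and one any-of Condition (role).
POLICY = f'''<Policy xmlns="{NS}" PolicyId="EngineeringAppAccessPolicy" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Target><AnyOf><AllOf><Match MatchId="{EQ}"><AttributeValue DataType="{STR}">EngineeringApp</AttributeValue>
    {desig(RES, RID)}</Match></AllOf></AnyOf></Target>
  <Rule RuleId="AttributeBasedAccessRule" Effect="Permit">
    <Target><AnyOf><AllOf><Match MatchId="{EQ}"><AttributeValue DataType="{STR}">access</AttributeValue>
      {desig(ACT, AID)}</Match></AllOf></AnyOf></Target>
    <Condition><Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of"><Function FunctionId="{EQ}"/>
      <AttributeValue DataType="{STR}">Engineer</AttributeValue>{desig(SUBJ, ROLE)}</Apply></Condition>
  </Rule></Policy>'''

def request_xml(role, resource="EngineeringApp", action="access"):
    """Constructed request in the shape of the question's Postman request."""
    attrs = lambda cat, aid, val: (f'<Attributes Category="{cat}"><Attribute AttributeId="{aid}">'
                                   f'<AttributeValue DataType="{STR}">{val}</AttributeValue></Attribute></Attributes>')
    return f'<Request xmlns="{NS}">{attrs(SUBJ, ROLE, role)}{attrs(RES, RID, resource)}{attrs(ACT, AID, action)}</Request>'

def attribute_checks(policy):
    """[(category, attribute id, expected value)] for each Match or any-of Apply that compares one literal with one designator."""
    checks = []
    for node in ET.fromstring(policy).iter():
        kids = {c.tag.split("}")[-1]: c for c in node}  # direct children by local name
        if node.tag.split("}")[-1] in ("Match", "Apply") and "AttributeValue" in kids and "AttributeDesignator" in kids:
            d = kids["AttributeDesignator"]
            checks.append((d.get("Category"), d.get("AttributeId"), kids["AttributeValue"].text))
    return checks

def count_matches(policy, request):
    """(matched, checked): how many of the policy's comparisons the request satisfies."""
    supplied = {}  # (category, attribute id) -> set of values present in the request
    for attrs in ET.fromstring(request).findall(f"{{{NS}}}Attributes"):
        for attr in attrs.findall(f"{{{NS}}}Attribute"):
            key = (attrs.get("Category"), attr.get("AttributeId"))
            supplied.setdefault(key, set()).update(v.text for v in attr.findall(f"{{{NS}}}AttributeValue"))
    checks = attribute_checks(policy)
    matched = sum(1 for cat, aid, val in checks if val in supplied.get((cat, aid), ()))
    return matched, len(checks)
```

The counts are diagnostic only; the PDP's Permit/Deny remains the authorization result, and a request with role "Intern" scores (2, 3) against this policy while still being denied.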
