Compare attributes inside a XACML policy

Question

I'm developing an XACML policy and I'm using a sun.xacml library. i want to compare two attributes: one for the subject and one for the resource for permit the access on the resources.

I have generated this XACML file

<?xml version="1.0"?>
<Policy PolicyId="GeneratedPolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <Description>Policy che permette la lettura del file ai client che hanno un livello di permesso maggiore o uguale al livello di permesso del file richiesto</Description>
  <Target>
<Subjects>
  <AnySubject/>
</Subjects>
<Resources>
  <AnyResource/>
</Resources>
<Actions>
  <Action>
 <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
   <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
 </ActionMatch>
  </Action>
</Actions>
  </Target>
  <Rule RuleId="canRead" Effect="Permit">
<Target>
  <Subjects>
 <AnySubject/>
  </Subjects>
  <Resources>
 <AnyResource/>
  </Resources>
  <Actions>
 <Action>
   <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
  <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
   </ActionMatch>
 </Action>
  </Actions>
</Target>
<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-greater-than-or-equal">
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
 <SubjectAttributeDesignator AttributeId="level-permission" DataType="http://www.w3.org/2001/XMLSchema#string"/>
  </Apply>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">4</AttributeValue>
</Condition>
  </Rule>
  <Rule RuleId="FinalRule" Effect="Deny"/>
</Policy>

The problem is that a resource have a level-permission and i want to compare subject's level-permission and resource's level-permission but i don't know how do it.

thanks a lot

Answer 1

You are almost there. Whenever you need to compare 2 attributes together e.g. user-clearance and resource-classification, you need to use a XACML Condition. You did try to do that in your example but you compared the attribute to a static value.

Here is a simple example in ALFA (Axiomatics Language for Authorization).

policy documentAccess{
    apply firstApplicable
    rule allowAccessIfClearanceSufficient{
        condition user.clearance>document.classification
        permit
    }
}

I define my attributes as follows:

    attribute classification{
        category = resourceCat
        id = "document.classification"
        type = integer
    }

and

    attribute clearance{
        category = subjectCat
        id = "user.clearance"
        type = integer
    }

Note that I use an integer here instead of string. It's more efficient and safer.

The output in XACML 3.0 is the following:

<?xml version="1.0" encoding="UTF-8"?>
 <!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). 
 Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://axiomatics.com/alfa/identifier/example.documentAccess"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
    <xacml3:Description />
    <xacml3:PolicyDefaults>
        <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target />
    <xacml3:Rule 
            Effect="Permit"
            RuleId="http://axiomatics.com/alfa/identifier/example.documentAccess.allowAccessIfClearanceSufficient">
        <xacml3:Description />
        <xacml3:Target />
        <xacml3:Condition>
            <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
                <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-greater-than"/>
                <xacml3:AttributeDesignator 
                    AttributeId="user.clearance"
                    DataType="http://www.w3.org/2001/XMLSchema#string"
                    Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                    MustBePresent="false"
                />
                <xacml3:AttributeDesignator 
                    AttributeId="document.classification"
                    DataType="http://www.w3.org/2001/XMLSchema#string"
                    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                    MustBePresent="false"
                />
            </xacml3:Apply>
        </xacml3:Condition>
    </xacml3:Rule>
</xacml3:Policy>