Compare two multi-element attributes in XACML policy

Question

Consider a subject and object both having a label defined as follows:

subject/object label = [i1, i2, ..., in], where i is some subjectId of another subject.

In a policy (ALFA/XACML), how can I perform a comparison against the subject and object label such that no elements in either list are the same.

For example:

subject_label = [i2, i4, i9]
object_label  = [i1, i3, i7, i9]

The resulting decision would be DENY as both labels contain i9. If no match was found in any list, then the access result would be PERMIT.

Answer 1

What you are looking to use is stringAtLeastOneMemberOf (or equivalent for other datatypes). This function takes in 2 parameters:

• a bag of type string
• a bag of type string

It returns true if there is at least one value in the first bag equal to one value in the second bag. For strings, the comparison is case-sensitive.

namespace com.axiomatics{
    /**
     * Ths policy will checks the contents of the user label and the the resource label.
     * It will deny access if there is at least one value in the user label equal to at least
     * one value in the resource label.
     */
    policy denyIfSameContent{
        apply firstApplicable
        /**
         * This rule will deny access is user.label contains at least 1 value that is also present
         * in object.label 
         */
        rule denyIfSameContent{
            deny
            condition stringAtLeastOneMemberOf(user.label, object.label)
        }
    }
}

And here is the XACML/XML representation:

<?xml version="1.0" encoding="UTF-8"?><!--This file was generated by the 
    ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). --><!--Any modification to this file will 
    be lost upon recompilation of the source ALFA file -->
<xacml3:Policy
    xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.denyIfSameContent"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
    <xacml3:Description>Ths policy will checks the contents of the user
        label and the the resource label.&#13;
        It will deny access if there is at least one value in the user label
        equal to at least&#13;
        one value in the resource label.
    </xacml3:Description>
    <xacml3:PolicyDefaults>
        <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
        </xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target />
    <xacml3:Rule Effect="Deny"
        RuleId="com.axiomatics.denyIfSameContent.denyIfSameContent">
        <xacml3:Description>This rule will deny access is user.label contains
            at least 1 value that is also present&#13;
            in object.label
        </xacml3:Description>
        <xacml3:Target />
        <xacml3:Condition>
            <xacml3:Apply
                FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <xacml3:AttributeDesignator
                    AttributeId="com.axiomatics.user.label"
                    Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                    DataType="http://www.w3.org/2001/XMLSchema#string"
                    MustBePresent="false" />
                <xacml3:AttributeDesignator
                    AttributeId="com.axiomatics.object.label"
                    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                    DataType="http://www.w3.org/2001/XMLSchema#string"
                    MustBePresent="false" />
            </xacml3:Apply>
        </xacml3:Condition>
    </xacml3:Rule>
</xacml3:Policy>