TechQA.

Comparing specific custom-defined attribute of user

126 views Asked by At

For an XACML policy document I had in mind, I have a subject (user) and an object, each attached with a label. Let's call this myLabel = {[a,b,c], [1,2,3]}. I wish to do a comparison of parts of this label.

How can I define a subject and object to contain this label in the access request and policy to formulate a decision to compare this?

I wish to use XML rather than JSON or ALFA to declare the above.

xml xacml xacml3 pdp
Original Q&A
1

There are 1 answers

3
David Brossard On

XACML (and ALFA) comes with a set of clearly defined data types and functions. For instance XACML defines the following datatypes:

  • string
  • integer
  • boolean
  • date...

There are 18 or so datatypes out-of-the-box.

To work on those datatypes, XACML defines hundreds of functions such as:

  • string-equal
  • string-greater-than
  • integer-equal
  • ...

Attributes in XACML (e.g. label or role or department) must have a datatype. Attributes can be multi-valued. In other words, role = ["manager"] or role = ["manager", "employee", "janitor"]. Both are perfectly valid.

In your case, you are referring to a value structured as follows: {[a,b,c],[1,2,3]}. This is not a standard datatype. It's a complex object and as such would require further processing (in a PEP? in a PIP?). How were you thinking of passing it to the PDP?

Let's assume we have simple values e.g. label = '2'. To compare a user's label to a resource's label and grant access if they are equal, you would write the following:

ALFA

    /**
     * Control access based on labels
     */
    policy labelAccessControl{
        apply firstApplicable
        rule allowIfSameLabel{
            permit
            condition user.label == object.label
        }

    }

XACML XML equivalent

<?xml version="1.0" encoding="UTF-8"?><!--This file was generated by the 
    ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). --><!--Any modification to this file will 
    be lost upon recompilation of the source ALFA file -->
<xacml3:Policy
    xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.labelAccessControl"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
    <xacml3:Description>Control access based on labels</xacml3:Description>
    <xacml3:PolicyDefaults>
        <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
        </xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target />
    <xacml3:Rule Effect="Permit"
        RuleId="com.axiomatics.labelAccessControl.allowIfSameLabel">
        <xacml3:Description />
        <xacml3:Target />
        <xacml3:Condition>
            <xacml3:Apply
                FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of-any">
                <xacml3:Function
                    FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal" />
                <xacml3:AttributeDesignator
                    AttributeId="com.axiomatics.user.label"
                    Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                    DataType="http://www.w3.org/2001/XMLSchema#string"
                    MustBePresent="false" />
                <xacml3:AttributeDesignator
                    AttributeId="com.axiomatics.object.label"
                    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                    DataType="http://www.w3.org/2001/XMLSchema#string"
                    MustBePresent="false" />
            </xacml3:Apply>
        </xacml3:Condition>
    </xacml3:Rule>
</xacml3:Policy>

Related Questions in XML

Related Questions in XACML

Related Questions in XACML3

Related Questions in PDP

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Trending Questions