Correct approach to use XACML at granular level


I am working on a Project where we want to centralize our access control.

I am just not able to understand how to use granularity in access control when we have a case like:

Physician can access only those patients who are assigned to him.

Now, we can have many use cases like this and also some dynamic cases where, let's say:

A patient's details are not visible to the account department, but the physician changes the state of the patient and makes him available to the account department.

Then how do we handle this kind of dynamic, random change?

1 answer


Introduce a condition in the specific rule:

<Policy PolicyId="deny-apia" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        xmlns="urn:oasis:names:tc:xacml:1.0:policy" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Description>...</Description>
    <Target/>
    <Rule RuleId="1" Effect="Permit">
        <Target>
            <Subjects>
                ...
            </Subjects>
            <Resources>
                ...
            </Resources>
            <Actions>
                ...
            </Actions>
            <Environment>
                ...
            </Environment>
        </Target>
        <Condition>
            <!-- the condition must evaluate to a boolean; string-equal compares two string arguments -->
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">

            </Apply>
        </Condition>
    </Rule>
    <!-- fall-through rule: anything the Permit rule did not match is denied -->
    <Rule RuleId="DenyAllThatDidNotMatchPreviousRules" Effect="Deny"/>
</Policy>
  1. If the Physician changes the state by uploading a consent, the rule will be applicable and the Patient details can be viewed by the department.
  2. If the consent has not been given, the Rule is not applicable and access to the Patient details is denied to the members of the department.
  3. If the consent is revoked by the Healthcare provider, the access by the Account Department will be revoked as well, as the rule is not applicable anymore.

Another example of a Condition in XACML resides here:

  <Policy PolicyId="SamplePolicy"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">

    <!-- This Policy only applies to requests on the SampleServer -->
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Resources>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SampleServer</AttributeValue>
          <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                       AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
        </ResourceMatch>
      </Resources>
      <Actions>
        <AnyAction/>
      </Actions>
    </Target>

    <!-- Rule to see if we should allow the Subject to login -->
    <Rule RuleId="LoginRule" Effect="Permit">

      <!-- Only use this Rule if the action is login -->
      <Target>
        <Subjects>
          <AnySubject/>
        </Subjects>
        <Resources>
          <AnyResource/>
        </Resources>
        <Actions>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">login</AttributeValue>
            <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                       AttributeId="ServerAction"/>
          </ActionMatch>
        </Actions>
      </Target>

      <!-- Only allow logins from 9am to 5pm -->
      <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
            <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#time"
                                            AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/>
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</AttributeValue>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
            <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#time"
                                            AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/>
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue>
        </Apply>
      </Condition>

    </Rule>

    <!-- We could include other Rules for different actions here -->

    <!-- A final, "fall-through" Rule that always Denies -->
    <Rule RuleId="FinalRule" Effect="Deny"/>

  </Policy>

Note: add a deny rule at the end of the XACML file that denies everything that did not match one of the rules.
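To make the question's two cases concrete, here is an added XACML 2.0 policy (my example, not code from the original answer) that assumes hypothetical attribute ids `urn:example:attributes:role`, `urn:example:attributes:assigned-physician` and `urn:example:attributes:accounting-consent`, the last two fetched from the patient record by a PIP at decision time:

```xml
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="patient-record-access"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/>
  <!-- Rule 1: a physician may access a record only when the record's
       assigned-physician attribute (hypothetical id) equals the caller's subject-id -->
  <Rule RuleId="physician-assigned-patient" Effect="Permit">
    <Target>
      <Subjects><Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">physician</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:example:attributes:role"
                                      DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </SubjectMatch>
      </Subject></Subjects>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                      DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <ResourceAttributeDesignator AttributeId="urn:example:attributes:assigned-physician"
                                       DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <!-- Rule 2: the account department may access the record only while the
       consent flag (hypothetical id) set by the physician is true -->
  <Rule RuleId="accounting-with-consent" Effect="Permit">
    <Target>
      <Subjects><Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">accounting</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:example:attributes:role"
                                      DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </SubjectMatch>
      </Subject></Subjects>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only">
        <ResourceAttributeDesignator AttributeId="urn:example:attributes:accounting-consent"
                                     DataType="http://www.w3.org/2001/XMLSchema#boolean"/>
      </Apply>
    </Condition>
  </Rule>
  <!-- Rule 3: fall-through, everything not permitted above is denied -->
  <Rule RuleId="deny-everything-else" Effect="Deny"/>
</Policy>
```

Because the assignment and consent values are resource attributes resolved per request, flipping them in the patient record changes the decision immediately with no policy edit. Note that if the PIP cannot supply one of these attributes, `string-one-and-only`/`boolean-one-and-only` evaluate to Indeterminate and first-applicable propagates that rather than falling through to Deny, so the PEP must treat Indeterminate as a denial.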