How to do logical AND for Rule combining for XACML

139 views Asked by At

My scenario is I have a Policy with several rules and all the rules need to be true for the policy to be true. For example:

Policy A
       - Rule 1
       - Rule 2
       - Rule 3

For Policy A to be applicable, i need all three Rules to return true, and if even one of them return false, It should go check the other policies in my policyset

What i have right now is

<!-- shortened for brevity -->
<Policy RuleCombiningAlgId="...:deny-overrides">
         <Rule id="1" Effect="Permit">
                ...
         </Rule>
         <Rule id="2" Effect="Permit">
                ...
         </Rule>
         <Rule id="3" Effect="Permit">
                ...
         </Rule>
</Policy>

I think my problem is that the none of my rules return "Deny" but i initially thought that if it's not permit, it should be deny. I thought of putting a not on all of my rules but that would make it inelegant.

If it's relevant, I am using the Authzforce library.

1

There are 1 answers

1
cdan On BEST ANSWER

all the rules need to be true for the policy to be true

In terms of XACML, I guess you mean: Policy must return Permit if and only if all Rules inside return Permit. I can't think of any rule combining algorithm in XACML standard that simply does that. So I suggest two options:

Option A: Wrap each Rule in a deny-unless-permit Policy, and use permit-unless-deny at the top-level (Policy A becomes PolicySet A).

    <?xml version="1.0" encoding="utf-8"?>
    <PolicySet PolicySetId="A" PolicyCombiningAlgId="...:permit-unless-deny">
         <Policy RuleCombiningAlgId="...:deny-unless-permit">
           <Rule id="1" Effect="Permit">
                ...
           </Rule>
         </Policy>
         <Policy RuleCombiningAlgId="...:deny-unless-permit">
           <Rule id="2" Effect="Permit">
                ...
           </Rule>
         </Policy>
         <Policy RuleCombiningAlgId="...:deny-unless-permit">
           <Rule id="3" Effect="Permit">
                ...
           </Rule>
         </Policy>
    </PolicySet>

In this case, PolicySet A returns Permit if and only if (iff) no Policy returns Deny (by definition of permit-unless-deny algorithm). Since each Policy returns Permit iff the Rule returns Permit, else Deny (by definition of deny-unless-permit algorithm), this is equivalent to: Policy A returns Permit iff all Policies return Permit, i.e. iff all Rules return Permit.

Option B: Implement a new Combining Algorithm extension for AuthzForce.