how to match XACML 3.0 request against policy stored in policy store

Question

Hi I just want to know how can I match XACML 3.0 Request from the PEP against the Policies stored in policy store using PDP. How I will evaluate particular request against the multiple policies stored in policy store.

Answer 1

XACML request is matched with the "Target" element of the policies that are stored in PDP policy store. Once target element is matched for policies, Those matched policies (applicable policies) are evaluated (rules of the policies) according to the policy order and results are combined according to the policy combining algorithm of the policy store. If PEP wants to know that; what PEP policies are matched for given XACML request, PEP can send the XACML request with "ReturnPolicyIdList" attribute as "true".

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="true">

Then XACML response would returns the matched policies in the XACML response.

Answer 2

In addition to Asela's answer, I'd like to add that a "policy store" is implementation-specific.

The way Asela describes it essentially means that the policy store acts a policy set with a combining algorithm and no target.

Answer 3

Adding my experience of using WSO2 Identity Server as a PDP

So you can add multiple policy files in IS. But you have to give ranking to each policy file.

So what i think is, those policies get validated in the order of ranking which we provide and for whichever policy the target element gets matched first get evaluated first.