Is there a standard or preferred way to use obligations and advice in XACML and ALFA?


I wrote some obligations and advice, but I was wondering if there is a widely accepted or formal way to do this properly. In other words: is there a standard or preferred way to use obligations and advice in ALFA?

I would really like to see an example of how to define an obligation (e.g. to log every request) and its content, in a layered policy, that will always be triggered (on every request) both on deny and on permit. Or do you have to define a separate obligation for every PolicySet, policy and rule?

Do you have to define the exact content of such an obligation, or does this depend on the functionality of the PEP?


There is 1 answer

5
David Brossard

This is a great question.

While the specification (all versions) does define the structure of an obligation, and even of advice in the case of XACML 3.0, the specification doesn't mention how the PEP (policy enforcement point) is to implement the obligation. All the specification mentions is what should happen if a PEP fails to implement an obligation, i.e. what happens to the decision.

From a PEP code perspective, a best practice would be to write an ObligationHandler interface which you can implement for different obligations. The constructor of the classes implementing the ObligationHandler interface would take the XACML request and response.

Example

// ALFA example: an obligation fired on Permit that tells the PEP to email a manager.
// The attribute declarations below are added as assumptions; the original snippet
// referenced user.clearance, document.classification and email without declaring them.
namespace user {
    attribute clearance { category = subjectCat id = "user.clearance" type = integer }
    attribute email { category = subjectCat id = "user.email" type = string }
}
namespace document {
    attribute classification { category = resourceCat id = "document.classification" type = integer }
}
namespace com.axiomatics.example {
    // Obligation identifier the PEP must recognise and be able to discharge
    obligation emailManager = "com.axiomatics.example.obligations.emailmanager"
    policy documentAccess {
        apply firstApplicable
        rule allowAccessIfClearanceSufficient {
            condition user.clearance > document.classification
            permit
            on permit {
                obligation emailManager {
                    // Attribute assignments returned to the PEP inside the XACML response
                    email = user.email
                    message = stringConcatenate("Employee ",
                                                stringOneAndOnly(Attributes.subjectId),
                                                " has obtained access to ",
                                                stringOneAndOnly(Attributes.resourceId))
                }
            }
        }
    }
}

Other resources:
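The PEP-side pattern the answer describes (an ObligationHandler per obligation id, constructed with the request and response), as an added example that is not part of the answer or of any Axiomatics product. It consumes a XACML 3.0 response in the JSON Profile format; the handler class names, the HANDLERS registry and the sample response are constructed for illustration, and the spec rule it enforces is that a PEP must deny unless it understands and can discharge every obligation.

```python
# Added example: minimal PEP obligation dispatcher for XACML 3.0 JSON Profile responses.
# ObligationHandler / EmailManagerHandler / HANDLERS are assumed names; SAMPLE_RESPONSE is constructed.
import json
from abc import ABC, abstractmethod


class ObligationHandler(ABC):
    """One handler per obligation id; constructed with the XACML request and result."""

    def __init__(self, request, result):
        self.request, self.result = request, result

    @abstractmethod
    def handle(self, assignments: dict) -> bool:
        """Discharge the obligation; return False if it could not be fulfilled."""


class EmailManagerHandler(ObligationHandler):
    sent = []  # constructed sink standing in for a mail gateway

    def handle(self, assignments):
        if not assignments.get("email"):
            return False  # no recipient: the obligation cannot be discharged
        self.sent.append((assignments["email"], assignments.get("message", "")))
        return True


HANDLERS = {"com.axiomatics.example.obligations.emailmanager": EmailManagerHandler}


def enforce(request: dict, response_json: str) -> str:
    """Return the decision the PEP may act on after discharging obligations.
    XACML 3.0 requires the PEP to deny unless it understands and can discharge
    every obligation in the result; advice may be ignored, so it is not checked."""
    result = json.loads(response_json)["Response"][0]
    for ob in result.get("Obligations", []):
        handler_cls = HANDLERS.get(ob["Id"])
        if handler_cls is None:
            return "Deny"  # unknown obligation id: the PEP cannot honour it
        assignments = {a["AttributeId"]: a["Value"] for a in ob.get("AttributeAssignment", [])}
        if not handler_cls(request, result).handle(assignments):
            return "Deny"  # handler could not fulfil the obligation
    return result["Decision"]


SAMPLE_RESPONSE = json.dumps({"Response": [{"Decision": "Permit", "Obligations": [{
    "Id": "com.axiomatics.example.obligations.emailmanager",
    "AttributeAssignment": [
        {"AttributeId": "email", "Value": "manager@example.com"},
        {"AttributeId": "message", "Value": "Employee alice has obtained access to doc-42"}]}]}]})

if __name__ == "__main__":
    print(enforce({}, SAMPLE_RESPONSE))  # Permit, with one mail recorded in EmailManagerHandler.sent
```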