Tags: authorization, access-control, xacml, xacml3, abac

XACML: How to control the access to the properties in a resource


I understand that XACML can give a fine grained control to access a resource based on various categories like subject, resource, env and actions.

But, once the evaluation is made and decided to fetch a resource, can we control what fields/properties in the resource the user/subject can access?

For example, there is a resource called Customer with the following fields.

customer: { name, isVip, phoneNumber}

Now, if I have a sales agent accessing this info, I want to show the phoneNumber of a VIP customer to only a few selected sales agents.

This should be the response to the GET customer info API:

called by a normal sales agent: {name, isVip}

called by a selected sales agent: {name, isVip, phoneNumber}

Can I achieve this with XACML? If yes, how?


Solution

  • Yes you can!

    It is all a matter of how you define your resources and how you write policies for them. In your case you have an object of type "Customer" and you have objects of type "field". Name, isVip, and phoneNumber are all fields of the Customer object.

    You could write the following policies:

    • Sales agents can view the customer object of a customer in the same region
    • Sales agents can view the phoneNumber field of a customer if they are assigned to that customer

    How would enforcement work? What you have to see is that you can do enforcement on the way in... and on the way out. In other words, you could ask

    • Can Alice the sales agent view customer record #123?
    • Permit

    The app then fetches the record. As the record comes back from the underlying system through the PEP, you then inspect the record, find that you have 3 sections worth controlling access to and then you ask the PDP:

    • Can Alice the sales agent view section #1, #2, #3 of customer record #123?
    • Permit, Deny, Deny

    By the way, the latter is an example of a Multiple Decision Request. You can read more on MDPs here and here.
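As an added illustration (not part of the answer above), here is a small Python simulation of the two-stage enforcement the answer describes: a toy PDP standing in for a real XACML engine, a record-level check on the way in, and a multiple decision request over the fields on the way out. The subject attributes (region, assigned customers) and the sample record are assumptions constructed for the example.

```python
# Added example, not from the original answer: toy PDP/PEP showing field-level
# filtering of a Customer record via a multiple decision request.
from dataclasses import dataclass, field

PERMIT, DENY = "Permit", "Deny"


@dataclass
class Subject:
    name: str
    region: str                      # assumed attribute: agent's sales region
    assigned_customers: set = field(default_factory=set)  # assumed attribute


def evaluate(subject, customer, action, resource_type, field_name=None):
    """Toy PDP implementing the two policies from the answer."""
    if action != "view":
        return DENY
    # Policy 1: agents may view a customer record in the same region.
    if resource_type == "customer":
        return PERMIT if subject.region == customer["region"] else DENY
    # Policy 2: the phoneNumber field only for agents assigned to that customer;
    # every other field simply follows the record-level decision.
    if resource_type == "field":
        if field_name == "phoneNumber":
            return PERMIT if customer["id"] in subject.assigned_customers else DENY
        return evaluate(subject, customer, action, "customer")
    return DENY


def multiple_decision_request(subject, customer, fields):
    """One decision per field, like an MDP response: {field: Permit|Deny}."""
    return {f: evaluate(subject, customer, "view", "field", f) for f in fields}


def pep_fetch_customer(subject, customer):
    """PEP: enforce on the way in (record), then on the way out (fields)."""
    if evaluate(subject, customer, "view", "customer") != PERMIT:
        return None                  # record-level Deny: nothing is returned
    protected = ["name", "isVip", "phoneNumber"]
    decisions = multiple_decision_request(subject, customer, protected)
    # Return only the fields the PDP permitted for this subject.
    return {k: customer[k] for k in protected if decisions[k] == PERMIT}


# Constructed sample record (customer #123 from the answer).
CUSTOMER_123 = {"id": 123, "region": "EMEA", "name": "Acme Corp",
                "isVip": True, "phoneNumber": "+1-555-0100"}
```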