I'm new to XACML and I am trying to understand how, in practice, the PDP can evaluate a policy that depends on several PIPs. Let's take an example:
Imagine a context where Josh can take up the role of Scrum Master but also the role of Business Analyst. All records of Agile roles within the company are stored in db1 (PIP1) while all records of business roles are stored in db2 (PIP2).
Let's say the following policy is created:
- Only a Business Analyst can edit the sales records
- Only a Scrum Master can export the sales records
So first the PEP receives a request from Josh to perform a particular action (e.g. edit the sales records).
The question is: how can the PDP evaluate the request when it needs to decide only after fetching the attributes from multiple PIPs? At which component does this evaluation reside?
I don't understand well where/how to put the logic when evaluating policy (rules) when the input can be coming from multiple PIPs.
TL;DR: you don't need to worry about it.
Long answer: in ABAC and XACML, the policies don't know (and don't care) where attribute values come from. The fact that Josh is a BA or an SM is what matters. Where the value came from is not (typically). The way the flow works in most PDP implementations (it's the case with Axiomatics, where I work) is:
1. The PEP asks the PDP: "Can Josh edit sales record #123?"
2. The PDP needs the `agile role` value as well as the `business role` value.
3. It'll retrieve attribute values from the PIPs it's been configured with on a first-come first-served basis.

Of course, you can also use the same attribute for both roles. So instead of agile and business role, you'd simply have `role`. And it's totally acceptable to have 2 or more PIPs resolve/look up the same attribute. It's as simple as that. How a PDP calls the PIP is implementation-specific and you shouldn't normally have to care about that.
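To make the flow concrete, here is an added toy example (not code from the answer above, and not from any XACML product): a minimal PDP whose rules name attributes only, with a resolver that walks the configured PIPs in order and returns the first value found. The PIP functions, attribute ids (`agile-role`, `business-role`) and the in-memory dictionaries standing in for db1 and db2 are all constructed for illustration.

```python
from typing import Callable, Dict, List, Optional

# A PIP is modelled as a function: (subject, attribute_id) -> value or None.
PIP = Callable[[str, str], Optional[str]]

# Constructed sample data standing in for db1 (agile roles) and db2 (business roles).
DB1_AGILE: Dict[str, str] = {"josh": "Scrum Master"}
DB2_BUSINESS: Dict[str, str] = {"josh": "Business Analyst", "anna": "Developer"}

def pip_db1(subject: str, attr: str) -> Optional[str]:
    # Only knows about agile roles; returns None for anything else.
    return DB1_AGILE.get(subject) if attr == "agile-role" else None

def pip_db2(subject: str, attr: str) -> Optional[str]:
    # Only knows about business roles.
    return DB2_BUSINESS.get(subject) if attr == "business-role" else None

class PDP:
    def __init__(self, pips: List[PIP]):
        self.pips = pips  # consulted in this order: first-come first-served

    def resolve(self, subject: str, attr: str) -> Optional[str]:
        # The policy never says which PIP to use; the PDP just asks each one in turn.
        for pip in self.pips:
            value = pip(subject, attr)
            if value is not None:
                return value
        return None  # no configured PIP could supply the attribute

    def decide(self, subject: str, action: str, resource: str) -> str:
        # Policy from the question: only a BA may edit, only an SM may export sales records.
        # Each rule references an attribute id and the value it requires, nothing about PIPs.
        rules = {
            "edit":   ("business-role", "Business Analyst"),
            "export": ("agile-role",    "Scrum Master"),
        }
        if resource != "sales-records" or action not in rules:
            return "NotApplicable"
        attr, required = rules[action]
        value = self.resolve(subject, attr)
        if value is None:
            # Attribute treated as must-be-present: a missing value is Indeterminate, not Deny.
            return "Indeterminate"
        return "Permit" if value == required else "Deny"

# The PDP is configured with both PIPs; the rules above stay unchanged whatever the order.
pdp = PDP([pip_db1, pip_db2])
```

Swapping the PIP order, or adding a cache PIP in front that answers `business-role` itself, changes where the value comes from but not a single rule.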