XACML 3.0 Policies - 6
This is 6th post of a series of posts, after this post on writing XACML policies having multiple rules, http://pushpalankajaya.blogspot.com/2013/06/xacml-30-policies-multiple-rules-5.html. Here we will look into the following requirement which is more likely in practice.
Here the first rule is to permit any requests made by users in either groups admin_emps and admin, to read any resource. Second rule will permit any request coming to operations 'http://localhost:8280/services/Customers/getVersion1(2)'. Third rule will deny any other requests.
- The operation getVesrion1 and getVersion2 in the service http://localhost:8280/services/Customers should be accessed by any user
- Request to any other service or operation should only be accessed by the users belong to the group(s) admin_emps or admin or both
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="testOr" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0"> <Description>Test Or</Description> <Target></Target> <Rule Effect="Permit" RuleId="primary-group-emps-rule"> <Target> <AnyOf> <AllOf> <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue> <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator> </Match> </AllOf> </AnyOf> </Target> <Condition> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <AttributeDesignator AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:group" MustBePresent="true"></AttributeDesignator> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin_emps</AttributeValue> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue> </Apply> </Apply> </Condition> </Rule> <Rule Effect="Permit" RuleId="primary-user-rule"> <Condition> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/Customers/getVersion1</AttributeValue> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/Customers/getVersion2</AttributeValue> </Apply> </Apply> </Condition> </Rule> <Rule Effect="Deny" RuleId="deny-rule"></Rule> </Policy>
Here the first rule is to permit any requests made by users in either groups admin_emps and admin, to read any resource. Second rule will permit any request coming to operations 'http://localhost:8280/services/Customers/getVersion1(2)'. Third rule will deny any other requests.
- User 'Pushpalanka' belonging to groups staff and business tries to access 'http://localhost:8280/services/Customers/getVersion2'. Response: Permit
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false"> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue> </Attribute> </Attributes> <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">pushpalanka</AttributeValue> </Attribute> </Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:group"> <Attribute AttributeId="group" IncludeInResult="false"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">business</AttributeValue> </Attribute> </Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/Customers/getVersion2</AttributeValue> </Attribute> </Attributes> </Request>
- Admin user belonging to admin and business groups tries to access service 'http://localhost:8280/services/Customers/'. Response: Permit
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false"> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue> </Attribute> </Attributes> <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue> </Attribute> </Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:group"> <Attribute AttributeId="group" IncludeInResult="false"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">business</AttributeValue> </Attribute> </Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/Customers/</AttributeValue> </Attribute> </Attributes> </Request>
Cheers!
Reference: Corresponding XACML 2.0 policy - FacileLogin