Tags: authorization, access-control, xacml, abac

Send several simultaneous actions in one XACML request


Can we specify two actions in a same XACML request?

This question comes from the following example. I want to do the following:

  1. Define a policy like: U can use READ OR WRITE functions on a resource D (an example policy is available in this previous post)
  2. Define a request like: U wants to use READ AND DELETE (or any other action that is not permitted)
  3. Get as response: deny

So here is the request:

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
 <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
  </Attribute>
 </Attributes>
 <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">u</AttributeValue>
  </Attribute>
 </Attributes>
 <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">d</AttributeValue>
  </Attribute>
 </Attributes>
</Request> 

So again the question: can we have such a XACML request (i.e. U asks for read and delete at the same time)?


Solution

  • Yes.. you can send two attribute values. But I guess this would result in Permit, as your policy has been written with the string-at-least-one-member-of function. This function just verifies whether there is at least one match. As the read action is matched, the Policy returns Permit. I guess you can use the subset function to achieve this. Please see the following policy.. This would work for your requirement.

    <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="test-bis" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides" Version="1.0">
     <Target></Target>
     <Rule Effect="Permit" RuleId="read-or-write">
      <Target>
       <AnyOf>
        <AllOf>
         <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">d</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
         </Match>
        </AllOf>
       </AnyOf>
      </Target>
      <Condition>
       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
         <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
         </Apply>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
         <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"></Function>
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">u</AttributeValue>
         <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
        </Apply>
       </Apply>
      </Condition>
     </Rule>
     <Rule Effect="Deny" RuleId="deny"></Rule>
    </Policy>
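As an added example (not part of the question or the answer), the following Python check extracts the action bag from the request in the question and evaluates the two bag functions the answer contrasts, string-at-least-one-member-of versus string-subset. The evaluator is a simplified stand-in for a PDP written for this illustration, not a real XACML engine; it also mimics what MustBePresent="true" does when the action attribute is missing.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Constructed copy of the action part of the request in the question: two values, one attribute.
REQUEST_XML = """<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
 <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
  </Attribute>
 </Attributes>
</Request>"""

ALLOWED = ["read", "write"]  # the policy's string-bag of permitted actions

def action_bag(request_xml):
    """Collect every action-id value in the request (a XACML bag, so duplicates are kept)."""
    root = ET.fromstring(request_xml)
    bag = []
    for attrs in root.findall("x:Attributes", NS):
        if attrs.get("Category") != ACTION_CAT:
            continue
        for attr in attrs.findall("x:Attribute", NS):
            if attr.get("AttributeId") == ACTION_ID:
                bag.extend(v.text for v in attr.findall("x:AttributeValue", NS))
    return bag

def string_at_least_one_member_of(bag_a, bag_b):
    """string-at-least-one-member-of: true if any value of A is in B (what the original policy used)."""
    return any(a in bag_b for a in bag_a)

def string_subset(bag_a, bag_b):
    """string-subset: true only if every value of A is in B (what the answer proposes)."""
    return all(a in bag_b for a in bag_a)

def decide(request_xml, allowed, match_fn):
    """Permit if the condition holds, Deny otherwise (the answer's trailing Deny rule).
    An empty bag would make string-subset trivially true; MustBePresent="true" on the
    designator turns a request with no action-id into Indeterminate instead."""
    bag = action_bag(request_xml)
    if not bag:
        return "Indeterminate"
    return "Permit" if match_fn(bag, allowed) else "Deny"

if __name__ == "__main__":
    print(action_bag(REQUEST_XML))                                        # ['read', 'delete']
    print(decide(REQUEST_XML, ALLOWED, string_at_least_one_member_of))   # Permit
    print(decide(REQUEST_XML, ALLOWED, string_subset))                   # Deny
```

Replacing "delete" with "write" in the request turns the string-subset decision into Permit, which is the READ OR WRITE behaviour the question asks for.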