Tags: authorization, access-control, xacml, abac

XACML Policy Enforcement Point (PEP) Best Practices


I have the following scenario:

In a business workflow, many decisions regarding different arguments must be taken.

E.g.: first check user roles, then do some business logic, then check business permissions, etc.

My question is:

Assuming that on the PDP there are many policies for each of those arguments,

should the PEP do a single (big) XACML request to the PDP, containing all the attributes (e.g. user roles, business attributes, etc.)?

or

should the PEP do multiple (short) XACML requests to the PDP, each containing just one kind of attribute (e.g. first call with user roles, second with business attributes, etc.)?

Thank you


Solution

  • The PEP should never be aware of how many policies the PDP has, let alone how they are structured. In addition, you should have one request per authorization question. If you have multiple use cases, e.g.

    • create transaction
    • view transaction
    • print transaction
    • approve transaction

    then you should do 4 independent XACML requests. 1 XACML request = 1 authorization request. If you created a single XACML request with a huge number of attributes, you wouldn't actually be asking 4 separate questions but rather a weird mix whereby you might be permitted if any of the provided attributes triggered a Permit (and of course that all depends on the policies and combining algorithms you have).

    To save on roundtrip time (transport cost...), you can use the Multiple Decision Profile of XACML (MDP) whereby you can ask in one go:

    • Can the user create, view, print, approve transaction X?

    The Axiomatics Policy Server implements the Multiple Decision Profile. You can read this blog post to understand how to create the request.

    HTH, David.
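To make the difference between the two request shapes concrete, here is an added example (not part of David's answer, and not Axiomatics or any real PDP's code). It builds a request in the shape of the XACML 3.0 JSON Profile: each category object carries an `Id`, and `MultiRequests` / `RequestReference` list which category Ids make up each individual decision request, which is how the Multiple Decision Profile lets one round trip carry four separate questions. The policy (`ROLE_ACTIONS`), the role values and the in-process evaluator `pdp_decide` are constructed stand-ins so the block runs offline; the evaluator deliberately uses an "any value in the bag matches" rule, which is what makes the single blended request answer Permit for the whole bag rather than per action.

```python
"""Toy PEP/PDP exchange contrasting one-question-per-request (Multiple Decision
Profile) with one blended request carrying every action at once.

Constructed example: ROLE_ACTIONS, the role names and pdp_decide() stand in for
a real XACML policy set and PDP. The request shape follows the XACML 3.0 JSON
Profile (category "Id" plus "MultiRequests"/"RequestReference").
"""
import json

# Constructed toy policy: which roles may perform which action on a transaction.
ROLE_ACTIONS = {
    "clerk": {"create", "view"},
    "auditor": {"view", "print"},
    "manager": {"view", "print", "approve"},
}

# Standard XACML attribute identifiers.
ROLE_ATTR = "urn:oasis:names:tc:xacml:2.0:subject:role"
ACTION_ATTR = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ATTR = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"


def build_mdp_request(roles, resource_id, actions):
    """Recommended shape: one Action category per action, one RequestReference
    per action, so the PDP returns one decision per question."""
    action_cats = [
        {"Id": f"a{i}", "Attribute": [{"AttributeId": ACTION_ATTR, "Value": a}]}
        for i, a in enumerate(actions, 1)
    ]
    return {"Request": {
        "AccessSubject": {"Id": "s1", "Attribute": [{"AttributeId": ROLE_ATTR, "Value": list(roles)}]},
        "Resource": {"Id": "r1", "Attribute": [{"AttributeId": RESOURCE_ATTR, "Value": resource_id}]},
        "Action": action_cats,
        "MultiRequests": {"RequestReference": [
            {"ReferenceId": ["s1", "r1", c["Id"]]} for c in action_cats]},
    }}


def build_blended_request(roles, resource_id, actions):
    """Anti-pattern from the answer: every action stuffed into ONE Action
    category, so the PDP sees a single question over a bag of action values."""
    return {"Request": {
        "AccessSubject": {"Id": "s1", "Attribute": [{"AttributeId": ROLE_ATTR, "Value": list(roles)}]},
        "Resource": {"Id": "r1", "Attribute": [{"AttributeId": RESOURCE_ATTR, "Value": resource_id}]},
        "Action": {"Id": "a1", "Attribute": [{"AttributeId": ACTION_ATTR, "Value": list(actions)}]},
        "MultiRequests": {"RequestReference": [{"ReferenceId": ["s1", "r1", "a1"]}]},
    }}


def _values(category, attr_id):
    """Return the bag of values for attr_id in a category (single or list)."""
    vals = []
    for att in category["Attribute"]:
        if att["AttributeId"] == attr_id:
            v = att["Value"]
            vals.extend(v if isinstance(v, list) else [v])
    return vals


def _evaluate_one(subject, action):
    """Toy PDP rule: Permit if ANY role in the bag may perform ANY action value
    in the bag (the any-of style match the answer warns about)."""
    roles = _values(subject, ROLE_ATTR)
    actions = _values(action, ACTION_ATTR)
    allowed = any(a in ROLE_ACTIONS.get(r, set()) for r in roles for a in actions)
    return "Permit" if allowed else "Deny"


def pdp_decide(request):
    """Split a MultiRequests request into individual decisions, one per
    RequestReference, and return them in order."""
    req = request["Request"]
    index = {}
    for name in ("AccessSubject", "Resource", "Action"):
        cats = req[name]
        for cat in (cats if isinstance(cats, list) else [cats]):
            index[cat["Id"]] = (name, cat)
    results = []
    for ref in req["MultiRequests"]["RequestReference"]:
        picked = {index[i][0]: index[i][1] for i in ref["ReferenceId"]}
        results.append({
            "Decision": _evaluate_one(picked["AccessSubject"], picked["Action"]),
            "Actions": _values(picked["Action"], ACTION_ATTR),
        })
    return results


if __name__ == "__main__":
    actions = ["create", "view", "print", "approve"]
    mdp = build_mdp_request(["auditor"], "tx-42", actions)
    print(json.dumps(mdp, indent=1))
    print("per-action decisions:", pdp_decide(mdp))            # Deny, Permit, Permit, Deny
    print("blended decision:", pdp_decide(build_blended_request(["auditor"], "tx-42", actions)))
```

Run stand-alone, the MDP request yields four decisions (an auditor may view and print but not create or approve), while the blended request collapses to a single Permit because one value in the action bag matched, which is exactly the "weird mix" the answer describes and why the PEP should keep one authorization question per request.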