Whats the difference between a XACML that uses an AND Function that contains two conditions, for example. one condition will be time in range 1-6 and date-equal 23/07/2015
And the other XACML will have two rules, one rule will be time in range 1-6 and the other rule date-equal 23/07/2015.
I mean, how they work? The 1st one, the AND function has to be true in order to get the permit effect. What about the second one? Will just check if one of those two rules its true and give the permit effect or both rules has to be true like the first one?
First of all, let's take a step back and refresh our memories. There are 3 structural elements in XACML:
PolicySet which can contain PolicySet and Policy elementsPolicy which can contain Rule elements.Rule which contain the desired effect (either of Permit or Deny).A Rule contains both a Target element and a Condition element which define when the Rule will apply.
A Rule will only apply and return its effect if both the Target and the Condition evaluate to true i.e. if all matches in a Target are correct and if all parts of the Condition eventually evaluate to True.
Let's take your example:
The code in ALFA would be:
policy parent{
apply firstApplicable
rule example{
permit
condition currentTime>"13:00:00":time &&
currentTime<"18:00:00":time &&
currentDate=="2015-07-23":date
}
}
The Rule will only be applicable and only return its effect, in this case a permit, if all the matches in the condition evaluate to true.
What if we use 2 rules to express the same logic? What happens then? Let's split the condition across 2 rules:
policy parent{
apply firstApplicable
rule checkTime{
permit
condition currentTime>"13:00:00":time &&
currentTime<"18:00:00":time
}
rule checkDate{
permit
condition currentDate=="2015-07-23":date
}
}
What happens then? The result is not the same. As a matter of fact, if a policy has 2 child rules, how does it determine which one to consider? This is where combining algorithms step in. A combining algorithm is defined at the Policy level andr the PolicySet level. See here for a full list and details.
In the example above, we use
apply firstApplicable
This means that if the Rule says Permit, then the second one won't even be considered for evaluation. In other words, the date constraint will not be checked. Therefore, the set of 2 rules is not equivalent to the original condition we wrote.
We can still rework the 2 rules such that they do work as the condition does - or almost. One such way is to turn the checks around and make the rules negative ones: deny if the time is outside the 1-6 range. Deny if the date is "2015-07-23". Only then would one define a permit rule to allow access. The reworked example becomes in ALFA:
policy parent{
apply firstApplicable
rule checkTime{
deny
condition currentTime<="13:00:00":time ||
currentTime>="18:00:00":time
}
rule checkDate{
deny
condition not(currentDate=="2015-07-23":date)
}
rule allowAccess{
permit
}
}
The bottom line, though, is: what do you want to express? Is it important to distinguish between the time check and the date check? Does it make more sense as 2 rules? A single rule? That's entirely up to you.
To edit the sample policies, you can download the ALFA plugin from here.
HTH