When using ABAC security, how do you look up rules?
When implementing ABAC/XACML, the spec indicates you should intercept requests for sensitive data with PEPs, which route the request to PDPs (the PEPs include attributes about the subject, environment, resource and action when calling the PDP).
The PDP then determines what rules need to be evaluated for an access decision.
From Wikipedia: https://en.wikipedia.org/wiki/XACML
XACML provides a target,[5] which is basically a set of simplified conditions for the subject, resource, and action that must be met for a policy set, policy, or rule to apply to a given request. Once a policy or policy set is found to apply to a given request, its rules are evaluated to determine the access decision and response.
Policy set, policy and rule can all contain target elements.
It's my understanding that how the PDP decides what rules in the PIP are applicable is implementation specific, but this seems like a very important part of the process-- if you miss a rule, for instance, you would not evaluate the request properly. What ways have folks implemented this? What's worked and what hasn't? (I'm reluctantly leaning towards lookups against an EAV-ish table.)
You always configure a PDP with a set of policies. You can give the PDP any number of policies and policy sets (groups of policies) but you must specify the entry point, i.e. there must be a root policy. That root policy may then contain and / or link to other policies (or policy sets).
The PDP alone decides which policies to invoke and evaluate based on the incoming request from the PEP. The PEP does not know how many policies there are. You would not miss a rule like you state in your question. It is the PDP's responsibility not to. You would not typically implement your own PDP. You would use an off-the-shelf one. There are several open-source engines e.g. SunXACML and commercial alternatives e.g. Axiomatics.
The PIP is used for attribute value retrieval, not for policy retrieval.
- UserNotFound Error for Existing Role in WSO2 IS 7.0.0 XACML Policy
- XACML how to efficiently control Access to Collections (Lists) of Resources
- How to express pagination in attribute based access control?
- What is the difference between Policy Target and Rule Target in ALFA or XACML?
- Implement geo XACML using Authzforce and host it on heroku
- WSO2 Identity / XACML Evaluation for Standard Editor / Any Debug Feature Available?
- Representing complex data types in XACML using Authzforce
- Obtain all Obligations from all the policies
- Fine-grained authorization for web applications
- Authzforce - XACML AttributeSelector
- How does missing-attribute work in XACML?
- Add multiple values in bag using authzforce
- Can XACML be validated by lxml in Python?
- Replacing LDAP store in Axiomatics to use Azure AD / B2C
- XML (XACML) Syntax Error - String Literal was Expected
- In wso2 IS XACML policy how to validate role and its permissions
- Is there a way to define variables externally from XACML policy and refer them from inside the policy rules
- XACML Obligations
- Authzforce ABAC - Fail to Enable a Result Postprocessor extension on a domain
- How to add string/URI matching in XACML
- Who uses XACML?
- URL accessible at specific hours only XACML
- Authzforce - Simple ABAC policy creation fails
- WSO2IS - XACML Policy with custom attributes is returning "Couldn't find AttributeDesignator"
- How to do logical AND for Rule combining for XACML
- Authzforce - Existing GUI for policy administration (PAP)
- Spring Security integration with XACML(Or any other policy based solution)
- XACML: how to find a long in a list of longs (list contains)
- Dynamic root policyset for multi-tenancy using Authzforce Core
- How expensive is creating a BasePdpEngine in Authzforce Core?