How to implement these rules in XACML policies?
Here is a requirement I am trying to implement via XACML/ABAC for learning purposes:
Information Model
Resources: Building, Unit
- there are many buildings (ex. B1, B2, B3, ... Bn)
- each building has many units (i.e. unit is the child of building) (ex. B1U1, B1U2, B1U3, ...)
Subject: Housekeeping staff
Rules
- A housekeeper can "open" a "unit" if
- they have "open" permission on that "unit" OR
- if they have "open" permission on the "building" in which that "unit" is.
Any pointers?
Update
Essentially here is my concern: if the requirement was something like, A housekeeper can "open" "unitX" if s/he has "open" permission on "unitX". Here I would've just written a simple rule.
However, with my actual requirement, the concerns are:
Since there is not one particular resource but many resources of same type, should I be writing a separate policy for each resource? Ex. separate policy for building "B1", another for "B2" and so on?
How will the policy "know" about hierarchical relationship between building and unit.
Now that I think further about this, I think the following approach should work(?)
- Request will include the following
resource: /{buildingId}/{unitId} //this is how policy will know parent child relationship
action: open
subject: subjectId and probably all permissions that this subject has (still thinking on how to represent the permissions, any suggestions?)
- Define one policy with rule: // pseudocode if(subject.permissions include open on {buildingId} OR open on {unitId}) then permit else deny.
Any suggestions?
Thanks,
Jatin
You need to define attributes like following on ABAC model:
Resource Attribute
Attribute - Building, Attribute Values - B1,B2,B3
Attribute - Unit, Attribute Values - B1U1, B1U2, B1U3,B2U1, B2U2, B2U3,B3U1, B3U2, B3U3
Action Attribute
Attribute - Building Action , Attribute Value - Open
Subject Attribute
Attribute - Building Resident, Attribute Values - Resident1,Resident2
The hierarchical relation among building and building units need to define on resource inheritance relation.
Resource Inheritance
Beneficiary - Building:B1 , Inherited Values - Unit: B1U1 , Unit: B1U2, Unit: B1U3
Beneficiary - Building:B2 , Inherited Values - Unit: B2U1 , Unit: B2U2, Unit: B2U3
Beneficiary - Building:B3, Inherited Values - Unit: B3U1 , Unit: B3U2, Unit: B3U3
Now you need to define rules on a ABAC policy. Now you can use policy automation tools so that you do not need to think of inheritance relations during rule creation.You once define those relations and later when you create rules, the automation tool will automatically remember those relations and create rules automatically for you. You can download such a tool name "Security Policy Tool" . This is a commercial tool but you can download free demo which also includes a full xacml editor. Please check below a screen shot of your model in SPT :
Then from this tool you can automatically convert your ABAC policies into XACML and further edit on built in xacml editor to fine tune.
- How can I authenticate user token in Angular Guard if I am using Http-Only?
- .NET 8 Blazor Server - role authorization with Windows Authentication
- Require authenticated user in asp.net core but require custom policy in some actions require custom policy
- How to define the basic HTTP authentication using cURL correctly?
- Relation between Authorization middleware and filter Asp.net core
- Roles Authorization not working for Razor Pages site using AddNegotiate
- Laravel `Auth` not compatible with 3rd party library ajax call?
- How to configure user and password for neo4j cluster without REST API
- Fetching custom Authorization header from incoming PHP request
- How can i ensure that controller methods are entered only in a specific sequence
- How to prevent users to access other user's data with dotnet core and RESTful APIs?
- How to know which controller method will be called from Web API Authorization filter
- .net how to set the the response body when the authorization failed?
- Spring security 6 - authorization not working
- Glide Image Download with Bearer fails
- Java: how to use UrlConnection to post request with authorization?
- Exploring Changes to Authentication and Authorization Setup in .NET 7 API with JWT
- Authentication on actions not controller
- How do I get access token inside Node.JS Google Cloud function?
- How to make Amazon AWS API call from Java?
- PUT request to Azure storage with shared key authorization
- Azure Container access via Python SDK fails with AuthorizationPermissionMismatch but I am owner
- Django user entitlements on creation / privilege escalation
- How to authenticate and authorize in blazor
- Error: ErrImagePull : failed to fetch oauth token: unexpected status: 403 Forbidden while creating kubernetes deployment on Google Cloud
- Why is AllowAnonymous not working while deployed to Azure Websites?
- Difference between Passport and JWT?
- How do I implement "Authorization: Bearer <Token>" in a Delphi REST Server?
- Redirect Unauthorized Page Access in MVC to Custom View
- OAuth 2: separating resource server and authorization server