Tags: security, policy, xacml, abac, alfa

What should ABAC PIP do in case of attributes resolution impossibility?


How should the PIP, and the ABAC engine as a whole, behave if it can't resolve attributes? There are several cases:

  1. The target object from which we are resolving the attribute is not found.
  2. The attribute can't be resolved because the provided attributes are not sufficient to request additional information. For example, we passed a single userId and a resource name without an id.
  3. During the attribute resolution chain (when some attributes depend on others), something is missing that makes resolution of the target attribute impossible.

Solution

  • The interaction between the PDP and the PIP is not specified in the XACML standard. It is down to each implementation (AuthZForce, Axiomatics...) to determine how they handle each case.

    Generally speaking, there are 3 errors that can occur when using a PIP:

    1. Connection issues: the target PIP (e.g. an LDAP server) cannot be reached
    2. Mapping configuration issues: the mapping for the attribute is invalid. For instance, you are retrieving an attribute from a non-existing SQL table or column.
    3. Data issue: there is no data to be read in the underlying source

    In addition, there is another possible issue: the keys used in the mapping (e.g. username) have no value at all. In this case, it is clear that the mapping (e.g. to retrieve a role) will not be invoked at all.

    Points 1 and 2 could lead to Indeterminate. This helps the administrator troubleshoot the installation.

    Point 3 should lead to NotApplicable for the branch that uses the attribute. If there is no value, then so be it. Why would there necessarily be a value?

    I hope this helps,

    David.
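The mapping from PIP failure modes to XACML decisions described in the answer above, as an added example that is not part of the original post or of any real PDP (AuthZForce, Axiomatics, etc.). It models a toy PDP with one Permit rule per condition, backed by an in-memory PIP whose schema, data, mapping config and attribute ids (`subject.role`, `resource.owner`, `subject.clearance`) are all constructed for illustration. Connection and mapping errors surface as Indeterminate; an empty attribute bag, an unknown key, or an absent key (so the PIP is never called) yields NotApplicable for that rule. The `owner_is_admin` rule also covers the chained-resolution case from the question: a break anywhere in the chain is handled the same way.

```python
"""Toy PDP/PIP showing how attribute-resolution failures map to XACML decisions.
Added example: names, schema and data are hypothetical, not a real PDP's API."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


class PIPConnectionError(Exception):
    """Case 1: the attribute store (LDAP, SQL, ...) cannot be reached."""


class PIPMappingError(Exception):
    """Case 2: the mapping names a table/column the store does not have."""


class _NoValue(Exception):
    """Internal: empty bag (case 3) or absent lookup key, so the rule cannot apply."""


# Constructed sample backend: fixed schema plus rows, as an SQL PIP would see it.
SCHEMA = {"users": {"role", "department"}, "documents": {"owner"}}
DATA = {
    "users": {
        "alice": {"role": ["admin"], "department": ["it"]},
        "bob": {"role": ["user"], "department": ["sales"]},
        "carol": {"department": ["hr"]},       # exists, but has no role value
    },
    "documents": {
        "doc-1": {"owner": ["alice"]},
        "doc-2": {"owner": ["dave"]},          # owner is not in the users table
    },
}

# Hypothetical mapping config: XACML attribute id -> (table, column).
MAPPING = {
    "subject.role": ("users", "role"),
    "subject.department": ("users", "department"),
    "subject.clearance": ("users", "clearance"),   # misconfigured: no such column
    "resource.owner": ("documents", "owner"),
}


@dataclass
class PIP:
    schema: dict
    data: dict
    mapping: dict
    reachable: bool = True

    def resolve(self, attribute_id: str, key: str) -> list:
        """Return the (possibly empty) bag of values for attribute_id keyed by `key`."""
        if not self.reachable:
            raise PIPConnectionError("attribute store unreachable")
        table, column = self.mapping.get(attribute_id, (None, None))
        if table not in self.schema or column not in self.schema[table]:
            raise PIPMappingError(f"bad mapping for {attribute_id}: {table}.{column}")
        record = self.data[table].get(key)
        if record is None:
            return []                            # unknown key: no data, not an error
        return list(record.get(column, []))      # row exists but value absent: empty bag


Resolver = Callable[[str, Optional[str]], list]


def evaluate_rule(pip: PIP, request: dict,
                  condition: Callable[[dict, Resolver], bool]) -> Decision:
    """Evaluate one Permit rule whose condition pulls attributes through the PIP.

    Connection/mapping failures -> Indeterminate (an admin has to look at it);
    an empty bag, or a lookup key with no value -> NotApplicable for this rule.
    """
    def get(attribute_id: str, key: Optional[str]) -> list:
        if key is None:
            raise _NoValue(attribute_id)   # key has no value: the PIP is never invoked
        bag = pip.resolve(attribute_id, key)
        if not bag:
            raise _NoValue(attribute_id)
        return bag

    try:
        return Decision.PERMIT if condition(request, get) else Decision.NOT_APPLICABLE
    except _NoValue:
        return Decision.NOT_APPLICABLE
    except (PIPConnectionError, PIPMappingError):
        return Decision.INDETERMINATE


def subject_is_admin(request: dict, get: Resolver) -> bool:
    return "admin" in get("subject.role", request.get("subject.id"))


def owner_is_admin(request: dict, get: Resolver) -> bool:
    """Two-step chain: resource id -> owner -> owner's role."""
    owner = get("resource.owner", request.get("resource.id"))[0]
    return "admin" in get("subject.role", owner)


def subject_is_cleared(request: dict, get: Resolver) -> bool:
    return "secret" in get("subject.clearance", request.get("subject.id"))


if __name__ == "__main__":
    pip = PIP(SCHEMA, DATA, MAPPING)
    print(evaluate_rule(pip, {"subject.id": "alice"}, subject_is_admin).value)
    print(evaluate_rule(pip, {"subject.id": "carol"}, subject_is_admin).value)
    print(evaluate_rule(pip, {"subject.id": "alice"}, subject_is_cleared).value)
    print(evaluate_rule(PIP(SCHEMA, DATA, MAPPING, reachable=False),
                        {"subject.id": "alice"}, subject_is_admin).value)
```

The split matters operationally: Indeterminate from a real PDP is a signal for monitoring and troubleshooting (the policy could not be evaluated), whereas NotApplicable is a normal outcome that a deny-by-default policy set turns into a deny without anyone needing to intervene.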