Search code examples
authorizationxacmlabacalfabalana

How do I get permit with XACML policy?

I have two policies, first one should return permit, and the second should return deny, but it always returns deny to the requests.

This is the PolicySet:

 <PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" PolicySetId="http://axiomatics.com/alfa/identifier/test.testps1" Version="1.0" xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">



<Target/> 
<Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="p2"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
    Version="1.0">


<Target>


<AnyOf>

<AllOf>

<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
C70001
</AttributeValue>

<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>

</Match>

<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
Alise Ibrahem
</AttributeValue>

<AttributeDesignator AttributeId="subjectName" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>

</Match>

<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
IT
</AttributeValue>

<AttributeDesignator AttributeId="subjectDep" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>

</Match>



</AllOf>

</AnyOf>

</Target>


<Rule Effect="Deny" RuleId="Deny_Rule">

 <Target>
           <AnyOf>
             <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI"
                  >Employee</AttributeValue>
                 <AttributeDesignator  AttributeId="subjectJob" MustBePresent="false"
                 Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                 DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
               </Match>
             </AllOf>
           </AnyOf>
           <AnyOf>
             <AllOf>
               <Match
                 MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                 <AttributeValue
                   DataType="http://www.w3.org/2001/XMLSchema#string"
                    >read</AttributeValue>
                 <AttributeDesignator
                   MustBePresent="false"
                   Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                   AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string"/>
               </Match>
             </AllOf>
           </AnyOf>
         </Target>

   <AdviceExpressions>
    <AdviceExpression AdviceId="not-hr-employee" AppliesTo="Deny">
    <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">You are not allowed to get employees data</AttributeValue>
    </AttributeAssignmentExpression>
    </AdviceExpression>
    </AdviceExpressions>

</Rule>


</Policy>


<Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="p1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides" Version="1.0">



<Target>


<AnyOf>

<AllOf>

<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
C80001
</AttributeValue>

<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>

</Match>

<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
Hadeel Neama
</AttributeValue>

<AttributeDesignator AttributeId="subjectName" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>

</Match>

<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
HR
</AttributeValue>

<AttributeDesignator AttributeId="subjectDep" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>

</Match>


</AllOf>

</AnyOf>

</Target>


<Rule Effect="Permit" RuleId="Permit_Rule">

 <Target>
           <AnyOf>
             <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI"
                  >Employee</AttributeValue>
                 <AttributeDesignator  AttributeId="subjectJob" MustBePresent="false"
                 Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                 DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
               </Match>
             </AllOf>
           </AnyOf>
           <AnyOf>
             <AllOf>
               <Match
                 MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                 <AttributeValue
                   DataType="http://www.w3.org/2001/XMLSchema#string"
                    >read</AttributeValue>
                 <AttributeDesignator
                   MustBePresent="false"
                   Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                   AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string"/>
               </Match>
             </AllOf>
           </AnyOf>
         </Target> 


</Rule>

</Policy>

</PolicySet>

XACML Request that I want it to have permit response:

   <?xml version="1.0" encoding="UTF-8"?>
    <Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">C80001</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="subjectName" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Hadeel Neama</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="subjectDep" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HR</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="subjectJob" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="subjectJob" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue>
</Attribute>
</Attributes>
</Request>

Request that I want it to have permit response:

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">C70001</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-Name" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alise Ibrahem</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subjectDep" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">IT</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subjectJob" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="subjectJob" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue>
</Attribute>
</Attributes>
</Request>

Response to the both of requests:

  <?xml version="1.0" encoding="UTF-8"?>
   <Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"><Result><Decision>Deny</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status><AssociatedAdvice><Advice AdviceId="not-hr-employee" ><AttributeAssignment  AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text" DataType="http://www.w3.org/2001/XMLSchema#string">
You are not allowed to get employees data</AttributeAssignment>
</Advice></AssociatedAdvice></Result><Result><Decision>Deny</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status><AssociatedAdvice><Advice AdviceId="not-hr-employee" ><AttributeAssignment  AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text" DataType="http://www.w3.org/2001/XMLSchema#string">
You are not allowed to get employees data</AttributeAssignment>
</Advice></AssociatedAdvice></Result><Result><Decision>Deny</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status><AssociatedAdvice><Advice AdviceId="not-hr-employee" ><AttributeAssignment  AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text" DataType="http://www.w3.org/2001/XMLSchema#string">
You are not allowed to get employees data</AttributeAssignment>
</Advice></AssociatedAdvice></Result><Result><Decision>Deny</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status><AssociatedAdvice><Advice AdviceId="not-hr-employee" ><AttributeAssignment  AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text" DataType="http://www.w3.org/2001/XMLSchema#string">
You are not allowed to get employees data</AttributeAssignment>
</Advice></AssociatedAdvice></Result></Response>
===========================================================

 Result is "Deny"   

Advice :  
You are not allowed to get employees data

This is ALFA code:

namespace test {
    import Attributes.* 

policy testpolicy {
target clause subjectId == "C80001"
and subjectName=="Hadeel Neama"
and subjectDep=="HR"
and subjectJob=="Employee" 

apply permitOverrides


rule {

target clause job=="Employee"
and actionId == "read"

permit
}
}
}

and this's the condition that I added it to the rule:

condition subjectDep=="HR"

I just don't know why all the tries with condition fail! I've tried this condition in Deny_Rule:

<Condition>

<Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of-any">

<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>

<AttributeDesignator AttributeId="subjectDep" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
HR
</AttributeValue>

</Apply>

</Condition>

but when I send a request, it returns:

مار 13, 2019 8:32:08 م org.wso2.balana.finder.PolicyFinder findPolicy
INFO: No applicable policies were found for the request
مار 13, 2019 8:32:08 م org.wso2.balana.finder.PolicyFinder findPolicy
INFO: No applicable policies were found for the request
مار 13, 2019 8:32:08 م org.wso2.balana.finder.PolicyFinder findPolicy
INFO: No applicable policies were found for the request
مار 13, 2019 8:32:08 م org.wso2.balana.finder.PolicyFinder findPolicy
INFO: No applicable policies were found for the request

======================== XACML Response ===================
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"><Result><Decision>NotApplicable</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status></Result><Result><Decision>NotApplicable</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status></Result><Result><Decision>NotApplicable</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status></Result><Result><Decision>NotApplicable</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status></Result></Response>
===========================================================

 Result is "Deny"

Even if I just wrote:

<Condition/>

!!!

Solution

  • Still a few issues to fix:

    1. In the Policy, replace... 
      xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
      ... with simply this (make xacml the default namespace like in your Request): 
      xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    2. Replace function anyURI-equal with string-equal
    3. Replace datatype anyURI with string
    4. Remove all trailing/leading newlines or blank spaces around AttributeValues that should not be there (I suspect your XML editor messed up, remember the strings are matched as is with string-equal, incl. newlines and whitespaces around, no whitespace collapse here)

    In the end, here is the valid Policy:

    <?xml version="1.0" encoding="UTF-8"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" PolicySetId="http://axiomatics.com/alfa/identifier/test.testps1" Version="1.0">
  <Target />
  <Policy PolicyId="p2" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">C70001</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alise Ibrahem</AttributeValue>
            <AttributeDesignator AttributeId="subjectName" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">IT</AttributeValue>
            <AttributeDesignator AttributeId="subjectDep" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Rule Effect="Deny" RuleId="Deny_Rule">
      <Target>
        <AnyOf>
          <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue>
              <AttributeDesignator AttributeId="subjectJob" MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </Match>
          </AllOf>
        </AnyOf>
        <AnyOf>
          <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
              <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </Match>
          </AllOf>
        </AnyOf>
      </Target>
      <AdviceExpressions>
        <AdviceExpression AdviceId="not-hr-employee" AppliesTo="Deny">
          <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">You are not allowed to get employees data</AttributeValue>
          </AttributeAssignmentExpression>
        </AdviceExpression>
      </AdviceExpressions>
    </Rule>
  </Policy>
  <Policy PolicyId="p1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides" Version="1.0">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">C80001</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Hadeel Neama</AttributeValue>
            <AttributeDesignator AttributeId="subjectName" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HR</AttributeValue>
            <AttributeDesignator AttributeId="subjectDep" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Rule Effect="Permit" RuleId="Permit_Rule">
      <Target>
        <AnyOf>
          <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue>
              <AttributeDesignator AttributeId="subjectJob" MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </Match>
          </AllOf>
        </AnyOf>
        <AnyOf>
          <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
              <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </Match>
          </AllOf>
        </AnyOf>
      </Target>
    </Rule>
  </Policy>
</PolicySet>

    --EDIT 2019-03-30--

    The issue with your Requests is that you have multiple <Attributes ...> in the same Category access-subject and this is interpreted by Balana as requesting multiple decisions according to Multiple Decision Profile of XACML (see 3.3 Repeated <Attributes> categories), which is not what you want. To fix it, group all subject attributes together in one <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">...

    So here is the fixed request:

    <Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
  </Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">C80001</AttributeValue>
  </Attribute>
  <Attribute AttributeId="subjectName" IncludeInResult="false">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Hadeel Neama</AttributeValue>
  </Attribute>
  <Attribute AttributeId="subjectDep" IncludeInResult="false">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HR</AttributeValue>
  </Attribute>
  <Attribute AttributeId="subjectJob" IncludeInResult="false">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue>
  </Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
  <Attribute AttributeId="subjectJob" IncludeInResult="false">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue>
  </Attribute>
</Attributes>
</Request>

    Hitting this Policy with this fixed request (Hadeel Neama in HR) returns Permit, which is what you expect.

    In the second Request, there is a mistake on the subjectName attribute: replace wrong AttributeId urn:oasis:names:tc:xacml:1.0:subject:subject-Name with subjectName to match the AttributeId in the Policy.

    With this extra fix, the second Request (Alise Ibrahem in IT department) returns Deny. Validated with AuthzForce.