Tags: xacml, xacml3, alfa, pdp, authzforce

Compare two multi-element attributes in XACML policy


Consider a subject and object both having a label defined as follows:

subject/object label = [i1, i2, ..., in], where i is some subjectId of another subject.

In a policy (ALFA/XACML), how can I perform a comparison against the subject and object label such that no elements in either list are the same?

For example:

subject_label = [i2, i4, i9]
object_label  = [i1, i3, i7, i9]

The resulting decision would be DENY as both labels contain i9. If no match was found in any list, then the access result would be PERMIT.


Solution

  • What you are looking to use is stringAtLeastOneMemberOf (or equivalent for other datatypes). This function takes in 2 parameters:

    • a bag of type string
    • a bag of type string

    It returns true if there is at least one value in the first bag equal to one value in the second bag. For strings, the comparison is case-sensitive.

    namespace com.axiomatics{
        /**
         * This policy checks the contents of the user label and the resource label.
         * It will deny access if there is at least one value in the user label equal to at least
         * one value in the resource label.
         */
        policy denyIfSameContent{
            apply firstApplicable
            /**
             * This rule will deny access if user.label contains at least 1 value that is also present
             * in object.label
             */
            rule denyIfSameContent{
                deny
                condition stringAtLeastOneMemberOf(user.label, object.label)
            }
        }
    }
    

    And here is the XACML/XML representation:

    <?xml version="1.0" encoding="UTF-8"?>
    <!-- This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). -->
    <!-- Any modification to this file will be lost upon recompilation of the source ALFA file -->
    <xacml3:Policy
        xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.denyIfSameContent"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        Version="1.0">
        <xacml3:Description>This policy checks the contents of the user
            label and the resource label.
            It will deny access if there is at least one value in the user label
            equal to at least one value in the resource label.
        </xacml3:Description>
        <xacml3:PolicyDefaults>
            <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
            </xacml3:XPathVersion>
        </xacml3:PolicyDefaults>
        <xacml3:Target />
        <xacml3:Rule Effect="Deny"
            RuleId="com.axiomatics.denyIfSameContent.denyIfSameContent">
            <xacml3:Description>This rule will deny access if user.label contains
                at least 1 value that is also present
                in object.label
            </xacml3:Description>
            <xacml3:Target />
            <xacml3:Condition>
                <xacml3:Apply
                    FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                    <xacml3:AttributeDesignator
                        AttributeId="com.axiomatics.user.label"
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        MustBePresent="false" />
                    <xacml3:AttributeDesignator
                        AttributeId="com.axiomatics.object.label"
                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        MustBePresent="false" />
                </xacml3:Apply>
            </xacml3:Condition>
        </xacml3:Rule>
    </xacml3:Policy>
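To see the function's semantics and the combining algorithm end to end, here is an added Python model of how a PDP evaluates the policy above. It is example code written for this page, not part of the answer and not AuthzForce or any other real PDP: it parses a trimmed, constructed copy of the XACML above with the standard library, evaluates `string-at-least-one-member-of` against a request, and applies `first-applicable`. It also shows a point the question glosses over: with only the Deny rule, a request whose labels do not overlap yields NotApplicable rather than Permit, so a trailing Permit rule (added here as an assumption about the intended policy; ALFA's `permit` rule would compile to it) is needed for the PERMIT outcome the question describes. Error handling is simplified: a missing `MustBePresent="true"` attribute raises instead of producing Indeterminate.

```python
import xml.etree.ElementTree as ET

NS = {"xacml3": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
AT_LEAST_ONE = "urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"

# Constructed, trimmed-down copy of the policy from the answer: same rule, same
# function, same attribute designators, first-applicable combining.
POLICY_XML = """<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="com.axiomatics.denyIfSameContent"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
  <xacml3:Target />
  <xacml3:Rule Effect="Deny" RuleId="denyIfSameContent">
    <xacml3:Target />
    <xacml3:Condition>
      <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <xacml3:AttributeDesignator AttributeId="com.axiomatics.user.label"
            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
        <xacml3:AttributeDesignator AttributeId="com.axiomatics.object.label"
            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
      </xacml3:Apply>
    </xacml3:Condition>
  </xacml3:Rule>
</xacml3:Policy>
"""

# Assumed extension: the same policy with a catch-all Permit rule appended, which is
# what "PERMIT if no match" needs under first-applicable.
POLICY_WITH_PERMIT_XML = POLICY_XML.replace(
    "</xacml3:Policy>",
    '  <xacml3:Rule Effect="Permit" RuleId="permitOtherwise"><xacml3:Target /></xacml3:Rule>\n'
    "</xacml3:Policy>",
)


def string_at_least_one_member_of(bag1, bag2):
    """XACML string-at-least-one-member-of: True iff some value of bag1 equals
    (case-sensitively) some value of bag2. An empty bag never matches."""
    second = set(bag2)
    return any(value in second for value in bag1)


def _bag(designator, request):
    """Resolve an AttributeDesignator to the bag of values the request carries."""
    key = (designator.get("Category"), designator.get("AttributeId"))
    values = list(request.get(key, []))
    if not values and designator.get("MustBePresent") == "true":
        # A real PDP returns Indeterminate here; the model simply raises.
        raise LookupError(f"missing required attribute {key}")
    return values


def _eval_condition(condition, request):
    """Evaluate a Condition whose top-level Apply is string-at-least-one-member-of."""
    apply = condition.find("xacml3:Apply", NS)
    if apply.get("FunctionId") != AT_LEAST_ONE:
        raise NotImplementedError(apply.get("FunctionId"))
    bags = [_bag(d, request) for d in apply.findall("xacml3:AttributeDesignator", NS)]
    return string_at_least_one_member_of(bags[0], bags[1])


def evaluate(policy_xml, request):
    """first-applicable: the first rule whose condition holds decides; none -> NotApplicable."""
    root = ET.fromstring(policy_xml)
    for rule in root.findall("xacml3:Rule", NS):
        condition = rule.find("xacml3:Condition", NS)
        applies = True if condition is None else _eval_condition(condition, request)
        if applies:
            return rule.get("Effect")
    return "NotApplicable"


def request_from_labels(subject_label, object_label):
    """Build a request context keyed by (category, AttributeId), as the designators expect."""
    return {
        (SUBJECT, "com.axiomatics.user.label"): list(subject_label),
        (RESOURCE, "com.axiomatics.object.label"): list(object_label),
    }


if __name__ == "__main__":
    overlap = request_from_labels(["i2", "i4", "i9"], ["i1", "i3", "i7", "i9"])
    disjoint = request_from_labels(["i2", "i4"], ["i1", "i3", "i7"])
    print(evaluate(POLICY_XML, overlap))              # Deny
    print(evaluate(POLICY_XML, disjoint))             # NotApplicable, not Permit
    print(evaluate(POLICY_WITH_PERMIT_XML, disjoint))  # Permit
```

The disjoint case is the one to check in a real deployment: whether NotApplicable becomes a permit or a deny depends on the enclosing policy set's combining algorithm and on the PEP's handling of NotApplicable, so the explicit Permit rule (or a deny-by-default wrapper) keeps the decision where the policy author can see it.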