authorization xacml abac xacml3 alfa

Is there a way to define variables externally from an XACML policy and refer to them from inside the policy rules?


I am using XACML with multiple policy sets and policies. These policies share the same variables, and I want to be able to define them in some kind of "global" dictionary. While it seems a rather basic requirement, I couldn't find any documentation, example or discussion about such an option. Is there any way to do so?

Thanks.


Solution

  • The only feature XACML provides OOTB is the notion of variable definitions and variable references. However, it doesn't fully do what you're looking for.

    For starters, variable definitions are defined globally but can only be used inside rules. You cannot use them inside targets. Variable definitions are made up of an XACML expression, i.e. anything that can be expressed in a condition (so a string, a function, and more).

    Variable definitions are defined within a policy and their visibility is scoped to that policy. This limits their usefulness.

    If you wanted a cross-policy variable / constant, you'd have to do that outside XACML, define your policies, and then post-process them to replace your placeholders with your values. If you work directly on XML, you could do that with XSLT for instance. Otherwise, it'll largely depend on the IDE you're using.

    Source: eXtensible Access Control Markup Language (XACML) Version 3.0 Plus Errata 01
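
The post-processing approach described in the answer, as an added example that is not part of the original answer: a shared dictionary is substituted into policy templates before deployment, and rendering fails if a template references an undefined name. The `${name}` placeholder syntax, the constant name `org.max_transfer`, the attribute id `example:amount` and the sample policy are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
ET.register_namespace("", XACML_NS)  # keep the default namespace on output
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][\w.]*)\}")  # assumed ${name} syntax

class UndefinedConstant(KeyError):
    """A template references a name missing from the shared dictionary."""

def _expand(text, constants):
    def repl(match):
        name = match.group(1)
        if name not in constants:
            # Fail closed: never emit a policy that compares against "${...}".
            raise UndefinedConstant(name)
        return str(constants[name])
    return PLACEHOLDER.sub(repl, text)

def render_policy(template_xml, constants):
    """Expand placeholders in element text and attribute values, then serialize.
    ElementTree escapes substituted values, so a constant cannot add markup."""
    root = ET.fromstring(template_xml)
    for elem in root.iter():
        if elem.text:
            elem.text = _expand(elem.text, constants)
        for key, value in list(elem.attrib.items()):
            elem.set(key, _expand(value, constants))
    return ET.tostring(root, encoding="unicode")

# Constructed sample data: one shared dictionary and one policy template.
CONSTANTS = {"org.max_transfer": "10000"}
TEMPLATE = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
  PolicyId="transfers" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Target/>
  <Rule RuleId="limit" Effect="Permit"><Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
          AttributeId="example:amount" MustBePresent="true"
          DataType="http://www.w3.org/2001/XMLSchema#integer"/>
      </Apply>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">${org.max_transfer}</AttributeValue>
    </Apply>
  </Condition></Rule>
</Policy>"""

if __name__ == "__main__":
    print(render_policy(TEMPLATE, CONSTANTS))
```

Running the same `render_policy` call over every template with one dictionary gives each policy identical values, and the rendered files are what gets loaded into the PDP.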