Subject: Re: [xacml-dev] Questions about RBAC profile of XACML


Hi,

I'm using XACML just for scientific purposes, but I also found the RBAC
profile complicated.

I decided to go for an "abac based rbac" approach, i.e., using the
strength of xacml: attributes.
The management of roles is done via the PAP which stores both the
user/role assignment, the available roles and the role hierarchy. The
"inelegant" part is that you have to calculate the hierarchy outside of
the xacml PDP; in case of deep hierarchies you will have to return a lot
of attribute values if a user has a very high role. However, you may
circumvent this drawback by introducing your own attribute value (data
type).

In my case, roles are seen as attributes and are resolved by an
AttributeDesignator, which retrieves them from the store. This allows a
- for my feeling - much more natural definition of rules and policies.
For example, to check if the user is in a specific role in a target
match, you simply write

<SubjectMatch
   MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 <SubjectAttributeDesignator AttributeId="urn:custom:subject:role"
    DataType="http://www.w3.org/2001/XMLSchema#string"/>
 <AttributeValue
    DataType="http://www.w3.org/2001/XMLSchema#string">
    clinician</AttributeValue>
</SubjectMatch>

I'm using roles only in the target match; if you would like to use roles in
the condition, you have to consider that the attribute designator will
return a bag of all roles; thus you have to write something like this
(not tested):

<Apply
   FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
 <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
 <SubjectAttributeDesignator AttributeId="urn:custom:subject:role"
    DataType="http://www.w3.org/2001/XMLSchema#string"/>
 <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
  clinician</AttributeValue>
 </Apply>
</Apply>

which is not really elegant, but for my feeling sufficient as it should
not be the regular case.

Regards,
  Helmut

On 08/19/2011 11:09 AM, romain guignard wrote:
> Hi all
> 
> I am currently working with XACML for demonstration purposes, and more
> exactly with the RBAC profile of XACML.
> In our use case, we have to write some rules as a function of users' roles
> and other attributes. For the moment, we use the RBAC profile for the
> elaboration of policies (one PPS and RPS for each role).
> 
> The RBAC profile is only used in order to have a hierarchy between roles.
> 
> In our case, rules are not only a function of user roles. This means
> that we have to write some rules that say, for example:
> In order to perform an action on a resource, you need to be a "Manager"
> (subject-role) OR to be an "Employee" (subject-role) AND to be located
> in "Paris" (subject-localisation). Moreover, I have a role hierarchy that
> describes, for example, that the role "BOSS" is superior to the role "Manager".
> In this case, only "Manager" and "Boss" can perform the action, while
> "Employees" need to be located in Paris.
> 
> In order to write this rule with the RBAC profile, I need to add two
> rules. One in the PPS for Manager and another in the Employee PPS, where
> I need to add an additional condition for location.
> In my opinion, the RBAC profile can be very difficult to manage in the
> case where you have many roles with a hierarchy and when your rules are
> not only role-centric.
> 
> I would like to know if some of you use this profile? Have you ever
> encountered this kind of rule?
> 
> Is it possible to implement the notion of role hierarchy with ABAC policies?
> 
> For example, would it be possible to have a particular attribute finder
> that was in charge of:
> 
> 1 - Retrieving the user's roles
> 2 - Retrieving the role hierarchy (moreover, the hierarchy could be declared in
> another Role Management system)
> 3 - Returning a bag that contains all the roles junior to the user's role
> 
> With this implementation, it would be possible to have a condition rule:
> 
> <Condition>
>   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
>     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">supervisor</AttributeValue>
>       <SubjectAttributeDesignator
>           SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>           AttributeId="subject-role-hiearchy-bag"
>           DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
>     </Apply>
>     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">employee</AttributeValue>
>         <SubjectAttributeDesignator
>             SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>             AttributeId="subject-role-hiearchy-bag"
>             DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
>       </Apply>
>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Paris</AttributeValue>
>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
>           <SubjectAttributeDesignator
>               SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
>               AttributeId="localisation"
>               DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
>         </Apply>
>       </Apply>
>     </Apply>
>   </Apply>
> </Condition>
> 
> I hope I was clear in my description.
> Thanks for your time.
> 
> Romain
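The attribute-finder approach both messages describe (Helmut's bag of roles resolved outside the PDP, and Romain's three-step finder that returns every role junior to the user's), as an added Python example that is not part of either message: a constructed Boss > Manager > Employee hierarchy taken from Romain's prose, the closure computation that produces the role bag, and a mirror of the quoted Condition (Manager, or Employee located in Paris) including XACML's short-circuiting `or` and the Indeterminate result when the localisation bag is empty. All role and attribute names are sample values, not anything from a real deployment.

```python
from collections import deque

# Constructed sample hierarchy (from Romain's prose): senior role -> directly junior roles.
ROLE_HIERARCHY = {
    "boss": {"manager"},
    "manager": {"employee"},
    "employee": set(),
}

def junior_roles(direct_roles, hierarchy=ROLE_HIERARCHY):
    """The bag the attribute finder hands to the PDP: the user's own roles plus
    every role reachable downward in the hierarchy (Helmut's 'calculate the
    hierarchy outside the PDP'). The visited check also makes a malformed,
    cyclic hierarchy terminate instead of looping forever."""
    bag, queue = set(), deque(direct_roles)
    while queue:
        role = queue.popleft()
        if role not in bag:
            bag.add(role)
            queue.extend(hierarchy.get(role, ()))
    return frozenset(bag)

def string_one_and_only(bag):
    """XACML string-one-and-only: Indeterminate (raised here) unless exactly one value."""
    if len(bag) != 1:
        raise ValueError("Indeterminate: bag must hold exactly one value")
    return next(iter(bag))

def condition(role_bag, localisation_bag):
    """Mirror of the quoted <Condition>, with Romain's prose role names:
       string-is-in("manager", roles)
         or (string-is-in("employee", roles)
             and string-equal("Paris", string-one-and-only(localisation)))
    XACML 'or' is True as soon as one argument is True, so a manager (or anyone
    whose bag contains 'manager') is permitted even when localisation is empty."""
    if "manager" in role_bag:
        return True
    return "employee" in role_bag and string_one_and_only(localisation_bag) == "Paris"

def decide(direct_roles, localisation=()):
    """Decision for a request carrying the user's direct roles and localisation values."""
    roles = junior_roles(direct_roles)
    try:
        return "Permit" if condition(roles, frozenset(localisation)) else "Deny"
    except ValueError:
        return "Indeterminate"

if __name__ == "__main__":
    for req in ({"boss"}, {"manager"}, {"employee"}):
        print(sorted(req), sorted(junior_roles(req)), decide(req, ["Lyon"]), decide(req, ["Paris"]))
```

Note how a boss is permitted anywhere only because the finder expanded "boss" into a bag that also holds "manager"; with a deep hierarchy that bag grows with every level, which is the drawback Helmut mentions.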
