xacml-dev message



Subject: Re: [xacml-dev] Questions about RBAC profile of XACML


Hi Romain,

Please find some elements of response inline.

On Fri, Aug 19, 2011 at 11:09 AM, romain guignard <rom1.guignard@gmail.com> wrote:
Hi all

I am currently working with XACML for demonstration purposes, and more precisely with the RBAC profile of XACML.
In our use case, we have to write some rules as a function of users' roles and other attributes. For the moment, we use the RBAC profile for the elaboration of policies (one PPS and RPS for each role).

The RBAC profile is only used in order to have a hierarchy between roles.
The goal of the RBAC profile of XACML is to provide a strict RBAC implementation using XACML as a language. It is not necessarily the best approach especially if you want to start opening up to new attributes as seems to be the case.

In our case, rules are not only a function of user roles. This means that we have to write some rules that say, for example:
In order to perform an action on a resource, you need to be a "Manager" (subject-role) OR to be an "Employee" (subject-role) AND to be located in "Paris" (subject-localisation). Moreover, I have a role hierarchy that describes, for example, that the role "Boss" is superior to the role "Manager".
In this case, only "Manager" and "Boss" can perform the action, while "Employees" need to be located in Paris.

In order to write this rule with the RBAC profile, I need to add two rules. One in the PPS for Manager and another in the Employee PPS  where I need to add an additional condition for location.
In my opinion, the RBAC profile can be very difficult to manage in the case where you have many roles with a hierarchy and when your rules are not only role-centric.

I would like to know if some of you use this profile. Have you ever encountered this kind of rule?
Some of our customers did implement the RBAC profile in initial phases and then moved to a more global ABAC approach.

Is it possible to implement the notion of role hierarchy with ABAC policies?
Yes of course it is. As Helmut points out, a role is just another attribute.

For example, would it be possible to have a particular attribute finder that was in charge of :

1 - Retrieve users roles
2 - Retrieve the role hierarchy (moreover, the hierarchy could be declared in another role management system)
3 - Return a bag that contains all the roles junior to the user's role
Yes it is. In one of the integration demonstrators at Axiomatics, we use Radiant Logic Virtual Directory Server to retrieve user roles for a given user. Some of the underlying data sources VDS deals with can contain a role hierarchy, and therefore our attribute finder (or policy information point) can also retrieve that information to make decisions based on the seniority of a role.


With this implementation, it would be possible to have a condition rule :

<Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
        <!-- string-is-in(value, bag) takes the string and the bag directly and returns a boolean;
             wrapping it in string-equal would compare a string against a boolean, which does not type-check -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">supervisor</AttributeValue>
            <SubjectAttributeDesignator SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="subject-role-hiearchy-bag" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">employee</AttributeValue>
                <SubjectAttributeDesignator SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="subject-role-hiearchy-bag" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
            </Apply>
            <!-- localisation is single-valued: reduce the bag with string-one-and-only before comparing -->
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Paris</AttributeValue>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                    <SubjectAttributeDesignator SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="localisation" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
                </Apply>
            </Apply>
        </Apply>
    </Apply>
</Condition>
At a glance the condition seems fine. If you send me the policy I can load it in my editor and check it. Using multiple attributes is definitely the way to proceed in ABAC (and therefore in XACML). It leads to more efficient and relevant rules & policies.

I hope I was clear in my description.

Thanks for your time.

Romain



--
David Brossard, M.Eng, SCEA, CSTP
VP Product Marketing & Customer Relations
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden
http://www.linkedin.com/companies/536082
http://www.axiomatics.com
http://twitter.com/axiomatics
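The attribute-finder idea discussed above (retrieve the user's roles, retrieve the role hierarchy, return the bag of all junior roles) and the condition Romain posted, worked through as an added example. This is not code from the thread, from Axiomatics or from Radiant Logic; the role hierarchy, the user store, the attribute names and every function name below are constructed for illustration. It models the XACML semantics of or, and, string-is-in and string-one-and-only closely enough to show the case a practitioner should check: an employee whose localisation attribute is absent (MustBePresent="false") does not get NotApplicable but Indeterminate, because string-one-and-only on an empty bag is Indeterminate and the or has no True branch to short-circuit on.

```python
# Added example, not from the original thread: a toy policy information point
# (PIP) that expands a user's roles through a role hierarchy into the
# "subject-role-hierarchy-bag", plus an evaluator for Romain's condition
# (manager, or employee located in Paris) with XACML-style Indeterminate handling.
from typing import Callable, Dict, FrozenSet, Iterable, Set

# Constructed sample hierarchy: senior role -> roles it is directly superior to.
ROLE_HIERARCHY: Dict[str, Set[str]] = {
    "boss": {"manager"},
    "manager": {"employee"},
    "employee": set(),
}

# Constructed sample user store: assigned roles and a possibly absent location.
USERS: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"role": {"boss"}, "localisation": {"Stockholm"}},
    "bob": {"role": {"employee"}, "localisation": {"Paris"}},
    "carol": {"role": {"employee"}, "localisation": {"Lyon"}},
    "dave": {"role": {"employee"}, "localisation": set()},  # attribute absent
}


class Indeterminate(Exception):
    """Raised where the corresponding XACML function evaluates to Indeterminate."""


def junior_roles(assigned: Iterable[str], hierarchy: Dict[str, Set[str]]) -> FrozenSet[str]:
    """PIP step 3: the user's own roles plus every role reachable downward.

    Iterative depth-first walk, so a cycle in a mis-configured hierarchy
    terminates instead of recursing forever.
    """
    seen: Set[str] = set()
    stack = list(assigned)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(hierarchy.get(role, ()))
    return frozenset(seen)


def role_hierarchy_bag(user: str) -> FrozenSet[str]:
    """PIP steps 1-3: look up the user's assigned roles, expand through the hierarchy."""
    return junior_roles(USERS[user]["role"], ROLE_HIERARCHY)


# Minimal models of the XACML 1.0 functions the condition uses.
def string_is_in(value: str, bag: FrozenSet[str]) -> bool:
    return value in bag


def string_one_and_only(bag: Iterable[str]) -> str:
    items = list(bag)
    if len(items) != 1:
        raise Indeterminate(f"string-one-and-only on a bag of size {len(items)}")
    return items[0]


def xacml_or(*branches: Callable[[], bool]) -> bool:
    """Left to right; True short-circuits. Indeterminate only if no branch was True."""
    indeterminate = False
    for branch in branches:
        try:
            if branch():
                return True
        except Indeterminate:
            indeterminate = True
    if indeterminate:
        raise Indeterminate("or: no True branch and an Indeterminate branch")
    return False


def xacml_and(*branches: Callable[[], bool]) -> bool:
    """Left to right; False short-circuits. Indeterminate only if no branch was False."""
    indeterminate = False
    for branch in branches:
        try:
            if not branch():
                return False
        except Indeterminate:
            indeterminate = True
    if indeterminate:
        raise Indeterminate("and: no False branch and an Indeterminate branch")
    return True


def evaluate(user: str) -> str:
    """Romain's condition over the expanded role bag. A False condition makes
    the rule NotApplicable; an Indeterminate one makes it Indeterminate."""
    roles = role_hierarchy_bag(user)
    location = frozenset(USERS[user].get("localisation", set()))
    try:
        permitted = xacml_or(
            lambda: string_is_in("manager", roles),
            lambda: xacml_and(
                lambda: string_is_in("employee", roles),
                lambda: string_one_and_only(location) == "Paris",
            ),
        )
    except Indeterminate:
        return "Indeterminate"
    return "Permit" if permitted else "NotApplicable"


if __name__ == "__main__":
    for name in USERS:
        print(f"{name:6} bag={sorted(role_hierarchy_bag(name))} -> {evaluate(name)}")
```

Alice gets Permit through the expanded bag (boss inherits manager) without any rule mentioning "boss", which is the point of putting the hierarchy in the PIP rather than in the policy; Dave's missing localisation surfaces as Indeterminate, so the enclosing policy's combining algorithm, not this rule, decides what the PEP finally sees.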


