Subject: where's best place to enforce conditions
Hi,

Some of our application's resource access controls are based on business rule decisions. We can put the business rule decision as the condition of our security policy. I believe we have 3 options to enforce the condition:

1. Using environment matching.
2. Using the rule's condition.
3. Still using the rule's condition, with VariableDefinition and VariableReference.

My question is which way should be the best practice, or what people generally do for this situation. (I believe using environment matching is the easiest and most efficient way; using VariableDefinition if we apply the same condition within a policy multiple times. By the way, can we use VariableDefinition at PolicySet level for every policy within the same PolicySet?)

Any advice is highly appreciated.

Here's a sample:

* using variable definition

<!-- xmlns:xacml declaration added; the samples use VariableDefinition and Environments, so the prefix is assumed to be bound to the XACML 2.0 policy schema -->
<xacml:Policy xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    PolicyId="Permissions:for:account:manager:role"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <xacml:Target/>
  <!-- the business rule decision, evaluated once and referenced from the rule's Condition -->
  <xacml:VariableDefinition VariableId="urn:com:dfs:dd:security:access:control:business:rule:decision">
    <xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
        <xacml:EnvironmentAttributeDesignator
            AttributeId="urn:com:dfs:dd:security:access:control:business:rule:decision"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </xacml:Apply>
      <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">permit</xacml:AttributeValue>
    </xacml:Apply>
  </xacml:VariableDefinition>
  <xacml:Rule Effect="Permit" RuleId="Permission:account:information:product:modify">
    <xacml:Target>
      <xacml:Resources>
        <xacml:Resource>
          <xacml:ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">AccountInfomationProduct</xacml:AttributeValue>
            <xacml:ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
          </xacml:ResourceMatch>
        </xacml:Resource>
      </xacml:Resources>
      <xacml:Actions>
        <xacml:Action>
          <xacml:ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">modify</xacml:AttributeValue>
            <xacml:ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
          </xacml:ActionMatch>
        </xacml:Action>
      </xacml:Actions>
    </xacml:Target>
    <xacml:Condition>
      <xacml:VariableReference VariableId="urn:com:dfs:dd:security:access:control:business:rule:decision"/>
    </xacml:Condition>
  </xacml:Rule>
</xacml:Policy>

* using environment matching

<xacml:Rule Effect="Permit" RuleId="Permission:account:information:reward:program:modify">
  <xacml:Target>
    <xacml:Resources>
      <xacml:Resource>
        <xacml:ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">AccountInfomationRewardProgram</xacml:AttributeValue>
          <xacml:ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
        </xacml:ResourceMatch>
      </xacml:Resource>
    </xacml:Resources>
    <xacml:Actions>
      <xacml:Action>
        <xacml:ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">modify</xacml:AttributeValue>
          <xacml:ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
        </xacml:ActionMatch>
      </xacml:Action>
    </xacml:Actions>
    <!-- the business rule decision, matched as part of the Target -->
    <xacml:Environments>
      <xacml:Environment>
        <xacml:EnvironmentMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <!-- no whitespace inside the value: string-equal is an exact comparison -->
          <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">permit</xacml:AttributeValue>
          <xacml:EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
              AttributeId="urn:com:dfs:dd:security:access:control:business:rule:decision"/>
        </xacml:EnvironmentMatch>
      </xacml:Environment>
    </xacml:Environments>
  </xacml:Target>
</xacml:Rule>

* using rule's condition directly

<xacml:Rule Effect="Permit" RuleId="Permission:account:information:credit:limit:modify">
  <xacml:Target>
    <xacml:Resources>
      <xacml:Resource>
        <xacml:ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">AccountInfomationCreditLimit</xacml:AttributeValue>
          <xacml:ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
        </xacml:ResourceMatch>
      </xacml:Resource>
    </xacml:Resources>
    <xacml:Actions>
      <xacml:Action>
        <xacml:ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">modify</xacml:AttributeValue>
          <xacml:ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
        </xacml:ActionMatch>
      </xacml:Action>
    </xacml:Actions>
  </xacml:Target>
  <!-- the business rule decision, evaluated inline in the rule's Condition -->
  <xacml:Condition>
    <xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
        <xacml:EnvironmentAttributeDesignator
            AttributeId="urn:com:dfs:dd:security:access:control:business:rule:decision"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </xacml:Apply>
      <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">permit</xacml:AttributeValue>
    </xacml:Apply>
  </xacml:Condition>
</xacml:Rule>
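Added example, not part of the original post: a small Python model of how the environment-match style and the condition style in the samples above behave under XACML 2.0 rule evaluation, as I read spec sections 7.5 to 7.9 (Target match with the default MustBePresent="false" treats an empty bag as "No match" and succeeds if any bag value equals the literal; string-one-and-only in a Condition is Indeterminate unless the bag holds exactly one value). The attribute ids and the resource/action values are taken from the post; the request contexts are constructed for illustration. A VariableDefinition referenced from a Condition evaluates exactly like the inline Condition, so the two condition samples share one function here.

```python
"""Toy model of XACML 2.0 rule evaluation for the two enforcement styles.

Modelled semantics (my reading of the XACML 2.0 spec, sections 7.5-7.9):
  * Target <EnvironmentMatch>, designator with MustBePresent="false" (default):
    empty bag -> "No match" -> rule is NotApplicable; the match is True if
    *any* value in the bag equals the literal.
  * Rule <Condition> using string-one-and-only: a bag that does not hold
    exactly one value makes the function, and so the rule, Indeterminate.
A VariableDefinition/VariableReference pair behaves like the inline Condition.
"""
from typing import Dict, List, Optional

PERMIT, NOT_APPLICABLE, INDETERMINATE = "Permit", "NotApplicable", "Indeterminate"

# Attribute ids from the post's policy samples.
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
BUSINESS_RULE = "urn:com:dfs:dd:security:access:control:business:rule:decision"

Request = Dict[str, List[str]]  # attribute id -> bag of string values


def string_equal_match(bag: List[str], literal: str) -> str:
    """Target <...Match> with string-equal: True if any value in the bag equals literal.
    An empty bag (attribute not supplied, MustBePresent="false") is simply "No match"."""
    return "Match" if any(v == literal for v in bag) else "NoMatch"


def one_and_only_equal(bag: List[str], literal: str) -> str:
    """Condition: string-equal(string-one-and-only(bag), literal)."""
    if len(bag) != 1:
        return INDETERMINATE  # one-and-only on a bag of size != 1 is an error
    return "True" if bag[0] == literal else "False"


def evaluate_rule(effect: str, target: str, condition: Optional[str]) -> str:
    """Rule truth table: target result x condition result -> decision."""
    if target == INDETERMINATE:
        return INDETERMINATE
    if target == "NoMatch":
        return NOT_APPLICABLE
    if condition is None or condition == "True":
        return effect
    if condition == "False":
        return NOT_APPLICABLE
    return INDETERMINATE


def common_target(req: Request, resource: str, action: str) -> str:
    """The Resources/Actions part of the Target shared by all three samples."""
    if string_equal_match(req.get(RESOURCE_ID, []), resource) == "NoMatch":
        return "NoMatch"
    return string_equal_match(req.get(ACTION_ID, []), action)


def decide_environment_match(req: Request, resource: str, action: str) -> str:
    """Sample 2: business rule decision enforced as an <EnvironmentMatch> in the Target."""
    target = common_target(req, resource, action)
    if target == "Match":
        target = string_equal_match(req.get(BUSINESS_RULE, []), "permit")
    return evaluate_rule(PERMIT, target, None)


def decide_condition(req: Request, resource: str, action: str) -> str:
    """Samples 1 and 3: business rule decision enforced in a <Condition>,
    either inline or through a VariableReference (same evaluation)."""
    target = common_target(req, resource, action)
    condition = one_and_only_equal(req.get(BUSINESS_RULE, []), "permit")
    return evaluate_rule(PERMIT, target, condition)


def sample_requests() -> Dict[str, Request]:
    """Constructed request contexts: resource and action always match the rule's
    Target; only the business rule attribute varies."""
    base = {RESOURCE_ID: ["AccountInfomationProduct"], ACTION_ID: ["modify"]}
    return {
        "permit": {**base, BUSINESS_RULE: ["permit"]},
        "deny": {**base, BUSINESS_RULE: ["deny"]},
        "absent": dict(base),  # PIP did not supply the attribute at all
        "two-values": {**base, BUSINESS_RULE: ["deny", "permit"]},
    }


def compare() -> Dict[str, Dict[str, str]]:
    """Decision of each enforcement style for each constructed request."""
    out: Dict[str, Dict[str, str]] = {}
    for name, req in sample_requests().items():
        out[name] = {
            "environment-match": decide_environment_match(req, "AccountInfomationProduct", "modify"),
            "condition": decide_condition(req, "AccountInfomationProduct", "modify"),
        }
    return out


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:>10}: {row}")
```

The two styles agree when the attribute is present with a single value, but differ in the failure cases: when the PIP does not supply the business rule attribute, the Target style quietly returns NotApplicable while the Condition style returns Indeterminate, and when the attribute arrives as a bag of several values the Target style permits as soon as one of them is "permit" while the Condition style refuses to decide. For a rule whose whole purpose is to gate on that one attribute, the Condition style is the one that surfaces a broken or ambiguous input instead of hiding it, which matters if the enclosing combining algorithm or the PEP treats NotApplicable and Indeterminate differently. On the PolicySet question: in the XACML 2.0 schema VariableDefinition is a child of Policy only and a VariableReference must resolve within the same Policy, so a variable cannot be shared across the policies of a PolicySet.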