xacml-users message

Subject: Re: [xacml-users] Problem with an or function


Hi Valerie,

You need to define your original rule in a clearer way. What are you trying to achieve?

You claim profile1>10 gives Permit OR profile2>10 gives Permit.

What if profile1>10 and profile2<10? Do you also want Permit?

If you want to return Permit if at least one of the 2 statements is true regardless of what the other statement is, then create a simple rule as follows:

<xacml3:Rule RuleId="profile1-2" Effect="Permit" xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
     <xacml3:Description>allow if either profile1 is greater than 10 or profile2 is greater than 10</xacml3:Description>
     <xacml3:Target>
          <xacml3:AnyOf>
               <xacml3:AllOf>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than">
                         <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">10</xacml3:AttributeValue>
                         <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"  AttributeId="profile2" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
                    </xacml3:Match>
               </xacml3:AllOf>
               <xacml3:AllOf>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than">
                         <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">10</xacml3:AttributeValue>
                         <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"  AttributeId="profile1" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
                    </xacml3:Match>
               </xacml3:AllOf>
          </xacml3:AnyOf>
     </xacml3:Target>
</xacml3:Rule>


With the rule expressed as above, using a Target and two AllOf nodes inside an AnyOf node, you do not need to use conditions, which makes the rule simpler.

If you send profile1=5 you get NotApplicable
If you send profile2=5 you get NotApplicable
If you send profile1=5 and profile2=5 you get NotApplicable
If you send profile1=15 and profile2=5 you get Permit
If you send profile1=5 and profile2=15 you get Permit
If you send profile1=15 and profile2=15 you get Permit

You can get rid of NotApplicable by using the deny-unless-permit (3.0) combining algorithm.

I hope this helps,
David.

On Thu, Jan 27, 2011 at 5:32 PM, <valerie.bauche@bull.net> wrote:

Hello

I want to express a quite simple rule:
profile1>10 or profile2>10

Here is the corresponding XACML:

<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
  <Apply FunctionId="urn:bxss:xacml:string-greater-than-or-equals">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
      <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:SAML:2.0:attrname-format:basic:profile1" DataType="http://www.w3.org/2001/XMLSchema#string"></SubjectAttributeDesignator>
    </Apply>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">10</AttributeValue>
  </Apply>
  <Apply FunctionId="urn:bxss:xacml:string-greater-than-or-equals">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
      <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:SAML:2.0:attrname-format:basic:profile2" DataType="http://www.w3.org/2001/XMLSchema#string"></SubjectAttributeDesignator>
    </Apply>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">10</AttributeValue>
  </Apply>
</Condition>

If I come with profile1=20: the result is PERMIT

If I come with profile2=20: the result is DENY !!!!!

I think that the following happened:
If I have profile2=20 and no profile1 at all, the function first tries to evaluate profile1, and string-one-and-only fails because profile1 does not exist. Then the evaluation cannot be done, the whole process fails, and we don't even try to evaluate the second possibility with profile2.

Am I right?

What could be the solution to handle such a problem?

Valerie



--
David Brossard, M.Eng, SCEA, CSTP
Solutions Architect
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden
http://www.linkedin.com/companies/536082
http://www.axiomatics.com
http://twitter.com/axiomatics
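To see why the Target-based Rule in the reply above returns NotApplicable for a missing attribute instead of failing, here is a small evaluator that implements just the subset of XACML 3.0 the rule needs (Match, AllOf/AnyOf tri-state tables, MustBePresent). This is an added example, not code from the thread or from any XACML product; the request is a constructed dict mapping each AttributeId to the bag (list) of its values, and the rule text is generated by a helper so that MustBePresent can be flipped to compare both behaviours.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
INT = "http://www.w3.org/2001/XMLSchema#integer"
LT = "urn:oasis:names:tc:xacml:1.0:function:integer-less-than"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
FUNCS = {LT: lambda a, b: a < b}  # only the function this rule needs

def match_xml(attr_id, must="false"):
    # integer-less-than(10, <attr>) is XACML's way of writing <attr> > 10
    return (f'<Match MatchId="{LT}"><AttributeValue DataType="{INT}">10</AttributeValue>'
            f'<AttributeDesignator Category="{SUBJECT}" AttributeId="{attr_id}" '
            f'DataType="{INT}" MustBePresent="{must}"/></Match>')

def rule_xml(must="false"):
    # Same shape as the Rule in the reply: one AnyOf holding two AllOf branches
    return (f'<Rule xmlns="{NS}" RuleId="profile1-2" Effect="Permit"><Target><AnyOf>'
            f'<AllOf>{match_xml("profile2", must)}</AllOf>'
            f'<AllOf>{match_xml("profile1", must)}</AllOf></AnyOf></Target></Rule>')

def eval_match(match, request):
    """Apply MatchId to (literal, v) for each v in the designator's bag. An absent
    attribute is an empty bag, so the Match is simply False; only MustBePresent="true"
    turns absence into Indeterminate (None). request: {AttributeId: [values]}."""
    literal = int(match.find(f"{{{NS}}}AttributeValue").text)
    desig = match.find(f"{{{NS}}}AttributeDesignator")
    bag = request.get(desig.get("AttributeId"), [])
    if not bag and desig.get("MustBePresent") == "true":
        return None
    return any(FUNCS[match.get("MatchId")](literal, v) for v in bag)

def combine(results, need_all):
    # Tri-state AllOf/AnyOf tables (XACML 3.0 sec. 7.7); None = Indeterminate
    if need_all:
        return False if False in results else (None if None in results else True)
    return True if True in results else (None if None in results else False)

def evaluate(rule_text, request):
    """Rule decision from its Target: Match -> Effect, No match -> NotApplicable."""
    rule = ET.fromstring(rule_text)
    anyof = rule.find(f"{{{NS}}}Target/{{{NS}}}AnyOf")
    target = combine([combine([eval_match(m, request) for m in allof], True)
                      for allof in anyof], False)
    if target is None:
        return "Indeterminate"
    return rule.get("Effect") if target else "NotApplicable"

def deny_unless_permit(decision):
    """The 3.0 combining algorithm named in the reply: anything but Permit is Deny."""
    return "Permit" if decision == "Permit" else "Deny"
```

With MustBePresent="false" the six request shapes listed in the reply give exactly the decisions stated there; switching it to "true" reproduces the missing-attribute Indeterminate that the original Condition ran into.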


