xacml-users message



Subject: xacml v2, multiple resources but not multiple decisions


Hi,
 

My question is basically about the situation where we need to make a decision based on multiple resources.

We have an application and use an XACML v2 spec implementation to control access to the application's resources. We have a situation where the access decision for a resource requires multiple other resources as inputs.

For example, we have the following resources:
application id
page id
view id
functional area id
account balance

We would like to make a decision on whether an agent can modify the account balance, so we have a permission such as:
a subject - agent, e.g. plays the account manager role
a resource - account balance
an action - modify

But in order to make the access control decision, we also need to have other resources which are the context that defines what the account balance refers to. Those are:
application id
page id
view id
functional area id
Those resources can also be used separately; for example, application id can be used to decide if an agent can access the application, or page id can be used to decide if an agent can access a specific page.
 
We have two options for the modify permission:
Option 1.
a subject - agent, e.g. plays the account manager role
a resource - has the following attributes: application id, page id, view id, functional area id, and account balance
an action - modify

Option 2.
a subject - agent, e.g. plays the account manager role
resource 1 - application id
resource 2 - page id
resource 3 - view id
resource 4 - functional area id
resource 5 - account balance (this is the resource on which the access decision will be made)
an action - modify

I know Option 1 would work with an XACML v2 implementation. I have the following questions about Option 2:
1. Can we make Option 2 a valid use case in compliance with the XACML v2 spec, i.e. could we use the XACML v2 spec to define an XACML policy and request that achieve Option 2?
2. From an implementation point of view, Option 2 has an advantage, i.e. for an access query within the same context we do not need to set all the repeated attributes to create a resource; instead we just create a resource with a new attribute. Is this really an advantage, or is it a wrong impression?
3. For either Option 1 or Option 2, we have to use the XACML spec defined resource id, urn:oasis:names:tc:xacml:1.0:resource:resource-id, to define the attribute for the account balance on which the access decision is made. Am I right? For Option 2, what id should be used to define the resources application id, page id, view id and functional area id, which can be used as separate resources to make access decisions too?

 

I would highly appreciate your views on the issue.

 

thanks

hao
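Editor's added example, not code from hao's message or from any reply on the list. It shows the Option 1 shape in concrete XACML 2.0 XML: one <Resource> element carrying the standard resource-id for the account balance plus the application, page, view and functional-area identifiers as ordinary resource attributes, a Rule whose Target ANDs a ResourceMatch on each of them, and a small Target matcher that mimics what a PDP compares. The urn:example:* AttributeIds, the role attribute value and the sample values (banking, account-details, balance-view, retail) are assumptions made for the example; the two namespaces and the resource-id, action-id, role and string-equal identifiers are the ones defined by the XACML 2.0 core specification.

```python
# Added example, not code from the original post: an XACML 2.0 Request in the
# Option 1 shape, a Rule constraining every contextual attribute, and a minimal
# Target matcher showing what a PDP compares.
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"  # request namespace
POL = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"   # policy namespace
STR = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
# Standard identifiers from the XACML 2.0 core specification.
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
# Assumed, application-defined identifiers for the contextual resources.
APP_ID = "urn:example:resource:application-id"
PAGE_ID = "urn:example:resource:page-id"
VIEW_ID = "urn:example:resource:view-id"
AREA_ID = "urn:example:resource:functional-area-id"

def _attr(aid, value):  # one request <Attribute> with a single string value
    return (f'<Attribute AttributeId="{aid}" DataType="{STR}">'
            f'<AttributeValue>{value}</AttributeValue></Attribute>')

def request_xml(view_id="balance-view"):
    """Option 1: one <Resource> whose attributes carry the whole context.
    resource-id names the thing decided on; the rest are plain attributes."""
    return f"""<Request xmlns="{CTX}">
  <Subject>{_attr(ROLE, 'account-manager')}</Subject>
  <Resource>
    {_attr(RESOURCE_ID, 'account-balance')}
    {_attr(APP_ID, 'banking')}
    {_attr(PAGE_ID, 'account-details')}
    {_attr(VIEW_ID, view_id)}
    {_attr(AREA_ID, 'retail')}
  </Resource>
  <Action>{_attr(ACTION_ID, 'modify')}</Action>
  <Environment/>
</Request>"""

def _match(kind, aid, value):  # <SubjectMatch>/<ResourceMatch>/<ActionMatch>
    return (f'<{kind}Match MatchId="{STRING_EQUAL}">'
            f'<AttributeValue DataType="{STR}">{value}</AttributeValue>'
            f'<{kind}AttributeDesignator AttributeId="{aid}" DataType="{STR}"/>'
            f'</{kind}Match>')

# The *Match elements inside one <Resource> are ANDed, so this rule applies
# only to the account balance as seen in this application/page/view/area.
RULE = f"""<Rule xmlns="{POL}" RuleId="modify-account-balance" Effect="Permit">
  <Target>
    <Subjects><Subject>{_match('Subject', ROLE, 'account-manager')}</Subject></Subjects>
    <Resources><Resource>
      {_match('Resource', RESOURCE_ID, 'account-balance')}
      {_match('Resource', APP_ID, 'banking')}
      {_match('Resource', PAGE_ID, 'account-details')}
      {_match('Resource', VIEW_ID, 'balance-view')}
      {_match('Resource', AREA_ID, 'retail')}
    </Resource></Resources>
    <Actions><Action>{_match('Action', ACTION_ID, 'modify')}</Action></Actions>
  </Target>
</Rule>"""

def request_bags(xml):
    """Collect the request into {category: {AttributeId: set(values)}}."""
    root = ET.fromstring(xml)
    bags = {}
    for cat in ("Subject", "Resource", "Action", "Environment"):
        for elem in root.findall(f"{{{CTX}}}{cat}"):
            bag = bags.setdefault(cat, {})
            for a in elem.findall(f"{{{CTX}}}Attribute"):
                values = {v.text for v in a.findall(f"{{{CTX}}}AttributeValue")}
                bag.setdefault(a.get("AttributeId"), set()).update(values)
    return bags

def _match_holds(m, bag):
    """A *Match holds if the literal equals at least one value in the bag."""
    if m.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError("only string-equal is implemented here")
    literal = m.find(f"{{{POL}}}AttributeValue").text
    designator = next(c for c in m if c.tag.endswith("AttributeDesignator"))
    return literal in bag.get(designator.get("AttributeId"), set())

def target_matches(rule_xml, bags):
    """XACML 2.0 Target semantics: every section present (Subjects, Resources,
    Actions) needs one alternative whose *Match elements all hold."""
    target = ET.fromstring(rule_xml).find(f"{{{POL}}}Target")
    for cat in ("Subject", "Resource", "Action"):
        section = target.find(f"{{{POL}}}{cat}s")
        if section is None:  # an absent section matches any request
            continue
        bag = bags.get(cat, {})
        if not any(all(_match_holds(m, bag) for m in alt.findall(f"{{{POL}}}{cat}Match"))
                   for alt in section.findall(f"{{{POL}}}{cat}")):
            return False
    return True

def decide(request):
    """The single decision a PDP would return for this one-<Resource> request."""
    return "Permit" if target_matches(RULE, request_bags(request)) else "NotApplicable"
```

`decide(request_xml())` yields Permit; changing only the view id (`decide(request_xml("summary-view"))`) yields NotApplicable, because the view ResourceMatch no longer holds while the resource-id match still does. Two points this makes concrete for question 3: only the resource being decided on needs the standard resource-id, and the contextual identifiers are free-form AttributeIds chosen by the application, which the same policy set can also match on their own in separate rules (a rule targeting only the application-id attribute, for instance). Putting several <Resource> elements into one Request, as in Option 2, is the territory of the separate XACML Multiple Resource Profile, which produces one decision per resource rather than a single decision about the account balance.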

 
 

