[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml-dev] XACML Target matching question
- Is it possible that two policies have the same target in one PDP?
- Yes of course, it's quite possible and it makes business sense in many scenarios (see below for examples).
- If yes then which policy is selected by the PDP?
- It depends on the policy combining algorithm (see the spec for a definition - 2.3 Combining algorithms). Both could potentially be evaluated. See the more detailed explanation below.
In a more formal way, if one takes the time to read through the spec (accessible here: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-cs-01-en.pdf), you will find interesting items.
First of all there are 3 top-level policy elements: <Rule>, <Policy> and <PolicySet>. (quoting the spec directly). The basis for an authorization decision is a policy which contains the combining algorithm for the rules. The policy set is simply a means of combining several policies into a single combined policy.
Reading further down in the XACML spec, in the Functional Requirements chapter which dictates how evaluation should proceed, section 7.15 "Authorization Decision" explains exactly how a decision should be reached whether there are multiple policies that can be matched or not:
In relation to a particular decision request, the PDP is defined by a policy-combining algorithm and a set of policies and/or policy sets. The PDP SHALL return a response context as if it had evaluated a single policy set consisting of this policy-combining algorithm and the set of policies and/or policy sets.
The PDP MUST evaluate the policy set as specified in Sections 5 and 7. The PDP MUST return a response context, with one <Decision> element of value "Permit", "Deny", "Indeterminate" or "NotApplicable".
If the PDP cannot make a decision, then an "Indeterminate" <Decision> element SHALL be returned.
The paragraph above highlights one very important point: the PDP must always have a policy-combining algorithm at the very top. Any XACML 3.0 implementation should respect that. It then considers all the top policies (policy sets) as if they were within a policy set with the combining algorithm defined at the very top.
Finally, after reading through the spec, I could not see any mention of a default combining algorithm as Doron suggested it.
It is a requirement that the PDP consider all root policies as if they were children of a single policy set as described in section 7.15 but the choice of combining algorithm is down to the implementation.
Helmut is quite right in highlighting the following: "If the two policies are top level policies and there is no combining algorithm, you should get an error from your PDP". Section 7.15 stipulates that there must be a combining algorithm.
Note that choosing a PDP that forces you to use only-one-applicable has considerable limitations. Section C.9 describes its behavior: if two policies combined with only-one-applicable match an incoming request, the PDP is forced to return Indeterminate. However, this would make enterprise scenarios fail where for instance 2 policies have the same target simply because one addresses enterprise-wide requirements such as "out-of-office hours" whereas the other policy could address direct business requirements e.g. "access to sensitive information".
Being able to segregate policies on different planes (enterprise-wide policies about hours of work, geo-location, SoD, PCI-DSS on one hand and business-specific policies on the other) is one of the strengths of 100% XACML solutions and fine-grained access control. The ability to choose the combining algorithm gives you that flexibility and strength.
I hope this helps clarify the situation.
David Brossard, M.Eng, SCEA, CSTP
+46(0)760 25 85 75
S-111 30 Stockholm, Sweden
http://twitter.com/axiomatics2011/7/17 Doron Grinstein
Multiple policies can have the same target in the same PDP. How their decision results are combined is determined by their parent policy-set’s policy combining algorithm.
If there is no parent policy set (because you have configured the PDP to take multiple root policies), then the PDP will behave as though the multiple root policies were the children of a policy set with a policy combining algorithm of “only one applicable”. (I don’t recall offhand if this is a requirement of the XACML spec or just a recommendation, you’d need to check the spec doc)
In the situation you described, if the PDP were forced to work with multiple root policies, every request would return “Indeterminate” because more than one policy is applicable and that is not acceptable under the implicit “only one applicable” policy combining algorithm.
A PDP instance must have a single root policy(set) to evaluate requests against. If you give the PDP multiple root policies, it will behave as though it created an in-memory policy set to contain the given policies. I hope this brief explanation helps answer your question.
From: Security Developer [mailto:firstname.lastname@example.org]
Sent: Saturday, July 16, 2011 2:43 AM
Subject: [xacml-dev] XACML Target matching question
I have a question regarding XACML target matching.
1 - Is it possible that two policies have the same target in one PDP? suppose
Is the above case possible? if yes then which policy is selected by the PDP?
Thanks for your time.