Re: [xacml-dev] XACML RBAC Profile

[David Brossard <david.brossard@axiomatics.com>]

Inside your condition you could use an And function to combine:

(a) you must have role SeniorAdmin1
AND
(b) you must have value X > threshold

If threshold is a static value or X is a static value, you could also express the comparison in the target. Note that you can also express the role check inside the target too.

Here is sample XACML code which implements what you aim to achieve.

<xacml2:Rule RuleId="_SwitchOn" Effect="Permit" xmlns:xacml2="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
     <xacml2:Target>
          <xacml2:Actions>
               <xacml2:Action>
                    <xacml2:ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                         <xacml2:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SwitchOn</xacml2:AttributeValue>
                         <xacml2:ActionAttributeDesignator  AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </xacml2:ActionMatch>
               </xacml2:Action>
          </xacml2:Actions>
     </xacml2:Target>
     <xacml2:Condition >
          <xacml2:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
               <xacml2:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <xacml2:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                         <xacml2:SubjectAttributeDesignator SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="role" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </xacml2:Apply>
                    <xacml2:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SeniorAdmin1</xacml2:AttributeValue>
               </xacml2:Apply>
               <xacml2:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
                    <xacml2:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
                         <xacml2:SubjectAttributeDesignator SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="user-value" DataType="http://www.w3.org/2001/XMLSchema#integer"/>
                    </xacml2:Apply>
                    <xacml2:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
                         <xacml2:ResourceAttributeDesignator  AttributeId="threshold" DataType="http://www.w3.org/2001/XMLSchema#integer"/>
                    </xacml2:Apply>
               </xacml2:Apply>
          </xacml2:Apply>
     </xacml2:Condition>
</xacml2:Rule>

Note though that in the RBAC profile, actual permissions are separated from role matching. In your case you check the role in the same rule as where you check other attributes e.g. the action. It doesn't look like the RBAC profile (profile here: http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os.pdf).

From an implementation perspective, there is a wide range of XACML engines that implement XACML 2.0 such as Axiomatics (vendor) or PicketBox, WS02, SICSACML, or SunXACML (all open source and freely available).

I hope this helps,
David.

On Tue, Sep 27, 2011 at 10:17 AM, Ali Ahmed <ali.fci@gmail.com> wrote:

Dear All,

I have a small problem need to work out a solution for basically for my academic research. I am using an XACML policy file like this (the RBAC profile)

I need to add another data item called Threshold which is an integer number. Thus no SeniorAdmin1 role will be granted the resource unless bigger value than Threshold is provided.

Where Can I put that and how? Is there any implementation I can use?

Best wishes

Ali

-- 
David Brossard, M.Eng, SCEA, CSTP
VP Product Marketing & Customer Relations
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden
http://www.linkedin.com/companies/536082
http://www.axiomatics.com
http://twitter.com/axiomatics