xacml-users message
Subject: where's best place to enforce conditions


Hi,

Some of our application's resource access controls are based on business rule decisions. We can put the business rule decision as the condition of our security policy. I believe we have 3 options to enforce the condition:
1. Using environment matching.
2. Using the rule's condition.
3. Still using the rule's condition, with VariableDefinition and VariableReference.

My question is which way is the best practice, or what people generally do in this situation. (I believe using environment matching is the easiest and most efficient way; using VariableDefinition if we apply the same condition within a policy multiple times. By the way, can we use VariableDefinition at PolicySet level for every policy within the same PolicySet?)

Any advice is highly appreciated.

Here's a sample:

* using variable definition

<xacml:Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
  PolicyId="Permissions:for:account:manager:role">
  <xacml:Target/>
  <!-- Policy-level variable: true when the PIP-supplied business rule decision is "permit" -->
  <xacml:VariableDefinition VariableId="urn:com:dfs:dd:security:access:control:business:rule:decision">
    <xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
        <xacml:EnvironmentAttributeDesignator
          AttributeId="urn:com:dfs:dd:security:access:control:business:rule:decision"
          DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </xacml:Apply>
      <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">permit</xacml:AttributeValue>
    </xacml:Apply>
  </xacml:VariableDefinition>
  <xacml:Rule Effect="Permit" RuleId="Permission:account:information:product:modify">
    <xacml:Target>
      <xacml:Resources>
        <xacml:Resource>
          <xacml:ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">AccountInfomationProduct</xacml:AttributeValue>
            <xacml:ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
          </xacml:ResourceMatch>
        </xacml:Resource>
      </xacml:Resources>
      <xacml:Actions>
        <xacml:Action>
          <xacml:ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">modify</xacml:AttributeValue>
            <xacml:ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
          </xacml:ActionMatch>
        </xacml:Action>
      </xacml:Actions>
    </xacml:Target>
    <!-- The rule's condition is just a reference to the policy-level variable -->
    <xacml:Condition>
      <xacml:VariableReference VariableId="urn:com:dfs:dd:security:access:control:business:rule:decision"/>
    </xacml:Condition>
  </xacml:Rule>
</xacml:Policy>

* using environment matching
  <xacml:Rule Effect="Permit" RuleId="Permission:account:information:reward:program:modify">
    <xacml:Target>
      <xacml:Resources>
        <xacml:Resource>
          <xacml:ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">AccountInfomationRewardProgram</xacml:AttributeValue>
            <xacml:ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
          </xacml:ResourceMatch>
        </xacml:Resource>
      </xacml:Resources>
      <xacml:Actions>
        <xacml:Action>
          <xacml:ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">modify</xacml:AttributeValue>
            <xacml:ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
          </xacml:ActionMatch>
        </xacml:Action>
      </xacml:Actions>
      <!-- The business rule decision is matched in the target, no Condition needed -->
      <xacml:Environments>
        <xacml:Environment>
          <xacml:EnvironmentMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <!-- keep "permit" on one line: whitespace inside AttributeValue is part of the xs:string -->
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">permit</xacml:AttributeValue>
            <xacml:EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
              AttributeId="urn:com:dfs:dd:security:access:control:business:rule:decision"/>
          </xacml:EnvironmentMatch>
        </xacml:Environment>
      </xacml:Environments>
    </xacml:Target>
  </xacml:Rule>

* using rule's condition directly

  <xacml:Rule Effect="Permit" RuleId="Permission:account:information:credit:limit:modify">
    <xacml:Target>
      <xacml:Resources>
        <xacml:Resource>
          <xacml:ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">AccountInfomationCreditLimit</xacml:AttributeValue>
            <xacml:ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
          </xacml:ResourceMatch>
        </xacml:Resource>
      </xacml:Resources>
      <xacml:Actions>
        <xacml:Action>
          <xacml:ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">modify</xacml:AttributeValue>
            <xacml:ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
          </xacml:ActionMatch>
        </xacml:Action>
      </xacml:Actions>
    </xacml:Target>
    <!-- Same check as the variable definition, written inline in this rule's Condition -->
    <xacml:Condition>
      <xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <xacml:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <xacml:EnvironmentAttributeDesignator
            AttributeId="urn:com:dfs:dd:security:access:control:business:rule:decision"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </xacml:Apply>
        <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">permit</xacml:AttributeValue>
      </xacml:Apply>
    </xacml:Condition>
  </xacml:Rule>
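An added example, not part of the original post: a minimal Python evaluator for the rule shapes shown above (Target matches, an inline Condition, and a Condition that references a Policy-level VariableDefinition). It assumes the XACML 2.0 policy namespace and a request modelled as a dict of attribute bags keyed by category; the constructed sample policy also keeps a line break inside one AttributeValue, as the second sample above does, to show that string-equal on xs:string does not trim, so that EnvironmentMatch never matches "permit".

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"   # XACML 2.0 policy namespace (assumption)
FN = "urn:oasis:names:tc:xacml:1.0:function:"
STR = "http://www.w3.org/2001/XMLSchema#string"
def evaluate(node, request, variables):
    """Evaluate Apply / AttributeValue / *AttributeDesignator / VariableReference to a value or bag."""
    tag = node.tag.split("}")[1]
    if tag == "AttributeValue":
        return node.text or ""                     # whitespace inside the element is part of the string
    if tag.endswith("AttributeDesignator"):        # EnvironmentAttributeDesignator -> request["environment"]
        return list(request.get(tag[:-19].lower(), {}).get(node.get("AttributeId"), []))
    if tag == "VariableReference":                 # resolve against the Policy-level VariableDefinitions
        return evaluate(variables[node.get("VariableId")], request, variables)
    args = [evaluate(c, request, variables) for c in node]    # Apply: evaluate the arguments first
    if node.get("FunctionId") == FN + "string-one-and-only":
        if len(args[0]) != 1:
            raise ValueError("Indeterminate: bag must hold exactly one value")
        return args[0][0]
    if node.get("FunctionId") == FN + "string-equal":
        return args[0] == args[1]
    raise ValueError("unsupported element or function: " + tag)
def match(m, request):
    """One *Match element: true if the literal string-equals any member of the designator bag."""
    literal, designator = list(m)
    return any(evaluate(literal, request, {}) == v for v in evaluate(designator, request, {}))
def decide(rule, request, variables):
    """Rule -> its Effect when Target and Condition hold, else NotApplicable; Indeterminate raises."""
    for section in rule.find(f"{{{NS}}}Target"):      # Resources / Actions / Environments: all must match
        if not any(all(match(m, request) for m in entry) for entry in section):
            return "NotApplicable"
    cond = rule.find(f"{{{NS}}}Condition")
    if cond is not None and evaluate(cond[0], request, variables) is not True:
        return "NotApplicable"
    return rule.get("Effect")
def decide_policy(policy_xml, request):
    """Evaluate each Rule of a Policy; every Rule sees the Policy-level VariableDefinitions."""
    policy = ET.fromstring(policy_xml)
    variables = {v.get("VariableId"): v[0] for v in policy.findall(f"{{{NS}}}VariableDefinition")}
    return {r.get("RuleId"): decide(r, request, variables) for r in policy.findall(f"{{{NS}}}Rule")}
# Constructed sample: the post's check once via VariableReference and once as an EnvironmentMatch
# whose AttributeValue keeps a line break before </AttributeValue>, as in the post's second sample.
SAMPLE = f"""<Policy xmlns="{NS}" PolicyId="p" RuleCombiningAlgId="x"><Target/>
<VariableDefinition VariableId="biz"><Apply FunctionId="{FN}string-equal"><Apply FunctionId="{FN}string-one-and-only">
<EnvironmentAttributeDesignator AttributeId="biz" DataType="{STR}"/></Apply><AttributeValue DataType="{STR}">permit</AttributeValue></Apply></VariableDefinition>
<Rule RuleId="by-variable" Effect="Permit"><Target/><Condition><VariableReference VariableId="biz"/></Condition></Rule>
<Rule RuleId="by-env-match" Effect="Permit"><Target><Environments><Environment><EnvironmentMatch MatchId="{FN}string-equal">
<AttributeValue DataType="{STR}">permit
</AttributeValue><EnvironmentAttributeDesignator AttributeId="biz" DataType="{STR}"/></EnvironmentMatch></Environment></Environments></Target></Rule></Policy>"""
```

Running decide_policy(SAMPLE, {"environment": {"biz": ["permit"]}}) returns Permit for the VariableReference rule and NotApplicable for the EnvironmentMatch rule; an empty bag makes string-one-and-only raise, which stands in for Indeterminate.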