xacml-users message



Subject: RE: [xacml-users] RE: XACML Request with multiple subjects of the same attributeID?


On inspection, it looks like this should work fine.

 

You might have been thrown off by the hidden semantics of Target matching.  It means “if there is any attribute in the request context that has this category, id, and issuer, then ‘match’”.

 

<AttributeDesignator> elements in a policy refer to a bag of values in the request context.  Within the Target/*Match element of a policy or rule, it does an “any-of” match between the given value and the bag of values returned by the AttributeDesignator.

 

If you wanted to do the same test in a <Condition>, you would have to use an “any-of*” function with the appropriate equality operator.

 

Attached and quoted is a syntactically correct version of the policy.

 

<Policy PolicyId="LoginPolicy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
        xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  <Target/>
  <Rule RuleId="LoginRule" Effect="Permit">
    <Target>
      <Subjects>
        <Subject>
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">backupOperators</AttributeValue>
            <SubjectAttributeDesignator AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </SubjectMatch>
        </Subject>
      </Subjects>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/service/Address/URI</AttributeValue>
            <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
          </ResourceMatch>
        </Resource>
      </Resources>
    </Target>
  </Rule>
  <Rule RuleId="FinalRule" Effect="Deny"/>
</Policy>
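As an added illustration of the "any-of" Target semantics described above (example code written for this page, not part of the original thread and not taken from any XACML implementation), here is a minimal Python evaluator for the subset the thread uses: string-equal matches on subject and resource attributes, Rules with Targets, and the permit-overrides combining algorithm. The request builder and the group lists fed to it are constructed inputs; the policy is the corrected one quoted above. It shows how several <Attribute AttributeId="group"> elements collapse into one bag, how a <SubjectMatch> succeeds if any value in that bag equals the literal, and why the trailing Deny rule turns "no group matched" into Deny rather than NotApplicable.

```python
import xml.etree.ElementTree as ET

# Namespaces and identifiers taken from the thread's policy and request.
CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
POL = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
PERMIT_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
CATEGORIES = ("Subject", "Resource", "Action", "Environment")


def request_bags(request_xml):
    """Map (category, AttributeId, DataType) -> bag of values. Repeated
    <Attribute> elements with the same AttributeId merge into one bag."""
    root = ET.fromstring(request_xml)
    bags = {}
    for cat in CATEGORIES:
        for elem in root.findall(f"{{{CTX}}}{cat}"):
            for attr in elem.findall(f"{{{CTX}}}Attribute"):
                key = (cat, attr.get("AttributeId"), attr.get("DataType"))
                for val in attr.findall(f"{{{CTX}}}AttributeValue"):
                    bags.setdefault(key, []).append(val.text)
    return bags


def match_element(match, cat, bags):
    """One <SubjectMatch>/<ResourceMatch>/...: any-of(MatchId, literal, bag).
    An attribute missing from the request gives an empty bag, hence no match
    (MustBePresent defaults to false, so this is not Indeterminate)."""
    if match.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(match.get("MatchId"))
    literal = match.find(f"{{{POL}}}AttributeValue").text
    des = match.find(f"{{{POL}}}{cat}AttributeDesignator")
    bag = bags.get((cat, des.get("AttributeId"), des.get("DataType")), [])
    return any(literal == v for v in bag)


def target_matches(target, bags):
    """Absent or empty <Target/> matches everything. <Subjects> is an OR of
    <Subject> elements, each an AND of its <SubjectMatch> children; likewise
    for Resources, Actions and Environments."""
    if target is None:
        return True
    for cat in CATEGORIES:
        group = target.find(f"{{{POL}}}{cat}s")
        if group is not None and not any(
                all(match_element(m, cat, bags) for m in alt.findall(f"{{{POL}}}{cat}Match"))
                for alt in group.findall(f"{{{POL}}}{cat}")):
            return False
    return True


def evaluate(policy_xml, request_xml):
    """permit-overrides: any applicable Permit wins; otherwise Deny if some
    rule applied with Effect Deny; otherwise NotApplicable."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != PERMIT_OVERRIDES:
        raise NotImplementedError(policy.get("RuleCombiningAlgId"))
    bags = request_bags(request_xml)
    if not target_matches(policy.find(f"{{{POL}}}Target"), bags):
        return "NotApplicable"
    decision = "NotApplicable"
    for rule in policy.findall(f"{{{POL}}}Rule"):
        if target_matches(rule.find(f"{{{POL}}}Target"), bags):
            if rule.get("Effect") == "Permit":
                return "Permit"
            decision = "Deny"
    return decision


# The corrected policy from the thread, with the long URNs substituted in.
POLICY = f"""<Policy PolicyId="LoginPolicy" RuleCombiningAlgId="{PERMIT_OVERRIDES}" xmlns="{POL}">
  <Target/>
  <Rule RuleId="LoginRule" Effect="Permit"><Target>
    <Subjects><Subject><SubjectMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{XS_STRING}">backupOperators</AttributeValue>
      <SubjectAttributeDesignator AttributeId="group" DataType="{XS_STRING}"/>
    </SubjectMatch></Subject></Subjects>
    <Resources><Resource><ResourceMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{XS_STRING}">/service/Address/URI</AttributeValue>
      <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="{XS_STRING}"/>
    </ResourceMatch></Resource></Resources>
  </Target></Rule>
  <Rule RuleId="FinalRule" Effect="Deny"/>
</Policy>"""


def make_request(groups, resource="/service/Address/URI"):
    """Constructed request in the thread's shape: one <Attribute AttributeId="group">
    per LDAP group the user belongs to (the PEP does not know which one matters)."""
    def attr(aid, value):
        return f'<Attribute AttributeId="{aid}" DataType="{XS_STRING}"><AttributeValue>{value}</AttributeValue></Attribute>'
    return f"""<Request xmlns="{CTX}">
  <Subject>{attr('urn:oasis:names:tc:xacml:1.0:subject:subject-id', 'michael')}{''.join(attr('group', g) for g in groups)}</Subject>
  <Resource>{attr('urn:oasis:names:tc:xacml:1.0:resource:resource-id', resource)}</Resource>
  <Action>{attr('urn:oasis:names:tc:xacml:1.0:action:action-id', 'read')}</Action>
  <Environment/>
</Request>"""


if __name__ == "__main__":
    for groups in (["users", "administrators", "backupOperators"], ["users"], []):
        print(groups, "->", evaluate(POLICY, make_request(groups)))
```

The same test written as a <Condition> would be the `urn:oasis:names:tc:xacml:1.0:function:any-of` function applied to `string-equal`, the literal "backupOperators" and the `group` designator bag, which is exactly the `any(literal == v for v in bag)` line above. Note the practical consequence for a PEP that forwards every LDAP group: a user with no matching group does not get NotApplicable from the policy, because the target-less FinalRule applies to every request and permit-overrides then yields Deny; without that final rule the PEP would have to decide for itself what NotApplicable means.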

 

From: Ryerse, Mike (DIS) [mailto:MikeRy@DIS.WA.GOV]
Sent: Thursday, September 23, 2010 12:55
To: xacml-users@lists.oasis-open.org
Subject: [xacml-users] RE: XACML Request with multiple subjects of the same attributeID?

 

Correction on the example policy, the attribute I meant to include is:

 

<Attribute AttributeID="group" DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>backupOperators</AttributeValue>
</Attribute>

 

 

Mike Ryerse

360-725-3908

 

From: Ryerse, Mike (DIS) [mailto:MikeRy@DIS.WA.GOV]
Sent: Thursday, September 23, 2010 10:46 AM
To: xacml-users@lists.oasis-open.org
Subject: [xacml-users] XACML Request with multiple subjects of the same attributeID?

 

We’re considering the use of XACML to manage access control for some of our web services.

 

I’m wondering if the XACML specification can support a scenario where a request contains multiple subject attributes of the same type.  Specifically a list of all the LDAP groups the user is a member of.  When we receive a request with a username/password, and we build the XACML request, we’d like to do an LDAP query on the user that gets a list of all the LDAP groups they are a member of and put in the XACML request.  Then, the XACML policy would evaluate the request, and have a definition of what specific group the user needs to be a member of to access the single resource they are requesting.

 

The presumption is that only one LDAP group permits access to a given resource, but that when generating the XACML request you don’t know which one it is.  So we’d like to send all groups the user is a member of and let the PDP figure out if the request is authorized or not.  If XACML is not designed to work like this maybe there is a better way to handle this scenario?  I’ve read about some folks mapping their groups to generic names, but I don’t think it would work for us since we have a very large number of groups already mapped to resources on another access control platform.

 

For example I’m wondering if you could do something like the following request (files attached in case formatting gets all messed up):

 

<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>michael</AttributeValue>
    </Attribute>
    <Attribute AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>users</AttributeValue>
    </Attribute>
    <Attribute AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>administrators</AttributeValue>
    </Attribute>
    <Attribute AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>backupOperators</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>/service/Address/URI</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
  <Environment/>
</Request>

 

On the following Policy:

 

<Policy PolicyID="LoginPolicy" RuleCombiningAlgID="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <Rule RuleID="LoginRule" Effect="Permit">
    <Target>
      <Subjects>
        <Attribute AttributeID="group" DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>backupOperators</AttributeValue>
        </Attribute>
        </Attribute>
      </Subjects>
      <Resources>
        <ResourceMatch MatchID="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/service/Address/URI</AttributeValue>
          <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeID="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
        </ResourceMatch>
      </Resources>
    </Target>
  </Rule>
  <Rule RuleID="FinalRule" Effect="Deny"/>
</Policy>

 

Thanks for your help :)

 

Michael Ryerse   |   Enterprise Security Services   |   (360) 725-3908
Washington State Department of Information Services (DIS)

 


