OASIS Mailing List Archives

xacml-users message
Subject: Re: [xacml-users] Implementing UNIX file system acl using xacml


Hi,
I am trying to simplify our scenario in order to identify whether the issues we
encountered depend on our misunderstanding of XACML or on its
expressiveness.

Suppose I check a request whose resource context has the (integer-bag)
attribute defined as follows:

<Resource>
  <Attribute AttributeId="attribute01"
             DataType="http://www.w3.org/2001/XMLSchema#integer">
    <AttributeValue>2</AttributeValue>
  </Attribute>
  <Attribute AttributeId="attribute01"
             DataType="http://www.w3.org/2001/XMLSchema#integer">
    <AttributeValue>4</AttributeValue>
  </Attribute>
  <Attribute AttributeId="attribute01"
             DataType="http://www.w3.org/2001/XMLSchema#integer">
    <AttributeValue>2</AttributeValue>
  </Attribute>
  <Attribute AttributeId="attribute01"
             DataType="http://www.w3.org/2001/XMLSchema#integer">
    <AttributeValue>5</AttributeValue>
  </Attribute>
</Resource>

Can I express a policy requiring that all elements of the bag must be 2
or greater than 4?
Namely, I want to express a condition that is true if and only if, for
each x in the attribute, x == 2 or x > 4 holds.

Exploiting higher order functions this property can be expressed in
several ways, for example:

all-of(
     boolean-equal,
     True,
     map(
        def f(x) {
           return (x == 2) or (x > 4)
        },
        ResourceAttributeDesignator("attribute01")
     )
)

Our problem is that, even though XACML supports higher-order functions, we
cannot express a function definition inside the policy XML.
Clearly, we do not want to define an external function (e.g. using
Java) that implements the function "f", since this approach breaks the
ability to configure the policy without changing the Java code.

Are my considerations correct? Since the XACML language is inspired by
functional languages, I think that a mechanism to
define functions inside the policy should be a desideratum.

Roberto Guanciale
Netfarm s.r.l.
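Editor's note: the following Python is an added example, not part of Roberto's message and not code from any XACML implementation. It models the XACML 2.0 higher-order bag functions (map, all-of, any-of, all-of-any, any-of-all, all-of-all) with the semantics given in the specification, pulls the bag out of a request context built with the same values as the one above (the way multiple Attribute elements sharing an AttributeId form one bag), and evaluates the author's composition all-of(boolean-equal, True, map(f, bag)). The function f is written as a Python lambda, which is exactly the piece a policy cannot contain; the two alternatives at the end show what the standard two-argument predicates can express on their own (a single threshold, or membership in a finite bag) and why neither captures "x == 2 or x > 4". Function names such as resource_bag and condition_from_message are this example's own.

```python
import xml.etree.ElementTree as ET

XSD_INTEGER = "http://www.w3.org/2001/XMLSchema#integer"

# Constructed request context with the same values as the message's
# <Resource> element; the four <Attribute> elements share one AttributeId,
# which is how a bag of values is conveyed in an XACML 2.0 request.
REQUEST_XML = """
<Request>
  <Resource>
    <Attribute AttributeId="attribute01" DataType="http://www.w3.org/2001/XMLSchema#integer">
      <AttributeValue>2</AttributeValue>
    </Attribute>
    <Attribute AttributeId="attribute01" DataType="http://www.w3.org/2001/XMLSchema#integer">
      <AttributeValue>4</AttributeValue>
    </Attribute>
    <Attribute AttributeId="attribute01" DataType="http://www.w3.org/2001/XMLSchema#integer">
      <AttributeValue>2</AttributeValue>
    </Attribute>
    <Attribute AttributeId="attribute01" DataType="http://www.w3.org/2001/XMLSchema#integer">
      <AttributeValue>5</AttributeValue>
    </Attribute>
  </Resource>
</Request>
"""


def resource_bag(request_xml, attribute_id, datatype=XSD_INTEGER):
    """Model of a ResourceAttributeDesignator: every AttributeValue under
    <Resource> whose parent Attribute matches AttributeId and DataType goes
    into one bag. Bags keep duplicates, so a list is used."""
    root = ET.fromstring(request_xml)
    resource = root.find("Resource")
    bag = []
    if resource is None:
        return bag
    for attr in resource.findall("Attribute"):
        if attr.get("AttributeId") != attribute_id or attr.get("DataType") != datatype:
            continue
        for value in attr.findall("AttributeValue"):
            bag.append(int(value.text.strip()))
    return bag


# Higher-order bag functions with the semantics of XACML 2.0 section A.3.12.
# In a policy the function argument must be a <Function FunctionId="..."/>
# naming a standard function; there is no lambda syntax.
def xacml_map(f, bag):
    return [f(x) for x in bag]

def any_of(f, a, bag):
    return any(f(a, x) for x in bag)

def all_of(f, a, bag):
    return all(f(a, x) for x in bag)   # vacuously True on an empty bag

def all_of_any(f, bag1, bag2):
    return all(any(f(x, y) for y in bag2) for x in bag1)

def any_of_all(f, bag1, bag2):
    return any(all(f(x, y) for y in bag2) for x in bag1)

def all_of_all(f, bag1, bag2):
    return all(all(f(x, y) for y in bag2) for x in bag1)


# Standard two-argument predicates usable as the function argument above.
integer_equal = lambda a, b: a == b
integer_less_than = lambda a, b: a < b
boolean_equal = lambda a, b: a == b


def condition_from_message(bag):
    """The author's expression all-of(boolean-equal, True, map(f, bag)).
    f(x) = (x == 2 or x > 4) is the function that cannot be written inside
    a policy; it is a Python lambda here (assumption of this example)."""
    f = lambda x: x == 2 or x > 4
    return all_of(boolean_equal, True, xacml_map(f, bag))


def all_greater_than_four(bag):
    """What all-of can say with one fixed argument: integer-less-than(4, x)
    for every x, a single threshold. It rejects the 2 the message allows."""
    return all_of(integer_less_than, 4, bag)


def all_in_whitelist(bag, allowed):
    """all-of-any with integer-equal: every x equals some member of a finite
    bag. It can encode '== 2' but not the unbounded 'x > 4'."""
    return all_of_any(integer_equal, bag, allowed)


if __name__ == "__main__":
    bag = resource_bag(REQUEST_XML, "attribute01")
    print(bag, condition_from_message(bag))   # 4 is in the bag, so False
```

Against the request in the message the bag is [2, 4, 2, 5] and the condition is False because of the 4; against a bag such as [2, 5, 7] it is True. The two alternative conditions show the gap: a threshold via all-of rejects 2, and a finite whitelist via all-of-any rejects 7, so composing the standard predicates with one fixed argument does not reach the disjunction without a user-defined f.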

