I am a beginner in XACML and ABAC. I wrote a policy in XACML, which I deployed in the AuthzForce local server, and it works as expected with my test request in Postman. However, now I want to modify my policy not just to return Permit or Deny, but also to return the total number of attributes matched and the total number of attributes checked. E.g. if two attributes matched out of 3, I should get the numbers '2' and '3' somewhere in the response, along with Permit or Deny (the actual result is not important). Is there a way to change the policy below?
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet
    xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicySetId="root"
    Version="0.1.37"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
  <Description>PolicySet for XACML model</Description>
  <Target />
  <Policy
      PolicyId="EngineeringAppAccessPolicy"
      Version="1.0"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
    <Description>Policy for controlling access to EngineeringApp by verifying attributes</Description>
    <!-- Target specifies this policy applies to the resource "EngineeringApp" -->
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">EngineeringApp</AttributeValue>
            <AttributeDesignator
                Category="urn:oasis:names:tc:xacml:3.0:resource-category:resource"
                AttributeId="urn:oasis:names:tc:xacml:1.0:resource:id"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                MustBePresent="true" />
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <!-- Rule specifies conditions for access -->
    <Rule RuleId="AttributeBasedAccessRule" Effect="Permit">
      <Description>Permit access to EngineeringApp if user role is Engineer and action is access</Description>
      <Target>
        <AnyOf>
          <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
              <AttributeDesignator
                  Category="urn:oasis:names:tc:xacml:3.0:action-category:action"
                  AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                  DataType="http://www.w3.org/2001/XMLSchema#string"
                  MustBePresent="true" />
            </Match>
          </AllOf>
        </AnyOf>
      </Target>
      <!-- Condition verifies the user role -->
      <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
          <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal" />
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Engineer</AttributeValue>
          <AttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role"
              DataType="http://www.w3.org/2001/XMLSchema#string"
              MustBePresent="true"
              Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />
        </Apply>
      </Condition>
    </Rule>
  </Policy>
</PolicySet>
My current test request:
<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" ReturnPolicyIdList="true" CombinedDecision="false">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Engineer</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:resource-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">EngineeringApp</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:action-category:action">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
    </Attribute>
  </Attributes>
</Request>
asked Feb 15 at 23:27 by Saurabh Kulkarni
edited yesterday by David Brossard
1 Answer
I don't believe you can do that automatically, unfortunately. You could try to do a sum of the bag size of each attribute but then that would assume you know which attributes you want to consider beforehand which isn't the same as what you're looking for.
PS: use ALFA, it's easier to write policies and avoid XML syntax mistakes.
PS2: it's worth asking the XACML TC on their mailing list.
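The following is an added example, not the question's policy and not code from the answer or from AuthzForce, showing what the answer's "sum of the bag size of each attribute" suggestion looks like when written out. It hard-codes the three attributes the policy knows about, which is exactly the limitation the answer points to. Two policy-level VariableDefinitions compute the counts: checkedCount adds up the bag sizes of the three designators (MustBePresent="false", so a missing attribute contributes 0 instead of making the expression Indeterminate), and matchedCount adds up the bag sizes of each designator's intersection with the expected value, which is 1 when the value is present and 0 otherwise. The counts are then returned as advice on both Permit and Deny. The AdviceId and the two AttributeAssignmentExpression AttributeIds (urn:example:...) are made-up names; everything else uses standard XACML 3.0 identifiers.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example policy (not from the question, answer or AuthzForce). -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="EngineeringAppAccessPolicyWithCounts"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Description>Permit when resource, action and role all match; report the counts as advice</Description>
  <Target/>

  <!-- checkedCount: number of values the request supplied for the three attributes this
       policy inspects. Since the policy always looks at exactly three attributes, a constant
       3 would also be a reasonable definition of "checked". -->
  <VariableDefinition VariableId="checkedCount">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-add">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:resource-category:resource"
            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:id"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:action-category:action"
            AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </Apply>
    </Apply>
  </VariableDefinition>

  <!-- matchedCount: intersect each request bag with a one-element bag holding the expected
       value; the intersection has size 1 when the value is present and 0 when it is not. -->
  <VariableDefinition VariableId="matchedCount">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-add">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-intersection">
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:resource-category:resource"
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:id"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">EngineeringApp</AttributeValue>
          </Apply>
        </Apply>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-intersection">
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:action-category:action"
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
          </Apply>
        </Apply>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-intersection">
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
              AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Engineer</AttributeValue>
          </Apply>
        </Apply>
      </Apply>
    </Apply>
  </VariableDefinition>

  <!-- Permit only when all three expected values matched; otherwise deny-unless-permit
       turns the rule's NotApplicable into Deny. -->
  <Rule RuleId="AllThreeAttributesMatch" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
        <VariableReference VariableId="matchedCount"/>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
      </Apply>
    </Condition>
  </Rule>

  <!-- Same advice attached to both effects so the counts come back with Permit and Deny.
       The AdviceId and assignment AttributeIds below are made-up names for this example. -->
  <AdviceExpressions>
    <AdviceExpression AdviceId="urn:example:advice:match-counts" AppliesTo="Permit">
      <AttributeAssignmentExpression AttributeId="urn:example:matched-count">
        <VariableReference VariableId="matchedCount"/>
      </AttributeAssignmentExpression>
      <AttributeAssignmentExpression AttributeId="urn:example:checked-count">
        <VariableReference VariableId="checkedCount"/>
      </AttributeAssignmentExpression>
    </AdviceExpression>
    <AdviceExpression AdviceId="urn:example:advice:match-counts" AppliesTo="Deny">
      <AttributeAssignmentExpression AttributeId="urn:example:matched-count">
        <VariableReference VariableId="matchedCount"/>
      </AttributeAssignmentExpression>
      <AttributeAssignmentExpression AttributeId="urn:example:checked-count">
        <VariableReference VariableId="checkedCount"/>
      </AttributeAssignmentExpression>
    </AdviceExpression>
  </AdviceExpressions>
</Policy>
```

Against the question's request, all three intersections are non-empty, so matchedCount and checkedCount both evaluate to 3, the rule fires and the Permit result carries the advice; drop the action attribute from the request and the rule's condition is false, the policy falls through to Deny, and the Deny-side advice carries 2 and 2. The PEP reads the numbers from the AssociatedAdvice element of the Result. Note the caveat the answer gives still holds: the policy has to enumerate the attributes it counts, so a new attribute added to a rule elsewhere is not counted until the variable definitions are updated too.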