
I am new to XACML and am writing policies with ALFA. The policy I want to write sets a transfer limit of 2000 dollars at a bank. If the amount to be transferred exceeds this amount, the operation should be denied.

How do I do this?

Thanks!


1 Answer


The use case you have is quite simple. I suggest you first write it in English and then in ALFA:

  • A user can do the `action==transfer` on a resource of `type==bank account` if and only if the `amount transferred < the amount limit` (e.g. 2000 in your case) ==> permit
  • All other cases ==> deny

In ALFA, the above policy becomes

namespace policies{
    attribute actionId{
        category = actionCat
        id = "actionId"
        type = string
    }

    attribute resourceType{
        category = resourceCat
        id = "resourceType"
        type = string
    }

    attribute amount{
        category = resourceCat
        id = "amount"
        type = double
    }
    /**
     * The limit could be a subject attribute in the case it's user-specific
     */
    attribute limit{
        category = subjectCat
        id = "limit"
        type = double
    }

    /*
     * A user can do the `action==transfer` on a resource of `type==bank account` if and only if the `amount transferred
     * < the amount limit` (e.g. 2000 in your case) ==> **permit**
     */
    policy transfer{
        target clause actionId == "transfer" and resourceType=="bank account"
        apply firstApplicable
        rule allow{
            condition amount <= limit
            permit
        }
        rule denyTransfer{
            deny
        }
    }
}
answered 2014-10-09T06:53:51.513
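To see what decision the policy above actually yields for concrete requests, here is an added example (not part of the original answer and not an Axiomatics or XACML library) that simulates, in plain Python, how a XACML PDP would evaluate the `transfer` policy: the target check on `actionId`/`resourceType`, the `amount <= limit` condition, and the `firstApplicable` combining algorithm. The `Request` class and the `evaluate_transfer_policy` function are my own assumptions for carrying the four attributes; the decision strings follow XACML 3.0 (Permit, Deny, NotApplicable, Indeterminate). It also shows the two cases the prose does not spell out: a request whose target does not match is NotApplicable rather than Deny, and a missing `amount` or `limit` attribute makes the condition Indeterminate.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# XACML 3.0 decision values
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = (
    "Permit", "Deny", "NotApplicable", "Indeterminate",
)


@dataclass
class Request:
    """Hypothetical request carrying the four attributes the ALFA policy uses.
    None models an attribute that is absent from the request context."""
    action_id: Optional[str] = None       # actionCat / actionId
    resource_type: Optional[str] = None   # resourceCat / resourceType
    amount: Optional[float] = None        # resourceCat / amount
    limit: Optional[float] = None         # subjectCat / limit


def target_matches(req: Request) -> bool:
    # target clause actionId == "transfer" and resourceType == "bank account"
    return req.action_id == "transfer" and req.resource_type == "bank account"


def rule_allow(req: Request) -> str:
    # rule allow { condition amount <= limit  permit }
    # A condition over a missing attribute cannot be evaluated -> Indeterminate.
    if req.amount is None or req.limit is None:
        return INDETERMINATE
    # Condition false -> the rule is NotApplicable, not Deny.
    return PERMIT if req.amount <= req.limit else NOT_APPLICABLE


def rule_deny_transfer(req: Request) -> str:
    # rule denyTransfer { deny }  (no condition: always applicable)
    return DENY


def first_applicable(results: Iterable[str]) -> str:
    # XACML first-applicable: return the first rule result that is not
    # NotApplicable (Permit, Deny or Indeterminate); NotApplicable if none.
    for result in results:
        if result != NOT_APPLICABLE:
            return result
    return NOT_APPLICABLE


def evaluate_transfer_policy(req: Request) -> str:
    # A policy whose target does not match is NotApplicable; its rules are skipped.
    if not target_matches(req):
        return NOT_APPLICABLE
    rules: list[Callable[[Request], str]] = [rule_allow, rule_deny_transfer]
    return first_applicable(rule(req) for rule in rules)


def sample_decisions() -> dict:
    # Constructed sample requests, all with the 2000 limit from the question.
    cases = {
        "under_limit": Request("transfer", "bank account", 1500.0, 2000.0),
        "at_limit": Request("transfer", "bank account", 2000.0, 2000.0),
        "over_limit": Request("transfer", "bank account", 2500.0, 2000.0),
        "other_action": Request("withdraw", "bank account", 2500.0, 2000.0),
        "missing_amount": Request("transfer", "bank account", None, 2000.0),
    }
    return {name: evaluate_transfer_policy(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name:15} -> {decision}")
```

Note that the answer's condition is `amount <= limit`, so a transfer of exactly 2000 is permitted, while the English bullet says `<`; the simulation follows the ALFA code. Whether the boundary belongs to Permit or Deny is worth deciding explicitly before the policy is deployed.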