
How can I apply XACML access control policies against the Identity Server's very own SCIM API? My idea is that I want the user to be able to access the user's SCIM endpoint (list endpoint), but it will only return the user itself as the only result (i.e. user can query for oneself). Is this even possible?

The default permissions in WSO2 Identity Server is not fine grained enough to solve this problem. Thus, I started looking into XACML.




是的,XACML 非常适合这一点。您需要做的是为您的用户、操作和资源建模。需要注意的是，XACML 的 PDP 只对每个请求返回 Permit/Deny 之类的决定，本身不会过滤列表结果；要让 Users 列表端点只返回用户自己，PEP 需要对每个待返回的用户分别评估策略，或者在调用 SCIM 之前把查询改写为只查询当前用户。

例如,在您的情况下,资源是 SCIM API。SCIM API 公开:

  • 管理用户
  • 管理用户组
  • 管理用户成员资格

对于每一个,您都可以根据 REST 配置文件进行 GET / POST / PUT / DELETE。

ALFA 策略

使用 XACML 的ALFA语法的示例策略可以是:

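/**
 * This policy set secures access to the SCIM API (every path under /scim/v1/).
 *
 * Attributes referenced below are custom and must be supplied by the PEP that
 * fronts the SCIM endpoint (their ALFA declarations are not part of this listing):
 *   contextPath (resource) - request path, e.g. "/scim/v1/Users"
 *   httpVerb    (action)   - HTTP method of the request
 *   scimUser    (resource) - id of the SCIM user the request is about
 *   requestor   (subject)  - id of the authenticated caller
 *
 * NOTE(review): the set itself is firstApplicable, so a SCIM request that no
 * inner policy covers (Groups, ...) evaluates to NotApplicable. The PEP must
 * treat NotApplicable and Indeterminate as deny.
 */
policyset secureSCIM{
    target clause stringStartsWith("/scim/v1/", contextPath)
    apply firstApplicable
    /**
     * This policy secures access to the User object of the SCIM API.
     * denyUnlessPermit makes it deny by default: any request under .../Users
     * that no rule permits (POST/PUT/DELETE, or a GET for somebody else) is an
     * explicit Deny instead of NotApplicable, so it can never fall through to
     * whatever default the PEP applies.
     */
    policy secureUserAccess{
        // stringEndsWith("Users") only matches the collection path;
        // /scim/v1/Users/{id} ends with the id and is not covered here.
        target clause stringEndsWith("Users", contextPath)
        apply denyUnlessPermit
        /**
         * View User object: a GET is permitted only when the single scimUser
         * value equals the single requestor value.
         * stringOneAndOnly is used instead of a bare == (which compiles to an
         * any-of-any bag comparison) so that a request carrying several
         * scimUser values is not permitted just because one of them is the
         * caller, and so that a missing or multi-valued attribute yields
         * Indeterminate (-> Deny under denyUnlessPermit) rather than a silent
         * non-match.
         */
        rule viewUser{
            target clause httpVerb == "GET"
            permit
            condition stringOneAndOnly(scimUser) == stringOneAndOnly(requestor)
        }

    }
}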

XACML 等价物

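<?xml version="1.0" encoding="UTF-8"?>
 <!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). 
 Any modification to this file will be lost upon recompilation of the source ALFA file-->
<!--
  Policy set securing the SCIM API (every path under /scim/v1/).

  The attribute ids used below (scim.contextPath, scim.http.verb, scimUser,
  requestor) are custom, not XACML-standard ids: the PEP that fronts the SCIM
  endpoint has to place them in the request context. The set is
  first-applicable, so a SCIM request that no inner policy covers (Groups, ...)
  evaluates to NotApplicable; the PEP must map NotApplicable and Indeterminate
  to deny.
-->
<xacml3:PolicySet xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicySetId="http://axiomatics.com/alfa/identifier/scim.secureSCIM"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable"
    Version="1.0">
    <xacml3:Description>This policy secures access to the SCIM API</xacml3:Description>
    <xacml3:PolicySetDefaults>
        <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicySetDefaults>
    <!-- Applies only when the request path starts with /scim/v1/. MustBePresent is false, so a
         request without scim.contextPath simply does not match (NotApplicable). -->
    <xacml3:Target>
        <xacml3:AnyOf>
            <xacml3:AllOf>
                <xacml3:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-starts-with">
                    <xacml3:AttributeValue
                        DataType="http://www.w3.org/2001/XMLSchema#string">/scim/v1/</xacml3:AttributeValue>
                    <xacml3:AttributeDesignator 
                        AttributeId="scim.contextPath"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                        MustBePresent="false"
                    />
                </xacml3:Match>
            </xacml3:AllOf>
        </xacml3:AnyOf>
    </xacml3:Target>
    <!-- Policy for the User resource. deny-unless-permit makes it deny by default: every request
         under .../Users that no rule permits (POST/PUT/DELETE, or a GET for somebody else) is an
         explicit Deny, never NotApplicable, so it cannot fall through to the PEP's default. -->
    <xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="http://axiomatics.com/alfa/identifier/scim.secureSCIM.secureUserAccess"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"
        Version="1.0">
        <xacml3:Description>This policy secures access to the User object of the SCIM API</xacml3:Description>
        <xacml3:PolicyDefaults>
            <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
        </xacml3:PolicyDefaults>
        <!-- string-ends-with "Users" matches the collection path only; /scim/v1/Users/{id} ends
             with the id and is not covered by this policy. -->
        <xacml3:Target>
            <xacml3:AnyOf>
                <xacml3:AllOf>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-ends-with">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">Users</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator 
                            AttributeId="scim.contextPath"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                            MustBePresent="false"
                        />
                    </xacml3:Match>
                </xacml3:AllOf>
            </xacml3:AnyOf>
        </xacml3:Target>
        <!-- viewUser: a GET is permitted only when the single scimUser value equals the single
             requestor value. -->
        <xacml3:Rule 
                Effect="Permit"
                RuleId="http://axiomatics.com/alfa/identifier/scim.secureSCIM.secureUserAccess.viewUser">
            <xacml3:Description>View User object:</xacml3:Description>
            <xacml3:Target>
                <xacml3:AnyOf>
                    <xacml3:AllOf>
                        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <xacml3:AttributeValue
                                DataType="http://www.w3.org/2001/XMLSchema#string">GET</xacml3:AttributeValue>
                            <xacml3:AttributeDesignator 
                                AttributeId="scim.http.verb"
                                DataType="http://www.w3.org/2001/XMLSchema#string"
                                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                MustBePresent="false"
                            />
                        </xacml3:Match>
                    </xacml3:AllOf>
                </xacml3:AnyOf>
            </xacml3:Target>
            <!-- string-one-and-only on both sides replaces the any-of-any bag comparison: a request
                 carrying several scimUser values is not permitted just because one of them is the
                 caller, and an absent or multi-valued attribute yields Indeterminate, which
                 deny-unless-permit turns into Deny. -->
            <xacml3:Condition>
                <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                        <xacml3:AttributeDesignator 
                            AttributeId="scimUser"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                            MustBePresent="false"
                        />
                    </xacml3:Apply>
                    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                        <xacml3:AttributeDesignator 
                            AttributeId="requestor"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                            MustBePresent="false"
                        />
                    </xacml3:Apply>
                </xacml3:Apply>
            </xacml3:Condition>
        </xacml3:Rule>
    </xacml3:Policy>
</xacml3:PolicySet>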
于 2016-08-13T15:56:25.057 回答