authorization - Generating XACML advice string dynamically in a policy or rule

Question

Is there a way to generate the Advice or Obligation string returned in the XACML response dynamically dependent on the attributes used in the evaluation(e.g. environment)?

For example, through an extension which implements the logic.

score 2 · Accepted Answer

In XACML 3.0, Obligation and Advice elements can contain attribute assignments. Attribute assignments are placeholders that can be filled in with a static value or a dynamic value e.g. a value that comes from another XACML attribute. For instance, we could have the following (using alfa notation - the Axiomatics Language for Authorization):

obligation notifyManager = "com.axiomatics.examples.notification.notifyManager"
policy accessDocs{
    apply firstApplicable
    rule denyOutOfOffice{
        target clause currentTime>"17:00:00":time or currentTime<"09:00:00":time
        deny
        on deny{
            obligation notifyManager{
                com.axiomatics.examples.message = "You cannot access anything outside office hours"
                com.axiomatics.examples.user.managerEmail = com.axiomatics.examples.user.managerEmail
            }
        }
    }        
}

In this example, the obligation has 2 placeholders:

com.axiomatics.examples.message: this placeholder contains a static value.
com.axiomatics.examples.user.managerEmail: this placeholder contains a dynamic value.

You can use functions in placeholders e.g. string concatenation.

The XACML source looks as follows:

<?xml version="1.0" encoding="UTF-8"?>
 <!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). 
 Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://axiomatics.com/alfa/identifier/example.accessDocs"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
    <xacml3:Description />
    <xacml3:PolicyDefaults>
        <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target />
    <xacml3:Rule 
            Effect="Deny"
            RuleId="http://axiomatics.com/alfa/identifier/example.accessDocs.denyOutOfOffice">
        <xacml3:Description />
        <xacml3:Target>
            <xacml3:AnyOf>
                <xacml3:AllOf>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:time-less-than">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator 
                            AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
                            DataType="http://www.w3.org/2001/XMLSchema#time"
                            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
                            MustBePresent="false"
                        />
                    </xacml3:Match>
                </xacml3:AllOf>
                <xacml3:AllOf>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator 
                            AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
                            DataType="http://www.w3.org/2001/XMLSchema#time"
                            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
                            MustBePresent="false"
                        />
                    </xacml3:Match>
                </xacml3:AllOf>
            </xacml3:AnyOf>
        </xacml3:Target>
        <xacml3:ObligationExpressions>
            <xacml3:ObligationExpression ObligationId="com.axiomatics.examples.notification.notifyManager"
            FulfillOn="Deny">
                <xacml3:AttributeAssignmentExpression AttributeId="com.axiomatics.examples.message" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
                    <xacml3:AttributeValue
                        DataType="http://www.w3.org/2001/XMLSchema#string">You cannot access anything outside office hours</xacml3:AttributeValue>
                </xacml3:AttributeAssignmentExpression>
                <xacml3:AttributeAssignmentExpression AttributeId="com.axiomatics.examples.user.manager.email" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
                    <xacml3:AttributeDesignator 
                        AttributeId="com.axiomatics.examples.user.manager.email"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                        MustBePresent="false"
                    />
                </xacml3:AttributeAssignmentExpression>
            </xacml3:ObligationExpression>
        </xacml3:ObligationExpressions>
    </xacml3:Rule>
</xacml3:Policy>

authorization - Generating XACML advice string dynamically in a policy or rule

1 回答 1

Related

Reference