
XACML Policy with Multiple Resources with Multiple Rules and Multiple Actions

In a multiple decision profile scenario I want to create a policy for a particular Tenant and for the root resources like Customer. Here my scenario is like I have a Tenant T1 and Tenant T1 is allowed to access Root resource Customer. Customer is the Top level resource and it will contain sub child resources like: Sub-Resources: name, email. In my scenario how can I create a policy so that I can enforce multiple rules for each sub resource like:

Rule-1: Admin Permit access to resource- {name: create,read,update,delete}, {email: create,read,update,delete}
Rule-2: Employee Permit access to resource- {name: read,update}, {email: read}

Please share the policy structure and the Request format for the same.

In the request format I want to pass only the Tenant Id and the Root level resource Customer.

In this scenario, what you would want to do is pass in the field id you are interested in.

The request would be: "Can Alice view the name field of customer record #123"?

You could express this as a multiple decision request, e.g.:

"Can Alice view the name, email, and job title fields of customer record #123"?

Either way your policy would be field-centric. It would protect a given field or set of fields. You could actually define a set of non-sensitive fields and a set of sensitive fields. You could also even write the policy in terms of field metadata. Instead of saying "a user can view field 'email'", you could write "a user can view a field if the user's clearance > field's sensitivity".

Alternatively, you could also use Reverse Query - that's specific to Axiomatics' APIs though. Reverse Query lets you do the following type of requests / responses:

  • Q: list the fields Alice can view
  • A: name, email
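A field-centric XACML 3.0 policy of the kind the answer describes, written here as an added example (it is not from the question, the answer, or Axiomatics). The policy-level Target pins the tenant T1 and the root resource Customer, so each rule only names role, field and action. The attribute ids urn:example:tenant-id and urn:example:field are assumptions for this example; the role uses the standard XACML RBAC profile attribute, and resource-id and action-id are the core XACML attributes.

```xml
<!-- Added example policy, not from the original question or answer. Assumed
     attribute ids (not standard XACML): urn:example:tenant-id and
     urn:example:field, both carried in the resource category. -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="urn:example:policy:tenant-T1:customer-fields" Version="1.0"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Description>Tenant T1, field-level access to the Customer root resource</Description>
  <!-- Policy-wide Target: tenant T1 and root resource Customer only -->
  <Target>
    <AnyOf><AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">T1</AttributeValue>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
            AttributeId="urn:example:tenant-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
      </Match>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Customer</AttributeValue>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
      </Match>
    </AllOf></AnyOf>
  </Target>

  <!-- Rule-1: Admin. The question grants every listed field and action to
       Admin, so only the role is matched; deny-unless-permit still denies
       anything outside the policy Target (other tenants, other resources). -->
  <Rule RuleId="rule-1-admin" Effect="Permit">
    <Target>
      <AnyOf><AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Admin</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
              AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Match>
      </AllOf></AnyOf>
    </Target>
  </Rule>

  <!-- Rule-2: Employee. AnyOf elements are ANDed, AllOf elements inside an
       AnyOf are ORed, so the second AnyOf is the disjunction of the allowed
       (field, action) pairs: name:{read,update} and email:{read}. -->
  <Rule RuleId="rule-2-employee" Effect="Permit">
    <Target>
      <AnyOf><AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
              AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Match>
      </AllOf></AnyOf>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">name</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                AttributeId="urn:example:field" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
          </Match>
        </AllOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">name</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                AttributeId="urn:example:field" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
          </Match>
        </AllOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">email</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                AttributeId="urn:example:field" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
  </Rule>
</Policy>
```

The deny-unless-permit combining algorithm is the safe default here: a request for a field or action that no rule names (say, Employee deleting email) gets an explicit Deny rather than NotApplicable, which a PEP might otherwise mishandle. If the field list grows, the per-field AllOf blocks in Rule-2 are the part to replace with the metadata approach the answer suggests (clearance versus field sensitivity), keeping the rest of the structure unchanged.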
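The multiple decision request the answer describes ("Can Alice update the name and email fields of Customer?"), as an added example that is not part of the original question or answer. It uses the Multiple Decision Profile's repeated-categories form: two resource Attributes elements share the same Category, so the PDP builds one individual request per resource element (same subject and action) and returns one Result per field. The attribute ids urn:example:tenant-id and urn:example:field are assumptions; subject-id, role, resource-id and action-id are standard XACML attributes.

```xml
<!-- Added example request, not from the original post. Assumed attribute ids:
     urn:example:tenant-id and urn:example:field (resource category). -->
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    ReturnPolicyIdList="false" CombinedDecision="false">
  <!-- Who: Alice, acting in the Employee role -->
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue>
    </Attribute>
  </Attributes>

  <!-- What (1): field "name" of the Customer root resource in tenant T1.
       IncludeInResult="true" makes the PDP echo the field into its Result,
       so the PEP can tell which decision belongs to which field. -->
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:example:tenant-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">T1</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Customer</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:example:field" IncludeInResult="true">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">name</AttributeValue>
    </Attribute>
  </Attributes>

  <!-- What (2): field "email", same tenant and root resource. A second
       Attributes element of the same Category is what turns this into a
       multiple decision request. -->
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:example:tenant-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">T1</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Customer</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:example:field" IncludeInResult="true">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">email</AttributeValue>
    </Attribute>
  </Attributes>

  <!-- How: one action, shared by both individual requests -->
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
    </Attribute>
  </Attributes>
</Request>
```

Against the question's Rule-2 (Employee may read and update name, but only read email), a PDP that supports the profile answers with two Result elements, each carrying the echoed urn:example:field attribute: Permit for name, and for email either Deny or NotApplicable depending on the policy's rule combining algorithm (deny-unless-permit yields Deny). CombinedDecision="false" is deliberate: with "true" the PDP would collapse the two decisions into one, which is what you want for "may Alice update this whole record" but not for a per-field view. If a PEP needs different subject or action combinations per field, XACML 3.0 also offers the explicit MultiRequests/RequestReference form, where each RequestReference lists the xml:id values of the Attributes elements it combines.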
