是否可以比较XACML策略中的属性？

Question

The following rule says subjects with role "acme_manager" can perform any action on the resource "/acme/widgets":

<Rule Effect="Permit" RuleId="PermitRule">
      <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/acme/widgets</AttributeValue>
               <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Apply>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">acme_manager</AttributeValue>
               <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Apply>
         </Apply>
      </Condition>
   </Rule>

Would it be possible to create a more dynamic rule that says something like: "subjects with the role X_manager can perform any action on the resource /Y/widgets, if X equals Y"

So I could use the same policy to enforce:

• foo_manager ... /foo/widgets
• bar_manager ... /bar/widgets
• baz_manager ... /baz/widgets
• etc.

without creating multiple, similar policies.

Answer 1

Yes of course, this is in fact one of the key benefits of XACML over other authorization frameworks and definitely over RBAC.

In XACML, there are 2 elements you can use to define the applicability of the authorization. These are:

• XACML targets
  • targets exist in Policy Set elements, Policy elements, and Rule elements.
  • targets are for simple matching between an attribute and a value eg role=="manager"
• XACML conditions : conditions exist in Rule elements only.
  • conditions are for any type of matching including the one you are looking for. With conditions, you can compare any number of attributes eg userDepartment==resourceDepartment.

I recommend you use ALFA to write your policies. It's much easier than plain old XACML. ALFA is a free tool developed by Axiomatics (disclaimer: I work for Axiomatics). It is also in the process of being standardized at the OASIS XACML Technical Committee.

Answer 2

I think there're 2 ways to do this:

1. Define two "VariableDefinition"s in your policy: one to get the part before the underscore character, the other to get the the part between the last two slash character. [i wonder if XACML's core spec has defined such function] then you can use the two "VariableDefinition"s under the "Rule". then use a standart string-equal function to compare them.

2. just define a new function of your own, and add that to your FunctionFactory that your PDP uses. These two approach is the same, your need to apply a specified funtion on some attribute instead of using the raw attributevalue directly.