
How to define 4 eyes principle in ALFA (/XACML)?

I would like to know how a 4 eyes principle can be defined in ALFA.

For example: A bank employee wants to create a new account for a customer. He can create it, fill in all the client information and settings. But he needs to be unable to activate this account, unless his manager has approved him to do so.

So, when the bank employee presses the "activate account" button, a policy needs to enforce that his manager has to approve this first. Sounds like an obligation to me, or are there better ways to enforce this with a policy?

Can somebody give me an ALFA example of how to do this?

This is a great question. There are two ways you can do this. As you pointed out, you could use an obligation. Your policy would be as follows:

  • a user with the role==employee can do the action==activate on a resource of type==bank account if and only if the employee created the account --> PERMIT + obligation "pop up approval dialog for manager to sign the activation".

If the PEP fails to comply with the obligation then the account cannot be activated (the decision is switched to a DENY).

Doing so, though, gives the PEP a lot of work (the obligation to implement) and it creates a synchronous flow.

An alternative is to create another attribute to be used in the policy. That attribute could be managerApproved and employeeApproved. That creates an asynchronous flow but it means that you need to keep the values of managerApproved and employeeApproved in a database somewhere.

The policies would become:

  • a user with the role==employee can do the action==activate on a resource of type==bank account if and only if the employee created the account --> PERMIT + obligation "email the manager a link to approve the activation".
  • a user with the role==employee can do the action==activate on a resource of type==bank account if and only if isManagerApproved==true
  • a user with the role==manager can do the action==approve on a resource of type==bank account if and only if the creator is in the list of subordinates.
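An ALFA sketch of the asynchronous variant described in the answer above, added here as an illustration (it is not code from the original post or from Axiomatics). The attribute ids, the obligation id and all policy and rule names are assumptions; the approve rule also goes one step beyond the answer by requiring that the approving manager is not the account's creator, which is what makes the check four-eyed.

```alfa
namespace bank {
    import Attributes.*   // standard subjectId, actionId, resourceId
    // Assumed attribute ids; a real deployment would use its own PIP-backed ids.
    attribute role            { category = subjectCat  id = "bank.user.role"               type = string }
    attribute subordinateIds  { category = subjectCat  id = "bank.user.subordinateIds"     type = string }
    attribute resourceType    { category = resourceCat id = "bank.resource.type"           type = string }
    attribute creatorId       { category = resourceCat id = "bank.account.creatorId"       type = string }
    attribute managerApproved { category = resourceCat id = "bank.account.managerApproved" type = boolean }
    attribute accountRef      { category = resourceCat id = "bank.obligation.accountRef"   type = string }

    // Obligation the PEP must fulfil (e-mail the manager an approval link); assumed id.
    obligation emailManager = "bank.obligation.emailManager"

    policyset fourEyes {
        target clause resourceType == "bankAccount"
        apply firstApplicable
        policy activate {
            target clause actionId == "activate" and role == "employee"
            apply firstApplicable   // approved path first, then the request path, else deny
            // Second step: a manager has already approved, so activation is final (no obligation).
            rule alreadyApproved {
                condition managerApproved == true
                permit
            }

            // First step: only the creator may request activation; the PEP must notify the manager.
            rule requestActivation {
                condition subjectId == creatorId
                permit
                on permit {
                    obligation emailManager {
                        accountRef = resourceId
                    }
                }
            }
            rule fallThrough { deny }
        }

        policy approve {
            target clause actionId == "approve" and role == "manager"
            apply denyUnlessPermit
            // The creator must report to this manager, and the manager must not be the creator.
            rule creatorIsSubordinate {
                condition stringIsIn(stringOneAndOnly(creatorId), subordinateIds) and not(subjectId == creatorId)
                permit
            }
        }
    }
}
```

Because the activate policy uses firstApplicable, the emailManager obligation is only attached while managerApproved is still false; once the manager's approve decision has flipped that attribute in the database, the second press of "activate account" is permitted without it.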
