How to implement these rules in XACML policies?
Here is a requirement I am trying to implement via XACML/ABAC for learning purposes:
Resources: Building, Unit
Subject: Housekeeping staff
Any pointers?
Essentially, here is my concern: if the requirement were something like "A housekeeper can 'open' 'unitX' if s/he has 'open' permission on 'unitX'", I would have just written a simple rule.
However, with my actual requirement, the concerns are:
Since there is not one particular resource but many resources of the same type, should I be writing a separate policy for each resource? E.g. a separate policy for building "B1", another for "B2", and so on?
How will the policy "know" about the hierarchical relationship between building and unit?
Now that I think further about this, I think the following approach should work (?):
resource: /{buildingId}/{unitId} // this is how the policy will know the parent-child relationship
action: open
subject: subjectId and probably all permissions that this subject has (still thinking about how to represent the permissions, any suggestions?)
Any suggestions?
Thanks,
Jatin
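As an added example (not code from the question or the answer), here is one way the concern above can be expressed in XACML 3.0: a single policy that covers every building rather than one policy per "B1", "B2", etc. It assumes that the PEP or context handler splits a resource path like /{buildingId}/{unitId} into separate building-id and unit-id resource attributes, that the subject carries a role attribute and a bag of assigned-buildings, and that the concrete rule is "a housekeeper may open a unit whose building is assigned to them"; the urn:example:... attribute ids and that rule are assumptions, not something the page states.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed rule: a housekeeper may "open" a unit if the unit's building is one of
     the buildings assigned to them. The hierarchy (unit belongs to building) is
     supplied as resource attributes by the context handler, so one policy serves
     all buildings and units. -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="urn:example:policy:housekeeping-open-unit"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Description>Permit "open" on a unit when its building is assigned to the housekeeper.</Description>
  <Target>
    <AnyOf>
      <AllOf>
        <!-- Applies only to subjects whose (assumed) role attribute is "housekeeper" -->
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">housekeeper</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                               AttributeId="urn:example:attr:role"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="false"/>
        </Match>
        <!-- ... and only to the standard action-id "open" -->
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">open</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                               AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="false"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule RuleId="permit-open-unit-in-assigned-building" Effect="Permit">
    <Condition>
      <!-- True when the resource's building-id (parent of the requested unit, taken from
           /{buildingId}/{unitId}) appears in the subject's assigned-buildings bag.
           MustBePresent="true" makes a request without a building-id Indeterminate
           instead of silently evaluating against an empty bag. -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                             AttributeId="urn:example:attr:building-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="true"/>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                             AttributeId="urn:example:attr:assigned-buildings"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="false"/>
      </Apply>
    </Condition>
  </Rule>
</Policy>
```

Because deny-unless-permit is the combining algorithm, any request the Rule does not explicitly permit (wrong role, wrong action, or a building not in the subject's bag) results in Deny, which is the safe default for a physical-access decision.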
You need to define attributes like the following in an ABAC model:
Attribute - Building, Attribute Values - B1, B2, B3
Attribute - Unit, Attribute Values - B1U1, B1U2, B1U3, B2U1, B2U2, B2U3, B3U1, B3U2, B3U3
Attribute - Building Action, Attribute Value - Open
Attribute - Building Resident, Attribute Values - Resident1, Resident2
The hierarchical relation between a building and its building units needs to be defined as a resource inheritance relation:
Beneficiary - Building: B1, Inherited Values - Unit: B1U1, Unit: B1U2, Unit: B1U3
Beneficiary - Building: B2, Inherited Values - Unit: B2U1, Unit: B2U2, Unit: B2U3
Beneficiary - Building: B3, Inherited Values - Unit: B3U1, Unit: B3U2, Unit: B3U3
Now you need to define rules in an ABAC policy. You can use policy automation tools so that you do not need to think about inheritance relations during rule creation: you define those relations once, and later, when you create rules, the automation tool will remember those relations and create the rules for you automatically. You can download such a tool, named "Security Policy Tool". It is a commercial tool, but you can download a free demo which also includes a full XACML editor. Please check below a screenshot of your model in SPT:
Then, from this tool, you can automatically convert your ABAC policies into XACML and further edit them in the built-in XACML editor to fine-tune them.