XACML 在策略中结合 PIP

Question

I'm new to XACML architecture and would appreciate if you can help me with next question.

Is it possible to use multiple PIP in a way that answer extracted from one PIP is used as input parameter for other PIP?

If so can you provide me with simple XML request example?

Thanks in advance

Answer 1

Yes, it is possible to use multiple PIPs in a way that an attribute resolved by a PIP can be used as an input to another PIP.

Based on XACML architecture , it's up to the PDP to decide how to resolve attributes using PIPs.

How it works on a high level:

1. Input request(from PEP) to PDP contains an attribute say Subject-ID=Alice
2. The PDP evaluates the XACML policy based on the attributes from the input request. Eg, The policy says permit if Action-ID=Read
3. Since there is no Subject-ID defined in the policy, PDP tries to ask a PIP or PIPs to resolve Action-ID and provides PIPs the value it has which is Subject-ID (from the input request). Eg, Let's say we have 2 PIPs - PIP A can resolve resource-ID from Subject-ID and PIP B can resolve Action-ID from resource-ID
4. Here, what happens is PDP first resolves resource-ID based on the Subject-ID from input request using PIP A and then uses resource-ID to resolve Action-ID using PIP B which is then utilized by PDP to evaluate the the policy. If PIP B returns Alice, you get a permit decision else it would be NotApplicable

Note that this depends on how PDP is implemented to resolve attributes using chained PIPs as in your use case.

PDP from a company called Axiomatics is capable of performing a chained PIP lookup.

Disclosure : I work for Axiomatics where we provide XACML based access control solutions