
How to trace the value for an attribute using obligations in XACML

I wonder if there is a way to load an attribute value which was previously loaded by the PIP extension attribute finder and transfer it ($myattr1) into an obligation, in order to get a printout message in clear text, mainly useful for debugging tasks.

Below is my XACML obligation that I'd like to add to my rule (written in an abstract notation):

  <xacml2:Obligations>
    <xacml2:Obligation FulfillOn="Permit" ObligationId="debug1">
      $myattr1 = AttributeId="http://red.com/subject/groupsUserBelong"
      <xacml2:AttributeAssignment AttributeId="debug1" DataType="http://www.w3.org/2001/XMLSchema#string">Attribute found: $myattr1</xacml2:AttributeAssignment>
    </xacml2:Obligation>
  </xacml2:Obligations>

Updated Code Section

Below is an example of how to combine a text message with dynamic data from the PIP lookup, generating output via ObligationExpressions:

   <Rule Effect="Deny" RuleId="Deny-Rule1">
      <Target></Target>
      <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">myGroup</AttributeValue>
               <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="http://red.com/subject/groupsUserBelong" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
            </Apply>
         </Apply>
      </Condition>
      <ObligationExpressions>
         <ObligationExpression FulfillOn="Deny" ObligationId="groupscheck">
            <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Rule 1 - The groups validation error</AttributeValue>
            </AttributeAssignmentExpression>
         </ObligationExpression>
         <ObligationExpression FulfillOn="Deny" ObligationId="debug1">
            <AttributeAssignmentExpression AttributeId="debug1">
               <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="http://red.com/subject/groupsUserBelong" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
            </AttributeAssignmentExpression>
         </ObligationExpression>
      </ObligationExpressions>
   </Rule>
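As an added example (not code from the question or from any XACML product), here is a small Python evaluator for the XACML 3.0 rule above. It shows what a PDP hands back to the PEP when the rule fires: the static "groupscheck" message plus one "debug1" AttributeAssignment per value the PIP returned for groupsUserBelong. The evaluator assumes a request context keyed by (Category, AttributeId) holding the bag the attribute finder supplied, implements only the two functions the rule uses (`not` and `string-is-in`), and the three request contexts in `demo()` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

FN1 = "urn:oasis:names:tc:xacml:1.0:function:"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
GROUPS = "http://red.com/subject/groupsUserBelong"

# Constructed copy of the XACML 3.0 rule from the question (namespace-free
# fragment, as posted), embedded so the example runs offline.
RULE_XML = """
<Rule Effect="Deny" RuleId="Deny-Rule1">
  <Target></Target>
  <Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">myGroup</AttributeValue>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            AttributeId="http://red.com/subject/groupsUserBelong"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
      </Apply>
    </Apply>
  </Condition>
  <ObligationExpressions>
    <ObligationExpression FulfillOn="Deny" ObligationId="groupscheck">
      <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Rule 1 - The groups validation error</AttributeValue>
      </AttributeAssignmentExpression>
    </ObligationExpression>
    <ObligationExpression FulfillOn="Deny" ObligationId="debug1">
      <AttributeAssignmentExpression AttributeId="debug1">
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            AttributeId="http://red.com/subject/groupsUserBelong"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </AttributeAssignmentExpression>
    </ObligationExpression>
  </ObligationExpressions>
</Rule>
""".strip()


class Indeterminate(Exception):
    """A MustBePresent="true" designator resolved to an empty bag."""


def evaluate(expr, context):
    """Evaluate one XACML expression element.

    context maps (Category, AttributeId) -> list of string values, i.e. the bag
    the PIP / attribute finder returned. Bags are lists, results of boolean
    functions are bool. Only the functions the rule needs are implemented.
    """
    if expr.tag == "AttributeValue":
        return [expr.text]
    if expr.tag == "AttributeDesignator":
        bag = list(context.get((expr.get("Category"), expr.get("AttributeId")), []))
        if not bag and expr.get("MustBePresent") == "true":
            raise Indeterminate(expr.get("AttributeId"))
        return bag
    if expr.tag == "Apply":
        fn = expr.get("FunctionId")
        args = [evaluate(child, context) for child in expr]
        if fn == FN1 + "not":
            return not args[0]
        if fn == FN1 + "string-is-in":
            (needle,), haystack = args  # (string, bag of string) -> boolean
            return needle in haystack
        raise NotImplementedError(fn)
    raise NotImplementedError(expr.tag)


def evaluate_rule(rule_xml, context):
    """Return (decision, obligations); obligations is a list of
    (ObligationId, [(AttributeId, value), ...]) as the PEP would receive them."""
    rule = ET.fromstring(rule_xml)
    try:
        cond = rule.find("Condition")
        if cond is not None and not evaluate(cond[0], context):
            return "NotApplicable", []
        effect = rule.get("Effect")
        obligations = []
        for ob in rule.iterfind("ObligationExpressions/ObligationExpression"):
            if ob.get("FulfillOn") != effect:
                continue
            assignments = []
            for ae in ob.iterfind("AttributeAssignmentExpression"):
                # XACML 3.0 section 5.41: a bag result yields one
                # AttributeAssignment per value, so a multi-valued group
                # attribute produces several "debug1" assignments; an empty
                # bag yields none, but the obligation itself is still returned.
                for value in evaluate(ae[0], context):
                    assignments.append((ae.get("AttributeId"), value))
            obligations.append((ob.get("ObligationId"), assignments))
        return effect, obligations
    except Indeterminate:
        return "Indeterminate", []


def demo():
    """Three constructed request contexts: member, outsider, attribute missing."""
    member = {(SUBJECT, GROUPS): ["admins", "myGroup"]}
    outsider = {(SUBJECT, GROUPS): ["staff", "guests"]}
    no_groups = {}
    return (evaluate_rule(RULE_XML, member),
            evaluate_rule(RULE_XML, outsider),
            evaluate_rule(RULE_XML, no_groups))


if __name__ == "__main__":
    for decision, obligations in demo():
        print(decision)
        for oid, assignments in obligations:
            print("  obligation", oid)
            for attr_id, value in assignments:
                print("    ", attr_id, "=", value)
```

Two things the run makes visible that the rule alone does not: the "outsider" context yields a Deny whose debug1 obligation carries two assignments (one per group), and a request with no groupsUserBelong attribute is Indeterminate rather than Deny because the designator in the Condition has MustBePresent="true", so the debug obligation is never produced for exactly the case where a PIP lookup failed. If the "Attribute found: ..." prefix from the question is wanted, XACML 3.0 can build it with urn:oasis:names:tc:xacml:2.0:function:string-concatenate, but that function takes strings, not bags, so the designator must first go through string-one-and-only (or string-bag-to-string style reduction), which also means it fails on multi-valued groups. Finally, a debug obligation of this kind ships PIP data to the PEP in clear text, and a PEP that cannot fulfil an obligation it receives must deny access; treat it as a development aid and remove it from production policies.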

No, this is not possible in WSO2 IS and XACML 2.0. In order to do this, you need to use XACML 3.0. The ability to add variables inside an obligation (they're called attribute assignments in the XACML spec) was added to XACML 3.0.

The Axiomatics Policy Server does support that. As you point out, it is a neat feature for debugging purposes but also for other cases, e.g.

  • Deny a user the right to transfer money to themselves + obligation to notify their manager.

In this example, the obligation would contain the manager's email. Here is an example using the syntax.

    namespace example {
        // Attribute and obligation declarations are assumed here; the answer
        // shows only the policy body. Categories and ids are illustrative.
        attribute actionId     { category = actionCat   id = "urn:oasis:names:tc:xacml:1.0:action:action-id" type = string }
        attribute requestor    { category = subjectCat  id = "example.requestor"    type = string }
        attribute recipient    { category = resourceCat id = "example.recipient"    type = string }
        attribute employeeId   { category = subjectCat  id = "example.employeeId"   type = string }
        attribute managerEmail { category = subjectCat  id = "example.managerEmail" type = string }
        attribute message      { category = subjectCat  id = "example.message"      type = string }
        attribute employee     { category = subjectCat  id = "example.employee"     type = string }
        attribute email        { category = subjectCat  id = "example.email"        type = string }
        obligation notifyManager = "example.notifyManager"

        policy transferMoney {
            target clause actionId == "transfer"
            apply firstApplicable
            rule denySelfTransfer {
                condition requestor == recipient
                deny
                // The obligation is returned with the Deny; its attribute
                // assignments pull the manager's email from the request/PIP.
                on deny {
                    obligation notifyManager {
                        message = "An employee tried to transfer money to themselves"
                        employee = employeeId
                        email = managerEmail
                    }
                }
            }
        }
    }

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
