Hi, I am working with an XACML 3.0 policy and my scenario is:

The policy is based on multiple resources, and a single rule will contain multiple resources and the actions corresponding to each particular resource, as mentioned in the scenario below:

Policy:

Resources: firstname lastname email

Rule1:

 Action: 

 firstname : {create, read}
 lastname  : {delete, update, create}
 email     : {read} 

and the Role group allowed for this user group is admin.

Role for Rule1:

admin

How can I achieve this policy, and what will the request format look like for the same?

1 Answer

You can create the policy with a target that is a combination of resources and actions, and Rule1 with Permit effect in case the role is admin.

If you want to execute the action on multiple resources at the same time, you may use the Multiple Decision Profile, where you can send a single request to get the policy decisions for multiple resources in a single response.

The pseudo-code for the policy is as follows:

Policy1 Start
-Target Start
--(Resource is firstname) and ((action is create) or (action is read))
OR
--(Resource is lastname) and ((action is delete) or (action is update) or (action is create))
OR
--(Resource is email) and (action is read)
-Target End

-Rule1 with effect Permit
--Role is admin
-Rule1 End

-Policy1 End
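
The decision logic of the pseudo-code above, modelled in Python as an added example (not part of the original answer and not a XACML engine). The function names are hypothetical, and the model assumes a rule-combining algorithm such as first-applicable or deny-overrides, under which a policy with no applicable rule returns NotApplicable. It shows that this policy never returns Deny, so the enforcement point has to treat anything other than Permit as a refusal.

```python
from itertools import product

# Target from the answer's pseudo-code: resource -> actions allowed on it.
TARGET = {
    "firstname": {"create", "read"},
    "lastname": {"delete", "update", "create"},
    "email": {"read"},
}
PERMIT_ROLE = "admin"  # condition of Rule1


def evaluate(roles, resource, action):
    """Evaluate Policy1 for one (subject roles, resource, action) request.

    Assumption: the rule-combining algorithm is first-applicable or
    deny-overrides, so a policy with no applicable rule is NotApplicable.
    """
    if action not in TARGET.get(resource, set()):
        return "NotApplicable"  # policy target did not match
    if PERMIT_ROLE in roles:
        return "Permit"  # Rule1 applies
    return "NotApplicable"  # Rule1 did not apply; no rule says Deny


def evaluate_multiple(roles, resources, actions):
    """Multiple Decision Profile style request: several resources and
    actions in one request are evaluated as every resource/action pair,
    and one decision per pair comes back in a single response."""
    return {(r, a): evaluate(roles, r, a) for r, a in product(resources, actions)}


def pep_allows(decision):
    """Deny-biased enforcement point: only an explicit Permit grants access."""
    return decision == "Permit"


if __name__ == "__main__":
    # Constructed sample request: an admin asking for read and delete
    # on all three resources at once.
    results = evaluate_multiple(
        {"admin"}, ["firstname", "lastname", "email"], ["read", "delete"]
    )
    for (resource, action), decision in results.items():
        print(f"{resource:10} {action:7} {decision:14} allowed={pep_allows(decision)}")
```
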