
Create an XACML policy with multiple roles for a single user on the same resource, and how to create a request that matches only the rule for the selected role and resource.

The Data Model

  • resources:- company
  • roles:- admin(create and delete), visitor(read), tenant(update);
  • user:- abc;

Scenario

  1. If the user logs in to the application with resource "company" and selects the "admin" role, then create a request, validate it against the XACML policy rules, and permit (create and delete).

  2. If the user logs in to the application with resource "company" and selects the "visitor" role, then create a request, validate it against the XACML policy rules, and permit (read).

  3. If the user logs in to the application with resource "company" and selects the "tenant" role, then create a request, validate it against the XACML policy rules, and permit (update).

Question

I only want a sample policy and request. What type of XACML policy should we create, and what request should we send, in XML format?

This sounds a lot like homework... What have you tried so far? Which library are you using? — David Brossard



Here is the policy you are looking for, written in ALFA.

namespace com.axiomatics.so.pankaj{    
/**
 * Company policy
 */
// Top-level policy set. The target below means any request whose resource
// attribute is not "company" is NotApplicable and never reaches the child policies.
policyset company{
    target clause resource == "company"
    // Child policies are tried in order and the first Permit or Deny wins. Each
    // child keys on a different role value, so order only matters if a single
    // request asserts more than one role value.
    apply firstApplicable
    /**
     * Administrators can...
     */
    policy administrator{
        target clause role == "admin"
        apply firstApplicable
        /**
         * Create
         */
        rule create{
            target clause action == "create"
            permit
        }
        /**
         * Delete
         */
        rule delete{
            target clause action == "delete"
            permit
        }
        // No catch-all deny rule: any other action returns NotApplicable from this
        // policy, so the enforcing PEP has to treat NotApplicable as "no access".
    }
    /**
     * Visitors can...
     */
    policy visitor{
        target clause role == "visitor"
        apply firstApplicable
        /**
         * read
         */
        rule read{
            target clause action == "read"
            permit
        }
        // Same as above: actions other than "read" are NotApplicable, not Deny.
    }
    /**
     * Tenants can...
     */
    policy tenant{
        target clause role == "tenant"
        apply firstApplicable
        /**
         * Update
         */
        rule update{
            target clause action == "update"
            permit
        }
        // Same as above: actions other than "update" are NotApplicable, not Deny.
    }
}

}

You also need to define the attributes you will be using in the policy:

// Attribute declarations. The ALFA name (role, resource, action) is only a local
// alias; the `id` string is what appears as AttributeId in the generated XACML and
// in requests, and the category fixes which part of the request it is read from.
attribute role{
    // Read from the access-subject category. The sample request in this answer
    // supplies the value directly, so it is whatever the caller asserts.
    // NOTE(review): confirm the PEP populates it from the authenticated session
    // rather than from a user-selected field.
    category = subjectCat
    id = "com.axiomatics.so.role"
    type = string
}
attribute resource{
    // Despite the local name "resource", requests must carry this exact id.
    category = resourceCat
    id = "com.axiomatics.so.company"
    type = string
}
attribute action{
    category = actionCat
    id = "com.axiomatics.so.action"
    type = string
}

This leads to the following XACML policy in XML:

<?xml version="1.0" encoding="UTF-8"?><!--This file was generated by the 
    ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). --><!--Any modification to this file will 
    be lost upon recompilation of the source ALFA file -->
<xacml3:PolicySet
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable"
    PolicySetId="http://axiomatics.com/alfa/identifier/com.axiomatics.so.pankaj.company"
    Version="1.0"
    xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
    <xacml3:Description>Company policy</xacml3:Description>
    <xacml3:PolicySetDefaults>
        <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
        </xacml3:XPathVersion>
    </xacml3:PolicySetDefaults>
    <!-- PolicySet target: only requests whose resource attribute equals "company" are
         considered. MustBePresent="false" means a request that omits the attribute
         simply does not match (NotApplicable) instead of producing Indeterminate. -->
    <xacml3:Target>
        <xacml3:AnyOf>
            <xacml3:AllOf>
                <xacml3:Match
                    MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <xacml3:AttributeValue
                        DataType="http://www.w3.org/2001/XMLSchema#string">company</xacml3:AttributeValue>
                    <xacml3:AttributeDesignator
                        AttributeId="com.axiomatics.so.company"
                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        MustBePresent="false" />
                </xacml3:Match>
            </xacml3:AllOf>
        </xacml3:AnyOf>
    </xacml3:Target>
    <!-- Combining algorithm is first-applicable: child policies are evaluated in
         document order and the first Permit or Deny wins. Each child targets one
         role value, so a request carrying a single role reaches at most one of them. -->
    <xacml3:Policy
        PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.so.pankaj.company.administrator"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        Version="1.0">
        <xacml3:Description>Administrators can...</xacml3:Description>
        <xacml3:PolicyDefaults>
            <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
            </xacml3:XPathVersion>
        </xacml3:PolicyDefaults>
        <xacml3:Target>
            <xacml3:AnyOf>
                <xacml3:AllOf>
                    <xacml3:Match
                        MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">admin</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator
                            AttributeId="com.axiomatics.so.role"
                            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            MustBePresent="false" />
                    </xacml3:Match>
                </xacml3:AllOf>
            </xacml3:AnyOf>
        </xacml3:Target>
        <xacml3:Rule Effect="Permit"
            RuleId="com.axiomatics.so.pankaj.company.administrator.create">
            <xacml3:Description>Create</xacml3:Description>
            <xacml3:Target>
                <xacml3:AnyOf>
                    <xacml3:AllOf>
                        <xacml3:Match
                            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <xacml3:AttributeValue
                                DataType="http://www.w3.org/2001/XMLSchema#string">create</xacml3:AttributeValue>
                            <xacml3:AttributeDesignator
                                AttributeId="com.axiomatics.so.action"
                                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                DataType="http://www.w3.org/2001/XMLSchema#string"
                                MustBePresent="false" />
                        </xacml3:Match>
                    </xacml3:AllOf>
                </xacml3:AnyOf>
            </xacml3:Target>
        </xacml3:Rule>
        <xacml3:Rule Effect="Permit"
            RuleId="com.axiomatics.so.pankaj.company.administrator.delete">
            <xacml3:Description>Delete</xacml3:Description>
            <xacml3:Target>
                <xacml3:AnyOf>
                    <xacml3:AllOf>
                        <xacml3:Match
                            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <xacml3:AttributeValue
                                DataType="http://www.w3.org/2001/XMLSchema#string">delete</xacml3:AttributeValue>
                            <xacml3:AttributeDesignator
                                AttributeId="com.axiomatics.so.action"
                                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                DataType="http://www.w3.org/2001/XMLSchema#string"
                                MustBePresent="false" />
                        </xacml3:Match>
                    </xacml3:AllOf>
                </xacml3:AnyOf>
            </xacml3:Target>
        </xacml3:Rule>
        <!-- Permit-only rules with no Deny fallback: an action other than create/delete
             yields NotApplicable from this policy, so the PEP must treat NotApplicable
             as no access. The same holds for the visitor and tenant policies below. -->
    </xacml3:Policy>
    <xacml3:Policy
        PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.so.pankaj.company.visitor"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        Version="1.0">
        <xacml3:Description>Visitors can...</xacml3:Description>
        <xacml3:PolicyDefaults>
            <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
            </xacml3:XPathVersion>
        </xacml3:PolicyDefaults>
        <xacml3:Target>
            <xacml3:AnyOf>
                <xacml3:AllOf>
                    <xacml3:Match
                        MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">visitor</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator
                            AttributeId="com.axiomatics.so.role"
                            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            MustBePresent="false" />
                    </xacml3:Match>
                </xacml3:AllOf>
            </xacml3:AnyOf>
        </xacml3:Target>
        <xacml3:Rule Effect="Permit"
            RuleId="com.axiomatics.so.pankaj.company.visitor.read">
            <xacml3:Description>read</xacml3:Description>
            <xacml3:Target>
                <xacml3:AnyOf>
                    <xacml3:AllOf>
                        <xacml3:Match
                            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <xacml3:AttributeValue
                                DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue>
                            <xacml3:AttributeDesignator
                                AttributeId="com.axiomatics.so.action"
                                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                DataType="http://www.w3.org/2001/XMLSchema#string"
                                MustBePresent="false" />
                        </xacml3:Match>
                    </xacml3:AllOf>
                </xacml3:AnyOf>
            </xacml3:Target>
        </xacml3:Rule>
    </xacml3:Policy>
    <xacml3:Policy
        PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.so.pankaj.company.tenant"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        Version="1.0">
        <xacml3:Description>Tenants can...</xacml3:Description>
        <xacml3:PolicyDefaults>
            <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
            </xacml3:XPathVersion>
        </xacml3:PolicyDefaults>
        <xacml3:Target>
            <xacml3:AnyOf>
                <xacml3:AllOf>
                    <xacml3:Match
                        MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">tenant</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator
                            AttributeId="com.axiomatics.so.role"
                            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            MustBePresent="false" />
                    </xacml3:Match>
                </xacml3:AllOf>
            </xacml3:AnyOf>
        </xacml3:Target>
        <xacml3:Rule Effect="Permit"
            RuleId="com.axiomatics.so.pankaj.company.tenant.update">
            <xacml3:Description>Update</xacml3:Description>
            <xacml3:Target>
                <xacml3:AnyOf>
                    <xacml3:AllOf>
                        <xacml3:Match
                            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <xacml3:AttributeValue
                                DataType="http://www.w3.org/2001/XMLSchema#string">update</xacml3:AttributeValue>
                            <xacml3:AttributeDesignator
                                AttributeId="com.axiomatics.so.action"
                                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                DataType="http://www.w3.org/2001/XMLSchema#string"
                                MustBePresent="false" />
                        </xacml3:Match>
                    </xacml3:AllOf>
                </xacml3:AnyOf>
            </xacml3:Target>
        </xacml3:Rule>
    </xacml3:Policy>
</xacml3:PolicySet>

Sample Request & Response

{
"Request": {
    "ReturnPolicyIdList": true,
    "AccessSubject": {
        "Attribute": [
            {
                "AttributeId": "com.axiomatics.so.role",
                "Value": "admin"
            }
        ]
    },
    "Resource": {
        "Attribute": [
            {
                "AttributeId": "com.axiomatics.so.company",
                "Value": "company"
            }
        ]
    },
    "Action": {
        "Attribute": [
            {
                "AttributeId": "com.axiomatics.so.action",
                "Value": "create"
            }
        ]
    },
    "Environment": {
        "Attribute": []
    }
}
}

And the response

{
  "Response" : {
    "Decision" : "Permit",
    "Status" : {
      "StatusCode" : {
        "Value" : "urn:oasis:names:tc:xacml:1.0:status:ok",
        "StatusCode" : {
          "Value" : "urn:oasis:names:tc:xacml:1.0:status:ok"
        }
      }
    },
    "PolicyIdentifierList" : {
      "PolicyIdReference" : {
        "Id" : "http://axiomatics.com/alfa/identifier/com.axiomatics.so.pankaj.company.administrator",
        "Version" : "1.0"
      },
      "PolicySetIdReference" : {
        "Id" : "http://axiomatics.com/alfa/identifier/com.axiomatics.so.pankaj.company",
        "Version" : "1.0"
      }
    }
  }
}