I am very new to XACML. And I am using XACML to express policy. But I can't find any good examples except a few from the OASIS XACML Technical Committee.
Ok, here is m
Based on the requirement you have, you need to use a XACML condition. Conditions live within rules only so this means you'll have to put your logic inside the rule.
This is because you will need a function not allowed in XACML targets: n-of.
This is also because a XACML Target cannot have negative expressions. The only way you can express Not(A1) is via a condition.
The reason for that is that XACML deals with attribute bags. So when you write in a target:
role==manager
What you are in fact saying is: if the user has at least one role equal to manager...
So what would the opposite of that be?
With respect to your 2 of (a,b,c), you can use the XACML function called n-of (urn:oasis:names:tc:xacml:1.0:function:n-of defined in A.3.5 Logical functions)
The outcome, in ALFA:

    /**
     * (not A1) and (A2 OR A3) and (2 of (A4, A5,A6))
     */
    policy stackoverflow{
        apply firstApplicable
        rule so{
            // A1..A6 are string attributes; "==" against a bag is an any-of match
            condition not(A1=="some value") && (A2=="" || A3=="") && nOf(2, stringOneAndOnly(A4)=="value", stringOneAndOnly(A5)=="value", stringOneAndOnly(A6)=="value")
            permit
        }
    }
In the example above I made A1 through A6 string attributes instead of boolean to show how you would compare with values. Note that I have to use the stringOneAndOnly function to make sure there is a single value for each of the attributes used in the nOf function.
The XACML output is the following:
(not A1) and (A2 OR A3) and (2 of (A4, A5,A6))
http://www.w3.org/TR/1999/REC-xpath-19991116
some value
2
value
value
value
--- EDIT ---
To express negative conditions e.g. not(gender==male), you have two options:
In the former case you can write the following:

    policy checkGender{
        apply firstApplicable
        rule male{
            target clause gender=="male"
            permit
        }
        rule female{
            target clause gender=="female"
            permit
        }
        /**
         * Optionally add a catch all case
         */
        rule other{
            target clause ... // Here you'd have to define other checks you are interested in
        }
    }
In the latter case, you need to write a negative condition. To do that you need to use a XACML condition. Since XACML conditions only live inside rules, you need to go down to the XACML Rule level.
    policy checkGender{
        apply firstApplicable
        rule notMale{
            condition not(gender=="male")
            permit
        }
    }
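Added example (not from the answer above, and not from any XACML implementation): a small Python model of how a PDP would evaluate the answer's condition, to make the attribute-bag point concrete. `A1=="some value"` on a bag is an any-of match, so `not(...)` holds only when no value in the bag matches, and string-one-and-only yields Indeterminate when the attribute has zero or several values. The attribute ids A1..A6 and gender are the answer's placeholders; the request format is assumed.

```python
"""Toy model of XACML bag semantics for the answer's ALFA rules."""


class Indeterminate(Exception):
    """Raised when a function such as string-one-and-only cannot be applied."""


def any_of_equal(bag, value):
    # Target-style match: true if at least one value in the bag equals `value`.
    return any(v == value for v in bag)


def string_one_and_only(bag):
    # urn:oasis:names:tc:xacml:1.0:function:string-one-and-only
    if len(bag) != 1:
        raise Indeterminate(f"expected exactly one value, got {len(bag)}")
    return bag[0]


def n_of(n, *args):
    # urn:oasis:names:tc:xacml:1.0:function:n-of: at least n of args are true.
    if n > len(args):
        raise Indeterminate("n-of: n exceeds the number of arguments")
    return sum(1 for a in args if a) >= n


def evaluate_rule(req):
    """Rule 'so': not(A1=="some value") && (A2=="" || A3=="") && nOf(2, A4..A6).
    `req` maps an attribute id to its bag (list of strings; absent => empty bag).
    Returns Permit, NotApplicable or Indeterminate. Errors are propagated
    coarsely; a real PDP may still resolve some mixed cases to False."""
    def bag(attr):
        return req.get(attr, [])
    try:
        cond = (not any_of_equal(bag("A1"), "some value")
                and (any_of_equal(bag("A2"), "") or any_of_equal(bag("A3"), ""))
                and n_of(2, string_one_and_only(bag("A4")) == "value",
                         string_one_and_only(bag("A5")) == "value",
                         string_one_and_only(bag("A6")) == "value"))
    except Indeterminate:
        return "Indeterminate"
    return "Permit" if cond else "NotApplicable"


def evaluate_not_male(req):
    """Rule 'notMale': condition not(gender=="male"). An absent gender
    attribute (empty bag) is also 'not male' and therefore permitted."""
    matched = any_of_equal(req.get("gender", []), "male")
    return "NotApplicable" if matched else "Permit"
```

A subject whose A1 bag contains both "some value" and another value is still rejected, which is exactly why the answer says the opposite of "at least one role equals manager" cannot be written in a target.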