Using XACML to express policy which is a logical expression

广开言路 2021-01-23 10:16

I am very new to XACML. And I am using XACML to express policy. But I can't find any good examples except a few from the OASIS XACML Technical Committee.

Ok, here is m

1 answer
  • 2021-01-23 11:01

    Based on the requirement you have, you need to use a XACML condition. Conditions live within rules only so this means you'll have to put your logic inside the rule.

    This is because you will need a function not allowed in XACML targets: n-of.

    This is also because a XACML Target cannot have negative expressions. The only way you can express Not(A1) is via a condition.

    The reason for that is that XACML deals with attribute bags. So when you write in a target:

    role==manager
    

    What you are in fact saying is: if the user has at least one role equal to manager...

    So what would the opposite of that be?

    With respect to your 2 of (a,b,c), you can use the XACML function called n-of (urn:oasis:names:tc:xacml:1.0:function:n-of defined in A.3.5 Logical functions)

    The outcome is in ALFA

    /**
     * (not A1) and (A2 OR A3) and (2 of (A4, A5,A6))
     */
    policy stackoverflow{
        apply firstApplicable
        rule so{
            condition not(A1=="some value") && (A2=="" || A3=="") && nOf(2, stringOneAndOnly(A4)=="value", stringOneAndOnly(A5)=="value", stringOneAndOnly(A6)=="value")
            permit
        }
    }   
    

    In the example above I made A1 through A6 string attributes instead of boolean to show how you would compare with values. Note that I have to use the stringOneAndOnly function to make sure there is a single value for each of the attributes used in the nOf function.

    The XACML output is the following:

    <?xml version="1.0" encoding="UTF-8"?>
     <!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). 
     Any modification to this file will be lost upon recompilation of the source ALFA file-->
    <xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="http://axiomatics.com/alfa/identifier/policing.principles.stackoverflow"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        Version="1.0">
        <xacml3:Description>(not A1) and (A2 OR A3) and (2 of (A4, A5,A6))</xacml3:Description>
        <xacml3:PolicyDefaults>
            <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
        </xacml3:PolicyDefaults>
        <xacml3:Target />
        <xacml3:Rule 
                Effect="Permit"
                RuleId="http://axiomatics.com/alfa/identifier/policing.principles.stackoverflow.so">
            <xacml3:Description />
            <xacml3:Target />
            <xacml3:Condition>
                <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
                    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not" >
                        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
                            <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                            <xacml3:AttributeValue
                                DataType="http://www.w3.org/2001/XMLSchema#string">some value</xacml3:AttributeValue>
                            <xacml3:AttributeDesignator 
                                AttributeId="A1"
                                DataType="http://www.w3.org/2001/XMLSchema#string"
                                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                MustBePresent="false"
                            />
                        </xacml3:Apply>
                    </xacml3:Apply>
                    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
                        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
                            <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
                                <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                                <xacml3:AttributeValue
                                    DataType="http://www.w3.org/2001/XMLSchema#string"></xacml3:AttributeValue>
                                <xacml3:AttributeDesignator 
                                    AttributeId="A2"
                                    DataType="http://www.w3.org/2001/XMLSchema#string"
                                    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                    MustBePresent="false"
                                />
                            </xacml3:Apply>
                            <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
                                <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                                <xacml3:AttributeValue
                                    DataType="http://www.w3.org/2001/XMLSchema#string"></xacml3:AttributeValue>
                                <xacml3:AttributeDesignator 
                                    AttributeId="A3"
                                    DataType="http://www.w3.org/2001/XMLSchema#string"
                                    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                    MustBePresent="false"
                                />
                            </xacml3:Apply>
                        </xacml3:Apply>
                        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:n-of" >
                            <xacml3:AttributeValue
                                DataType="http://www.w3.org/2001/XMLSchema#integer">2</xacml3:AttributeValue>
                            <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                                <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" >
                                    <xacml3:AttributeDesignator 
                                        AttributeId="A4"
                                        DataType="http://www.w3.org/2001/XMLSchema#string"
                                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                        MustBePresent="false"
                                    />
                                </xacml3:Apply>
                                <xacml3:AttributeValue
                                    DataType="http://www.w3.org/2001/XMLSchema#string">value</xacml3:AttributeValue>
                            </xacml3:Apply>
                            <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                                <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" >
                                    <xacml3:AttributeDesignator 
                                        AttributeId="A5"
                                        DataType="http://www.w3.org/2001/XMLSchema#string"
                                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                        MustBePresent="false"
                                    />
                                </xacml3:Apply>
                                <xacml3:AttributeValue
                                    DataType="http://www.w3.org/2001/XMLSchema#string">value</xacml3:AttributeValue>
                            </xacml3:Apply>
                            <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                                <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" >
                                    <xacml3:AttributeDesignator 
                                        AttributeId="A6"
                                        DataType="http://www.w3.org/2001/XMLSchema#string"
                                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                        MustBePresent="false"
                                    />
                                </xacml3:Apply>
                                <xacml3:AttributeValue
                                    DataType="http://www.w3.org/2001/XMLSchema#string">value</xacml3:AttributeValue>
                            </xacml3:Apply>
                        </xacml3:Apply>
                    </xacml3:Apply>
                </xacml3:Apply>
            </xacml3:Condition>
        </xacml3:Rule>
    </xacml3:Policy>
    

    --- EDIT ---

    To express negative conditions e.g. not(gender==male), you have two options:

    • either the set of possible values is finite e.g. true/false, male/female, hot/warm/cold and you are happy building a policy or rule per case.
    • or the set of possible values is too long or infinite e.g. a numerical value or a list of citizenships (180+ of those).

    In the former case you can write the following:

    policy checkGender{
        apply firstApplicable
        rule male{
            target clause gender=="male"
            permit
        }
        rule female{
            target clause gender=="female"
            permit
        }
        /**
         * Optionally add a catch all case
         */
        rule other{
            target clause ... // Here you'd have to define other checks you are interested in
        }
    }
    

    In the latter case, you need to write a negative condition. To do that you need to use a XACML condition. Since XACML conditions only live inside rules, you need to go down to the XACML Rule level.

    policy checkGender{
        apply firstApplicable
        rule notMale{
            condition not(gender=="male")
            permit
        }
    }
    
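The answer's point about attribute bags is easiest to see by running it. The following Python is an added toy evaluator (not part of the answer and not a XACML PDP) for the answer's own condition, `(not A1) and (A2 or A3) and 2-of(A4, A5, A6)`: `any-of` matches if at least one value in a bag is equal, `string-one-and-only` yields Indeterminate unless the bag holds exactly one value, and `n-of` is evaluated lazily from left to right. Attribute ids A1 to A6 are taken from the answer; the request shapes are constructed here.

```python
class Indeterminate(Exception):
    """A XACML function that cannot yield True or False (e.g. bad bag size)."""

def any_of(value, bag):
    # any-of(string-equal, value, bag): True if at least one bag value matches,
    # i.e. the "has at least one role equal to manager" semantics of a target.
    return any(v == value for v in bag)

def one_and_only(bag):
    # string-one-and-only: Indeterminate unless the bag holds exactly one value.
    if len(bag) != 1:
        raise Indeterminate(f"bag has {len(bag)} values, expected exactly 1")
    return bag[0]

def n_of(n, args):
    # n-of: args are zero-argument callables, evaluated lazily left to right.
    if n == 0:
        return True
    if len(args) < n:
        raise Indeterminate("fewer boolean arguments than required matches")
    hits = 0
    for i, arg in enumerate(args):
        if arg():
            hits += 1
            if hits >= n:
                return True
        if hits + (len(args) - i - 1) < n:
            return False  # the remaining arguments can no longer reach n
    return False

def evaluate_rule(request):
    """Evaluate the answer's Permit rule: request maps attribute id -> bag of
    strings; a missing id is an empty bag (MustBePresent="false")."""
    def bag(attr_id):
        return request.get(attr_id, [])

    clauses = (
        lambda: not any_of("some value", bag("A1")),            # not(A1=="some value")
        lambda: any_of("", bag("A2")) or any_of("", bag("A3")),  # A2=="" || A3==""
        lambda: n_of(2, [lambda a=a: one_and_only(bag(a)) == "value"
                         for a in ("A4", "A5", "A6")]),          # nOf(2, ...)
    )
    try:
        for clause in clauses:       # 'and' stops at the first False clause
            if not clause():
                return "NotApplicable"
        return "Permit"
    except Indeterminate:
        return "Indeterminate"
```

A request where A1 carries two values, one of them "some value", is NotApplicable, and a request where A4 is absent but A5 and A6 both match is Indeterminate rather than Permit, because `string-one-and-only` fails on the empty bag before `n-of` can count the other two.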