abac

Hierarchical attributes in XACML Policy

别等时光非礼了梦想. Submitted on 2021-02-07 09:28:34
Question: We are using WSO2 Identity Server 5.1.0. We have a location hierarchy like Plant1->Area1->unit1. Now if a user is having attribute for the Plant1, he should get access to unit1 as well (all children of the parent in a tree). Can we specify this in XACML? We have the hierarchy stored in DB. We can provide the list of hierarchical elements as a list of attributes also if so required. Problem explained in sample: A user bob has been given access to area2 as shown below : Plant1 |--Area1 |-

Fine-grained authorization for web applications

≯℡__Kan透↙ Submitted on 2020-01-01 03:16:06
Question: I have a C# .net application which serves both company's internal users and external customers. I need to do fine-grained authorization like who accesses what resource. So I need something like resource-based or attribute-based rather than a role-based authorization. What comes to my mind is to either: Implement my own authorization mechanism and sql tables for my .net application Use/implement a standard mechanism, like a software that has implemented XACML (for instance Axiomatics) The

Fiware IDM : Dynamic permission resource

六月ゝ 毕业季﹏ Submitted on 2019-12-24 10:59:50
Question: I've deployed an application based on Fiware generic enablers, in Docker. The versions are: Orion 1.14, Cygnus 1.9.0, Authzforce 5.4.1, Keyrock: the latest, Pep-proxy: 7.0.1. But when I want to create a permission in keyrock I can't find a specific syntax or character sequence to enter a dynamic resource in the resource field like: /resource1/<user>/info, or to specify only the resource prefix like: /resource2/<whatever>. Really exists the syntax for the dynamic resource and authzforce can

RBAC system with two parameters

孤街浪徒 Submitted on 2019-12-23 05:01:43
Question: I’m looking for an example or best practices for a RBAC system with two parameters. Rather than simply having a user associated with a role, and that role associated with a group of permissions; a user can be associated with a role “for a specific project,” and the user can then have the permissions of that role for that project only (or for other projects that the user holds that role for). A user can have a specific role on one project, and a different role on another project; the

Cannot access user attribute using Attribute Based Access Control (ABAC) in Hyperledger Fabric 1.1

泪湿孤枕 Submitted on 2019-12-22 18:12:24
Question: I am trying out Attribute based access control using GoLang and facing an issue in getting the attribute in the chaincode. I'm using cid.GetAttributeValue() function and the function returns nothing. It prints blank and the found variable is set to false. The things I have done are: Registered a user defined attribute named "firstName" with value "*" to the admin. (Also tried setting it to a specific value) Enrolled that admin to the network Registered and enrolled the user with the same

XACML how to efficiently control Access to Collections (Lists) of Resources

允我心安 Submitted on 2019-12-13 01:04:02
Question: Let's say I have a collection transactions and a policy that grants read access to a transaction within that collection for users with the role user, if the user's department is the same as the one of the record. The Problem: If I access single resources I have no problem checking access per resource. But if I want to enumerate/list the whole collection I would need to check each and every item in the collection which is not efficient (especially if your amount of entries is "high"). It would

How to using client_ip and request_uri in XACML policy in WSO2 IS

泪湿孤枕 Submitted on 2019-12-11 15:48:56
Question: We are using WSO2 IS as the Identity Bus for our solutions. We make REST API in WSO2 ESB to implement our Integration and use OAuth mediator in that to secure our API. In WSO2 IS we create a service provider as sp1 and apply XACML policy to that. I want to create XACML policy to permit incoming requests just when client_ip is xxx.xxx.xxx.xxx and request URI is http://wso2ESB.uri/sampleApi/app and method is GET. Please help me to make this XACML policy in WSO2 IS. Answer 1: Currently WSO2

Cannot import XACML 3,0 policy file inside WSO2 Identity Server 5.1.0

落花浮王杯 Submitted on 2019-12-11 11:34:33
Question: I am getting "Policy uploading failed. Invalid Entitlement Policy. Policy is not valid according to XACML schema" message, whenever I am uploading policy in WSO2 identity server. I have wso2is-5.1.0 version. I got this XACML policy from this WSO2 tutorial. The XACML policy is: <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="Entitlement_Filter_Sample_Policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">

Where should the authorization logic go in an api based application?

耗尽温柔 Submitted on 2019-12-11 06:57:57
Question: I have a brand new Rails api based application, where I need to implement authorization. Overall Architecture: React frontend -> Rails API layer -> Rails model/server layer While exploring different approaches, I have got a confusion. Should we put the authorization logic in API layer or Service layer? API Layer Approach: We will build some authorization middleware that will sit between our front end and API layer and all our api calls will be routed through the authorization middleware to

How does an access control mechanism (e.g., RBAC or ABAC) protect resources?

喜你入骨 Submitted on 2019-12-08 13:37:00
Question: How does an access control mechanism (e.g., RBAC or ABAC) protect resources? I know how access control mechanisms such as RBAC, ABAC and so on work. In other words, I know how the access control engine evaluates requests and makes decisions (permit, deny, etc.). But, I do not know how they protect the resources. I mean, how does, for example, ABAC enforce a Deny decision? Are the resources encrypted? Or are they stored in a secure database? Answer 1: RBAC and ABAC work in different ways to achieve