XACML Policy based on Resource and Child Resources

Question

Hi I need a policy where I can have multiple child resources. Policy is based on Resource where the Top level Resource is Customer and the child resources corresponding to that is 1. firstname , 2. lastname

Customer -- -- 1. firstname -- 2. lastname

How to achieve this Policy using WSO2 identity server and Axiomatics Alfa Plugin or is there any other way to achieve this policy. I need a policy structure and the request for the same policy.

Answer 1

Your problem is not a technical problem but merely a modeling one. You need to agree on what your resource is and what your resource hierarchy is.

What I sometimes do is have a resource-type == customer record (in your case) and then a field-id == firstname.

What I'm doing is introducing 2 attributes to model a resource hierarchy:

• resource-type
• field-id

It's one simple way to get things working.

EDIT - sample policy:

policy documentAccess{
    target clause resourceType=="document" and actionId=="view"
    apply firstApplicable
    rule viewSSN{
        target clause fieldId=="ssn"
        condition subjectId==assignedPerson
        permit
    }
    rule viewBalance{
        target clause fieldId=="balance"
        condition subjectId==assignedPerson
        permit
    }
    rule viewOtherFields{
        target clause fieldSensitive == false
        permit
    }
}