Question

Description

I have created multiple XACML files containing several policies which are evaluated according to the first-applicable rule-combining-algorithm.

Sometimes I am unable to avoid code duplication in XACML and I have to copy a certain XACML policy at several locations in the XACML file.

Is it possible to avoid code duplication in XACML via e.g. <import file="xacml/deny-policy.xacml"/> like in XML or via another way?

Solution

Actually, there is already a way to refer to existing policies inside another policy for reusability. You may use either of the two ways:

  1. Using a Policy Id reference: Call an existing policy inside another policy/PolicySet.
  2. Using a Policy Set Id reference: Call an existing PolicySet inside another PolicySet.

For example, below is the way to call an existing policy inside another policy:

Existing policy "policy1" to be reused:

<Policy PolicyId="policy1" ....>
....
....
</Policy>

Call "policy1" inside another policy:

<PolicySet PolicySetId="MasterPolicy" ....>
<Description>Master Policy Set</Description>
<Target>
  ....
</Target>

<!-- PolicyIdReference is only valid as a child of a PolicySet -->
<PolicyIdReference>policy1</PolicyIdReference>

</PolicySet>
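
A check for the references described in the answer above, added here as an example and not code from the original post: it loads a set of XACML 3.0 documents and reports any PolicyIdReference or PolicySetIdReference that is not a child of a PolicySet (the only parent the XACML 3.0 schema allows for them) or that names an ID none of the loaded documents define. The sample documents, the IDs `policy2` and `Wrapper`, and the function names are constructed for illustration; version-matching attributes on references are ignored.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
FIRST = "urn:oasis:names:tc:xacml:1.0:%s-combining-algorithm:first-applicable"

# Constructed sample documents (not from the original post).
POLICY1 = f"""<Policy xmlns="{NS}" PolicyId="policy1" Version="1.0"
    RuleCombiningAlgId="{FIRST % 'rule'}">
  <Target/><Rule RuleId="deny-all" Effect="Deny"/>
</Policy>"""
MASTER = f"""<PolicySet xmlns="{NS}" PolicySetId="MasterPolicy" Version="1.0"
    PolicyCombiningAlgId="{FIRST % 'policy'}">
  <Target/>
  <PolicyIdReference>policy1</PolicyIdReference>
  <PolicyIdReference>policy2</PolicyIdReference>
</PolicySet>"""
MISPLACED = f"""<Policy xmlns="{NS}" PolicyId="Wrapper" Version="1.0"
    RuleCombiningAlgId="{FIRST % 'rule'}">
  <Target/><PolicyIdReference>policy1</PolicyIdReference>
</Policy>"""

def local(el):
    """Element name without the namespace prefix."""
    return el.tag.rsplit("}", 1)[-1]

def check_references(documents):
    """Return a list of problems with policy references across the documents."""
    roots = [ET.fromstring(doc) for doc in documents]
    # IDs that a reference of each kind is allowed to point at.
    known = {"PolicyIdReference": set(), "PolicySetIdReference": set()}
    for root in roots:
        for el in root.iter():
            if local(el) == "Policy":
                known["PolicyIdReference"].add(el.get("PolicyId"))
            elif local(el) == "PolicySet":
                known["PolicySetIdReference"].add(el.get("PolicySetId"))
    problems = []
    for root in roots:
        for parent in root.iter():
            for child in parent:
                kind = local(child)
                if kind not in known:
                    continue
                ref = (child.text or "").strip()
                if local(parent) != "PolicySet":
                    problems.append(f"{kind} '{ref}' sits in <{local(parent)}>, not <PolicySet>")
                if ref not in known[kind]:
                    problems.append(f"{kind} '{ref}' does not resolve to a loaded document")
    return problems
```

Calling `check_references([POLICY1, MASTER, MISPLACED])` returns one message for the unresolved `policy2` and one for the reference placed inside a `Policy`.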

Other tips

In addition to what Yusuf said, you can also use variable definitions. Variable definitions are expressions you can define inside policies and which you can reuse inside rule conditions.

See the XACML specification for more details.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow