XACML restriction policies

StackOverflow https://stackoverflow.com/questions/7663255

  •  07-02-2021
  •  | 
  •  

سؤال

I'm very new to XACML (eXtensible Access Control Markup Language), i'm studying what TSPM (it's a commercial product that makes use of XACML) can do for some business needs.

So i was looking for an answer to this question:

Let's assume i have a website page with 3 links accessed by a user with a certain application profile. Is that possible to create a policy which restricts and manage the "links" (let's say till midnight a certain profile user can see just 2 links instead of three) according some rules?

The main problem is that I can't figure out what a resource is in a XACML assertion, I just found in some documentation this definition:

A resource is anything to which access can be controlled. Examples include XQuery modules and Java methods.

Anyone can help on better understanding with real examples XACML?

Thank you all!

هل كانت مفيدة؟

المحلول

(I'm the technical lead for TSPM, or Tivoli Security Policy Manager for others that aren't familiar with the product).

The use case you're describing is definitely possible. You probably don't need to focus on the raw XACML though - we go to a lot of effort to provide a higher-level user interface for authoring policies.

One way to model this would be to have each link be represented by a different structure point in TSPM's UI, with appropriate policy attached to each. For example, two links could have policy that represents "permit all users at any time" and one link could have "permit when current-time is before midnight".

You would then call our runtime before rendering each link to see if the currently authenticated user should be able to view it. You could also make one call to get a list of currently viewable links if you prefer.

You could use the WebSphere Portal tag library or our Authorization API if you're running on WebSphere. If you're not, it's really easy to build a web service client for most platforms that can call over authorization service using XACML over SOAP. For more information on calling the authorization service, see our public wiki.

Edit:

I realized I didn't really address your question, which is about what a resource is in terms of XACML. As you may know, XACML breaks the request context into four sections: Subject, Resource, Action and Environment. Each of these sections contains zero or more Attributes, each with an identifier and a type. A resource in XACML is simply an attribute, or a combination of attributes, from the Resource section that together uniquely identifies whatever you're protecting.

The spec defines the identifier urn:oasis:names:tc:xacml:1.0:resource:resource-id for this purpose, and it can be of any type but is usually a string or a URI.

In your use case, each link might have a string identifier like "link-1", "link-2" and "link-3". Your policy would use these identifiers, and your application would pass these in when requesting a decision for each link.

نصائح أخرى

In XACML you can write policies that take into account any attributes. Attributes are essentially labels that describe a situation. For instance role, citizenship, age, and clearance are all user attributes. Page URL, classification, and location are attributes of the resource (i.e. what the user is trying to access). You can have attributes about the action (edit, view, delete...) and even about the environment.

In your example, you mention that you want to control access to webpages and that you want to take into account the time of the day. To do that you'd write a XACML policy where you would check the URL page of the page and the time of the day.

In pseudocode, that would be: 

Permit if resource-id=='/pages/MyPage.jsp' AND current-time>09:00AM AND current-time<05:00PM

In ALFA, a shorthand notation for XACML, this would be:

namespace com.stackoverflow.xacml{
import Attributes.*
policy accessPages{
    apply firstApplicable
    rule accessPage1{
        target clause resourceId=="/pages/MyPage.jspx" 
               and currentTime>"09:00:00":time 
               and currentTime<"17:00:00":time
        permit
    }
}
}

The ALFA plugin for Eclipse - a free tool - will generate this into XACML 3.0 code:

<?xml version="1.0" encoding="UTF-8"?>
 <!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). 
 Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://axiomatics.com/alfa/identifier/com.stackoverflow.xacml.accessPages"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
    <xacml3:Description />
    <xacml3:PolicyDefaults>
        <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target />
    <xacml3:Rule 
            Effect="Permit"
            RuleId="http://axiomatics.com/alfa/identifier/com.stackoverflow.xacml.accessPages.accessPage1">
        <xacml3:Description />
        <xacml3:Target>
            <xacml3:AnyOf>
                <xacml3:AllOf>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">/pages/MyPage.jspx</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator 
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                            MustBePresent="false"
                        />
                    </xacml3:Match>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator 
                            AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
                            DataType="http://www.w3.org/2001/XMLSchema#time"
                            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
                            MustBePresent="false"
                        />
                    </xacml3:Match>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator 
                            AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
                            DataType="http://www.w3.org/2001/XMLSchema#time"
                            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
                            MustBePresent="false"
                        />
                    </xacml3:Match>
                </xacml3:AllOf>
            </xacml3:AnyOf>
        </xacml3:Target>
    </xacml3:Rule>
</xacml3:Policy>

Then all you need to do is send the right authorization question/request from your application to the XACML PDP. Essentially what you will ask is:

Can user Alice access page /pages/MyPage.jsp?

The PDP will then reply with either of a Permit, Deny or NotApplicable.

مرخصة بموجب: CC-BY-SA مع الإسناد
لا تنتمي إلى StackOverflow
scroll top