Question

I want to answer questions like "what am I allowed to access?" by using XACML. Is there a workaround other than Axiomatics ARQ?

Solution

I guess you want to ask the question "what are the resources that bob can access?" of the XACML PDP, rather than just hoping for a boolean-type (permit, deny) result. According to the XACML core spec, there is no mention of this type of query. But you can implement it. One way is to use the Multiple Decision Profile. The PEP can send all resources in the system, the actions and the user (bob) to the PDP; the PDP would then respond with multiple XACML results, and the PEP can filter out the permitted resources.

Also, like Axiomatics, there are some XACML implementations that support this feature in their own ways. WSO2 Identity Server, which is an open source XACML engine, also supports this feature. You can find more details from here. Identity Server has introduced a search API that searches all policies and evaluates them to return the accessible resources for a given user.

Also, as mentioned above, you may sometimes implement the same behavior using the Multiple Decision Profile and the Hierarchical Resource Profile. But it depends on your use case. I guess this would help you.
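The PEP-side flow from the answer (send every candidate resource in one request, then keep only the permitted ones), as an added example that is not part of the original answer or of any product's code. It assumes a PDP that implements the XACML 3.0 Multiple Decision Profile's repeated-category form; the user, action, resource paths and the sample response are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"
Q = "{%s}" % NS  # ElementTree's notation for a namespaced tag

def _attributes(parent, category, attr_id, value, echo):
    cat = ET.SubElement(parent, Q + "Attributes", Category=category)
    attr = ET.SubElement(cat, Q + "Attribute", AttributeId=attr_id,
                         IncludeInResult="true" if echo else "false")
    ET.SubElement(attr, Q + "AttributeValue", DataType=STRING).text = value

def build_request(user, action, resources):
    """One subject, one action, one resource category per candidate.
    IncludeInResult makes the PDP echo the resource id into each Result."""
    req = ET.Element(Q + "Request", ReturnPolicyIdList="false", CombinedDecision="false")
    _attributes(req, SUBJECT, SUBJECT_ID, user, echo=False)
    _attributes(req, ACTION, ACTION_ID, action, echo=False)
    for res in resources:
        _attributes(req, RESOURCE, RESOURCE_ID, res, echo=True)
    return ET.tostring(req, encoding="unicode")

def permitted_resources(response_xml):
    """Keep a resource only on an explicit Permit (fail closed)."""
    allowed = []
    for result in ET.fromstring(response_xml).iter(Q + "Result"):
        if result.findtext(Q + "Decision") != "Permit":
            continue  # Deny, NotApplicable and Indeterminate are all dropped
        for attr in result.iter(Q + "Attribute"):
            if attr.get("AttributeId") == RESOURCE_ID:
                allowed.append(attr.findtext(Q + "AttributeValue"))
    return allowed

def _result(decision, res):  # constructed PDP output, not from a real engine
    return ('<Result><Decision>%s</Decision><Attributes Category="%s">'
            '<Attribute AttributeId="%s" IncludeInResult="true">'
            '<AttributeValue DataType="%s">%s</AttributeValue></Attribute>'
            '</Attributes></Result>' % (decision, RESOURCE, RESOURCE_ID, STRING, res))

SAMPLE_RESPONSE = ('<Response xmlns="%s">' % NS + _result("Permit", "/reports/q1")
                   + _result("Deny", "/payroll") + _result("Indeterminate", "/hr/files")
                   + _result("Permit", "/wiki") + "</Response>")

if __name__ == "__main__":
    print(permitted_resources(SAMPLE_RESPONSE))
```

Results are matched to resources through the echoed attribute rather than by position, and anything other than Permit is treated as not accessible.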

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow