XACML Resources

Question

I am trying to write a code that will enable user access of content from a website based on security roles. Thus some users can see all the content, and some can only see urls with certain extensions.

Most of my code works, but I have trouble with the access for the 3 subcategories.

<Rule Effect="Permit" RuleId="accesses">
    <Description>Permission for lower clearance</Description>
    <Target>
        <Resources>
            <Resource>
                <ResourceMatch
                    MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">home.html
                    </AttributeValue>
                    <ResourceAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                        DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="policy-admin@website.com"
                        MustBePresent="true" />
                </ResourceMatch>
            </Resource>
            <Resource>
                <ResourceMatch
                    MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">localweather.html
                    </AttributeValue>
                    <ResourceAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                        DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="policy-admin@website.com"
                        MustBePresent="true" />
                </ResourceMatch>
            </Resource>
            <Resource>
                <ResourceMatch
                    MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">about.html
                    </AttributeValue>
                    <ResourceAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                        DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="policy-admin@website.com"
                        MustBePresent="true" />
                </ResourceMatch>
            </Resource>
        </Resources>
    </Target>
    <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                <SubjectAttributeDesignator AttributeId="AccessLevel"
                    DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="policy-admin@website.com"
                    MustBePresent="true" />
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Clear</AttributeValue>
            </Apply>
        </Apply>
    </ Condition >
</Rule>

I have these 3 resources, and when I run the program, I get an "indeterminate" response. Can I only have 1 resource per rule? Is something else throwing an exception?

Answer 1

You can have tree resources for in target. According to the your rule, they would act as "OR". Please check with your XACML request, may be you are sending request that is not matching with policy (policy has MustBePresent="true it means, if attribute is not there, PDP would create a indeterminate error). Please change them to "false" and see.

Answer 2

It was actually a condition problem. The resources were all leaf-level files. I didn't have the right set of user attribute values for my policy. I compared it against my LDAP schema and got it working.