The following rule says subjects with role "acme_manager" can perform any action on the resource "/acme/widgets":
<Rule Effect="Permit" RuleId="PermitRule">
  <Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/acme/widgets</AttributeValue>
        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">acme_manager</AttributeValue>
        <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
      </Apply>
    </Apply>
  </Condition>
</Rule>
Would it be possible to create a more dynamic rule that says something like: "subjects with the role X_manager can perform any action on the resource /Y/widgets, if X equals Y"?
So I could use the same policy to enforce:
- foo_manager ... /foo/widgets
- bar_manager ... /bar/widgets
- baz_manager ... /baz/widgets
- etc.
without creating multiple, similar policies.
Yes, of course; this is in fact one of the key benefits of XACML over other authorization frameworks and definitely over RBAC.
In XACML, there are 2 elements you can use to define the applicability of the authorization. These are:
- XACML targets
  - targets exist in PolicySet elements, Policy elements, and Rule elements.
  - targets are for simple matching between an attribute and a value, e.g. role=="manager"
- XACML conditions
  - conditions exist in Rule elements only.
  - conditions are for any type of matching, including the one you are looking for. With conditions, you can compare any number of attributes, e.g. userDepartment==resourceDepartment.
I recommend you use ALFA to write your policies. It's much easier than plain old XACML. ALFA is a free tool developed by Axiomatics (disclaimer: I work for Axiomatics). It is also in the process of being standardized at the OASIS XACML Technical Committee.
I think there are 2 ways to do this:
- Define two "VariableDefinition"s in your policy: one to get the part before the underscore character, the other to get the part between the last two slash characters [I wonder if XACML's core spec has defined such a function]. Then you can use the two "VariableDefinition"s under the "Rule", and use a standard string-equal function to compare them.
- Just define a new function of your own, and add it to the FunctionFactory that your PDP uses.
These two approaches are the same: you need to apply a specified function to some attribute instead of using the raw AttributeValue directly.
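The following is an added example, not code from the question or either answer. It models, in Python, what the comparison described by both answers has to compute: the first answer's "compare two attributes in a Condition" and the second answer's "custom function registered with the PDP's FunctionFactory". The evaluator takes the two attribute bags from the question's policy (role and resource-id), extracts X from "X_manager" and Y from "/Y/widgets", and returns the rule's decision. The attribute ids are the ones in the question; everything else (the `Request` class, the regular expressions, the function names) is assumed for the example. Two details a real PDP also has to get right are shown: attributes are bags (a subject may carry several roles, and `string-is-in` would match any of them), and `MustBePresent="true"` turns a missing attribute into Indeterminate rather than a quiet NotApplicable.

```python
"""Constructed model of a dynamic "X_manager may act on /X/widgets" rule.

Hypothetical example code; it is not a XACML PDP and not part of the
question or answers. It only shows the semantics such a condition, or a
custom function plugged into a PDP's FunctionFactory, would implement.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Decisions a Permit rule can produce once its condition is evaluated.
PERMIT = "Permit"
NOT_APPLICABLE = "NotApplicable"
INDETERMINATE = "Indeterminate"

# Attribute ids exactly as used in the policy in the question.
ROLE_ATTR = "http://wso2.org/claims/role"
RESOURCE_ID_ATTR = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"

# Anchored patterns (assumed for the example): the tenant name may only
# contain letters, digits and hyphens, so "foo" never matches "/foobar/..."
# and "foo_manager_x" is not treated as a manager role.
ROLE_RE = re.compile(r"^(?P<tenant>[A-Za-z0-9-]+)_manager$")
RESOURCE_RE = re.compile(r"^/(?P<tenant>[A-Za-z0-9-]+)/widgets$")


@dataclass
class Request:
    """Minimal stand-in for a XACML request: every attribute is a bag."""
    subject: Dict[str, List[str]] = field(default_factory=dict)
    resource: Dict[str, List[str]] = field(default_factory=dict)


def tenant_from_role(role: str) -> Optional[str]:
    """'acme_manager' -> 'acme'; None when the role is not a manager role."""
    m = ROLE_RE.match(role)
    return m.group("tenant") if m else None


def tenant_from_resource(resource_id: str) -> Optional[str]:
    """'/acme/widgets' -> 'acme'; None when the path is not a widgets path."""
    m = RESOURCE_RE.match(resource_id)
    return m.group("tenant") if m else None


def evaluate(req: Request) -> str:
    """Decision of a Permit rule whose condition is 'X == Y'."""
    roles = req.subject.get(ROLE_ATTR, [])
    resources = req.resource.get(RESOURCE_ID_ATTR, [])

    # MustBePresent="true": an empty bag is an error, not a mismatch.
    if not roles or not resources:
        return INDETERMINATE

    # A request names one resource; mirror string-one-and-only, which
    # errors on a bag that does not contain exactly one value.
    if len(resources) != 1:
        return INDETERMINATE

    y = tenant_from_resource(resources[0])
    if y is None:
        return NOT_APPLICABLE

    # Bag semantics, as with string-is-in: any matching role suffices.
    for role in roles:
        x = tenant_from_role(role)
        if x is not None and x == y:
            return PERMIT
    return NOT_APPLICABLE


if __name__ == "__main__":
    # Constructed sample requests.
    ok = Request({ROLE_ATTR: ["viewer", "bar_manager"]},
                 {RESOURCE_ID_ATTR: ["/bar/widgets"]})
    wrong_tenant = Request({ROLE_ATTR: ["foo_manager"]},
                           {RESOURCE_ID_ATTR: ["/bar/widgets"]})
    print(evaluate(ok), evaluate(wrong_tenant))
```

Note that a false condition makes the rule NotApplicable, not Deny; whether the overall answer is Deny then depends on the combining algorithm of the enclosing policy, so pair a rule like this with a fail-closed algorithm such as deny-unless-permit rather than relying on the rule alone.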
Source: https://stackoverflow.com/questions/22262647/is-it-possible-to-compare-attributes-in-a-xacml-policy