Is there a way to generate the Advice or Obligation string returned in the XACML response dynamically, i.e. dependent on the attributes used in the evaluation (e.g. environment attributes such as the current time)?
For example, through an extension which implements the logic.
In XACML 3.0, Obligation and Advice elements can contain attribute assignments. Attribute assignments are placeholders that can be filled in with a static value or a dynamic value, e.g. a value taken from another XACML attribute present in (or resolved for) the request at evaluation time. For instance, we could have the following (using ALFA notation, the Abbreviated Language for Authorization from Axiomatics):
// Obligation declaration: the quoted string is the ObligationId the PEP sees in the
// XACML response; notifyManager is only the ALFA-side name used to reference it below.
obligation notifyManager = "com.axiomatics.examples.notification.notifyManager"
// Deny-only policy: first-applicable with a single Deny rule and no Permit rule, so a
// request that does not match the rule falls through to NotApplicable.
policy accessDocs{
apply firstApplicable
// Matches outside 09:00:00 to 17:00:00. Both comparisons are strict, so exactly
// 09:00:00 or 17:00:00 is NOT denied.
// NOTE(review): the time literals carry no timezone; confirm that the currentTime the
// deployed PDP supplies is comparable with them (zoned vs unzoned xs:time ordering is
// only partially defined).
rule denyOutOfOffice{
target clause currentTime>"17:00:00":time or currentTime<"09:00:00":time
deny
// Obligation returned together with the Deny decision, carrying two attribute
// assignments: a static message, and the manager's email read from a subject
// attribute of the request (the dynamic placeholder). The generated XACML uses
// MustBePresent="false" for that designator, so if the attribute is absent the
// assignment is simply not produced and the PEP gets the obligation with no recipient.
on deny{
obligation notifyManager{
com.axiomatics.examples.message = "You cannot access anything outside office hours"
com.axiomatics.examples.user.managerEmail = com.axiomatics.examples.user.managerEmail
}
}
}
}
In this example, the obligation has 2 placeholders: `com.axiomatics.examples.message`, filled with a static string, and `com.axiomatics.examples.user.managerEmail`, filled dynamically from the corresponding subject attribute of the request at evaluation time. You can also use functions in placeholders, e.g. string concatenation, to build the value from several attributes.
The XACML generated from that ALFA source looks as follows:
<?xml version="1.0" encoding="UTF-8"?>
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).
Any modification to this file will be lost upon recompilation of the source ALFA file-->
<!-- Review notes: this file is generated from the ALFA source above, so comments added here are lost
     on recompilation; keep durable notes in the ALFA file. Structure: one Deny rule under first-applicable
     and no Permit rule, so a request inside office hours yields NotApplicable, not Permit. -->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicyId="http://axiomatics.com/alfa/identifier/example.accessDocs"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<xacml3:Description />
<!-- Emitted by the generator; nothing in this policy uses XPath (no AttributeSelector). -->
<xacml3:PolicyDefaults>
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
</xacml3:PolicyDefaults>
<!-- Empty policy Target: the policy applies to every request; the rule's Target does the filtering. -->
<xacml3:Target />
<!-- Rule target = (current-time after 17:00:00) OR (current-time before 09:00:00): two AllOf alternatives
     inside one AnyOf. A Match applies MatchId(AttributeValue, value) to each value in the designator's bag,
     so the literal is the FIRST argument: time-less-than(17:00:00, current-time) means current-time is
     after 17:00:00. Both comparisons are strict. -->
<xacml3:Rule
Effect="Deny"
RuleId="http://axiomatics.com/alfa/identifier/example.accessDocs.denyOutOfOffice">
<xacml3:Description />
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<!-- Alternative 1: after 17:00:00. -->
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:time-less-than">
<!-- NOTE(review): the literal has no timezone. If the PDP supplies current-time with a zone offset,
     xs:time ordering between zoned and unzoned values is only partially defined; confirm how the deployed
     PDP evaluates it, or give the literal an explicit offset. -->
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</xacml3:AttributeValue>
<!-- MustBePresent="false": if current-time were absent the bag is empty, the Match does not match and this
     Deny rule is skipped (fail open for this rule). XACML expects the context handler to supply current-time,
     so this is normally fine; verify the PDP in use actually does so. -->
<xacml3:AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
DataType="http://www.w3.org/2001/XMLSchema#time"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
MustBePresent="false"
/>
</xacml3:Match>
</xacml3:AllOf>
<xacml3:AllOf>
<!-- Alternative 2: before 09:00:00. Same timezone and MustBePresent remarks as above. -->
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
DataType="http://www.w3.org/2001/XMLSchema#time"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
MustBePresent="false"
/>
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
<!-- Returned only when this rule's effect (Deny) becomes the decision. The decision is Deny regardless of
     whether the PEP can discharge it; what the obligation adds is the side effect, so a PEP that cannot
     fulfil it should log or alert rather than silently drop it. -->
<xacml3:ObligationExpressions>
<xacml3:ObligationExpression ObligationId="com.axiomatics.examples.notification.notifyManager"
FulfillOn="Deny">
<!-- Static placeholder. The Category here is optional metadata on the assignment and does not affect
     evaluation; the generator picked the environment category. -->
<xacml3:AttributeAssignmentExpression AttributeId="com.axiomatics.examples.message" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">You cannot access anything outside office hours</xacml3:AttributeValue>
</xacml3:AttributeAssignmentExpression>
<!-- Dynamic placeholder: filled from the access-subject attribute at evaluation time (the ALFA name
     com.axiomatics.examples.user.managerEmail maps to this wire id, presumably via an attribute
     declaration not shown here). With MustBePresent="false" a missing attribute gives an empty bag and,
     per XACML 3.0, no AttributeAssignment is produced: the obligation is still returned, but without a
     recipient. Use MustBePresent="true" if a missing manager email should instead make the evaluation
     Indeterminate, and have the PEP treat an obligation lacking this assignment as unfulfillable. -->
<xacml3:AttributeAssignmentExpression AttributeId="com.axiomatics.examples.user.manager.email" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<xacml3:AttributeDesignator
AttributeId="com.axiomatics.examples.user.manager.email"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"
/>
</xacml3:AttributeAssignmentExpression>
</xacml3:ObligationExpression>
</xacml3:ObligationExpressions>
</xacml3:Rule>
</xacml3:Policy>