The XACML 3.0 specs state that for <Match> evaluation "the MatchId function SHALL be applied between the <AttributeValue> and each element of the bag returned from the <AttributeDesignator> or <AttributeSelector> element." (7.6 Match evaluation)
In the case that, for example, the attribute access-subject / subject-id returns a bag with more than one value, one should iterate over these members until the matching function returns true. This is clear and obvious. Now consider the case where the <AllOf> element has two <Match>es, as in conformance test IIA007Policy.xml (see below). It has a Match on access-subject / subject-id being equal to "Julius Hibbert" and a Match on access-subject / some-attribute being equal to "riddle me this".
Now assume that in a request there are two attributes having multiple members; how should the match be evaluated now? Attribute1 has bag [1, 2, 3] and attribute2 has bag [a, b]. One can start processing the members from the first attribute until a true is returned and then continue with processing the next attribute etc., but that would not cover all possible outcomes. Or should the matching functions be simultaneously applied to all combinations of the members from the two bags [{1,a},{1,b},{2,a},{2,b},{3,a},{3,b}]? With large bags and/or many attributes, this will lead to a large set of combinations to process!
The specs, as far as I know, give no clue how the situation is handled in case two or more attributes return bags with multiple members within the same <AllOf> element. My questions are:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA007:policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0" xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:policy:schema:os access_control-xacml-2.0-policy-schema-os.xsd">
<Description>
Policy for Conformance Test IIA007.
</Description>
<Target/>
<Rule Effect="Permit" RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA007:rule">
<Description>
Julius Hibbert can read or write Bart Simpson's medical record.
</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Julius Hibbert</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">riddle me this</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:some-attribute" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/BartSimpson</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
</Policy>
If you have a policy that states (using ALFA notation):
policy example{
target clause role == "manager" and department == "sales"
apply firstApplicable
rule allow{
permit
}
}
If the request you send contains 2 values for role ("manager" and "employee") and 3 values for department ("sales", "engineering", "finance"), then the response will be Permit. In plain old English, your question would be "Can the user who happens to be a manager and an employee and who belongs to the sales, engineering, and finance departments do X?"
The way the policy will be evaluated is that each match will be handled one after the other, independently:
It does not matter that there is an AllOf (or an AnyOf). Each match is first handled independently. The spec is quite clear on that.
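The evaluation the answer describes, as an added example that is not code from the question, the answer or any XACML product: a small Python evaluator for the IIA007 <Target> quoted in the question, applying sections 7.6 and 7.7 literally. Each <Match> is tested against its own bag (stopping at the first element that matches, as the question already expects), and AllOf / AnyOf / Target then combine the per-Match truth values with the spec's three-valued tables (True, False, Indeterminate). Because the bags are never combined, the number of match-function applications is bounded by the sum of the bag sizes, not by the product of them that the question worries about. The request bags, the CALLS counter and the helper names (evaluate_match, all_true, any_true, evaluate_target, run) are constructed for illustration and are assumptions, not spec terms.

```python
"""Added example: XACML 3.0 <Target> evaluation (7.6 / 7.7) over multi-valued
attribute bags.  Not code from the question, the answer or any XACML product;
the request bags below are constructed test data."""
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
FN = "urn:oasis:names:tc:xacml:1.0:function:"
SUBJ = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RES = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"

# Only the two match functions the IIA007 target uses; first argument is the
# <AttributeValue>, second is one element of the designated bag (7.6).
MATCH_FUNCTIONS = {FN + "string-equal": lambda a, b: a == b,
                   FN + "anyURI-equal": lambda a, b: a == b}
CALLS = {"n": 0}        # counts match-function applications (illustration only)
INDETERMINATE = None    # third truth value next to True and False

def evaluate_match(match, request):
    """7.6: apply MatchId between <AttributeValue> and each bag element.
    True as soon as one element matches, False if none does (or the bag is
    empty), Indeterminate only when MustBePresent="true" and the bag is empty."""
    fn = MATCH_FUNCTIONS[match.get("MatchId")]
    value = match.find("x:AttributeValue", NS).text
    desig = match.find("x:AttributeDesignator", NS)
    bag = request.get((desig.get("Category"), desig.get("AttributeId")), [])
    if not bag and desig.get("MustBePresent") == "true":
        return INDETERMINATE
    for item in bag:
        CALLS["n"] += 1
        if fn(value, item):
            return True
    return False

def all_true(results):
    """7.7 AllOf / Target: False if any False; else Indeterminate if any; else True."""
    results = list(results)
    if any(r is False for r in results):
        return False
    return INDETERMINATE if any(r is INDETERMINATE for r in results) else True

def any_true(results):
    """7.7 AnyOf: True if any True; else Indeterminate if any; else False."""
    results = list(results)
    if any(r is True for r in results):
        return True
    return INDETERMINATE if any(r is INDETERMINATE for r in results) else False

def evaluate_target(target_xml, request):
    """Every <Match> is evaluated on its own bag; AllOf/AnyOf only combine the
    resulting truth values, so no cross product of bags is ever built."""
    CALLS["n"] = 0
    target = ET.fromstring(target_xml)
    return all_true(
        any_true(
            all_true(evaluate_match(m, request)
                     for m in allof.findall("x:Match", NS))
            for allof in anyof.findall("x:AllOf", NS))
        for anyof in target.findall("x:AnyOf", NS))

# The Rule <Target> of conformance test IIA007, as quoted in the question.
IIA007_TARGET = """<Target xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<AnyOf><AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Julius Hibbert</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">riddle me this</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:some-attribute" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf></AnyOf>
<AnyOf><AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/BartSimpson</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="true"/>
</Match>
</AllOf></AnyOf>
<AnyOf>
<AllOf><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match></AllOf>
<AllOf><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match></AllOf>
</AnyOf>
</Target>"""

# Constructed request: both subject attributes are multi-valued bags.
REQUEST = {
    (SUBJ, "urn:oasis:names:tc:xacml:1.0:subject:subject-id"):
        ["Homer Simpson", "Julius Hibbert", "Bart Simpson"],
    (SUBJ, "urn:oasis:names:tc:xacml:2.0:conformance-test:some-attribute"):
        ["riddle me this", "riddle me that"],
    (RES, "urn:oasis:names:tc:xacml:1.0:resource:resource-id"):
        ["http://medico.com/record/patient/BartSimpson"],
    (ACT, "urn:oasis:names:tc:xacml:1.0:action:action-id"): ["write"],
}

def run(request=REQUEST):
    """Return (target result, number of match-function applications)."""
    return evaluate_target(IIA007_TARGET, request), CALLS["n"]

if __name__ == "__main__":
    print(run())    # (True, 6): 2 + 1 + 1 + 1 + 1 applications, not 3 * 2 pairs
```

For the constructed request the target is True after six match-function applications (two on the subject-id bag, one on each of the other four Match elements), whereas the cross product of just the two subject bags would already be six pairs. Removing "Julius Hibbert" from the subject-id bag makes that Match False and hence the whole Target False; emptying the some-attribute bag makes its Match Indeterminate because of MustBePresent="true", and the three-valued tables carry that Indeterminate up through AllOf, AnyOf and Target instead of quietly turning it into a False / NotApplicable.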