Tags: authorization, xacml, abac, xacml3, alfa

XACML combining PIPs in policy


I'm new to XACML architecture and would appreciate it if you could help me with the following question.

Is it possible to use multiple PIPs in such a way that the answer extracted from one PIP is used as an input parameter for another PIP?

If so, can you provide me with a simple XML request example?

Thanks in advance


Solution

  • Yes, it is possible to use multiple PIPs in a way that an attribute resolved by a PIP can be used as an input to another PIP.

    Based on XACML architecture, it's up to the PDP to decide how to resolve attributes using PIPs.

    How it works on a high level:

    1. The input request (from the PEP) to the PDP contains an attribute, say Subject-ID=Alice.
    2. The PDP evaluates the XACML policy based on the attributes from the input request. E.g., the policy says permit if Action-ID=Read.
    3. Since there is no Subject-ID defined in the policy, the PDP tries to ask a PIP or PIPs to resolve Action-ID and provides the PIPs the value it has, which is Subject-ID (from the input request). E.g., let's say we have 2 PIPs - PIP A can resolve resource-ID from Subject-ID and PIP B can resolve Action-ID from resource-ID.
    4. Here, what happens is the PDP first resolves resource-ID based on the Subject-ID from the input request using PIP A and then uses resource-ID to resolve Action-ID using PIP B, which is then utilized by the PDP to evaluate the policy. If PIP B returns Alice, you get a permit decision; else it would be NotApplicable.

    Note that this depends on how PDP is implemented to resolve attributes using chained PIPs as in your use case.

    PDP from a company called Axiomatics is capable of performing a chained PIP lookup.

    Disclosure: I work for Axiomatics, where we provide XACML-based access control solutions.
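The chained lookup described in the answer, as an added example that is not part of the question or the answer (and not Axiomatics code): a toy PDP that parses a constructed XACML 3.0 request carrying only a subject-id, notices that the policy needs action-id, and resolves it by first asking PIP A (subject-id to resource-id) and then PIP B (resource-id to action-id). The `PIP` interface (`provides`/`requires`/`lookup`), the `PDP.resolve` chaining algorithm and the lookup tables are all hypothetical constructions for this example; the attribute identifiers and the request namespace are the standard XACML 1.0/3.0 ones. It goes slightly beyond the answer by resolving dependencies generically (any depth of chain, with a guard against a cycle of PIPs) and by returning a trail of which PIP was consulted with which key, which is the kind of audit record you want when a decision depends on data the PEP never sent.

```python
"""Toy XACML-style PDP with chained PIP attribute resolution (added example)."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Constructed XACML 3.0 request: the PEP only knows the subject, Alice.
REQUEST_XML = f"""<Request xmlns="{XACML_NS}" CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="{SUBJECT_ID}" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</AttributeValue>
    </Attribute>
  </Attributes>
</Request>"""


def parse_request(xml_text):
    """Flatten the request into {AttributeId: value}. Categories are dropped to keep the toy small."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(f"{{{XACML_NS}}}Attribute"):
        value = attr.find(f"{{{XACML_NS}}}AttributeValue")
        attrs[attr.get("AttributeId")] = value.text
    return attrs


class PIP:
    """Hypothetical PIP interface: declares the attribute it provides and the one it needs as a key."""

    def __init__(self, name, provides, requires, table):
        self.name, self.provides, self.requires, self.table = name, provides, requires, table

    def lookup(self, key):
        return self.table.get(key)  # None means "this PIP cannot resolve that key"


# Constructed PIP data: PIP A maps subject -> resource, PIP B maps resource -> action.
PIP_A = PIP("A", RESOURCE_ID, SUBJECT_ID, {"Alice": "doc-42", "Bob": "doc-7"})
PIP_B = PIP("B", ACTION_ID, RESOURCE_ID, {"doc-42": "Read", "doc-7": "Write"})


class PDP:
    def __init__(self, pips):
        self.pips = {p.provides: p for p in pips}  # attribute id -> the PIP that can supply it

    def resolve(self, attr_id, attrs, trail, depth=0):
        """Return attr_id's value, chaining through PIPs as needed; None if it cannot be resolved."""
        if attr_id in attrs:
            return attrs[attr_id]
        pip = self.pips.get(attr_id)
        if pip is None or depth > len(self.pips):  # no provider, or PIPs depend on each other in a cycle
            return None
        key = self.resolve(pip.requires, attrs, trail, depth + 1)  # resolve the PIP's own input first
        if key is None:
            return None
        value = pip.lookup(key)
        trail.append((pip.name, key, value))  # audit record: which PIP, queried with what, answered what
        if value is not None:
            attrs[attr_id] = value  # cache so a second reference in the policy does not call the PIP again
        return value

    def evaluate(self, request_xml):
        """Policy from the answer: Permit if action-id == Read, otherwise NotApplicable."""
        attrs = parse_request(request_xml)
        trail = []
        action = self.resolve(ACTION_ID, attrs, trail)
        decision = "Permit" if action == "Read" else "NotApplicable"
        return decision, trail


if __name__ == "__main__":
    decision, trail = PDP([PIP_A, PIP_B]).evaluate(REQUEST_XML)
    for name, key, value in trail:
        print(f"PIP {name}: {key!r} -> {value!r}")
    print("Decision:", decision)
```

Running it with the Alice request prints the A-then-B trail and a Permit; swapping in a subject that PIP A does not know yields an empty action-id and therefore NotApplicable rather than an error, which matches the fail-closed behaviour the answer describes.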