Tags: xacml, xacml3, alfa, pdp, authzforce

Compare two multi-element attributes in XACML policy


Consider a subject and object both having a label defined as follows:

subject/object label = [i1, i2, ..., in], where i is some subjectId of another subject.

In a policy (ALFA/XACML), how can I perform a comparison against the subject and object label such that no elements in either list are the same?

For example:

subject_label = [i2, i4, i9]
object_label  = [i1, i3, i7, i9]

The resulting decision would be DENY as both labels contain i9. If no match was found in any list, then the access result would be PERMIT.


Solution

  • What you are looking to use is stringAtLeastOneMemberOf (or equivalent for other datatypes). This function takes in 2 parameters:

    It returns true if there is at least one value in the first bag equal to one value in the second bag. For strings, the comparison is case-sensitive.

    namespace com.axiomatics{
        /**
         * This policy checks the contents of the user label and the resource label.
         * It will deny access if there is at least one value in the user label equal to at least
         * one value in the resource label.
         */
        policy denyIfSameContent{
            apply firstApplicable
            /**
             * This rule will deny access if user.label contains at least 1 value that is also present
             * in object.label 
             */
            rule denyIfSameContent{
                deny
                condition stringAtLeastOneMemberOf(user.label, object.label)
            }
        }
    }
    

    And here is the XACML/XML representation:

    <?xml version="1.0" encoding="UTF-8"?><!--This file was generated by the 
        ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). --><!--Any modification to this file will 
        be lost upon recompilation of the source ALFA file -->
    <xacml3:Policy
        xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.denyIfSameContent"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        Version="1.0">
        <xacml3:Description>This policy checks the contents of the user
            label and the resource label.&#13;
            It will deny access if there is at least one value in the user label
            equal to at least&#13;
            one value in the resource label.
        </xacml3:Description>
        <xacml3:PolicyDefaults>
            <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
            </xacml3:XPathVersion>
        </xacml3:PolicyDefaults>
        <xacml3:Target />
        <xacml3:Rule Effect="Deny"
            RuleId="com.axiomatics.denyIfSameContent.denyIfSameContent">
            <xacml3:Description>This rule will deny access if user.label contains
                at least 1 value that is also present&#13;
                in object.label
            </xacml3:Description>
            <xacml3:Target />
            <xacml3:Condition>
                <xacml3:Apply
                    FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                    <xacml3:AttributeDesignator
                        AttributeId="com.axiomatics.user.label"
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        MustBePresent="false" />
                    <xacml3:AttributeDesignator
                        AttributeId="com.axiomatics.object.label"
                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        MustBePresent="false" />
                </xacml3:Apply>
            </xacml3:Condition>
        </xacml3:Rule>
    </xacml3:Policy>
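The evaluation of that rule, modelled in Python as an added example (not the answer's code nor any PDP's): it implements the string-at-least-one-member-of semantics over bags, first-applicable combining, and the empty-bag case that MustBePresent="false" produces when an attribute is absent from the request. It also shows that with only a Deny rule the no-overlap case yields NotApplicable rather than the Permit the question asks for; the trailing catch-all permit rule in the second rule list is an assumption added here to obtain that Permit.

```python
from typing import Callable, Dict, Iterable, List, Tuple

Bag = List[str]
Request = Dict[str, Bag]
Rule = Tuple[str, Callable[[Request], bool]]   # (effect, condition)


def string_at_least_one_member_of(bag1: Iterable[str], bag2: Iterable[str]) -> bool:
    """XACML urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of:
    true if any value of bag1 equals (case-sensitively) a value of bag2.
    An empty bag on either side therefore gives false."""
    second = set(bag2)
    return any(value in second for value in bag1)


def designator(attribute_id: str) -> Callable[[Request], Bag]:
    """Models an AttributeDesignator with MustBePresent="false":
    a missing attribute is an empty bag, not an Indeterminate."""
    return lambda req: req.get(attribute_id, [])


user_label = designator("com.axiomatics.user.label")
object_label = designator("com.axiomatics.object.label")

# The answer's policy: a single Deny rule under first-applicable.
DENY_ONLY_RULES: List[Rule] = [
    ("Deny", lambda req: string_at_least_one_member_of(user_label(req), object_label(req))),
]

# Assumed variant (not in the answer): a catch-all Permit after the Deny rule.
DENY_THEN_PERMIT_RULES: List[Rule] = DENY_ONLY_RULES + [("Permit", lambda req: True)]


def first_applicable(rules: List[Rule], req: Request) -> str:
    """urn:...:rule-combining-algorithm:first-applicable with conditions only."""
    for effect, condition in rules:
        if condition(req):
            return effect
    return "NotApplicable"   # no rule applied; this is not a Permit


def evaluate(rules: List[Rule], subject_label: Bag, resource_label: Bag) -> str:
    # Constructed request carrying the two label attributes from the policy.
    req: Request = {
        "com.axiomatics.user.label": subject_label,
        "com.axiomatics.object.label": resource_label,
    }
    return first_applicable(rules, req)


if __name__ == "__main__":
    print(evaluate(DENY_ONLY_RULES, ["i2", "i4", "i9"], ["i1", "i3", "i7", "i9"]))  # Deny
    print(evaluate(DENY_ONLY_RULES, ["i2", "i4"], ["i1", "i3", "i7", "i9"]))        # NotApplicable
```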