XACML allows us to specify <Target> tag in both <Policy> as well as in <Rule> tags.
What I would like to understand is that:
Any help in this regard would be appreciated. Thanks.
You can have a Target in PolicySet, Policy, and Rule. They all achieve the same thing i.e. restrict the scope of the element (PolicySet, Policy, or Rule).
Your question should be more around why the three elements? It's actually a way to divide and conquer your authorization challenge. Imagine you're tackling authorization for an entire bank. You might have a policy set that focuses on the retail part of the bank and another that focuses on the commercial side of the bank. You would have an attribute in the target of the PolicySet element that would distinguish between retail and commercial.
Inside the retail bank PolicySet you could have another series of policy sets or maybe just policies where the Target would distinguish between different applications. Inside each Policy element you could have Rule elements that would have targets that would distinguish between functions of the applications.
HTH
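The bank layout described in the answer above, as an added example that is not part of the original answer: a simplified Python model (not a XACML engine) showing how a Target at each level narrows which requests reach the levels below it. The attribute names (`division`, `application`, `function`), the element ids, the root `bank` policy set, equality-only matching and first-applicable combining are all assumptions made for illustration; real XACML also has Conditions, Indeterminate results and other combining algorithms.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    id: str
    effect: str                                   # "Permit" or "Deny"
    target: dict = field(default_factory=dict)

@dataclass
class Policy:
    id: str
    target: dict = field(default_factory=dict)    # empty Target matches every request
    children: list = field(default_factory=list)  # Rules (or nested policies in a PolicySet)

class PolicySet(Policy):
    """Same shape as Policy; its children are Policy or PolicySet objects."""

def matches(target, request):
    # Simplification: every attribute named in the Target must equal the request value.
    return all(request.get(attr) == value for attr, value in target.items())

def evaluate(node, request, path=()):
    """Return (decision, ids of the elements whose Targets matched on the deciding branch)."""
    if not matches(node.target, request):
        return "NotApplicable", ()                # out of scope: children are never examined
    path = path + (node.id,)
    if isinstance(node, Rule):
        return node.effect, path
    for child in node.children:                   # first-applicable combining (assumption)
        decision, matched = evaluate(child, request, path)
        if decision != "NotApplicable":
            return decision, matched
    return "NotApplicable", ()

# Constructed sample hierarchy: division -> application -> function.
BANK = PolicySet("bank", {}, [
    PolicySet("retail", {"division": "retail"}, [
        Policy("online-banking", {"application": "online-banking"}, [
            Rule("view-balance", "Permit", {"function": "view-balance"}),
            Rule("wire-transfer", "Deny", {"function": "wire-transfer"}),
        ]),
    ]),
    PolicySet("commercial", {"division": "commercial"}, [
        Policy("trade-finance", {"application": "trade-finance"}, [
            Rule("issue-letter-of-credit", "Permit", {"function": "issue-letter-of-credit"}),
        ]),
    ]),
])
```

A request whose `division` is `commercial` never reaches the retail rules, even when its `application` and `function` values would match them, because the outer Target fails first.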