Tags: access-control, policy, xacml, abac, authzforce

How to do logical AND for Rule combining for XACML


My scenario is I have a Policy with several rules and all the rules need to be true for the policy to be true. For example:

Policy A
       - Rule 1
       - Rule 2
       - Rule 3

For Policy A to be applicable, I need all three Rules to return true, and if even one of them returns false, it should go check the other policies in my policyset.

What I have right now is:

<!-- shortened for brevity -->
<Policy RuleCombiningAlgId="...:deny-overrides">
         <Rule RuleId="1" Effect="Permit">
                ...
         </Rule>
         <Rule RuleId="2" Effect="Permit">
                ...
         </Rule>
         <Rule RuleId="3" Effect="Permit">
                ...
         </Rule>
</Policy>

I think my problem is that none of my rules return "Deny", but I initially thought that if it's not Permit, it should be Deny. I thought of putting a NOT on all of my rules, but that would make it inelegant.

If it's relevant, I am using the Authzforce library.


Solution

  • all the rules need to be true for the policy to be true

    In terms of XACML, I guess you mean: the Policy must return Permit if and only if all Rules inside return Permit. I can't think of any rule combining algorithm in the XACML standard that simply does that. So I suggest two options:

    Option A: Wrap each Rule in a deny-unless-permit Policy, and use permit-unless-deny at the top level (Policy A becomes PolicySet A).

        <?xml version="1.0" encoding="utf-8"?>
        <PolicySet PolicySetId="A" PolicyCombiningAlgId="...:permit-unless-deny">
             <Policy RuleCombiningAlgId="...:deny-unless-permit">
               <Rule RuleId="1" Effect="Permit">
                    ...
               </Rule>
             </Policy>
             <Policy RuleCombiningAlgId="...:deny-unless-permit">
               <Rule RuleId="2" Effect="Permit">
                    ...
               </Rule>
             </Policy>
             <Policy RuleCombiningAlgId="...:deny-unless-permit">
               <Rule RuleId="3" Effect="Permit">
                    ...
               </Rule>
             </Policy>
        </PolicySet>
    

    In this case, PolicySet A returns Permit if and only if (iff) no Policy returns Deny (by definition of the permit-unless-deny algorithm). Since each Policy returns Permit iff the Rule returns Permit, else Deny (by definition of the deny-unless-permit algorithm), this is equivalent to: Policy A returns Permit iff all Policies return Permit, i.e. iff all Rules return Permit.

    Option B: Implement a new Combining Algorithm extension for AuthzForce.
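As an added illustration (not part of the question or answer, and not AuthzForce code), the following Python model of the three combining algorithms involved shows why deny-overrides over Permit-only Rules does not give the AND the question asks for, and why the nested construction of Option A does. Rule Conditions are replaced by constructed predicates over hypothetical request attributes (role, action, shift), and the Indeterminate variants of the standard are collapsed into a single Indeterminate value.

```python
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

def deny_overrides(decisions):
    """Simplified deny-overrides: Deny wins, then Indeterminate, then Permit, else NotApplicable."""
    if DENY in decisions:
        return DENY
    if INDETERMINATE in decisions:
        return INDETERMINATE
    return PERMIT if PERMIT in decisions else NOT_APPLICABLE

def permit_unless_deny(decisions):
    """Permit unless some child returns Deny; never yields NotApplicable or Indeterminate."""
    return DENY if DENY in decisions else PERMIT

def deny_unless_permit(decisions):
    """Deny unless some child returns Permit; never yields NotApplicable or Indeterminate."""
    return PERMIT if PERMIT in decisions else DENY

def evaluate_rule(condition, request, effect=PERMIT):
    """A Rule yields its Effect when its Condition holds, NotApplicable when it
    does not, and Indeterminate when the Condition cannot be evaluated."""
    try:
        return effect if condition(request) else NOT_APPLICABLE
    except (KeyError, TypeError):
        return INDETERMINATE

def policy_a_as_written(rules, request):
    """The layout in the question: one Policy, deny-overrides over three Permit Rules."""
    return deny_overrides([evaluate_rule(c, request) for c in rules])

def policy_a_option_a(rules, request):
    """Option A: each Rule wrapped in a deny-unless-permit Policy, all combined with permit-unless-deny."""
    wrapped = [deny_unless_permit([evaluate_rule(c, request)]) for c in rules]
    return permit_unless_deny(wrapped)

# Constructed stand-ins for the three Rules' elided Conditions (hypothetical attributes).
RULES = [
    lambda r: r["role"] == "doctor",
    lambda r: r["action"] == "read",
    lambda r: r["shift"] == "on-duty",
]

if __name__ == "__main__":
    off_duty = {"role": "doctor", "action": "read", "shift": "off-duty"}
    print(policy_a_as_written(RULES, off_duty))  # Permit: deny-overrides skips NotApplicable
    print(policy_a_option_a(RULES, off_duty))    # Deny: the AND the question asks for
```

Note that Option A turns a failing or unevaluable Rule into Deny rather than NotApplicable, so whether the enclosing PolicySet goes on to check its other Policies depends on that PolicySet's own combining algorithm.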