[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: XACML Request with multiple subjects of the same attributeID?
We're considering the use of XACML to manage access control for some of our web services. I'm wondering if the XACML specification can support a scenario where a request contains multiple subject attributes of the same type. Specifically, a list of all the LDAP groups the user is a member of. When we receive a request with a username/password, and we build the XACML request, we'd like to do an LDAP query on the user that gets a list of all the LDAP groups they are a member of and put them in the XACML request. Then, the XACML policy would evaluate the request, and have a definition of what specific group the user needs to be a member of to access the single resource they are requesting. The presumption is that only one LDAP group permits access to a given resource, but that when generating the XACML request you don't know which one it is. So we'd like to send all groups the user is a member of and let the PDP figure out if the request is authorized or not.

If XACML is not designed to work like this, maybe there is a better way to handle this scenario? I've read about some folks mapping their groups to generic names, but I don't think it would work for us since we have a very large number of groups already mapped to resources on another access control platform.

For example, I'm wondering if you could do something like the following request (files attached in case formatting gets all messed up):

    <Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <Subject>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>michael</AttributeValue>
        </Attribute>
        <Attribute AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>users</AttributeValue>
        </Attribute>
        <Attribute AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>administrators</AttributeValue>
        </Attribute>
        <Attribute AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>backupOperators</AttributeValue>
        </Attribute>
      </Subject>
      <Resource>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>/service/Address/URI</AttributeValue>
        </Attribute>
      </Resource>
      <Action>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>read</AttributeValue>
        </Attribute>
      </Action>
      <Environment/>
    </Request>

On the following policy:

    <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
            PolicyId="LoginPolicy"
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
      <!-- Empty policy-level Target: the policy applies to every request;
           the rule Targets below do the actual matching. -->
      <Target/>
      <Rule RuleId="LoginRule" Effect="Permit">
        <Target>
          <Subjects>
            <Subject>
              <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Bob</AttributeValue>
                <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </SubjectMatch>
            </Subject>
          </Subjects>
          <Resources>
            <Resource>
              <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/service/Address/URI</AttributeValue>
                <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </ResourceMatch>
            </Resource>
          </Resources>
        </Target>
      </Rule>
      <!-- No Target: applies to every request, so anything LoginRule does not permit is denied. -->
      <Rule RuleId="FinalRule" Effect="Deny"/>
    </Policy>

Thanks for your help :)

Michael Ryerse | Enterprise Security Services | (360) 725-3908
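The following is an added example, not part of Michael's post and not any XACML product's code: a small Python evaluator that reproduces the XACML 2.0 Target semantics relevant to the question. An attribute designator returns a bag of every value with that AttributeId (so several <Attribute AttributeId="group"> elements are fine), a SubjectMatch/ResourceMatch is true when the match function is true for at least one value in the bag, and an attribute that is absent from the request yields an empty bag that never matches. The policy inside the block is written in XACML 2.0 syntax and matches on the post's "group" attribute rather than on subject-id; the policy and rule ids (GroupPolicy, AdminsCanRead), the build_request/evaluate helper names and the sample users are assumptions made for the example. Only string-equal and permit-overrides are implemented.

```python
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
POL = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
PERMIT_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"


def attribute(attr_id, value):
    return f'<Attribute AttributeId="{attr_id}" DataType="{XS_STRING}"><AttributeValue>{value}</AttributeValue></Attribute>'


def build_request(user, groups, resource, action):
    """Constructed 2.0 context Request in the shape of the post: one <Attribute>
    element per LDAP group, all sharing AttributeId="group" (example data, not real)."""
    subject = attribute(SUBJECT_ID, user) + "".join(attribute("group", g) for g in groups)
    return (f'<Request xmlns="{CTX}"><Subject>{subject}</Subject>'
            f'<Resource>{attribute(RESOURCE_ID, resource)}</Resource>'
            f'<Action>{attribute(ACTION_ID, action)}</Action><Environment/></Request>')


# Hypothetical policy: Permit when ANY value of the subject's "group" bag equals
# "administrators" and the resource is /service/Address/URI. FinalRule has no Target,
# so it applies to every request and denies whatever AdminsCanRead did not permit.
POLICY = f"""<Policy xmlns="{POL}" PolicyId="GroupPolicy" RuleCombiningAlgId="{PERMIT_OVERRIDES}">
  <Target/>
  <Rule RuleId="AdminsCanRead" Effect="Permit">
    <Target>
      <Subjects><Subject>
        <SubjectMatch MatchId="{STRING_EQUAL}">
          <AttributeValue DataType="{XS_STRING}">administrators</AttributeValue>
          <SubjectAttributeDesignator AttributeId="group" DataType="{XS_STRING}"/>
        </SubjectMatch>
      </Subject></Subjects>
      <Resources><Resource>
        <ResourceMatch MatchId="{STRING_EQUAL}">
          <AttributeValue DataType="{XS_STRING}">/service/Address/URI</AttributeValue>
          <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="{XS_STRING}"/>
        </ResourceMatch>
      </Resource></Resources>
    </Target>
  </Rule>
  <Rule RuleId="FinalRule" Effect="Deny"/>
</Policy>"""


def request_bags(request_xml):
    """Collect {(category, AttributeId): [values]} from a Request; repeated
    AttributeIds in one category accumulate into a single bag."""
    root = ET.fromstring(request_xml)
    bags = {}
    for category in ("Subject", "Resource", "Action", "Environment"):
        for elem in root.findall(f"{{{CTX}}}{category}"):
            for attr in elem.findall(f"{{{CTX}}}Attribute"):
                values = [(v.text or "").strip() for v in attr.findall(f"{{{CTX}}}AttributeValue")]
                bags.setdefault((category, attr.get("AttributeId")), []).extend(values)
    return bags


def match_is_true(match, category, bags):
    """One <SubjectMatch>/<ResourceMatch>/<ActionMatch>: apply the match function to
    each value of the designated bag; true if it holds for at least one value.
    An empty bag (attribute not sent) therefore never matches."""
    if match.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(match.get("MatchId"))
    literal = match.find(f"{{{POL}}}AttributeValue").text.strip()
    designator = match.find(f"{{{POL}}}{category}AttributeDesignator")
    bag = bags.get((category, designator.get("AttributeId")), [])
    return any(literal == value for value in bag)


def target_matches(target, bags):
    """Absent Target or absent section matches anything; a section matches if any of
    its <Subject>/<Resource>/<Action> alternatives has all of its *Match elements true."""
    if target is None:
        return True
    for category in ("Subject", "Resource", "Action"):
        section = target.find(f"{{{POL}}}{category}s")
        if section is None:
            continue
        if not any(all(match_is_true(m, category, bags)
                       for m in alternative.findall(f"{{{POL}}}{category}Match"))
                   for alternative in section.findall(f"{{{POL}}}{category}")):
            return False
    return True


def evaluate(policy_xml, request_xml):
    """Decision for one Policy against one Request (permit-overrides only)."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != PERMIT_OVERRIDES:
        raise NotImplementedError(policy.get("RuleCombiningAlgId"))
    bags = request_bags(request_xml)
    if not target_matches(policy.find(f"{{{POL}}}Target"), bags):
        return "NotApplicable"
    effects = [rule.get("Effect") for rule in policy.findall(f"{{{POL}}}Rule")
               if target_matches(rule.find(f"{{{POL}}}Target"), bags)]
    if "Permit" in effects:
        return "Permit"
    return "Deny" if "Deny" in effects else "NotApplicable"
```

Running `evaluate(POLICY, build_request("michael", ["users", "administrators", "backupOperators"], "/service/Address/URI", "read"))` yields Permit because one of the three group values equals "administrators"; a user whose group bag lacks that value, or who sends no group attribute at all, falls through to FinalRule and gets Deny. Two things to keep in mind with this design: the group bag is asserted by the PEP from its own LDAP lookup, so the PDP's decision is only as trustworthy as that lookup and the channel the request travels over; and for a per-resource "must be in group X" rule, a SubjectMatch on the group designator (as above) or a Condition using string-is-in are both standard ways to express the any-value-in-the-bag check without mapping groups to generic names.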