In my previous blog post I implemented a small XACML sample with WSO2 Identity Server. Now let's extend it by adding more authorization rules. The XACML policy used in the previous post achieves the following authorization logic, which I will recall first.
1. Patients can read only their own record and cannot read any other record. They also cannot update or delete their own record.
2. Doctors can read and update any patient record, but they cannot create or delete patient records.
3. Only administrators can create and delete patient records.
Let's assume that medi.com now comes with the following two requirements.
1. Only administrators can create and delete patient records, as before, but administrators can do this only during office hours, between 9.00 am and 4.00 pm.
2. A community project is being carried out by an external party. They need some details of the patient, such as DOB and gender, for their research. Therefore all users in this community project (users whose email address ends with “community.com”) can read particular XML records in the record repository, meaning only the DOB and gender details of a particular patient.
For these two requirements we only need to edit our existing policy. For the first one, we add a new “Apply” element into the rule. Here you need to change the time zone offset of the defined times to match your own time zone.
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
      <EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time"/>
    </Apply>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00+05:00</AttributeValue>
  </Apply>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
      <EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time"/>
    </Apply>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">16:00:00+05:00</AttributeValue>
  </Apply>
</Apply>
For the second one, we can create a new rule as follows. Here we do a regular-expression match on the email address to identify the users in the community project.
<Rule Effect="Permit" RuleId="Community_Permit_Rule">
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/patient/patientDoB</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/patient/patientGender</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action>
    </Actions>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <!-- the "community.com" domain is taken from the requirement above; the quantifier is an assumption (the original pattern was mangled) -->
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[0-9a-zA-Z]+@community.com</AttributeValue>
          <SubjectAttributeDesignator AttributeId="EMAIL" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </SubjectMatch>
      </Subject>
    </Subjects>
  </Target>
</Rule>
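As an added example (not code from this post or from WSO2), here is a small Python model of the two new conditions: the office-hours window with the +05:00 offset the policy uses, and the regexp matches of Community_Permit_Rule. It also shows why the unanchored, unescaped patterns over-match when a PDP's string-regexp-match uses substring semantics; the anchored patterns and the anchored_engine flag are assumptions for illustration, not part of the post's policy.

```python
import re
from datetime import datetime, time, timezone, timedelta

# Office-hours window from the time-based Apply block. The policy writes the
# times with a +05:00 offset; change TZ to match your own PDP's time zone.
TZ = timezone(timedelta(hours=5))
OFFICE_START = time(9, 0, tzinfo=TZ)   # 09:00:00+05:00
OFFICE_END = time(16, 0, tzinfo=TZ)    # 16:00:00+05:00


def within_office_hours(now: datetime) -> bool:
    """Mirror 'and(time-greater-than-or-equal, time-less-than-or-equal)' on
    current-time, comparing in the offset the policy was written in."""
    local = now.astimezone(TZ).timetz()
    return OFFICE_START <= local <= OFFICE_END


# Patterns as written in Community_Permit_Rule ...
LOOSE_RESOURCE = r"/patient/patientDoB"
LOOSE_EMAIL = r"[0-9a-zA-Z]+@community.com"
# ... and anchored, dot-escaped versions (assumed hardening, not from the post).
STRICT_RESOURCE = r"^/patient/patientDoB$"
STRICT_EMAIL = r"^[0-9a-zA-Z]+@community\.com$"


def regexp_match(pattern: str, value: str, anchored_engine: bool = False) -> bool:
    """Model string-regexp-match under the two semantics a PDP may implement:
    substring search (re.search) or whole-string match (re.fullmatch)."""
    if anchored_engine:
        return re.fullmatch(pattern, value) is not None
    return re.search(pattern, value) is not None


def community_permit(email: str, resource: str, strict: bool = False,
                     anchored_engine: bool = False) -> bool:
    """True when both the subject (EMAIL) and resource-id matches of the rule hold."""
    email_pat = STRICT_EMAIL if strict else LOOSE_EMAIL
    res_pat = STRICT_RESOURCE if strict else LOOSE_RESOURCE
    return (regexp_match(email_pat, email, anchored_engine)
            and regexp_match(res_pat, resource, anchored_engine))


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate request and two look-alikes.
    print(community_permit("alice@community.com", "/patient/patientDoB"))
    print(community_permit("alice@community.com.evil.example", "/patient/patientDoB"))
    print(community_permit("alice@community.com.evil.example", "/patient/patientDoB", strict=True))
```

With substring semantics the loose patterns accept "alice@community.com.evil.example" and "/patient/patientDoB/notes"; the anchored patterns reject both under either engine, so anchoring is the safe choice whatever your PDP does.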
The updated policy with these two requirements can be found here. You will notice how easy it is to build complex authorization with XACML.