Authorization for Hierarchical Resources with XACML Multiple Decision Profile

The Multiple Decision Profile is one of the most useful profiles in XACML 3.0 when dealing with common authorization use cases. Combined with the Hierarchical Resource Profile, it can be used to define authorization for hierarchical resources by means of an identifier called “scope”. You can find more details here. In this blog post, let's go through an authorization use case for a set of hierarchical resources stored in a repository.

Assume a simple repository as follows…

Access to these resources can be controlled based on user attributes or roles.

Let's create a use case as follows:

1. There are three roles that can be assigned to users, i.e. Manager, Employee and User.

2. Users in the Manager role can access everything under the root resource.

3. Users in the Employee role can access everything under the root resource except the business and leadership resources.

4. Users in the User role can only access things under the public resource.

A sample XACML 3.0 policy for this use case can be found here.

Here, with the Multiple Decision and Hierarchical Resource profiles, the PEP (or application) does not need to ask the PDP for an authorization decision for each resource separately. It can ask for authorization only for the “root” resource, and the response then contains the authorization decisions for all resources under “root”.

Balana has an extension point called “ResourceFinderModule” where you can plug in your own resource finders. These resource finders help the PDP find the child (or descendant) resources of a given resource. In this sample, a resource finder module has been implemented to cater for the above requirement.

An attribute finder module is also shipped with this sample. In a real deployment this module would call a user store and retrieve user attributes such as role data, but this sample attribute finder has a few hard-coded names and their corresponding roles, as follows:

bob is assigned to the User group
alice is assigned to the Employee group
peter is assigned to the Manager group
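To show what the resource finder and the hard-coded attribute finder contribute to a multiple-decision response, here is an added Python model of the behaviour described above (example code, not Balana's API or the sample project's code). The repository tree and the leaf documents are constructed for the example; only root, business, leadership and public come from the post, and the rules implement points 2 to 4 of the use case.

```python
# Constructed repository: parent -> immediate children. The post names root,
# public, business and leadership; the leaf documents are made up here.
REPOSITORY = {
    "root": ["root/public", "root/business", "root/leadership"],
    "root/public": ["root/public/notice.txt"],
    "root/business": ["root/business/plan.txt"],
    "root/leadership": ["root/leadership/minutes.txt"],
}

# Same hard-coded mapping the sample attribute finder uses instead of a user store.
USER_ROLES = {"bob": "User", "alice": "Employee", "peter": "Manager"}


def is_under(resource_id, base):
    """True if resource_id is base itself or lies beneath base in the hierarchy."""
    return resource_id == base or resource_id.startswith(base + "/")


def find_descendants(resource_id):
    """What the resource finder does: enumerate the node and everything below it."""
    found = [resource_id]
    for child in REPOSITORY.get(resource_id, []):
        found.extend(find_descendants(child))
    return found


def evaluate(user, resource_id):
    """Single-resource decision implementing rules 2-4 of the use case."""
    role = USER_ROLES.get(user)
    if role == "Manager":
        return "Permit" if is_under(resource_id, "root") else "Deny"
    if role == "Employee":
        restricted = any(is_under(resource_id, r)
                         for r in ("root/business", "root/leadership"))
        return "Permit" if is_under(resource_id, "root") and not restricted else "Deny"
    if role == "User":
        return "Permit" if is_under(resource_id, "root/public") else "Deny"
    return "Deny"  # unknown user: no rule applies


def multiple_decision(user, resource_id, scope="Descendants"):
    """One request naming the parent and a scope; one decision per resource in the reply."""
    if scope == "Immediate":
        targets = [resource_id]
    elif scope == "Children":
        targets = [resource_id] + REPOSITORY.get(resource_id, [])
    elif scope == "Descendants":
        targets = find_descendants(resource_id)
    else:
        raise ValueError(f"unknown scope: {scope}")
    return {r: evaluate(user, r) for r in targets}
```

Calling `multiple_decision("alice", "root")` returns a Permit for root and the public subtree and a Deny for every business and leadership resource, which is the per-resource result set the PEP gets back from a single request.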

Please find the sample project here. This sample gives you an idea of how resource finders can be used to support the Multiple Decision and Hierarchical Resource profiles. It could be extended according to your actual use case.