These day, i am working on opensource XACML 3.0 implementation, called “Balana”. You can find the project from here. Balana is an improvement of sun-xacml. However i am not going to talk about Balana today… But just want to share some knowledge with XACML 3.0 When I go through the XACML 3.0 Core specification, following are the main changes that i saw when comparing to XACML 2.0….
Custom attribute categories
Custom attribute categories can be defined with XACML 3.0. But in XACML 2.0, attributes have been organized into subject, resource, environment or action. As an example, think that you want to create an attribute category called “foo” in your policy and request. You can do it with XACML3 with out any issue. According to the XACML 3.0 policy schema, category of XACML element is identified by a XML attribute called “Category”. As an example,
In XACML 2.0 Policy, you can define the attribute designator element as follows, But it must be a pre-defined category such as subject, resource, environment or action.
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
In XACML 3.0 Policy, you can define it as follows. Category can be any thing as it is defined as an attribute of AttributeDesignator element
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="resource" DataType="http://www.w3.org/2001/XMLSchema#string"/>
Improvements in Obligation
There are several improvements with Obligation in XACML 3.0 when compare to 2.0
One is the introduced of Obligation Expressions. This would add dynamic expressions in to the obligation statements. To be more clear, lets go through an example…
Let assume that you want to do following with the Obligation.
“On deny, Tell the PEP to send an email to the user….”
In XACML 2.0, you need to define the obligation element with the user email statically.
<Obligation ObligationId="send-email" FulfillOn="Deny"> <AttributeAssignment AttributeId="email" DataType="http://www.w3.org/2001/XMLSchema#string">user@foo.com</AttributeAssignment> </Obligation>
But user would not be same for each XACML request that is evaluated, Therefore it is not possible to configure the email statically in the Obligation element. Obligation can only say PEP to “please send email to user” (let the PEP figure out the value of user’s email)
<Obligation ObligationId="send-email" FulfillOn="Deny"> <AttributeAssignment AttributeId="text" DataType="http://www.w3.org/2001/XMLSchema#string">please send email to user</AttributeAssignment> </Obligation>
But in XACML 3.0, email of each user can be retrieved using PIP in a dynamic manner as we can define na expression element inside the ObligationExpression. Therefore Obligation can say PEP to “please send email to user@foo.com address”
<ObligationExpression ObligationId="send-email" FulfillOn="Deny"> <AttributeAssignmentExpression AttributeId="email" DataType="http://www.w3.org/2001/XMLSchema#string"> <AttributeDesignator AttributeId="email" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/> </AttributeAssignmentExpression> </ObligationExpression>
In XACML 2.0, obligations can only be added to policies and policy sets. But with XACML 3.0, rules can also contain Obligations.
Introduce of Advice
Advice is a newly introduced feature with XACML 3.0 which is similar to Obligations. But only different, when compared to Obligations, PEPs do not have to comply with advice statements. PEPs can consider or discard the statement. Common use case is to explain why something was denied. “User bob is denied Because he has not a valid email”
Improvement in Target element
Actually as we can define custom attribute categories, There are some improvements in some of the elements in the XACML 3.0 policy, when compared to 2.0. With XACML 3. 0 Target element, we can define more complex authorization logic within itself than 2 .0.
Because In XACML 2.0, Target element contains the OR and AND relationship between same category. But in XACML 3.0 AllOf and AnyOf elements have been introduced to Target element. That clearly has been helped to define the OR and AND relationship between different categories.
As an example, let look at a Target element;
In XACML 2.0 , here we are having AND relationship between foo1 and foo2 resources and OR relationship between bar1 and bar2 actions. But we can not create and OR relationship between foo1 resource and bar1 action. so we can not define something such as “Target would be matched, when Bob can access foo resource or do bar action” by using target element.
<Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">foo1</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">foo2</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> <Actions> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bar1</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bar2</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> </Actions> </Target>
In XACML3 , here we are having AND relationship between “foo” resource and “bar1” role and OR relationship between “bar2” action. so we can not define something such as “Target would be matched, when Bob can access foo resource and do bar1 action or do bar2 action”.
<Target> <AnyOf> <AllOf> <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">foo</AttributeValue> <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </Match> <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bar1</AttributeValue> <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </Match> </AllOf> <AllOf> <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bar2</AttributeValue> <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </Match> </AllOf> </AnyOf> </Target>
More functions and algorithms
XACML3 has introduced new String functions such as
urn:oasis:names:tc:xacml:3.0:function:string-starts-with
urn:oasis:names:tc:xacml:3.0:function:string-ends-with
urn:oasis:names:tc:xacml:3.0:function:string-contains
urn:oasis:names:tc:xacml:3.0:function:string-substring
Some improvements to other functions such as
urn:oasis:names:tc:xacml:3.0:function:dayTimeDuration-equal
urn:oasis:names:tc:xacml:3.0:function:yearMonthDuration-equal
urn:oasis:names:tc:xacml:3.0:function:dateTime-add-dayTimeDuration
Also Improvements to exiting combine algorithms (deny-overrides , permit-overrides, ordered-deny-overrides and ordered-permit-overrides) and new two combine algorithms for policy and rule combining…
urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit
urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit
urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-unless-deny
urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-unless-deny
Improvements in XPath
New XPath data type has been introduced with XACML 3.0. In XACML 2.0 XPath has been defined as a String where it can not be defined the context that the namespace prefix are going to resolve. Also XPath based multiple decisions scheme has been introduced.
Improvement in XACML Request and Response.
As we can defined custom attribute categories, many types of attribute categories can be in the XACML 3.0 request. XACML 2.0 request can contains only Subject, resource, environment or action categories.
In XACML Response can contain additional data such as
Request attributes that are defined in the XACML response.
Applicable policy ids for given XACML request, are defined in the XACML response.
Multiple decision profile.
This is new profile which comes with XACML 3.0 and this is not incuced in XACML3 core specification. But this is very useful for performance improvement between PEP and PDP. As PEP can ask decisions for multiple requests in one XACML request.
Administrative delegation profile
This is also a new profile which comes with XACML 3.0. This allow to define policies about who can write policies about what. As an exmple.
“Bob may issue a policy but only about resources in department X”
We will discuss on Multiple decision profile and Administrative delegation profile more on my next blog post…. Thanks for reading..!!!