Can XACML support retrieving the allowed permissions for a given subject?

According to the XACML core specification, a PDP only returns an authorization decision (basically Permit, Deny, NotApplicable or Indeterminate), optionally with some additional data carried in advice and obligations. So from the PDP the application (PEP) can ask something like "is this user authorized to do this?", but the application (PEP) cannot ask a question like "what are the allowed resources and actions for a given user?"

However, with XACML 3.0 the application (PEP) can ask that question if the PDP supports the Multiple Decision Profile. My previous blog post explains how the Multiple Decision Profile can be used to filter out the resources that are allowed for a given user. But there the application (PEP) must already know the static set of resources and actions it has. I guess that is fine: the authorization policies are written for the application, so the application must know which resources and actions (basically permissions) it contains.

When we are going to introduce a XACML engine as an alternative to existing home-grown authorization solutions, I have experienced that most of the users ask…
"Is there any API to get the allowed resources/actions for a user/role? Our applications need this functionality."
"Is there any way to do routine audits for users/roles?"
"We want to make a UI to show the permissions that each user has. Is there any way to achieve it?"
IMO, sometimes these are valid… As an example, auditing may be a good requirement, where an administrator wants to verify or monitor what resources a user can access at a given time.

To achieve this, WSO2 Identity Server 4.5.0 provides something beyond the XACML specification: a kind of search API over the PDP policies. This search API is exposed via a web service called "EntitlementService". In this web service you can find an operation called "getEntitledAttributes". Following are the API details of this method. The subject name (user name or role name) and the subjectId (attribute id) are the required parameters.

    /**
     * Gets entitled resources for given user or role
     * This method can be only used, if all policies in PDP are defined with default categories i.e
     * subject, resource and action and default attribute Ids and #string data type.
     *
     * @param subjectName subject Name, User or Role name
     * @param subjectId attribute id of the subject, user or role
     * @param resourceName resource Name
     * @param action action name
     * @param enableChildSearch whether search is done for the child resources under the given  resource name
     * @return entitled resources as String array
     * @throws EntitlementException throws if invalid data is provided
     */
    public EntitledResultSetDTO getEntitledAttributes(String subjectName, String resourceName,
                                      String subjectId, String action, boolean enableChildSearch)
                                                                        throws EntitlementException {

Understanding the Operation "getEntitledAttributes"

This method lets applications find out dynamically which resources users or roles can access according to the XACML PDP. The authorization mapping and the authorization data (resources, actions, roles) are stored in the XACML policies, so the internal implementation of "getEntitledAttributes" must know how to extract this authorization data from the policies and how to turn it into decisions.

Internally it works by creating a set of XACML requests, evaluating them (using the Multiple Decision Profile) and then extracting the attribute values from the requests that evaluated to "Permit". The set of XACML requests is built from two sources: the input parameters passed to the "getEntitledAttributes" method, and the attribute values returned by the "getSearchAttributes" method defined in the "PolicyFinderModule" interface. The default implementation of "getSearchAttributes" reads the attribute values out of the policies themselves, i.e. the values in the <AttributeValue> elements of the XACML policies. That works for policies that do not use complex XACML functions, but extracting attribute values from a policy is not straightforward in every case, and a value that does not appear literally in a policy will never be part of the candidate requests. Therefore you have the flexibility to implement "getSearchAttributes" yourself to support such policies.

Sample to Try Out

Let's use a simple sample to see how it works.

Step 1. Upload the two sample policies and promote them to the PDP as enabled policies. You can find more detail on adding XACML policies to the PDP from this.

TestPolicy1.xml  ->  The role "admin" is permitted resource "foo1" with action "bar1".
TestPolicy2.xml  ->  The user "asela" is permitted resource "foo2" with action "bar2".

You can create the sample XACML policies using the simple policy editor. More details can be found here.

Step 2. Go to the PEP search option in the Management Console and try the following searches. These searches are done by calling the "getEntitledAttributes" operation of the "EntitlementService" API.

1. Let's check the allowed resources/actions for the role "admin".

2. Let's check the allowed resources/actions for the user "admin", who is already assigned to the "admin" role.

3. Let's check the allowed resources/actions for the user "asela".

4. Let's assign the user "asela" to the "admin" role and check the allowed resources/actions for the user "asela" again.
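The search described under "Understanding the Operation", run against constructed equivalents of the sample's TestPolicy1.xml and TestPolicy2.xml: candidate requests are built from the input subject plus the <AttributeValue>s found in the policies, evaluated, and filtered to the Permit results. This is an added simulation in Python, not WSO2 code; the toy PDP only understands string-equal matches, the role attribute id is an assumed value, and role membership (the PIP lookup behind searches 2 and 4) is not modelled, so the role is passed directly as the subject attribute, as the subjectId parameter allows.

```python
import xml.etree.ElementTree as ET
X = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"  # XACML 3.0 namespace
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ROLE_ID = "http://wso2.org/claims/role"  # assumed attribute id carrying the role
USER_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
def match(category, attr_id, value):
    return (f'<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">'
            f'<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">{value}'
            f'</AttributeValue><AttributeDesignator Category="{category}" AttributeId="{attr_id}" '
            f'DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/></Match>')
def policy(pid, *matches):  # one Permit rule whose Target is a single AllOf
    return ET.fromstring(
        f'<Policy xmlns="{X[1:-1]}" PolicyId="{pid}" Version="1.0" RuleCombiningAlgId='
        '"urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides">'
        '<Target/><Rule RuleId="r1" Effect="Permit"><Target><AnyOf><AllOf>'
        + "".join(matches) + "</AllOf></AnyOf></Target></Rule></Policy>")

# Constructed stand-ins for the post's TestPolicy1.xml and TestPolicy2.xml.
POLICIES = [
    policy("TestPolicy1", match(SUBJECT, ROLE_ID, "admin"),
           match(RESOURCE, RESOURCE_ID, "foo1"), match(ACTION, ACTION_ID, "bar1")),
    policy("TestPolicy2", match(SUBJECT, USER_ID, "asela"),
           match(RESOURCE, RESOURCE_ID, "foo2"), match(ACTION, ACTION_ID, "bar2")),
]
def match_parts(m):  # -> ((category, attribute id), literal value)
    d = m.find(X + "AttributeDesignator")
    return (d.get("Category"), d.get("AttributeId")), m.find(X + "AttributeValue").text
def search_attributes(policies, category):
    # Default getSearchAttributes behaviour: literal <AttributeValue>s of one category.
    return {v for p in policies for (cat, _), v in map(match_parts, p.iter(X + "Match"))
            if cat == category}
def evaluate(policies, request):
    # Toy PDP: Permit when every Match in some AllOf of a Permit rule holds (string-equal).
    for rule in (r for p in policies for r in p.iter(X + "Rule") if r.get("Effect") == "Permit"):
        if any(all(request.get(k) == v for k, v in map(match_parts, allof))
               for allof in rule.iter(X + "AllOf")):
            return "Permit"
    return "NotApplicable"

def get_entitled_attributes(policies, subject_name, subject_id):
    # Simulation (not WSO2 code): subject x resource x action requests, keep the Permits.
    return {(r, a) for r in search_attributes(policies, RESOURCE)
            for a in search_attributes(policies, ACTION)
            if evaluate(policies, {(SUBJECT, subject_id): subject_name,
                                   (RESOURCE, RESOURCE_ID): r, (ACTION, ACTION_ID): a}) == "Permit"}
```

Because search_attributes only sees literal <AttributeValue>s, a policy that matches resources with a regular expression or takes its values from a PIP contributes nothing to the candidate set, which is exactly the case the post says needs a custom "getSearchAttributes".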