An XACML engine usually returns a Boolean decision (Permit or Deny). Let us see how Advice elements in XACML can be used to return a policy decision that carries more than a Boolean value.
Let us take an example from MDM (Mobile Device Management) systems.
The MDM system contains the policy enforcement point (PEP) for mobile devices. The PEP decides which features of the mobile device are allowed for each employee. The PEP calls the PDP and acts on its decision. Here the PEP needs the list of allowed features for a given user rather than a Boolean decision. The flow is as follows:
1. The PEP only knows the mobile number, and sends it in the XACML request.
2/3. The PDP finds the user and roles for the mobile number by calling the user store with the aid of the PIP. Please read more about the PIP from here.
4. The PDP takes the decision and sends the XACML response with Advice elements. These Advice elements contain the list of features that are allowed for the given mobile number.
Let us assume the following sample scenarios.
We take a few features of the mobile device and define access control rules for them.
- Camera feature -> Mobile users who are in ManagerGroup can use the camera. Others cannot.
- App installation feature -> Mobile users who are in ManagerGroup or EngineeringGroup can install applications. Others cannot.
- WIFI feature -> Mobile users who are in ManagerGroup can connect to the WIFI-M network, users in EngineeringGroup can connect to WIFI-E, and users in SalesGroup can connect to WIFI-S.
Let us write policies for the above scenarios.
We can create one policy per feature. When authorization rules are needed for a new feature, we simply add a new policy to the PDP.
To get the effective feature list for a given user, all policies must be evaluated in the PDP. Therefore:
- We do not use a Target element in any policy, so that every policy is evaluated for every request.
- The policy combining algorithm of the PDP is set to “Deny-Overrides”, and no policy ever returns a “Deny” decision. Each policy decision is therefore either “Permit” or “Not Applicable”, and the combined decision is “Permit” whenever at least one policy permits.
Policy for the camera feature
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="CameraPolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
  <Target></Target>
  <Rule Effect="Permit" RuleId="Rule-for-manager-group">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"></Function>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ManagerGroup</AttributeValue>
        <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
      </Apply>
    </Condition>
  </Rule>
  <AdviceExpressions>
    <AdviceExpression AdviceId="camera-enable" AppliesTo="Permit">
      <AttributeAssignmentExpression AttributeId="camera-enable">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CameraEnable</AttributeValue>
      </AttributeAssignmentExpression>
    </AdviceExpression>
  </AdviceExpressions>
</Policy>
When the user is in ManagerGroup, the policy decision is “Permit” and the Advice is added to the XACML response. When the user is in any other group, the policy decision is “Not Applicable” and no Advice is added to the XACML response.
Policy for the app installation feature
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="AppPolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
  <Target></Target>
  <Rule Effect="Permit" RuleId="Rule-for-manager-group">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"></Function>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ManagerGroup</AttributeValue>
        <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Permit" RuleId="Rule-for-engineering-group">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"></Function>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">EngineeringGroup</AttributeValue>
        <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
      </Apply>
    </Condition>
  </Rule>
  <AdviceExpressions>
    <AdviceExpression AdviceId="app-enable" AppliesTo="Permit">
      <AttributeAssignmentExpression AttributeId="app-enable">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">AppEnable</AttributeValue>
      </AttributeAssignmentExpression>
    </AdviceExpression>
  </AdviceExpressions>
</Policy>
Same as the camera feature policy: if the policy decision is Permit, the Advice is added to the XACML response.
Policy for the WIFI feature
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="WifiPolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
  <Target></Target>
  <Rule Effect="Permit" RuleId="Rule-for-manager-group">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"></Function>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ManagerGroup</AttributeValue>
        <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
      </Apply>
    </Condition>
    <AdviceExpressions>
      <AdviceExpression AdviceId="wifi_network" AppliesTo="Permit">
        <AttributeAssignmentExpression AttributeId="wifi_network">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">WifiM</AttributeValue>
        </AttributeAssignmentExpression>
      </AdviceExpression>
    </AdviceExpressions>
  </Rule>
  <Rule Effect="Permit" RuleId="Rule-for-engineering-group">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"></Function>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">EngineeringGroup</AttributeValue>
        <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
      </Apply>
    </Condition>
    <AdviceExpressions>
      <AdviceExpression AdviceId="wifi_network" AppliesTo="Permit">
        <AttributeAssignmentExpression AttributeId="wifi_network">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">WifiE</AttributeValue>
        </AttributeAssignmentExpression>
      </AdviceExpression>
    </AdviceExpressions>
  </Rule>
  <Rule Effect="Permit" RuleId="Rule-for-sales-group">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"></Function>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SalesGroup</AttributeValue>
        <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
      </Apply>
    </Condition>
    <AdviceExpressions>
      <AdviceExpression AdviceId="wifi_network" AppliesTo="Permit">
        <AttributeAssignmentExpression AttributeId="wifi_network">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">WifiS</AttributeValue>
        </AttributeAssignmentExpression>
      </AdviceExpression>
    </AdviceExpressions>
  </Rule>
</Policy>
The rule combining algorithm of this policy is set to “first-applicable”, so the first rule whose condition evaluates to true supplies the effect, and only that rule's Advice is returned. Here the Advice is attached to each Rule rather than to the Policy, so the value depends on which rule matched.
When the user is in ManagerGroup, the policy decision is “Permit” from the first rule, and the Advice value “WifiM” (the WIFI-M network) is added to the XACML response. When the user is in EngineeringGroup, the policy decision is “Permit” from the second rule, and the Advice value “WifiE” is added. A user who is in more than one group receives only the network of the first matching rule, so the rule order prioritizes which WIFI network is allowed for a given role.
Let us try it with Identity Server.
You can upload the above three policies to Identity Server and try them out. Before that, it is better to read this blog post, which gives you more idea about the behavior of RBAC policies in Identity Server.
Step 1. Upload the XACML policies to Identity Server. Please go through this guide on adding XACML policies to the PDP.
Step 2. Create roles and assign users to them.
Ex: user bob -> EngineeringGroup
Step 3. Use the TryIt tool to try out the XACML policies.
XACML request for user bob. (In practice this would be the mobile number; I am using the username just for testing.)
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bob</AttributeValue>
    </Attribute>
  </Attributes>
</Request>
XACML response for user bob, with Advice elements
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Result>
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </Status>
    <AssociatedAdvice>
      <Advice AdviceId="app-enable">
        <AttributeAssignment AttributeId="app-enable" DataType="http://www.w3.org/2001/XMLSchema#string"> AppEnable</AttributeAssignment>
      </Advice>
      <Advice AdviceId="wifi_network">
        <AttributeAssignment AttributeId="wifi_network" DataType="http://www.w3.org/2001/XMLSchema#string"> WifiE</AttributeAssignment>
      </Advice>
    </AssociatedAdvice>
  </Result>
</Response>
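On the PEP side, the response above has to be turned into the feature list the MDM system enforces. The following is an added example (not code from the post or from Identity Server) of that step: it accepts Advice only from a Permit result with an ok status, fails closed to an empty feature list for NotApplicable or Indeterminate, and strips the leading whitespace the PDP emits in AttributeAssignment values. Both sample responses are constructed inline from the scenario above.

```python
import xml.etree.ElementTree as ET

# XACML 3.0 core namespace used by the policies, request and response above
NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"


def allowed_features(response_xml: str) -> dict:
    """Map AdviceId -> assigned value for a Permit response with status ok.

    Fails closed: NotApplicable, Indeterminate, Deny or a non-ok status give
    an empty feature list, and any Advice attached to such a result is ignored.
    """
    result = ET.fromstring(response_xml).find("x:Result", NS)
    if result is None:
        return {}
    decision = result.findtext("x:Decision", default="", namespaces=NS)
    code = result.find("x:Status/x:StatusCode", NS)
    if decision != "Permit" or code is None or code.get("Value") != STATUS_OK:
        return {}
    features = {}
    for advice in result.findall("x:AssociatedAdvice/x:Advice", NS):
        for assignment in advice.findall("x:AttributeAssignment", NS):
            # The PDP emits " AppEnable" with leading whitespace; normalise it.
            features[advice.get("AdviceId")] = (assignment.text or "").strip()
    return features


def camera_allowed(features: dict) -> bool:
    """Camera is on only when the CameraPolicy advice is present."""
    return features.get("camera-enable") == "CameraEnable"


# Constructed copy of the response for bob (EngineeringGroup) shown above.
BOB_RESPONSE = """<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<Result><Decision>Permit</Decision>
<Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
<AssociatedAdvice>
<Advice AdviceId="app-enable"><AttributeAssignment AttributeId="app-enable"
DataType="http://www.w3.org/2001/XMLSchema#string"> AppEnable</AttributeAssignment></Advice>
<Advice AdviceId="wifi_network"><AttributeAssignment AttributeId="wifi_network"
DataType="http://www.w3.org/2001/XMLSchema#string"> WifiE</AttributeAssignment></Advice>
</AssociatedAdvice></Result></Response>"""

# Constructed response for a user in none of the groups: every policy is
# NotApplicable, so Deny-Overrides yields NotApplicable and no Advice at all.
NO_GROUP_RESPONSE = """<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<Result><Decision>NotApplicable</Decision>
<Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
</Result></Response>"""
```

For bob the PEP ends up with app installation enabled and the WifiE network, and no camera, exactly the feature set the three policies grant to EngineeringGroup.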
Thanks for reading!