XACML Rule Subject

Question

I am writing a policy with ordered-permit-overrides for the rules.

Rule 1 permits access to all content for anyone with an appropriate security level.

Rule 2 permits access to some content (3 resources) to anyone with alternative credentials.

Rule 3 denies access to everything else. This is a failsafe if a user has neither the security level or the credentials.

My problem is that I can get my server to run the program and rule 1 works fine. For rule 2 the only result I get if I give the values required is "deny" and if I leave any blank it is "indeterminate." I think the policy isn't running my rule 2 despite using ordered-permit-overrides.

I have tried running the script with rule 3 commented out, and the result is only "indeterminate" or "not applicable."

In rule 1 I left the target empty. For rule 2 I defined resources, but not subjects. Do I need to specify subjects to get this rule to work? Is there something else that could be causing my first and third rules to function, but not my second.

Answer 1

It would be great if you could share your policy here so we could have a look. What are you using to write and test the policy.

As you might know indeterminate is due to an error inside the PDP e.g. you are requiring that an attribute be present but you're not sending it or you're using a string-one-and-only (or any *-one-and-only) function on a missing attribute.

By the way, why don't you use first applicable as a combining algorithm?

Check out the ALFA plugin for Eclipse (it's free) to be able to quickly write your policies without having to know the XACML syntax: http://www.axiomatics.com/axiomatics-alfa-plugin-for-eclipse.html