
I want to answer questions like "What am I allowed to access?" by using XACML. Is there a workaround other than Axiomatics ARQ?

Phalguni Mukherjee

1 Answer


I guess you want to ask the question "What are the resources that bob can access?" of the XACML PDP, rather than just hoping for a boolean type (permit, deny) result. In the XACML core spec, there is no mention of this type of query. But you can implement it. One way is to use the multiple decision profile. The PEP can send all resources in the system, the actions and the user (bob) to the PDP. The PDP would then respond with multiple XACML results, and the PEP can filter out the permitted resources.

Also, like Axiomatics, there are some XACML implementations that support this feature in their own ways. WSO2 Identity Server, which is an open source XACML engine, also supports this feature. You can find more details from here. Identity Server has introduced a search API that searches all policies and evaluates them to return the accessible resources for a given user.

Also, as mentioned above, sometimes you may implement the same behavior using the multiple decision profile and the hierarchical resource profile. But it depends on your use case. I guess this would help you.

Asela
  • I am using the SUN implementation, is it possible with it? – Phalguni Mukherjee Feb 26 '14 at 05:17
  • I guess not, it is not supported... and even for XACML 3.0, which contains the multiple decision profile... – Asela Feb 26 '14 at 06:04
  • I can see two things, one is Balana and the other is WSO2is-6.0. Which one should I use? Also, I don't need any web server as WSO2 provides; can I use it directly in my API? – Phalguni Mukherjee Feb 26 '14 at 09:57
  • Balana is a library and it is a pure XACML 3.0 core spec implementation. You can use it for building your own XACML PDP. It only provides a Java API. WSO2 IS is a PDP engine that has been created using Balana. It has a web service API and also a PAP. Basically you can invoke this web service API using a web service client or SOAP UI. A web service client can be found here: https://svn.wso2.org/repos/wso2/people/asela/xacml/pep/4.2.X/ – Asela Feb 26 '14 at 11:18
  • If I am making my own PDP, will DOM parsing of the XML to find my matching resource be the right approach in that case? – Phalguni Mukherjee Feb 26 '14 at 12:40
  • I guess you mean in the XACML response? Yes, it is fine. If you like Balana, you can find a sample of the multiple decision profile here: http://xacmlinfo.org/2012/08/16/resource-filtering-with-xacml/ – Asela Feb 26 '14 at 13:39
  • No, actually I am using the Sun XACML API (as I found Balana is also using the same) and XACML 2.0. What I found is that if I don't pass the resource attribute value, it gives "Not_Specified" and the Resource is returned as blank, so in that case I am fetching all the policies and picking the policy matching my subject, then fetching its resource and action attributes and storing them in my cache. – Phalguni Mukherjee Feb 26 '14 at 13:53
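
The PEP-side filtering step described in the answer (send every resource in one multiple-decision request, then keep only the permitted ones), as an added example that is not part of the original thread and is not Balana or WSO2 code. It assumes a XACML 3.0 response in which the PDP echoes each resource-id back (`IncludeInResult="true"` on the request attribute); the function name, sample paths and obligation id are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"

def _result(decision, rid, extra=""):
    """Build one constructed <Result>; the PDP echoes resource-id back."""
    return (f'<Result><Decision>{decision}</Decision>{extra}'
            f'<Attributes Category="{RESOURCE_CAT}">'
            f'<Attribute AttributeId="{RESOURCE_ID}" IncludeInResult="true">'
            f'<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">'
            f'{rid}</AttributeValue></Attribute></Attributes></Result>')

# Constructed sample response for subject "bob" (paths and obligation id are made up).
LOG_OBLIGATION = "urn:example:obligation:log-access"
SAMPLE_RESPONSE = (
    f'<Response xmlns="{XACML_NS}">'
    + _result("Permit", "/docs/report.pdf")
    + _result("Deny", "/docs/payroll.xls")
    + _result("NotApplicable", "/docs/notes.txt")
    + _result("Permit", "/docs/audit.log",
              f'<Obligations><Obligation ObligationId="{LOG_OBLIGATION}"/></Obligations>')
    + _result("Indeterminate", "/docs/archive.zip")
    + "</Response>")

def permitted_resources(response_xml, requested, known_obligations=frozenset()):
    """Return the requested resource ids that the PDP explicitly permitted."""
    if "<!DOCTYPE" in response_xml:
        raise ValueError("DTD not allowed in a XACML response")
    allowed = set()
    for result in ET.fromstring(response_xml).findall("x:Result", NS):
        decision = result.findtext("x:Decision", default="", namespaces=NS).strip()
        if decision != "Permit":
            continue  # Deny, NotApplicable and Indeterminate all fail closed
        obligations = {o.get("ObligationId")
                       for o in result.findall("x:Obligations/x:Obligation", NS)}
        if not obligations <= set(known_obligations):
            continue  # deny-biased PEP: an obligation it cannot discharge means no access
        for attrs in result.findall("x:Attributes", NS):
            if attrs.get("Category") != RESOURCE_CAT:
                continue
            for attr in attrs.findall("x:Attribute", NS):
                rid = attr.findtext("x:AttributeValue", default="", namespaces=NS).strip()
                if attr.get("AttributeId") == RESOURCE_ID and rid in requested:
                    allowed.add(rid)  # ignore ids the PEP never asked about
    return sorted(allowed)
```

Only an explicit Permit counts, and a Permit carrying an obligation the PEP does not handle is dropped, so the resulting list never grants more than the PDP decided.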