1

If I have an API

https://api.example.org/api/v1/resources

and there is access to a resource with id

https://api.example.org/api/v1/resources/:id

How can I write an XACML policy where the resource is a URL with a resource id (the second URL from above)? How can I put a placeholder/variable there so that I can write a rule for it?

transient_loop

1 Answer

2

Are you saying that you need to write separate policies for the various possible ids? E.g.

P1 that handles access to resource https://api.example.org/api/v1/resources/:1 and P2 that handles access to resource https://api.example.org/api/v1/resources/:2 etc.

If so, the idea would be to use an attribute id, say the resource-id attribute, to capture the value of the id in the URL at the PEP side and pass it to the PDP and to write policies where the target is specified as string-equals(resource-id,1) for P1 and string-equals(resource-id,2) for P2 etc.

(edit) Based on the clarification provided, you can do it as follows:

The reasoning in such a case will be similar. You write a Policy that handles all rules for resources and specify its target as string-equals(resource-type,"resources") and in that policy specify rules for each resource-id. At the rule level the target would be string-equals(resource-id,"1"), string-equals(resource-id,"2") etc.

Srijith Nair
    actually not really, what I need to write is a policy that handles https://api.example.org/api/v1/resources/ and one that handles https://api.example.org/api/v1/resources/:id :) I hope I was clear this time :) Thanks for your answer, which might give a clue on how to go about it – transient_loop May 03 '14 at 00:46
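A sketch of the attribute extraction the answer describes, added here as an example and not code from the question or the answer: the PEP parses the URL into `resource-type` and `resource-id`, and a small stand-in evaluator applies the policy and rule targets by string equality. The function names, the segment allow-list, and the Permit/Deny effects are assumptions made for illustration; a real deployment would send the attributes to an actual PDP.

```python
import re
from urllib.parse import urlsplit

API_PREFIX = "/api/v1/"  # assumed from the URLs in the question
SEGMENT = re.compile(r"[A-Za-z0-9_-]{1,64}")  # assumed allow-list for one path segment

# Constructed stand-in for the policy in the answer; the effects are sample values.
POLICY = {
    "target": {"resource-type": "resources"},
    "rules": [
        {"target": {"resource-id": "1"}, "effect": "Permit"},
        {"target": {"resource-id": "2"}, "effect": "Deny"},
    ],
}

def url_to_attributes(url):
    """PEP side: map a URL to resource attributes; None means no known shape."""
    path = urlsplit(url).path
    if not path.startswith(API_PREFIX):
        return None
    rest = path[len(API_PREFIX):]
    if rest.endswith("/"):
        rest = rest[:-1]  # tolerate exactly one trailing slash
    segments = rest.split("/")
    # Reject extra segments, empty segments, "..", and percent-escapes.
    if len(segments) > 2 or not all(SEGMENT.fullmatch(s) for s in segments):
        return None
    attrs = {"resource-type": segments[0]}
    if len(segments) == 2:
        attrs["resource-id"] = segments[1]  # absent for the collection URL
    return attrs

def string_equals_all(target, attrs):
    """True when every attribute named in the target equals the request value."""
    return all(attrs.get(name) == value for name, value in target.items())

def evaluate(policy, attrs):
    """Check the policy target, then return the first matching rule's effect."""
    if attrs is None or not string_equals_all(policy["target"], attrs):
        return "NotApplicable"
    for rule in policy["rules"]:
        if string_equals_all(rule["target"], attrs):
            return rule["effect"]
    return "NotApplicable"

def pep_decide(url):
    """Deny-biased PEP: only an explicit Permit lets the request through."""
    return evaluate(POLICY, url_to_attributes(url)) == "Permit"
```

The collection URL yields only `resource-type`, so a policy or rule for it can be distinguished from the per-id rules by whether `resource-id` is present in the request.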