I am reading the XACML Standard and I see these elements, but the documentation is very technical and I can't find examples about these elements.

What do the elements CombinerParameters and CombinerParameter do in XACML?

Thanks.

David Brossard
Miguel

1 Answer

Background

The XACML core specification is defined by OASIS and can be found here. XACML is a language that implements attribute-based access control.

The specification defines:

  1. An architecture
  2. A policy language
  3. A means to send authorization requests and receive authorization responses

Language Elements - Combiner Parameters

Your question relates to the language itself. The language contains many different elements of which:

  • CombinerParameter (defined here)
  • CombinerParameters (defined here)

Combiner parameters are used in conjunction with combining algorithms.

What is a combining algorithm?

When a policyset or a policy element contains multiple children, these children can be conflicting. For instance, a policy could contain the following rules:

  • Managers can view documents in their department
  • Managers cannot view secret documents

These 2 rules are conflicting. Which one wins? This is where combining algorithms step in (Specification definition | Blog post | Wikipedia). Combining algorithms help determine which policies and rules win. For instance, deny-overrides makes deny decisions win over permit decisions.

Combining algorithms in XACML can have combiner parameters to influence the way they work. Note that none of the default combining algorithms defined in the specification use combiner parameters. If you wanted to, you could implement a custom combining algorithm that would make use of combiner parameters.

The combiner parameters in detail

The first element contains any number of the second element as defined hereafter:

<xs:element name="CombinerParameters" type="xacml:CombinerParametersType"/>
<xs:complexType name="CombinerParametersType">
   <xs:sequence>
      <xs:element ref="xacml:CombinerParameter" minOccurs="0"
                  maxOccurs="unbounded"/>
   </xs:sequence>
</xs:complexType>

The second element is defined as follows

<xs:element name="CombinerParameter" type="xacml:CombinerParameterType"/>
<xs:complexType name="CombinerParameterType">
   <xs:sequence>
      <xs:element ref="xacml:AttributeValue"/>
   </xs:sequence>
   <xs:attribute name="ParameterName" type="xs:string" use="required"/>
</xs:complexType>

It contains:

  • a sequence of attribute values
  • a parameter name e.g. location.

An attribute value is made up of:

  • a value e.g. Chicago
  • a datatype e.g. http://www.w3.org/2001/XMLSchema#string

An example attribute value in XML looks like the following:

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Chicago</AttributeValue>

In other words, a combiner parameter is:

  • an identifier e.g. location
  • a value made up of the value itself e.g. 'Chicago' and the datatype e.g. string.
David Brossard
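
An added example, not part of the answer above and not taken from any XACML engine: a policy carrying a CombinerParameters element, read in Python and handed to a custom rule-combining algorithm. The algorithm URN, the denyThreshold parameter and the function names are assumptions made for illustration, and the rule decisions passed in are constructed inputs.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
XS_INT = "http://www.w3.org/2001/XMLSchema#integer"

# Constructed policy. The RuleCombiningAlgId URN and the "denyThreshold"
# parameter are hypothetical; the XACML specification defines neither.
POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="docs" Version="1.0"
    RuleCombiningAlgId="urn:example:rule-combining-algorithm:deny-threshold">
  <Target/>
  <CombinerParameters>
    <CombinerParameter ParameterName="denyThreshold">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</AttributeValue>
    </CombinerParameter>
  </CombinerParameters>
  <Rule RuleId="r1" Effect="Permit"/>
</Policy>"""


def combiner_parameters(policy_xml):
    """Return {ParameterName: (DataType, value)} for the policy's combiner parameters."""
    root = ET.fromstring(policy_xml)
    params = {}
    for p in root.findall("x:CombinerParameters/x:CombinerParameter", NS):
        av = p.find("x:AttributeValue", NS)
        if av is not None:
            params[p.get("ParameterName")] = (av.get("DataType"), (av.text or "").strip())
    return params


def deny_threshold_combine(rule_decisions, params):
    """Hypothetical custom algorithm: Deny once `denyThreshold` rules have denied."""
    dtype, raw = params.get("denyThreshold", (None, None))
    # Fail closed: a missing or mistyped parameter never falls back to a default.
    try:
        threshold = int(raw) if dtype == XS_INT else 0
    except ValueError:
        threshold = 0
    if threshold < 1:
        return "Indeterminate"
    if rule_decisions.count("Deny") >= threshold:
        return "Deny"
    return "Permit" if "Permit" in rule_decisions else "NotApplicable"


if __name__ == "__main__":
    params = combiner_parameters(POLICY)
    print(params, deny_threshold_combine(["Deny", "Permit", "Deny"], params))
```
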