
How can I apply XACML access control policies against the Identity Server's very own SCIM API? My idea is that I want the user to be able to access the user's SCIM endpoint (list endpoint), but it will only return the user itself as the only result (i.e. user can query for oneself). Is this even possible?

The default permissions in WSO2 Identity Server are not fine-grained enough to solve this problem. Thus, I started looking into XACML.

1 Answer

Yes, XACML is a good fit for this. What you need to do is model your users, actions, and resources.

For instance, in your case, the resource is the SCIM API. The SCIM API exposes:

  • manage users
  • manage user groups
  • manage user memberships

For each one you can GET / POST / PUT / DELETE per the REST profile.

ALFA Policy

An example policy using the ALFA syntax of XACML could be:

namespace scim {
    /* Attribute declarations: these give the attribute identifiers and categories
     * that appear in the generated XACML (scim.contextPath, scim.http.verb, scimUser, requestor) */
    attribute contextPath {
        id = "scim.contextPath"
        type = string
        category = resourceCat
    }
    attribute httpVerb {
        id = "scim.http.verb"
        type = string
        category = actionCat
    }
    attribute scimUser {
        id = "scimUser"
        type = string
        category = resourceCat
    }
    attribute requestor {
        id = "requestor"
        type = string
        category = subjectCat
    }

    /**
     * This policy secures access to the SCIM API
     */
    policyset secureSCIM {
        target clause stringStartsWith("/scim/v1/", contextPath)
        apply firstApplicable
        /**
         * This policy secures access to the User object of the SCIM API
         */
        policy secureUserAccess {
            target clause stringEndsWith("Users", contextPath)
            apply firstApplicable
            /**
             * View User object: a user may GET their own User record only
             */
            rule viewUser {
                target clause httpVerb == "GET"
                permit
                condition scimUser == requestor
            }
        }
    }
}

XACML Equivalent

<?xml version="1.0" encoding="UTF-8"?>
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).
Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:PolicySet xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicySetId="http://axiomatics.com/alfa/identifier/scim.secureSCIM"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable"
    Version="1.0">
    <xacml3:Description>This policy secures access to the SCIM API</xacml3:Description>
    <xacml3:PolicySetDefaults>
        <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicySetDefaults>
    <xacml3:Target>
        <xacml3:AnyOf>
            <xacml3:AllOf>
                <xacml3:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-starts-with">
                    <xacml3:AttributeValue
                        DataType="http://www.w3.org/2001/XMLSchema#string">/scim/v1/</xacml3:AttributeValue>
                    <xacml3:AttributeDesignator 
                        AttributeId="scim.contextPath"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                        MustBePresent="false"
                    />
                </xacml3:Match>
            </xacml3:AllOf>
        </xacml3:AnyOf>
    </xacml3:Target>
    <xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="http://axiomatics.com/alfa/identifier/scim.secureSCIM.secureUserAccess"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        Version="1.0">
        <xacml3:Description>This policy secures access to the User object of the SCIM API</xacml3:Description>
        <xacml3:PolicyDefaults>
            <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
        </xacml3:PolicyDefaults>
        <xacml3:Target>
            <xacml3:AnyOf>
                <xacml3:AllOf>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-ends-with">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">Users</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator 
                            AttributeId="scim.contextPath"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                            MustBePresent="false"
                        />
                    </xacml3:Match>
                </xacml3:AllOf>
            </xacml3:AnyOf>
        </xacml3:Target>
        <xacml3:Rule 
                Effect="Permit"
                RuleId="http://axiomatics.com/alfa/identifier/scim.secureSCIM.secureUserAccess.viewUser">
            <xacml3:Description>View User object:</xacml3:Description>
            <xacml3:Target>
                <xacml3:AnyOf>
                    <xacml3:AllOf>
                        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <xacml3:AttributeValue
                                DataType="http://www.w3.org/2001/XMLSchema#string">GET</xacml3:AttributeValue>
                            <xacml3:AttributeDesignator 
                                AttributeId="scim.http.verb"
                                DataType="http://www.w3.org/2001/XMLSchema#string"
                                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                MustBePresent="false"
                            />
                        </xacml3:Match>
                    </xacml3:AllOf>
                </xacml3:AnyOf>
            </xacml3:Target>
            <xacml3:Condition>
                <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
                    <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                    <xacml3:AttributeDesignator 
                        AttributeId="scimUser"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                        MustBePresent="false"
                    />
                    <xacml3:AttributeDesignator 
                        AttributeId="requestor"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                        MustBePresent="false"
                    />
                </xacml3:Apply>
            </xacml3:Condition>
        </xacml3:Rule>
    </xacml3:Policy>
</xacml3:PolicySet>
David Brossard
  • Thanks for your reply! My actual question is when I save this XACML policy in WSO2 IS, would it automatically enforce it for every SCIM request? Or do I have to set up a separate application (like WSO2 API Manager) to intercept the SCIM request separately and make a separate WS request to trigger this rule inquiry? – bufferingStacker Aug 17 '16 at 18:16
  • I think you probably have to deploy something to enforce it. It could be an option in the SCIM server – David Brossard Aug 17 '16 at 18:48
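The comments above end with the point that something has to enforce the policy: a policy enforcement point (PEP) in front of the SCIM server must collect the attributes (path, HTTP verb, requesting user, target user), ask a policy decision point (PDP) for a decision, and act on it. The following is an added example, not code from the answer or from WSO2 or Axiomatics. It is a tiny Python PDP that understands exactly the XACML 3.0 subset the answer's policy uses (Target/AnyOf/AllOf/Match, a Condition built from any-of-any, and first-applicable combining), plus a fail-closed PEP helper. `POLICY` is a whitespace-condensed copy of the answer's PolicySet with the Description and Defaults elements dropped (they play no part in evaluation); the sample requests, the user names `alice`/`bob`, and the function names `decide`/`is_allowed` are constructed for the example.

```python
import xml.etree.ElementTree as ET

X = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
STRING = "http://www.w3.org/2001/XMLSchema#string"
ANY_OF_ANY = "urn:oasis:names:tc:xacml:1.0:function:any-of-any"

# Condensed copy of the answer's PolicySet (Description/Defaults omitted; they do not affect evaluation).
POLICY = f"""<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="scim.secureSCIM"
 PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable" Version="1.0">
 <Target><AnyOf><AllOf><Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-starts-with">
  <AttributeValue DataType="{STRING}">/scim/v1/</AttributeValue>
  <AttributeDesignator AttributeId="scim.contextPath" DataType="{STRING}" Category="{RESOURCE}" MustBePresent="false"/>
 </Match></AllOf></AnyOf></Target>
 <Policy PolicyId="scim.secureSCIM.secureUserAccess"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
  <Target><AnyOf><AllOf><Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-ends-with">
   <AttributeValue DataType="{STRING}">Users</AttributeValue>
   <AttributeDesignator AttributeId="scim.contextPath" DataType="{STRING}" Category="{RESOURCE}" MustBePresent="false"/>
  </Match></AllOf></AnyOf></Target>
  <Rule Effect="Permit" RuleId="scim.secureSCIM.secureUserAccess.viewUser">
   <Target><AnyOf><AllOf><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="{STRING}">GET</AttributeValue>
    <AttributeDesignator AttributeId="scim.http.verb" DataType="{STRING}" Category="{ACTION}" MustBePresent="false"/>
   </Match></AllOf></AnyOf></Target>
   <Condition><Apply FunctionId="{ANY_OF_ANY}">
    <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
    <AttributeDesignator AttributeId="scimUser" DataType="{STRING}" Category="{RESOURCE}" MustBePresent="false"/>
    <AttributeDesignator AttributeId="requestor" DataType="{STRING}" Category="{SUBJECT}" MustBePresent="false"/>
   </Apply></Condition>
  </Rule>
 </Policy>
</PolicySet>"""

# The three two-argument string functions the policy uses; in a Match the literal comes first.
FUNCTIONS = {
    "urn:oasis:names:tc:xacml:3.0:function:string-starts-with": lambda lit, v: v.startswith(lit),
    "urn:oasis:names:tc:xacml:3.0:function:string-ends-with": lambda lit, v: v.endswith(lit),
    "urn:oasis:names:tc:xacml:1.0:function:string-equal": lambda lit, v: lit == v,
}

def bag(request, designator):
    """Values of one attribute in the request context; an empty bag if the PEP did not supply it."""
    return request.get((designator.get("Category"), designator.get("AttributeId")), [])

def match(request, m):
    fn = FUNCTIONS[m.get("MatchId")]
    literal = m.find(X + "AttributeValue").text
    return any(fn(literal, v) for v in bag(request, m.find(X + "AttributeDesignator")))

def target_matches(request, node):
    """Target = OR over AnyOf, AND over AllOf; each Match holds for some value in its bag."""
    target = node.find(X + "Target")
    any_ofs = [] if target is None else target.findall(X + "AnyOf")
    if not any_ofs:
        return True  # an empty Target applies to every request
    return any(all(match(request, m) for m in all_of.findall(X + "Match"))
               for any_of in any_ofs for all_of in any_of.findall(X + "AllOf"))

def condition_holds(request, rule):
    """Only any-of-any(f, bagA, bagB) is supported: true if f(a, b) for some a in A and b in B."""
    cond = rule.find(X + "Condition")
    if cond is None:
        return True
    apply = cond.find(X + "Apply")
    if apply.get("FunctionId") != ANY_OF_ANY:
        raise ValueError("unsupported condition function " + apply.get("FunctionId"))
    fn = FUNCTIONS[apply.find(X + "Function").get("FunctionId")]
    left, right = (bag(request, d) for d in apply.findall(X + "AttributeDesignator"))
    return any(fn(a, b) for a in left for b in right)

def evaluate(request, node):
    """Permit, Deny or NotApplicable for a Rule, Policy or PolicySet (first-applicable combining only)."""
    if not target_matches(request, node):
        return "NotApplicable"
    if node.tag == X + "Rule":
        return node.get("Effect") if condition_holds(request, node) else "NotApplicable"
    for child in (c for c in node if c.tag in (X + "Rule", X + "Policy", X + "PolicySet")):
        result = evaluate(request, child)  # first-applicable: first non-NotApplicable child decides
        if result != "NotApplicable":
            return result
    return "NotApplicable"

def decide(policy_xml, path, verb, requestor, scim_user):
    """Build the request context a SCIM PEP would send and evaluate it against the policy."""
    request = {(RESOURCE, "scim.contextPath"): [path], (ACTION, "scim.http.verb"): [verb],
               (SUBJECT, "requestor"): [requestor], (RESOURCE, "scimUser"): [scim_user]}
    return evaluate(request, ET.fromstring(policy_xml))

def is_allowed(policy_xml, path, verb, requestor, scim_user):
    """PEP rule: fail closed. Only an explicit Permit lets the SCIM call through."""
    return decide(policy_xml, path, verb, requestor, scim_user) == "Permit"
```

`decide(POLICY, "/scim/v1/Users", "GET", "alice", "alice")` returns `Permit`; changing the target user to `bob`, the verb to `DELETE`, or the path to `/scim/v1/Groups` returns `NotApplicable`. Two things worth noticing when wiring this up in front of a real SCIM server: the policy contains no deny rule, so every request it does not explicitly permit comes back `NotApplicable` rather than `Deny`, and the PEP must treat anything other than `Permit` as a refusal; and `stringEndsWith("Users", contextPath)` only matches the collection path, so a per-user call such as `/scim/v1/Users/{id}` also evaluates `NotApplicable` unless the PEP normalises the path or the policy is widened to cover it.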