How to implement these rules in XACML policies?

Question

Here is a requirement I am trying to implement via XACML/ABAC for learning purposes:

Information Model

Resources: Building, Unit
- there are many buildings (ex. B1, B2, B3, ... Bn)
- each building has many units (i.e. unit is the child of building) (ex. B1U1, B1U2, B1U3, ...)
Subject: Housekeeping staff

Rules

A housekeeper can "open" a "unit" if
- they have "open" permission on that "unit" OR
- if they have "open" permission on the "building" in which that "unit" is.

Any pointers?

Update

Essentially here is my concern: if the requirement was something like, A housekeeper can "open" "unitX" if s/he has "open" permission on "unitX". Here I would've just written a simple rule.

However, with my actual requirement, the concerns are:

Since there is not one particular resource but many resources of same type, should I be writing a separate policy for each resource? Ex. separate policy for building "B1", another for "B2" and so on?
How will the policy "know" about hierarchical relationship between building and unit.

Now that I think further about this, I think the following approach should work(?)

Request will include the following

resource: /{buildingId}/{unitId} //this is how policy will know parent child relationship

action: open

subject: subjectId and probably all permissions that this subject has (still thinking on how to represent the permissions, any suggestions?)

Define one policy with rule: // pseudocode if(subject.permissions include open on {buildingId} OR open on {unitId}) then permit else deny.

Any suggestions?

Thanks,

Jatin

*Any pointers?* Show what you have so far, or at least explain the part that's causing you difficulties. — Robby Cornelissen, Jul 07 '17 at 02:47

score 1 · Accepted Answer · edited Sep 19 '17 at 15:23

You need to define attributes like following on ABAC model:

Resource Attribute

Attribute - Building, Attribute Values - B1,B2,B3

Attribute - Unit, Attribute Values - B1U1, B1U2, B1U3,B2U1, B2U2, B2U3,B3U1, B3U2, B3U3

Action Attribute

Attribute - Building Action , Attribute Value - Open

Subject Attribute

Attribute - Building Resident, Attribute Values - Resident1,Resident2

The hierarchical relation among building and building units need to define on resource inheritance relation.

Resource Inheritance

Beneficiary - Building:B1 , Inherited Values - Unit: B1U1 , Unit: B1U2, Unit: B1U3

Beneficiary - Building:B2 , Inherited Values - Unit: B2U1 , Unit: B2U2, Unit: B2U3

Beneficiary - Building:B3, Inherited Values - Unit: B3U1 , Unit: B3U2, Unit: B3U3

Now you need to define rules on a ABAC policy. Now you can use policy automation tools so that you do not need to think of inheritance relations during rule creation.You once define those relations and later when you create rules, the automation tool will automatically remember those relations and create rules automatically for you. You can download such a tool name "Security Policy Tool" . This is a commercial tool but you can download free demo which also includes a full xacml editor. Please check below a screen shot of your model in SPT :

Screenshot of your model defined in Security Policy Tool

Then from this tool you can automatically convert your ABAC policies into XACML and further edit on built in xacml editor to fine tune.

XACML policy automatically converted by Security Policy Tool