XACML Response is Not Applicable

Question

Hi I am experimenting with XACML3 and I have found that the request when matches the Condition I get response as Permit. but when it does not i get not applicable instead of deny. I am not sure if the behavior is correct. I do understand that I can mask the Not applicable response with deny-unless-permit combining algorithm but I do not understand this behavior.

Below is my Policy

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:policy"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
    Version="1.0">
    <Target>
        <AnyOf>
            <AllOf>
                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">MyApp</AttributeValue>
                    <AttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                        MustBePresent="true" />
                </Match>
            </AllOf>
        </AnyOf>
    </Target>
    <Rule Effect="Permit"
        RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:rule">
        <Target />
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
                    <AttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age"
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                        DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false" />
                </Apply>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
                    <AttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age2"
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                        DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false" />
                </Apply>

            </Apply>
        </Condition>
    </Rule>
</Policy>

And this is my request for which i get response as not applicable

<?xml version="1.0" encoding="utf-8"?>
<Request  ReturnPolicyIdList="false" CombinedDecision="false" xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">45</AttributeValue>
    </Attribute>
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age2">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">4</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">MyApp</AttributeValue>
    </Attribute>
  </Attributes>
</Request>

I get response as Permit only when age and age2 match else response is not applicable. Not applicable implies that no matching rules found but the Target does make a successful match with the resource-id string so why the response is not applicable? Any help is appreciated.

Answer 1

Getting NotApplicable is a normal response. As a matter of fact, it may well be the most common response.

XACML defines 4 possible decisions in a response:

• Permit
• Deny
• NotApplicable
• Indeterminate (which I believe you have seen before. See this post)

When first writing your policies, it is very easy to hit NotApplicable because it essentially means your request does not match the policy. Imagine your policy is about bank accounts and you send a request about health records. You'd get NotApplicable.

There are ways to mask a NotApplicable and force a PDP to return Permit or Deny. One such way is to use either one of the following combining algorithms:

• permit-unless-deny
• deny-unless-permit

If your policy contains 3 rules and none of them applies, the policy would normally return NotApplicable. Using one of the 2 previous combining algorithms, you would get Permit or Deny.

Another option is to use another rule as a catch-all that will deny any access that was not previously handled. In that case the parent's combining algorithm needs to be first-applicable. See below.

Targets or conditions?

In XACML there are 2 key elements you can use to define the scope of an authorization policy (in the broad sense):

• a Target element: targets can exist in PolicySet, Policy, and Rule. Use them for simple match logic combined with and/or/and e.g. role=="manager" and age>18.
• a Condition element: conditions exist inside Rule elements only. They can be used for more advanced matching and in particular to compare 2 attributes together e.g. age>ageLimit. You cannot do the latter in a Target.

For a rule to be applicable, both the Target and the Condition (if any) must evaluate to true.