ABAC Attributes Resolution

Question

We have a subject, object(resource) and operation(action) in the ABAC. Subject and object have attributes that will be used to execute rules.

We can have multiple subjects of different types, as well as resources. Some attributes are relevant for some types of resources and some don't have any meaning in context of another. In this case how correct attributes model should be implemented? Example, we have resource of type A and B. For type A attribute isPublic is relevant, and for B is not. In case if PIP will receive request to get isPublic attribute for B what should it do? Return nothing or something that will lead to negative rule resolution? The same question for subject. How correct attributes model should be defined and resolved as well?
On request to PDP shall we pass all possible attributes that we are having? As far as I understood this will increase performance as it will allow to filter out by policy's target a lot of policies.

What implementation are you using? – David Brossard Jul 26 '18 at 13:24 — David Brossard, Jul 26 '18 at 13:24

score 2 · Answer 1 · edited Jul 26 '18 at 13:13

Regarding your first question, sending additional attributes that are not necessary to a rule's decision will NOT affect the decision. Take a look at this XACML decision by a PDP:

<EvaluationEvent xmlns="http://www.axiomatics.com/v1/EvaluationEvent" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
    <GroupId>ddc4a53f-1c98-403c-81ce-938c97645d7d</GroupId>
    <GroupVersion>6</GroupVersion>
    <Timestamp>2018-07-24T02:39:21.907Z</Timestamp>
    <EvaluationTimeMillis>0</EvaluationTimeMillis>
    <ClientIdentity>User+username%3D%22pdp-user%22%2C+roles%3D%22pdp-user%22</ClientIdentity>
    <ClientSource>127.0.0.1:49502</ClientSource>
    <InterfaceType>SOAP</InterfaceType>
    <PdpIdentity>f6a721ba-058e-44df-9434-ec1505e99ddc</PdpIdentity>
    <xacml-ctx:Request ReturnPolicyIdList="false" CombinedDecision="false" xmlns:xacml- ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
        <xacml-ctx:RequestDefaults>
            <xacml-ctx:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml- ctx:XPathVersion>
        </xacml-ctx:RequestDefaults>
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject- category:access-subject" >
            <xacml-ctx:Attribute AttributeId="com.axiomatics.seniority" IncludeInResult="false">
                <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</xacml- ctx:AttributeValue>
            </xacml-ctx:Attribute>
            <xacml-ctx:Attribute AttributeId="role" IncludeInResult="false">
                <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ADMIN</xacml- ctx:AttributeValue>
            </xacml-ctx:Attribute>
            <xacml-ctx:Attribute AttributeId="com.axiomatics.emailAddress" IncludeInResult="false">
                <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">userone@user.com</xacml- ctx:AttributeValue>
            </xacml-ctx:Attribute>
        </xacml-ctx:Attributes>
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute- category:resource" >
            <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
                <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">secretmessage</xacml- ctx:AttributeValue>
            </xacml-ctx:Attribute>
        </xacml-ctx:Attributes>
    </xacml-ctx:Request>
    <ResultEntries>
        <ResultEntry>
            <xacml-ctx:Result>
                <xacml-ctx:Decision>Deny</xacml-ctx:Decision>
                <xacml-ctx:Status>
                    <xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
                </xacml-ctx:Status>
            </xacml-ctx:Result>
            <EvaluationComplexity>21</EvaluationComplexity>
        </ResultEntry>
    </ResultEntries>
</EvaluationEvent>

In a sample project on my localhost, the only attribute I'm looking for in subject in a specific rule is whether or not the attribute com.axiomatics.seniority is equal to 1 or 2. This means the ADMIN is an extra attribute that is provided. However, it does not affect the decision making.

In regards to your second question, I'm not if I understand completely but I do gather that you are concerned about the PDP's performance. In general, the performance of the PDP's decision making - putting memory and software implementation of XACML aside - is based on your policies. You'll want to get a "DENY" as soon as possible in your policies if one will occur.

In regards to setting attributes in a PEP, I've found it helpful to use a function that sets the default attributes based on the type of decision that will occur, like so:

@Override
public void uiDecisionSetDefaultAttributes() {
    Authentication auth = 
SecurityContextHolder.getContext().getAuthentication();
    attrCatAry.add("SUBJECT");
    attrTypeAry.add("INTEGER");
    attrIdAry.add("com.axiomatics.seniority");
    Integer userId = null;
    try {
        userId = userRepository.findByEmail(auth.getName()).getSeniority();
    } catch (Exception e) {
        log.info(e.toString());
    }
    attrValAry.add(userId);

}

Full disclosure - I work for Axiomatics and my answers are based on a software that is fully compliant with the XACML standard, such as Axiomatics software.

score 2 · Accepted Answer · answered Jul 26 '18 at 13:24

On request to PDP shall we pass all possible attributes that we are having? As far as I understood this will increase performance as it will allow to filter out by policy's target a lot of policies.

In ABAC, you can choose to pass all attributes from the PEP to the PDP up-front. For instance you could say:

Can Alice the manager in sales approve record #123 in draft in sales?

In the above question, we pass in Alice's role and department as well as the record's status and department. We assume this is all the policies will need to reach a decision. This introduces a tight coupling between the PEP (or the application) and the PDP but it makes the PDP extremely fast given it will not need to go out to external sources (PIP).

The extreme opposite is to send in the "key" attributes only e.g.

Can Alice approve record #123?

In that case the PDP will need to call a PIP for the user's attributes and the resource's attributes leading to a total of 4 possible calls. You may think it sounds bad. But it's not. First of all

querying data sources is very efficient nowadays
you can cache values in the PDP so you don't have to go fetch Alice's role all the time
you only fetch an attribute if you really need it. If for instance, you've determined that Alice is not a manager, we won't even go fetch her department or the resource attributes.

Like Mike, I work for Axiomatics. We've put algorithms in place to optimize policy evaluation and attribute retrieval. This makes our PDP extremely fast.

How this tight coupling issue usually resolved? I mean, we need to build PIP in the way that allows to fetch almost any attribute, but where are we specifying such connections? In the documentation? Let's say I wan't to fetch attribute A1. But to fetch it I need to have B1 and C2. Is it only controlled on run-time then? — Artsiom Miksiuk, Jul 26 '18 at 14:21
To avoid tight coupling, send the basic question (Can Alice do action A on object O?). Provide PIP config that contains connection info (to LDAP, SQL...) and a mapping between an attribute e.g. jobTitle and the key attribute(s) needed to retrieve that e.g. userID. — David Brossard, Jul 26 '18 at 14:32

ABAC Attributes Resolution

2 Answers2