Evaluate XACML 3.0 combining algorithms

Question

I am studying XACML 3.0 access control and I found this complex question about Evaluate XACML 3.0 combining algorithms. I can solve a simple exercise but this one hard for me and I need some help with it

policy p1: - op: permit-overrides

rule: permit if match all: group = staff, resource = file1
rule: permit if match all: group = student, resource = file2
rule: deny if match: any

policy p2:

op: deny-overrides
rule: deny if match all: time [MBP] = night
rule: permit if match all: time [MBP] = day

policy p3:

op: deny-overrides
policy: p1
policy: p2

Evaluate for each policy the following requests q1, q2 and q3:

q1 = {(group, staff), (resource, file1), (time, day)}
q2 = {(group, student), (resource, file2), (time, night)}
q3 = {(group, staff), (resource, file1)}

score 2 · Accepted Answer · answered Jan 08 '19 at 17:16

Evaluation Results using P1 only

q1 = {(group, staff), (resource, file1), (time, day)}
- Response: Permit. The first rule in P1 kicks in and the combining algorithm makes the process stop there. The time of day has no impact on the decision making.
q2 = {(group, student), (resource, file2), (time, night)}
- Response: Permit. The second rule in P1 kicks in and the combining algorithm makes the process stop there. The time of day, again, has no impact on the decision making.
q3 = {(group, staff), (resource, file1)}
- Response: Permit. This is essentially the same as q1.

Evaluation Results using P2 only

q1 = {(group, staff), (resource, file1), (time, day)}
- Response: Permit because all access is permitted in day time. Rule 1 inside P2 does not apply. Rule 2 grants access.
q2 = {(group, student), (resource, file2), (time, night)}
- Response: Deny because all access is denied at nighttime. Rule 1 inside P2 applies. The combining algorithm is such that the processing stops after rule 1.
q3 = {(group, staff), (resource, file1)}
- Response: Not applicable. The two rules only trigger if the time of day has been specified, which isn't the case in this request. Therefore the evaluation ends in NotApplicable.

Evaluation Results using P3 (a combination of P1 and P2)

q1 = {(group, staff), (resource, file1), (time, day)}
- Response: Access is permitted because staff is allowed to view file1 in daytime.
q2 = {(group, student), (resource, file2), (time, night)}
- Response: Access is denied regardless of what the student is trying to view. In this case, the nighttime policy trumps all other policies because of the over-arching combining algorithm (deny-overrides) in P3.
q3 = {(group, staff), (resource, file1)}
- Response: Access is permitted because staff is allowed to view file1 and no time has been specified.

Notes

The policy that grants access during daytime is not necessary. As a matter of fact, it might even open up access you would not want to have. For instance, given the current policy, a student can edit their own exam grades so long as it's daytime.

Thank you so much. It helped me a lot to understand how the policies working. — Memo, Jan 08 '19 at 18:07

score 2 · Answer 2 · edited Jun 20 '20 at 09:12

The other answer is detailed and largely correct except for two cases involving a Rule's Target missing an attribute for which MustBePresent is set to true.

Only those cases will be addressed here in this answer.

policy p2 - request q3

rule: deny if match all: time [MBP] = night -> Indeterminate{D} because of missing time attribute and MustBePresent = true and the rule effect is Deny
rule: permit if match all: time [MBP] = day -> Indeterminate{P} because of the similar reason
op:denyOverrides -> Indeterminate{DP}

The evaluation result is Indeterminate{DP}

policyset p3 - request q3:

policy p1
- rule: permit if match all: group = staff, resource = file1 -> Permit
- op:permitOverrides -> Permit regardless of the outcome of any other rules
policy p2 -> Indeterminate{DP} as explained in the previous case
op:denyOverrides -> Indeterminate{DP}