4

If I define a XACML policy and provide some attributes in the policy target, do I actually need to provide an additional rule?

David Brossard
helpermethod

3 Answers

4

Yup, you need a Rule to actually say whether you want to Permit or Deny access.

craigforster
2

From a schema validation perspective, you could have a policy with no rules, but as Craig points out, the rule is what carries the decision. So a rule-less policy is pointless.

David Brossard
0

You need to think about the flow of logic for the policy. By defining target attributes, you are telling it what to affect, but not how. Even if you define actions in the policy target using ActionMatch, what you really did was target the Rule at Actions with a specific ActionID.

In other words, actions defined in the target of a policy identify action-related entities by matching attribute values. This still misses the mandatory Rule, which will contain action logic.

Nicholas
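As an added illustration of the point made in these answers (this is not code from the question or from any answer), a small Python evaluator over two constructed XACML 3.0 policies: the same Target with and without a Rule. The policy ids, the request model and the simplified deny-overrides logic are assumptions of this example; a real PDP also handles Conditions, Obligations and Indeterminate results.

```python
import xml.etree.ElementTree as ET
NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# Constructed sample policy: the Target selects action "read", but there is no Rule.
TARGET_ONLY = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
 PolicyId="target-only" Version="1.0"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
 <Target><AnyOf><AllOf>
  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
   <AttributeDesignator Category="%s" AttributeId="%s" MustBePresent="false"
    DataType="http://www.w3.org/2001/XMLSchema#string"/>
  </Match>
 </AllOf></AnyOf></Target>
</Policy>""" % (ACTION_CAT, ACTION_ID)

# Same policy plus one Rule (it has no Target of its own, so it applies whenever the Policy Target does).
WITH_RULE = TARGET_ONLY.replace(
    "</Policy>", '<Rule RuleId="permit-read" Effect="Permit"/></Policy>')

# A request is modelled as {(category, attribute-id): value}; this constructed one asks to "read".
READ_REQUEST = {(ACTION_CAT, ACTION_ID): "read"}

def match_holds(match, request):
    # Toy: only string-equal against a single-valued request attribute is supported.
    value = match.find("x:AttributeValue", NS).text
    des = match.find("x:AttributeDesignator", NS)
    return request.get((des.get("Category"), des.get("AttributeId"))) == value

def target_matches(target, request):
    # A missing or empty Target matches everything; otherwise some AnyOf needs one fully matching AllOf.
    if target is None:
        return True
    any_ofs = target.findall("x:AnyOf", NS)
    return not any_ofs or any(
        all(match_holds(m, request) for m in all_of.findall("x:Match", NS))
        for any_of in any_ofs for all_of in any_of.findall("x:AllOf", NS))

def evaluate(policy_xml, request):
    """Return Permit, Deny or NotApplicable (Indeterminate, Conditions and Obligations ignored)."""
    policy = ET.fromstring(policy_xml)
    if not target_matches(policy.find("x:Target", NS), request):
        return "NotApplicable"
    effects = [rule.get("Effect") for rule in policy.findall("x:Rule", NS)
               if target_matches(rule.find("x:Target", NS), request)]
    # deny-overrides: a Deny wins, then a Permit; with no applicable Rule there is no decision at all.
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"
```

The Target-only policy is applicable to the "read" request yet still produces NotApplicable, which is exactly why the Rule is needed.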