I have a few questions regarding "Resource & Action".
1. Is it possible for me to define an object as a Resource? For example, my policy is something like this: I have an Account object in my system and this account object can be accessed only by Teller roles, not by anybody else. No action is permitted on this object except by the Tellers. How do I specify this in XACML?
2. Also, let's say I have another policy, where only specific Tellers are allowed to look at the 'available balance' on an employee account. In this case, my resource is an attribute of the object Account. How do I specify these in XACML?
3. What are the possible values of Action supported by XACML? I have seen examples talk about 'read', 'create' and so on. How do I configure or use XACML for an action like 'search accounts'? This is a use case in the system and I want this action to be performable only by Teller roles. I will have the Subject as the Teller. But how do I represent this action in XACML?
The answers to the above questions will help me decide whether I should go with XACML for my security requirement or should go for a security framework of my own to have these features.
I have gone through the UML diagram of the various objects available in XACML and felt this is the framework which I was trying to develop on my own. But when all the examples talk about either a URL or a String for the Resource and a string for the action, I got confused. Please help me out and let me know whether my requirement is possible to implement using XACML or not.
Thanks,
Amjath Sharief
> 3a. What are the possible values of Action supported by XACML?
XACML allows any string as the "action-id". This string is defined by the application, so you only need to make sure that the values that are sent by the PEP will match those in the policy.
> 3b. How to configure or use XACML for an action like 'search accounts'?
This doesn't fit into the XACML model, since you always need a resource and an action. You only have an action here.
You may consider taking "the database server" or "the database xyz" as the resource, or just ignoring the resource in your policy.
Here's an example in short-XACML:
<Subjects>
  <Subject>
    <SubjectMatch MatchId="string-equal">
      <AttributeValue>Teller</AttributeValue>
      <SubjectAttributeDesignator AttributeId="role"/>
    </SubjectMatch>
  </Subject>
</Subjects>
<Actions>
  <Action>
    <ActionMatch MatchId="string-equal">
      <AttributeValue>search accounts</AttributeValue>
      <ActionAttributeDesignator AttributeId="action-id"/>
    </ActionMatch>
  </Action>
</Actions>
The database server would then, before actually doing the search, query the PDP with the following request:
<Request>
  <Subject>
    <Attribute AttributeId="subject-id">...</Attribute>
    <Attribute AttributeId="role">...</Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="resource-id">whatever</Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="action-id">search accounts</Attribute>
  </Action>
</Request>
<!-- Roland -->
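The same policy and request written out in full XACML 2.0 syntax, as an added example that is not part of Roland's reply or of this project's code. The namespaces, the string-equal function URN, the first-applicable rule-combining algorithm and the standard subject-id, role, resource-id and action-id attribute identifiers are the XACML 2.0 ones; the PolicyId, the RuleId and the subject name "alice" are made up. The evaluate() function is a constructed stand-in for a PDP's target matching (single rule, string-equal only), not a real PDP; it is there to show the point made above: string-equal is an exact, case-sensitive comparison, so the PEP has to send "search accounts" with the same spelling and case as the policy, or the policy is simply NotApplicable. Omitting the Resources category from the Target is the "just ignore the resource" option.

```python
# Expanded XACML 2.0 form of the "search accounts" policy and request above,
# plus a minimal target matcher. Constructed example: the URNs are the
# standard XACML 2.0 ones; PolicyId, RuleId and the subject name are made up.
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Full-form policy. There is no <Resources> element in the Target: in XACML 2.0
# an omitted category means "any", i.e. the resource is ignored.
POLICY = f"""<Policy xmlns="{XACML}" PolicyId="urn:example:teller-search-accounts"
        RuleCombiningAlgId="{FIRST_APPLICABLE}">
  <Target>
    <Subjects><Subject>
      <SubjectMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">Teller</AttributeValue>
        <SubjectAttributeDesignator AttributeId="{ROLE}" DataType="{XS_STRING}"/>
      </SubjectMatch>
    </Subject></Subjects>
    <Actions><Action>
      <ActionMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">search accounts</AttributeValue>
        <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS_STRING}"/>
      </ActionMatch>
    </Action></Actions>
  </Target>
  <Rule RuleId="permit-teller-search" Effect="Permit"/>
</Policy>"""


def build_request(role, action, resource="whatever"):
    """Request context the PEP (here: the database server) sends to the PDP."""
    return f"""<Request xmlns="{CTX}">
  <Subject>
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{XS_STRING}"><AttributeValue>alice</AttributeValue></Attribute>
    <Attribute AttributeId="{ROLE}" DataType="{XS_STRING}"><AttributeValue>{role}</AttributeValue></Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="{RESOURCE_ID}" DataType="{XS_STRING}"><AttributeValue>{resource}</AttributeValue></Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="{ACTION_ID}" DataType="{XS_STRING}"><AttributeValue>{action}</AttributeValue></Attribute>
  </Action>
  <Environment/>
</Request>"""


def _request_attrs(req, section):
    """{AttributeId: [values]} over every <Subject>/<Resource>/<Action> of the request."""
    out = {}
    for sec in req.findall(f"{{{CTX}}}{section}"):
        for attr in sec.findall(f"{{{CTX}}}Attribute"):
            values = [v.text or "" for v in attr.findall(f"{{{CTX}}}AttributeValue")]
            out.setdefault(attr.get("AttributeId"), []).extend(values)
    return out


def _match(match, designator_tag, attrs):
    """One *Match element. string-equal is an exact, case-sensitive comparison."""
    if match.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(match.get("MatchId"))
    wanted = match.find(f"{{{XACML}}}AttributeValue").text
    attr_id = match.find(f"{{{XACML}}}{designator_tag}").get("AttributeId")
    return any(value == wanted for value in attrs.get(attr_id, []))


def evaluate(policy_xml, request_xml):
    """Target evaluation for a single-rule policy: the rule's Effect if the Target matches, else NotApplicable."""
    policy = ET.fromstring(policy_xml)
    req = ET.fromstring(request_xml)
    target = policy.find(f"{{{XACML}}}Target")
    for plural, singular, match_tag, designator_tag in (
        ("Subjects", "Subject", "SubjectMatch", "SubjectAttributeDesignator"),
        ("Resources", "Resource", "ResourceMatch", "ResourceAttributeDesignator"),
        ("Actions", "Action", "ActionMatch", "ActionAttributeDesignator"),
    ):
        group = target.find(f"{{{XACML}}}{plural}")
        if group is None:
            continue  # category omitted from the Target: matches any request
        attrs = _request_attrs(req, singular)
        # a category matches if any of its elements matches, and an element
        # matches only if all of its *Match children match (an OR of ANDs)
        if not any(
            all(_match(m, designator_tag, attrs) for m in elem.findall(f"{{{XACML}}}{match_tag}"))
            for elem in group.findall(f"{{{XACML}}}{singular}")
        ):
            return "NotApplicable"
    # the single Rule carries no Target or Condition of its own, so its Effect applies
    return policy.find(f"{{{XACML}}}Rule").get("Effect")


if __name__ == "__main__":
    print(evaluate(POLICY, build_request("Teller", "search accounts")))   # Permit
    print(evaluate(POLICY, build_request("Manager", "search accounts")))  # NotApplicable
    print(evaluate(POLICY, build_request("Teller", "Search Accounts")))   # NotApplicable
```

Running it gives Permit for a Teller sending "search accounts", NotApplicable for a Manager, and NotApplicable for a Teller whose PEP sends "Search Accounts": that last case is the mismatch to check for when the application defines its own action-id strings. The resource-id value does not influence the decision at all with this Target. In a deployment the request goes to a real PDP rather than to evaluate().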