是否可以比较 XACML 策略中的属性? [英] Is it possible to compare attributes in a XACML policy?

问题描述

以下规则表示角色为acme_manager"的主体可以对资源/acme/widgets"执行任何操作:

The following rule says subjects with role "acme_manager" can perform any action on the resource "/acme/widgets":

<Rule Effect="Permit" RuleId="PermitRule">
      <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/acme/widgets</AttributeValue>
               <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Apply>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">acme_manager</AttributeValue>
               <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Apply>
         </Apply>
      </Condition>
   </Rule>

是否可以创建一个更动态的规则，例如:角色为 X_manager 的主体可以对资源/Y/widgets 执行任何操作，如果 X 等于 Y"

Would it be possible to create a more dynamic rule that says something like: "subjects with the role X_manager can perform any action on the resource /Y/widgets, if X equals Y"

所以我可以使用相同的策略来强制执行:

So I could use the same policy to enforce:

• foo_manager .../foo/widgets
• bar_manager .../bar/widgets
• baz_manager .../baz/widgets
• 等

无需创建多个相似的政策.

without creating multiple, similar policies.

推荐答案

当然，这实际上是 XACML 相对于其他授权框架以及绝对优于 RBAC 的主要优势之一.

Yes of course, this is in fact one of the key benefits of XACML over other authorization frameworks and definitely over RBAC.

在 XACML 中，您可以使用 2 个元素来定义授权的适用性.它们是:

In XACML, there are 2 elements you can use to define the applicability of the authorization. These are:

• XACML 目标
  • 目标存在于策略集元素、策略元素和规则元素中.
  • 目标用于属性和值之间的简单匹配，例如角色==经理"
  • 条件适用于任何类型的匹配，包括您正在寻找的匹配.通过条件，您可以比较任意数量的属性，例如用户部门==资源部门.

  我建议您使用 ALFA 编写您的政策.它比普通的旧 XACML 容易得多.ALFA 是 Axiomatics 开发的免费工具(免责声明:我为 Axiomatics 工作).OASIS XACML 技术委员会也正在对其进行标准化.

  I recommend you use ALFA to write your policies. It's much easier than plain old XACML. ALFA is a free tool developed by Axiomatics (disclaimer: I work for Axiomatics). It is also in the process of being standardized at the OASIS XACML Technical Committee.

  这篇关于是否可以比较 XACML 策略中的属性?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！