是否有可能在一个XACML政策比较属性? [英] Is it possible to compare attributes in a XACML policy?
问题描述
以下规则表明受试者的作用acme_manager可以执行对资源的任何行动/ ACME /小工具:
The following rule says subjects with role "acme_manager" can perform any action on the resource "/acme/widgets":
<Rule Effect="Permit" RuleId="PermitRule">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/acme/widgets</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">acme_manager</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
</Apply>
</Condition>
</Rule>
有没有可能创造一个更加动态的规则,说是这样的:
与角色X_manager科目可以在资源上执行任何操作/ Y /部件,如果X等于Y
Would it be possible to create a more dynamic rule that says something like: "subjects with the role X_manager can perform any action on the resource /Y/widgets, if X equals Y"
所以我可以使用相同的策略来执行:
So I could use the same policy to enforce:
- foo_manager ... /富/部件
- bar_manager ... /酒吧/小部件
- baz_manager ... /巴兹/部件
- 等
而无需创建多个类似的政策。
without creating multiple, similar policies.
推荐答案
是的,当然,这是事实的XACML超过其它授权框架,绝对超过RBAC的主要好处之一。
Yes of course, this is in fact one of the key benefits of XACML over other authorization frameworks and definitely over RBAC.
在XACML,还有你可以用它来定义授权的适用性2个元素。它们是:
In XACML, there are 2 elements you can use to define the applicability of the authorization. These are:
- XACML的目标
- 目标的政策集合中的元素,元素的政策存在,规则元素。
- 目标是为属性和值例如之间的简单匹配角色==经理
- 条件是任何类型的匹配,包括你正在寻找的人。有条件的,可以比较例如任意数量的属性userDepartment == resourceDepartment。
我建议你使用 ALFA 写您的策略。它比普通的旧XACML容易得多。 ALFA是公理化开发的免费工具(声明:我对公理化工作)。它也是在在OASIS XACML技术委员会正在标准化过程中。
I recommend you use ALFA to write your policies. It's much easier than plain old XACML. ALFA is a free tool developed by Axiomatics (disclaimer: I work for Axiomatics). It is also in the process of being standardized at the OASIS XACML Technical Committee.
这篇关于是否有可能在一个XACML政策比较属性?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!