TGIF XACML – What’s a XACML target?

Today’s Friday, the weather has been amazingly nice these past few weeks in Stockholm which is all the more surprising since September is on the slope down to darker, wetter, and colder days. The weekend ahead looks promising. I’ll be heading out to fellow colleague, Andreas’ summer house out in the archipelago.

The view from the Axiomatics offices towards Skeppsholmen and AF Chapman

The view from the Axiomatics offices towards Skeppsholmen and AF Chapman


But before I walk out the door, I thought I’d share a bit of XACML know-how to chew on over the next couple of days. In the training sessions we regularly give at Axiomatics, attendees often ask what a target is.

XACML Target

Definition

A target is an element of the XACML policy language. It can occur in policy sets, policies, and rules. The target is used to define their scope. The scope defines when the policy (set) / rule will trigger. For instance, for a rule to trigger and yield a Permit decision for managers in Greece, the target would have to contain two attribute matches:

  • role==manager, and
  • userLocation==Greece

There can be any number of matches. A match is always between an attribute (role, department, location, classification…) and a value. Matches can then be assembled together using logical operands (AND, OR).

Where can I use the target?

Targets can be used in:

  • Policy Set elements
  • Policy elements
  • Rule elements

Example

The following uses the ALFA syntax. You can download the plugin for free from the Axiomatics website. Check out YouTube for a video example.

/**
 * A user in Greece can read a document in the Greece region
 */
 policy readDocument{
 	target clause actionId=="read" and resourceType=="document"
 	apply firstApplicable
 	rule allowReadIfCorrectRegion{
 		target clause userLocation=="Greece" and documentRegion=="Greece"
 		permit
 	}
 }

The above example will yield a Permit if and only if the user trying to read a document based in Greece is also based in Greece.

Conclusion

I hope this simple example helps to understand the XACML policy language. Stay tuned for more TGIF XACML tidbits.

Previously in TGIF XACML…

Previous tidbits can be found here:

One Response to “ TGIF XACML – What’s a XACML target? ”

  1. […] condition is an element of the XACML policy language. Unlike targets, it can only occur in rules. The condition is used to further define the scope of XACML rules. The […]

Leave a Reply