What is a XACML combining algorithm?

Today’s Friday, the weather is definitely telling us winter is right around the corner. Morning temperatures have been heading south and are flirting with the freezing point. The skies are still clear and a bright blue.
Before the weekend comes knocking, it’s this time of the week when I share a bit of XACML know-how to chew on over the next couple of days. In the training sessions we regularly give at Axiomatics, attendees sometimes struggle with the notion of authorization conflict resolution. At times, you might write policies that overlap or contradict one another. This is where combining algorithms come into play.

Combining Algorithm

What are combining algorithms?

Combining algorithms are used to resolve conflicts between multiple policies and rules that apply at the same time.

Example

Imagine the following use case:

  • Managers in purchasing can approve transactions.
  • A user cannot approve a transaction outside their region.

What happens if Alice, the purchasing manager from Vermont, is trying to approve transaction #123 based in Alabama? If we look at the first rule, then Alice should be able to approve transaction #123. But if we consider the second rule, then should Alice still be allowed to approve the transaction?

We all understand of course that in this example, the overall result should be to deny Alice the right to approve the transaction. The English language has an implicit notion that the restriction applies first. But of course, computers don’t do ‘implicit’. This means we have to declare explicitly what the behavior should be. And in this case, we want the deny case to supersede the permit case. In XACML, that’s achieved by choosing the deny-overrides combining algorithm.

Here’s the OASIS XACML standard’s definition of combining algorithms.

XACML defines a number of combining algorithms that can be identified by a RuleCombiningAlgId or PolicyCombiningAlgId attribute of the <Policy> or <PolicySet> elements, respectively. The rule-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluation of a set of rules. Similarly, the policy-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluation of a set of policies.

Where can I use a combining algorithm?

Combining algorithms must be used in PolicySet and Policy elements.
Use them in policies to combine the effect of multiple rules. Use them in policy sets to combine the effect of multiple policies, policy sets, policy references, and policy set references.

Example

The following uses the ALFA syntax. You can download the plugin for free from the Axiomatics website. Check out YouTube for a video example.

/**
 * A manager in purchasing can approve a transaction in the same region
 */
policy approveTransaction {
    target clause actionId=="approve" and resourceType=="transaction"
    apply firstApplicable
    rule denyDifferentRegion {
        // Evaluated first: a user outside the transaction's region is denied
        condition not(userLocation==transactionRegion)
        deny
    }
    rule allow {
        // Only reached when the region check above did not apply
        target clause userRole=="manager" and department=="purchasing"
        permit
    }
}

The above code implements the example from the first section. The combining algorithm used is firstApplicable, which evaluates the rules in the order they are written and returns the effect of the first one that applies. Because denyDifferentRegion is listed first, a user who is not in the same region as the transaction is systematically denied, and the allow rule is only reached when the regions match. Keep in mind that with firstApplicable the order of the rules is part of the policy's meaning; with denyOverrides, Alice would be denied whichever order the two rules were written in.
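To see how the choice of combining algorithm changes the outcome, here is a small Python simulation of a rule-level XACML policy decision point. It is an added example written for this post, not code from Axiomatics, ALFA or the OASIS standard. It assumes the attribute names used in the ALFA policy above (userLocation, transactionRegion, userRole, department, actionId, resourceType), represents rules as Python predicates, and collapses the XACML 3.0 extended Indeterminate{D}/{P}/{DP} results into a single Indeterminate value to keep the algorithms short. It goes slightly beyond the post by also covering the case where a request lacks an attribute a rule needs.

```python
"""Simulate XACML rule-combining algorithms over the Alice / transaction #123 example.

Added illustration, not Axiomatics' or OASIS' code. Indeterminate{D}/{P}/{DP} of
XACML 3.0 are collapsed into one Indeterminate value (a simplification).
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"
Request = Dict[str, str]            # attribute id -> value, e.g. "userLocation" -> "Vermont"
Predicate = Callable[[Request], bool]


@dataclass
class Rule:
    """One ALFA-style rule: optional target, optional condition, and an effect."""
    name: str
    effect: str                               # PERMIT or DENY
    target: Optional[Predicate] = None        # None: the rule applies to every request
    condition: Optional[Predicate] = None     # None: no further constraint

    def evaluate(self, request: Request) -> str:
        try:
            if self.target is not None and not self.target(request):
                return NOT_APPLICABLE
            if self.condition is not None and not self.condition(request):
                return NOT_APPLICABLE
        except KeyError:
            # The request lacks an attribute the rule needs: Indeterminate, not NotApplicable.
            return INDETERMINATE
        return self.effect


# Combining algorithms: each maps the list of per-rule decisions to one decision.
def deny_overrides(decisions: List[str]) -> str:
    if DENY in decisions:
        return DENY
    if INDETERMINATE in decisions:
        return INDETERMINATE
    return PERMIT if PERMIT in decisions else NOT_APPLICABLE

def permit_overrides(decisions: List[str]) -> str:
    if PERMIT in decisions:
        return PERMIT
    if INDETERMINATE in decisions:
        return INDETERMINATE
    return DENY if DENY in decisions else NOT_APPLICABLE

def first_applicable(decisions: List[str]) -> str:
    # Order matters: the first decision other than NotApplicable wins, Indeterminate included.
    for decision in decisions:
        if decision != NOT_APPLICABLE:
            return decision
    return NOT_APPLICABLE

def deny_unless_permit(decisions: List[str]) -> str:
    # Never NotApplicable or Indeterminate: anything short of an explicit Permit is a Deny.
    return PERMIT if PERMIT in decisions else DENY

def permit_unless_deny(decisions: List[str]) -> str:
    return DENY if DENY in decisions else PERMIT

def only_one_applicable(decisions: List[str]) -> str:
    # Policy-set level: more than one applicable child is treated as an error.
    applicable = [d for d in decisions if d != NOT_APPLICABLE]
    if len(applicable) > 1 or INDETERMINATE in applicable:
        return INDETERMINATE
    return applicable[0] if applicable else NOT_APPLICABLE

ALGORITHMS = {
    "denyOverrides": deny_overrides, "permitOverrides": permit_overrides,
    "firstApplicable": first_applicable, "denyUnlessPermit": deny_unless_permit,
    "permitUnlessDeny": permit_unless_deny, "onlyOneApplicable": only_one_applicable,
}

# The two rules of the ALFA policy, in the order the policy lists them.
DENY_DIFFERENT_REGION = Rule("denyDifferentRegion", DENY,
    condition=lambda r: not (r["userLocation"] == r["transactionRegion"]))
ALLOW = Rule("allow", PERMIT,
    target=lambda r: r["userRole"] == "manager" and r["department"] == "purchasing")


def approve_transaction(request: Request, algorithm: str = "firstApplicable",
                        rules: Iterable[Rule] = (DENY_DIFFERENT_REGION, ALLOW)) -> str:
    """Evaluate the policy: its target first, then its rules under the chosen algorithm."""
    try:
        if not (request["actionId"] == "approve" and request["resourceType"] == "transaction"):
            return NOT_APPLICABLE
    except KeyError:
        return INDETERMINATE
    return ALGORITHMS[algorithm]([rule.evaluate(request) for rule in rules])


# Constructed sample requests: Alice from the post, and a manager in the transaction's region.
ALICE = {"actionId": "approve", "resourceType": "transaction", "userRole": "manager",
         "department": "purchasing", "userLocation": "Vermont", "transactionRegion": "Alabama"}
BOB = dict(ALICE, userLocation="Alabama")

if __name__ == "__main__":
    for name in ("denyOverrides", "permitOverrides", "firstApplicable",
                 "denyUnlessPermit", "permitUnlessDeny"):
        print(f"{name:17} Alice -> {approve_transaction(ALICE, name)}")
    # Same rules, opposite order: only firstApplicable changes its decision.
    print("firstApplicable, allow listed first ->",
          approve_transaction(ALICE, "firstApplicable", (ALLOW, DENY_DIFFERENT_REGION)))
```

Running the script shows Alice denied under firstApplicable, denyOverrides and permitUnlessDeny, but permitted under permitOverrides and denyUnlessPermit, and that swapping the two rules flips the firstApplicable result while denyOverrides still denies. Note also that denyUnlessPermit and permitUnlessDeny never return Indeterminate, so a request missing the userLocation attribute falls through to a definite decision under them, which is worth knowing before you pick one for a policy that guards sensitive operations.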

References

ALFA Reference

Rule-combining algorithms (used in a policy):

  • denyOverrides: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides
  • permitOverrides: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides
  • firstApplicable: urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable
  • orderedDenyOverrides: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:ordered-deny-overrides
  • orderedPermitOverrides: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:ordered-permit-overrides
  • denyUnlessPermit: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit
  • permitUnlessDeny: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-unless-deny

Policy-combining algorithms (used in a policy set):

  • denyOverrides: urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides
  • permitOverrides: urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides
  • firstApplicable: urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable
  • onlyOneApplicable: urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable
  • orderedDenyOverrides: urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:ordered-deny-overrides
  • orderedPermitOverrides: urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:ordered-permit-overrides
  • denyUnlessPermit: urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit
  • permitUnlessDeny: urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-unless-deny
  • onPermitApplySecond: urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:on-permit-apply-second

Conclusion

I hope this simple example helps to understand the XACML policy language. Stay tuned for more TGIF XACML tidbits.
