What is a XACML condition?

It’s that time of the week when the creative juices go south and the urge to relax hits all-time records. And I know you are all craving for some XACML goodness before you head out for the weekend. After all, just a spoonful of XACML makes the… Uh who am I kidding? Let’s get on with this new episode of TGIF XACML. Today, let’s focus on a XACML condition.

Definition

A condition is an element of the XACML policy language. Unlike targets, it can only occur in rules. The condition is used to further define the scope of XACML rules. The scope defines when the rule will trigger. Both the target and the condition therefore help define the scope of policy sets, policies, and rules.

Here’s the OASIS XACML standard’s definition for conditions.

Condition represents a Boolean expression that refines the applicability of the rule beyond the predicates implied by its target. Therefore, it may be absent.

Where can I use a condition?

Conditions can only be used in:

  • rules

Use conditions to define a stricter scope on rules such that they only apply to specific scenarios. Bear in mind that a condition is only evaluated once the targets of the containing rule and of its parent policy and policy set have all matched; if any of those targets fails to match, the condition is never reached.

If we have targets, why use conditions?

Good question! I’m glad you asked. Targets are a bit like a simpler version of a condition. A target can only compare an attribute to a literal value, e.g. role=="manager". As a result, it is impossible to express a relationship between two attributes using a target, e.g. Permit if user.id==document.owner.id. Enter the condition, bright and bold. Conditions, by contrast to the simpler target, can use any of the functions available in the XACML standard and can compare any number of attributes to one another.

In other words, any time you have to implement relation-based access control, use a condition. Some examples include:

  • Users cannot approve a purchase order they created themselves (Deny if userId==purchaseOrder.creator)
  • Doctors can view the medical records of patients to whom they are assigned (Permit if userId==patient.assignedDoctor)

Other instances where you want to use XACML conditions are when the attribute values need some kind of manipulation or combination before they can be compared. For instance, if you want to compare the sum of two numbers to a given limit, you will need to resort to a condition such as:

sum(integerOneAndOnly(a),integerOneAndOnly(b))<100

Example

The following example uses the ALFA syntax. You can download the ALFA plugin for free from the Axiomatics website, and there is a video example on YouTube.

/**
 * A manager in purchasing can approve a transaction in the same region
 */
policy readDocument{
    target clause actionId=="approve" and resourceType=="transaction"
    apply firstApplicable
    rule denyDifferentRegion{
        condition not(userLocation==transactionRegion)
        deny
    }
    rule allow{
        target clause userRole=="manager" and department=="purchasing"
        permit
    }
}

The above code implements the example used in a previous post on combining algorithms.

In the above example, note the use of:

  • a target: target clause userRole=="manager" and department=="purchasing"
  • a condition: condition not(userLocation==transactionRegion)
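To show what the ALFA condition keyword stands for, here is an added example (not code from this post, from Axiomatics or from the ALFA plugin) that writes the post's two conditions, not(userLocation==transactionRegion) and sum(integerOneAndOnly(a),integerOneAndOnly(b))<100, in the XACML 3.0 XML a PDP actually evaluates, and runs them with a toy evaluator covering just the standard functions they need. It also models the rule evaluation order from above: the target is checked first, and the condition is evaluated only when the target matched. The attribute ids (userLocation, transactionRegion, a, b, actionId) are constructed short names standing in for whatever URNs an ALFA attribute declaration would map them to; a real PDP handles categories, bags, MustBePresent and Indeterminate far more completely than this.

```python
"""Toy evaluator for XACML 3.0 <Condition> elements (added example).

Not code from the original post, from Axiomatics or from the ALFA plugin:
it implements just enough of the standard XACML function library to run the
two conditions the post discusses, written in the XML that ALFA's "condition"
keyword compiles to. Attribute ids such as "userLocation" are constructed
short names standing in for the URNs an ALFA attribute declaration maps to.
"""
import xml.etree.ElementTree as ET

FN = "urn:oasis:names:tc:xacml:1.0:function:"
XS_INT = "http://www.w3.org/2001/XMLSchema#integer"
XS_STR = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"


def designator(category, attr_id, data_type):
    """<AttributeDesignator> wrapped in the *-one-and-only that unwraps its bag."""
    base = data_type.rsplit("#", 1)[1]  # "string" or "integer"
    return (f'<Apply FunctionId="{FN}{base}-one-and-only">'
            f'<AttributeDesignator Category="{category}" AttributeId="{attr_id}" '
            f'DataType="{data_type}" MustBePresent="false"/></Apply>')


# ALFA: condition not(userLocation==transactionRegion)  (rule denyDifferentRegion)
REGION_CONDITION = f"""<Condition xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Apply FunctionId="{FN}not">
    <Apply FunctionId="{FN}string-equal">
      {designator(SUBJECT, 'userLocation', XS_STR)}
      {designator(RESOURCE, 'transactionRegion', XS_STR)}
    </Apply>
  </Apply>
</Condition>"""

# ALFA: sum(integerOneAndOnly(a),integerOneAndOnly(b))<100
SUM_CONDITION = f"""<Condition xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Apply FunctionId="{FN}integer-less-than">
    <Apply FunctionId="{FN}integer-add">
      {designator(RESOURCE, 'a', XS_INT)}
      {designator(RESOURCE, 'b', XS_INT)}
    </Apply>
    <AttributeValue DataType="{XS_INT}">100</AttributeValue>
  </Apply>
</Condition>"""


class Indeterminate(Exception):
    pass  # the condition could not be evaluated (missing attribute, bad function...)


def one_and_only(bag):
    if len(bag) != 1:  # XACML *-one-and-only: the bag must hold exactly one value
        raise Indeterminate(f"expected one value, got {len(bag)}")
    return bag[0]


FUNCTIONS = {
    FN + "string-equal": lambda a, b: a == b,
    FN + "integer-less-than": lambda a, b: a < b,
    FN + "integer-add": lambda *xs: sum(xs),  # variadic in XACML
    FN + "not": lambda a: not a,
    FN + "string-one-and-only": one_and_only,
    FN + "integer-one-and-only": one_and_only,
}


def evaluate(el, request):
    """Evaluate one expression node; request maps AttributeId -> bag (a list)."""
    kind = el.tag.split("}", 1)[1]  # drop the XACML namespace
    if kind == "AttributeValue":
        text = el.text.strip()
        return int(text) if el.get("DataType") == XS_INT else text
    if kind == "AttributeDesignator":  # a designator always yields a bag
        bag = request.get(el.get("AttributeId"), [])
        if not bag and el.get("MustBePresent") == "true":
            raise Indeterminate(f"missing {el.get('AttributeId')}")
        return [int(v) for v in bag] if el.get("DataType") == XS_INT else list(bag)
    if kind == "Apply":
        fn = FUNCTIONS.get(el.get("FunctionId"))
        if fn is None:
            raise Indeterminate(f"unsupported function {el.get('FunctionId')}")
        return fn(*(evaluate(child, request) for child in el))
    raise Indeterminate(f"unsupported element {kind}")


def evaluate_condition(xml_text, request):
    """Return "True", "False" or "Indeterminate", the outcomes the spec names."""
    root = ET.fromstring(xml_text.strip())
    try:
        result = evaluate(root[0], request)  # <Condition> holds exactly one expression
    except Indeterminate:
        return "Indeterminate"
    if not isinstance(result, bool):
        return "Indeterminate"  # a condition must evaluate to a boolean
    return "True" if result else "False"


def evaluate_rule(target, condition_xml, effect, request):
    """Rule order as in the post: target first, condition only if the target matched."""
    for attr_id, literal in target.items():  # a target only compares attribute == literal
        if literal not in request.get(attr_id, []):
            return "NotApplicable"
    outcome = evaluate_condition(condition_xml, request)
    return {"True": effect, "False": "NotApplicable"}.get(outcome, "Indeterminate")
```

Two things worth noticing when running it: a request that lacks userLocation makes the region condition Indeterminate, because string-one-and-only refuses an empty bag (which is why real policies decide deliberately between MustBePresent and a default), whereas the same request with actionId "read" comes back NotApplicable without the condition ever being evaluated, exactly the target-before-condition order described above.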

Conclusion

I hope this simple example helps you understand conditions in the XACML policy language. Stay tuned for more TGIF XACML tidbits.
