Hi IAM Team,

Currently we don't have $subject. What we have currently are two APIs.

1. RemoteAuthorizationManagerService.isUserAuthorized(user, resource,
action) - a SOAP API that evaluates the permission tree.

2. XACML3.0 Rest/JSON API - a Restful API which takes a JSON payload and
evaluates the XACML3.0 policies in the PDP.

What we need to have is a Restful API to evaluate the permission tree, so
that users can add their application permissions using the Service Provider
UI in IS, and evaluate them by calling the Restful API from their
application. Rather than innovating our own Rest API to do this, the best
way would be using the XACML3.0 Rest API, because it conforms to an
industry standard.

Therefore what I am proposing is to have XACML3.0 policy shipped with IS
5.4.0 which will be used to evaluate the permission tree. Some of the
considerations when designing this policy are:

a. A permission is the combination of resource + action. Both resource and
action are defined attribute categories in XACML3.0. Therefore we don't
need to define a new category for this.

b. If we use the same category "Resource" to identify resources in the
permission tree, as well as any other resources defined in any other
policies, we may not be able to exclusively evaluate permission tree only,
or exclusively evaluate the other policies which don't need permission
tree. The solution for this would be to have a policy target which matches
the action "ui.execute", which is the constant action for all our UI
permissions, or a policy target that checks for resource starts with
"/permission/" because all our UI permissions start with "/permission".

Attached is the kind of policy I have in mind. We can define a new
XACML function to evaluate permission tree, that takes two arguments,
subject-id and resource-id. This XACML function will internally invoke the
AuthorizationManager.isUserAuthorized() OSGi service and return the result.

Comments and suggestions are welcome.

Thanks & Regards,
Johann.

-- 

*Johann Dilantha Nallathamby*
Senior Lead Solutions Engineer
WSO2, Inc.
lean.enterprise.middleware

Mobile - *+94777776950*
Blog - *http://nallaa.wordpress.com*

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="evaluate_permission_tree" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
   <Description>This policy provides the ability to authorize users based on permission tree.</Description>
   <!-- Target: only requests whose action-id is the constant UI action "ui.execute" reach this policy -->
   <Target>
      <AnyOf>
         <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ui.execute</AttributeValue>
               <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Match>
         </AllOf>
      </AnyOf>
   </Target>
   <Rule Effect="Permit" RuleId="permission-tree-authorized">
      <Condition>
         <!-- Proposed custom function: eval-permission-tree(subject-id, resource-id), backed by AuthorizationManager.isUserAuthorized() -->
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:eval-permission-tree">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
               <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Apply>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
               <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Apply>
         </Apply>
      </Condition>
   </Rule>
   <!-- Any ui.execute request not permitted above is explicitly denied -->
   <Rule Effect="Deny" RuleId="deny_others"/>
</Policy>
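As an added illustration (not code from this thread, from WSO2 IS, or from the Balana PDP), the following Python mock shows how the proposed policy would behave when driven through the XACML 3.0 JSON request API: the target keeps every non-"ui.execute" request away from the permission tree (NotApplicable), a missing mandatory attribute yields Indeterminate, and the two-argument eval-permission-tree function delegates to a stand-in for AuthorizationManager.isUserAuthorized(). The permission-tree semantics (a permission granted on a node covers that node and its descendant paths), the sample users and roles, and the JSON Profile request layout are assumptions made for this example.

```python
"""Mock of the proposed 'evaluate_permission_tree' policy over a XACML 3.0 JSON request.

Added illustration only; not WSO2 IS or Balana code. The permission-tree
semantics and the sample users/roles below are constructed for the example.
"""
from __future__ import annotations
import json

# Attribute identifiers used by the proposed policy.
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
UI_EXECUTE = "ui.execute"  # constant action for all UI permissions

# Constructed sample data standing in for the user store and the permission tree.
USER_ROLES = {"alice": {"admin"}, "bob": {"app-user"}}
ROLE_PERMISSIONS = {
    "admin": {"/permission/admin"},
    "app-user": {"/permission/applications/myapp/view"},
}


def is_user_authorized(user: str, resource: str, action: str) -> bool:
    """Stand-in for AuthorizationManager.isUserAuthorized() (assumed semantics):
    a permission granted on a tree node covers that node and every path below it.
    The trailing-slash check keeps '/permission/admin' from matching
    '/permission/administrators'."""
    if action != UI_EXECUTE:
        return False
    for role in USER_ROLES.get(user, ()):
        for granted in ROLE_PERMISSIONS.get(role, ()):
            if resource == granted or resource.startswith(granted.rstrip("/") + "/"):
                return True
    return False


def eval_permission_tree(subject_id: str, resource_id: str) -> bool:
    """The proposed two-argument XACML function: delegates to the OSGi service."""
    return is_user_authorized(subject_id, resource_id, UI_EXECUTE)


def build_json_request(subject: str, resource: str, action: str) -> str:
    """Builds a request in the shape of the XACML 3.0 JSON Profile."""
    req = {"Request": {
        "AccessSubject": [{"Attribute": [{"AttributeId": SUBJECT_ID, "Value": subject}]}],
        "Resource": [{"Attribute": [{"AttributeId": RESOURCE_ID, "Value": resource}]}],
        "Action": [{"Attribute": [{"AttributeId": ACTION_ID, "Value": action}]}],
    }}
    return json.dumps(req)


def _one_and_only(category: list, attr_id: str) -> str:
    """string-one-and-only with MustBePresent="true": exactly one value, else error."""
    values = [a["Value"] for entry in category
              for a in entry.get("Attribute", []) if a["AttributeId"] == attr_id]
    if len(values) != 1:
        raise LookupError(attr_id)
    return values[0]


def decide(json_request: str) -> str:
    """Evaluates the policy (first-applicable) and returns the XACML decision."""
    req = json.loads(json_request)["Request"]
    try:
        action = _one_and_only(req.get("Action", []), ACTION_ID)
    except LookupError:
        return "Indeterminate"  # mandatory target attribute missing
    # Target: only ui.execute requests are handled by this policy, so other
    # policies' resources are never evaluated against the permission tree.
    if action != UI_EXECUTE:
        return "NotApplicable"
    try:
        subject = _one_and_only(req.get("AccessSubject", []), SUBJECT_ID)
        resource = _one_and_only(req.get("Resource", []), RESOURCE_ID)
    except LookupError:
        return "Indeterminate"
    if eval_permission_tree(subject, resource):
        return "Permit"  # rule permission-tree-authorized
    return "Deny"  # rule deny_others


def json_response(json_request: str) -> str:
    """Wraps the decision in the JSON Profile response layout."""
    return json.dumps({"Response": [{"Decision": decide(json_request)}]})


if __name__ == "__main__":
    for user, res, act in [("alice", "/permission/admin/manage/identity/users", UI_EXECUTE),
                           ("bob", "/permission/admin/manage", UI_EXECUTE),
                           ("alice", "/some/other/resource", "read")]:
        print(user, res, act, "->", json_response(build_json_request(user, res, act)))
```

The mock keeps the policy's two isolation properties visible: anything not carrying action "ui.execute" is NotApplicable rather than Deny, so an unrelated policy in the same PDP can still decide it, and a request that omits a MustBePresent attribute is Indeterminate rather than silently permitted.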
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture