
How Can I Use Booleans in a XACML Target?

The Data Type

The XACML identifier for the boolean data type is http://www.w3.org/2001/XMLSchema#boolean and the accepted values are ‘true’, ‘false’, ‘1’ and ‘0’. Note that booleans must be written in lowercase, so ‘True’ is considered as ‘false’.

XACML inherits the data type from XML Schema Part 2 (Datatypes), which defines it.

Example Attributes

Booleans are well suited to expressing the state of the objects we use in access control. For instance, we may want to check whether a document is published, which leads to the creation of an attribute called isPublished. In XACML, try to follow the same naming convention for boolean attributes as in Java and other programming languages.

Other uses include expressing an age threshold via a boolean rather than via the age itself, for instance an attribute called over18.

Policy Example in ALFA

The Abbreviated Language For Authorization (4,5,6) supports the boolean data type as defined in the OASIS XACML Core Specification. Here is an example of a simple policy with a rule and a target using boolean attributes:

namespace exampleBoolean {
    // The attributes used below (itemType, roleType, isPublished) must be
    // declared elsewhere in the namespace with their category, id and type;
    // isPublished is declared with type boolean.
    policy documentsAccess {
        target clause itemType == "document" and roleType == "employee"
        apply firstApplicable
        rule readDocument {
            // boolean literals are lowercase, as in the XML Schema data type
            target clause isPublished == true
            permit
        }
    }
}

Caveats

Given that attributes in XACML can be multi-valued (0, 1, or more values), think about what it means to have no value for a boolean, or to have more than one. For instance, if access is allowed when isPublished==true, what happens if there is no value for isPublished? Access would be denied. What happens if isPublished is both true and false? Access would be allowed. What then of negative rules, e.g. “Deny if over18 == false”? If we do not know whether the person is over 18, we will be letting them in. Was that the intended effect?

Think about controlling the number of values for an attribute. This applies to booleans but also to other data types. More on that in a future Question of the Week.
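The following is an added example, not code from the original post or from Axiomatics, that simulates the two evaluation behaviours behind the caveats above: a XACML target Match such as isPublished == true is satisfied when any value in the attribute bag equals the literal, while a Condition built on a one-and-only function requires exactly one value and otherwise yields Indeterminate. It also covers the data type section by parsing the xs:boolean lexical forms. All function names (parse_xs_boolean, match_any, one_and_only, evaluate_rule, caveat_scenarios) and the sample bags are this example's own constructions, not XACML identifiers; the parser rejects ‘True’ rather than mapping it to false, which is a design choice of the example.

```python
"""Simulated XACML target evaluation over multi-valued boolean attributes.

Added example (not from the original post). Models:
  * target Match semantics: satisfied when ANY bag value equals the literal
    (an attribute bag may hold 0, 1 or many values);
  * *-one-and-only semantics: exactly one value required, otherwise the
    expression (and the rule) evaluates to Indeterminate.
Function names here are this example's own, not XACML identifiers.
"""

PERMIT = "Permit"
DENY = "Deny"
NOT_APPLICABLE = "NotApplicable"
INDETERMINATE = "Indeterminate"


def parse_xs_boolean(lexical: str) -> bool:
    """Map an xs:boolean lexical value to a Python bool.

    Only the lowercase forms defined by XML Schema are accepted; an engine
    that silently maps 'True' to false would hide a data error, so this
    helper raises instead (design choice of the example).
    """
    if lexical in ("true", "1"):
        return True
    if lexical in ("false", "0"):
        return False
    raise ValueError(f"invalid xs:boolean lexical value: {lexical!r}")


def match_any(bag, literal):
    """XACML target Match semantics: true if any bag value equals the literal."""
    return any(value == literal for value in bag)


def one_and_only(bag):
    """Semantics of the XACML *-one-and-only functions: exactly one value."""
    if len(bag) != 1:
        raise ValueError(f"expected exactly one value, got {len(bag)}")
    return bag[0]


def evaluate_rule(effect, bag, expected, strict=False):
    """Evaluate a single rule whose target is `<attribute> == expected`.

    strict=False : plain target Match, any-of semantics over the bag.
    strict=True  : comparison goes through one_and_only, so an empty or
                   multi-valued bag yields Indeterminate, not a silent miss.
    Returns the rule decision: effect, NotApplicable or Indeterminate.
    """
    if strict:
        try:
            matched = one_and_only(bag) == expected
        except ValueError:
            return INDETERMINATE
    else:
        matched = match_any(bag, expected)
    return effect if matched else NOT_APPLICABLE


def caveat_scenarios():
    """The situations raised in the Caveats section, as {label: decision}.

    Bags are constructed sample input: lists of Python bools, as an engine
    would hold them after parsing the request attributes.
    """
    return {
        # rule readDocument: permit if isPublished == true
        "read, isPublished absent": evaluate_rule(PERMIT, [], True),
        "read, isPublished true and false": evaluate_rule(PERMIT, [True, False], True),
        # negative rule: deny if over18 == false
        "deny-minor, over18 absent": evaluate_rule(DENY, [], False),
        "deny-minor, over18 absent (strict)": evaluate_rule(DENY, [], False, strict=True),
        "deny-minor, over18 false (strict)": evaluate_rule(DENY, [False], False, strict=True),
    }


if __name__ == "__main__":
    for label, decision in caveat_scenarios().items():
        print(f"{label:40} -> {decision}")
```

In this model a rule decision of NotApplicable corresponds to “access denied” for the positive readDocument rule (a deny-biased enforcement point treats anything other than Permit as a denial) and to “letting them in” for the negative over18 rule, which is exactly the asymmetry the caveat describes. The strict variant shows the effect of constraining the value count: a missing or duplicated over18 surfaces as Indeterminate, so the policy author sees the data problem instead of an unintended Permit.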

Additional Reading
