This blog will look more closely at the scenarios where you want to evaluate an attribute on a particular target.

First, let’s define a few XACML terms right from the start:

  • An Attribute is defined as the “characteristic of a subject, resource, action or environment that may be referenced in policies and rules.
  • A Bag is an “unordered collection of values, in which there may be duplicate values”.
  • ALFA (Abbreviated Language for Authorization) is a pseudocode language used in the formulation of access-control policies.
  • A Target is a “set of simplified conditions for the subject, resource, and action that must be met for a policy set, policy, or rule to apply to a given request.”

Scenario

Sometimes you want to do things like evaluate attributes of a particular target. For example, perhaps you want to return a DENY if citizenship == Canadian or if age < 18. But, how can you assure that those retrieved attributes actually contain data?

Policy Decision Points (PDPs) commonly pull attribute values from sources (e.g. LDAP) that can provide multiple values per named attribute. These collections of multiple attribute values are known as bags in XACML terms. Bags will always contain attributes of the same data type.

XACML provides a set of functions to provide information about a given bag. The functions assist policy authors in determining how the attribute values will be handled by the PDP. These bag functions include returning a bag’s data type, comparing two bags’ data types, and returning an integer indicating the number of values in a bag.

This last function is where we find the answer to this week’s Question of the Week. XACML offers a bag function as defined:

  • <type>bag-size()
    • urn:oasis:names:tc:xacml:x.x:function:type-bag-size
    • This function SHALL take a bag of ‘type’ values as an argument and SHALL return an “http://www.w3.org/2001/XMLSchema#integer” indicating the number of values in the bag.
    • Where ‘type’ = string, Boolean, integer, double, time, date, dateTime, anyURI, hexBinary, base64Binary, dayTimeDuration, yearMonthDuration, x500Name, rfc822Name, ipAddress, and dnsName.

By using this bag function, a policy author can compose validation requests such as (ALFA notation)

  • stringBagSize(citizenship)
  • integerBagSize(age)

These functions return an integer (http://www.w3.org/2001/XMLSchema#integer) providing the number of attribute values within a given bag. If the integer is less than one (1), then the bag is empty.

So let’s revisit our previous example:

  • >Deny if age < 18

Written this way, the policy is ambiguous. What if the PDP did not read any value for age? Lack of value is not less than 18 and therefore access will not be denied. To remove the ambiguity, let’s rework the policy as follows:

  • Deny if age < 18 or integerBagSize(age)== 0 or integerBagSize(age)>1 

It should be noted that, in our scenario here using such attributes as age or nationality, these values may be critical to making a decision. Therefore, a value must be present. These checks for the existence of values may not be necessary if an absence of a value will not affect the returned decision.  

Conclusion

The <type>bag-size() bag function is a useful tool for validating that a bag contains at least one attribute data value, or to determine if there are multiple values that must be handled by the PDP.  

There are alternative approaches to determining the presence of attributes within bags which will be visited in subsequent Questions of the Week.

Further Reading on XACML Version 3.0 (Oasis Standard).