Brian is a part of the Axiomatics Sales team where he helps our customers become ABAC proficient.

Why don’t I get Obligations or Advice back on Indeterminate or Not Applicable responses?

Background

When a policy is evaluated by a XACML 3.0 Policy Decision Point (PDP), Obligations and Advice elements are ignored for “Indeterminate” and “Not Applicable” results. Only a “Permit” or “Deny” decision will result in an Obligation or Advice message being returned. This installment of our Question of the Week explores the reason for this behavior.


How Can I Return the Reason for a Denial in a XACML Response?

The XACML standard provides a means of returning the reason for an access request denial through the use of the Obligations and Advice expressions, which were added in the 3.0 standard. A comprehensive explanation of Obligations and Advice can be found in our blog entry titled "You are not obliged to follow my advice: Obligations and Advice in XACML part 1". More specifically, an in-depth explanation of how denial reasons can be returned in an Advice message can be found in "Obligations and Advice in XACML part 2".


ABAC, the dynamic authorization solution for your APIs and Applications


Scale the heights of enterprise access control:

IT and security leaders in large organizations often find themselves standing at the foot of a daunting mountain. That mountain is a mandate from their leadership to “improve security,” “do a better job in protecting data,” and “improve visibility on who can see what data and when it is accessed.” And, do this for the entire enterprise.


When and How Can I Express Negative Logic in XACML?

When authoring an access control policy, you may be creating a logical structure that calls for a negative expression. For example, you might be protecting a resource where access approval requires that the requestor not be a part-time employee [e.g. not(employeeType==partTime)].


Is ALFA a Part of the OASIS XACML Technical Committee Series of Standards?

The Abbreviated Language for Authorization (ALFA) is a pseudocode language used in the formulation of access control policies. ALFA maps directly into the eXtensible Access Control Markup Language (XACML) and contains the same structural elements as XACML (i.e. PolicySet, Policy, and Rule).


How Do I Check for the Presence of an Attribute?

This blog will look more closely at the scenarios where you want to evaluate an attribute on a particular target.
