+

Stack Overflow: What’s the difference between policy target and rule target in XACML?

Are you looking for further clarification in working with XACML? This post originally appeared on Stack Overflow.

Question: XACML allows us to specify <Target> tag in both <Policy> as well as in <Rule> tags.

What I would like to understand is that:

  • What is the utility of having these at both levels?
  • What is the individual effect of both of these methods?
  • How and when one should use them together or separately?

Any help in this regard would be appreciated. Thanks.

Answer:

You can have a Target in PolicySetPolicy, and Rule. They all achieve the same thing i.e. restrict the scope of the element (PolicySetPolicy, or Rule).

Your question should be more around why the three elements? it’s actually a way to divide and conquer your authorization challenge. Imagine you’re tackling authorization for an entire bank. You might have a policy set that focuses on the retail part of the bank and another that focuses on the commercial side of the bank. You would have an attribute in the target of the PolicySet element that would distinguish between retail and commercial.

Inside the retail bank PolicySet you could have another series of policy sets or maybe just policies where the Target would distinguish between different applications. Inside each Policy element you could have Rule elements that would have targets that would distinguish between functions of the applications.

Answered by David Brossard, VP of Customer Relations at Axiomatics

Related Articles

The one with all the authorization vendors | Dynamically Speaking
Dynamically Speaking
Does it feel as though everyone’s suddenly talking about authorization? We think so too and asked Axiomatics President & CCO Jim Barkdoll his thoughts on...
The one about identity-first security | Dynamically Speaking
Dynamically Speaking
Few have their finger on the pulse of all things Identity and Access Management (IAM) like Jackson Shaw, Chief Strategy Officer for Clear Skye. In...
The Log4j vulnerability – What you need to know
Customer Alerts
As many of you know, on December 9, 2021 the Apache Log4j vulnerability (CVE-2021-4422) was discovered, affecting somewhere between 0 and 3 billion-plus devices currently...