+

Using ALFA Eclipse plugin to author XACML policies – Part 1

The scenario we will use is that of a car dealership company. In the company, purchase orders are deemed as sensitive resources and hence they need to be protected. The policies we will write will revolve around purchase orders.

Let’s define some vocabulary. A purchase order has an identifier, an amount in US dollars, a geographic location (i.e. where it was created), a purchaser (i.e. the identity of the employee who initiated the PO), and a status (whether the PO has been approved or not). The users in the system also have attributes: their identity or username; their role; their assigned location; and their personal approval limit. In this exercise, we can also consider additional attributes such as the action we want to use e.g. raise or approve, as well as environmental attributes such as the time of the day or the IP address of the user.

Let’s now define an authorization rule:
users in the purchasing department can raise purchase orders

Let’s identify the building blocks of the rule:
users in the purchasing department can raise purchase orders

In this rule, there are 3 building blocks:

  • purchasing department is a subject attribute
  • raise is an action attribute
  • purchase orders is a resource attributes

The overall effect of the rule is a Permit as expressed by “can”.

The video below summarises what has been covered so far.

{source}
[iframe width="560" height="315" src="//www.youtube.com/embed/u_qqv66WUXM?rel=0" frameborder="0" allowfullscreen]][[/iframe]
{/source}

Now let us see how ALFA can be used to express this authorization rule in XACML.

Initial Instructions

First of all, follow these simple steps:

  1. Open up the Eclipse IDE
  2. In the workspace area to the left, right-click on blank space and go to New… Project.
  3. Choose a generic project (alternatively a Java project) and call it ‘ALFA Tutorial’
  4. Right-click on the newly created project, click on New… Folder. Call the new folder ‘src’.
  5. Right-click on the newly created folder, click on New… File. Call the new file rule1.alfa. As explained in the video, this will cause Eclipse to prompt you, the user, about adding the XText nature to the project. XText is the add-on that enables auto-complete, syntax coloring, and translation abilities to your ALFA project.

You are now ready to start writing your first rule. As we write the first rule, we uncover several concepts described hereafter.

Attributes

As discussed in the previous article, attributes are the building blocks of attribute-based access control and in particular XACML. Attributes are like labels used to describe everything and anything from users to resources to context. Attributes are essentially a key-value pair e.g. role==manager or citizenship==Canadian. In XACML, attributes are made up of

  • an identifier e.g. https://www.axiomatics.com/tutorial/role
  • a datatype e.g. http://www.w3.org/2001/XMLSchema#string
  • a category e.g. urn:oasis:names:tc:xacml:1.0:subject-category:access-subject, and
  • an optional issuer (e.g. ‘Corporate AD’)

In the ALFA tutorial here, we define attributes. For instance, we define the attribute user.department as follows:

namespace com.axiomatics.alfa.tutorial{
	namespace attributes{
		namespace user{
			attribute department{
				category = subjectCat
				id = "department"
				type = string
			}			
		}
	}
}

Rule and Policy

In XACML, as in ALFA, there are 3 structural elements used to structure and break down the authorization challenge into smaller pieces. These elements are policy set, policy, and rule. In this example, we use a single rule which is then linked to from inside a policy. The ALFA plugin for Eclipse detects all new policies and translates them automatically into XACML 3.0 syntax.

namespace com.axiomatics.tutorial{
import com.axiomatics.tutorial.attributes.*
/**
 * Users in the purchasing department can raise purchase orders
 */
 rule raisePO{
       permit
 }
 
 /**
  * Global policy : ties it all together
  */
  policy main{
        apply firstApplicable
        raisePO
  }
}

Target

XACML and ALFA introduce the notion of targets. The target is the element through which the policy / rule scope of applicability can be defined. For instance, if one wishes to write a rule about users in the purchasing department, then the target is the place to do it. Inside a target, one can add any number of attributes and compare them to static values e.g. user.department==”purchasing”. The code sample below illustrates the use of a target.

namespace com.axiomatics.tutorial{
import com.axiomatics.tutorial.attributes.*
/**
 * Users in the purchasing department can raise purchase orders
 */
 rule raisePO{
       target clause user.department=="purchasing“
    	  and action.actionId=="raise"
          and resource.rType=="purchase order"
       permit
 }
}

Combining Algorithm

Lastly, we introduce the notion of combining algorithms. There are two types of combining algorithms:

  • rule-combining algorithms, and
  • policy-combining algorithms

Both are equivalent. The former is used inside policies to combine the results of different children rules whereas the latter is used inside policy set to combine the results of different policies and policy sets.

Combining algorithms are great to resolve conflicts. Imagine the following: a policy contains 2 rules that both trigger. One says Permit, the other says Deny. Which one wins? That’s what the combining algorithms tell us. In the case of a deny-overrides, then Deny wins no matter how many rules said Permit so long as one rule did say Deny.

For a complete list of combining algorithms check out the XACML specification at

The video below gives you a visual walk-through of what was covered in the latter part of this blog post.

{source}
[iframe width="560" height="315" src="//www.youtube.com/embed/NuR6yuZBzxY?rel=0" frameborder="0" allowfullscreen]][[/iframe]
{/source}

Conclusion

In this blog post we laid out the sample usage scenario for using ALFA plugin for Eclipse to wrote XACML policies and then showed how to start working with ALFA. In the next post in this series we will look at more involved authorization rules and how they can be captured using ALFA.

 

Related Articles

Meeting today’s dynamic authorization and access challenges: The Axiomatics story | Dynamically Speaking
Dynamically Speaking
For more than 15 years, Axiomatics has worked with companies worldwide to define and deliver solutions to the most complex authorization and access challenge. In...
Getting started with Zero Trust using dynamic authorization | Dynamically Speaking
Dynamically Speaking
Zero Trust. It’s everywhere. It’s a methodology that’s been around for years, and we are now seeing a significant uptick in the number of enterprises...
The case for dynamic authorization in banking and finance
Attribute Based Access Control (ABAC)
More than other organizations, banks, and financial institutions face the highest levels of scrutiny when it comes to how they protect critical assets and sensitive...