Skip to main content

Permission Policies

The Permission Policy is a <PolicySet> that contains the actual permissions associated with a given role. It contains <Policy> elements and <Rules> that describe the resources and actions that subjects are permitted to access, along with any further conditions on that access, such as time of day. For example:

<PolicySet PolicySetId="org.talend.xacml.permissions.boss.doubleit"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides" xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" >

    <Target/>

    <Policy PolicyId="doubleit" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">

        <Target/>
        <Rule RuleId="doubleit" Effect="Permit">
            <Target>
                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal ">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">{http://www.example.org/contract/DoubleIt}DoubleItService#DoubleIt</AttributeValue>
                            <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId=" urn:oasis:names:tc:xacml:1.0:resource:resource-id "/>
                        </ResourceMatch>
                    </Resource>
                </Resources>
                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">execute</AttributeValue>
                            <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
                        </ActionMatch>
                    </Action>
                </Actions>
            </Target>
        </Rule>
    </Policy>
</PolicySet>

In this case, the resource is the {SOAP Target namespace}SOAP Service name#SOAP Operation name: {http://www.example.org/contract/DoubleIt}DoubleIt.

And the action is execute.

So, this permission policy associates the above resource with the execute action. It does not say anything about who is allowed to access this resource, simply that a particular resource is grouped with an action.

For REST, you match against the request URL of the service, and also the HTTP Verb that was used to access the service. For example:

<PolicySet PolicySetId="org.talend.xacml.permissions.boss.doubleit-rest" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides" xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" >

    <Target/>

    <Policy PolicyId="doubleit-rest" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">

        <Target/>
        <Rule RuleId="doubleit-rest" Effect="Permit">
            <Target>
                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">(/services)?/numberservice/doubleit/(\d)*</AttributeValue>
                            <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>
                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
                            <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
                        </ActionMatch>
                    </Action>
                </Actions>
            </Target>
        </Rule>
    </Policy>
</PolicySet>

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – please let us know!