
XACML policies

For its Authorization feature, Talend ESB uses three types of XACML policies: the Role Policies, the Permission Assignment Policies, and the Permission Policies. Their roles can be summarized as follows:

  1. A PDP receives a request from a PEP, which contains the resource, action, role, date, and some other optional data.

  2. The PDP first goes through the Role Policies it has to try to match the given role name.

  3. If it finds a match, then it finds the Permission Policies that are referenced via the Permission Assignment Policy associated with the Role Policy.

  4. It matches these policies against the request: the resource and the action name.

  5. If they all match, then the authorization decision is "permit". Otherwise, it is "deny" or "indeterminate".

Permission Policies

The Permission Policy is a <PolicySet> that contains the actual permissions associated with a given role. It contains <Policy> elements and <Rules> that describe the resources and actions that subjects are permitted to access, along with any further conditions on that access, such as time of day. For example:

<PolicySet PolicySetId="org.talend.xacml.permissions.boss.doubleit"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides"
           xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  <!-- Empty Target: the PolicySet itself applies to every request; who may use it is decided by the Role PolicySet -->
  <Target/>
  <Policy PolicyId="doubleit" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Target/>
    <Rule RuleId="doubleit" Effect="Permit">
      <Target>
        <Resources>
          <Resource>
            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">{http://www.example.org/contract/DoubleIt}DoubleItService#DoubleIt</AttributeValue>
              <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
            </ResourceMatch>
          </Resource>
        </Resources>
        <Actions>
          <Action>
            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">execute</AttributeValue>
              <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
            </ActionMatch>
          </Action>
        </Actions>
      </Target>
    </Rule>
  </Policy>
</PolicySet>

In this case, the resource is of the form {SOAP target namespace}SOAP service name#SOAP operation name, here {http://www.example.org/contract/DoubleIt}DoubleItService#DoubleIt, and the action is execute.

So this permission policy associates the above resource with the execute action. It does not say anything about who is allowed to access this resource, simply that a particular resource is grouped with an action.

For REST, you match against the request URL of the service, and also the HTTP Verb that was used to access the service. For example:

<PolicySet PolicySetId="org.talend.xacml.permissions.boss.doubleit-rest"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides"
           xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  <Target/>
  <Policy PolicyId="doubleit-rest" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Target/>
    <Rule RuleId="doubleit-rest" Effect="Permit">
      <Target>
        <Resources>
          <Resource>
            <!-- The request path is matched with a regular expression instead of string-equal -->
            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">(/services)?/numberservice/doubleit/(\d)*</AttributeValue>
              <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
            </ResourceMatch>
          </Resource>
        </Resources>
        <Actions>
          <Action>
            <!-- The action is the HTTP verb -->
            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
              <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
            </ActionMatch>
          </Action>
        </Actions>
      </Target>
    </Rule>
  </Policy>
</PolicySet>

Permission Assignment Policy

The Permission Assignment Policy or PolicySet is a <Policy> or <PolicySet> that defines which permissions can be enabled or assigned to which subjects. It may also specify restrictions on combinations of permissions or total number of permissions assigned to or enabled for a given subject. For example:

<PolicySet PolicySetId="org.talend.xacml.permissions.assignment.boss"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides"
           xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  <Target/>
  <!-- Each reference points at a Permission PolicySet by its PolicySetId -->
  <PolicySetIdReference>org.talend.xacml.permissions.boss.doubleit</PolicySetIdReference>
  <PolicySetIdReference>org.talend.xacml.permissions.boss.doubleit-rest</PolicySetIdReference>
  <PolicySetIdReference>org.talend.xacml.permissions.boss.quadrupleit</PolicySetIdReference>
  <PolicySetIdReference>org.talend.xacml.permissions.boss.quadrupleit-rest</PolicySetIdReference>
</PolicySet>

Role Policies

The Role PolicySet or RPS is a <PolicySet> that associates holders of a given role attribute and value with a Permission <PolicySet> that contains the actual permissions associated with the given role. The <Target> element of a Role <PolicySet> limits the applicability of the <PolicySet> to subjects holding the associated role attribute and value. Each Role <PolicySet> references a single corresponding Permission <PolicySet> but does not contain or reference any other <Policy> or <PolicySet> elements.

A Role Policy associates a Subject with a Permission Assignment Policy. For example:

<PolicySet PolicySetId="org.talend.xacml.permissions.role.boss"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides"
           xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  <!-- This Target restricts the PolicySet to subjects whose role attribute is "boss" -->
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">boss</AttributeValue>
          <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#anyURI" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"/>
        </SubjectMatch>
      </Subject>
    </Subjects>
  </Target>
  <PolicySetIdReference>org.talend.xacml.permissions.assignment.boss</PolicySetIdReference>
</PolicySet>

So in this case, a subject whose role attribute is "boss" is associated with the permission assignment policy with the given Id.
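To show how the five evaluation steps and the three policy tiers fit together, here is an added Python example (not Talend's PDP, nor code from this page) that walks Role PolicySet, Permission Assignment PolicySet and Permission PolicySets for a request and returns the decision. The policies are constructed, cut-down copies of the ones shown, with hypothetical ids, and string-regexp-match is assumed to be anchored.

```python
# Added example, not Talend's PDP; policies below are constructed with hypothetical ids.
import re
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:xacml:2.0:policy:schema:os}"
POLICIES = r"""<root xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
<PolicySet PolicySetId="role.boss"><Target><Subjects><Subject>
 <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
 <AttributeValue>boss</AttributeValue></SubjectMatch></Subject></Subjects></Target>
 <PolicySetIdReference>assignment.boss</PolicySetIdReference></PolicySet>
<PolicySet PolicySetId="assignment.boss"><Target/>
 <PolicySetIdReference>perm.doubleit</PolicySetIdReference>
 <PolicySetIdReference>perm.doubleit-rest</PolicySetIdReference></PolicySet>
<PolicySet PolicySetId="perm.doubleit"><Target/><Policy><Target/><Rule Effect="Permit"><Target>
 <Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 <AttributeValue>{http://www.example.org/contract/DoubleIt}DoubleItService#DoubleIt</AttributeValue></ResourceMatch></Resource></Resources>
 <Actions><Action><ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 <AttributeValue>execute</AttributeValue></ActionMatch></Action></Actions></Target></Rule></Policy></PolicySet>
<PolicySet PolicySetId="perm.doubleit-rest"><Target/><Policy><Target/><Rule Effect="Permit"><Target>
 <Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
 <AttributeValue>(/services)?/numberservice/doubleit/(\d)*</AttributeValue></ResourceMatch></Resource></Resources>
 <Actions><Action><ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 <AttributeValue>GET</AttributeValue></ActionMatch></Action></Actions></Target></Rule></Policy></PolicySet>
</root>"""

def _holds(match, value):
    """Apply the function named in MatchId to one attribute of the request."""
    fn = match.get("MatchId").rsplit(":", 1)[1]
    literal = match.find(NS + "AttributeValue").text
    if fn == "string-regexp-match":   # assumed anchored, as XML Schema regexes are
        return re.fullmatch(literal, value) is not None
    return literal == value           # string-equal / anyURI-equal

def evaluate(root, role, resource, action):
    """Steps 2-5: Role PolicySet -> Permission Assignment PolicySet -> Permission PolicySets."""
    by_id = {ps.get("PolicySetId"): ps for ps in root.findall(NS + "PolicySet")}
    for ps in by_id.values():                       # step 2: Role PolicySet for this role
        sm = ps.find(f"{NS}Target/{NS}Subjects/{NS}Subject/{NS}SubjectMatch")
        if sm is None or not _holds(sm, role):
            continue                                # not a Role PolicySet, or another role
        for aref in ps.findall(NS + "PolicySetIdReference"):        # step 3: follow the
            for pref in by_id[aref.text].findall(NS + "PolicySetIdReference"):  # references
                for rule in by_id[pref.text].iter(NS + "Rule"):     # step 4: match each Rule
                    rm, am = rule.find(f".//{NS}ResourceMatch"), rule.find(f".//{NS}ActionMatch")
                    if _holds(rm, resource) and _holds(am, action):
                        return rule.get("Effect")               # step 5: "Permit"
    return "Deny"   # no Role PolicySet matched, or no permission covers resource and action

ROOT = ET.fromstring(POLICIES)
```

A request for a path outside the regular expression, a different HTTP verb, or a role with no Role PolicySet all fall through to "Deny", which is the behaviour step 5 describes.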
