
    XACML RBAC Locator

     

    This locator supports the core XACML RBAC profile. 

     

    Since

    v2.0.6.Final

     

    Concepts To Remember

     

    The RBAC profile defines two types of Policy Sets:

    1. Role Policy Sets (RPS): one per role, whose Target matches the subject's role attribute and which reference that role's PPS
    2. Permission Policy Sets (PPS): hold the permissions granted to a role, and may reference the PPS of a junior role to inherit its permissions

    Requirements for this Locator

    • The RPS Policy Sets should have an id starting with "RPS"
    • The PPS Policy Sets should have an id starting with "PPS"

     

    Configuration

     

     

    Config File

    The config file does two things: it registers the locator and tells it where the policies are. There are two variants.

     

    Variant 1

     

    The first variant of the config file just indicates the directory where the policy files are located.

     

    <ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
      <ns:Policies> 
       <ns:PolicySet>
          <ns:Location>test/policies/rbac/</ns:Location> 
        </ns:PolicySet>
      </ns:Policies>
      <ns:Locators>
        <ns:Locator Name="org.jboss.security.xacml.locators.JBossRBACPolicySetLocator"/>
      </ns:Locators>
    </ns:jbosspdp>
    

     

     

    Variant 2

    In the second variant of the config file, you explicitly define the policy sets.

     

    <ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
      <ns:Policies>  
        <ns:PolicySet>
          <ns:Location>test/policies/rbac/employee-PPS-policyset.xml</ns:Location> 
        </ns:PolicySet>
        <ns:PolicySet>
          <ns:Location>test/policies/rbac/manager-PPS-policyset.xml</ns:Location> 
        </ns:PolicySet>
        <ns:PolicySet>
          <ns:Location>test/policies/rbac/employee-RPS-policyset.xml</ns:Location> 
        </ns:PolicySet>
        <ns:PolicySet>
          <ns:Location>test/policies/rbac/manager-RPS-policyset.xml</ns:Location> 
        </ns:PolicySet>
      </ns:Policies>
      <ns:Locators>
        <ns:Locator Name="org.jboss.security.xacml.locators.JBossRBACPolicySetLocator"/>
      </ns:Locators>
    </ns:jbosspdp>
    

     

    Choose the variant that fits the number of RPS and PPS policy sets you have. Ideally, keep that number small.

     

    Examples of Policy Sets

     

    Role Policy Sets (RPS)

     

     

    Employee

     

     

    <PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicySetId="RPS:employee:role"
        PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
        <Target>
            <Subjects>
                <Subject>
                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">employee</AttributeValue>
                        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                    </SubjectMatch>
                </Subject>
            </Subjects>
        </Target>
        <!-- Use permissions associated with the employee role -->
        <PolicySetIdReference>PPS:employee:role</PolicySetIdReference>
    </PolicySet>
    

    Manager

     

     

    <PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicySetId="RPS:manager:role"
        PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
        <Target>
            <Subjects>
                <Subject>
                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">manager</AttributeValue>
                        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                    </SubjectMatch>
                </Subject>
            </Subjects>
        </Target>
        <!-- Use permissions associated with the manager role -->
        <PolicySetIdReference>PPS:manager:role</PolicySetIdReference>
    </PolicySet>
    

     

    Permission Policy Sets (PPS)

    Employee

     

     

    <PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicySetId="PPS:employee:role"
        PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
        <Target />
        <!-- Permissions specifically for the employee role -->
        <Policy PolicyId="Permissions:specifically:for:the:employee:role"
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
            <Target />
            <!-- Permission to create a purchase order -->
            <Rule RuleId="Permission:to:create:a:purchase:order" Effect="Permit">
                <Target>
                    <Resources>
                        <Resource>
                            <ResourceMatch
                                MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">purchase order</AttributeValue>
                                <ResourceAttributeDesignator
                                    AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
                            </ResourceMatch>
                        </Resource>
                    </Resources>
                    <Actions>
                        <Action>
                            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
                                <ActionAttributeDesignator AttributeId="urn:action-id"
                                    DataType="http://www.w3.org/2001/XMLSchema#string" />
                            </ActionMatch>
                        </Action>
                    </Actions>
                </Target>
            </Rule>
        </Policy>
        <!-- HasPrivilegesOfRole Policy for employee role -->
    <Policy PolicyId="Permission:to:have:employee:role:permissions"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
        <Target />
        <!-- Permission to have employee role permissions -->
        <Rule RuleId="Permission:to:have:employee:permissions" Effect="Permit">
            <Condition>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">employee</AttributeValue>
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
                    </Apply>
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:oasis:names:tc:xacml:2.0:actions:hasPrivilegesOfRole</AttributeValue>
                        <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
                    </Apply>
                </Apply>
            </Condition>
        </Rule>
    </Policy>
    </PolicySet>
    

     

    Manager

     

     

    <PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicySetId="PPS:manager:role"
        PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
        <Target />
        <!-- Permissions specifically for the manager role -->
        <Policy PolicyId="Permissions:specifically:for:the:manager:role"
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
            <Target />
            <!-- Permission to sign a purchase order -->
            <Rule RuleId="Permission:to:sign:a:purchase:order" Effect="Permit">
                <Target>
                    <Resources>
                        <Resource>
                            <ResourceMatch
                                MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">purchase order</AttributeValue>
                                <ResourceAttributeDesignator
                                    AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
                            </ResourceMatch>
                        </Resource>
                    </Resources>
                    <Actions>
                        <Action>
                            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">sign</AttributeValue>
                                <ActionAttributeDesignator AttributeId="urn:action-id"
                                    DataType="http://www.w3.org/2001/XMLSchema#string" />
                            </ActionMatch>
                        </Action>
                    </Actions>
                </Target>
            </Rule>
        </Policy>
        <!-- HasPrivilegesOfRole Policy for manager role -->
    <Policy PolicyId="Permission:to:have:manager:role:permissions"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
        <Target />
        <!-- Permission to have manager role permissions -->
        <Rule RuleId="Permission:to:have:manager:permissions" Effect="Permit">
            <Condition>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">manager</AttributeValue>
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
                    </Apply>
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:oasis:names:tc:xacml:2.0:actions:hasPrivilegesOfRole</AttributeValue>
                        <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
                    </Apply>
                </Apply>
            </Condition>
        </Rule>
    </Policy>
        <!-- Include permissions associated with employee role -->
        <PolicySetIdReference>PPS:employee:role</PolicySetIdReference>
    </PolicySet>
    

     

     

    Examples

    Permit Condition - Request

     

     

    <Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os
             access_control-xacml-2.0-context-schema-os.xsd">
        <Subject>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <AttributeValue>Anne</AttributeValue>
            </Attribute>
    
            <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                DataType="http://www.w3.org/2001/XMLSchema#anyURI">
                <AttributeValue>manager</AttributeValue>
            </Attribute>
        </Subject>
    
        <Resource>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                DataType="http://www.w3.org/2001/XMLSchema#anyURI">
                <AttributeValue>manager</AttributeValue>
            </Attribute>
        </Resource>
    
        <Action>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#anyURI">
                <AttributeValue>urn:oasis:names:tc:xacml:2.0:actions:hasPrivilegesOfRole</AttributeValue>
            </Attribute>
        </Action>
    </Request>
    

     

    Deny Condition (Actually NotApplicable)

     

     

    <Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os
             access_control-xacml-2.0-context-schema-os.xsd">
        <Subject>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <AttributeValue>Anne</AttributeValue>
            </Attribute>
    
            <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                DataType="http://www.w3.org/2001/XMLSchema#anyURI">
                <AttributeValue>manager</AttributeValue>
            </Attribute>
        </Subject>
    
        <Resource>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                DataType="http://www.w3.org/2001/XMLSchema#anyURI">
                <AttributeValue>manager</AttributeValue>
            </Attribute>
        </Resource>
    
        <Action>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#anyURI">
                <AttributeValue>urn:nobody</AttributeValue>
            </Attribute>
        </Action>
    </Request>
    

     

    Employee Create Purchase Order - Permit

     

     

    <?xml version="1.0" encoding="UTF-8"?>
    <xacml-context:Request xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
        xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation=" urn:oasis:names:tc:xacml:2.0:context:schema:os
     http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
        <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <AttributeValue>500</AttributeValue>
            </Attribute>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:user-name"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <AttributeValue>Tweetie</AttributeValue>
            </Attribute>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                DataType="http://www.w3.org/2001/XMLSchema#anyURI">
                <AttributeValue>employee</AttributeValue>
            </Attribute>
        </Subject>
        <Resource>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <AttributeValue>purchase order</AttributeValue>
            </Attribute>
        </Resource>
        <Action>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <AttributeValue>create</AttributeValue>
            </Attribute>
        </Action>
        <Environment />
    </xacml-context:Request>
    

     

    Employee Sign Purchase Order - Not Applicable (effectively, Deny)

     

     

    <?xml version="1.0" encoding="UTF-8"?>
    <xacml-context:Request xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
        xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation=" urn:oasis:names:tc:xacml:2.0:context:schema:os
     http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
        <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <AttributeValue>500</AttributeValue>
            </Attribute>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:user-name"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <AttributeValue>Tweetie</AttributeValue>
            </Attribute>
    
            <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                DataType="http://www.w3.org/2001/XMLSchema#anyURI">
                <AttributeValue>employee</AttributeValue>
            </Attribute>
        </Subject>
        <Resource>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <AttributeValue>purchase order</AttributeValue>
            </Attribute>
        </Resource>
        <Action>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <AttributeValue>sign</AttributeValue>
            </Attribute>
        </Action>
        <Environment />
    </xacml-context:Request>
    

     

    Manager Sign Purchase Order - Permit

     

     

    <?xml version="1.0" encoding="UTF-8"?>
    <xacml-context:Request xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
        xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation=" urn:oasis:names:tc:xacml:2.0:context:schema:os
     http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
        <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <AttributeValue>500</AttributeValue>
            </Attribute>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:user-name"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <AttributeValue>Tweetie</AttributeValue>
            </Attribute>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                DataType="http://www.w3.org/2001/XMLSchema#anyURI">
                <AttributeValue>manager</AttributeValue>
            </Attribute>
        </Subject>
        <Resource>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <AttributeValue>purchase order</AttributeValue>
            </Attribute>
        </Resource>
        <Action>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <AttributeValue>sign</AttributeValue>
            </Attribute>
        </Action>
        <Environment />
    </xacml-context:Request>
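
    Added example (not code from the JBoss XACML project or this page): a small Python model of the RBAC-profile policy sets above that ties the locator's requirements to the sample requests. It enforces the RPS/PPS id-prefix rule from "Requirements for this Locator", checks that every PolicySetIdReference resolves, follows those references (manager PPS including employee PPS) to compute each role's effective permissions, and re-evaluates the page's sample requests to the same Permit / NotApplicable outcomes. The embedded XML is a constructed, trimmed copy of the page's policy sets that keeps the same ids and references; the HasPrivilegesOfRole policy is modelled as a derived permission of each PPS rather than parsed from its Condition, and the function names (load_policy_sets, effective_permissions, rps_for_role, decide) are this example's own, not part of the locator's API.

```python
"""Added example, not code from the JBoss XACML project. Models the RBAC-profile
policy sets on this page: enforces the locator's RPS/PPS id-prefix rule, checks
that every PolicySetIdReference resolves, follows references to compute a role's
effective permissions, and re-evaluates the page's sample requests. The XML is a
constructed, trimmed copy of the page's policy sets (same ids and references)."""
import xml.etree.ElementTree as ET

P = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
HAS_PRIV = "urn:oasis:names:tc:xacml:2.0:actions:hasPrivilegesOfRole"
q = lambda tag: "{%s}%s" % (P, tag)  # namespace-qualified tag for ElementTree

RPS = """<PolicySet xmlns="{p}" PolicySetId="RPS:{r}:role">
 <Target><Subjects><Subject><SubjectMatch>
  <AttributeValue>{r}</AttributeValue>
  <SubjectAttributeDesignator AttributeId="{role}"/>
 </SubjectMatch></Subject></Subjects></Target>
 <PolicySetIdReference>PPS:{r}:role</PolicySetIdReference>
</PolicySet>"""
PPS = """<PolicySet xmlns="{p}" PolicySetId="PPS:{r}:role">
 <Policy PolicyId="Permissions:specifically:for:the:{r}:role">
  <Rule RuleId="Permission:to:{a}:a:purchase:order" Effect="Permit"><Target>
   <Resources><Resource><ResourceMatch>
    <AttributeValue>purchase order</AttributeValue></ResourceMatch></Resource></Resources>
   <Actions><Action><ActionMatch>
    <AttributeValue>{a}</AttributeValue></ActionMatch></Action></Actions>
  </Target></Rule>
 </Policy>{inc}
</PolicySet>"""
# Constructed sample: the page's four policy sets; the manager PPS includes the employee PPS.
SAMPLE_DOCS = [
    RPS.format(p=P, r="employee", role=ROLE),
    RPS.format(p=P, r="manager", role=ROLE),
    PPS.format(p=P, r="employee", a="create", inc=""),
    PPS.format(p=P, r="manager", a="sign",
               inc="\n <PolicySetIdReference>PPS:employee:role</PolicySetIdReference>"),
]

def load_policy_sets(docs):
    """Parse policy sets and apply the checks this locator depends on: every
    PolicySetId starts with RPS or PPS and every PolicySetIdReference resolves."""
    sets = {}
    for doc in docs:
        root = ET.fromstring(doc)
        sid = root.get("PolicySetId") or ""
        if not sid.startswith(("RPS", "PPS")):
            raise ValueError("PolicySetId must start with RPS or PPS: %r" % sid)
        sets[sid] = root
    for sid, root in sets.items():
        for ref in root.iter(q("PolicySetIdReference")):
            if ref.text.strip() not in sets:
                raise ValueError("%s references unknown policy set %s" % (sid, ref.text))
    return sets

def effective_permissions(sets, pps_id, seen=None):
    """(resource, action) pairs a PPS permits, plus those of every PPS it references
    (junior roles), followed recursively with a cycle guard. Each PPS is also modelled
    as granting hasPrivilegesOfRole for its own role (the page's Condition-based rule)."""
    seen = set() if seen is None else seen
    if pps_id in seen:
        return set()
    seen.add(pps_id)
    root = sets[pps_id]
    perms = {(pps_id.split(":")[1], HAS_PRIV)}
    for rule in root.iter(q("Rule")):
        if rule.get("Effect") != "Permit":
            continue
        res = rule.find(".//%s/%s" % (q("ResourceMatch"), q("AttributeValue")))
        act = rule.find(".//%s/%s" % (q("ActionMatch"), q("AttributeValue")))
        if res is not None and act is not None:
            perms.add((res.text.strip(), act.text.strip()))
    for ref in root.iter(q("PolicySetIdReference")):
        perms |= effective_permissions(sets, ref.text.strip(), seen)
    return perms

def rps_for_role(sets, role):
    """The RPS whose Target matches the subject's role attribute, if any."""
    for sid, root in sets.items():
        if not sid.startswith("RPS"):
            continue
        for m in root.iter(q("SubjectMatch")):
            des, val = m.find(q("SubjectAttributeDesignator")), m.find(q("AttributeValue"))
            if des is not None and des.get("AttributeId") == ROLE and val.text.strip() == role:
                return root
    return None

def decide(sets, subject_role, resource, action):
    """Permit when the subject's RPS -> PPS chain grants (resource, action), else
    NotApplicable, which the PEP must treat as a denial. For a hasPrivilegesOfRole
    request, `resource` is the role carried in the request's resource role attribute."""
    rps = rps_for_role(sets, subject_role)
    if rps is None:
        return "NotApplicable"
    perms = set()
    for ref in rps.iter(q("PolicySetIdReference")):
        perms |= effective_permissions(sets, ref.text.strip())
    return "Permit" if (resource, action) in perms else "NotApplicable"

if __name__ == "__main__":
    ps = load_policy_sets(SAMPLE_DOCS)
    print(decide(ps, "employee", "purchase order", "sign"))  # NotApplicable
    print(decide(ps, "manager", "purchase order", "sign"))   # Permit
```

    Running it shows why the page labels "Employee Sign Purchase Order" as NotApplicable rather than Deny: no rule in the employee chain matches, so nothing says Permit, and the PEP is what turns that absence into a refusal. The same walk reproduces the manager's inherited "create" permission and the hasPrivilegesOfRole outcomes for the two role requests above, and the reference check in load_policy_sets catches a mistyped PolicySetIdReference or a policy set whose id lacks the RPS/PPS prefix before the locator ever sees it.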