xacml3 - XACML 3.0 policy with multiple conditions -


i need define policy allows request

  • to resources /tenant-3/*
  • for user belonging finance role , organization payrol

the condition i've defined not accepted standard xacml.3.0 policy wso2is editor. tell me how define such policy ? great ? regards vpl

<policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" policyid="tenant-3" rulecombiningalgid="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" version="1.0">    <target>       <anyof>          <allof>             <match matchid="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">                <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">/tenant-3/*</attributevalue>                <attributedesignator attributeid="urn:oasis:names:tc:xacml:1.0:resource:resource-id" category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" datatype="http://www.w3.org/2001/xmlschema#string" mustbepresent="true"/>             </match>          </allof>       </anyof>    </target>    <rule effect="permit" ruleid="rule-1">       <condition>          <apply functionid="urn:oasis:names:tc:xacml:1.0:function:string-is-in">             <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">finance</attributevalue>             <attributedesignator attributeid="http://wso2.org/claims/role" category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" datatype="http://www.w3.org/2001/xmlschema#string" mustbepresent="true"/>          </apply>          <apply functionid="urn:oasis:names:tc:xacml:1.0:function:string-is-in">             <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">payrol</attributevalue>             <attributedesignator attributeid="http://wso2.org/claims/organization" category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" datatype="http://www.w3.org/2001/xmlschema#string" mustbepresent="true"></attributedesignator>          </apply>        </condition>    </rule> </policy>

your policy invalid. in condition, need combine 2 <apply/> elements inside single <apply/> element using urn:oasis:names:tc:xacml:1.0:function:and function.

i updated policy , works fine in axiomatics policy server:

<xacml3:policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" policyid="tenant-3" version="1.0" rulecombiningalgid="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"> <xacml3:policydefaults><xacml3:xpathversion>http://www.w3.org/tr/1999/rec-xpath-19991116</xacml3:xpathversion></xacml3:policydefaults>   <xacml3:target>     <xacml3:anyof>       <xacml3:allof>         <xacml3:match matchid="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">           <xacml3:attributevalue datatype="http://www.w3.org/2001/xmlschema#string">/tenant-3/*</xacml3:attributevalue>           <xacml3:attributedesignator category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"  attributeid="urn:oasis:names:tc:xacml:1.0:resource:resource-id" datatype="http://www.w3.org/2001/xmlschema#string" mustbepresent="true"/>         </xacml3:match>       </xacml3:allof>     </xacml3:anyof>   </xacml3:target>   <xacml3:rule ruleid="rule-1" effect="permit">     <xacml3:condition >       <xacml3:apply functionid="urn:oasis:names:tc:xacml:1.0:function:and">         <xacml3:apply functionid="urn:oasis:names:tc:xacml:1.0:function:string-is-in">           <xacml3:attributevalue datatype="http://www.w3.org/2001/xmlschema#string">finance</xacml3:attributevalue>           <xacml3:attributedesignator category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"  attributeid="http://wso2.org/claims/role" datatype="http://www.w3.org/2001/xmlschema#string" mustbepresent="true"/>         </xacml3:apply>         <xacml3:apply functionid="urn:oasis:names:tc:xacml:1.0:function:string-is-in">           <xacml3:attributevalue datatype="http://www.w3.org/2001/xmlschema#string">payrol</xacml3:attributevalue>           <xacml3:attributedesignator category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"  attributeid="http://wso2.org/claims/organization" datatype="http://www.w3.org/2001/xmlschema#string" mustbepresent="true"/>         </xacml3:apply>       </xacml3:apply>     </xacml3:condition>   </xacml3:rule> </xacml3:policy>

note not need condition comparison simple 1 doing. can rewrite entire policy <target/> follows:

<xacml3:policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" policyid="tenant-3" version="1.0" rulecombiningalgid="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">   <xacml3:description></xacml3:description> <xacml3:policydefaults><xacml3:xpathversion>http://www.w3.org/tr/1999/rec-xpath-19991116</xacml3:xpathversion></xacml3:policydefaults>   <xacml3:target>     <xacml3:anyof>       <xacml3:allof>         <xacml3:match matchid="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">           <xacml3:attributevalue datatype="http://www.w3.org/2001/xmlschema#string">/tenant-3/*</xacml3:attributevalue>           <xacml3:attributedesignator category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"  attributeid="urn:oasis:names:tc:xacml:1.0:resource:resource-id" datatype="http://www.w3.org/2001/xmlschema#string" mustbepresent="true"/>         </xacml3:match>       </xacml3:allof>     </xacml3:anyof>   </xacml3:target>   <xacml3:rule ruleid="rule-1" effect="permit">     <xacml3:description></xacml3:description>     <xacml3:target>       <xacml3:anyof>         <xacml3:allof>           <xacml3:match matchid="urn:oasis:names:tc:xacml:1.0:function:string-equal">             <xacml3:attributevalue datatype="http://www.w3.org/2001/xmlschema#string">finance</xacml3:attributevalue>             <xacml3:attributedesignator category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"  attributeid="http://wso2.org/claims/role" datatype="http://www.w3.org/2001/xmlschema#string" mustbepresent="false"/>           </xacml3:match>           <xacml3:match matchid="urn:oasis:names:tc:xacml:1.0:function:string-equal">             <xacml3:attributevalue datatype="http://www.w3.org/2001/xmlschema#string">payrol</xacml3:attributevalue>             <xacml3:attributedesignator category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"  attributeid="http://wso2.org/claims/organization" datatype="http://www.w3.org/2001/xmlschema#string" mustbepresent="false"/>           </xacml3:match>         </xacml3:allof>       </xacml3:anyof>     </xacml3:target>   </xacml3:rule> </xacml3:policy>

here's screenshot in axiomatics policy administration point:

the policy structure in axiomatics policy administration point

note way have typo: payrol should written payroll.


Comments

Post a Comment

Popular posts from this blog

javascript - jquery or ashx not working -

i using ajax file upload control. it creating html: <form action="/pages/handlers/asyncfileuploadhandler.ashx" method="post" enctype="multipart/form-data" target="ajaxuploader-iframe-1397144545"> <input type="hidden" name="type" value="mindvoice"> <input type="file" id="imagefile" style="display: block; width: 80%; margin-right: auto; margin-left: auto;"> </form> and target is: <iframe width="0" height="0" style="display:none;" name="ajaxuploader-iframe-1397144545" id="ajaxuploader-iframe-1397144545"></iframe> the form submitted using .submit() . my ashx handler: <%@ webhandler language="c#" class="asyncfileuploadhandler" %> using system; using system.web; using nettpals.core; public class asyncfileuploadhandler : ihttphandler { public void processre...
Read more

opencv - DataType<cv::detail::deriv_type>::depth what is it used for -

i wondering why line used in lucas kanade tracker in opencv: datatype<cv::detail::deriv_type>::depth can explain me? in opencv, depth of mat refers type of data contained in mat 's data buffer. represented integer values correspond given data type. these integers commonly abstracted appropriate macro definition (e.g. uchar data represented macro cv_8u ). cv::datatype type-traits class provides method obtain corresponding integer value without having memorize macro means data type. there few cases user code needs use datatype::depth . more common datatype::type . a simple example shows 1 possible use of datatype::depth : cv::mat uchar_data = cv::mat::ones(3, 3, cv_8uc1); cv::mat float_data; uchar_data.convertto(float_data, cv::datatype<float>::depth); // ^^ equivalently replaced // cv_32f macro float_data.at<float>(0,1) += 0.5f; std::cout << float_data << std::endl;...
Read more

python 3.x - Mapping specific letters onto a list of words -

can please suggest approach write piece of codes automatically maps letter in letter_str onto dic_key (a dict key string type contains dashes match length of words in word_lst)? so, mapping occurs if letter appears in every words in list @ same position no matter how many words in list. if no letter appears @ position words in word list new_dic_key '----'. please see examples below thanks word_lst = ['ague', 'bute', 'byre', 'came', 'case', 'doze'] dic_key = '----' letters_str ='abcdefghijklmnopqrstuvwxyz' new_dic_key = '---e' if word_list = ['bute', 'byre'] new_dic_key = 'b--e' or word_list = ['drek', 'drew', 'dyes'] new_dic_key = 'd-e-' if words in word_list of same length code give want: word_list = ['drek', 'drew', 'dyes'] cols = [] in range(len(word_list[0])): cols.append([]) word in ...
Read more