Here is an example of an XACML policy which addresses the following requirement: a given resource can be accessed only by a user belonging to a particular role, and all requests to access any other resource should fail.
Code Block |
---|
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="urn:sample:xacml:2.0:samplepolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"> xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"> <Description>Sample XACML Authorization Policy</Description> <Target> <Subjects> <AnySubject /> </Subjects> <Actions> <AnyAction /> </Actions> <Resources> <AnyResource /> </Resources> </Target> <Target></Target> <Rule Effect="Permit" RuleId="primary-group-rule"> <Target> <Subjects> <AnySubject<Resources> /> </Subjects> <Resources> <Resource> <ResourceMatch <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue> </AttributeValue> <ResourceAttributeDesignator <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" />></ResourceAttributeDesignator> </ResourceMatch> </Resource> </Resources> <Actions> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue> <ActionAttributeDesignator <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" />></ActionAttributeDesignator> </ActionMatch> </Action> </Actions> </Target> <Condition> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue> </Apply> <SubjectAttributeDesignator AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string" />></SubjectAttributeDesignator> </Apply> </Condition> </Rule> <Rule Effect="Deny" RuleId="deny-rule" ></>Rule> </Policy> |
The following are a few valid requests which will result in "Permit/Not Applicable/Deny" once evaluated against the above policy.
...