Is policy applicable to only full set or also subsets of attributes


I am looking at the XACMLv3 specs and have a question about the applicability of policies and policy sets in case one of the combining algorithms allows for the situation that underlying rules or policies act on different sets of attributes from the request, returning a valid response. For example, a policy would define two rules with the first rule acting upon the attributes [A, B, C], the second rule would act upon attributes [A, B, D] and the rule combining algorithm is First-applicable. My question is what set of attributes the policy is applicable to: is it only applicable to the full set of attributes [A, B, C, D] or also to the subsets [A, B, C] and [A, B, D]: i.e. is this policy selected for evaluation in case the set of attributes is the full set or is it also evaluated for the subsets? Sections 2.2 and 2.3 mention nothing about this.

3

There are 3 best solutions below

1
Jayanta Debnath On

Please check section C.8 for the complete pseudocode:

Decision firstApplicableEffectRuleCombiningAlgorithm(Rule[] rules)
{
    for( i = 0 ; i < lengthOf(rules) ; i++ )
    {
        Decision decision = evaluate(rules[i]);
        if (decision == Deny)
        {
            return Deny;
        }
        if (decision == Permit)
        {
            return Permit;
        }
        if (decision == NotApplicable)
        {
            continue;
        }
        if (decision == Indeterminate)
        {
            return Indeterminate;
        }
    }
    return NotApplicable;
}

That means in your case the first rule is evaluated (which means the attributes [A, B, C] will be applicable):

-- if it returns "Permit" or "Deny", then it won't go further to evaluate the second rule (which means the attributes [A, B, D] won't be evaluated).

-- if it returns "NotApplicable", then it will go further to evaluate the second rule (which means the attributes [A, B, D] will be applicable).

I actually use this free XACML Editor myself. It's a great, easy-to-use, GUI-based and syntax-guided editor to create XACML documents very conveniently. All you need to do is create an account on their website and then you can download it.

P.S. I work for the company that provides this XACML Editor.

1
David Brossard On

The PDP will attempt to match the incoming request against rule 1; if there is a match, the PDP will reply with Permit or Deny and the evaluation stops. If rule 1 does not match, the PDP attempts to match with rule 2. If there is a match, the PDP replies with Permit or Deny. If neither rule 1 nor rule 2 matches, the PDP returns NotApplicable.

5
cdan On

A Policy(Set) is selected for evaluation if and only if its <Target> matches the request, regardless of any child Rule, Policy, etc. inside.

In your case, if the request attributes are:

  • subject-organization = 'Acme'
  • subject-role = 'role1'
  • subject-auth-method = 'basic'
  • resource-id = 'res1'
  • action-id = 'read'

... but the policy's Target is: subject-organization = 'Wayne' and subject-role = 'role2' (using a XACML AllOf for the AND), then the policy will not be selected for evaluation, even if the policy has a rule rule1 with a Target matching all the last 3 attributes of the request:

subject-auth-method = 'basic' and resource-id = 'res1' and action-id = 'read'

No rule in the policy will be evaluated.
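To see both points together (the Policy's own Target gating selection, as in this answer, and the C.8 first-applicable combining of rules over different attribute subsets, as in the first answer), here is an added toy model in Python that is not part of the thread or of any XACML implementation. The attribute names and values follow this answer and are constructed; a Target is modelled as a list of AllOf dicts.

```python
# Added example (not from the question or answers): a toy model of XACML
# Target matching and the C.8 first-applicable rule-combining algorithm.
# Attribute names/values follow cdan's answer and are constructed here.
PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

def target_matches(target, request):
    """Target = OR (AnyOf) over AllOf dicts; an empty Target matches everything.
    Assumption: a missing request attribute is a non-match (a real PDP may
    instead return Indeterminate depending on MustBePresent)."""
    if not target:
        return True
    return any(all(request.get(a) == v for a, v in allof.items()) for allof in target)

def evaluate_rule(rule, request):
    """A Rule yields its Effect only when its own Target matches."""
    return rule["effect"] if target_matches(rule["target"], request) else NOT_APPLICABLE

def first_applicable(rules, request):
    """C.8: return the first Permit/Deny/Indeterminate, skipping NotApplicable."""
    for rule in rules:
        decision = evaluate_rule(rule, request)
        if decision != NOT_APPLICABLE:
            return decision
    return NOT_APPLICABLE

def evaluate_policy(policy, request):
    """The Policy is selected only if its own Target matches (cdan's point);
    only then are its rules combined (the first answer's point)."""
    if not target_matches(policy["target"], request):
        return NOT_APPLICABLE
    return first_applicable(policy["rules"], request)

# Constructed data: rule1 acts on [role, resource, action], rule2 on
# [role, resource, auth-method], i.e. two different attribute subsets.
REQUEST = {"subject-organization": "Acme", "subject-role": "role1",
           "subject-auth-method": "basic", "resource-id": "res1", "action-id": "read"}
RULES = [
    {"effect": PERMIT, "target": [{"subject-role": "role1", "resource-id": "res1", "action-id": "read"}]},
    {"effect": DENY, "target": [{"subject-role": "role1", "resource-id": "res1", "subject-auth-method": "basic"}]},
]
# Target Wayne/role2 does not match the request: policy never selected, no rule runs.
WAYNE_POLICY = {"target": [{"subject-organization": "Wayne", "subject-role": "role2"}], "rules": RULES}
# Target Acme matches: rule1 is applicable and wins, rule2 is never evaluated.
ACME_POLICY = {"target": [{"subject-organization": "Acme"}], "rules": RULES}
if __name__ == "__main__":
    print(evaluate_policy(WAYNE_POLICY, REQUEST))  # NotApplicable
    print(evaluate_policy(ACME_POLICY, REQUEST))  # Permit
    print(evaluate_policy(ACME_POLICY, {**REQUEST, "action-id": "write"}))  # Deny (via rule2)
```

Changing the request's action-id to 'write' makes rule1 NotApplicable, so the PDP falls through to rule2 and its different attribute subset decides the outcome.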