
match evaluation of multiple multi-valued attributes


The XACML 3.0 specs state that for <Match> evaluation "the MatchId function SHALL be applied between the <AttributeValue> and each element of the bag returned from the <AttributeDesignator> or <AttributeSelector> element." 7.6 Match evaluation

In the case that, for example, the attribute access-subject / subject-id returns a bag with more than one value, one should iterate over these members until the matching function returns true. This is clear and obvious. Now consider the case where the <AllOf> element has two <Match>es, as in conformance test IIA007Policy.xml (see below): it has a Match on access-subject / subject-id being equal to "Julius Hibbert" and access-subject / some-attribute being equal to "riddle me this".

Now assume that in a request there are two attributes having multiple members; how should the match be evaluated now? Attribute1 has bag [1, 2, 3] and attribute2 has bag [a, b]. One can start processing the members from the first attribute until a true is returned and then continue with processing the next attribute etc., but that would not cover all possible outcomes. Or should the matching functions be applied to all combinations of the members from the two bags [{1,a},{1,b},{2,a},{2,b},{3,a},{3,b}]? With large bags and/or many attributes, this will lead to a large set of combinations to process!

The specs, as far as I know, give no clue as to how the situation is handled when two or more attributes return bags with multiple members within the same <AllOf> element. My questions are:

  • did I miss something in the specs?
  • is my interpretation correct?
  • how is this handled in real implementations?

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA007:policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0" xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:policy:schema:os         access_control-xacml-2.0-policy-schema-os.xsd">
    <Description>
        Policy for Conformance Test IIA007.
    </Description>
    <Target/>
    <Rule Effect="Permit" RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA007:rule">
        <Description>
            Julius Hibbert can read or write Bart Simpson's medical record.
        </Description>
        <Target>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Julius Hibbert</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Match>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">riddle me this</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:some-attribute" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Match>
                </AllOf>
            </AnyOf>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/BartSimpson</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="true"/>
                    </Match>
                </AllOf>
            </AnyOf>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Match>
                </AllOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Match>
                </AllOf>
            </AnyOf>
        </Target>
    </Rule>
</Policy>

David Brossard On BEST ANSWER

If you have a policy that states (using ALFA notation):

 policy example{
     target clause role == "manager" and department == "sales"
     apply firstApplicable
     rule allow{
         permit
     }
 }

If the request you send contains 2 values for role ("manager" and "employee") and 3 values for department ("sales", "engineering", "finance"), then the response will be Permit. In plain old English, your question would be: "Can the user who happens to be a manager and an employee, and who belongs to the sales, engineering, and finance departments, do X?"

The way the policy will be evaluated is that each match will be handled one after the other, independently:

  1. Is there at least one value equal to manager? Yes, there is. The first match is true.
  2. Is there at least one value equal to sales? Yes, there is. The second match is true.

It does not matter that there is an AllOf (or an AnyOf). Each match is first handled independently. The spec is quite clear on that.

cdan On

No, the Match does not apply to all combinations from the two attribute bags, because they have different AttributeIds. A Match applies only to the one AttributeId (and Category and DataType and optional Issuer) specified in the AttributeDesignator. If the AttributeDesignator in the Match has AttributeId='attribute1', it only applies to attribute 'attribute1'; it does not care about the others. Then, a Match always evaluates to True (if and only if any of the attribute values matched), or False, or Indeterminate.

Then, what the AllOf combines is just the Trues/Falses/Indeterminates returned by the Matches. The combination algorithm is defined in section 7.7 (Target evaluation) of the XACML spec. In the tables, it says "Match" for True and "No Match" for False (don't ask me why they didn't just say True or False; I am not one of the authors). So, for example, if all Matches return True, then AllOf returns True. But if at least one Match returns False, then AllOf returns False. (And you have the special case for Indeterminate.) So you may understand that the combination is actually more basic than what you had in mind, I guess.
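Both answers describe the same evaluation order: each Match is evaluated against its own designator's bag (section 7.6), and only the resulting Match / No Match / Indeterminate values are combined by the section 7.7 tables. The following Python is an added illustration of that order, not code from the page or from any XACML engine; the function names and the dict-of-bags request format are my own, and an Indeterminate raised by the MatchId function itself (e.g. a datatype error) is not modelled. The counter shows that the cost is the sum of the bag sizes, not the product the question feared.

```python
MATCH, NO_MATCH, INDET = "Match", "No Match", "Indeterminate"  # wording of the 7.7 tables

def designator(request, category, attr_id, must_be_present):
    # 5.29: missing attribute -> Indeterminate if MustBePresent="true", else an empty bag
    bag = request.get((category, attr_id))
    return list(bag) if bag is not None else (INDET if must_be_present else [])

def eval_match(fn, value, bag, calls):
    # 7.6: apply the MatchId function between the AttributeValue and EACH element of
    # this Match's own bag (no other bag is involved); True if any application is true.
    if bag == INDET:
        return INDET
    hits = [fn(value, element) for element in bag]
    calls[0] += len(hits)                    # cost grows with this bag's size only
    return MATCH if any(hits) else NO_MATCH

def combine_all(results):
    # 7.7 AllOf (and Target) row: all Match -> Match; any No Match -> No Match; else Indeterminate
    if all(r == MATCH for r in results):
        return MATCH
    return NO_MATCH if any(r == NO_MATCH for r in results) else INDET

def combine_any(results):
    # 7.7 AnyOf row: any Match -> Match; all No Match -> No Match; else Indeterminate
    if any(r == MATCH for r in results):
        return MATCH
    return NO_MATCH if all(r == NO_MATCH for r in results) else INDET

def eval_target(target, request):
    # target = [AnyOf]; AnyOf = [AllOf]; AllOf = [(fn, value, category, attr_id, must_be_present)]
    calls = [0]                              # counts MatchId function applications
    result = combine_all([
        combine_any([
            combine_all([eval_match(fn, v, designator(request, cat, aid, mbp), calls)
                         for fn, v, cat, aid, mbp in all_of])
            for all_of in any_of])
        for any_of in target])
    return result, calls[0]

SUBJ = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
SOME_ATTR = "urn:oasis:names:tc:xacml:2.0:conformance-test:some-attribute"
string_equal = lambda a, b: a == b
# The subject <AnyOf><AllOf> of the IIA007 rule target quoted in the question.
IIA007_SUBJECT_TARGET = [[[(string_equal, "Julius Hibbert", SUBJ, SUBJECT_ID, True),
                           (string_equal, "riddle me this", SUBJ, SOME_ATTR, True)]]]
# Constructed request: subject-id carries 3 values, some-attribute carries 2.
REQUEST = {(SUBJ, SUBJECT_ID): ["Homer Simpson", "Marge Simpson", "Julius Hibbert"],
           (SUBJ, SOME_ATTR): ["something else", "riddle me this"]}
```

With the constructed request, eval_target returns ("Match", 5): three applications for the first Match plus two for the second, never the six pairings; dropping some-attribute from the request turns the second Match, and hence the AllOf, into Indeterminate because MustBePresent is true.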