authzforce / server

AuthzForce Server (Multi-tenant XACML PDP/PAP - REST API)
https://authzforce-ce-fiware.rtfd.io/
GNU General Public License v3.0

doubts about xacml and orion #57

Closed fernandorr21 closed 4 years ago

fernandorr21 commented 4 years ago

Hello, I would like to carry out two types of policies but I do not achieve them. One would be to make a POST request to Wilma to /v2/entities, where it is intended to create an entity with a series of attributes; the policy that I want to carry out is to restrict this request, for example, a registered user can only create entities if it has as an attribute, for example, user_id = 1234; if it is another value, you do not have permission to create that entity. The other policy that I want to carry out is a GET request; it would be the same case, but knowing that the entity has already been created, now it is intended to obtain the information of said entity, for example the user can only make a GET request to /v2/entities/ if the entity has the attribute id_usr = 1234; in case no entity has said attribute, it does not have permission to see said information.

fernandorr21 commented 4 years ago

I have already done it with a GET request, but with a POST request I don't know how to get the attributes of the body and compare them with certain values in XACML.

cdanger commented 4 years ago

Sorry I can't help much on this. Getting the attributes from the HTTP request (and sending them to AuthzForce) is the job of Wilma proxy, so you'll have to ask the Wilma team, either on their github or Stackoverflow (tag 'fiware-wilma').

fernandorr21 commented 4 years ago

Thanks, you were right, I had to modify pep proxy, but I get an error when creating this policy, would you know why?

curl --location --request POST 'http://localhost:8080/authzforce-ce/domains/B49kCNu2EeqxHQJCrBIBDA/pap/policies' \
--header 'Content-Type: application/xml' \
--data-raw '<?xml version="1.0" encoding="UTF-8"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="f8194af5-8a07-486a-9581-c1f05d05483f" Version="1" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
   <Description>Politicas para escenarios sanitarios</Description>
   <Target />
   <Policy PolicyId="Politica_agentes_iot_hospital_central" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
      <Description>Politicas para el envio de informacion por parte de los agentes iot en el hospital central</Description>
      <Target>
         <AnyOf>
            <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">escenario_sanitario</AttributeValue>
                  <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
               </Match>
            </AllOf>
         </AnyOf>
      </Target>
      <Rule RuleId="Reglas_Agente_IoT_Hospital_Central" Effect="Permit">
         <Description>Regla para agentes IoT Hospital Central</Description>
         <Target>
            <AnyOf>
               <AllOf>
                  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/v2/entities</AttributeValue>
                     <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
                  </Match>
               </AllOf>
            </AnyOf>
            <AnyOf>
               <AllOf>
                  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">POST</AttributeValue>
                     <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
                  </Match>
               </AllOf>
            </AnyOf>
         </Target>
         <Condition>
          <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:and">
               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal" >
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HospitalCentral</AttributeValue>
                  <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:organization" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
               </Apply>
           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal" >
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">123456789F</AttributeValue>
                  <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:id_patient" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
           </Apply>
           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal" >
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">agente1000</AttributeValue>
                  <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:publisher" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
           </Apply>

           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal" >
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">00:1E:C0:25:E6:99</AttributeValue>
                  <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:id_device" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
           </Apply>
              </Apply>              
         </Condition>
      </Rule>
   </Policy>
</PolicySet>'

error: Failed to find a root PolicySet with id = 'f8194af5-8a07-486a-9581-c1f05d05483f', Version=1,EarliestVersion=,LatestVersion=: Matched PolicySet 'f8194af5-8a07-486a-9581-c1f05d05483f' (version 1) is invalid or its content is unavailable

In the condition I want to implement a kind of if: if( (organization == HospitalCentral) && (id_patient == 123456789F) && (id_device == 00:1E:C0:25:E6:99) && (publisher == agente1000) )

I would also like to implement an if: if( ((organization == HospitalCentral) && (id_patient == 123456789F) && (id_device == 00:1E:C0:25:E6:99) && (publisher == agente1000)) || ((organization == HospitalMadrid) && (id_patient == 123456781F) && (id_device == 01:1E:C0:25:E6:99) && (publisher == agente1001)) )

cdanger commented 4 years ago

You cannot apply the string-equal function directly to an AttributeDesignator, which returns a bag of values (a list, so to speak). So you have to wrap each AttributeDesignator in an Apply with the function string-one-and-only, e.g.:

<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"> 
  <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:organization" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
</Apply> 

more info

You could also use string-is-in function instead of string-equal if the attributes can be actually multi-valued.

fernandorr21 commented 4 years ago

Sorry, but I have same error...

curl --location --request POST 'http://localhost:8080/authzforce-ce/domains/B49kCNu2EeqxHQJCrBIBDA/pap/policies' \
--header 'Content-Type: application/xml' \
--data-raw '<?xml version="1.0" encoding="UTF-8"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="f8194af5-8a07-486a-9581-c1f05d054834" Version="1" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
   <Description>Politicas para escenarios sanitarios</Description>
   <Target />
   <Policy PolicyId="escenario_sanitario" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
      <Description>Politicas para el envio de informacion por parte de los agentes iot en el hospital central</Description>
      <Target>
         <AnyOf>
            <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">escenario_sanitario</AttributeValue>
                  <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
               </Match>
            </AllOf>
         </AnyOf>
      </Target>
      <Rule RuleId="Reglas_Agente_IoT_Hospital_Central" Effect="Permit">
         <Description>Regla para agentes IoT Hospital Central</Description>
         <Target>
            <AnyOf>
               <AllOf>
                  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/v2/entities</AttributeValue>
                     <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
                  </Match>
               </AllOf>
            </AnyOf>
            <AnyOf>
               <AllOf>
                  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">POST</AttributeValue>
                     <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
                  </Match>
               </AllOf>
            </AnyOf>
         </Target>
         <Condition>
          <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:and">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" >
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HospitalCentral</AttributeValue>
                  <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:organization" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
               </Apply>
           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" >
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">123456789F</AttributeValue>
                  <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:id_patient" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
           </Apply>
           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" >
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">agente1000</AttributeValue>
                  <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:publisher" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
           </Apply>

           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" >
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">00:1E:C0:25:E6:99</AttributeValue>
                  <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:id_device" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
           </Apply>
           </Apply>
              </Apply>              
         </Condition>
      </Rule>
   </Policy>
</PolicySet>'
cdanger commented 4 years ago

There was a misunderstanding. You must apply string-one-and-only only on the AttributeDesignator, not the AttributeValue. A more complete example to clarify:

<Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:and">
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HospitalCentral</AttributeValue>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
      <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:organization" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
    </Apply>
  </Apply>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">123456789F</AttributeValue>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
      <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:id_patient" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
    </Apply>
  </Apply>

  .... to be completed the same way with the other <Apply>s ...

</Apply>

Btw, to make your life easier, you could convert all that into an extra AnyOf/AllOf inside the Target and get the same result! No need to use string-one-and-only then (a Match can take an AttributeDesignator/AttributeSelector as its second argument). For example:

<Rule RuleId="Reglas_Agente_IoT_Hospital_Central" Effect="Permit">
         <Description>Regla para agentes IoT Hospital Central</Description>
         <Target>
            <AnyOf>
               <AllOf>
                  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/v2/entities</AttributeValue>
                     <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
                  </Match>
               </AllOf>
            </AnyOf>
            <AnyOf>
               <AllOf>
                  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">POST</AttributeValue>
                     <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
                  </Match>
               </AllOf>
            </AnyOf>
            <!-- THE NEW PART CORRESPONDING TO THE CONDITION BEFORE -->
            <AnyOf>
              <AllOf>
                  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HospitalCentral</AttributeValue>
                     <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:organization" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
                  </Match>
                  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">123456789F</AttributeValue>
                     <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:id_patient" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
                  </Match>

                  .... to be completed the same way with the rest...

              </AllOf>  
            </AnyOf>
         </Target>
      </Rule>
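As an added illustration (not code from this issue or from AuthzForce), the following Python models the bag semantics behind the two answers above: why string-equal cannot take an AttributeDesignator directly, what string-one-and-only, string-is-in and string-at-least-one-member-of do with a bag, why a Target Match needs no unwrapping, and how deny-unless-permit turns an Indeterminate (missing or multi-valued attribute) into Deny. The attribute ids are the ones in the thread's policy; the request values, the env_request builder and the treatment of Indeterminate as a Python exception are assumptions of the example.

```python
# Added example (not code from the AuthzForce project or from this issue): a
# small model of XACML 3.0 bag semantics. Attribute ids come from the policy in
# the thread; request values are constructed; "Indeterminate" is modelled as an
# exception, which is what a real PDP reports as an Indeterminate result.
from typing import Callable, Dict, List

ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
ENV_ATTR = "urn:oasis:names:tc:xacml:1.0:environment:"

# A request maps "<category>/<attribute-id>" to a bag of values (a list).
Request = Dict[str, List[str]]


class Indeterminate(Exception):
    """Raised where a real PDP would produce an Indeterminate result."""


def env_request(**attrs) -> Request:
    """Constructed request builder: a str becomes a one-element bag, a list is a bag."""
    return {ENV + "/" + ENV_ATTR + name: (v if isinstance(v, list) else [v])
            for name, v in attrs.items()}


def designator(req: Request, category: str, attr_id: str, must_be_present: bool = False) -> List[str]:
    """AttributeDesignator: always yields a bag, empty when the attribute is absent."""
    bag = req.get(category + "/" + attr_id, [])
    if must_be_present and not bag:
        raise Indeterminate("MustBePresent attribute missing: " + attr_id)
    return bag


def string_one_and_only(bag: List[str]) -> str:
    """Unwraps a bag holding exactly one value; anything else is Indeterminate."""
    if len(bag) != 1:
        raise Indeterminate(f"string-one-and-only: expected 1 value, got {len(bag)}")
    return bag[0]


def string_equal(a: str, b: str) -> bool:
    """string-equal takes two single strings; passing a bag is a type error
    (a real PDP rejects such a policy when it is loaded)."""
    if not (isinstance(a, str) and isinstance(b, str)):
        raise Indeterminate("string-equal applied to a bag")
    return a == b


def string_is_in(value: str, bag: List[str]) -> bool:
    """string-is-in: true if the single value occurs anywhere in the bag."""
    return value in bag


def string_at_least_one_member_of(bag1: List[str], bag2: List[str]) -> bool:
    """Bag-to-bag intersection test; usable only inside a Condition."""
    return any(v in bag2 for v in bag1)


def target_match(value: str, bag: List[str]) -> bool:
    """A Target <Match> compares its AttributeValue against every value of the
    designator bag and is true if any one matches, so no unwrapping is needed."""
    return any(value == v for v in bag)


def is_indeterminate(fn: Callable, *args) -> bool:
    """True if evaluating fn(*args) ends in Indeterminate."""
    try:
        fn(*args)
        return False
    except Indeterminate:
        return True


def env_equals(req: Request, name: str, expected: str) -> bool:
    """string-equal(AttributeValue, string-one-and-only(AttributeDesignator))."""
    return string_equal(expected, string_one_and_only(designator(req, ENV, ENV_ATTR + name)))


def condition_hospital_central(req: Request) -> bool:
    """The 'if' from the issue: all four environment attributes must match.
    Arguments are evaluated left to right and stop at the first False, like
    the XACML and function; an Indeterminate argument propagates."""
    return all(env_equals(req, name, expected) for name, expected in [
        ("organization", "HospitalCentral"), ("id_patient", "123456789F"),
        ("publisher", "agente1000"), ("id_device", "00:1E:C0:25:E6:99")])


def condition_hospital_madrid(req: Request) -> bool:
    """Second branch of the or from the issue."""
    return all(env_equals(req, name, expected) for name, expected in [
        ("organization", "HospitalMadrid"), ("id_patient", "123456781F"),
        ("id_device", "01:1E:C0:25:E6:99"), ("publisher", "agente1001")])


def condition_either_hospital(req: Request) -> bool:
    """or(and(...central...), and(...madrid...)); stops at the first True."""
    return any(c(req) for c in (condition_hospital_central, condition_hospital_madrid))


def decide_deny_unless_permit(req: Request, condition: Callable[[Request], bool]) -> str:
    """deny-unless-permit: only a clean True gives Permit; False and any
    Indeterminate (missing or multi-valued attribute) both end as Deny."""
    try:
        return "Permit" if condition(req) else "Deny"
    except Indeterminate:
        return "Deny"
```

The security-relevant point the model makes visible: with MustBePresent="false" an absent attribute yields an empty bag, string-one-and-only then fails, and under deny-unless-permit that Indeterminate becomes Deny rather than a silent Permit; a rule combining algorithm such as permit-overrides would not give the same guarantee, so the combining algorithm is part of the policy's safety, not just its conditions.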
fernandorr21 commented 4 years ago

Thank you very much, that was it. I want to do it with a Condition to be able to work with the and/or sentences.

cdanger commented 4 years ago

OK. Just so you know:

fernandorr21 commented 4 years ago

True, I think it's better as you say; I'm trying through conditions and it doesn't work out. I will try as you say.


<Condition>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:organization" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HospitalCentral</AttributeValue>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:id_patient" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">123456789F</AttributeValue>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:publisher" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Agente1000</AttributeValue>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:id_device" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">00:1E:C0:25:E6:99</AttributeValue>
        </Apply>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:organization" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HospitalCentral</AttributeValue>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">123456789F</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">987654321A</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">123456789A</AttributeValue>
          </Apply>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:id_patient" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:publisher" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Agente1001</AttributeValue>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">00:1E:C0:25:E6:99</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">00:1E:C0:25:F6:90</AttributeValue>
          </Apply>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:id_device" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
        </Apply>
      </Apply>
    </Apply>
    <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
      <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal" />
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Agente_IoT_Hospital_Central</AttributeValue>
      <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
    </Apply>
    <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:time-in-range">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#time" MustBePresent="true"></AttributeDesignator>
      </Apply>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</AttributeValue>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue>
    </Apply>
  </Apply>
</Condition>
cdanger commented 4 years ago

I see now that you have more complex expressions with string-at-least-one-member-of / string-bag and time-in-range functions. For these you can't use a Target Match (which accepts only one AttributeValue at a time) unfortunately. So a Condition is the only way here.

When you have a HTTP 400 response from the server because the policy is invalid, you can find out the reason in Tomcat logs, as explained in the User Guide.

You can also upgrade to AuthzForce Server 9.0.1 (latest) which now gives more info in the HTTP response.
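To check a policy end to end rather than guessing from an HTTP 400, a small client like the following (an added example, not AuthzForce's own code and not from this issue) builds the XACML Request for the POST /v2/entities case, posts it to the domain's PDP endpoint and reads the Decision; the same transport helper returns the body of a 4xx from the PAP policy upload, so the server's explanation of an invalid policy is visible instead of being lost. BASE_URL and DOMAIN_ID are placeholders, the attribute ids are the ones used in the thread, and the sample Response is constructed.

```python
# Added example, not code from AuthzForce or from this issue: build a XACML 3.0
# <Request> for the POST /v2/entities case, post it to the domain's PDP endpoint
# and read the <Decision>; the upload helper returns the body of a 4xx from the
# PAP so the reason for an invalid policy is visible. BASE_URL and DOMAIN_ID are
# placeholders; attribute ids are from the thread; sample data is constructed.
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
CAT_ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
BASE_URL = "http://localhost:8080/authzforce-ce"  # placeholder
DOMAIN_ID = "YOUR_DOMAIN_ID"                       # placeholder


def q(tag: str) -> str:
    """Tag name qualified with the XACML 3.0 namespace."""
    return "{" + XACML_NS + "}" + tag


def build_request(attributes: dict) -> bytes:
    """{category: {attribute-id: [values]}} -> serialized <Request> (all strings)."""
    ET.register_namespace("", XACML_NS)
    root = ET.Element(q("Request"), {"CombinedDecision": "false", "ReturnPolicyIdList": "false"})
    for category, attrs in attributes.items():
        attrs_el = ET.SubElement(root, q("Attributes"), {"Category": category})
        for attr_id, values in attrs.items():
            attr_el = ET.SubElement(attrs_el, q("Attribute"), {"AttributeId": attr_id, "IncludeInResult": "false"})
            for value in values:
                ET.SubElement(attr_el, q("AttributeValue"), {"DataType": XS_STRING}).text = value
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def request_attribute_values(request_xml: bytes, category: str, attr_id: str) -> list:
    """Read one attribute's values back out of a serialized <Request>."""
    root = ET.fromstring(request_xml)
    for attrs_el in root.findall(q("Attributes")):
        if attrs_el.get("Category") == category:
            for attr_el in attrs_el.findall(q("Attribute")):
                if attr_el.get("AttributeId") == attr_id:
                    return [v.text for v in attr_el.findall(q("AttributeValue"))]
    return []


def parse_decision(response_xml: bytes) -> str:
    """Decision of the single <Result> (this client never asks for multiple decisions)."""
    results = ET.fromstring(response_xml).findall(q("Result"))
    if len(results) != 1:
        raise ValueError(f"expected exactly one Result, got {len(results)}")
    decision = results[0].find(q("Decision"))
    if decision is None or not decision.text:
        raise ValueError("Result without Decision")
    return decision.text.strip()


def hospital_central_post_request() -> bytes:
    """Constructed request that the Permit rule in the thread should accept."""
    env = "urn:oasis:names:tc:xacml:1.0:environment:"
    return build_request({
        CAT_ACTION: {"urn:oasis:names:tc:xacml:1.0:action:action-id": ["POST"]},
        CAT_RESOURCE: {"urn:oasis:names:tc:xacml:1.0:resource:resource-id": ["escenario_sanitario"],
                       "urn:thales:xacml:2.0:resource:sub-resource-id": ["/v2/entities"]},
        CAT_ENV: {env + "organization": ["HospitalCentral"], env + "id_patient": ["123456789F"],
                  env + "publisher": ["agente1000"], env + "id_device": ["00:1E:C0:25:E6:99"]},
    })


def post_xml(url: str, body: bytes) -> tuple:
    """POST application/xml and return (status, body) even for 4xx/5xx."""
    http_req = urllib.request.Request(url, data=body, method="POST",
                                      headers={"Content-Type": "application/xml", "Accept": "application/xml"})
    try:
        with urllib.request.urlopen(http_req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def upload_policy(policy_xml: bytes, base_url: str = BASE_URL, domain_id: str = DOMAIN_ID) -> tuple:
    """PAP endpoint used by the curl commands in the thread; inspect the body on 400."""
    return post_xml(f"{base_url}/domains/{domain_id}/pap/policies", policy_xml)


def ask_pdp(request_xml: bytes, base_url: str = BASE_URL, domain_id: str = DOMAIN_ID) -> str:
    """PDP endpoint of the same domain; returns "Permit", "Deny", etc."""
    status, body = post_xml(f"{base_url}/domains/{domain_id}/pdp", request_xml)
    if status != 200:
        raise RuntimeError(f"PDP returned HTTP {status}: {body.decode(errors='replace')}")
    return parse_decision(body)


# Constructed sample of a PDP answer, used for the offline check.
SAMPLE_PERMIT_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Result>
    <Decision>Permit</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
  </Result>
</Response>"""
```

With a server running, upload_policy(policy_bytes) returns the HTTP status and body of the PAP call (the body is where an invalid policy is explained), and ask_pdp(hospital_central_post_request()) should return "Permit" once the policy has loaded; sending a second request with one attribute removed is a quick way to confirm the rule really falls through to Deny.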

fernandorr21 commented 4 years ago

Fixed it, it was a little mistake. Another thing: I want a role to only be able to request GET if the URL is /v2/entities or /v2/entities?q=organization:Hosp. For example, if I do a GET to /v2/entities?q=organization:Hosp2 it should be rejected; I am doing multiple tests like this, but I can't.

         <Description>Reglas</Description>
         <Target>
            <AnyOf>
               <AllOf>
                  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
                     <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
                  </Match>
               </AllOf>
            </AnyOf>
         </Target>
         <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/v2/entities?q=organization:Hosp</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/v2/entities</AttributeValue>
               </Apply>
               <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
            </Apply>
         </Condition>
fernandorr21 commented 4 years ago

organization is an attribute of several entities

fernandorr21 commented 4 years ago

Sorry, another question: if for example there are several entities and each one has an id, how could you indicate in XACML in resource-id that an id can be accessed? For example, the resource is /v2/entities/id3; I would like to indicate, for example, /v2/entities/ and all its children.

cdanger commented 4 years ago

Please create a new issue or use the mailing list for this one. This is off topic.