An ABAC permission can now be set on a user, a role or anybody.
For a decision request about a user or a role, it works the same way has
regular RBAC permissions execpt that moreover the ABAC rule must be
satisfied.
For permissions on anyone, it means that ACS is combined with a system
able to maintain sessions without authentication. The owner of such a
session must be able to bring (certified) attributes. It can then be granted
the permissions that have ABAC rules that are satisfied.
The following options for dealing with multivalued attributes in comparison are now supported:
All:
NO_MULTIVALUES
Both operand are single valued attributes
Equality:
EQUAL_ONE_VALUE
At least one value of the values of OP1 is equal to one value of the values of OP2
EQUAL_OP1_SUBSET_OP2
The values of OP1 is is a subset of the values of OP2
EQUAL_EXACT_MATCH
Equal set of values
Diff strict:
DIFF_ALL_OP1_WITH_UPPER_LIMIT_OP2
ACS_XACML_COMPARISON_INTEGER_LT
All values of OP1 must be less than the highest value of OP2
ACS_XACML_COMPARISON_INTEGER_GRT
All values of OP1 must be greater than the highest value of OP2
DIFF_ALL_OP1_WITH_BOTTOM_LIMIT_OP2
ACS_XACML_COMPARISON_INTEGER_LT
All values of OP1 must be less than the smallest value of OP2
ACS_XACML_COMPARISON_INTEGER_GRT
All values of OP1 must be greater than the smallest value of OP2
DIFF_ONE_OP1_WITH_UPPER_LIMIT_OP2
ACS_XACML_COMPARISON_INTEGER_LT
At least one value of OP1 must be less than the highest value of OP2
ACS_XACML_COMPARISON_INTEGER_GRT
At least one value of OP1 must be greater than the highest value of OP2
DIFF_ONE_OP1_WITH_BOTTOM_LIMIT_OP2
ACS_XACML_COMPARISON_INTEGER_LT
At least one value of OP1 must be less than the smallest value of OP2
ACS_XACML_COMPARISON_INTEGER_GRT
At least one value of OP1 must be greater than the smallest value of OP2
Diff or equal:
Same as for strict and equality is treated as follows:
DIFF_ALL_OP1_WITH_UPPER_LIMIT_OP2
ACS_XACML_COMPARISON_INTEGER_LT_OE
All values of OP1 must be less than or equal to the highest value of OP2
ACS_XACML_COMPARISON_INTEGER_GRT_OE
All values of OP1 must be greater than or equal to the highest value of OP2
DIFF_ALL_OP1_WITH_BOTTOM_LIMIT_OP2
ACS_XACML_COMPARISON_INTEGER_LT_OE
All values of OP1 must be less than or equal to the smallest value of OP2
ACS_XACML_COMPARISON_INTEGER_GRT_OE
All values of OP1 must be greater than or equal to the smallest value of OP2
DIFF_ONE_OP1_WITH_UPPER_LIMIT_OP2
ACS_XACML_COMPARISON_INTEGER_LT_OE
At least one value of OP1 must be less than or equal to the highest value of OP2
ACS_XACML_COMPARISON_INTEGER_GRT_OE
At least one value of OP1 must be greater than or equal to the highest value of OP2
DIFF_ONE_OP1_WITH_BOTTOM_LIMIT_OP2
ACS_XACML_COMPARISON_INTEGER_LT_OE
At least one value of OP1 must be less than or equal to the smallest value of OP2
ACS_XACML_COMPARISON_INTEGER_GRT_OE
At least one value of OP1 must be greater than or equal to the smallest value of OP2
To deal with richer comparison and equality of multivalued attributes, a 'or' statement should be used
The following options for dealing with multivalued attributes in comparison are now supported:
All:
NO_MULTIVALUES
Both operand are single valued attributes
Equality:
EQUAL_ONE_VALUE
At least one value of the values of OP1 is equal to one value of the values of OP2
EQUAL_OP1_SUBSET_OP2
The values of OP1 is is a subset of the values of OP2
EQUAL_EXACT_MATCH
Equal set of values
Diff strict:
DIFF_ALL_OP1_WITH_UPPER_LIMIT_OP2
ACS_XACML_COMPARISON_INTEGER_LT
All values of OP1 must be less than the highest value of OP2
ACS_XACML_COMPARISON_INTEGER_GRT
All values of OP1 must be greater than the highest value of OP2
DIFF_ALL_OP1_WITH_BOTTOM_LIMIT_OP2
ACS_XACML_COMPARISON_INTEGER_LT
All values of OP1 must be less than the smallest value of OP2
ACS_XACML_COMPARISON_INTEGER_GRT
All values of OP1 must be greater than the smallest value of OP2
DIFF_ONE_OP1_WITH_UPPER_LIMIT_OP2
ACS_XACML_COMPARISON_INTEGER_LT
At least one value of OP1 must be less than the highest value of OP2
ACS_XACML_COMPARISON_INTEGER_GRT
At least one value of OP1 must be greater than the highest value of OP2
DIFF_ONE_OP1_WITH_BOTTOM_LIMIT_OP2
ACS_XACML_COMPARISON_INTEGER_LT
At least one value of OP1 must be less than the smallest value of OP2
ACS_XACML_COMPARISON_INTEGER_GRT
At least one value of OP1 must be greater than the smallest value of OP2
Diff or equal:
Same as for strict and equality is treated as follows:
DIFF_ALL_OP1_WITH_UPPER_LIMIT_OP2
ACS_XACML_COMPARISON_INTEGER_LT_OE
All values of OP1 must be less than or equal to the highest value of OP2
ACS_XACML_COMPARISON_INTEGER_GRT_OE
All values of OP1 must be greater than or equal to the highest value of OP2
DIFF_ALL_OP1_WITH_BOTTOM_LIMIT_OP2
ACS_XACML_COMPARISON_INTEGER_LT_OE
All values of OP1 must be less than or equal to the smallest value of OP2
ACS_XACML_COMPARISON_INTEGER_GRT_OE
All values of OP1 must be greater than or equal to the smallest value of OP2
DIFF_ONE_OP1_WITH_UPPER_LIMIT_OP2
ACS_XACML_COMPARISON_INTEGER_LT_OE
At least one value of OP1 must be less than or equal to the highest value of OP2
ACS_XACML_COMPARISON_INTEGER_GRT_OE
At least one value of OP1 must be greater than or equal to the highest value of OP2
DIFF_ONE_OP1_WITH_BOTTOM_LIMIT_OP2
ACS_XACML_COMPARISON_INTEGER_LT_OE
At least one value of OP1 must be less than or equal to the smallest value of OP2
ACS_XACML_COMPARISON_INTEGER_GRT_OE
At least one value of OP1 must be greater than or equal to the smallest value of OP2
To deal with richer comparison and equality of multivalued attributes, a 'or' statement should be used
The attribute single_value is added to PredicateRequired model to indicate
that each source satisfying this predicate must provide an attribute with a
single value.
The attributes operand1_single_value and operand2_single_value are added
to PredicateComparison to enforce than a unique value must be provided
to have the predicate evaluated.
We need to substitute number by other in a string. To avoid case where the
substitution string will match another substitution, a preliminary
substitution with random strings is done. Then, random strings are substituted
by the final strings.
- A root ABAC admin role has been created
- Each policy has an ABAC admin role
- Add interface to give this role to administrators
- Add items on the modify policy view to add or remove ABAC permissions
- Manage deletion of ABAC permissions
- Files for the administration to add ABAC permissions created,
but not yet implemented
The following options to compare attributes are now supported:
All:
NO_MULTIVALUES,
Equality:
EQUAL_ONE_VALUE, EQUAL_OP1_SUBSET_OP2,
EQUAL_EXACT_MATCH,
Diff strict:
DIFF_ONE_VALUE, DIFF_ALL_VALUES,
Diff or equal:
DE_ONE_VALUE_ONE_VALUE, DE_ONE_VALUE_OP1_SUBSET_OP2,
DE_ONE_VALUE_EXACT_MATCH, DE_ALL_VALUES_ONE_VALUE,
DE_ALL_VALUES_OP1_SUBSET_OP2, DE_ALL_VALUES_EXACT_MATCH
The namespace declarations and the attribute mappings between namespaces
are defined in two JSON files that can be edited.
The script load-abac is used to add these definitions to the database.
Mikaël Ates