Sep 6, 2018 · 2 min read
Great article with great insights on how ABAC is used in a well known application. I like the examples and the description of the ABAC flow of authorizing access to a file. The use case example is very similar to examples I use every day myself (access to a file you own). It's a relational type of authorization policy that is common and, from a policy perspective, very easy to solve with ABAC but not so much with other authorization models.
Since I work with ABAC, and specifically XACML, all day every day, I had a couple of comments:
- The PRP component is actually not a part of the XACML standard. I believe it stems from Axiomatics historically where a previous version of the Axiomatics Policy Server (APS) used a component called PRP but it is not described by the XACML specification.
- Related to the PRP, in the flow, you show that policies are loaded from the PRP when a request hits the PDP. This seems highly inefficient. It would be much more efficient to load the entire policy into memory when the PDP starts instead of loading it on demand for each request.
- There is no official specification for encoding policies in JSON. There is, however, the JSON profile of XACML that defines how a XACML authorization request can be JSON encoded (as well as the response). A common way is to use ALFA to author policies and, as you mention, use JSON for Request/Response. There's a recording on this very topic here: https://www.youtube.com/watch?v=0AKY_yD6htw&t=50s
- Indeterminate decisions usually happen when there is an error in the PDP when evaluating a request. You mention that it can happen “if the matching algorithm results in two different matching rules with differing responses and no clear way to decide which one is more important”. If that's the case, the policy would not be conforming to the XACML standard, as there would have to be a combining algorithm to solve that conflict. A much more common scenario for Indeterminate is that you are trying to use a function on an attribute (bag) and the attribute contains no value, or that you are trying to use a string function on an integer or similar.
Looking forward to the future post on build vs. buy.
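As an added illustration (not part of the comment or of the article it responds to), a small Python model of the points raised above: a "file you own" request encoded in the XACML JSON profile layout, a one-and-only function that yields Indeterminate when the attribute bag is empty, and a combining algorithm that resolves two conflicting rules instead of returning Indeterminate. The attribute id `urn:example:file-owner`, the two rules, and the simplified deny-overrides combiner are constructed for this example and are not taken from any product or from the specification text.

```python
import json
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
FILE_OWNER = "urn:example:file-owner"  # constructed attribute id for the example, not a standard one

class Indeterminate(Exception):
    """A XACML function could not be evaluated (here: one-and-only applied to an empty bag)."""

def make_request(subject_id, action, owner=None):
    """Constructed request in the XACML JSON profile layout (Request > category > Attribute list)."""
    resource = [] if owner is None else [{"AttributeId": FILE_OWNER, "Value": owner}]
    return json.dumps({"Request": {
        "AccessSubject": {"Attribute": [{"AttributeId": SUBJECT_ID, "Value": subject_id}]},
        "Resource": {"Attribute": resource},
        "Action": {"Attribute": [{"AttributeId": ACTION_ID, "Value": action}]},
    }})

def bag(request, category, attribute_id):
    """Attribute designator: the bag of values for an attribute, possibly empty."""
    return [a["Value"] for a in request["Request"][category]["Attribute"] if a["AttributeId"] == attribute_id]

def one_and_only(values):
    """string-one-and-only semantics: a bag without exactly one value is an evaluation error."""
    if len(values) != 1:
        raise Indeterminate(f"expected exactly one value, got {len(values)}")
    return values[0]

def rule_owner_may_access(request):
    """Relational rule: Permit when the requesting subject is the owner of the file."""
    subject = one_and_only(bag(request, "AccessSubject", SUBJECT_ID))
    return PERMIT if subject == one_and_only(bag(request, "Resource", FILE_OWNER)) else NOT_APPLICABLE

def rule_no_delete(request):
    """Deny deletes for everyone, the owner included; this conflicts with the rule above."""
    return DENY if "delete" in bag(request, "Action", ACTION_ID) else NOT_APPLICABLE

def evaluate(request_json, rules=(rule_owner_may_access, rule_no_delete)):
    """Simplified deny-overrides: Deny wins; any evaluation error is a plain Indeterminate (no {D/P/DP} variants)."""
    request = json.loads(request_json)
    decisions = []
    for rule in rules:
        try:
            decisions.append(rule(request))
        except Indeterminate:  # evaluation error inside a rule, not a conflict between rules
            decisions.append(INDETERMINATE)
    for outcome in (DENY, INDETERMINATE, PERMIT):
        if outcome in decisions:
            return outcome
    return NOT_APPLICABLE
```

With the owner attribute present, the conflicting Permit and Deny for a delete are resolved by the combining algorithm; only the request with no owner value at all ends in Indeterminate.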