How Can I Use Booleans in a XACML Target?

Axiomatics   ·   Tuesday, May 3rd, 2016

The Data Type

The XACML identifier for the boolean data type is http://www.w3.org/2001/XMLSchema#boolean and the values accepted are ‘true’, ‘false’, ‘1’ and ‘0’. Note that booleans have to be specified in lowercase characters, so ‘True’ is considered as ‘false’.

XACML inherits the data type from the XML schema which defines it in this document.

Example Attributes

Booleans are great to express the state of certain objects we are using in access control. For instance, we may want to check whether a document is published. This would lead to the creation of an attribute called isPublished. In XACML, try to follow the same convention as in Java and other programming languages in terms of naming your boolean attributes.

Other uses include the ability to express an age via a boolean rather than via the age itself. For instance an attribute called over18.

Policy Example in ALFA

The Abbreviated Language For Authorization (4,5,6) supports the boolean data type as defined in the OASIS XACML Core Specification. Here follows an example of a simple policy with a rule and a target using boolean attributes: 

namespace exampleBoolean {
    policy documentsAccess {
        target clause itemType=="document" and roleType == “employee”
        apply firstApplicable
        rule readDocument {
            target clause isPublished == true
            permit
        }
    }
}

Caveats

Given that attributes in XACML can be multi-valued (0, 1, or more values), think about what it means to not have a value for a boolean or to have more than 1. For instance if access is allowed if isPublished==true, what happens if there is no value for isPublished? Access would be denied. What happens if isPublished is both true and false? Access would be allowed. What then of negative rules e.g. “Deny if over18 == false”? If we do not know whether the person is over 18, then we will be letting them in. Was that the intended effect?

Think about controlling the number of values for an attribute. This applies to boolean but also other data types. More on that in a future Question of the Week.

Additional Reading

• http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html#_Toc325047233
• https://axiomatics.com/blog/entry/xacml-language-structure.html
• https://en.wikipedia.org/wiki/XACML
• https://axiomatics.com/solutions/products/authorization-for-applications/developer-tools-and-apis/192-axiomatics-language-for-authorization-alfa.html
• https://www.oasis-open.org/committees/download.php/55228/alfa-for-xacml-v1.0-wd01.doc
• https://en.wikipedia.org/wiki/ALFA_(XACML)