CrowdStrike joins the Axiomatics partner community with risk-based authorization for enterprise Learn more  

Do Attribute Data Types Matter?

Yes, they do, they absolutely do. There are several data types defined in the XACML specification. The X in XACML is short for eXtensible, meaning that it is possible to extend the specification and with that it is actually possible to define custom data types and functions to use with those custom data types.

The most common data types are string, integer, double, boolean, date, dateTime, time and anyURI. Most of them follow the W3C schema for built in datatypes but some are defined by the XACML standard. More details in the Data-types section of the XACML specification available here.

Several aspects define an attribute when a request is constructed by the Policy Enforcement Point (PEP) and sent to the Policy Decision Point (PDP). AttributeId, DataType, Issuer and Category are the building blocks that make up and define the Attribute.

It is critical that the attribute in the request also matches what is defined in the policy. Let us take a security classification scenario as an example. In a request the PEP would pass the following details for an Attribute (Issuer is not mandatory and omitted in the example):

AttributeId: com.axiomatics.attributes.clearance
DataType: string
Category: access-subject

The policy that is defined and in place in the PDP that the PEP is sending the request to is defined as (pseudo policy):

A user can edit records if com.axiomatics.attributes.clearance == com.axiomatics.attributes.recordClassification

Clearance that is used in the policy and in use by the PDP might be defined like this:

AttributeId: com.axiomatics.attributes.clearance
DataType: integer
Category: access-subject

The PDP would then receive the clearance attribute of data type string. However there is nothing in the policy using the attribute clearance of data type string, so the PDP will simply not match the condition (or target) and instead continue its evaluation. This might result in a NotApplicable result back from the PDP or could even result in Indeterminate depending on the policy (rules) in place and what functions that are used to process the attributes that are passed in where the data type does not match.

So the bottom line is that all aspects of the attributes that are in use in a policy are important and that includes the data type. Make sure that when an attribute is passed as part of a request from the PEP to the PDP that the data type is defined correctly.

Archived under:
  Join us on LinkedIn for more insights
About the author