Authzforce condition evaluation of matchAny in multi-valued string - authzforce

I'm looking for a way to define a condition in a policy rule, so that when we pass a multiple string value in our certificate and try to authenticate authzforce against that rule, assuming the string value in the condition is equal to one of the string values we passed in the certificate, I want the rule to evaluate to 'true'.
For example if the attribute value of the condition is "DNS:google.com" and the multiple value string we receive from the certificate are: ["DNS:google.nl" ,"DNS:google.com"], I would expect to get the rule evaluated to 'true' as one of those values are equal to the value of the condition ("DNS:google.com").
I tried to achieve this defining a rule with this condition:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DNS:google.com</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:certificate" AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
I used the 'string-is-in' XACML operator in the condition, however the rule evaluates to false.
The attributes I send via the certificate using the crypto library look like this when they reach the PDP:
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:certificate">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DNS:google.com</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:certificate">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> DNS:google.nl</AttributeValue>
</Attribute>
</Attributes>
Right now, the way I defined the condition rule and the the way I sent the multi-string in the certificate, I manage to get the rulet to evaluate to 'true' only if ALL values of the certificate are equal or contain the string value of the condition as a substring. So its more of a "matchAll". That is not what I want - I would like the rule to be evaluated to 'true' if we even have one string on the multi-string in the certificate equal to the string in the condition - meaning a an i'm looking to implement a "matchAny" approach rather than the "matchAll" approach I have here.
Could you please advise me why the rule evaluates to 'false' with my current implementation and how to correct it, using perhaps a different XACML operator?
Pasting the policy below as well as in the comments.
<PolicySet PolicySetId="root" Version="0.1.2" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit"
xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<Target/>
<Policy PolicyId="dbfcb643-cb39-4560-9c11-95112df970d0" Version="0.1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit" MaxDelegationDepth="10">
<Description>Policy for EAP authentications by SAN dns domains</Description>
<Target/>
<Rule RuleId="86ef9adb-2acb-43a1-aac6-b01fdeab9a44" Effect="Permit">
<Description>Permit by certificate's SAN dns domain</Description>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Description>new condition</Description>
<Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">EAP</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:radius-auth-type" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DNS:google.com</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:certificate" AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
</Apply>
</Condition>
<AdviceExpressions>
<AdviceExpression AdviceId="authorization-result" AppliesTo="Permit">
<AttributeAssignmentExpression AttributeId="profile-id">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bbfc5e21-0e9f-40a6-a5c6-fedd921bff2c</AttributeValue>
</AttributeAssignmentExpression>
</AdviceExpression>
</AdviceExpressions>
</Rule>
</Policy>

I found the bug, it was in the way build our request, originally our request was structured it like:
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:certificate">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DNS:google.com</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:certificate">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> DNS:google.nl</AttributeValue>
</Attribute>
</Attributes>`
The way it should be is like:
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:certificate">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DNS:google.com</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> DNS:google.nl</AttributeValue>
</Attribute>
</Attributes>
Meaning the are nesting all the attributes within them rather than wrapping each attribute separately. When I structure the request as the latter the policy evaluation returns 'Permit'.

Related

WSO2 Idenity, XACML Simple Editor, Try It tool - Rules Evaluation

I wrote a basic test case with XACML using the Simple Editor tool.
My rule: "Only doctor can access medical records"
When using the role name "admin", all works OK and the answer from the request is "permit".
Case I update the role, both in the policy and request and set it to the value: "doctor", then the rules engine returns a erroneous "deny". For testing, I've also recorded a user role name with the value "doctor", which is the desired value and added one ID under the WSO2 console.
Why XACML under WSO2 constantly denies any evaluation request when using other role then "doctor"? (see the resulting policy and request statements below)
Policy
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="MedicalRecords" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
<Description>doctors</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">MedicalRecords</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="Rule-1">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doctor</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
</Condition>
</Rule>
<Rule Effect="Deny" RuleId="Deny-Rule"/>
</Policy>
Request
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doctor</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">MedicalRecords</AttributeValue>
</Attribute>
</Attributes>
</Request>
Thanks for feedback and support.
Regards,
Claude
Since you have added http://wso2.org/claims/role as the AttributeId for the subject, following should be your XACML request
<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="http://wso2.org/claims/role" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doctor</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">MedicalRecords</AttributeValue>
</Attribute>
</Attributes>
</Request>
in XAML values are matches against AttributeId, you must use the same AttributeId. Butm you have used urn:oasis:names:tc:xacml:1.0:subject:subject-id as the AttributeId in the request.

WSO2 Identity / XACML Evaluation for Standard Editor / Any Debug Feature Available?

having difficulties to interpret the "Try It" result data from a policy definition made by a WSO2 XACML standard editor.
Questions about the handling of the XACML engine and definitions:
Is there a debug support available that shows the partial results
from each rule and statement evaluation?
Does the boolean logic apply to "or", "and" combinations?
Is there a tool available to modify the default attribute values (string), like for example the use of "current-time" attribute as a valid environment setting?
Policy (typed by Standard Editor)
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="TodaysPolicy1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides" Version="1.0">
<Description>Standard Editor Doctor Rule </Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^(http:)</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="DoctorAdmin">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^(http:)</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
</Apply>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-greater-than">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">07:00:00 05:00</AttributeValue>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-less-than">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">20:00:00 05:00</AttributeValue>
</Apply>
</Apply>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doctor</AttributeValue>
</Apply>
</Apply>
</Condition>
</Rule>
</Policy>
Request (generated by Try It)
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doctor</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">08:00:00 05:00</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:9444/medicalrecords</AttributeValue>
</Attribute>
</Attributes>
</Request>
Results via [Test Evaluate]
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<Result>
<Decision>NotApplicable</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
</Status>
</Result>
</Response>
Thanks in advance for your guidance.
The debug feature is missing indeed in WSO2. I write and test all my policies using the Axiomatics Policy Administration Point and its alfa plugin.
I tried your policy within the PAP. This is what it looks like when expanded inside the PAP.
Now I checked your XACML request too.
There one major reason why your policy won't work.
the policy expects a resource id but your request sends in an environment id.
That said, there are other issues with your policy:
first of all you use a string-regexp-match on resource-id but in fact you should use string-starts-with since what you want to do is check that the string starts with http://. You would also want to make that an anyURI type not a string.
secondly you do the check twice: once in the policy and once in the rule. Once is enough, not twice.
thirdly you compare subject-id to doctor. Doctor is a role not a subject id so create an attribute for that
you use environment-id to convey the current time when in fact there is an attribute in XACML for that called urn:oasis:names:tc:xacml:1.0:environment:current-time.
you use conditions for things you could easily express in a target.
lastly you put too much logic in the condition e.g. the 4 different actions which you could split across 4 rules.

XACML PolicySet and Request with example

I am new in XACML.I am planing to implement RBAC in our organization applications using XACML policy and Wso2 ID server. I had read many articles on creating different different XACML policy using wso2 and I also try many policy example.but after go through all the available example I didn't find proper way to creating XACML policyset and reuest for policy set. I try it by my self to create XACML PolicySet but when I try to execute this policyset in wso2 Id server then it gives me 'not applicable' error every time.I try a lot for creating XACML policyset in different way but when i create request for that then it not gives me proper result.
Help me to give proper example of XACML policyset and it's request.
Here I added my policyset and policy and also it's request. please let me know what was wrong in it.
Role Created in wso2Id is :- testRole
and assign this role to testUser
PolicySet is :-
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides" PolicySetId="PolicySetExample" Version="1.0">
<Description>TestPolicySet</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">H1</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<PolicyIdReference>ComplexPolicy</PolicyIdReference>
</PolicySet>
Policy
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="ComplexPolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides" Version="1.0">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">H1</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="PermitForTestUser">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">index.jsp</AttributeValue>
</Apply>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</AttributeValue>
</Apply>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">testRole</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Apply>
</Apply>
</Condition>
</Rule>
</Policy>
PolicySet Request
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">testU</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">H1</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">index.jsp</AttributeValue>
</Attribute>
</Attributes>
If you are using Policy Set with WSO2IS, Please note following.
You need to publish both Policy Set policy and reference policies in to PDP.
Then you need to enable the Policy Set in the PDP. You can keep the reference policies as disabled policies.
Please refer more detail from here as well
If you are going to implement RBAC and ABAC with WSO2 Identity Server, I recommnad for you to go through this to get more understanding.
I tested your policy using the Axiomatics Policy Server (see screenshot):
I then tested the policy set using our simulator:
I received Indeterminate back as a response. The root cause of the Indeterminate is that your Condition inside the Rule has a flag called MustBePresent set to true on the http://wso2.org/claims/role attribute and that for some reason the evaluation did not retrieve any values.
It seems like the WSO2 IS is not retrieving the values for the role attribute. You want to check your configuration w/in WSO2 IS. Alternatively, test out the Axiomatics Policy Server.
HTH

Multiple Decisions Profile Policy in XACML 3.0

I have requirement to write a policy for the particular user it will return the xacml response like this :
This policy is based on single user : bob
FirstName: Create= true , Read = true, Update = true, Delete = false
MiddleName: Create= true , Read = true, Update = true, Delete = false
LastName: Create= true , Read = true, Update = true, Delete = false
How to write a xacml policy for such requirement and how the request will look like for the same policy.
How to achieve this policy using Axiomatics Alfa plugin and WSO2 identity server.
Let get as following... This policy is based on single user : bob
FirstName: Create= true , Read = true, Update = true, Delete = false
MiddleName: Create= true , Read = true, Update = false, Delete = false
LastName: Create= false , Read = true, Update = false, Delete = false
Following is the policy, policy is based on user ("bob"). Therefore we can take the user name as the policy target and can create three rules. In rules, "FirstName", "MiddleName" and "LastName" have been taken as resources and for each resource, rule has been created.
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="NamePolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bob</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="Rule-1">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">FirstName</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
</Apply>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Apply>
</Condition>
</Rule>
<Rule Effect="Permit" RuleId="Rule-2">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">MiddleName</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Apply>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Apply>
</Condition>
</Rule>
<Rule Effect="Permit" RuleId="Rule-3">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">LastName</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
<Rule Effect="Deny" RuleId="Rule-4"></Rule>
</Policy>
Following is the XACML multiple decision profile request that you can try out. Here, you can change the resource value and see the authorization for each resource. It would return permit result for the actions that are permit for "bob"
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">LastName</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bob</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
</Attribute>
</Attributes>
</Request>
<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">LastName</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bob</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
</Attribute>
</Attributes>
</Request>

Balana and WSO2 Identity Server giving different results

I have a policy and when i run a request in WSO2 Identity Server i get permit decision as expected. But when i create another sample policy from:
http://svn.wso2.org/repos/wso2/carbon/platform/tags/4.0.7/products/is/4.1.0/modules/distribution/conf/policies/sample-kmarket-sliver-policy.xml
And send my same request again, i get following error:
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<Result>
<Decision>Indeterminate</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/>
<StatusMessage>Couldn't find AttributeDesignator attribute</StatusMessage>
<StatusDetail>
<MissingAttributeDetail AttributeId="http://kmarket.com/id/role" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" ></MissingAttributeDetail>
</StatusDetail>
</Status>
</Result>
</Response>
For some reason request is being run against this sample policy instead of my original policy. Now interesting thing is I downloaded Balana (XACML Engine used by WSO2 Identity Server) source code and ran tests with both policies and my request and i am getting Permit as expected. But when i do the same in WSO2 its not working and i am getting Indeterminate error. I tried both 'Try It' feature and 'Evaluate with PDP' with same results.
Here is the request i used, why is this being applied to the sample policy and not my original policy via WSO2 but not Balana?
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:samhsa:names:tc:company:1.0:subject:provider-npi" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">1548797430</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject">
<Attribute AttributeId="urn:samhsa:names:tc:company:1.0:subject:provider-npi" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">1347570297</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:purpose-of-use">
<Attribute AttributeId="urn:samhsa:names:tc:company:1.0:purpose-of-use-code" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">TREAT</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">#outlook.com</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-dateTime" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#dateTime">2013-07-12T00:00:00-04:00</AttributeValue>
</Attribute>
</Attributes>
</Request>
According to the error, it seems that attribute finder is not configure. I guess policy has a attribute id called "http://kmarket.com/id/role" But it is not in the request, so attribute finder is called. you need to register an attribute finder to support it... Please find sample attribute finder from here [1]. In balana sample, this attribute finder has been already there with the sample itself
[1] http://svn.wso2.org/repos/wso2/carbon/platform/tags/4.0.7/components/identity/org.wso2.carbon.identity.samples.entitlement.pip/