# Prior Art

## XACML/ALFA

### Summary

XACML/ALFA is capable of:

1. Sending a yes/no (binary) question, e.g. "Can Alice view doc #123?"
2. Producing a response that must include a decision (Permit, Deny, Not Applicable, or Indeterminate). It may also include:
   1. the list of policy identifiers used
   2. additional statements (called obligations and advice) that make the client (PEP) do more things, e.g. "Permit + trigger MFA" or "Deny and notify the manager"
3. The API spec also allows multiple questions to be asked in a single request, for instance "Can Alice view, edit, delete documents 1, 2, and 3?". The request contains metadata that dictates how decisions should be returned:
   1. the response contains as many decisions as questions (9 in this example), or
   2. a specific combination as specified in the request, e.g. view doc 1 and edit/delete docs 2 and 3 (5 decisions), or
   3. a single decision that is the result of combining all decisions into one (1 decision)

XACML/ALFA is not capable of partial evaluation/reverse query/search. Vendors such as Axiomatics have implemented their own proprietary approach.
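The points above are what a client (PEP) has to get right: only `Permit` may grant access, the other three decisions fail closed, and a `Permit` that carries obligations the PEP does not understand or cannot discharge must also be treated as a denial (the core spec requires this of a PEP). The following Python is an added example written for this page, not code from OASIS, Axiomatics or the page itself. It builds a request in the shape of the page's sample (the attribute ids `user.employeeId`, `object.objectType`, `record.recordId` and `action.actionId` are taken from that sample), enforces a response in the JSON profile layout (which spells the third decision `NotApplicable`), and collapses several decisions into one in the deny-overrides style of item 3.3. The obligation id `urn:example:obligation:require-mfa`, its attribute id, the sample response and the simplified combining order are all constructed for the example.

```python
"""PEP-side handling of an XACML JSON-profile exchange (added example)."""
import json
from typing import Callable

# Attribute ids taken from the page's sample request.
SUBJECT_ID = "user.employeeId"
RESOURCE_TYPE_ID = "object.objectType"
RESOURCE_ID = "record.recordId"
ACTION_ID = "action.actionId"


def build_request(employee_id: str, object_type: str, record_id: str,
                  action: str, return_policy_ids: bool = False) -> dict:
    """Single-decision request in the XACML JSON profile layout."""
    return {
        "Request": {
            "ReturnPolicyIdList": return_policy_ids,
            "AccessSubject": {"Attribute": [
                {"AttributeId": SUBJECT_ID, "Value": employee_id}]},
            "Resource": {"Attribute": [
                {"AttributeId": RESOURCE_TYPE_ID, "Value": object_type},
                {"AttributeId": RESOURCE_ID, "Value": record_id}]},
            "Action": {"Attribute": [
                {"AttributeId": ACTION_ID, "Value": action}]},
            "Environment": {"Attribute": []},
        }
    }


# Obligation the PEP knows how to discharge. The id and its attribute are
# constructed for this example; they are not from the page or the spec.
MFA_OBLIGATION = "urn:example:obligation:require-mfa"


def _require_mfa(assignments: dict) -> bool:
    # A real PEP would drive the MFA flow here; we only accept known methods.
    return assignments.get("urn:example:mfa:method") in {"totp", "webauthn"}


OBLIGATION_HANDLERS: dict[str, Callable[[dict], bool]] = {
    MFA_OBLIGATION: _require_mfa,
}


def enforce(result: dict, handlers=OBLIGATION_HANDLERS) -> tuple[bool, str]:
    """Turn one Result object into an allow/deny the PEP can act on.

    Deny, NotApplicable and Indeterminate all fail closed. A Permit is only
    honoured if every obligation is understood and discharged; advice is
    optional and never changes the outcome.
    """
    decision = result.get("Decision")
    if decision != "Permit":
        return False, f"decision {decision!r} enforced as deny"
    for obligation in result.get("Obligations", []):
        handler = handlers.get(obligation.get("Id"))
        if handler is None:
            return False, f"unknown obligation {obligation.get('Id')!r}"
        assignments = {a["AttributeId"]: a["Value"]
                       for a in obligation.get("AttributeAssignment", [])}
        if not handler(assignments):
            return False, f"obligation {obligation['Id']!r} not discharged"
    return True, "permit"


def combine_deny_overrides(decisions: list[str]) -> str:
    """Collapse several decisions into one, deny-overrides style.

    Simplified order used here (an assumption for this example, not a quote
    of the spec's algorithm): Deny > Indeterminate > Permit > NotApplicable.
    """
    for winner in ("Deny", "Indeterminate", "Permit"):
        if winner in decisions:
            return winner
    return "NotApplicable"


# Constructed sample response: a Permit carrying an MFA obligation.
SAMPLE_RESPONSE = json.dumps({"Response": [{
    "Decision": "Permit",
    "Obligations": [{
        "Id": MFA_OBLIGATION,
        "AttributeAssignment": [{
            "AttributeId": "urn:example:mfa:method",
            "Value": "totp",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"}]}],
}]})


def decide(response_json: str) -> list[tuple[bool, str]]:
    """Enforce every Result in a response body (one per question asked)."""
    return [enforce(r) for r in json.loads(response_json)["Response"]]


if __name__ == "__main__":
    print(json.dumps(build_request("Alice", "record", "123", "view"), indent=2))
    print(decide(SAMPLE_RESPONSE))
```

The design point is that `enforce` has exactly one path to `True`: a `Permit` whose obligations were all recognised and discharged. Every other shape of response, including a malformed one with no `Decision` at all, falls through to a denial, which is the behaviour you want from a PEP that may be talking to a PDP it does not fully trust.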
### Specification

XACML/ALFA is specified at OASIS:

- [Request/response scheme](https://docs.oasis-open.org/xacml/3.0/errata01/os/xacml-3.0-core-spec-errata01-os-complete.html#_Toc489959550)
- [REST Profile of XACML](https://docs.oasis-open.org/xacml/xacml-rest/v1.0/xacml-rest-v1.0.html)
- [JSON Profile of the Request/Response scheme](https://docs.oasis-open.org/xacml/xacml-json-http/v1.0/xacml-json-http-v1.0.html)
- [UML Class Diagram of XACML](https://stackoverflow.com/questions/31320704/uml-representation-of-xacml)
- [XACML v3.0 Multiple Decision Profile Version 1.0](https://docs.oasis-open.org/xacml/3.0/multiple/v1.0/xacml-3.0-multiple-v1.0.html)
- [Multiple Decision Profile](https://en.wikipedia.org/wiki/XACML#The_Multiple_Decision_Profile_of_XACML_3.0)

#### Sample Request

```
{
  "Request": {
    "ReturnPolicyIdList": false,
    "AccessSubject": {
      "Attribute": [
        { "AttributeId": "user.employeeId", "Value": "Alice" }
      ]
    },
    "Resource": {
      "Attribute": [
        { "AttributeId": "object.objectType", "Value": "record" },
        { "AttributeId": "record.recordId", "Value": "123" }
      ]
    },
    "Action": {
      "Attribute": [
        { "AttributeId": "action.actionId", "Value": "view" }
      ]
    },
    "Environment": {
      "Attribute": []
    }
  }
}
```

#### Sample Response

```
{
  "Response": [
    {
      "Decision": "Permit",
      "PolicyIdentifierList": {
        "PolicyIdReference": [
          {
            "Id": "http://axiomatics.com/alfa/identifier/tutorial.records.mainRecords.viewRecords.managersViewRecords",
            "Version": "1.0"
          }
        ],
        "PolicySetIdReference": [
          {
            "Id": "http://axiomatics.com/alfa/identifier/tutorial.records.mainRecords.viewRecords",
            "Version": "1.0"
          },
          {
            "Id": "http://axiomatics.com/alfa/identifier/tutorial.records.mainRecords",
            "Version": "1.0"
          },
          {
            "Id": "http://axiomatics.com/alfa/identifier/tutorial.main.tutorialRecords",
            "Version": "1.0"
          },
          {
            "Id": "http://axiomatics.com/alfa/identifier/tutorial.main",
            "Version": "1.0"
          }
        ]
      }
    }
  ]
}
```

## Open Policy Agent / Rego

## 3Edges

Can user abroccoli Read account M0012?
```
query {
  getAuthorizationDecision(
    input: {
      subjectType: "User",
      subjectID: "abroccoli",
      resourceType: "Account",
      resourceID: "M0012",
      isRelationship: false,
      resourceNamingProperty: "accountNb",
      actionType: "Niam_Read"
    }
  )
}
```

## Cedar

## Aserto / Topaz (OPA + ReBAC/Zanzibar)

### Specification

- Request/Response: https://aserto.readme.io/reference/authorizeris-1 (REST convention)

#### Sample Request

> Is user morty@the-citadel.com allowed to perform a GET operation on resource 12345?

```
{
  "identity_context": {
    "type": "IDENTITY_TYPE_SUB",
    "identity": "morty@the-citadel.com"
  },
  "policy_context": {
    "decisions": [ "allowed" ],
    "path": "todoApp.GET.todos.__id"
  },
  "resource_context": {
    "id": "12345"
  }
}
```

(Check convention)

> Does user morty@the-citadel.com have the *can_read* permission on resource 12345?

```
{
  "identity_context": {
    "type": "IDENTITY_TYPE_SUB",
    "identity": "morty@the-citadel.com"
  },
  "policy_context": {
    "decisions": [ "allowed" ],
    "path": "rebac.check"
  },
  "resource_context": {
    "object_type": "resource",
    "object_id": "12345",
    "relation": "can_read"
  }
}
```

#### Sample Response

@omri to complete

- Query: https://aserto.readme.io/reference/authorizerquery-1

## SGNL (Access API)

### Specification

- API definition: https://developer.sgnl.ai/#sgnl-public-api

#### Sample Request

#### Sample Response

## permit.io