XACML - Altinn Studio
XACML stands for "eXtensible Access Control Markup Language".
The standard defines a declarative, fine-grained, attribute-based access control policy language, an architecture, and a processing model describing how to evaluate access requests according to the rules defined in policies.
Altinn Studio and Altinn Studio Apps use the XACML standard for the following:
- XACML Reference Architecture: used as input for defining the Altinn Studio Apps authorization architecture
- XACML Policy: used to define the authorization rules for apps
- XACML Request: the format used by the PEP to call the PDP
- XACML Response: the format used for the response from the PDP to the PEP
XACML Policy
In Altinn an XACML Policy can describe the following:
- The access rules for an app created in Altinn Studio
- The access rules for a resource in the Altinn Resource Registry
- The access rules for a correspondence or broker service in Altinn 3
The XACML format in Altinn 3 follows the XACML 3.0 standard with a limited feature set.
A policy consists of one or more rules, and each rule consists of three parts:
- Resources - describes the resource a rule applies to. It can be an app, a resource in the resource registry, a specific task, or any other sub-resource of an app or of a resource in the resource registry. A rule can combine multiple resources.
- Action - describes which actions the rule applies to. This can be any action, such as read, write, sign, fire, Opendoor and so on. A rule can target multiple actions.
- Subject - describes who the rule applies to. It can be a role, an access group, an organization number, a specific user, and many more. A rule can target multiple subjects.
The example below shows the structure of an XACML Policy.
<?xml version="1.0" encoding="utf-8"?>
<xacml:Policy PolicyId="urn:altinn:policyid:1" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml:Target />
  <xacml:Rule RuleId="urn:altinn:example:ruleid:1" Effect="Permit">
    <xacml:Description>Describe the rules with subject, action and </xacml:Description>
    <xacml:Target>
      <xacml:AnyOf>
        <xacml:AllOf>
          <!-- One set of subject attributes the rule is targeted for. See real examples below -->
        </xacml:AllOf>
        <xacml:AllOf>
          <!-- Alternative set of subject attributes the rule is targeted for. See real examples below -->
        </xacml:AllOf>
      </xacml:AnyOf>
      <xacml:AnyOf>
        <xacml:AllOf>
          <!-- One set of resource attributes the rule is targeted for. See real examples below -->
        </xacml:AllOf>
      </xacml:AnyOf>
      <xacml:AnyOf>
        <xacml:AllOf>
          <!-- One set of action attributes the rule is targeted for. See real examples below -->
        </xacml:AllOf>
        <xacml:AllOf>
          <!-- Alternative set of action attributes the rule is targeted for. See real examples below -->
        </xacml:AllOf>
      </xacml:AnyOf>
    </xacml:Target>
  </xacml:Rule>
  <xacml:ObligationExpressions>
    <xacml:ObligationExpression ObligationId="urn:altinn:obligation:authenticationLevel1" FulfillOn="Permit">
    </xacml:ObligationExpression>
  </xacml:ObligationExpressions>
</xacml:Policy>
Resource
The resource describes the resource a rule applies to. It can be an app, a resource in the resource registry, a specific task, or any other sub-resource of an app or of a resource in the resource registry. In the example below, both Match elements sit in one AllOf, so the rule only applies when the org is srf and the app is melding-til-statsforvalteren.
<xacml:AnyOf>
  <xacml:AllOf>
    <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">srf</xacml:AttributeValue>
      <xacml:AttributeDesignator AttributeId="urn:altinn:org" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
    </xacml:Match>
    <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">melding-til-statsforvalteren</xacml:AttributeValue>
      <xacml:AttributeDesignator AttributeId="urn:altinn:app" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
    </xacml:Match>
  </xacml:AllOf>
</xacml:AnyOf>
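To show how a PDP evaluates the AnyOf / AllOf / Match structure above, here is an added Python example (not Altinn's code) that evaluates a Target against a request in the JSON-profile shape used later on this page. It assumes only the string-equal match function and the three standard categories; the target XML and the request builder are constructed copies of the page's examples, and the MustBePresent handling shows why a missing attribute gives a no-match rather than an error.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
CATEGORY_KEY = {  # XACML category URN -> member name in the JSON profile request
    "urn:oasis:names:tc:xacml:3.0:attribute-category:resource": "Resource",
    "urn:oasis:names:tc:xacml:3.0:attribute-category:action": "Action",
    "urn:oasis:names:tc:xacml:3.0:attribute-category:access-subject": "AccessSubject",
}
# Constructed copy of the page's resource target: org "srf" and app "melding-til-statsforvalteren"
TARGET_XML = """<x:Target xmlns:x="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"><x:AnyOf><x:AllOf>
<x:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<x:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">srf</x:AttributeValue>
<x:AttributeDesignator AttributeId="urn:altinn:org" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</x:Match><x:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<x:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">melding-til-statsforvalteren</x:AttributeValue>
<x:AttributeDesignator AttributeId="urn:altinn:app" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</x:Match></x:AllOf></x:AnyOf></x:Target>"""

def bag(request, category, attribute_id):
    """All values of attribute_id in the given category (an XACML bag, possibly empty)."""
    return [str(a["Value"]) for entry in request["Request"].get(CATEGORY_KEY[category], [])
            for a in entry.get("Attribute", []) if a["AttributeId"] == attribute_id]

def eval_match(match, request):
    """string-equal: true if any value in the request bag equals the policy literal."""
    literal = match.find("x:AttributeValue", NS).text
    des = match.find("x:AttributeDesignator", NS)
    values = bag(request, des.get("Category"), des.get("AttributeId"))
    if not values and des.get("MustBePresent") == "true":
        return "Indeterminate"  # a missing mandatory attribute is an error, not a no-match
    return literal in values

def and3(results):  # AllOf and Target: every part must match
    return False if False in results else ("Indeterminate" if "Indeterminate" in results else True)

def or3(results):  # AnyOf: one matching AllOf suffices
    return True if True in results else ("Indeterminate" if "Indeterminate" in results else False)

def eval_target(target_xml, request):
    """Returns True, False or "Indeterminate", like a PDP's target evaluation."""
    target = ET.fromstring(target_xml)
    return and3([or3([and3([eval_match(m, request) for m in allof.findall("x:Match", NS)])
                      for allof in anyof.findall("x:AllOf", NS)])
                 for anyof in target.findall("x:AnyOf", NS)])

def resource_request(**attrs):
    """Constructed request in the page's JSON-profile shape, resource attributes only."""
    return {"Request": {"Resource": [{"Attribute": [
        {"AttributeId": f"urn:altinn:{k}", "Value": v} for k, v in attrs.items()]}]}}
```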
Action
- Action - describes which actions the rule applies to. This can be any action, such as read, write, sign, fire, Opendoor and so on.
- Subject - describes who the rule applies to. It can be a role, an access group, an organization number, a specific user, and many more.
- Obligation - describes additional information, such as the minimum authentication level.
- Condition - describes additional conditions, such as the reportee needing to be registered in SRR/RRR for this resource/service.
Subject
Obligation
See the example policy from an application in production.
XACML Request
The XACML Request follows the XACML 3.0 JSON profile. See the documentation.
Single request
The example below shows a request that checks whether a user is allowed to read a given instance.
{
  "Request": {
    "ReturnPolicyIdList": true,
    "AccessSubject": [
      {
        "Attribute": [
          {
            "AttributeId": "urn:altinn:user-id",
            "Value": "1"
          }
        ]
      }
    ],
    "Action": [
      {
        "Attribute": [
          {
            "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
            "Value": "read",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          }
        ]
      }
    ],
    "Resource": [
      {
        "Attribute": [
          {
            "AttributeId": "urn:altinn:instance-id",
            "Value": "1000/26133fb5-a9f2-45d4-90b1-f6d93ad40713"
          }
        ]
      }
    ]
  }
}
Request for Multiple Decisions
The Policy Decision Point supports requests for multiple decisions. The request below shows how to request decisions for both read and write on the same resource: each category object gets an Id, and MultiRequests lists which combinations of those Ids should be decided.
{
  "Request": {
    "ReturnPolicyIdList": true,
    "AccessSubject": [
      {
        "Id": "s1",
        "Attribute": [
          {
            "AttributeId": "urn:altinn:user-id",
            "Value": "1"
          }
        ]
      }
    ],
    "Action": [
      {
        "Id": "a1",
        "Attribute": [
          {
            "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
            "Value": "read",
            "DataType": "http://www.w3.org/2001/XMLSchema#string",
            "IncludeInResult": true
          }
        ]
      },
      {
        "Id": "a2",
        "Attribute": [
          {
            "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
            "Value": "write",
            "DataType": "http://www.w3.org/2001/XMLSchema#string",
            "IncludeInResult": true
          }
        ]
      }
    ],
    "Resource": [
      {
        "Id": "r1",
        "Attribute": [
          {
            "AttributeId": "urn:altinn:instance-id",
            "Value": "1000/26133fb5-a9f2-45d4-90b1-f6d93ad40713",
            "IncludeInResult": true
          },
          {
            "AttributeId": "urn:altinn:org",
            "Value": "skd"
          },
          {
            "AttributeId": "urn:altinn:app",
            "Value": "taxreport"
          },
          {
            "AttributeId": "urn:altinn:partyid",
            "Value": "1000"
          },
          {
            "AttributeId": "urn:altinn:task",
            "Value": "formfilling"
          }
        ]
      }
    ],
    "MultiRequests": {
      "RequestReference": [
        {
          "ReferenceId": [
            "s1",
            "a1",
            "r1"
          ]
        },
        {
          "ReferenceId": [
            "s1",
            "a2",
            "r1"
          ]
        }
      ]
    }
  }
}
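To make the MultiRequests mechanism concrete, here is an added Python example (not Altinn's code) that expands a multi-decision request into the individual single-decision requests a PDP evaluates, and collects the attributes flagged IncludeInResult the way the response's Category list echoes them. The request is a constructed, shortened copy of the one above; the dangling-reference behaviour is an assumption about how a malformed request should be treated.

```python
import copy

CATEGORY_URN = {  # JSON profile member -> XACML category URN used in responses
    "AccessSubject": "urn:oasis:names:tc:xacml:3.0:attribute-category:access-subject",
    "Action": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
    "Resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
}

# Constructed copy of the page's multi-decision request (read and write on one instance)
MULTI = {"Request": {"ReturnPolicyIdList": True,
    "AccessSubject": [{"Id": "s1", "Attribute": [{"AttributeId": "urn:altinn:user-id", "Value": "1"}]}],
    "Action": [{"Id": a, "Attribute": [{"AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                "Value": v, "IncludeInResult": True}]} for a, v in (("a1", "read"), ("a2", "write"))],
    "Resource": [{"Id": "r1", "Attribute": [
        {"AttributeId": "urn:altinn:instance-id", "Value": "1000/26133fb5-a9f2-45d4-90b1-f6d93ad40713",
         "IncludeInResult": True},
        {"AttributeId": "urn:altinn:org", "Value": "skd"}, {"AttributeId": "urn:altinn:app", "Value": "taxreport"}]}],
    "MultiRequests": {"RequestReference": [{"ReferenceId": ["s1", "a1", "r1"]},
                                           {"ReferenceId": ["s1", "a2", "r1"]}]}}}

def expand_multi_request(request):
    """One single-decision request per RequestReference (the request itself if there are none)."""
    refs = request["Request"].get("MultiRequests", {}).get("RequestReference")
    if not refs:
        return [request]
    by_id = {obj["Id"]: (member, obj) for member in CATEGORY_URN
             for obj in request["Request"].get(member, []) if "Id" in obj}
    singles = []
    for ref in refs:
        single = {"Request": {k: v for k, v in request["Request"].items()
                              if k not in CATEGORY_URN and k != "MultiRequests"}}
        for ref_id in ref["ReferenceId"]:
            member, obj = by_id[ref_id]  # KeyError: a dangling ReferenceId is a malformed request
            single["Request"].setdefault(member, []).append(copy.deepcopy(obj))
        singles.append(single)
    return singles

def result_categories(single):
    """Attributes flagged IncludeInResult, grouped the way the response's Category list is."""
    cats = []
    for member, urn in CATEGORY_URN.items():
        attrs = [{"AttributeId": a["AttributeId"], "Value": a["Value"]}
                 for obj in single["Request"].get(member, [])
                 for a in obj.get("Attribute", []) if a.get("IncludeInResult")]
        if attrs:
            cats.append({"CategoryId": urn, "Attribute": attrs})
    return cats
```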
XACML Response
The XACML Response follows the XACML 3.0 JSON profile. See the documentation.
Response for single decision request
{
  "Response": [
    {
      "Decision": "Permit",
      "Status": {
        "StatusCode": {
          "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
        }
      },
      "Obligations": [
        {
          "id": "urn:altinn:obligation:authenticationLevel1",
          "attributeAssignment": [
            {
              "attributeId": "urn:altinn:obligation1-assignment1",
              "value": "2",
              "category": "urn:altinn:minimum-authenticationlevel",
              "dataType": "http://www.w3.org/2001/XMLSchema#integer",
              "issuer": null
            }
          ]
        }
      ],
      "Category": [
        {
          "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
          "Attribute": [
            {
              "AttributeId": "urn:altinn:partyid",
              "DataType": "http://www.w3.org/2001/XMLSchema#string",
              "Value": "1000"
            }
          ]
        }
      ]
    }
  ]
}
Response for multiple decision request. The Response array holds one result per RequestReference, in order, and each result echoes the attributes that were marked IncludeInResult so the PEP can tell the decisions apart.
{
  "Response": [
    {
      "Decision": "Permit",
      "Status": {
        "StatusCode": {
          "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
        }
      },
      "Obligations": [
        {
          "id": "urn:altinn:obligation:authenticationLevel1",
          "attributeAssignment": [
            {
              "attributeId": "urn:altinn:obligation1-assignment1",
              "value": "2",
              "category": "urn:altinn:minimum-authenticationlevel",
              "dataType": "http://www.w3.org/2001/XMLSchema#integer",
              "issuer": null
            }
          ]
        }
      ],
      "Category": [
        {
          "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
          "Attribute": [
            {
              "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
              "DataType": "http://www.w3.org/2001/XMLSchema#string",
              "Value": "read"
            }
          ]
        },
        {
          "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
          "Attribute": [
            {
              "AttributeId": "urn:altinn:instance-id",
              "DataType": "http://www.w3.org/2001/XMLSchema#string",
              "Value": "1000/26133fb5-a9f2-45d4-90b1-f6d93ad40713"
            }
          ]
        }
      ]
    },
    {
      "Decision": "Permit",
      "Status": {
        "StatusCode": {
          "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
        }
      },
      "Obligations": [
        {
          "id": "urn:altinn:obligation:authenticationLevel1",
          "attributeAssignment": [
            {
              "attributeId": "urn:altinn:obligation1-assignment1",
              "value": "2",
              "category": "urn:altinn:minimum-authenticationlevel",
              "dataType": "http://www.w3.org/2001/XMLSchema#integer",
              "issuer": null
            }
          ]
        }
      ],
      "Category": [
        {
          "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
          "Attribute": [
            {
              "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
              "DataType": "http://www.w3.org/2001/XMLSchema#string",
              "Value": "write"
            }
          ]
        },
        {
          "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
          "Attribute": [
            {
              "AttributeId": "urn:altinn:instance-id",
              "DataType": "http://www.w3.org/2001/XMLSchema#string",
              "Value": "1000/26133fb5-a9f2-45d4-90b1-f6d93ad40713"
            }
          ]
        }
      ]
    }
  ]
}