Multiple attributes in the same category in XACML 3.0

Question

I'm learning XACML 3.0 and want to ask, if I have two attributes with different ID But in the same category i.e (Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"), this interpretation as two different attributes for the same category or as two separate request with a single attribute.

Thank you .

Answer 1

If you create a XACML request with 4 different categories (e.g. Subject, Action, Resource, and Environment) and you add one or more attributes per category, then you will always obtain a single request and therefore a single response.

Example:

<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
      <xacml-ctx:Attribute AttributeId="action-id" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" >
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
      <xacml-ctx:Attribute AttributeId="resource-type" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">medical record</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
      <xacml-ctx:Attribute AttributeId="resource-id" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doc#123</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
      <xacml-ctx:Attribute AttributeId="user.role" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
      <xacml-ctx:Attribute AttributeId="user.identifier" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
</xacml-ctx:Request>

The aforementioned XACML request means

Can Alice the manager view medical record doc#123?

If you create a XACML request where you repeat a category several times, then you are building a Multiple Decision Request. For instance we could ask

Can Alice the manager view and edit medical record doc#123?

In XACML this would become:

<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
      <xacml-ctx:Attribute AttributeId="action-id" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
      <xacml-ctx:Attribute AttributeId="resource-type" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">medical record</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
      <xacml-ctx:Attribute AttributeId="resource-id" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doc#123</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
      <xacml-ctx:Attribute AttributeId="user.role" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
      <xacml-ctx:Attribute AttributeId="user.identifier" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
      <xacml-ctx:Attribute AttributeId="action-id" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">edit</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" >
   </xacml-ctx:Attributes>
</xacml-ctx:Request>

Note that the order of the categories do not matter. You can also give your categories XML identifiers and create a XACML multiple decision request by reference but this is not as commonly used.

You will find an interesting article on the topic and on the Axiomatics SDK here.

Answer 2

It appears that my answer was wrong. I'm leaving it here, however, as it discusses the related issue of multiple decision requests.

The XACML 3.0 Multiple Decision Profile is quite clear about that:

Such a request context SHALL be interpreted as a request for access to all situations specified in the individual elements. Each element SHALL represent one Individual Resource, subject, or another category unless that element utilizes the other mechanisms described in this Profile. For each combination of repeated elements, one Individual Decision Request SHALL be created. This Individual Request SHALL be identical to the original request context with one exception: only one element of each repeated category SHALL be present. If such a element contains a “scope” attribute having any value other than “Immediate”, then the Individual Request SHALL be further processed according to the processing model specified in Section 5 .
This processing may involve dec omposing the one Individual Decision Request into other Individual Decision Requests before evaluation by the PDP

So our request is interpreted as two different requests, each with one attribute from the category you mention. This is, of course, assuming that your PDP does implement the multiple decision profile.