我们能否在单个 XACML 请求中执行多个操作，如果可以，如何操作？

Question

假设我有以下示例 xacml 请求。我如何修改它以评估对多个操作的多个决策。

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        IncludeInResult="false">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Resource</AttributeValue>
    </Attribute>
</Attributes>
<Attributes
    Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
        IncludeInResult="false">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Subject</AttributeValue>
    </Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
        IncludeInResult="true">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Action</AttributeValue>
    </Attribute>
</Attributes>

Answer 1

当然可以，这是一本使用 XACML v3.0 Multiple Decision Profile Version 1.0 (standard | blog post) 中定义的 Multiple Decision 请求的教科书。

您只需重复操作类别几次（<Attributes/> 元素），即重复整个元素：

   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">View</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>

只需更改里面的属性，即 add/remove 里面的 <Attribute/> 个元素，只要你喜欢。

<xacml-ctx:Request ReturnPolicyIdList="false" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Edit</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">View</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Resource</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
</xacml-ctx:Request>

在 Axiomatics Policy Administration Point 中，它是这样的：

我们能否在单个 XACML 请求中执行多个操作，如果可以，如何操作？

Can we have multiple actions in a single XACML request, if yes how?

authorization

access-control

xacml

xacml3

pdp