Writing an example ABAC authorization policy with ALFA and XACML

Time: 2014-10-09 00:46:05

Tags: authorization access-control xacml alfa

I am new to XACML and am writing policies using ALFA. The policy I want to write sets a transfer limit of $2000 in a bank. If the amount to be transferred is greater than that amount, the operation should be denied.

How do I go about this?

Thanks!

1 answer:

Answer 0: (score: 3)

The use case you have is quite simple. I suggest you write it in English first, then in ALFA:

  • A user can do the action==transfer on a resource of type==bank account if and only if the amount transferred < the amount limit (e.g. 2000 in your case) ==> permit
  • All other cases ==> deny

In ALFA, the above policy becomes

namespace policies{
    attribute actionId{
        category = actionCat
        id = "actionId"
        type = string
    }

    attribute resourceType{
        category = resourceCat
        id = "resourceType"
        type = string
    }

    attribute amount{
        category = resourceCat
        id = "amount"
        type = double
    }
    /**
     * The limit could be a subject attribute in the case it's user-specific
     */
    attribute limit{
        category = subjectCat
        id = "limit"
        type = double
    }

    /* 
     * A user can do the `action==transfer` on a resource of `type==bank account` if and only if the `amount transferred 
     * < the amount limit` (e.g. 2000 in your case) ==> **permit**
     * 
     */
    policy transfer{
        target clause actionId == "transfer" and resourceType=="bank account"
        apply firstApplicable
        rule allow{
            condition amount <= limit
            permit
        }
        rule denyTransfer{
            deny
        }
    }
}
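To see how a PDP would actually decide on requests against the `transfer` policy above, here is an added Python model of its evaluation (example code written for this page, not part of the answer and not any XACML engine's code). The request layout, the `evaluate_transfer_policy` and `pep_allows` names, and the sample requests are assumptions; the decisions follow the XACML 3.0 first-applicable algorithm, including the NotApplicable and Indeterminate outcomes the answer does not spell out.

```python
from typing import Dict, Optional

# A request is a map of XACML category -> attribute id -> value, mirroring the
# categories used by the ALFA attribute declarations (actionCat, resourceCat, subjectCat).
Request = Dict[str, Dict[str, object]]


def evaluate_transfer_policy(req: Request) -> str:
    """Model of the `transfer` policy: returns Permit, Deny, NotApplicable or Indeterminate.

    target: actionId == "transfer" and resourceType == "bank account"
    rule allow: permit when amount <= limit
    rule denyTransfer: deny
    combining algorithm: firstApplicable
    """
    action = req.get("actionCat", {}).get("actionId")
    rtype = req.get("resourceCat", {}).get("resourceType")
    # Target does not match: the whole policy is NotApplicable and neither rule is evaluated.
    if action != "transfer" or rtype != "bank account":
        return "NotApplicable"
    amount = req.get("resourceCat", {}).get("amount")
    limit = req.get("subjectCat", {}).get("limit")
    # A missing amount or limit makes the `allow` condition Indeterminate. Under
    # firstApplicable that ends evaluation with Indeterminate: the policy does NOT
    # fall through to `denyTransfer`, so the PEP must handle this case itself.
    if amount is None or limit is None:
        return "Indeterminate"
    if float(amount) <= float(limit):
        return "Permit"          # rule allow
    return "Deny"                # rule denyTransfer


def pep_allows(decision: str) -> bool:
    """Deny-biased PEP: only an explicit Permit lets the transfer proceed."""
    return decision == "Permit"


def make_request(action: str, rtype: str, amount: Optional[float], limit: Optional[float]) -> Request:
    """Build a constructed request; None models an attribute the PEP did not supply."""
    resource: Dict[str, object] = {"resourceType": rtype}
    if amount is not None:
        resource["amount"] = amount
    subject: Dict[str, object] = {}
    if limit is not None:
        subject["limit"] = limit
    return {"actionCat": {"actionId": action}, "resourceCat": resource, "subjectCat": subject}


if __name__ == "__main__":
    for req in (make_request("transfer", "bank account", 1500, 2000),   # Permit
                make_request("transfer", "bank account", 2500, 2000),   # Deny
                make_request("withdraw", "bank account", 50, 2000),     # NotApplicable
                make_request("transfer", "bank account", None, 2000)):  # Indeterminate
        print(evaluate_transfer_policy(req))
```

Note that the Indeterminate case is why a PEP should be deny-biased: a lost `limit` or `amount` attribute must not silently turn into a permitted transfer.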