ABAC Rule

Attribute

An attribute consists of a name and a value, and evaluates to either True, False, or Unknown.

For instance, consider a policy for an organisation where Alice is a staff member, Bob is an intern, and we want to manage access to two resources: a printer and a scanner.

We need six different attribute values:

  • USER_Alice
  • USER_Bob
  • GROUP_intern
  • GROUP_staff
  • RESOURCE_printer
  • RESOURCE_scanner

Each attribute value evaluates to either True or False, depending on the request being considered (we will see in the next section that it can also be Unknown). For instance, a request from Alice to access the printer would mean that USER_Alice, GROUP_staff and RESOURCE_printer are True, while the other three attribute values are False.

Rule

A rule returns a decision (Permit or Deny) if its target evaluates to True, and returns Not-Applicable otherwise. In other words, the rule:

R: Decision if Target

evaluates to:

  • Decision, if Target evaluates to True
  • Not-Applicable if Target evaluates to False

A target can be either a single attribute_value, a conjunction of targets (using the operator AND), or a disjunction of targets (using the operator OR).

Example

Let us consider a simple example with two rules: R1 expresses a blanket denial of access to the printer, while R2 expresses that access to the printer is granted to members of the staff group. The yellow box below contains the definitions of these rules, while the black box contains their evaluation, using the values of the attributes selected in the radio table at the bottom.

Try changing the operator from OR to AND in R2 to see the difference in the evaluation.
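The following is an added example, not part of the original page: a small evaluator for the rule semantics above, with the six attribute values, R1, and both variants of R2 (with AND and with OR) from this page, so that the difference the interactive box shows can be reproduced offline. The names `Attr`, `And`, `Or`, `Rule`, `make_request` and `evaluate` are my own. A request is modelled as the set of attribute values that are True for it, every other attribute value being False; the Unknown value, which the page defers to the next section, is not modelled here.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import FrozenSet, Union

# The six attribute values of the page's policy (constructed sample policy:
# Alice is staff, Bob is an intern, the resources are a printer and a scanner).
ATTRIBUTE_VALUES = frozenset({
    "USER_Alice", "USER_Bob",
    "GROUP_intern", "GROUP_staff",
    "RESOURCE_printer", "RESOURCE_scanner",
})

# A request is the set of attribute values that are True for it;
# every other attribute value is False. (Unknown is not modelled.)
Request = FrozenSet[str]


@dataclass(frozen=True)
class Attr:
    """A target that is a single attribute value, e.g. RESOURCE_printer."""
    name: str


@dataclass(frozen=True)
class And:
    """Conjunction of two targets (operator AND)."""
    left: Target
    right: Target


@dataclass(frozen=True)
class Or:
    """Disjunction of two targets (operator OR)."""
    left: Target
    right: Target


Target = Union[Attr, And, Or]


@dataclass(frozen=True)
class Rule:
    """R: Decision if Target, where Decision is "Permit" or "Deny"."""
    decision: str
    target: Target


def make_request(user: str, group: str, resource: str) -> Request:
    """Build a request from the user, group and resource that are True for it."""
    req = frozenset({f"USER_{user}", f"GROUP_{group}", f"RESOURCE_{resource}"})
    unknown = req - ATTRIBUTE_VALUES
    if unknown:
        # Hypothetical check: reject names the policy never defined.
        raise ValueError(f"attribute values not in the policy: {sorted(unknown)}")
    return req


def eval_target(target: Target, request: Request) -> bool:
    """Evaluate a target to True or False against the request."""
    if isinstance(target, Attr):
        return target.name in request
    if isinstance(target, And):
        return eval_target(target.left, request) and eval_target(target.right, request)
    if isinstance(target, Or):
        return eval_target(target.left, request) or eval_target(target.right, request)
    raise TypeError(f"not a target: {target!r}")


def evaluate(rule: Rule, request: Request) -> str:
    """A rule yields its decision if its target is True, else Not-Applicable."""
    return rule.decision if eval_target(rule.target, request) else "Not-Applicable"


# R1: blanket denial of access to the printer.
R1 = Rule("Deny", Attr("RESOURCE_printer"))
# R2 with AND: permit printer access to members of the staff group.
R2_AND = Rule("Permit", And(Attr("GROUP_staff"), Attr("RESOURCE_printer")))
# R2 with OR: the variant the page asks the reader to compare.
R2_OR = Rule("Permit", Or(Attr("GROUP_staff"), Attr("RESOURCE_printer")))

if __name__ == "__main__":
    requests = {
        "Alice -> printer": make_request("Alice", "staff", "printer"),
        "Alice -> scanner": make_request("Alice", "staff", "scanner"),
        "Bob -> printer": make_request("Bob", "intern", "printer"),
        "Bob -> scanner": make_request("Bob", "intern", "scanner"),
    }
    for label, req in requests.items():
        print(f"{label:18} R1={evaluate(R1, req):15} "
              f"R2(AND)={evaluate(R2_AND, req):15} R2(OR)={evaluate(R2_OR, req)}")
```

Running the script prints one line per request. With AND, R2 is applicable only to Alice's printer request; with OR it also permits Bob's printer request and Alice's scanner request, because a single True attribute value on either side of the OR makes the whole target True. That widening of scope is the reason a conjunction is the right operator when a rule is meant to constrain both the subject and the resource.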


Last modified December 5, 2019