Sample declarative access control policy

  • Article

In my previous post I mentioned that we have now released a parser for SecPAL that allows policies to be written in a human readable simplified English grammar. I thought it might be worth including an example - based on the scenario that was used in the GridToday post on Access Control in Grid Computing Environments which (funnily enough) is very similar to the two pages of F# available here and very similar to the C# sample AttributeScenario solution included inside the v1.1 release of SecPAL.

The sample shows the policies being specified in C# using a similar approach to that you might use to specify dynamic SQL. Such policies could just as easily be read from a file etc.  In the future I will provide some more advanced samples - including more discussion about each of the samples - but for now just remember that another of SecPAL's strengths is its ability to create generic access control policies through the use of variables. In the simplified English grammar variables are prefixed by % signs. Variables are substituted for concrete values during evaluation. Enjoy...

 

using System;

using

System.Collections.Generic;

using

System.Text;

using

Microsoft.Research.SecPal.Authorization;

using

Microsoft.Research.SecPal.Parser;

namespace

DeclarativeTest

{

class Program

{

static void Main(string[] args)

{

      // Input policies

      // 1. Policy restricting access to a resource to those principals possessing a valid email address

      string resourceAccessPolicy =

            "LA says %p can read digitalContent:'file://public/' " +

            " if %p possesses %a" +

            " where %a matches rfc822Name:'.*@microsoft.com' ";

      // 2. Policy delegating the rights to an STS to make statements about possession of email attributes

      string trustPolicy =

            "LA says K-STS can say %p possesses %a" +

            " where %a matches rfc822Name:'.*@microsoft.com' ";

 

      // 3. Identity assertion that would normally be included inside a token when the user requests access to a resource

      string identityPolicy = "K-STS says K-JAHOGG possesses rfc822Name:'jahogg@microsoft.com' ";

      // Authorization Query

      // Query created based on the specifics of the resource access request

      string authzQuery = "LA says K-JAHOGG can read digitalContent:'file://public/foo.txt' ";

      // Error - keyholder principals are getting recreated each time

      Assertion a1 = Interpretor.parseAssertion(resourceAccessPolicy);

      Assertion a2 = Interpretor.parseAssertion(trustPolicy);

      Assertion a3 = Interpretor.parseAssertion(identityPolicy);

      Assertion[] assertionList = new Assertion[3] { a1, a2, a3 };

      AuthorizationQuery aq = Interpretor.parseAuthQuery(authzQuery);

      Console.WriteLine("Authorization result");

      // Make an authorization decision

      IList<Answer> answers =

            AuthorizationEngine.MakeAuthorizationDecision(new LocalAuthorityPrincipal(),

assertionList,

aq,

                  new List<AuditRule>());

      Console.WriteLine("Answer was " + (answers.Count > 0));

}

}

}