Every time an object is accessed, the ABAC policies are evaluated using the attributes relevant to the requesting session. Each policy is evaluated as a logical expression written in a limited Python syntax. The namespace available to the expression is listed below. Some attributes are zero-length strings when they are not present in the current session. Some attributes also support the dictlib.Obj syntax, so you can write obj.name instead of obj['name']; for performance reasons this is not available in all cases.
- re – the regular expression library (Python's re module)
- rx() – shortcut for re.search
- cert_cn – common name of the client SSL certificate (pending implementation)
- user_name – the HTTP Basic Auth username (pending implementation)
- ip – the client IP address (as a string)
- token_nbr – the internal number of the authorized token
- token_name – the name of the authorized token
- http_headers – a dictionary containing the HTTP headers of the current session (dictlib.Obj dot notation is available)
- groups – a sub-dictionary containing all of the available groups of tokens (dictlib.Obj dot notation is available)
- action – the action being performed (read, write)
- sensitive – a boolean indicating whether the current access request is for sensitive data (data to be decrypted). If a policy of this kind evaluates false, the data element is not decrypted, but the overall object may still be returned.
- obj_type – the type of object (config, instance, service, etc.)
- obj – the object in question
- pwin(password, group) – true if the password matches any of the hashes in the designated group object
Two data elements together define a complete ABAC scenario for an object:
- The Policy – where the access expression is defined
- The Policy Scope – an object that defines how the policy is matched to other objects
The Policy Scope is a separate expression used to limit a policy to specific objects.
Policies should focus on attributes unique to the session, not the object, whereas Policy Scopes should focus on the object itself. Scope expressions are evaluated whenever an object changes, so the set of policies matched to an object is re-determined only when the object itself is modified; Policy expressions are evaluated every time an object is accessed.
Example Policy Expressions:
Example Scope Expressions:
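The following is an added example, not code from the original page or from the project it documents. It sketches how the namespace above can be assembled and how a scope expression (object-only, run on change) and a policy expression (session attributes, run on access) are evaluated as restricted Python. The Obj class stands in for dictlib.Obj, pwin is assumed to compare SHA-256 hex digests stored under a "hashes" key of the group object, a "tokens" list on the group and the "x-pass" header are constructed for the sample, and token_nbr defaulting to 0 is an assumption; none of these structures are specified by the page.

```python
import ast
import hashlib
import hmac
import re


class Obj(dict):
    """Dict with dot access, standing in for dictlib.Obj (assumed here)."""
    def __getattr__(self, name):
        try:
            return self[name]
        except KeyError:
            raise AttributeError(name) from None


def rx(pattern, string, flags=0):
    """Shortcut for re.search, as listed in the namespace."""
    return re.search(pattern, string, flags)


def make_pwin(groups):
    """pwin(password, group): true if the password's hash is in the group object.
    SHA-256 hex digests under a 'hashes' key are an assumption of this example."""
    def pwin(password, group):
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        return any(hmac.compare_digest(digest, h)
                   for h in groups.get(group, {}).get("hashes", []))
    return pwin


# Builtins a policy may call; everything else (open, __import__, ...) is absent.
_SAFE_BUILTINS = {"len": len, "str": str, "int": int, "any": any, "all": all}


def evaluate(expression, namespace):
    """Evaluate a policy or scope expression as restricted Python."""
    tree = ast.parse(expression, mode="eval")
    for node in ast.walk(tree):
        # Refuse private/dunder access such as ().__class__, a common eval escape.
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            raise ValueError("private attribute access not allowed: " + node.attr)
        if isinstance(node, ast.Name) and node.id.startswith("_"):
            raise ValueError("private name not allowed: " + node.id)
    code = compile(tree, "<abac>", "eval")
    return bool(eval(code, {"__builtins__": _SAFE_BUILTINS}, dict(namespace)))


def scope_matches(scope, obj_type, obj):
    """Scope expressions see only the object; they run when the object changes."""
    return evaluate(scope, {"re": re, "rx": rx, "obj_type": obj_type, "obj": Obj(obj)})


def policy_allows(policy, session, action, sensitive, groups, obj_type, obj):
    """Policy expressions see the full namespace; they run on every access."""
    groups = Obj({name: Obj(g) for name, g in groups.items()})
    namespace = {
        "re": re, "rx": rx,
        "cert_cn": session.get("cert_cn", ""),      # zero-length if not in session
        "user_name": session.get("user_name", ""),
        "ip": session.get("ip", ""),
        "token_nbr": session.get("token_nbr", 0),   # default is an assumption
        "token_name": session.get("token_name", ""),
        "http_headers": Obj(session.get("http_headers", {})),
        "groups": groups,
        "action": action,
        "sensitive": sensitive,
        "obj_type": obj_type,
        "obj": Obj(obj),
        "pwin": make_pwin(groups),
    }
    return evaluate(policy, namespace)


# Constructed sample data and expressions (not from the page).
GROUPS = {"ops": {"tokens": ["alice", "deploy-bot"],
                  "hashes": [hashlib.sha256(b"correct horse").hexdigest()]}}
SCOPE = r'obj_type == "config" and rx(r"^prod-", obj.name)'
POLICY = r'action == "read" and token_name in groups.ops.tokens and (not sensitive or rx(r"^10\.0\.", ip))'
PASSWORD_POLICY = r'pwin(http_headers["x-pass"], "ops")'
SESSION_LAN = {"ip": "10.0.3.7", "token_nbr": 12, "token_name": "alice",
               "http_headers": {"x-pass": "correct horse"}}
SESSION_WAN = {"ip": "203.0.113.9", "token_nbr": 12, "token_name": "alice",
               "http_headers": {"x-pass": "wrong"}}
CONFIG = {"name": "prod-db", "dsn": "postgres://db.internal/app"}

if __name__ == "__main__":
    print(scope_matches(SCOPE, "config", CONFIG))                                     # True
    print(policy_allows(POLICY, SESSION_LAN, "read", True, GROUPS, "config", CONFIG))  # True
    print(policy_allows(POLICY, SESSION_WAN, "read", True, GROUPS, "config", CONFIG))  # False: sensitive read from off-LAN
    print(policy_allows(POLICY, SESSION_WAN, "read", False, GROUPS, "config", CONFIG)) # True: non-sensitive read is fine
```

The sensitive case shows the behaviour described above: the same token can read the object from anywhere, but the policy only passes for decryption when the request comes from the 10.0.x.x range. Note that an AST filter plus a trimmed builtins dictionary is not a hardened sandbox; it keeps honest expressions honest, but policy text should still be treated as privileged configuration, not untrusted input.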