
Attribute Based Access Control (ABAC) configuration in SDS through Policy Conditions

Note

ABAC is supported only in Virtual Private Cloud environments.

The SDS service provides fine-grained access control through policies, in which the Tenant Administrator configures the protected resources. These resources can carry attributes or properties, i.e. metadata key-value pairs, and users can likewise carry their own attributes or properties. Using resource and user attributes, access to resources can be managed in a more granular and flexible way. This authorization strategy is known as ABAC. Tenant administrators and application developers can use SDS policy conditions to refine access further based on conditions over these attributes.

ABAC is configured in SDS through policy conditions, as explained below.

Policy Conditions

Policy conditions let you manage access based on the attribute or property values of the protected resource or of the user. An attribute in a policy condition is any property or metadata key associated with a file or folder; for example, 'BusinessSensitivity' and 'CountryOfOrigin' can be used as attributes, properties or metadata keys.

A policy condition consists of one or more logical expressions combined with logical operators.

Example

{
   "owner":"tenantA",
   "id":"8b64e3a0-a315-4eed-babc-58a06cabe614",
   "name":"Simulation_Files_Policy",
   "active":true,
   "description":"Policy to provide access to simulation related files.",
   "subjects":[
      "mdsp:core:identitymanagement:gbl:tenantA:usergroup:mdsp_usergroup:AllSimulationUsers"
   ],
   "rules":[
      {
         "name":"Rule1",
         "actions":[
            "mdsp:core:idl:prefix:create",
            "mdsp:core:idl:prefix:delete",
            "mdsp:core:idl:prefix:read"
         ],
         "resources":[
            "mdsp:core:idl:gbl:tenantA:prefix:/data/ten=tenantA/PLISimulationData"
         ],
         "propagationDepth":-1,
         "conditions":[
            {
               "resourceType":"mdsp:core:idl:prefix",
               "expression":"prefix.Global.countryOfOrigin eq 'IN' AND prefix.SAPData.businessSensitivity eq user.clearanceLevel"
            }
         ]
      }
   ]
}

In the example policy above, a new JSON element "conditions" has been added to the policy schema; it contains the two sub-elements "resourceType" and "expression". A condition is one or more expressions with selection criteria defined on resource attributes or user attributes, and access to the resource(s) is granted or denied based on them. In IDL, for example, metadata keys are treated as resource attributes.

  • ResourceType is the type of resource for which the expression is defined. Only resource attributes belonging to the given resourceType can be used in the expression. For example, if the value of resourceType is mdsp:core:idl:prefix, then every metadata key or resource attribute in the expression must have the format prefix.<collectionId>.<metadataKey>, for example prefix.SAPData.businessSensitivity.

  • Expression is a combination of resource attributes and user attributes compared against values. Larger expressions are formed by joining individual expressions with the logical operators (AND, OR, NOT). The valid resource attributes, user attributes and supported operators are defined by the owning service: for example, the metadata keys (resource attributes) and supported operators for resourceType mdsp:core:idl:prefix are defined in the IDL API documentation, and user attribute definitions and supported operators are defined in the "Identity and Access Management" (IAM) API documentation. Please refer to those API specifications for details.

Constraints

  • Currently, only one expression is allowed per resourceType.
  • A resourceType cannot be duplicated inside conditions.
  • Currently, the only supported resourceType is the IDL prefix (mdsp:core:idl:prefix); the asset resourceType is not yet supported.
  • A condition expression may contain at most 15000 characters.
  • Policy conditions should only be used when the basic SDS policy configuration is no longer sufficient, because they require a more elaborate policy search and evaluation that demands more processing power and time.
  • Changes to IDL metadata or user attribute definitions or assignments may take up to 1 hour to be reflected in the policy configuration because of caching.

Supported Operators in Policy Conditions

Type of operator    Operator        Symbols
Logical Operator    OR              'or' or '||'
Logical Operator    AND             'and' or '&&'
Logical Operator    NOT             'not' or '!'
Binary Operator     Equal to        'eq' or '=='
Binary Operator     Not equal to    'ne' or '!='
In Operator         IN              in
Not In Operator     NOT IN          not in
Other               Parenthesis     '(' and ')'

Supported Data Types in Policy Conditions

Data Type      Symbols
Enum           'SOME_ENUM_VALUE'
Enum List      ('SOME_ENUM_VALUE', 'SOME_OTHER_ENUM_VALUE')
String         'some_string_value'
String List    ('some_string_value', 'some_other_string_value')

Exceptions

There are some exceptions to supported data types in policy conditions:

  • The "in" and "not in" operators are not supported for the following combinations:

    • List "in"/"not in" List
    • List "in"/"not in" Enum/String
    • String/Enum "in"/"not in" String/Enum

Error Handling Scenarios in Policy Conditions

  1. Sample Invalid Expression: prefix. global.country : eq 'GB'

    Here, ':' is an unsupported character in the expression.

    Error response:

    {
        "errors": [
            {
                "code": "mdsp.core.resourceaccessmanagement.validation.malformedExpression",
                "message": "Malformed Expression provided. Please correct the expression syntax and try again.",
                "messageParameters": [
                    {
                        "name": "offendingSymbol",
                        "value": ":"
                    },
                    {
                        "name": "expression",
                        "value": "prefix.global.country : eq 'GB"
                    },
                    {
                        "name": "resourceType",
                        "value": "mdsp:core:idl:prefix"
                    }
                ],
                "logRef": "6478534b8ef9a8ef16a7eda2ce3e7231"
            }
        ]
    }
    

    This error is returned whenever unsupported characters are found in the expression.

  2. Sample Invalid Expression: prefix.global.country eq !'GB'

    Here, the Not (!) operator is incorrectly placed in the expression.

    Error response:

    {
        "errors": [
            {
                "code": "mdsp.core.resourceaccessmanagement.validation.malformedExpression",
                "message": "Malformed Expression provided. Please correct the expression syntax and try again.",
                "messageParameters": [
                    {
                        "name": "resourceType",
                        "value": "mdsp:core:idl:prefix"
                    },
                    {
                        "name": "expression",
                        "value": "prefix.global.country  eq !'GB"
                    },
                    {
                        "name": "offendingSymbol",
                        "value": "!"
                    }
                ],
                "logRef": "647854481fcbb128ef84d7798151c1f5"
            }
        ]
    }
    

    The system treats the expression as invalid from that point on and therefore reports (!) as the offending symbol.

  3. Sample Invalid Expression: (prefix.global.country eq 'GB' and prefix.global.country eq 'GB'

    prefix.global.country eq 'GB' and (prefix.global.country eq 'GB'

    Both samples are missing a closing parenthesis. The same error is also returned when a known keyword is used by mistake after a valid part of the expression.

    Error response:

    {
        "errors": [
            {
                "code": "mdsp.core.resourceaccessmanagement.validation.malformedExpression",
                "message": "Malformed Expression provided. Please correct the expression syntax and try again.",
                "messageParameters": [
                    {
                        "name": "resourceType",
                        "value": "mdsp:core:idl:prefix"
                    },
                    {
                        "name": "offendingSymbol",
                        "value": "<EOF>"
                    },
                    {
                        "name": "expression",
                        "value": "prefix.global.country eq 'GB' and (prefix.global.country eq 'GB'"
                    }
                ],
                "logRef": "647991aaf9e2343b6dabf18ca31a2608"
            }
        ]
    }
    

    For a missing ) parenthesis, the system reports <EOF> as the offending symbol; the expression can then be corrected manually.

    If a known keyword is used by mistake after a valid part of the expression, the system likewise reports <EOF> as the offending symbol.

  4. Sample Invalid Expression: pref.global.country eq 'GB'

    user11.country eq 'GB'

    Invalid start of a compound expression.

    Error response:

    {
        "errors": [
            {
                "code": "mdsp.core.resourceaccessmanagement.validation.invalidExpression",
                "message": "metaDataKey/userAttribute in the given expression pref.global.country should start with prefix/user respectively.",
                "messageParameters": [
                    {
                        "name": "resourceType",
                        "value": "mdsp:core:idl:prefix"
                    },
                    {
                        "name": "expression",
                        "value": "pref.global.country  eq 'GB'"
                    }
                ],
                "logRef": "647855e952352a455f14cea5e581ae05"
            }
        ]
    }
    

    A compound expression can only start with prefix or user.

  5. Sample Invalid Expression: user.xxxx eq 'IN'

    Invalid user attribute.

    Error response:

    {
        "errors": [
            {
                "code": "mdsp.core.resourceaccessmanagement.validation.invalidUserAttribute",
                "message": "Invalid user attribute xxxxx found in part of given expression user.xxxxx",
                "messageParameters": [
                    {
                        "name": "userAttribute",
                        "value": "xxxxx"
                    },
                    {
                        "name": "expression",
                        "value": "user.xxxxx  > 'IN'"
                    },
                    {
                        "name": "resourceType",
                        "value": "mdsp:core:idl:prefix"
                    }
                ],
                "logRef": "64788932907235062517cb154df5c348"
            }
        ]
    }
    
  6. Sample Invalid Expression: prefix.global.citylist in user.city

    Invalid condition: the List in String/Enum combination is not supported.

    Error response:

    {
        "errors": [
            {
                "code": "mdsp.core.resourceaccessmanagement.validation.leftOperandDatatypeNotSupported",
                "message": "Attribute datatype of left operand not supported for the given operator 'in' in the given expression prefix.global.citylist in user.city",
                "messageParameters": [
                    {
                        "name": "expression",
                        "value": "prefix.global.citylist in user.city"
                    },
                    {
                        "name": "resourceType",
                        "value": "mdsp:core:idl:prefix"
                    }
                ],
                "logRef": "64788932907235062517cb154df5c348"
            }
        ]
    }
    

Abbreviations:
SDS: Secure Data Sharing
ABAC: Attribute Based Access Control
IDL: Integrated Data Lake