Target
Description
In XACML all the attributes are categorized into four main categories:
- Subjects (urn:oasis:names:tc:xacml:3.0:attribute-category:subject)
- Resources (urn:oasis:names:tc:xacml:3.0:attribute-category:resource)
- Actions (urn:oasis:names:tc:xacml:3.0:attribute-category:action)
- Environments (urn:oasis:names:tc:xacml:3.0:attribute-category:environment)
A target can contain more than one subject, environment, resource or action, or none of them. The target is the way to define the scope of an authorization policy.
- Attribute Designator: lets the policy specify an attribute with a given name and type, and optionally an issuer as well.
- Attribute Value: contains a literal attribute value.
Screen
Subjects
An actor whose attributes may be referenced by a predicate.
Allows you to add one or more subjects as a target where the policy will be applied.
To configure a subject, first of all you need to select an attribute. You can select a value from the attribute designator list, or write the attribute selector value and select the data type.
Then, you need to select the operator, which will be used to compare or compute attributes.
And finally, you need to set a value, with which the attribute will be computed or compared. The value data type depends on the attribute data type.
Resources
Data, service or system component.
Allows you to add one or more resources as a target where the policy will be applied.
To configure a resource, first of all you need to select an attribute. You can select a value from the attribute designator list, or write the attribute selector value and select the data type.
Then, you need to select the operator, which will be used to compare or compute attributes.
And finally, you need to set a value, with which the attribute will be computed or compared. The value data type depends on the attribute data type.
Actions
An operation on a resource.
Allows you to add one or more actions as a target where the policy will be applied.
To configure an action, first of all you need to select an attribute. You can select a value from the attribute designator list, or write the attribute selector value and select the data type.
Then, you need to select the operator, which will be used to compare or compute attributes.
And finally, you need to set a value, with which the attribute will be computed or compared. The value data type depends on the attribute data type.
Environments
The set of attributes that are relevant to an authorization decision and are independent of a particular subject, resource or action.
Allows you to add one or more environments as a target where the policy will be applied.
To configure an environment, first of all you need to select an attribute. You can select a value from the attribute designator list, or write the attribute selector value and select the data type. The
Then, you need to select the operator, which will be used to compare or compute attributes.
And finally, you need to set a value, with which the attribute will be computed or compared. The value data type depends on the attribute data type.
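The following added example (not product code and not taken from the specification) shows how a target built from these settings scopes a policy. It assumes the XACML 2.0 combination rule: entries within one category are alternatives, the matches inside one entry must all hold, and a category left out of the target matches any request. Only an equality operator is modelled, and the attribute names (role, dept, action-id, level) are constructed.

```python
from dataclasses import dataclass

CATEGORIES = ("subject", "resource", "action", "environment")
CASTS = {"string": str, "integer": int}   # value data type follows the attribute data type

@dataclass(frozen=True)
class Match:
    attribute_id: str   # attribute designator name (constructed names below)
    data_type: str      # key in CASTS
    value: str          # literal attribute value written in the policy

def match_applies(match, bag):
    """Equality operator: true if any value in the request's bag equals the policy value."""
    cast = CASTS[match.data_type]
    try:
        return any(cast(v) == cast(match.value) for v in bag)
    except ValueError:
        return False    # simplification: XACML would report Indeterminate

def target_applies(target, request):
    """target: {category: [entry, ...]}, entry = [Match, ...]; request: {category: {attribute_id: [values]}}."""
    for category in CATEGORIES:
        entries = target.get(category, [])
        if not entries:
            continue    # category not in the target: it matches any request
        attrs = request.get(category, {})
        if not any(all(match_applies(m, attrs.get(m.attribute_id, [])) for m in entry)
                   for entry in entries):
            return False
    return True

# Constructed sample: (role=admin) OR (role=auditor AND dept=finance), limited to action "read".
TARGET = {
    "subject": [[Match("role", "string", "admin")],
                [Match("role", "string", "auditor"), Match("dept", "string", "finance")]],
    "action": [[Match("action-id", "string", "read")]],
}

def request(role, dept, action):
    return {"subject": {"role": [role], "dept": [dept]}, "action": {"action-id": [action]}}

if __name__ == "__main__":
    for args in [("admin", "it", "read"), ("auditor", "hr", "read"), ("admin", "it", "write")]:
        print(args, target_applies(TARGET, request(*args)))
    print("empty target:", target_applies({}, request("guest", "none", "delete")))
```

A target with no entries applies to every request, so the policy's rules alone decide the outcome; review such policies for unintended scope.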
https://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf