authorization - XACML Policy with Multiple Resources, Multiple Rules and Multiple Actions


In the multiple decision profile scenario, I want to create a policy for a particular tenant with root resources such as customer. In this scenario I have a tenant t1, and tenant t1 is allowed to access the root resource customer. customer is a top-level resource and contains sub-child resources like the sub-resources name and email. In this scenario, how can I create a policy that enforces multiple rules for each sub-resource, like:

rule-1: admin is permitted to access resource {name: create,read,update,delete}, {email: create,read,update,delete}
rule-2: employee is permitted to access resource {name: read,update}, {email: read}

Please share the policy structure and the request format for the same.

In the request format I want to pass the tenant id and the root-level resource customer.

In your scenario, you want to pass in the field id you are interested in.

The request would be: "can Alice view the name field of customer record #123?"

You could also express a multiple decision request, e.g.:

"can Alice view the name, email, and job title fields of customer record #123?"

Either way the policy is field-centric. It protects a given field or set of fields. You could define a set of non-sensitive fields and a set of sensitive fields, and write the policy in terms of field metadata. Instead of saying "a user can view field 'email'", you would write "a user can view a field if the user's clearance > the field's sensitivity".

Alternatively, you could use a reverse query; that's specific to Axiomatics' APIs though. A reverse query lets you make the following type of request / response:

  • Q: list the fields Alice can view
  • A: name, email
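As an added example (not code from the original post and not Axiomatics' product), the Python below models the field-centric policy the answer describes so the three request shapes can be exercised offline: a single decision ("can Alice view the name field of customer record #123?"), a multiple decision request covering several fields at once, and a reverse query that enumerates the fields a subject may view. It is a plain evaluation model, not an XACML engine; the subjects, clearances, tenant table and field sensitivities are constructed assumptions, and a real deployment would express the same rules as an XACML policy with attribute designators rather than in Python.

```python
"""Field-centric authorisation model (constructed example, not an XACML PDP).

The policy is written against field metadata, as the answer suggests:
a user can view a field if the user's clearance > the field's sensitivity.
Rules are combined deny-overrides. All data below is made up.
"""
from dataclasses import dataclass

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

# Field metadata (assumed): the policy never names a field directly,
# it only compares the field's sensitivity to the subject's clearance.
FIELD_SENSITIVITY = {"name": 1, "email": 2, "job_title": 3}

# Subject attributes (assumed): tenant membership and clearance level.
SUBJECTS = {
    "alice": {"tenant": "t1", "clearance": 3},
    "bob": {"tenant": "t1", "clearance": 1},
}

# Root-level resources each tenant may reach (from the question: t1 -> customer).
TENANT_ROOT_RESOURCES = {"t1": {"customer"}}

# Actions treated as "view" for rule 3 (assumption: read and view are synonyms).
VIEW_ACTIONS = {"view", "read"}


@dataclass(frozen=True)
class Request:
    subject: str
    tenant: str     # tenant id carried in the request, as the question asks
    resource: str   # root-level resource, e.g. "customer"
    record_id: str  # e.g. "123"
    action: str     # e.g. "view"
    field: str      # sub-resource / field id, e.g. "name"


def decide(req: Request) -> str:
    """Single decision for one (subject, action, field) triple."""
    subject = SUBJECTS.get(req.subject)
    if subject is None:
        return INDETERMINATE  # no attributes for the subject: cannot evaluate
    if req.field not in FIELD_SENSITIVITY:
        return NOT_APPLICABLE  # policy has no metadata for this field
    # Rule 1: the tenant named in the request must be allowed the root resource.
    if req.resource not in TENANT_ROOT_RESOURCES.get(req.tenant, set()):
        return DENY
    # Rule 2: the subject must belong to the tenant named in the request.
    if subject["tenant"] != req.tenant:
        return DENY
    # Rule 3: a user can view a field if clearance > field sensitivity.
    if req.action in VIEW_ACTIONS:
        return PERMIT if subject["clearance"] > FIELD_SENSITIVITY[req.field] else DENY
    return NOT_APPLICABLE  # no rule in this toy policy covers other actions


def multiple_decision(subject, tenant, resource, record_id, action, fields):
    """Multiple decision profile: one request, one decision per field."""
    return {
        f: decide(Request(subject, tenant, resource, record_id, action, f))
        for f in fields
    }


def reverse_query(subject, tenant, resource, action):
    """Reverse query: which fields may the subject perform <action> on?
    Answered by enumerating the field metadata and keeping the permitted ones."""
    return [
        f for f in FIELD_SENSITIVITY
        if decide(Request(subject, tenant, resource, "*", action, f)) == PERMIT
    ]


if __name__ == "__main__":
    # "can Alice view the name, email, and job title fields of customer record #123?"
    print(multiple_decision("alice", "t1", "customer", "123", "view",
                            ["name", "email", "job_title"]))
    # "list the fields Alice can view"
    print(reverse_query("alice", "t1", "customer", "view"))
```

With the assumed data Alice's clearance of 3 beats the sensitivity of name (1) and email (2) but not job_title (3), so the multiple decision request returns Permit, Permit, Deny and the reverse query returns name and email, matching the exchange above. Raising a field's sensitivity in the metadata changes every decision about it without touching the policy, which is the point of writing the rules against metadata instead of field names.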
