In a typical access control model (i.e. JAAS), access to "objects" or functions is controlled. I have a need to control access based on the properties of the requested/returned data, and the attributes of the user (Principal/Subject) making the request. For example:
User_A can access Application_A, and perform all functions contained in that application. However, if User_A requests data that contains his own "Customer Number", he is not allowed to change the data, nor even access the data.
A real-world example of this would be a representative of a credit card processing company who can normally process credit card transactions, but if the transaction is for his own card number, he can't process it because there would be a conflict of interest.
Now, if the user's "Subject" contains a list of credit cards that the representative personally "owns", any request for a new transaction could compare the Subject's "owned cards" against the card number from the transaction data, and deny access for that card.
There are 2 possible scenarios for managing this as an access control issue:
1) The card number of the transaction is part of the request from the application when the user asks to process a new transaction. In this case, the request could be denied before any data is collected to respond to the request. (Call this a "pre-eval" for access control.)
2) The card number of the transaction isn't known until after the data is being collected for the response. The request is based on some other attribute of the transaction (e.g. trans number), so the request doesn't even know what the card number is. (Call this a "post-eval" for access control.)
So, the question is... "What are my options for implementing such a solution?" Is there a standard already in existence (XACML, SAML, etc.) that provides this level of fine-grained access control automatically, or do I have to build this from scratch?
In the past, I have implemented such features by embedding fine-grained access control logic in the application's business logic. I'd like to abstract this (the same way that JAAS abstracts role-based access controls) from the application entirely - so that the container can be configured to manage fine-grained access control policies, without modifying the application logic...
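As an added illustration of the pre-eval/post-eval split described in the question (not code from the poster, and written in Python rather than as a JAAS/Java container interceptor), the policy below lives in two decorators that wrap the business functions; the function names, the `Subject`/`Transaction` shapes and the sample card numbers are all assumptions constructed for the example:

```python
from collections import namedtuple
from functools import wraps

Subject = namedtuple("Subject", "name owned_cards")  # owned_cards: cards the rep personally holds
Transaction = namedtuple("Transaction", "trans_number card_number amount")

class AccessDenied(Exception):
    """Raised by the interceptor layer; the business functions never see it."""

def conflict_of_interest(subject, card_number):
    """The policy: a Subject may not act on a transaction for a card he owns."""
    return card_number in subject.owned_cards

def pre_eval(fn):
    """Pre-eval: the card number is in the request, so deny before any data is collected."""
    @wraps(fn)
    def wrapper(subject, card_number, *args, **kwargs):
        if conflict_of_interest(subject, card_number):
            raise AccessDenied(f"{subject.name} may not act on card {card_number}")
        return fn(subject, card_number, *args, **kwargs)
    return wrapper

def post_eval(fn):
    """Post-eval: the card number is only known from the returned data, so check the result."""
    @wraps(fn)
    def wrapper(subject, *args, **kwargs):
        result = fn(subject, *args, **kwargs)  # data is collected first...
        if conflict_of_interest(subject, result.card_number):
            raise AccessDenied(f"{subject.name} may not see {result.trans_number}")  # ...then dropped
        return result
    return wrapper

# Constructed sample data; the card numbers are made up.
TRANSACTIONS = {
    "T-1": Transaction("T-1", "4111-0000-0000-0001", 120),
    "T-2": Transaction("T-2", "5500-0000-0000-0002", 45),
}
REP = Subject("rep_a", frozenset({"4111-0000-0000-0001"}))

@pre_eval  # the business logic below knows nothing about the policy
def process_new_transaction(subject, card_number, amount):
    return Transaction(f"T-{len(TRANSACTIONS) + 1}", card_number, amount)

@post_eval  # request is by trans number; the card is unknown until the data is fetched
def lookup_transaction(subject, trans_number):
    return TRANSACTIONS[trans_number]

def is_denied(fn, *args):
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False
```

The post-eval path still fetches the record before the decision, so in a real deployment the interceptor, not the business function, is the only place that ever holds the denied data.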