FactQualifiers and Constraints

Coordinator
Mar 14, 2007 at 4:23 PM
One point of confusion that we see time and time again is with regard to the difference between FactQualifiers and Constraints. In particular, people tend to assume that because information has been specified in the FactQualifier for a Fact that this information will automatically be enforced by policy. This is not the case. A Fact may contain a FactQualifier that describes the context within which the assertor intended the fact to be applicable. Unlike a Constraint or a Condition, a FactQualifier has no special impact on the evaluation of a query. So if you want your policy to ensure that certain properties relating to the fact qualifiers are true, then you must ensure your policies specify constraints that verify values of the fact qualifiers.

For example, the following claim specifies a FactQualifier that implies the possession fact should only be trusted for the month of December, which on first sight leads many people to believe that the policy would automagically enforce this behavior. This is not the case.
                claims.Add(
                    new Claim(
                        new PossessFact(
                            userPrincipal,
                            new SecPalAttribute(
                                AttributeType.rfc822Name,
                                "Joe@fabrikam.com"),
                            new FactQualifier(
                                new DateTime(DateTime.UtcNow.Year, 12, 1),
                                new DateTime(DateTime.UtcNow.Year, 12, 31),
                                null,
                                TimeSpan.MaxValue))));
The following policy does not have any constraints specified on these FactQualifiers, hence this Claim would evaluate to True at any time of the year.
                claims.Add(
                    new Claim(
                        new CanSayFact(
                            this.stsPrincipal,
                            new PossessFact(
                                new PrincipalVariable("p"),
                                new AttributeVariable("a"),
                                new FactQualifier(
                                    new DateTimeVariable("t1"),
                                    new DateTimeVariable("t2"),
                                    new LocationPatternVariable("f"),
                                    new DurationVariable("ts")))),
                        new Constraint[] {}));
However, if you modify the policy to include a constraint similar to this, the values in the FactQualifier will be verified.
                            // These entries go in the policy's Constraint[] list, which is empty above.
                            new DurationConstraint(
                                "t1", "t2", new TimeSpan(366, 0, 0, 0)),
                            new TemporalConstraint("t1", "t2"),
                            new AttributeMatchConstraint(
                                "a",
                                AttributeType.rfc822Name,
                                @".*@fabrikam\.com")
Sample extracts are from the AttributeScenario in the samples, so feel free to modify the samples to prove this for yourself.
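
The behavior described in the post above, as an added example that is not part of the original post or of the SecPAL samples: a small stand-alone model that evaluates the December-qualified fact in June and in December, once with an empty constraint list and once with constraints that read the qualifier. It does not use the SecPAL API; `QualifiedFact`, `QualifierDemo` and `Evaluate` are hypothetical names, and the meaning given to the three constraints is an assumption.

```csharp
// Added illustration: a minimal model, NOT the SecPAL API.
// All type and member names here are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

// A fact plus the qualifier its assertor attached (validity window T1..T2).
record QualifiedFact(string Rfc822Name, DateTime T1, DateTime T2);

static class QualifierDemo
{
    // A fact is accepted only if every policy constraint holds. The qualifier
    // is plain data: nothing reads it unless a constraint does.
    static bool Evaluate(QualifiedFact f, DateTime now,
        IEnumerable<Func<QualifiedFact, DateTime, bool>> constraints) =>
        constraints.All(c => c(f, now));

    static void Main()
    {
        int year = 2007; // constructed sample values
        var fact = new QualifiedFact("Joe@fabrikam.com",
            new DateTime(year, 12, 1), new DateTime(year, 12, 31));
        var june = new DateTime(year, 6, 15);
        var december = new DateTime(year, 12, 15);

        // Policy 1: empty constraint list, like "new Constraint[] {}".
        var none = new List<Func<QualifiedFact, DateTime, bool>>();

        // Policy 2: assumed meaning of the three constraints in the post.
        var constrained = new List<Func<QualifiedFact, DateTime, bool>>
        {
            // Duration: the qualifier window may span at most 366 days.
            (f, now) => f.T2 - f.T1 <= new TimeSpan(366, 0, 0, 0),
            // Temporal: evaluation time must fall inside the window.
            (f, now) => f.T1 <= now && now <= f.T2,
            // Attribute match: anchored here so a suffix cannot slip through.
            (f, now) => Regex.IsMatch(f.Rfc822Name, @"^.*@fabrikam\.com$"),
        };

        Console.WriteLine($"June, no constraints:     {Evaluate(fact, june, none)}");
        Console.WriteLine($"June, constrained:        {Evaluate(fact, june, constrained)}");
        Console.WriteLine($"December, constrained:    {Evaluate(fact, december, constrained)}");
    }
}
```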