OASIS eXtensible Access Control Markup Language (XACML) TC

[xacml] Fwd: Updated Attribute Designator examples

  • 1.  [xacml] Fwd: Updated Attribute Designator examples

    Posted 08-02-2002 01:02
    See attached message.

    Anne Anderson                       Anne.Anderson@Sun.COM
    Internet Security Research Group, Sun Labs
    Sun Microsystems, Inc., Burlington, MA

    ---  Begin Message  ---
    From: Anne Anderson <aha@ieee.org>
    To: Anne.Anderson@sun.com
    Date: Thu, 1 Aug 2002 20:47:29 -0400 ()

    Cases:
    1. Selecting one attribute value from a subject based on the
       subject having another attribute with a specified value.
    2. CASE: Same as above, but Request has two Subjects that match
       the query.
    3. Target matches a subject with either one attribute and value
       or a different attribute and value.
    4. Target matches a subject having both of two specified
       attributes and values.

    1. CASE: Return Attribute of a subject that has another attribute
       with a specified value.

    Select AttributeID=B for an AccessSubject that has AttributeID=A
    with value C.

    Request example:

      <Subject Category="AccessSubject">
        <Attribute AttributeID="B">
          <AttributeValue>D</AttributeValue>
        </Attribute>
        <Attribute AttributeID="A">
          <AttributeValue>C</AttributeValue>
        </Attribute>
      </Subject>

      <SubjectAttributeDesignator AttributeId="B" Category="AccessSubject">
        <SubjectMatch MatchId="string-equals">
          <SubjectAttributeDesignator AttributeID="A">
          <AttributeValue DataType="xs:string">C</AttributeValue>
        </SubjectMatch>
      </SubjectAttributeDesignator>

    2. CASE: Same as above, but Request has two Subjects that match
       the query.

    Select AttributeID=B for AccessSubject that has AttributeID=A with
    value C.

    Request Context:

      <Subject>
        <Attribute AttributeId="SubjectCategory">
          <AttributeValue DataType="xs:String"> AccessSubject </AttributeValue>
        </Attribute>
        <Attribute AttributeId="SubjectIdentifier">
          <AttributeValue DataType="xacml:x500name"> Anne.Anderson@Sun.COM </AttributeValue>
        </Attribute>
        <Attribute AttributeID="B">
          <AttributeValue> D </AttributeValue>
        </Attribute>
        <Attribute AttributeID="A">
          <AttributeValue> C </AttributeValue>
        </Attribute>
      </Subject>
      <Subject>
        <Attribute AttributeId="SubjectCategory">
          <AttributeValue DataType="xs:String"> AccessSubject </AttributeValue>
        </Attribute>
        <Attribute AttributeId="SubjectIdentifier">
          <AttributeValue> Anne </AttributeValue>
        </Attribute>
        <Attribute AttributeID="B">
          <AttributeValue> E </AttributeValue>
        </Attribute>
        <Attribute AttributeID="A">
          <AttributeValue> C </AttributeValue>
        </Attribute>
      </Subject>

      <SubjectAttributeDesignator AttributeId="B">
        <SubjectMatch MatchId="string-equals">
          <SubjectAttributeDesignator AttributeId="SubjectCategory">
            <SubjectMatch MatchId="string-equals">
              <SubjectAttributeDesignator AttributeID="A">
                <AttributeValue DataType="xs:string"> C </AttributeValue>
              </SubjectAttributeDesignator>
            </SubjectMatch>
            <AttributeValue DataType="xs:string"> AccessSubject </AttributeValue>
          </SubjectAttributeDesignator>
        </SubjectMatch>
      </SubjectAttributeDesignator>

    This returns a sequence of two Attributes with AttributeId="B", one
    with value D and one with value E, since there are two separate
    <Subject>s in the context that match this specification.

    3. CASE: Target matches a subject with either one attribute and
       value or a different attribute and value.

    Want to have Target that matches either Context <Subjects> that
    have AttributeID=B with value C OR Context <Subjects> that have
    AttributeId="D" with value "E".

      <Target>
        <Subjects>
          <Subject>
            <SubjectMatch MatchId="string-equals">
              <SubjectAttributeDesignator AttributeID="B">
              <AttributeValue DataType="xs:string"> C </AttributeValue>
            </SubjectMatch>
          </Subject>
          <Subject>
            <SubjectMatch MatchId="string-equals">
              <SubjectAttributeDesignator AttributeID="D">
              <AttributeValue DataType="xs:string"> E </AttributeValue>
            </SubjectMatch>
          </Subject>
        </Subjects>
      </Target>

    4. CASE: Target matches Requests containing a subject having both
       of two specified attributes and values.

      <Target>
        <Subjects>
          <Subject>
            <SubjectMatch MatchId="string-equals">
              <SubjectAttributeDesignator AttributeId="SubjectId">
                <SubjectMatch MatchId="string-equals">
                  <SubjectAttributeDesignator AttributeId="Format"/>
                  <AttributeValue DataType="xs:string"> X500Name </AttributeValue>
                </SubjectMatch>
              </SubjectAttributeDesignator>
              <AttributeValue DataType="xs:string"> C </AttributeValue>
            </SubjectMatch>
          </Subject>
        </Subjects>
        <anyResource/>
        <anyAction/>
      </Target>

    5. CASE: Target matches Requests containing one subject having
       both of two specified attributes AND another subject having one
       specified attribute.

      <Target>
        <Subjects>
          <Subject>
            <SubjectMatch MatchId="string-equals">
              <SubjectAttributeDesignator AttributeID="SubjectId">
                <SubjectMatch MatchId="string-equals">
                  <SubjectAttributeDesignator AttributeId="Format"/>
                  <AttributeValue DataType="xs:string"> X500Name </AttributeValue>
                </SubjectMatch>
              </SubjectAttributeDesignator>
              <AttributeValue DataType="xs:string"> C </AttributeValue>
            </SubjectMatch>
            <SubjectMatch MatchId="string-equals">
              <SubjectAttributeDesignator AttributeID="SubjectId">
              <AttributeValue DataType="xs:string"> C </AttributeValue>
            </SubjectMatch>
          </Subject>
        </Subjects>
        <anyResource/>
        <anyAction/>
      </Target>

    ---  End Message  ---
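
    Added example, not part of the original message or of the XACML specification: a small evaluator for the selection in cases 1-2 and the OR/AND target matching in cases 3-4, showing that every match is tested against one <Subject> at a time so attributes of different subjects are never combined. The request below is constructed, and the uniform AttributeId spelling, the missing namespaces, the whitespace trimming and all function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed request context modelled on case 2, plus a third Subject with A = Z.
REQUEST = """<Request>
  <Subject>
    <Attribute AttributeId="SubjectCategory"><AttributeValue> AccessSubject </AttributeValue></Attribute>
    <Attribute AttributeId="B"><AttributeValue> D </AttributeValue></Attribute>
    <Attribute AttributeId="A"><AttributeValue> C </AttributeValue></Attribute>
  </Subject>
  <Subject>
    <Attribute AttributeId="SubjectCategory"><AttributeValue> AccessSubject </AttributeValue></Attribute>
    <Attribute AttributeId="B"><AttributeValue> E </AttributeValue></Attribute>
    <Attribute AttributeId="A"><AttributeValue> C </AttributeValue></Attribute>
  </Subject>
  <Subject>
    <Attribute AttributeId="SubjectCategory"><AttributeValue> AccessSubject </AttributeValue></Attribute>
    <Attribute AttributeId="B"><AttributeValue> F </AttributeValue></Attribute>
    <Attribute AttributeId="A"><AttributeValue> Z </AttributeValue></Attribute>
  </Subject>
</Request>"""

def subject_attrs(subject):
    """Map AttributeId -> list of values (whitespace trimmed) for one <Subject>."""
    attrs = {}
    for attr in subject.findall("Attribute"):
        values = [(v.text or "").strip() for v in attr.findall("AttributeValue")]
        attrs.setdefault(attr.get("AttributeId"), []).extend(values)
    return attrs

def has_all(attrs, required):
    """string-equals on every (id, value) pair, all against the SAME subject."""
    return all(value in attrs.get(attr_id, []) for attr_id, value in required)

def select(request, wanted_id, required):
    """Cases 1-2: values of wanted_id from each Subject that satisfies `required`."""
    out = []
    for subject in request.findall("Subject"):
        attrs = subject_attrs(subject)
        if has_all(attrs, required):
            out.extend(attrs.get(wanted_id, []))
    return out

def target_matches(request, alternatives):
    """Cases 3-4: each alternative is an AND-list; the alternatives are ORed."""
    subjects = [subject_attrs(s) for s in request.findall("Subject")]
    return any(has_all(a, alt) for alt in alternatives for a in subjects)

request = ET.fromstring(REQUEST)
```

    Pooling the attributes of all subjects before matching would let A = Z from one subject and B = D from another satisfy a "both attributes" target that no single subject meets.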