Example of attribute designators without XPath.
Supporting schemas are included (the schemas cover only the updated types).
This example builds on my previous post on selectors and designators, and on the XML document use case
submitted by Michiharu. The flat context was proposed earlier by Michiharu Kudo and
Tim Moses.
Example 1: a person may read any record for which
he or she is the designated patient.
See the core spec for the medical record
definition.
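<!-- Example 1: a person may read any record for which he or she is the designated patient.
     Corrections relative to the posted listing: <AnySubject> and <AnyAction> were left unclosed
     (the document was not well-formed), the Condition's DataType attribute was missing its
     closing quote, the "xamcl" misspelling in the resource-uri AttributeId is corrected (a
     misspelt AttributeId is never matched, so the policy would silently never apply), the
     Node AttributeValue is written without surrounding line breaks so no whitespace becomes
     part of the XPath string, and the "m" prefix used in the AttributeSelector Path is now
     declared on that element - it was only declared on the Rule's AttributeValue, so it was
     unbound where the XPath is actually evaluated. -->
<Policy PolicyId="RecordOwnerPolicy">
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Resources>
      <!-- Any resource whose URI string-matches the records subtree. The trailing "*" is a
           broad wildcard; it is the Rule's Condition below that narrows access to the
           requester's own record, so the policy is only as tight as that Condition. -->
      <Resource MatchId="function:string-match" DataType="xs:boolean">
        <ResourceAttributeDesignator
            AttributeId="urn:oasis:names:tc:xacml:identifiers:resource-uri"
            DataType="xs:anyURI"/>
        <AttributeValue DataType="xs:string">//medico.com/record*</AttributeValue>
      </Resource>
    </Resources>
    <Actions>
      <Action MatchId="function:subset" DataType="xs:boolean">
        <ActionAttributeDesignator
            AttributeId="urn:oasis:names:tc:xacml:action:ufs"
            DataType="xs:string"/>
        <AttributeValue DataType="xs:string">read</AttributeValue>
      </Action>
    </Actions>
  </Target>
  <RuleSet>
    <Rule RuleId="id:100">
      <Target>
        <Subjects>
          <AnySubject/>
        </Subjects>
        <Resources>
          <!-- Matches when the requested node is any element of the record document carried
               in ResourceContent. The namespace URI "//medico.com/records.xsd" is only an
               identifier; a PDP must not fetch anything from it. -->
          <Resource MatchId="function:node-equal" DataType="xs:boolean">
            <ResourceAttributeDesignator AttributeId="Node" DataType="xs:string"/>
            <AttributeValue DataType="xs:string"
                xmlns:xc="urn:oasis:names:tc:xacml:context"
                xmlns:m="//medico.com/records.xsd">/xc:XacmlContext/xc:Request/xc:Resource/xc:ResourceContent/m:*</AttributeValue>
          </Resource>
        </Resources>
        <Actions>
          <AnyAction/>
        </Actions>
      </Target>
      <!-- Permit only when the requester's rfc822Name equals the patientName selected from
           ResourceContent. Because that content travels inside the Request, the PEP/PDP
           must make sure it is the authoritative record and not a value the requester
           supplied; otherwise the ownership check compares against attacker-chosen data. -->
      <Condition FunctionId="function:string-equal" DataType="xs:boolean">
        <SubjectAttributeDesignator
            AttributeId="urn:oasis:names:tc:xacml:identifier:rfc822Name"
            DataType="urn:oasis:names:tc:xacml:identifier:rfc822Name"
            SubjectCategory="urn:oasis:names:tc:xacml:identifier:access-subject"/>
        <AttributeSelector Format="urn:names:xpath"
            xmlns:xc="urn:oasis:names:tc:xacml:context"
            xmlns:m="//medico.com/records.xsd"
            Path="/xc:XacmlContext/xc:Request/xc:Resource/xc:ResourceContent/m:record/m:patient/m:patientName"/>
      </Condition>
    </Rule>
  </RuleSet>
</Policy>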
Simon