OASIS eXtensible Access Control Markup Language (XACML) TC


Re: [xacml] How do I require subject not to be a member of a given group?

Posted 08-21-2002 16:36

    We currently take the values returned from *AttributeDesignator* to be
    sequences of a certain type, and those types are understood to be within
    the "xs:" namespace, which are simplistic, or should I say "primitive"
    types.
    
    Now, if we choose to make xacml:sequence-* types, we have to make more
    functions to handle them.
    
    This situation means you have to come up with a whole new array of
    functions. If an AttributeValue has these xacml:sequence-string types,
    then an *AttributeDesignator* returns a sequence-<xacml:sequence-string>.
    
    The two types xacml:sequence-string and "sequence:<xs:string>" are NOT the
    same.
    
    This leads to problems with the *Match* elements such as SubjectMatch.
    What function do you specify when the AttributeDesignator returns a
    sequence-<xacml:sequence-string>?
    
    -Polar
    
    On Wed, 21 Aug 2002, Anne Anderson wrote:
    
    > Daniel: This may be a use case for your issue with specifying a
    > sequence in an AttributeValue.  Could you let me know if this is
    > the correct way to do it?
    >
    > Rule in English: Any subject who is not a member of the
    > "convicted-felons" group may perform any action on any resource.
    >
    > Rule in  XACML:
    >
    >     <Rule
    >           RuleId="identifier:conformance-test:IIC008:rule"
    >           Effect="Permit">
    >         <Description>
    >             Any subject who is not a member of the
    >             convicted-felons group may perform any action on any
    >             resource.
    >         </Description>
    >         <Target>
    >             <Subjects>
    >                 <AnySubject/>
    >             </Subjects>
    >             <Resources>
    >                 <AnyResource/>
    >             </Resources>
    >             <Actions>
    >                 <AnyAction/>
    >             </Actions>
    >         </Target>
    >         <Condition FunctionId="function:integer-equal">
    >             <Apply FunctionId="function:integer-length">
    >                 <Apply FunctionId="function:string-intersection">
    >                     <SubjectAttributeDesignator
    >                           AttributeId="identifier:conformance-test:group"
    >                           DataType="xacml:sequence-string"/>
    >                     <AttributeValue
    >                           DataType="xacml:sequence-string">
    >                         <AttributeValue
    >                               DataType="xs:string">convicted-felon</AttributeValue>
    >                     </AttributeValue>
    >                 </Apply>
    >             </Apply>
    >             <AttributeValue
    >                   DataType="xs:integer">0</AttributeValue>
    >         </Condition>
    >     </Rule>
    >
    >
    >
    > --
    > Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    > Sun Microsystems Laboratories
    > 1 Network Drive,UBUR02-311     Tel: 781/442-0928
    > Burlington, MA 01803-0902 USA  Fax: 781/442-1692
    >
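Worked example, added here as an illustration and not part of the thread, nor OASIS or Sun code: a small Python evaluator that parses the <Condition> from Anne's rule and runs it against a subject's attribute bag. Everything beyond the rule text itself is an assumption made for the example: the three FunctionIds are dispatched through a lookup table with bag semantics (string-intersection keeps the values found in both bags and drops duplicates, integer-length is the bag size), a SubjectAttributeDesignator returns the bag of values the request context holds for its AttributeId (an empty bag when it holds none), and the nested xacml:sequence-string AttributeValue and the designator's sequence of xs:string are both collapsed into one Python list, which is precisely the identification Polar says the two types do not have. The request contexts at the bottom are constructed. The third one is the case worth checking before deploying a "not a member of" rule written this way: a subject whose group attribute is missing from the context (for instance because the attribute source returned nothing) yields an empty intersection, so the Condition is true and the rule permits.

```python
# Added example: a minimal evaluator for the <Condition> in Anne's rule.
# Not OASIS or Sun code. Function semantics, the request-context lookup and
# the sample subjects below are assumptions made for this illustration.
import xml.etree.ElementTree as ET

# The Condition element from the rule in the thread, verbatim.
CONDITION_XML = """
<Condition FunctionId="function:integer-equal">
    <Apply FunctionId="function:integer-length">
        <Apply FunctionId="function:string-intersection">
            <SubjectAttributeDesignator
                  AttributeId="identifier:conformance-test:group"
                  DataType="xacml:sequence-string"/>
            <AttributeValue DataType="xacml:sequence-string">
                <AttributeValue DataType="xs:string">convicted-felon</AttributeValue>
            </AttributeValue>
        </Apply>
    </Apply>
    <AttributeValue DataType="xs:integer">0</AttributeValue>
</Condition>
"""

GROUP_ATTR = "identifier:conformance-test:group"


def string_intersection(left, right):
    """Assumed bag semantics: values present in both bags, duplicates removed."""
    right_set = set(right)
    result = []
    for value in left:
        if value in right_set and value not in result:
            result.append(value)
    return result


# Assumed dispatch table for the three FunctionIds the rule uses.
FUNCTIONS = {
    "function:integer-equal": lambda a, b: a == b,
    "function:integer-length": lambda bag: len(bag),
    "function:string-intersection": string_intersection,
}


def parse_attribute_value(elem):
    """Turn an <AttributeValue> into a Python value; sequence-string becomes a list."""
    data_type = elem.get("DataType")
    if data_type == "xs:integer":
        return int(elem.text.strip())
    if data_type == "xs:string":
        return elem.text or ""
    if data_type == "xacml:sequence-string":
        # Nested AttributeValue children form the bag (the collapse Polar objects to).
        return [parse_attribute_value(child) for child in elem]
    raise ValueError("unsupported DataType: %s" % data_type)


def evaluate(elem, subject_attrs):
    """Recursively evaluate Condition/Apply/Designator/AttributeValue elements.

    subject_attrs maps AttributeId -> list of string values from the request
    context; a missing AttributeId is treated as an empty bag.
    """
    if elem.tag == "AttributeValue":
        return parse_attribute_value(elem)
    if elem.tag == "SubjectAttributeDesignator":
        return list(subject_attrs.get(elem.get("AttributeId"), []))
    if elem.tag in ("Condition", "Apply"):
        function = FUNCTIONS[elem.get("FunctionId")]
        args = [evaluate(child, subject_attrs) for child in elem]
        return function(*args)
    raise ValueError("unsupported element: %s" % elem.tag)


def decide(subject_attrs):
    """Rule outcome: Permit when the Condition holds, else NotApplicable
    (the Target matches any subject, resource and action)."""
    condition = ET.fromstring(CONDITION_XML.strip())
    return "Permit" if evaluate(condition, subject_attrs) else "NotApplicable"


if __name__ == "__main__":
    # Constructed sample request contexts for the example.
    samples = {
        "member of convicted-felon": {GROUP_ATTR: ["staff", "convicted-felon"]},
        "member of other groups only": {GROUP_ATTR: ["staff", "auditors"]},
        "group attribute absent from context": {},
    }
    for label, attrs in samples.items():
        print("%-40s -> %s" % (label, decide(attrs)))
```

The third sample is the one to watch: an absent attribute and a subject who is genuinely not a felon look identical to this Condition, so anything that can make the group attribute go missing (a lookup failure, a renamed AttributeId) turns into a Permit.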
    
    
    

