Attached is a concrete proposal for a possibly simpler AttributeDesignator syntax. It does not require XPATH, and is capable of supporting other query formats. It requires more work, but I want to see if people are interested in pursuing this approach.

Anne

--
Anne H. Anderson                 Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311       Tel: 781/442-0928
Burlington, MA 01803-0902 USA    Fax: 781/442-1692

Title:   AttributeDesignators without XPATH
Author:  Anne Anderson
Version: 1.2, 02/07/23 (yy/mm/dd)
Source:  /home/aa74233/projects/xacml/SCCS/s.SimpleTargets.txt

One possible way to simplify AttributeDesignator is to make it a set of attribute values that are to be matched against attribute values present in the Request. The semantics of an AttributeDesignator become:

    "return the requested value(s) where all specified xml attribute values match"

This has the advantage (for at least some people) of not requiring support for XPATH. If the value you want to select is a sub-element of an Attribute in the Request, I have provided a way for you to specify the "path" to that sub-element. The default format for such a path is XPATH 1.0, but I provide a way to specify other formats.

Below are possible schemas for the Request Subject and for the Policy SubjectAttributeDesignator that illustrate this approach. If it seems worth pursuing, I will produce schemas for Resource, Action, ResourceAttributeDesignator, and ActionAttributeDesignator as well.

-Anne

A. Request Context Subject element

<xs:complexType name="SubjectType">
  <xs:sequence>
    <xs:element name="Attribute" type="xacmlContext:AttributeType"
                minOccurs="0" maxOccurs="unbounded"/>
    <!-- an Attribute can be a ds:KeyInfo -->
  </xs:sequence>
  <xs:attribute name="SubjectCategory" type="xs:anyURI" default="identifier:AccessSubject"/>
  <xs:attribute name="SubjectIdFormat" type="xs:anyURI" default="xs:string"/>
  <xs:attribute name="SubjectIdQualifier" type="xs:string" use="optional"/>
  <xs:attribute name="SubjectId" type="xs:string" use="optional"/>
</xs:complexType>

B. SubjectAttributeDesignator

<xs:complexType name="SubjectAttributeDesignatorType">
  <xs:attribute name="SubjectCategory" type="xs:anyURI" default="identifier:AccessSubject"/>
  <xs:attribute name="SubjectIdFormat" type="xs:anyURI" default="xs:string"/>
  <xs:attribute name="SubjectIdQualifier" type="xs:string" use="optional"/>
  <xs:attribute name="SubjectId" type="xs:string" use="optional"/>
  <xs:attribute name="AttributeName" type="xs:string" use="optional"/>
  <xs:attribute name="AttributeNamespace" type="xs:anyURI" use="optional"/>
  <!-- Namespace is required if Name is present -->
  <xs:attribute name="AttributeIssuer" type="xs:anyURI" use="optional"/>
  <xs:attribute name="AttributeIssueInstant" type="xs:dateTime" use="optional"/>
  <xs:attribute name="AttributePath" type="xs:any" use="optional"/>
  <!-- Used when DataElement is "AttributeValue" and you want a sub-element
       of the Attribute value -->
  <xs:attribute name="AttributePathFormat" type="xs:urn" default="xs:oasis:1.0:XPATH"/>
  <xs:attribute name="DataType" type="xs:urn" use="required"/>
  <xs:attribute name="DataElement" type="SubjectDataElementType" use="required"/>
  <!-- this attribute indicates the actual data you want to select -->
</xs:complexType>

<xs:simpleType name="SubjectDataElementType">
  <xs:restriction base="xs:string">
    <xs:enumeration value="SubjectCategory"/>
    <xs:enumeration value="SubjectIdFormat"/>
    <xs:enumeration value="SubjectIdQualifier"/>
    <xs:enumeration value="SubjectId"/>
    <xs:enumeration value="AttributeName"/>
    <xs:enumeration value="AttributeNamespace"/>
    <xs:enumeration value="AttributeIssuer"/>
    <xs:enumeration value="AttributeIssueInstant"/>
    <xs:enumeration value="AttributeValue"/>
  </xs:restriction>
</xs:simpleType>

A list of data elements is returned, consisting of all entries under Request/Subject for which all specified xml attributes match.

C.
Example:

Request in English: A user with role "System Administrator" and date of birth "11/6/50" requests access to a resource from code that was downloaded from "file:/net/base/classes/app.jar". The code was signed by "cn=Corporate Auditor, o=Acme Corp, c=US" and by "cn=AppSigner, o=Acme Corp, c=us".

<Request>
  <Subject SubjectCategory="urn:j2se:XACML:subjectcategories:CodeSource"
           SubjectIdFormat="url"
           SubjectId="file:/net/base/classes/app.jar">
    <Attribute AttributeId="urn:j2se:XACML:attributes:CodeSigner"
               DataType="urn:x500:DistinguishedName">
      "cn=AppSigner, o=Acme Corp, c=US"
    </Attribute>
    <Attribute AttributeId="urn:j2se:XACML:attributes:CodeSigner"
               Issuer="urn:acme:cn=CFO,o=Acme_Corp,c=US"
               DataType="urn:x500:DistinguishedName">
      "cn=Corporate Auditor, o=Acme Corp, c=US"
    </Attribute>
  </Subject>
  <Subject>
    <Attribute AttributeId="urn:role" DataType="xs:string">
      "System Administrator"
    </Attribute>
    <Attribute AttributeId="urn:dateOfBirth" DataType="xs:dateTime">
      "11/6/50"
    </Attribute>
  </Subject>
  <Resource>
    ....
  <Action>
    ....
</Request>

Rule in English: Only a system administrator is allowed to access Resource X, and only from code signed by the Corporate Auditor.

<Rule RuleId="urn:Acme:rules:Rule1" Effect="Permit">
  <Target>
    <Subjects MatchId="function:alwaysTRUE"/>
    <Resources MatchId="function:string-equal">
      <ResourceAttributeDesignator Format="xs:string" DataElement="ResourceId"/>
      <Attribute DataType="xs:string"> "X" </Attribute>
    </Resources>
    <Actions MatchId="function:alwaysTRUE"/>
  </Target>
  <Condition FunctionId="function:and">
    <Function FunctionId="function:string-equals">
      <SubjectAttributeDesignator Format="xs:string"
                                  DataElement="AttributeValue"
                                  AttributeName="urn:role"/>
      <Attribute DataType="xs:string"> "System Administrator" </Attribute>
    </Function>
    <Function FunctionId="function:string-equals">
      <SubjectAttributeDesignator Format="urn:x500:DistinguishedName"
                                  DataElement="AttributeValue"
                                  AttributeName="urn:j2se:XACML:attributes:CodeSigner"/>
      <Attribute DataType="xs:string"> "cn=Corporate Auditor, o=Acme Corp, c=US" </Attribute>
    </Function>
  </Condition>
</Rule>
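The following is an added worked example and not part of Anne Anderson's proposal or of any XACML implementation: a small Python model of the proposed designator semantics ("return the requested value(s) where all specified xml attributes match"), run against the CodeSource/role Request above and the condition of Rule1. It assumes that a designator's AttributeName is matched against the Request's AttributeId attribute (the spelling the example Request uses), that AttributeIssuer is matched against the Request's Issuer attribute, that an AttributePath is an ElementTree-style path (a subset of the proposal's default XPATH 1.0, without namespace prefixes), and that string-equals over the returned list means "some member equals"; the proposal does not say how a multi-valued result is compared. The surrounding quote characters in the example values are dropped so that the element text is the bare value.

```python
import xml.etree.ElementTree as ET

# Constructed Request, transcribed from the proposal's example
# (Resource and Action omitted, value quotes dropped).
REQUEST_XML = """<Request>
  <Subject SubjectCategory="urn:j2se:XACML:subjectcategories:CodeSource"
           SubjectIdFormat="url" SubjectId="file:/net/base/classes/app.jar">
    <Attribute AttributeId="urn:j2se:XACML:attributes:CodeSigner"
               DataType="urn:x500:DistinguishedName">cn=AppSigner, o=Acme Corp, c=US</Attribute>
    <Attribute AttributeId="urn:j2se:XACML:attributes:CodeSigner"
               Issuer="urn:acme:cn=CFO,o=Acme_Corp,c=US"
               DataType="urn:x500:DistinguishedName">cn=Corporate Auditor, o=Acme Corp, c=US</Attribute>
  </Subject>
  <Subject>
    <Attribute AttributeId="urn:role" DataType="xs:string">System Administrator</Attribute>
    <Attribute AttributeId="urn:dateOfBirth" DataType="xs:dateTime">11/6/50</Attribute>
  </Subject>
</Request>"""

SUBJECT_FIELDS = ("SubjectCategory", "SubjectIdFormat", "SubjectIdQualifier", "SubjectId")
# Defaults taken from the proposal's SubjectType schema.
SUBJECT_DEFAULTS = {"SubjectCategory": "identifier:AccessSubject", "SubjectIdFormat": "xs:string"}
# Designator field -> XML attribute on Request/Subject/Attribute.  Assumed
# mapping: the proposal's example Request spells the name as AttributeId.
ATTRIBUTE_FIELDS = {"AttributeName": "AttributeId", "AttributeNamespace": "AttributeNamespace",
                    "AttributeIssuer": "Issuer", "AttributeIssueInstant": "IssueInstant"}
DATA_ELEMENTS = SUBJECT_FIELDS + tuple(ATTRIBUTE_FIELDS) + ("AttributeValue",)

CORPORATE_AUDITOR = "cn=Corporate Auditor, o=Acme Corp, c=US"
CFO_ISSUER = "urn:acme:cn=CFO,o=Acme_Corp,c=US"


def parse_request(xml_text=REQUEST_XML):
    return ET.fromstring(xml_text)


def _all_match(node, wanted, name_map, defaults):
    """True when every specified designator field equals the node's XML attribute."""
    return all(node.get(name_map.get(f, f), defaults.get(f)) == v for f, v in wanted.items())


def select(root, DataElement, AttributePath=None, **designator):
    """Evaluate a SubjectAttributeDesignator: the list of DataElement values
    from every Subject (and Subject/Attribute) in the Request for which all
    specified fields match.  Unspecified fields act as wildcards."""
    if DataElement not in DATA_ELEMENTS:
        raise ValueError("unknown DataElement: %s" % DataElement)
    unknown = set(designator) - set(SUBJECT_FIELDS) - set(ATTRIBUTE_FIELDS)
    if unknown:
        raise ValueError("unknown designator field(s): %s" % sorted(unknown))
    subj_wanted = {f: v for f, v in designator.items() if f in SUBJECT_FIELDS}
    attr_wanted = {f: v for f, v in designator.items() if f in ATTRIBUTE_FIELDS}
    results = []
    for subject in root.findall("Subject"):
        if not _all_match(subject, subj_wanted, {}, SUBJECT_DEFAULTS):
            continue
        attrs = [a for a in subject.findall("Attribute")
                 if _all_match(a, attr_wanted, ATTRIBUTE_FIELDS, {})]
        if DataElement in SUBJECT_FIELDS:
            # Subject-level data: one entry per matching Subject; when attribute
            # fields were specified, the Subject must hold at least one match.
            if attrs or not attr_wanted:
                results.append(subject.get(DataElement, SUBJECT_DEFAULTS.get(DataElement)))
            continue
        for attr in attrs:
            if DataElement != "AttributeValue":
                results.append(attr.get(ATTRIBUTE_FIELDS[DataElement]))
            elif AttributePath is None:
                results.append((attr.text or "").strip())
            else:
                # Sub-element of a structured value, addressed by an
                # ElementTree path (subset of the proposal's default XPATH 1.0).
                results.extend((n.text or "").strip() for n in attr.findall(AttributePath))
    return results


def rule1_condition(root, signer_issuer=None):
    """Condition of the proposal's Rule1.  string-equals over the returned
    list is modelled as 'some member equals' (an assumption).  Passing
    signer_issuer adds AttributeIssuer to the CodeSigner designator."""
    roles = select(root, "AttributeValue", AttributeName="urn:role")
    signer_fields = {"AttributeName": "urn:j2se:XACML:attributes:CodeSigner"}
    if signer_issuer is not None:
        signer_fields["AttributeIssuer"] = signer_issuer
    signers = select(root, "AttributeValue", **signer_fields)
    return "System Administrator" in roles and CORPORATE_AUDITOR in signers


if __name__ == "__main__":
    req = parse_request()
    print(select(req, "AttributeValue", AttributeName="urn:j2se:XACML:attributes:CodeSigner"))
    print(rule1_condition(req), rule1_condition(req, signer_issuer=CFO_ISSUER))
```

The point worth noticing when running this is the wildcard behaviour of unspecified fields. Rule1's CodeSigner designator names only AttributeName, so it returns both signer values, including the one that carries no Issuer; adding AttributeIssuer to the designator narrows the result to the CFO-issued assertion, which is the form a policy writer would want when the rule's intent is "signed by the Corporate Auditor" as vouched for by a specific issuer.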