The examples are a step forward, but they need to be valid per the wd-17 schema and use the proposed IPC attribute ids. One way to create valid XML is to use a schema-aware XML editor. I just updated http://wiki.oasis-open.org/xacml/RelaxNG_Schemas with the wd-17 schema for the benefit of those who use emacs nxml-mode or some other RelaxNG tool.

I’ve attached a partially-corrected version of the first policy; it is schema-valid but still has some nonstandard AttributeIds. Also attached is an HTML view of the policy which employs a graphical notation to show attribute constraints in target matches and conditions.

I will have more comments on the business intent of the policies, but my first impression is that they are more academic in nature than real-world. Copyrights and trademarks are by definition already protected IP, and although XACML can be used to enforce license agreements around these types of IP, I do not see that as the biggest challenge in this space. The trade secret policy is meatier; I will have more comments and some alternate approaches for this.

Regards,
--Paul

From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of John Tolbert
Sent: Friday, October 14, 2011 12:27
To: xacml@lists.oasis-open.org
Subject: [xacml] Groups - IPC WD-05 uploaded

Submitter's message
WD-05 contains sample requests and policies.
-- Mr. John Tolbert

Document Name: IPC WD-05
Description: XACML Intellectual Property Controls profile, working draft 5
Submitter: Mr. John Tolbert
Group: OASIS eXtensible Access Control Markup Language (XACML) TC
Folder: Specifications and Working Drafts
Date submitted: 2011-10-14 10:26:53

Attachment (HTML view of the policy):

Title: copyright-approve
Policy: copyright-approve
Version: 1
Description: Example access control policy for copyright material

Target
  This policy applies to requests that meet the following conditions.
    string-equal COPYRIGHT Resource@ip-type

Rules
  The rule combining algorithm is deny-overrides.

  Rule: right to use copyrighted material match
    allow if subject's association to the designated custodian of the copyright agrees
    Target
      This policy applies to requests that meet the following conditions.
        and
          string-equal Wiley Corp Subject@Organizational-Affiliation
          string-equal CR101 Subject@Agreement-Designator
          string-equal CR101 Resource@agreement-designator
          string-equal Acme Resource@ip-owner
          string-equal Wiley Corp Resource@ip-designee
    Condition
      IF
        and
          date-greater-than-or-equal
            date-one-and-only Environment@current-date
            date-one-and-only Resource@effective-date
          date-less-than-or-equal
            date-one-and-only Environment@current-date
            date-one-and-only Resource@expiration-date
      THEN Permit

Obligations
  Obligation: urn:oasis:names:tc:ipc:1.0:obligation:encrypt
    Fulfill on Permit
  Obligation: urn:oasis:names:tc:ipc:1.0:obligation:marking
    Fulfill on Permit
    Attribute assignments
      id: urn:oasis:names:tc:xacml:2.0:example:attribute:text
      value: ©2011 Acme

Attachment (partially-corrected policy XML):

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="copyright-approve"
        Version="1"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Description>Example access control policy for copyright material</Description>
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">COPYRIGHT</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:ip-type"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="false"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule RuleId="right to use copyrighted material match" Effect="Permit">
    <Description>allow if subject's association to the designated custodian of the copyright agrees</Description>
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Wiley Corp</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                 AttributeId="Organizational-Affiliation"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="false"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CR101</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                 AttributeId="Agreement-Designator"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="false"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CR101</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                 AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:agreement-designator"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="false"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Acme</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                 AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:ip-owner"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="false"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Wiley Corp</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                 AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:ip-designee"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date"
                                 DataType="http://www.w3.org/2001/XMLSchema#date"
                                 MustBePresent="false"/>
          </Apply>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                 AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:effective-date"
                                 DataType="http://www.w3.org/2001/XMLSchema#date"
                                 MustBePresent="false"/>
          </Apply>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date"
                                 DataType="http://www.w3.org/2001/XMLSchema#date"
                                 MustBePresent="false"/>
          </Apply>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                 AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:expiration-date"
                                 DataType="http://www.w3.org/2001/XMLSchema#date"
                                 MustBePresent="false"/>
          </Apply>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <ObligationExpressions>
    <ObligationExpression ObligationId="urn:oasis:names:tc:ipc:1.0:obligation:encrypt" FulfillOn="Permit"/>
    <ObligationExpression ObligationId="urn:oasis:names:tc:ipc:1.0:obligation:marking" FulfillOn="Permit">
      <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">©2011 Acme</AttributeValue>
      </AttributeAssignmentExpression>
    </ObligationExpression>
  </ObligationExpressions>
</Policy>
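The following is an added example and is not part of this thread or of the IPC working draft: a minimal Python evaluator run against a trimmed copy of the copyright-approve policy above (the policy-level ip-type target, two of the rule's six matches, the complete date-window condition and both obligations; the categories, AttributeIds, DataTypes and FunctionIds are the ones the policy uses). The request context, the builder that produces it and its default effective and expiration dates are constructed for the example. Rule combining follows the legacy deny-overrides pseudocode from XACML 3.0 Appendix C; only the five functions this policy calls are implemented. It shows the three outcomes an enforcement point has to be ready for: Permit with both obligation ids inside the date window, NotApplicable (not Deny) when the window or a string match fails, and Indeterminate when an attribute the condition needs is absent, which is what happens here because every designator is MustBePresent="false" and date-one-and-only then fails on an empty bag.

```python
# Minimal XACML 3.0 evaluator for a trimmed copy of the copyright-approve policy
# (added example; request builder and its dates are constructed, not from the draft).
import xml.etree.ElementTree as ET
from datetime import date

X = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"          # wd-17 namespace
F = "urn:oasis:names:tc:xacml:1.0:function:"
SUBJ = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RES = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
IPC = "urn:oasis:names:tc:xacml:3.0:profiles:ipc:"
NOW = "urn:oasis:names:tc:xacml:1.0:environment:current-date"
S, D = "http://www.w3.org/2001/XMLSchema#string", "http://www.w3.org/2001/XMLSchema#date"

# Policy target, two of the rule's six matches, the full date-window condition, both obligations.
POLICY = f"""<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="copyright-approve" Version="1"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
 <Target><AnyOf><AllOf><Match MatchId="{F}string-equal"><AttributeValue DataType="{S}">COPYRIGHT</AttributeValue>
  <AttributeDesignator Category="{RES}" AttributeId="{IPC}ip-type" DataType="{S}" MustBePresent="false"/></Match>
 </AllOf></AnyOf></Target>
 <Rule RuleId="right to use copyrighted material match" Effect="Permit">
  <Target><AnyOf><AllOf>
   <Match MatchId="{F}string-equal"><AttributeValue DataType="{S}">Wiley Corp</AttributeValue>
    <AttributeDesignator Category="{SUBJ}" AttributeId="Organizational-Affiliation" DataType="{S}" MustBePresent="false"/></Match>
   <Match MatchId="{F}string-equal"><AttributeValue DataType="{S}">Wiley Corp</AttributeValue>
    <AttributeDesignator Category="{RES}" AttributeId="{IPC}ip-designee" DataType="{S}" MustBePresent="false"/></Match>
  </AllOf></AnyOf></Target>
  <Condition><Apply FunctionId="{F}and">
   <Apply FunctionId="{F}date-greater-than-or-equal">
    <Apply FunctionId="{F}date-one-and-only"><AttributeDesignator Category="{ENV}" AttributeId="{NOW}" DataType="{D}" MustBePresent="false"/></Apply>
    <Apply FunctionId="{F}date-one-and-only"><AttributeDesignator Category="{RES}" AttributeId="{IPC}effective-date" DataType="{D}" MustBePresent="false"/></Apply>
   </Apply>
   <Apply FunctionId="{F}date-less-than-or-equal">
    <Apply FunctionId="{F}date-one-and-only"><AttributeDesignator Category="{ENV}" AttributeId="{NOW}" DataType="{D}" MustBePresent="false"/></Apply>
    <Apply FunctionId="{F}date-one-and-only"><AttributeDesignator Category="{RES}" AttributeId="{IPC}expiration-date" DataType="{D}" MustBePresent="false"/></Apply>
   </Apply>
  </Apply></Condition>
 </Rule>
 <ObligationExpressions>
  <ObligationExpression ObligationId="urn:oasis:names:tc:ipc:1.0:obligation:encrypt" FulfillOn="Permit"/>
  <ObligationExpression ObligationId="urn:oasis:names:tc:ipc:1.0:obligation:marking" FulfillOn="Permit"/>
 </ObligationExpressions>
</Policy>"""

def one_and_only(b):                          # empty or multi-valued bag is an error -> Indeterminate
    if len(b) != 1: raise ValueError("date-one-and-only on bag of size %d" % len(b))
    return date.fromisoformat(b[0])

FUNCS = {F + "and": lambda *a: all(a),       # only the functions this policy calls
         F + "string-equal": lambda a, b: a == b,   # exact: case- and whitespace-sensitive
         F + "date-one-and-only": one_and_only,
         F + "date-greater-than-or-equal": lambda a, b: a >= b,
         F + "date-less-than-or-equal": lambda a, b: a <= b}

def bag(request, el):                         # designator's bag; absent + MustBePresent="true" -> error
    values = request.get(el.get("Category"), {}).get(el.get("AttributeId"), [])
    if not values and el.get("MustBePresent") == "true": raise LookupError(el.get("AttributeId"))
    return values

def expr(el, request):                        # AttributeValue | AttributeDesignator | Apply
    tag = el.tag[len(X):]
    if tag == "AttributeValue": return el.text
    if tag == "AttributeDesignator": return bag(request, el)
    return FUNCS[el.get("FunctionId")](*[expr(c, request) for c in el])

def target_matches(target, request):
    """Target = AND of AnyOf; AnyOf = OR of AllOf; AllOf = AND of Match; a Match holds if MatchId
    is true for the literal and any value in the bag. An empty Target matches every request."""
    if target is None or len(target) == 0:
        return True
    return all(any(all(any(FUNCS[m.get("MatchId")](m[0].text, v) for v in bag(request, m[1]))
                       for m in allof) for allof in anyof) for anyof in target)

def evaluate_rule(rule, request):
    try:
        if not target_matches(rule.find(X + "Target"), request): return "NotApplicable"
        cond = rule.find(X + "Condition")
        if cond is not None and not expr(cond[0], request): return "NotApplicable"  # false condition
        return rule.get("Effect")
    except (LookupError, ValueError):         # missing or ill-formed attribute inside the rule
        return "Indeterminate"

def evaluate(policy_xml, request):
    """Legacy deny-overrides (XACML 3.0 Appendix C) over the rules; returns (decision, obligation ids)."""
    policy = ET.fromstring(policy_xml)
    if not target_matches(policy.find(X + "Target"), request):
        return "NotApplicable", []
    results = [(evaluate_rule(r, request), r.get("Effect")) for r in policy.findall(X + "Rule")]
    decisions = [d for d, _ in results]
    if "Deny" in decisions: decision = "Deny"
    elif ("Indeterminate", "Deny") in results: decision = "Indeterminate"   # a Deny rule might have fired
    elif "Permit" in decisions: decision = "Permit"
    elif "Indeterminate" in decisions: decision = "Indeterminate"
    else: decision = "NotApplicable"
    obligations = [o.get("ObligationId") for o in policy.iter(X + "ObligationExpression")
                   if o.get("FulfillOn") == decision]
    return decision, obligations

def make_request(org, designee, today, effective="2011-01-01", expiration="2012-12-31", ip_type="COPYRIGHT"):
    """Constructed request context (assumption): category -> attribute id -> bag of string values."""
    return {SUBJ: {"Organizational-Affiliation": [org]},
            RES: {IPC + "ip-type": [ip_type], IPC + "ip-designee": [designee],
                  IPC + "effective-date": [effective], IPC + "expiration-date": [expiration]},
            ENV: {NOW: [today]}}
```

Two things worth noticing when running it. With a single Permit rule under deny-overrides, every request that fails the target or the date window comes back NotApplicable rather than Deny, and a request missing effective-date or expiration-date comes back Indeterminate; whatever wraps this policy (the PEP, or an enclosing PolicySet with a final Deny rule) has to map both to a refusal, otherwise the policy fails open. And because string-equal is an exact comparison, a stray space inside an AttributeValue, which a copy of the XML that has been through a mail client or an HTML renderer can easily pick up, silently turns a match into NotApplicable; `make_request("Wiley Corp ", ...)` shows that.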