Subject: Re: [xacml] How do I require subject not to be a member of a given group?
If you allow the following:
<AttributeValue DataType="xacml:sequence-string">
<AttributeValue DataType="xs:string">Value1</AttributeValue>
<AttributeValue DataType="xs:string">Value2</AttributeValue>
</AttributeValue>
You must introduce a whole new set of functions that deal with sequences
of each primitive type.
For example, these things can show up in the Subject or a Resource.
Such as
<Subject>
<Attribute AttributeId="FirstNames" DataType="xacml:sequence-string">
<AttributeValue DataType="xacml:sequence-string">
<AttributeValue DataType="xs:string">James</AttributeValue>
<AttributeValue DataType="xs:string">Jimbo</AttributeValue>
</AttributeValue>
</Attribute>
</Subject>
Now, performing a
<SubjectAttributeDesignator AttributeId="FirstNames"/>
returns a sequence of length 1, containing:
[
<AttributeValue DataType="xacml:sequence-string">
<AttributeValue DataType="xs:string">James</AttributeValue>
<AttributeValue DataType="xs:string">Jimbo</AttributeValue>
</AttributeValue>
]
You need functions to pull that apart.
If we want to find out the amount of "first names" in the list we must:
<Apply FunctionId="function:string-sequence-length">
<Apply FunctionId="function:string-sequence-first">
<SubjectAttributeDesignator AttributeId="FirstNames"/>
</Apply>
</Apply>
so we need functions that deal with sequences of each primitive type:
time-sequence-length
dateTime-sequence-length
anyURI-sequence-length
Qname-sequence-length
x500Name-sequence-length
rfc822Name-sequence-length
NOTATION-sequence-length
gregorian-sequence-length
hex-binary-sequence-length
base64-sequence-length
and the analogous ones for -equal, -first, -rest, -member-of, -union,
-intersection.
Question: Do we really want to make the "xacml:*-sequence" data types
equivalent with the sequences returned from XPATH or AttributeDesignators?
-Polar
On Wed, 21 Aug 2002, Anne Anderson wrote:
> Daniel: This may be a use case for your issue with specifying a
> sequence in an AttributeValue. Could you let me know if this is
> the correct way to do it?
>
> Rule in English: Any subject who is not a member of the
> "convicted-felons" group may perform any action on any resource.
>
> Rule in XACML:
>
> <Rule
> RuleId="identifier:conformance-test:IIC008:rule"
> Effect="Permit">
> <Description>
> Any subject who is not a member of the
> convicted-felons group may perform any action on any
> resource.
> </Description>
> <Target>
> <Subjects>
> <AnySubject/>
> </Subjects>
> <Resources>
> <AnyResource/>
> </Resources>
> <Actions>
> <AnyAction/>
> </Actions>
> </Target>
> <Condition FunctionId="function:integer-equal">
> <Apply FunctionId="function:integer-length">
> <Apply FunctionId="function:string-intersection">
> <SubjectAttributeDesignator
> AttributeId="identifier:conformance-test:group"
> DataType="xacml:sequence-string"/>
> <AttributeValue
> DataType="xacml:sequence-string">
> <AttributeValue
> DataType="xs:string">convicted-felon</AttributeValue>
> </AttributeValue>
> </Apply>
> </Apply>
> <AttributeValue
> DataType="xs:integer">0</AttributeValue>
> </Condition>
> </Rule>
>
>
>
> --
> Anne H. Anderson Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311 Tel: 781/442-0928
> Burlington, MA 01803-0902 USA Fax: 781/442-1692
>
>
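An added example, not code from either message in this thread: a small Python model of the condition in Anne's rule, integer-equal(integer-length(string-intersection(designator(group), [G])), 0), together with Polar's point that a sequence-typed AttributeValue makes the designator return a bag of length 1 which has to be pulled apart with a -first before a -length means anything. All Python names (Bag, subject_attribute_designator, evaluate_rule, count_first_names and so on) are this example's own, not XACML function identifiers; the sample subjects are constructed.

```python
# Added example, not from the xacml list thread: a Python model of
#   integer-equal(integer-length(string-intersection(designator(group), [G])), 0)
# as used in Anne's "not a member of convicted-felons" rule, plus Polar's
# nested-sequence scenario. All names below are this example's own.
from typing import Dict, List

Bag = List[str]  # the bag an AttributeDesignator returns, modelled as a list

GROUP_ATTR = "identifier:conformance-test:group"  # AttributeId from Anne's rule


def subject_attribute_designator(subject: Dict[str, List[str]], attribute_id: str) -> Bag:
    """Bag of the subject's values for attribute_id; an empty bag if it is absent."""
    return list(subject.get(attribute_id, []))


def string_intersection(a: Bag, b: Bag) -> Bag:
    """Values present in both bags, each reported once (sorted for determinism)."""
    b_set = set(b)
    return sorted({v for v in a if v in b_set})


def integer_length(bag: list) -> int:
    return len(bag)


def integer_equal(x: int, y: int) -> bool:
    return x == y


def not_member_of(subject: Dict[str, List[str]], group: str) -> bool:
    """Anne's condition: true when the subject's group bag shares no value with [group]."""
    groups = subject_attribute_designator(subject, GROUP_ATTR)
    overlap = string_intersection(groups, [group])
    return integer_equal(integer_length(overlap), 0)


def evaluate_rule(subject: Dict[str, List[str]], group: str = "convicted-felon") -> str:
    """Decision of the Permit rule: 'Permit' when the condition holds, else 'NotApplicable'."""
    return "Permit" if not_member_of(subject, group) else "NotApplicable"


# --- Polar's nesting scenario -------------------------------------------------
# If "FirstNames" carries ONE value of type xacml:sequence-string, the designator
# returns a bag of length 1 whose sole element is that whole sequence.

def designator_with_sequence_value(subject: Dict[str, List[str]], attribute_id: str) -> List[Bag]:
    return [list(subject.get(attribute_id, []))]


def string_sequence_first(bag_of_sequences: List[Bag]) -> Bag:
    """Take the first (here, only) sequence out of the bag, as Polar's -first would."""
    return bag_of_sequences[0]


def count_first_names(subject: Dict[str, List[str]]) -> tuple:
    """(length of the outer bag, length after string-sequence-first)."""
    outer = designator_with_sequence_value(subject, "FirstNames")
    return integer_length(outer), integer_length(string_sequence_first(outer))


if __name__ == "__main__":
    # Constructed sample subjects for the example.
    staff = {GROUP_ATTR: ["staff"]}
    felon = {GROUP_ATTR: ["staff", "convicted-felon"]}
    no_groups: Dict[str, List[str]] = {}
    print(evaluate_rule(staff), evaluate_rule(felon), evaluate_rule(no_groups))
    print(count_first_names({"FirstNames": ["James", "Jimbo"]}))
```

One consequence worth noticing when running this: a subject with no group attribute at all also gets Permit, because an empty bag intersected with anything has length 0. A negative membership test is satisfied by missing data, so an evaluator that cannot retrieve the group attribute (a misconfigured or unreachable attribute source, for instance) grants access; a deployment using this pattern should decide explicitly whether an absent attribute is acceptable rather than letting the empty bag decide.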