OASIS eXtensible Access Control Markup Language (XACML) TC

Re: [xacml] How do I require subject not to be a member of a givengroup?

    Posted 08-22-2002 11:47


    Subject: Re: [xacml] How do I require subject not to be a member of a givengroup?


    
    If you allow the following:
    
    <AttributeValue DataType="xacml:sequence-string">
      <AttributeValue DataType="xs:string">Value1</AttributeValue>
      <AttributeValue DataType="xs:string">Value2</AttributeValue>
    </AttributeValue>
    
    You must introduce a whole new set of functions that deal with sequences
    of each primitive type.
    
    For example, these things can show up in the Subject or a Resource.
    
    Such as
    <Subject>
    <Attribute AttributeId="FirstNames" DataType="xacml:sequence-string">
        <AttributeValue DataType="xacml:sequence-string">
          <AttributeValue DataType="xs:string">James</AttributeValue>
          <AttributeValue DataType="xs:string">Jimbo</AttributeValue>
        </AttributeValue>
    </Attribute>
    </Subject>
    
    Now, performing a
    
    	<SubjectAttributeDesignator AttributeId="FirstNames"/>
    
    returns a sequence of length 1, containing:
    
    [
        <AttributeValue DataType="xacml:sequence-string">
          <AttributeValue DataType="xs:string">James</AttributeValue>
          <AttributeValue DataType="xs:string">Jimbo</AttributeValue>
        </AttributeValue>
    ]
    
    You need functions to pull that apart.
    
    If we want to find out the amount of "first names" in the list we must:
    
    <Apply FunctionId="function:string-sequence-length">
      <Apply FunctionId="function:string-sequence-first">
         <SubjectAttributeDesignator AttributeId="FirstNames"/>
      </Apply>
    </Apply>
    
    so we need functions that deal with sequences of each primitive type.
    
    time-sequence-length
    dateTime-sequence-length
    anyURI-sequence-length
    Qname-sequence-length
    x500Name-sequence-length
    rfc822Name-sequence-length
    NOTATION-sequence-length
    gregorian-sequence-length
    hex-binary-sequence-length
    base64-sequence-length
    
    and the analogous ones for -equal, -first, -rest, -member-of, -union,
    -intersection,
    
    Question: Do we really want to make the "xacml:*-sequence" data types
    equivalent with the sequences returned from XPATH or AttributeDesignators?
    
    -Polar
    
    
    On Wed, 21 Aug 2002, Anne Anderson wrote:
    
    > Daniel: This may be a use case for your issue with specifying a
    > sequence in an AttributeValue.  Could you let me know if this is
    > the correct way to do it?
    >
    > Rule in English: Any subject who is not a member of the
    > "convicted-felons" group may perform any action on any resource.
    >
    > Rule in  XACML:
    >
    >     <Rule
    >           RuleId="identifier:conformance-test:IIC008:rule"
    >           Effect="Permit">
    >         <Description>
    >             Any subject who is not a member of the
    >             convicted-felons group may perform any action on any
    >             resource.
    >         </Description>
    >         <Target>
    >             <Subjects>
    >                 <AnySubject/>
    >             </Subjects>
    >             <Resources>
    >                 <AnyResource/>
    >             </Resources>
    >             <Actions>
    >                 <AnyAction/>
    >             </Actions>
    >         </Target>
    >         <Condition FunctionId="function:integer-equal">
    >             <Apply FunctionId="function:integer-length">
    >                 <Apply FunctionId="function:string-intersection">
    >                     <SubjectAttributeDesignator
    >                           AttributeId="identifier:conformance-test:group"
    >                           DataType="xacml:sequence-string"/>
    >                     <AttributeValue
    >                           DataType="xacml:sequence-string">
    >                         <AttributeValue
    >                               DataType="xs:string">convicted-felon</AttributeValue>
    >                     </AttributeValue>
    >                 </Apply>
    >             </Apply>
    >             <AttributeValue
    >                   DataType="xs:integer">0</AttributeValue>
    >         </Condition>
    >     </Rule>
    >
    >
    >
    > --
    > Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    > Sun Microsystems Laboratories
    > 1 Network Drive,UBUR02-311     Tel: 781/442-0928
    > Burlington, MA 01803-0902 USA  Fax: 781/442-1692
    >
    
    
    
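To make the thread's point concrete, here is an added example (not from the XACML TC, the spec, or either author) that evaluates Anne's condition over a toy request context. It uses the function identifiers from the thread, but their semantics, the expression-tree encoding, and the sample subjects are all assumptions constructed for the illustration. It shows what Polar describes: when the group designator returns a bag holding one sequence-string instead of a bag of strings, the condition needs a string-sequence-first step, and without it the literal condition quietly evaluates as if the subject were in no group at all.

```python
# Added example, not from the thread or the XACML spec: a toy evaluator for the
# "not a member of convicted-felons" condition. Function identifiers follow the
# thread; their semantics here are assumptions.
#
# Expression tree nodes, mirroring the XML elements in the thread:
#   ("apply", function_id, [child, ...])    <Apply FunctionId=...>
#   ("designator", attribute_id)            <SubjectAttributeDesignator ...>
#   ("value", python_value)                 <AttributeValue>
# A bag (what a designator returns) is a Python list; a sequence-string value is
# a tuple of str, so a bag holding one sequence looks like [("a", "b")].


def string_intersection(a, b):
    """Elements of sequence a that also occur in sequence b, order of a kept."""
    return tuple(x for x in a if x in b)


def integer_length(seq):
    return len(seq)


def integer_equal(x, y):
    return x == y


def string_sequence_first(bag):
    """Polar's 'pull the sequence out of the bag' step; requires exactly one element."""
    if len(bag) != 1:
        raise ValueError("expected a bag holding exactly one sequence, got %d" % len(bag))
    return bag[0]


FUNCTIONS = {
    "function:string-intersection": string_intersection,
    "function:integer-length": integer_length,
    "function:integer-equal": integer_equal,
    "function:string-sequence-first": string_sequence_first,
}


def evaluate(expr, subject):
    """Evaluate an expression tree against a subject: dict attribute_id -> bag (list)."""
    kind = expr[0]
    if kind == "value":
        return expr[1]
    if kind == "designator":
        return subject.get(expr[1], [])  # absent attribute -> empty bag
    if kind == "apply":
        fn = FUNCTIONS[expr[1]]
        return fn(*[evaluate(child, subject) for child in expr[2]])
    raise ValueError("unknown node %r" % (kind,))


GROUP = "identifier:conformance-test:group"

# Anne's condition, read literally: intersection(designator, ("convicted-felon",)) has length 0.
CONDITION_FLAT = (
    "apply", "function:integer-equal", [
        ("apply", "function:integer-length", [
            ("apply", "function:string-intersection", [
                ("designator", GROUP),
                ("value", ("convicted-felon",)),
            ]),
        ]),
        ("value", 0),
    ])

# The same condition once the designator returns a bag of length 1 holding a
# sequence-string (the situation Polar describes): string-sequence-first is
# needed before string-intersection can see the group names.
CONDITION_NESTED = (
    "apply", "function:integer-equal", [
        ("apply", "function:integer-length", [
            ("apply", "function:string-intersection", [
                ("apply", "function:string-sequence-first", [("designator", GROUP)]),
                ("value", ("convicted-felon",)),
            ]),
        ]),
        ("value", 0),
    ])


def rule_permits(condition, subject):
    """Effect="Permit" rule: True when the condition holds for this subject."""
    return bool(evaluate(condition, subject))


# Constructed subjects for illustration.
FELON_FLAT = {GROUP: ["staff", "convicted-felon"]}       # bag of strings
CLERK_FLAT = {GROUP: ["staff", "accounting"]}
FELON_NESTED = {GROUP: [("staff", "convicted-felon")]}  # bag holding one sequence-string
CLERK_NESTED = {GROUP: [("staff", "accounting")]}
NO_GROUPS = {}                                            # attribute absent entirely

if __name__ == "__main__":
    print("flat felon          :", rule_permits(CONDITION_FLAT, FELON_FLAT))      # False
    print("flat clerk          :", rule_permits(CONDITION_FLAT, CLERK_FLAT))      # True
    print("nested felon        :", rule_permits(CONDITION_NESTED, FELON_NESTED))  # False
    print("nested clerk        :", rule_permits(CONDITION_NESTED, CLERK_NESTED))  # True
    print("no group attribute  :", rule_permits(CONDITION_FLAT, NO_GROUPS))       # True
    print("flat cond, nested   :", rule_permits(CONDITION_FLAT, FELON_NESTED))    # True (!)
```

Two of the results are the ones worth noticing. Applying the literal condition to the nested representation permits the felon, because string-intersection compares strings against a tuple and finds nothing, so the length is 0; a mismatch between the policy's assumed nesting and the attribute's actual nesting fails open. The same happens when the group attribute is missing altogether, since an empty bag also intersects to nothing; whether an absent attribute should count as "not a member" is a decision the policy writer has to make explicitly.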
