OASIS eXtensible Access Control Markup Language (XACML) TC

Re: [xacml] [schema] AttributeDesignators without XPATH

  • 1.  Re: [xacml] [schema] AttributeDesignators without XPATH

    Posted 07-25-2002 11:02


    Subject: Re: [xacml] [schema] AttributeDesignators without XPATH


    
    Since Anne's proposal and my old proposal (3rd June, unabbreviated format)
    look alike, I am also happy with the syntax of her proposal. That is a
    "flattened context structure" in my mind. I rather prefer that syntax
    because it is much simpler and more manageable. The following links are to my
    old proposal and examples.
    
    http://lists.oasis-open.org/archives/xacml/200206/msg00003.html
    http://lists.oasis-open.org/archives/xacml/200206/msg00002.html
    
    The following is an example of the context I used in my old proposal.
    
    <RequestContext>
      <ContextPrincipals>
        <Principal PrincipalType="RequestingUser">
          <Attribute AttributeName="NameIdentifier"
                           AttributeNamespace="//medico.com">
            Julius Hibbert
          </Attribute>
          <Attribute AttributeName="Role"
                           AttributeNamespace="//medico.com">
            Physician
          </Attribute>
        </Principal>
      </ContextPrincipals>
    
      <ContextResource>
        <Resource ResourceType="XML">
          <Attribute AttributeName="ResourceURI">
            //medico.com/med.xml
          </Attribute>
          <Attribute AttributeName="XPath">
            record/patient/patientDoB
          </Attribute>
          <Attribute AttributeName="XMLSchema">
            medico.com/records.xsd
          </Attribute>
        </Resource>
      </ContextResource>
    
      <ContextAction>
        <Action ActionType="XMLAction">
          <Attribute AttributeName="read"/>
        </Action>
      </ContextAction>
    </RequestContext>
    
    Michiharu Kudo
    
    IBM Tokyo Research Laboratory, Internet Technology
    Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428
    
    
    
    
    From:    Anne Anderson <Anne.Anderson@Sun.com>
    To:      XACML TC <xacml@lists.oasis-open.org>
    cc:
    Subject: [xacml] [schema] AttributeDesignators without XPATH
    Date:    2002/07/24 03:03
    Please respond to Anne.Anderson
    
    
    
    Attached is a concrete proposal for a possibly simpler
    AttributeDesignator syntax.  It does not require XPATH, and is
    capable of supporting other query formats.
    
    It requires more work, but I want to see if people are interested
    in pursuing this approach.
    
    Anne
    --
    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
    
    Title:   AttributeDesignators without XPATH
    Author:  Anne Anderson
    Version: 1.2, 02/07/23 (yy/mm/dd)
    Source:  /home/aa74233/projects/xacml/SCCS/s.SimpleTargets.txt
    
    One possible way to simplify AttributeDesignator is to make it a
    set of attribute values that are to be matched against attribute
    values present in the Request.
    
    The semantics of an AttributeDesignator become:
    
       "return the requested value(s) where all specified xml
        attribute values match"
    
    This has the advantage (for at least some people) of not
    requiring support for XPATH.  If the value you want to select is
    a sub-element of an Attribute in the Request, I have provided a
    way for you to specify the "path" to that sub-element.  The
    default format for such a path is XPATH 1.0, but I provide a way
    to specify other formats.
    
    Below are possible schemas for the Request Subject and for the
    Policy SubjectAttributeDesignator that illustrate this approach.
    If it seems worth pursuing, I will produce schemas for Resource,
    Action, ResourceAttributeDesignator, and
    ActionAttributeDesignator as well.
    
    -Anne
    
    A. Request Context Subject element
    
       <xs:complexType name="SubjectType">
           <xs:sequence>
               <xs:element name="Attribute"
                         type="xacmlContext:AttributeType"
                         minOccurs="0" maxOccurs="unbounded"/>
               <!-- an Attribute can be a ds:KeyInfo -->
           </xs:sequence>
           <xs:attribute name="SubjectCategory" type="xs:anyURI"
                         default="identifier:AccessSubject"/>
           <xs:attribute name="SubjectIdFormat" type="xs:anyURI"
                         default="xs:string"/>
           <xs:attribute name="SubjectIdQualifier" type="xs:string"
                         use="optional"/>
           <xs:attribute name="SubjectId" type="xs:string"
                         use="optional"/>
       </xs:complexType>
    
    B. SubjectAttributeDesignator
    
       <xs:complexType name="SubjectAttributeDesignatorType">
           <xs:attribute name="SubjectCategory"
                         type="xs:anyURI"
                         default="identifier:AccessSubject"/>
           <xs:attribute name="SubjectIdFormat"
                         type="xs:anyURI" default="xs:string"/>
           <xs:attribute name="SubjectIdQualifier"
                         type="xs:string" use="optional"/>
           <xs:attribute name="SubjectId"
                         type="xs:string" use="optional"/>
           <xs:attribute name="AttributeName"
                         type="xs:string" use="optional"/>
           <xs:attribute name="AttributeNamespace"
                         type="xs:anyURI" use="optional"/>
           <!-- Namespace is required if Name is present -->
           <xs:attribute name="AttributeIssuer"
                         type="xs:anyURI" use="optional"/>
           <xs:attribute name="AttributeIssueInstant"
                         type="xs:dateTime" use="optional"/>
           <xs:attribute name="AttributePath"
                         type="xs:any" use="optional"/>
           <!-- Used when DataElement is "AttributeValue" and you
                want a sub-element of the Attribute value -->
           <xs:attribute name="AttributePathFormat"
                         type="xs:urn" default="xs:oasis:1.0:XPATH"/>
           <xs:attribute name="DataType"
                         type="xs:urn" use="required"/>
           <xs:attribute name="DataElement"
                         type="SubjectDataElementType"
                         use="required"/>
           <!-- this attribute indicates the actual data you want to select -->
       </xs:complexType>
    
       <xs:simpleType name="SubjectDataElementType">
           <xs:restriction base="xs:string">
               <xs:enumeration value="SubjectCategory"/>
               <xs:enumeration value="SubjectIdFormat"/>
               <xs:enumeration value="SubjectIdQualifier"/>
               <xs:enumeration value="SubjectId"/>
               <xs:enumeration value="AttributeName"/>
               <xs:enumeration value="AttributeNamespace"/>
               <xs:enumeration value="AttributeIssuer"/>
               <xs:enumeration value="AttributeIssueInstant"/>
               <xs:enumeration value="AttributeValue"/>
           </xs:restriction>
       </xs:simpleType>
    
       A list of data elements is returned, consisting of all entries
       under Request/Subject for which all specified xml attributes
       match.
    
    C. Example:
    
    Request in English:
    
      A user with role "System Administrator" and date of birth
      "11/6/50" requests access to a resource from code that was
      downloaded from "file:/net/base/classes/app.jar".  The code was
      signed by "cn=Corporate Auditor, o=Acme Corp, c=US" and by
      "cn=AppSigner, o=Acme Corp, c=us".
    
    <Request>
        <Subject SubjectCategory="urn:j2se:XACML:subjectcategories:CodeSource"
                 SubjectIdFormat="url"
                 SubjectId="file:/net/base/classes/app.jar">
            <Attribute AttributeId="urn:j2se:XACML:attributes:CodeSigner"
                 DataType="urn:x500:DistinguishedName">
                 "cn=AppSigner, o=Acme Corp, c=US"
            </Attribute>
            <Attribute AttributeId="urn:j2se:XACML:attributes:CodeSigner"
                 Issuer="urn:acme:cn=CFO,o=Acme_Corp,c=US"
                 DataType="urn:x500:DistinguishedName">
                 "cn=Corporate Auditor, o=Acme Corp, c=US"
            </Attribute>
        </Subject>
        <Subject>
            <Attribute AttributeId="urn:role"
                    DataType="xs:string">
                "System Administrator"
            </Attribute>
            <Attribute AttributeId="urn:dateOfBirth"
                    DataType="xs:dateTime">
                "11/6/50"
            </Attribute>
        </Subject>
        <Resource>
            ....
        </Resource>
        <Action>
            ....
        </Action>
    </Request>
    
    Rule in English:
      Only a system administrator is allowed to access Resource X,
      and only from code signed by the Corporate Auditor.
    
    <Rule RuleId="urn:Acme:rules:Rule1" Effect="Permit">
       <Target>
          <Subjects MatchId="function:alwaysTRUE"/>
          <Resources MatchId="function:string-equal">
              <ResourceAttributeDesignator Format="xs:string"
                     DataElement="ResourceId"/>
              <Attribute DataType="xs:string">
                     "X"
              </Attribute>
          </Resources>
          <Actions MatchId="function:alwaysTRUE"/>
       </Target>
       <Condition FunctionId="function:and">
          <Function FunctionId="function:string-equals">
              <SubjectAttributeDesignator Format="xs:string"
                     DataElement="AttributeValue"
                     AttributeName="urn:role"/>
              <Attribute DataType="xs:string">
                     "System Administrator"
              </Attribute>
          </Function>
          <Function FunctionId="function:string-equals">
              <SubjectAttributeDesignator Format="urn:x500:DistinguishedName"
                     DataElement="AttributeValue"
                     AttributeName="urn:j2se:XACML:attributes:CodeSigner"/>
              <Attribute DataType="xs:string">
                     "cn=Corporate Auditor, o=Acme Corp, c=US"
              </Attribute>
          </Function>
       </Condition>
    </Rule>
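    The matching semantics Anne describes above ("return the requested value(s)
    where all specified xml attribute values match", with AttributePath picking
    a sub-element out of an AttributeValue), worked through as an added Python
    example against a Request built from the section C example. This is not TC
    code and not Anne's or Michiharu's; it assumes the Request-side Attribute
    uses the same AttributeName/AttributeIssuer names as the designator schema
    (the post writes AttributeId/Issuer), adds a made-up structured attribute
    (urn:example:address) to exercise AttributePath, and treats string-equals
    over a multi-valued designator result as "any returned value equals the
    literal", which the proposal does not yet pin down.

```python
"""Added example: evaluate the proposed SubjectAttributeDesignator semantics
("return the requested value(s) where all specified xml attribute values
match") over a Request modelled on section C.  Not XACML TC code."""
import xml.etree.ElementTree as ET

# Constructed sample Request.  Assumptions: Request-side Attribute elements use
# AttributeName/AttributeIssuer (the post writes AttributeId/Issuer), and the
# urn:example:address attribute is invented to show AttributePath selecting a
# sub-element of an Attribute value.
REQUEST_XML = """<Request>
  <Subject SubjectCategory="urn:j2se:XACML:subjectcategories:CodeSource"
           SubjectIdFormat="url" SubjectId="file:/net/base/classes/app.jar">
    <Attribute AttributeName="urn:j2se:XACML:attributes:CodeSigner"
               DataType="urn:x500:DistinguishedName">cn=AppSigner, o=Acme Corp, c=US</Attribute>
    <Attribute AttributeName="urn:j2se:XACML:attributes:CodeSigner"
               AttributeIssuer="urn:acme:cn=CFO,o=Acme_Corp,c=US"
               DataType="urn:x500:DistinguishedName">cn=Corporate Auditor, o=Acme Corp, c=US</Attribute>
  </Subject>
  <Subject>
    <Attribute AttributeName="urn:role" DataType="xs:string">System Administrator</Attribute>
    <Attribute AttributeName="urn:dateOfBirth" DataType="xs:dateTime">11/6/50</Attribute>
    <Attribute AttributeName="urn:example:address" DataType="xs:anyType">
      <Address><City>Burlington</City><Country>US</Country></Address>
    </Attribute>
  </Subject>
</Request>"""

# xml attributes a designator may specify, split by the level they live on.
SUBJECT_KEYS = ("SubjectCategory", "SubjectIdFormat", "SubjectIdQualifier", "SubjectId")
ATTRIBUTE_KEYS = ("AttributeName", "AttributeNamespace", "AttributeIssuer",
                  "AttributeIssueInstant", "DataType")
SUBJECT_DEFAULTS = {"SubjectCategory": "identifier:AccessSubject",
                    "SubjectIdFormat": "xs:string"}   # defaults from schema A
XPATH_FORMAT = "xs:oasis:1.0:XPATH"                   # default AttributePathFormat in schema B


def _matches(actual, designator, keys):
    """True when every designator entry among `keys` equals the actual value."""
    return all(actual.get(k) == v for k, v in designator.items() if k in keys)


def _attribute_value(attr, designator):
    """AttributeValue, optionally narrowed to a sub-element via AttributePath."""
    path = designator.get("AttributePath")
    if path is None:
        return (attr.text or "").strip()
    fmt = designator.get("AttributePathFormat", XPATH_FORMAT)
    if fmt != XPATH_FORMAT:
        # The path format is extensible; refuse one we cannot interpret rather
        # than guess, so a policy never silently matches the wrong data.
        raise ValueError(f"unsupported AttributePathFormat: {fmt}")
    node = attr.find(path)            # ElementTree's XPath subset suffices here
    return None if node is None else (node.text or "").strip()


def evaluate_subject_designator(request_xml, designator):
    """Return the list of DataElement values from every Request/Subject entry
    for which all xml attributes named in `designator` match."""
    data_element = designator["DataElement"]
    results = []
    for subject in ET.fromstring(request_xml).findall("Subject"):
        subject_attrs = {**SUBJECT_DEFAULTS, **subject.attrib}
        if not _matches(subject_attrs, designator, SUBJECT_KEYS):
            continue
        if data_element in SUBJECT_KEYS:        # one entry per matching Subject
            if subject_attrs.get(data_element) is not None:
                results.append(subject_attrs[data_element])
            continue
        for attr in subject.findall("Attribute"):   # one entry per matching Attribute
            if not _matches(attr.attrib, designator, ATTRIBUTE_KEYS):
                continue
            value = (_attribute_value(attr, designator) if data_element == "AttributeValue"
                     else attr.attrib.get(data_element))
            if value is not None:
                results.append(value)
    return results


def rule1_condition(request_xml):
    """Rule1's Condition: role is "System Administrator" AND a CodeSigner is the
    Corporate Auditor.  Assumption: string-equals over the multi-valued
    designator result holds if any returned value equals the literal."""
    roles = evaluate_subject_designator(request_xml, {
        "DataElement": "AttributeValue", "AttributeName": "urn:role", "DataType": "xs:string"})
    signers = evaluate_subject_designator(request_xml, {
        "DataElement": "AttributeValue",
        "AttributeName": "urn:j2se:XACML:attributes:CodeSigner",
        "DataType": "urn:x500:DistinguishedName"})
    return ("System Administrator" in roles
            and "cn=Corporate Auditor, o=Acme Corp, c=US" in signers)


if __name__ == "__main__":
    print(evaluate_subject_designator(REQUEST_XML, {
        "DataElement": "SubjectId",
        "SubjectCategory": "urn:j2se:XACML:subjectcategories:CodeSource"}))
    print(evaluate_subject_designator(REQUEST_XML, {
        "DataElement": "AttributeValue", "AttributeName": "urn:example:address",
        "AttributePath": "Address/Country"}))
    print(rule1_condition(REQUEST_XML))
```

    Note that the CodeSigner designator in Rule1 returns both signers, because
    the rule names no AttributeIssuer; adding
    AttributeIssuer="urn:acme:cn=CFO,o=Acme_Corp,c=US" to the designator
    narrows the result to the single Corporate Auditor value, which is the more
    precise way to express "signed by the Corporate Auditor".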
    
    
    
    
    
    

