OASIS eXtensible Access Control Markup Language (XACML) TC

Example: 35. Policy on revealing missing attributes

    Posted 10-27-2003 18:51


    Subject: Example: 35. Policy on revealing missing attributes


    We agreed to close #35 so long as someone wrote up how an
    existing XACML policy can be used for this.  This is a
    proof-of-concept example.  Other representations are possible and
    probably better.
    
    Use model: the PDP-side component that builds the Response
    Context (response-context-builder) has its own PDP.  This PDP is
    configured with the policies used to determine which actions the
    response-context-builder is allowed to perform.
    
    For each action the response-context-builder attempts to perform
    (such as add a missing attribute to the list), it issues an XACML
    Request to the PDP that looks as follows:
    
      <Request>
        <Subject/>
        <Resource>
          <Attribute AttributeId="resource-id">
            <AttributeValue>urn:someorg:attr9</AttributeValue>
          </Attribute>
        </Resource>
        <Action>
          <Attribute AttributeId="action-id">
            <AttributeValue>urn:actions:add-missing-attr-to-response</AttributeValue>
          </Attribute>
        </Action>
      </Request>
    
    
    This is an example of a policy that the
    response-context-builder's PDP might be configured with:
    
    <Policy PolicyId="25" RuleCombiningAlgId="deny-overrides">
      <Rule Effect="Permit">
        <Condition FunctionId="and">
          <!-- the action designator returns a bag; reduce it to the one
               value before comparing -->
          <Apply FunctionId="anyURI-equal">
            <Apply FunctionId="anyURI-one-and-only">
              <ActionAttributeDesignator AttributeId="action-id"/>
            </Apply>
            <AttributeValue>urn:actions:add-missing-attr-to-response</AttributeValue>
          </Apply>
          <!-- true only if every resource-id in the request matches one
               of the listed AttributeIds -->
          <Apply FunctionId="all-of-any">
            <Function FunctionId="anyURI-equal"/>
            <ResourceAttributeDesignator AttributeId="resource-id"/>
            <Apply FunctionId="anyURI-bag">
              <!-- list of all AttributeIds the component is allowed to
                   return -->
              <AttributeValue>urn:someorg:attr1</AttributeValue>
              <AttributeValue>urn:someorg:attr5</AttributeValue>
              <AttributeValue>urn:someorg:attr6</AttributeValue>
              <AttributeValue>urn:someorg:attr7</AttributeValue>
              <AttributeValue>urn:someorg:attr8</AttributeValue>
            </Apply>
          </Apply>
        </Condition>
      </Rule>
    </Policy>
    
    If the result is "Permit", then the component adds the attribute
    to the return list.  Otherwise, the component omits the attribute
    from the return list.
    
    Anne
    -- 
    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
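    The use model in the message above, worked through end to end as an
    added example; this is not code from the post or from the XACML TC.
    The response-context-builder issues one Request per attribute it wants
    to list as missing, a minimal hand-written PDP evaluates the post's
    policy against it, and only an explicit "Permit" keeps the attribute,
    so "NotApplicable" and "Indeterminate" both fail closed.  Assumptions:
    the abbreviated FunctionIds of the post are used verbatim, the action
    designator is wrapped in anyURI-one-and-only, only the functions the
    policy needs are implemented, and the Indeterminate handling is the
    simplified form noted in the comments rather than XACML's full truth
    tables.  A real deployment would hand the same Request to a complete
    XACML PDP.

```python
import xml.etree.ElementTree as ET

ADD_ACTION = "urn:actions:add-missing-attr-to-response"

# The post's policy (abbreviated identifiers kept as in the post), with the
# action designator reduced to a single value before the comparison.
POLICY_XML = """
<Policy PolicyId="25" RuleCombiningAlgId="deny-overrides">
  <Rule Effect="Permit">
    <Condition FunctionId="and">
      <Apply FunctionId="anyURI-equal">
        <Apply FunctionId="anyURI-one-and-only">
          <ActionAttributeDesignator AttributeId="action-id"/>
        </Apply>
        <AttributeValue>urn:actions:add-missing-attr-to-response</AttributeValue>
      </Apply>
      <Apply FunctionId="all-of-any">
        <Function FunctionId="anyURI-equal"/>
        <ResourceAttributeDesignator AttributeId="resource-id"/>
        <Apply FunctionId="anyURI-bag">
          <AttributeValue>urn:someorg:attr1</AttributeValue>
          <AttributeValue>urn:someorg:attr5</AttributeValue>
          <AttributeValue>urn:someorg:attr6</AttributeValue>
          <AttributeValue>urn:someorg:attr7</AttributeValue>
          <AttributeValue>urn:someorg:attr8</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>
"""


def build_request(attribute_id, action_id=ADD_ACTION):
    """Build the per-attribute Request shown in the post (empty Subject).
    action_id=None leaves the Action empty, to exercise the error path."""
    req = ET.Element("Request")
    ET.SubElement(req, "Subject")
    res = ET.SubElement(req, "Resource")
    attr = ET.SubElement(res, "Attribute", AttributeId="resource-id")
    ET.SubElement(attr, "AttributeValue").text = attribute_id
    act = ET.SubElement(req, "Action")
    if action_id is not None:
        attr = ET.SubElement(act, "Attribute", AttributeId="action-id")
        ET.SubElement(attr, "AttributeValue").text = action_id
    return ET.tostring(req, encoding="unicode")


def request_bags(request_xml):
    """Index the Request as {(category, AttributeId): [values]}; a designator
    lookup then yields a bag, as XACML designators do."""
    bags = {}
    for category in ET.fromstring(request_xml):  # Subject, Resource, Action
        for attr in category.findall("Attribute"):
            key = (category.tag, attr.get("AttributeId"))
            bags.setdefault(key, []).extend(
                v.text for v in attr.findall("AttributeValue"))
    return bags


class Indeterminate(Exception):
    """An expression could not be evaluated (here: bag size != 1)."""


def one_and_only(bag):
    if len(bag) != 1:
        raise Indeterminate("expected exactly one value, got %d" % len(bag))
    return bag[0]


# Only the functions the post's policy uses.  Simplification: an
# Indeterminate argument makes the whole Condition Indeterminate, instead
# of XACML's "false wins" rule for and().
FUNCTIONS = {
    "and": lambda *args: all(args),
    "anyURI-equal": lambda a, b: a == b,
    "anyURI-bag": lambda *args: list(args),
    "anyURI-one-and-only": one_and_only,
    # all-of-any(f, bag1, bag2): every x in bag1 matches some y in bag2
    "all-of-any": lambda f, bag1, bag2: all(
        any(FUNCTIONS[f](x, y) for y in bag2) for x in bag1),
}


def evaluate(node, bags):
    """Evaluate an Apply/Condition tree against the Request's bags."""
    tag = node.tag
    if tag == "AttributeValue":
        return node.text
    if tag.endswith("AttributeDesignator"):
        category = tag[:-len("AttributeDesignator")]
        return list(bags.get((category, node.get("AttributeId")), []))
    if tag == "Function":  # higher-order function argument, passed by name
        return node.get("FunctionId")
    args = [evaluate(child, bags) for child in node]
    return FUNCTIONS[node.get("FunctionId")](*args)


def pdp_decide(policy_xml, request_xml):
    """The builder's own PDP: evaluate each Rule, then combine with
    deny-overrides.  Returns Permit, Deny, NotApplicable or Indeterminate."""
    bags = request_bags(request_xml)
    results = []  # (rule effect, outcome)
    for rule in ET.fromstring(policy_xml.strip()).findall("Rule"):
        effect, condition = rule.get("Effect"), rule.find("Condition")
        try:
            matched = condition is None or evaluate(condition, bags)
            results.append((effect, effect if matched else "NotApplicable"))
        except Indeterminate:
            results.append((effect, "Indeterminate"))
    if any(o == "Deny" for _, o in results):
        return "Deny"
    if any(e == "Deny" and o == "Indeterminate" for e, o in results):
        return "Deny"
    if any(o == "Permit" for _, o in results):
        return "Permit"
    if any(o == "Indeterminate" for _, o in results):
        return "Indeterminate"
    return "NotApplicable"


def filter_missing_attributes(candidate_ids, policy_xml=POLICY_XML,
                              action_id=ADD_ACTION):
    """Response-context-builder side: keep an attribute in the missing-
    attribute list only on an explicit Permit (everything else is omitted)."""
    return [a for a in candidate_ids
            if pdp_decide(policy_xml, build_request(a, action_id)) == "Permit"]


if __name__ == "__main__":
    # Constructed sample: the attributes the builder would like to report.
    wanted = ["urn:someorg:attr9", "urn:someorg:attr1",
              "urn:someorg:attr5", "urn:someorg:attr2"]
    print(filter_missing_attributes(wanted))
```

    Note that an attribute outside the list is "NotApplicable" rather than
    "Deny"; with a single Permit rule the policy never says Deny, which is
    why the builder keys on "Permit" alone rather than on the absence of
    "Deny".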
    
    

