OASIS eXtensible Access Control Markup Language (XACML) TC

[xacml] "Simple example" for the specification

  • 1.  [xacml] "Simple example" for the specification

    Posted 08-13-2002 19:48
    This is in response to my Action Item to provide a "simple example" for the specification.

    Assume Medico Corporation (medico.com) has a policy that any user with an e-mail name in the "medico.com" namespace is allowed to perform any action on any resource. In XACML, this policy is expressed as follows:

        <?xml version="1.0" encoding="UTF-8"?>
        <Policy PolicyId="urn:oasis:names:tc:xacml:1.0:example:PolicyStatement1"
                RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
                xmlns="urn:oasis:names:tc:xacml:1.0:policy"
                xmlns:function="urn:oasis:names:tc:xacml:1.0:function"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-policy-01.xsd">
          <Description>
            Any subject with an e-mail name in the medico.com domain can perform any action on any resource.
          </Description>
          <Target>
            <Subjects>
              <Subject>
                <SubjectMatch MatchId="function:rfc822name-equal">
                  <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                              DataType="urn:oasis:names:tc:xacml:1.0:datatype:rfc822name"/>
                  <AttributeValue DataType="urn:oasis:names:tc:xacml:1.0:datatype:rfc822name">@medico.com</AttributeValue>
                </SubjectMatch>
              </Subject>
            </Subjects>
            <AnyResource/>
            <AnyAction/>
          </Target>
          <RuleSet>
            <Rule RuleId="urn:oasis:names:tc:xacml:1.0:example:Rule1" Effect="Permit">
              <Description>
                Always return Permit if Target matches.
              </Description>
            </Rule>
          </RuleSet>
        </Policy>

    If Bart Simpson, with e-mail name "bs@simpsons.com", attempts to read his medical record at Medico Corporation, his request looks as follows in XACML:

        <?xml version="1.0" encoding="UTF-8"?>
        <Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context http://www.oasis-open.org/tc/xacml/1.0/sc-xacml-schema-context-01.xsd">
          <Subject>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
              <AttributeValue>bs@simpsons.com</AttributeValue>
            </Attribute>
          </Subject>
          <Resource>
            <ResourceSpecifier Format="xs:anyURI" ResourceId="http://medico.com/record/patient/BartSimpson"/>
          </Resource>
          <Action Namespace="urn:oasis:names:tc:xacml:1.0:example:action">read</Action>
        </Request>

    The XACML Policy Decision Point compares the Subject, Resource, and Action in the Request against the Subjects, AnyResource, and AnyAction in the policy Target. The requested resource matches "AnyResource" and the requested action matches "AnyAction", but the requesting subject-id does not match "@medico.com". As a result, there is no Rule in this Policy that returns a "Permit" result for this request. The Rule Combining Algorithm specifies that in this case, a result of "Deny" should be returned. In XACML, this response looks as follows:

        <?xml version="1.0" encoding="UTF-8"?>
        <Response xmlns="urn:oasis:names:tc:xacml:1.0:context"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context http://www.oasis-open.org/tc/xacml/1.0/sc-xacml-schema-context-01.xsd">
          <Result>
            <Decision>Deny</Decision>
          </Result>
        </Response>

    Anne
    --
    Anne H. Anderson                      Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive, UBUR02-311           Tel: 781/442-0928
    Burlington, MA 01803-0902 USA         Fax: 781/442-1692
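The evaluation the post walks through (Target matching, then deny-overrides rule combining) can be made concrete with a small policy decision point. The following is an added example written for this page; it is not code from the XACML TC or from the post's author. It embeds a constructed copy of the Medico policy using the draft-era element names shown in the post (`RuleSet`, `ResourceSpecifier`, `AnyResource`, `AnyAction`), builds requests of the same shape, and returns the `<Decision>` string. Two things are assumptions rather than anything the post states: the matching semantics of `function:rfc822name-equal` (modelled on the rfc822Name matching of the published XACML 1.0 specification: `@dom` for any mailbox in a domain, `.dom` for sub-domains, a bare domain, or a full address; domains compared case-insensitively), and the closed-by-default combining the post describes, where the absence of a Permit yields Deny. Only the Target forms used in the post are supported; anything else raises rather than guessing.

```python
"""Toy policy decision point (PDP) for the draft-style XACML example in the post."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RFC822_EQUAL = "function:rfc822name-equal"

# Constructed copy of the post's Medico policy (draft-era element names kept).
POLICY_XML = """
<Policy PolicyId="urn:oasis:names:tc:xacml:1.0:example:PolicyStatement1"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
        xmlns="urn:oasis:names:tc:xacml:1.0:policy">
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="function:rfc822name-equal">
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                      DataType="urn:oasis:names:tc:xacml:1.0:datatype:rfc822name"/>
          <AttributeValue DataType="urn:oasis:names:tc:xacml:1.0:datatype:rfc822name">@medico.com</AttributeValue>
        </SubjectMatch>
      </Subject>
    </Subjects>
    <AnyResource/>
    <AnyAction/>
  </Target>
  <RuleSet>
    <Rule RuleId="urn:oasis:names:tc:xacml:1.0:example:Rule1" Effect="Permit"/>
  </RuleSet>
</Policy>
"""


def make_request(subject_id, resource_id, action):
    """Build a draft-style <Request> like the one in the post (constructed input, values escaped)."""
    attr = {'"': "&quot;"}
    return f"""
<Request xmlns="urn:oasis:names:tc:xacml:1.0:context">
  <Subject>
    <Attribute AttributeId="{SUBJECT_ID}">
      <AttributeValue>{escape(subject_id)}</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <ResourceSpecifier Format="xs:anyURI" ResourceId="{escape(resource_id, attr)}"/>
  </Resource>
  <Action Namespace="urn:oasis:names:tc:xacml:1.0:example:action">{escape(action)}</Action>
</Request>
"""


def local(tag):
    """Element name without its namespace, so either draft namespace URI works."""
    return tag.rsplit("}", 1)[-1]


def child(elem, name):
    """First direct child whose local name is `name`, or None."""
    return next((c for c in elem if local(c.tag) == name), None)


def rfc822name_match(pattern, name):
    """Assumed semantics: '@dom' = any mailbox in dom, '.dom' = any sub-domain of dom,
    'user@dom' = that exact address, bare 'dom' = that exact domain.
    Domains compare case-insensitively, the local part case-sensitively."""
    if "@" not in name:
        return False
    local_part, domain = name.rsplit("@", 1)
    domain = domain.lower()
    if pattern.startswith("@"):
        return domain == pattern[1:].lower()
    if pattern.startswith("."):
        return domain.endswith(pattern.lower())
    if "@" in pattern:
        p_local, p_domain = pattern.rsplit("@", 1)
        return local_part == p_local and domain == p_domain.lower()
    return domain == pattern.lower()


def subject_match(match, subject_id):
    """One <SubjectMatch>: refuse unknown MatchIds instead of silently matching."""
    match_id = match.get("MatchId")
    if match_id != RFC822_EQUAL:
        raise ValueError(f"unsupported MatchId {match_id!r}")
    pattern = child(match, "AttributeValue").text.strip()
    return subject_id is not None and rfc822name_match(pattern, subject_id)


def subjects_match(target, subject_id):
    """<Subjects> is an OR of <Subject>; each <Subject> is an AND of its <SubjectMatch> children."""
    subjects = child(target, "Subjects")
    if subjects is None:  # draft <AnySubject/>
        return True
    for subject in subjects:
        matches = [m for m in subject if local(m.tag) == "SubjectMatch"]
        if matches and all(subject_match(m, subject_id) for m in matches):
            return True
    return False


def parse_request(request_xml):
    """Extract (subject-id, resource-id, action) from a draft-style <Request>."""
    root = ET.fromstring(request_xml.strip())
    subject_id = None
    for attr in child(root, "Subject"):
        if attr.get("AttributeId") == SUBJECT_ID:
            subject_id = child(attr, "AttributeValue").text.strip()
    resource_id = child(child(root, "Resource"), "ResourceSpecifier").get("ResourceId")
    action = child(root, "Action").text.strip()
    return subject_id, resource_id, action


def decide(policy_xml, request_xml):
    """Evaluate the request against the policy and return the <Decision> text."""
    policy = ET.fromstring(policy_xml.strip())
    subject_id, _resource_id, _action = parse_request(request_xml)
    target = child(policy, "Target")
    if child(target, "AnyResource") is None or child(target, "AnyAction") is None:
        raise ValueError("only <AnyResource/> and <AnyAction/> targets are supported here")
    effects = []
    if subjects_match(target, subject_id):  # Target matched: the Rules apply
        effects = [r.get("Effect") for r in child(policy, "RuleSet") if local(r.tag) == "Rule"]
    # deny-overrides, closed by default as the post describes: any Deny wins,
    # otherwise at least one Permit is needed, otherwise the answer is Deny.
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "Deny"


def response_xml(decision):
    """Wrap a decision in the <Response> shape shown in the post."""
    return ('<Response xmlns="urn:oasis:names:tc:xacml:1.0:context">'
            f"<Result><Decision>{decision}</Decision></Result></Response>")


if __name__ == "__main__":
    bart = make_request("bs@simpsons.com", "http://medico.com/record/patient/BartSimpson", "read")
    print(response_xml(decide(POLICY_XML, bart)))  # <Decision>Deny</Decision>
```

Bart's request yields Deny because the Target's subject match fails, exactly as the post traces it, while a request from any mailbox in medico.com reaches Rule1 and yields Permit. The published XACML 1.0 combining algorithms return NotApplicable, rather than Deny, when no rule applies, so a real deployment must make the enforcement point treat NotApplicable and Indeterminate as a refusal; the fail-closed default in `decide` is the same property expressed inside the toy PDP.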