
xacml-comment message



Subject: Re: [xacml-comment] D024


John Merrells,

Thank you for reporting this.  I have fixed it by adding a second
instance of a subject-id attribute to the Request <Subject>,
causing the one-and-only function in policy3 to report an error.
This change will be in the next release of the Conformance Test
Suite, and is attached below.

Anne Anderson

On 4 December, John Merrells writes: [xacml-comment] D024
 > From: John Merrells <merrells@jiffysoftware.com>
 > To: xacml-comment@lists.oasis-open.org
 > Subject: [xacml-comment] D024
 > Date: Wed, 04 Dec 2002 11:23:09 -0800
 > 
 > 
 > Policy3 is documented to return Indeterminate, but it actually returns
 > NotApplicable.
 > It compares 'Julius Hibbert' with 'Zaphod Beedlebrox' and gets false, which
 > becomes NA for the rule, and so NA for the policy.
 > 
 > John
 > 
 > 
 > 
 > ----------------------------------------------------------------
 > To subscribe or unsubscribe from this elist use the subscription
 > manager: <http://lists.oasis-open.org/ob/adm.pl>
 > 

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

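<?xml version="1.0" encoding="UTF-8"?>
<!--
  Request context for XACML conformance test IID024.

  The Subject deliberately carries two values for subject-id. The attribute
  designator in policy3 of the accompanying PolicySet therefore yields a
  two-element bag, and string-one-and-only reports an error on it, which is
  what makes the expected decision Indeterminate rather than NotApplicable.

  The stray ";" that the list archive appended after several quoted attribute
  values has been removed; with it the document is not well-formed XML.
-->
<Request
      xmlns="urn:oasis:names:tc:xacml:1.0:context"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context
        cs-xacml-schema-context-01.xsd">
    <Subject>
        <!-- First subject-id value. -->
        <Attribute
              AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
              DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>Julius Hibbert</AttributeValue>
        </Attribute>
        <!-- Second subject-id value, added so that the subject-id bag has
             more than one member. -->
        <Attribute
              AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
              DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>Zaphod Beedlebrox</AttributeValue>
        </Attribute>
        <!-- Subject age, read by the Condition in policy2. -->
        <Attribute
              AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:age"
              DataType="http://www.w3.org/2001/XMLSchema#integer">
            <AttributeValue>45</AttributeValue>
        </Attribute>
    </Subject>
    <Resource>
        <Attribute
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#anyURI">
            <AttributeValue>http://medico.com/record/patient/BartSimpson</AttributeValue>
        </Attribute>
    </Resource>
    <Action>
        <Attribute
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>read</AttributeValue>
        </Attribute>
    </Action>
    <Environment>
        <!-- Subtracted from the subject age by the Condition in policy2
             (45 minus 10 is 35, which is below that rule's threshold of 55). -->
        <Attribute
              AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:bart-simpson-age"
              DataType="http://www.w3.org/2001/XMLSchema#integer">
            <AttributeValue>10</AttributeValue>
        </Attribute>
    </Environment>
</Request>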
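<?xml version="1.0" encoding="UTF-8"?>
<!--
  PolicySet for XACML conformance test IID024.

  Policies are combined with first-applicable, and each policy combines its
  single rule with first-applicable. Against the accompanying Request,
  policy1 and policy2 are NotApplicable, so evaluation reaches policy3, whose
  Condition raises an error. The expected decision for the test is therefore
  Indeterminate.

  What the test exercises: a decision point must surface the error from
  string-one-and-only when subject-id has more than one value, and must not
  quietly pick one of the values or fall through to NotApplicable.

  The stray ";" that the list archive appended after several quoted attribute
  values has been removed; with it the document is not well-formed XML.
-->
<PolicySet
      xmlns="urn:oasis:names:tc:xacml:1.0:policy"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy
        cs-xacml-schema-policy-01.xsd"
      PolicySetId="urn:oasis:names:tc:xacml:1.0:conformance-test:IID024:policyset"
      PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable">
    <Description>
        PolicySet for Conformance Test IID024.
    </Description>
    <Target>
        <Subjects>
            <AnySubject/>
        </Subjects>
        <Resources>
            <AnyResource/>
        </Resources>
        <Actions>
            <AnyAction/>
        </Actions>
    </Target>
    <!-- policy1: the rule Target matches only if some subject-id value equals
         "J. Hibbert". A SubjectMatch is tested against every value in the
         bag, so two subject-id values are not an error here; neither value in
         the Request matches, so the rule is NotApplicable. -->
    <Policy
          PolicyId="urn:oasis:names:tc:xacml:1.0:conformance-test:IID024:policy1"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
        <Description>
            Policy1 for Conformance Test IID024.
        </Description>
        <Target>
            <Subjects>
                <AnySubject/>
            </Subjects>
            <Resources>
                <AnyResource/>
            </Resources>
            <Actions>
                <AnyAction/>
            </Actions>
        </Target>
        <Rule
              RuleId="urn:oasis:names:tc:xacml:1.0:conformance-test:IID024:rule1"
              Effect="Deny">
            <Description>
                A subject whose name is J. Hibbert may not
                read Bart Simpson's medical record.  NOT-APPLICABLE
            </Description>
            <Target>
                <Subjects>
                    <Subject>
                        <SubjectMatch
                              MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue
                                  DataType="http://www.w3.org/2001/XMLSchema#string">J. Hibbert</AttributeValue>
                            <SubjectAttributeDesignator
                                  AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                  DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>
                <Resources>
                    <AnyResource/>
                </Resources>
                <Actions>
                    <AnyAction/>
                </Actions>
            </Target>
        </Rule>
    </Policy>
    <!-- policy2: the Condition computes (subject age) minus (bart-simpson-age)
         and compares it with 55. Each age attribute has a single value in the
         Request, so integer-one-and-only succeeds; the Condition is false and
         the rule is NotApplicable. -->
    <Policy
          PolicyId="urn:oasis:names:tc:xacml:1.0:conformance-test:IID024:policy2"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
        <Description>
            Policy2 for Conformance Test IID024.  NOT-APPLICABLE
        </Description>
        <Target>
            <Subjects>
                <AnySubject/>
            </Subjects>
            <Resources>
                <AnyResource/>
            </Resources>
            <Actions>
                <AnyAction/>
            </Actions>
        </Target>
        <Rule
              RuleId="urn:oasis:names:tc:xacml:1.0:conformance-test:IID024:rule2"
              Effect="Permit">
            <Description>
                A subject who is at least 55 years older than Bart
                Simpson may read Bart Simpson's medical record. NOT-APPLICABLE.
            </Description>
            <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-subtract">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
                        <SubjectAttributeDesignator
                              AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:age"
                              DataType="http://www.w3.org/2001/XMLSchema#integer"/>
                    </Apply>
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
                        <EnvironmentAttributeDesignator
                              AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:bart-simpson-age"
                              DataType="http://www.w3.org/2001/XMLSchema#integer"/>
                    </Apply>
                </Apply>
                <AttributeValue
                      DataType="http://www.w3.org/2001/XMLSchema#integer">55</AttributeValue>
            </Condition>
        </Rule>
    </Policy>
    <!-- policy3: string-one-and-only receives the subject-id bag, which holds
         two values in the accompanying Request, so the function reports an
         error and the rule is Indeterminate. MustBePresent="true" concerns a
         missing attribute; the error here comes from the bag having more than
         one member. -->
    <Policy
          PolicyId="urn:oasis:names:tc:xacml:1.0:conformance-test:IID024:policy3"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
        <Description>
            Policy3 for Conformance Test IID024.  INDETERMINATE.
        </Description>
        <Target>
            <Subjects>
                <AnySubject/>
            </Subjects>
            <Resources>
                <AnyResource/>
            </Resources>
            <Actions>
                <AnyAction/>
            </Actions>
        </Target>
        <Rule
              RuleId="urn:oasis:names:tc:xacml:1.0:conformance-test:IID024:rule3"
              Effect="Deny">
            <Description>
                A subject whose name is Zaphod Beedlebrox may not
                read Bart Simpson's medical record (ERROR in
                passing multi-valued bag to one-and-only function)  INDETERMINATE.
            </Description>
            <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                    <SubjectAttributeDesignator
                          AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                          MustBePresent="true"
                          DataType="http://www.w3.org/2001/XMLSchema#string"/>
                </Apply>
                <AttributeValue
                      DataType="http://www.w3.org/2001/XMLSchema#string">Zaphod Beedlebrox</AttributeValue>
            </Condition>
        </Rule>
    </Policy>
</PolicySet>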

