Subject: Re: [xacml-comment] D024
John Merrells,

Thank you for reporting this. I have fixed it by adding a second
instance of a subject-id attribute to the Request <Subject>, causing
the one-and-only function in policy3 to report an error. This change
will be in the next release of the Conformance Test Suite, and is
attached below.

Anne Anderson

On 4 December, John Merrells writes: [xacml-comment] D024
 > From: John Merrells <merrells@jiffysoftware.com>
 > To: xacml-comment@lists.oasis-open.org
 > Subject: [xacml-comment] D024
 > Date: Wed, 04 Dec 2002 11:23:09 -0800
 >
 > Policy3 is documented to return Indeterminate, but actually it returns
 > NotApplicable.
 > It compares 'Julius Hibbert' with 'Zaphod Beedlebrox' gets false, which
 > becomes NA for the rule, so NA for the policy.
 >
 > John
 >
 > ----------------------------------------------------------------
 > To subscribe or unsubscribe from this elist use the subscription
 > manager: <http://lists.oasis-open.org/ob/adm.pl>

--
Anne H. Anderson              Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692

<?xml version="1.0" encoding="UTF-8"?>
<Request
    xmlns="urn:oasis:names:tc:xacml:1.0:context"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context cs-xacml-schema-context-01.xsd">
  <Subject>
    <Attribute
        AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>Julius Hibbert</AttributeValue>
    </Attribute>
    <Attribute
        AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>Zaphod Beedlebrox</AttributeValue>
    </Attribute>
    <Attribute
        AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:age"
        DataType="http://www.w3.org/2001/XMLSchema#integer">
      <AttributeValue>45</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute
        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>http://medico.com/record/patient/BartSimpson</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute
        AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
  <Environment>
    <Attribute
        AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:bart-simpson-age"
        DataType="http://www.w3.org/2001/XMLSchema#integer">
      <AttributeValue>10</AttributeValue>
    </Attribute>
  </Environment>
</Request>

<?xml version="1.0" encoding="UTF-8"?>
<PolicySet
    xmlns="urn:oasis:names:tc:xacml:1.0:policy"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy cs-xacml-schema-policy-01.xsd"
    PolicySetId="urn:oasis:names:tc:xacml:1.0:conformance-test:IID024:policyset"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable">
  <Description>
    PolicySet for Conformance Test IID024.
  </Description>
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Resources>
      <AnyResource/>
    </Resources>
    <Actions>
      <AnyAction/>
    </Actions>
  </Target>
  <Policy
      PolicyId="urn:oasis:names:tc:xacml:1.0:conformance-test:IID024:policy1"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
    <Description>
      Policy1 for Conformance Test IID024.
    </Description>
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Resources>
        <AnyResource/>
      </Resources>
      <Actions>
        <AnyAction/>
      </Actions>
    </Target>
    <Rule
        RuleId="urn:oasis:names:tc:xacml:1.0:conformance-test:IID024:rule1"
        Effect="Deny">
      <Description>
        A subject whose name is J. Hibbert may not
        read Bart Simpson's medical record. NOT-APPLICABLE
      </Description>
      <Target>
        <Subjects>
          <Subject>
            <SubjectMatch
                MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue
                  DataType="http://www.w3.org/2001/XMLSchema#string">J. Hibbert</AttributeValue>
              <SubjectAttributeDesignator
                  AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                  DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </SubjectMatch>
          </Subject>
        </Subjects>
        <Resources>
          <AnyResource/>
        </Resources>
        <Actions>
          <AnyAction/>
        </Actions>
      </Target>
    </Rule>
  </Policy>
  <Policy
      PolicyId="urn:oasis:names:tc:xacml:1.0:conformance-test:IID024:policy2"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
    <Description>
      Policy2 for Conformance Test IID024.
      NOT-APPLICABLE
    </Description>
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Resources>
        <AnyResource/>
      </Resources>
      <Actions>
        <AnyAction/>
      </Actions>
    </Target>
    <Rule
        RuleId="urn:oasis:names:tc:xacml:1.0:conformance-test:IID024:rule2"
        Effect="Permit">
      <Description>
        A subject who is at least 55 years older than Bart
        Simpson may read Bart Simpson's medical record.
        NOT-APPLICABLE.
      </Description>
      <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-subtract">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
            <SubjectAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:age"
                DataType="http://www.w3.org/2001/XMLSchema#integer"/>
          </Apply>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
            <EnvironmentAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:bart-simpson-age"
                DataType="http://www.w3.org/2001/XMLSchema#integer"/>
          </Apply>
        </Apply>
        <AttributeValue
            DataType="http://www.w3.org/2001/XMLSchema#integer">55</AttributeValue>
      </Condition>
    </Rule>
  </Policy>
  <Policy
      PolicyId="urn:oasis:names:tc:xacml:1.0:conformance-test:IID024:policy3"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
    <Description>
      Policy3 for Conformance Test IID024. INDETERMINATE.
    </Description>
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Resources>
        <AnyResource/>
      </Resources>
      <Actions>
        <AnyAction/>
      </Actions>
    </Target>
    <Rule
        RuleId="urn:oasis:names:tc:xacml:1.0:conformance-test:IID024:rule3"
        Effect="Deny">
      <Description>
        A subject whose name is Zaphod Beedlebrox may not
        read Bart Simpson's medical record (ERROR in passing
        multi-valued bag to one-and-only function)
        INDETERMINATE.
      </Description>
      <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <SubjectAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
              MustBePresent="true"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
        <AttributeValue
            DataType="http://www.w3.org/2001/XMLSchema#string">Zaphod Beedlebrox</AttributeValue>
      </Condition>
    </Rule>
  </Policy>
</PolicySet>
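
Added example, not part of the original message or of the Conformance Test Suite: a minimal Python model of the three IID024 policies, showing why the request with one subject-id evaluates to NotApplicable and the corrected request evaluates to Indeterminate. The function names and the ORIGINAL request are constructed for illustration; ORIGINAL assumes the attached request minus the second subject-id, per John's report.

```python
# Added illustration: a minimal model of the IID024 policies, not a XACML engine.
# Each policy holds one rule under first-applicable, so a policy's decision
# equals its rule's decision and the policies are modelled as rule functions.
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
AGE = "urn:oasis:names:tc:xacml:1.0:conformance-test:age"
BART_AGE = "urn:oasis:names:tc:xacml:1.0:conformance-test:bart-simpson-age"


class Indeterminate(Exception):
    """Raised when an expression cannot be evaluated."""


def one_and_only(bag):
    # type-one-and-only: an error unless the bag holds exactly one value.
    if len(bag) != 1:
        raise Indeterminate(f"one-and-only got a bag of size {len(bag)}")
    return bag[0]


def rule1(req):  # Deny; the target matches if ANY subject-id is "J. Hibbert"
    return "Deny" if "J. Hibbert" in req.get(SUBJECT_ID, []) else "NotApplicable"


def rule2(req):  # Permit if subject age minus Bart's age is at least 55
    diff = one_and_only(req.get(AGE, [])) - one_and_only(req.get(BART_AGE, []))
    return "Permit" if diff >= 55 else "NotApplicable"


def rule3(req):  # Deny if the single subject-id is "Zaphod Beedlebrox"
    name = one_and_only(req.get(SUBJECT_ID, []))
    return "Deny" if name == "Zaphod Beedlebrox" else "NotApplicable"


def first_applicable(children, req):
    # First Permit/Deny wins; an evaluation error stops with Indeterminate.
    for child in children:
        try:
            decision = child(req)
        except Indeterminate:
            return "Indeterminate"
        if decision != "NotApplicable":
            return decision
    return "NotApplicable"


def evaluate(req):
    return first_applicable([rule1, rule2, rule3], req)


# Constructed requests: one subject-id (as reported), then two (as corrected).
ORIGINAL = {SUBJECT_ID: ["Julius Hibbert"], AGE: [45], BART_AGE: [10]}
FIXED = {SUBJECT_ID: ["Julius Hibbert", "Zaphod Beedlebrox"], AGE: [45], BART_AGE: [10]}
```
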