xacml-comment message



Subject: Question on 'SAML 2.0 profile of XACML v2.0'


Dear XACML experts,

We are about to implement the 'SAML 2.0 profile of XACML v2.0' in order to express licenses which contain access rights to certain services (currently using XACML 1.1). We store those licenses in a license manager which implements an XACMLPolicyQuery interface.

For querying this service for administration purposes we need support for wildcards. For searching for certain subjects, for instance, the schema xacml-1.1-profile-saml2.0-v2-schema-protocol-wd-5.xsd allows the following query:

<xacml-context:Subject>
  <xacml-context:Attribute DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
    <xacml-context:AttributeValue>Alice</xacml-context:AttributeValue>
  </xacml-context:Attribute>
</xacml-context:Subject>

(This is similar for resources and actions.)

For us this leads to two problems:

1. The query schema requires all three: a subject (at least one), a resource and an action. If we want to query all licenses containing policies for a certain action on a certain resource (no matter the subject), we would need something like an 'AnySubject', which is not allowed by the schema.

2. In contrast to the policy schema, in the query schema there is no MatchID. So for querying we can only use exact matches and no 'like' operators or something like that. (In fact, this point is less important than the first one.)

Does anybody know a solution for this? Or at least any hint how to solve this issue? Or is my approach completely wrong?

Best regards,
Rüdiger
--
Dipl.-Wirt.Inform. Rüdiger Gartmann

con terra
Gesellschaft für Angewandte Informationstechnologie mbH
Martin-Luther-King-Weg 24
D-48155 Münster, Germany

Managing Director: Dr. Albert Remke
Amtsgericht Münster HRB 4149

Tel: +49 251 / 7474 - 301
Fax: +49 251 / 7474 - 100

E-Mail: R.Gartmann@conterra.de
http://www.conterra.de


