Subject: Broken Rule in Privacy Policy Profile
The rule in section 4.1 of Committee Specification 1 of the XACML v3.0 Privacy Policy Profile Version 1.0 is broken. The arguments to the string-regexp-match function are both bags (<AttributeDesignator>) when they should be primitive values. Noting that it is reasonable for the purpose attributes to be multi-valued, a correct form for the condition would be:

  <Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
      <Function FunctionId="urn:oasis:names:tc:xacml:2.0:function:string-regexp-match"/>
      <AttributeDesignator MustBePresent="false"
          Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
          AttributeId="urn:oasis:names:tc:xacml:2.0:resource:purpose"
          DataType="http://www.w3.org/2001/XMLSchema#string"/>
      <AttributeDesignator MustBePresent="false"
          Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
          AttributeId="urn:oasis:names:tc:xacml:2.0:action:purpose"
          DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </Apply>
  </Condition>

However, even when corrected, the rule is not as useful as it could be. The rule is described as stipulating "that access SHALL be denied unless the purpose for which access is requested matches ... the purpose for which the data resource was collected", but the rule actually permits access if the purposes match. The only way access is denied when the purposes don't match is if the specified rule is the *only* permit rule, which is a significant limitation. A better formulation would be to change the effect to Deny and negate the condition so that when the purposes don't match, the overall effect is Deny regardless of whether any other rules permit or deny access.

That is, I think the rule should be:

  <Rule xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 xacml-core-v3-schema-wd-17.xsd"
        RuleId="urn:oasis:names:tc:xacml:2.0:matching-purpose"
        Effect="Deny">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
          <Function FunctionId="urn:oasis:names:tc:xacml:2.0:function:string-regexp-match"/>
          <AttributeDesignator MustBePresent="false"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              AttributeId="urn:oasis:names:tc:xacml:2.0:resource:purpose"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
          <AttributeDesignator MustBePresent="false"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
              AttributeId="urn:oasis:names:tc:xacml:2.0:action:purpose"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>

Regards,
Steven
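The following Python simulation is an added example, not part of Steven's message or of the XACML Privacy Policy Profile. It models the three forms of the rule discussed above (the profile's original condition that passes bags to string-regexp-match, the corrected Permit rule, and the proposed Deny rule with a negated condition) and combines each with a second rule under a simplified deny-overrides algorithm, to show why the Permit form lets a purpose mismatch through whenever any other rule permits. All function and variable names are hypothetical; bags are plain Python lists, the regex match is assumed unanchored (as in XPath fn:matches), and Indeterminate results are not modelled.

```python
import re
from typing import Callable, Iterable, Sequence

# Hypothetical, simplified XACML evaluation helpers written for this example.
# Bags are modelled as Python lists of strings; an attribute that is absent
# from the request (MustBePresent="false") yields an empty bag, as in XACML 3.0.


def string_regexp_match(regex: str, value: str) -> bool:
    """XACML string-regexp-match: first argument is the pattern, second the string.

    Both arguments must be primitive strings; handing it bags (the defect in the
    profile's section 4.1 rule) is a type error that a PDP would surface as an
    Indeterminate result. Assumption: unanchored matching as in XPath fn:matches;
    anchor the pattern (^...$) if a full match is wanted.
    """
    if not isinstance(regex, str) or not isinstance(value, str):
        raise TypeError("string-regexp-match takes two strings, not bags")
    return re.search(regex, value) is not None


def any_of_any(func: Callable[[str, str], bool],
               bag1: Sequence[str], bag2: Sequence[str]) -> bool:
    """urn:oasis:names:tc:xacml:1.0:function:any-of-any over two bags.

    True if func holds for at least one element pair, so an empty bag on
    either side yields False.
    """
    return any(func(a, b) for a in bag1 for b in bag2)


def broken_rule_fails(resource_purposes: Sequence[str],
                      action_purposes: Sequence[str]) -> bool:
    """The profile's original condition passes both bags directly to
    string-regexp-match. Returns True if that is rejected as a type error."""
    try:
        string_regexp_match(resource_purposes, action_purposes)  # type: ignore[arg-type]
    except TypeError:
        return True
    return False


def permit_rule(resource_purposes: Sequence[str],
                action_purposes: Sequence[str]) -> str:
    """Corrected condition, keeping the profile's Effect="Permit"."""
    if any_of_any(string_regexp_match, resource_purposes, action_purposes):
        return "Permit"
    return "NotApplicable"


def deny_rule(resource_purposes: Sequence[str],
              action_purposes: Sequence[str]) -> str:
    """Proposed rule: Effect="Deny" with the condition wrapped in not()."""
    if not any_of_any(string_regexp_match, resource_purposes, action_purposes):
        return "Deny"
    return "NotApplicable"


def deny_overrides(decisions: Iterable[str]) -> str:
    """Simplified deny-overrides rule combining (Indeterminate not modelled)."""
    decisions = list(decisions)
    if "Deny" in decisions:
        return "Deny"
    if "Permit" in decisions:
        return "Permit"
    return "NotApplicable"


def policy_decision(rule: Callable[[Sequence[str], Sequence[str]], str],
                    resource_purposes: Sequence[str],
                    action_purposes: Sequence[str],
                    other_rule_decisions: Sequence[str] = ()) -> str:
    """Combine the purpose rule with the decisions of other rules in the same
    policy, e.g. a role-based rule that independently returns Permit."""
    return deny_overrides([rule(resource_purposes, action_purposes),
                           *other_rule_decisions])


if __name__ == "__main__":
    # Constructed sample: data collected for marketing, access requested for
    # research, and a second (role-based) rule in the policy that permits.
    collected = ["marketing"]
    requested = ["research"]
    print("original rule is a type error:", broken_rule_fails(collected, requested))
    print("Permit form + another Permit rule:",
          policy_decision(permit_rule, collected, requested, ["Permit"]))
    print("Deny form + another Permit rule:",
          policy_decision(deny_rule, collected, requested, ["Permit"]))
    print("Deny form, purposes match:",
          policy_decision(deny_rule, ["market.*", "research"], requested, ["Permit"]))
    print("Deny form, action purpose absent from request:",
          policy_decision(deny_rule, collected, [], ["Permit"]))
```

One consequence worth checking in a real deployment: because both designators carry MustBePresent="false", a request that omits the purpose attribute produces an empty bag, any-of-any evaluates to false, and the Deny form therefore denies (fail-closed), whereas the Permit form is merely NotApplicable and leaves the outcome to whatever other rules say.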