
xacml-dev message



Subject: RE: [xacml-dev] Policy editor? Gui?


I was suspecting that.

First I copied policies from the RBAC profile doc. They didn't work with
SunXACML, because the Target elements were incomplete. So, I put all the Any*
stuff there, and it started working. Then I removed elements one by one
until it stopped working. That's how I got my minimal policy :)

> -----Original Message-----
> From: Seth Proctor [mailto:Seth.Proctor@Sun.COM] 
> Sent: Friday, November 12, 2004 11:30 AM
> To: Kuketayev, Argyn
> Cc: diego gonzalez; xacml-dev@lists.oasis-open.org
> Subject: RE: [xacml-dev] Policy editor? Gui?
> 
> 
> On Fri, 2004-11-12 at 11:03, Kuketayev, Argyn wrote:
> > here's a policy, it's a part of my version of RBAC profile 
> > implementation
> >  
> > ======================
> >  
> > <?xml version="1.0" encoding="UTF-8"?>
> > <PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy"
> >     PolicySetId="RBAC:PPS:role:default"
> >     PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
> >  
> >     <Target/>
> >     <Policy PolicyId="RBAC:Permissions:role:default"
> >         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
> >         <Target/>
> >  
> >         <Rule RuleId="FinalRule" Effect="Deny"/>
> >     </Policy>
> > </PolicySet>
> > ======================
> 
> The problem is that this is not a valid 1.x policy. The 
> Target may not be empty. Instead, you need to specify all 
> three Target sections with the Any* elements (eg, 
> <AnySubject/>). The SunXACML code doesn't complain because it 
> doesn't try to reproduce all the error-checking that can be 
> done using schema validation, which would recognize your 
> policy as invalid. Try running your policy through a schema 
> checker and it should complain.
> 
> 
> seth
> 
> 
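
The Target rule described in the reply above, as an added example that is not part of the original thread or of SunXACML: a Python pre-load check that refuses a XACML 1.x policy whose Target lacks the Subjects, Resources and Actions sections. It covers only this one constraint and is not full schema validation; the section and element names are taken from the XACML 1.0 policy schema, and target_errors is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:1.0:policy"  # namespace of the policy in this thread
# (section, wildcard child, specific child), names per the XACML 1.0 policy schema
SECTIONS = [("Subjects", "AnySubject", "Subject"),
            ("Resources", "AnyResource", "Resource"),
            ("Actions", "AnyAction", "Action")]

def q(name):
    return "{%s}%s" % (NS, name)

def target_errors(xml_text):
    """Return Target problems found; an empty list means this one check passed."""
    errors = []
    for parent in ET.fromstring(xml_text).iter():
        if parent.tag not in (q("PolicySet"), q("Policy"), q("Rule")):
            continue
        ident = parent.get("PolicySetId") or parent.get("PolicyId") or parent.get("RuleId")
        target = parent.find(q("Target"))
        if target is None:
            if parent.tag != q("Rule"):  # only a Rule may omit its Target
                errors.append("%s: missing Target" % ident)
            continue
        if [c.tag for c in target] != [q(s[0]) for s in SECTIONS]:
            errors.append("%s: Target needs Subjects, Resources, Actions" % ident)
            continue
        for (section, wildcard, item), node in zip(SECTIONS, target):
            tags = [c.tag for c in node]
            if tags != [q(wildcard)] and not (tags and all(t == q(item) for t in tags)):
                errors.append("%s: %s needs <%s/> or <%s> entries" % (ident, section, wildcard, item))
    return errors

# The policy quoted in the thread, with the mail-wrapped attributes rejoined.
EMPTY_TARGET_POLICY = """<PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy"
    PolicySetId="RBAC:PPS:role:default"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
    <Target/>
    <Policy PolicyId="RBAC:Permissions:role:default"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
        <Target/>
        <Rule RuleId="FinalRule" Effect="Deny"/>
    </Policy>
</PolicySet>"""

# Constructed fix: every empty Target replaced by the three Any* sections.
ANY_TARGET = ("<Target><Subjects><AnySubject/></Subjects>"
              "<Resources><AnyResource/></Resources>"
              "<Actions><AnyAction/></Actions></Target>")
FIXED_POLICY = EMPTY_TARGET_POLICY.replace("<Target/>", ANY_TARGET)
```

Calling target_errors(EMPTY_TARGET_POLICY) reports the PolicySet and the Policy; a loader that refuses any policy with a non-empty result fails closed instead of evaluating a policy the schema would reject.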

