Subject: RE: [xacml-dev] one question regarding the use of Xpath


It seems your proposed function will not be a valid XACML extension
function. You may want to add some "select-patient-id" function that
takes a string as an argument. 

<Apply FunctionId="select-patient-id">
    <AttributeDesignator AttributeId="ns:subject-id" DataType="xs:string"/>
</Apply>


But it does seem to me that you will be better off developing a library
of XPath/XQuery functions to process your input data - outside of the scope
of XACML - to populate the XACML context with relevant information. It will
make policy administration much cleaner.

So in your context you define custom, outside-of-XACML accessors to
physician-patient-id, and just refer to it in the XACML policy using an
AttributeDesignator. Using dynamic XPath expressions in policy may be
quite cumbersome.

Daniel;



-----Original Message-----
From: Muhammad Masoom Alam [mailto:Muhammad.alam@uibk.ac.at] 
Sent: Thursday, November 18, 2004 12:10 AM
To: xacml-dev@lists.oasis-open.org
Subject: [xacml-dev] one question regarding the use of Xpath

Dear all,

I am confused about the use of XPath in the AttributeSelector element of
XACML.

Suppose I have a rule:

A Physician is allowed to check the record of Patient X if and only if
he is the Primary care physician of Patient X.
Now the XPath would be:


    /Physician/PhyID = PhysicianID                        // I also wanted to check whether he is
                                                          // a valid physician or not.
    AND
    /Physician/patients/patID = patientID of patient X    // for checking whether the Physician is the
                                                          // primary care physician of Patient X or not.

This kind of XPath is not correct, as the 2nd condition can be true for
any Physician who is taking care of Patient X in addition to the Primary
care Physician.
Can we introduce some context information like this?

<Condition>
    <Apply FunctionId="function:string-equal">
        <Apply FunctionId="function:string-one-and-only">
            <SubjectAttributeDesignator AttributeId="PatientId" DataType="String"/>
        </Apply>
        <Apply FunctionId="String-one-and-only-with-subject">
            <AttributeSelector
                RequestContextPath="/Hospital/Physician[phyID='subjectID']/patients/patID/text()"
                DataType="String"/>
        </Apply>
    </Apply>
</Condition>


Is this new function addition possible with XACML?? Here subject ID
represents the caller.

Maybe I am wrong in writing the XPath; if yes, please help.

with Best regards.
Muhammad.
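Daniel's recommendation (resolve the physician/patient relationship with XPath outside XACML, then read the result through a plain AttributeDesignator), as an added Python example that is not code from either poster. It assumes a constructed hospital document with a primary="true" marker that the question's Physician/patients/patID model lacks, and two made-up attribute ids (ns:subject:is-physician, ns:resource:primary-care-physician); it also evaluates the question's own XPath to show why it matches every treating physician, not only the primary one.

```python
import xml.etree.ElementTree as ET

# Constructed sample data; primary="true" is an assumption the question's model does not carry.
HOSPITAL = ET.fromstring("""<Hospital>
  <Physician><phyID>phy-1</phyID>
    <patients><patID primary="true">P-100</patID><patID>P-200</patID></patients></Physician>
  <Physician><phyID>phy-2</phyID>
    <patients><patID>P-100</patID><patID primary="true">P-200</patID></patients></Physician>
</Hospital>""")

SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
IS_PHYSICIAN = "ns:subject:is-physician"            # assumed attribute id
PRIMARY_PHY = "ns:resource:primary-care-physician"  # assumed attribute id

def physician(phy_id):
    """<Physician> element for phy_id or None; the id is compared in Python, never spliced into XPath."""
    return next((p for p in HOSPITAL.findall("./Physician")
                 if p.findtext("phyID") == phy_id), None)

def treats_patient(phy_id, pat_id):
    """The question's XPath (.../patients/patID): true for ANY physician treating pat_id."""
    phy = physician(phy_id)
    return phy is not None and any(p.text == pat_id for p in phy.findall("patients/patID"))

def primary_physician(pat_id):
    """The fact the rule really needs, resolved outside XACML (None if nobody is primary)."""
    for phy in HOSPITAL.findall("./Physician"):
        if any(p.text == pat_id for p in phy.findall("patients/patID[@primary='true']")):
            return phy.findtext("phyID")

def build_context(subject_id, pat_id):
    """Context handler: publish the resolved facts as plain attribute bags (lists)."""
    primary = primary_physician(pat_id)
    return {SUBJECT_ID: [subject_id],
            IS_PHYSICIAN: [physician(subject_id) is not None],
            PRIMARY_PHY: [primary] if primary else []}

def one_and_only(bag):
    """string-one-and-only: exactly one value in the bag, otherwise Indeterminate."""
    if len(bag) != 1:
        raise ValueError("Indeterminate")
    return bag[0]

def evaluate(ctx):
    """Condition: is-physician AND string-equal(subject-id, primary-care-physician), no dynamic XPath."""
    try:
        ok = ctx[IS_PHYSICIAN] == [True] and \
            one_and_only(ctx[SUBJECT_ID]) == one_and_only(ctx[PRIMARY_PHY])
    except ValueError:
        return "Indeterminate"
    return "Permit" if ok else "Deny"
```

phy-2 treats P-100 and so passes the question's XPath, but only phy-1 is permitted by the condition; an unknown patient yields Indeterminate because the primary-care-physician bag is empty.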



