Thanks very much David; that was quick (smiley).
I will give it a go. I used JBoss (now PicketBox) about two
years ago and I need to figure out how to form the request context.
Best wishes
Ali
On 09/27/2011 04:47 PM, David Brossard wrote:
Inside your condition you could use an And function to
combine:
(a) you must have role SeniorAdmin1
AND
(b) you must have value X > threshold
If threshold is a static value or X is a static value, you could
also express the comparison in the target. Note that you can also
express the role check inside the target too.
Here is sample XACML code which implements what you aim to
achieve.
<xacml2:Rule RuleId="_SwitchOn" Effect="Permit"
    xmlns:xacml2="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  <xacml2:Target>
    <xacml2:Actions>
      <xacml2:Action>
        <xacml2:ActionMatch
            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml2:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SwitchOn</xacml2:AttributeValue>
          <xacml2:ActionAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </xacml2:ActionMatch>
      </xacml2:Action>
    </xacml2:Actions>
  </xacml2:Target>
  <xacml2:Condition>
    <xacml2:Apply
        FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
      <xacml2:Apply
          FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <xacml2:Apply
            FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <xacml2:SubjectAttributeDesignator
              SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
              AttributeId="role" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </xacml2:Apply>
        <xacml2:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SeniorAdmin1</xacml2:AttributeValue>
      </xacml2:Apply>
      <xacml2:Apply
          FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
        <xacml2:Apply
            FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
          <xacml2:SubjectAttributeDesignator
              SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
              AttributeId="user-value" DataType="http://www.w3.org/2001/XMLSchema#integer"/>
        </xacml2:Apply>
        <xacml2:Apply
            FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
          <xacml2:ResourceAttributeDesignator
              AttributeId="threshold" DataType="http://www.w3.org/2001/XMLSchema#integer"/>
        </xacml2:Apply>
      </xacml2:Apply>
    </xacml2:Apply>
  </xacml2:Condition>
</xacml2:Rule>
Note though that in the RBAC profile, actual permissions are
separated from role matching. In your case you check the role in
the same rule as where you check other attributes e.g. the action.
It doesn't look like the RBAC profile (profile here: http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os.pdf).
From an implementation perspective, there is a wide range of XACML
engines that implement XACML 2.0 such as Axiomatics (vendor) or
PicketBox, WSO2, SICSACML, or SunXACML (all open source and freely
available).
I hope this helps,
David.
On Tue, Sep 27, 2011 at 10:17 AM, Ali Ahmed <ali.fci@gmail.com> wrote:
Dear All,
I have a small problem I need to work out a solution for, basically for my
academic research. I am using an XACML policy file like this (the RBAC
profile)
I need to add another data item called Threshold which is an integer number.
Thus no SeniorAdmin1 role will be granted the resource unless a value bigger
than Threshold is provided.
Where can I put that and how?
Is there any implementation I can use?
Best wishes
Ali
--
David Brossard, M.Eng, SCEA, CSTP
VP Product
Marketing & Customer Relations
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden
http://www.linkedin.com/companies/536082
http://www.axiomatics.com
http://twitter.com/axiomatics
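The following is an added example and is not code from this thread, from Axiomatics, PicketBox or any other engine named above. It builds the XACML 2.0 request context Ali asks about (a Subject carrying role and user-value, a Resource carrying threshold, an Action carrying action-id) and evaluates David's _SwitchOn rule against it with a toy interpreter that implements only the five functions the rule uses. The namespaces are the published XACML 2.0 policy and context namespaces; everything else (function names, the request dict shape, the Indeterminate class) is this example's own construction, and it is not a PDP.

```python
# Added example, not code from the thread or from any XACML vendor: build a XACML 2.0
# request context for the _SwitchOn rule and evaluate it with a toy interpreter that
# implements only the five functions the rule uses. Not a PDP; illustration only.
import xml.etree.ElementTree as ET

P = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"    # policy namespace (as in the rule)
C = "urn:oasis:names:tc:xacml:2.0:context:schema:os"   # request/response context namespace
FN, XS = "urn:oasis:names:tc:xacml:1.0:function:", "http://www.w3.org/2001/XMLSchema#"
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
coerce = lambda text, datatype: int(text) if datatype == XS + "integer" else text

# The rule as posted in the thread, condensed onto fewer lines.
RULE_XML = f"""<xacml2:Rule RuleId="_SwitchOn" Effect="Permit" xmlns:xacml2="{P}">
<xacml2:Target><xacml2:Actions><xacml2:Action><xacml2:ActionMatch MatchId="{FN}string-equal">
<xacml2:AttributeValue DataType="{XS}string">SwitchOn</xacml2:AttributeValue>
<xacml2:ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS}string"/>
</xacml2:ActionMatch></xacml2:Action></xacml2:Actions></xacml2:Target>
<xacml2:Condition><xacml2:Apply FunctionId="{FN}and">
<xacml2:Apply FunctionId="{FN}string-equal">
<xacml2:Apply FunctionId="{FN}string-one-and-only">
<xacml2:SubjectAttributeDesignator SubjectCategory="{ACCESS_SUBJECT}" AttributeId="role" DataType="{XS}string"/>
</xacml2:Apply><xacml2:AttributeValue DataType="{XS}string">SeniorAdmin1</xacml2:AttributeValue>
</xacml2:Apply><xacml2:Apply FunctionId="{FN}integer-greater-than">
<xacml2:Apply FunctionId="{FN}integer-one-and-only">
<xacml2:SubjectAttributeDesignator AttributeId="user-value" DataType="{XS}integer"/></xacml2:Apply>
<xacml2:Apply FunctionId="{FN}integer-one-and-only">
<xacml2:ResourceAttributeDesignator AttributeId="threshold" DataType="{XS}integer"/></xacml2:Apply>
</xacml2:Apply></xacml2:Apply></xacml2:Condition></xacml2:Rule>"""

class Indeterminate(Exception): pass   # raised when an expression cannot be evaluated

def one_and_only(bag):   # *-one-and-only: a bag of size != 1 makes the result Indeterminate
    if len(bag) != 1:
        raise Indeterminate(f"expected exactly one value, got {len(bag)}")
    return bag[0]

FUNCTIONS = {  # arguments are evaluated eagerly; a full PDP also handles Indeterminate arguments to 'and'
    "and": lambda *args: all(args), "string-equal": lambda a, b: a == b,
    "integer-greater-than": lambda a, b: a > b,
    "string-one-and-only": one_and_only, "integer-one-and-only": one_and_only}
DESIGNATORS = {"SubjectAttributeDesignator": "Subject", "ResourceAttributeDesignator": "Resource",
               "ActionAttributeDesignator": "Action", "EnvironmentAttributeDesignator": "Environment"}

def build_request(subject, resource, action_id):
    """subject/resource map AttributeId -> (xsd type name, [values]); returns a context:Request element."""
    req = ET.Element(f"{{{C}}}Request")
    sections = {"Subject": (subject, {"SubjectCategory": ACCESS_SUBJECT}), "Resource": (resource, {}),
                "Action": ({ACTION_ID: ("string", [action_id])}, {})}
    for name, (attrs, extra) in sections.items():
        holder = ET.SubElement(req, f"{{{C}}}{name}", **extra)
        for attr_id, (xs_type, values) in attrs.items():
            attr = ET.SubElement(holder, f"{{{C}}}Attribute", AttributeId=attr_id, DataType=XS + xs_type)
            for value in values:   # several values under one AttributeId form a bag of size > 1
                ET.SubElement(attr, f"{{{C}}}AttributeValue").text = str(value)
    return req

def bag(request, category, attr_id, datatype, subject_category=ACCESS_SUBJECT):
    """Every matching value in the request; an empty list is the empty bag (attribute absent)."""
    values = []
    for holder in request.findall(f"{{{C}}}{category}"):
        if category == "Subject" and holder.get("SubjectCategory", ACCESS_SUBJECT) != subject_category:
            continue
        for attr in holder.findall(f"{{{C}}}Attribute"):
            if attr.get("AttributeId") == attr_id and attr.get("DataType") == datatype:
                values += [coerce(v.text, datatype) for v in attr.findall(f"{{{C}}}AttributeValue")]
    return values

def evaluate_expr(node, request):
    local = node.tag.split("}")[1]
    if local == "AttributeValue":
        return coerce(node.text, node.get("DataType"))
    if local in DESIGNATORS:
        return bag(request, DESIGNATORS[local], node.get("AttributeId"), node.get("DataType"),
                   node.get("SubjectCategory", ACCESS_SUBJECT))
    if local == "Apply":
        return FUNCTIONS[node.get("FunctionId")[len(FN):]](*[evaluate_expr(c, request) for c in node])
    raise Indeterminate(f"unsupported element {local}")

def match_holds(match, request):
    """A *Match holds if the literal matches at least one value of the designated bag."""
    fn = FUNCTIONS[match.get("MatchId")[len(FN):]]
    literal, values = evaluate_expr(match[0], request), evaluate_expr(match[1], request)
    return any(fn(literal, v) for v in values)

def target_matches(target, request):
    # each section (Subjects/Resources/Actions/Environments) needs one child whose Match elements all hold
    return all(any(all(match_holds(m, request) for m in disjunct) for disjunct in section)
               for section in target)

def evaluate_rule(rule_xml, request):
    """Target miss or false Condition -> NotApplicable; evaluation error -> Indeterminate; else the Effect."""
    rule = ET.fromstring(rule_xml)
    try:
        if (target := rule.find(f"{{{P}}}Target")) is not None and not target_matches(target, request):
            return "NotApplicable"
        if (cond := rule.find(f"{{{P}}}Condition")) is not None and not evaluate_expr(cond[0], request):
            return "NotApplicable"
    except Indeterminate:
        return "Indeterminate"
    return rule.get("Effect")
```

A request such as build_request({"role": ("string", ["SeniorAdmin1"]), "user-value": ("integer", [80])}, {"threshold": ("integer", [50])}, "SwitchOn") evaluates to Permit; the same subject with user-value 30, or the action SwitchOff, gives NotApplicable. The part worth checking when forming a real request context is the one-and-only functions: a subject with two role values, or a request that omits threshold, yields Indeterminate rather than a decision, so the caller has to treat anything other than Permit as a denial.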