xacml-users message



Subject: Policy for Conformance Test IIC008 issue?


Here's the rule from the policy:

<Rule RuleId="urn:oasis:names:tc:xacml:1.0:conformance-test:IIC008:rule" Effect="Permit">
   <Description>Any subject who is not a member of the convicted-felons group may perform any action on any resource.</Description>
   <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">convicted-felon</AttributeValue>
      <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:group" DataType="http://www.w3.org/2001/XMLSchema#string" />
   </Condition>
</Rule>

According to a description this should deny grants to convicted felons,
but looking at the rule it seems like it's doing exactly the opposite.
This rule matches group with "felon" string, then effect is "Permit". Am I
right or is it just Friday night? :)

thanks
Argyn
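
Added example (not part of the original message or of the conformance suite): a minimal Python evaluator for the Condition as quoted above, run against two constructed subjects. The NEGATED variant, the sample subjects and the helper names evaluate and rule_result are assumptions for illustration; only the string-is-in and not functions are implemented.

```python
import xml.etree.ElementTree as ET

FN = "urn:oasis:names:tc:xacml:1.0:function:"
GROUP = "urn:oasis:names:tc:xacml:1.0:conformance-test:group"
STRING = "http://www.w3.org/2001/XMLSchema#string"

# Condition as quoted in the message (archive ";" artifacts removed).
AS_POSTED = f"""<Condition FunctionId="{FN}string-is-in">
  <AttributeValue DataType="{STRING}">convicted-felon</AttributeValue>
  <SubjectAttributeDesignator AttributeId="{GROUP}" DataType="{STRING}"/>
</Condition>"""

# Constructed variant (assumption, not from the message): same test wrapped in "not".
NEGATED = f"""<Condition FunctionId="{FN}not">
  <Apply FunctionId="{FN}string-is-in">
    <AttributeValue DataType="{STRING}">convicted-felon</AttributeValue>
    <SubjectAttributeDesignator AttributeId="{GROUP}" DataType="{STRING}"/>
  </Apply>
</Condition>"""


def evaluate(node, subject):
    """Evaluate an expression node against a dict of subject attribute bags."""
    if node.tag == "AttributeValue":
        return node.text.strip()
    if node.tag == "SubjectAttributeDesignator":
        return subject.get(node.get("AttributeId"), [])  # missing attribute -> empty bag
    args = [evaluate(child, subject) for child in node]
    fn = node.get("FunctionId")
    if fn == FN + "string-is-in":
        value, bag = args
        return value in bag
    if fn == FN + "not":
        return not args[0]
    raise ValueError(f"unsupported function: {fn}")


def rule_result(condition_xml, subject, effect="Permit"):
    """A rule yields its Effect when the Condition is true, else NotApplicable."""
    return effect if evaluate(ET.fromstring(condition_xml), subject) else "NotApplicable"


# Constructed sample subjects.
felon = {GROUP: ["employees", "convicted-felon"]}
other = {GROUP: ["employees"]}

if __name__ == "__main__":
    for name, cond in (("as posted", AS_POSTED), ("negated", NEGATED)):
        print(name, rule_result(cond, felon), rule_result(cond, other))
```

With the negated form a subject in the convicted-felon group gets NotApplicable from this rule rather than Deny, so the final decision still depends on the combining algorithm and the other rules in the policy.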

