[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml-dev] Hellp on XACML policy
Hi Fujun.
> Anyone could help me describe the following policy using XACML?
>
> "Any person in organizaiton A can only access the experiment record
> he/she created."
Off the top of my head, the easiest way is to have a Target with
<Subjects>
<Subject>
<SubjectMatch MatchId="...:string-equal">
<AttributeValue DataType="...string">A</AttributeValue>
<SubjectAttributeDesignator DataType="...string"
AttributeId="...:organization/>
</SubjectMatch>
</Subject>
</Subjects>
and then in the Condition, specify
<Apply FunctionId="...:string-equal">
<SubjectAttributeDesignator DataType="...string"
AttributeId="...:subject-id"/>
<ResourceAttributeDesignator DataType="...string"
AttributeId=...:record-creator"/>
</Apply>
Then, the only trick is how you know about the record-creator
attribute. One option is to include this in the Request from the PEP,
so it's always available. The other is to let the Context Handler
look up the value based on the resource-id (in my SunXACML project
this is done through use of an AttributeFinderModule). For that
matter, if the document content is available as XML, you could easily
use an AttributeSelector to extract the creator element from the
document itself using XPath (there's an example of this in the
SunXACML 1.2 sample policies).
More simply, you could have a policy for each experiment record, and
then specify in each policy who the creator is, but I assume you're
looking for a single general policy rather than many resource-
specific ones..
Hope this helps. FYI, I've sent this only to the xacml-users lists.
Please take follow-ups there.
seth
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]