Subject: Re: [xacml-dev] Help on XACML policy
Hi Fujun.

> Anyone could help me describe the following policy using XACML?
>
> "Any person in organization A can only access the experiment record
> he/she created."

Off the top of my head, the easiest way is to have a Target with

  <Subjects>
    <Subject>
      <SubjectMatch MatchId="...:string-equal">
        <AttributeValue DataType="...string">A</AttributeValue>
        <SubjectAttributeDesignator DataType="...string" AttributeId="...:organization"/>
      </SubjectMatch>
    </Subject>
  </Subjects>

and then in the Condition, specify

  <Apply FunctionId="...:string-equal">
    <SubjectAttributeDesignator DataType="...string" AttributeId="...:subject-id"/>
    <ResourceAttributeDesignator DataType="...string" AttributeId="...:record-creator"/>
  </Apply>

Then, the only trick is how you know about the record-creator attribute. One option is to include this in the Request from the PEP, so it's always available. The other is to let the Context Handler look up the value based on the resource-id (in my SunXACML project this is done through use of an AttributeFinderModule). For that matter, if the document content is available as XML, you could easily use an AttributeSelector to extract the creator element from the document itself using XPath (there's an example of this in the SunXACML 1.2 sample policies).

More simply, you could have a policy for each experiment record, and then specify in each policy who the creator is, but I assume you're looking for a single general policy rather than many resource-specific ones.

Hope this helps.

FYI, I've sent this only to the xacml-users lists. Please take follow-ups there.

seth
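The sketch above assembled into a complete XACML 1.0 policy, as an added example that is not part of the original post or of SunXACML's sample policies. It assumes the non-standard attribute ids `urn:example:attribute:organization` and `urn:example:attribute:record-creator` (supplied by the PEP or an AttributeFinderModule), and wraps each designator in `string-one-and-only`, since designators return bags while `string-equal` takes single strings.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original post). "Any person in organization A
     can only access the experiment record he/she created." The organization and
     record-creator attribute ids are assumed names, not XACML standard ids. -->
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        PolicyId="urn:example:policy:org-a-own-records"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Description>Members of organization A may access only records they created.</Description>

  <!-- Policy Target: applies only to subjects whose organization attribute is "A" -->
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">A</AttributeValue>
          <SubjectAttributeDesignator
              DataType="http://www.w3.org/2001/XMLSchema#string"
              AttributeId="urn:example:attribute:organization"/>
        </SubjectMatch>
      </Subject>
    </Subjects>
    <Resources><AnyResource/></Resources>
    <Actions><AnyAction/></Actions>
  </Target>

  <!-- Permit only when the requesting subject-id equals the record's creator -->
  <Rule RuleId="urn:example:rule:creator-only" Effect="Permit">
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <!-- designators yield bags; string-one-and-only reduces each to one string
           and raises Indeterminate if the attribute is missing or multi-valued -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
        <SubjectAttributeDesignator
            DataType="http://www.w3.org/2001/XMLSchema#string"
            AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"/>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
        <ResourceAttributeDesignator
            DataType="http://www.w3.org/2001/XMLSchema#string"
            AttributeId="urn:example:attribute:record-creator"/>
      </Apply>
    </Condition>
  </Rule>

  <!-- Fail closed: any in-scope request not permitted above is denied -->
  <Rule RuleId="urn:example:rule:deny-others" Effect="Deny"/>
</Policy>
```

If record-creator is absent from the Request and no AttributeFinderModule resolves it, the Condition evaluates to Indeterminate rather than Permit, so the policy never grants access on a missing attribute.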