xacml-users message



Subject: Expression Policies that require user attributes in a general way


I am looking to create a policy that generates an access decision based
on user attributes, but in a general way.

For instance, take the simplest case where I want to allow read access
to the user: sam on the page: www.example.com/sam.  I would also like
to do the same for mary (www.example.com/mary) and john
(www.example.com/john).  I could, of course, write three policies for
all three, but that does not scale.

Here is my start:
<Policy PolicyId="ExamplePolicy1"
        RuleCombiningAlgId=...>
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="...regexp-string-match">
          <ResourceAttributeDesignator AttributeId="...:resource-id"
                                       DataType="...string"/>
          <AttributeValue
            DataType="...string">www.example.com/*</AttributeValue>
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <AnyAction/>
    </Actions>
  </Target>
  <Rule RuleId="ReadRule" Effect="Permit">
..

I am having trouble constructing a Condition Function in a Rule based on
a variable attribute of a Subject.

Thanks,

Rupert



-- 
Rupert Webb
Software Engineer
LimeBrokerage

rwebb@limebrokerage.com
Work: 781-472-3756
Cell: 617-257-4447
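
One way to express the single per-user rule asked about above, as an added example that is not part of the original message or the thread: the Condition compares the requested resource-id with "www.example.com/" concatenated with the requester's subject-id, so one rule covers sam, mary and john. It assumes a XACML 2.0 PDP (string-concatenate is a 2.0 function, while the Target above uses the 1.x AnySubject form), that subject-id carries the bare user name, and that the action-id value is "read"; the RuleId is hypothetical.

```xml
<!-- Added example (assumes XACML 2.0). Permit only when the action is "read"
     and resource-id is exactly "www.example.com/" + subject-id. -->
<Rule RuleId="OwnPageReadRule" Effect="Permit">
  <Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
      <!-- action-id == "read" (value is an assumption) -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <ActionAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"
              MustBePresent="true"/>
        </Apply>
        <AttributeValue
            DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
      </Apply>
      <!-- resource-id == "www.example.com/" + subject-id.
           Exact equality, not a regular expression: subject "sam" cannot
           match "www.example.com/samantha" or any deeper path. -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <ResourceAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"
              MustBePresent="true"/>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:string-concatenate">
          <AttributeValue
              DataType="http://www.w3.org/2001/XMLSchema#string">www.example.com/</AttributeValue>
          <!-- MustBePresent="true": a request without subject-id evaluates
               to Indeterminate instead of silently comparing an empty bag. -->
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <SubjectAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                MustBePresent="true"/>
          </Apply>
        </Apply>
      </Apply>
    </Apply>
  </Condition>
</Rule>
```

The rule only ever yields Permit, so the enclosing policy still needs a combining algorithm or final Deny rule that refuses requests the Condition does not match.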
