xacml-users message

Subject: RE: [xacml-users] Expression Policies that require user attributes in a general way



P.S.  If you cannot find a way to express this with XACML built-in
functions, one approach is to define all the necessary simple attributes
in your context - in this case it may be "resource-page" with values
"sam", "mary" etc. XACML is not generally able to drill through all the
complex data-types (like parsing parts of a URL in this case) - it
needs to be outsourced into a context provider.

Daniel;


-----Original Message-----
From: Daniel Engovatov 
Sent: Wednesday, January 18, 2006 3:15 PM
To: Rupert Webb; xacml-users@lists.oasis-open.org
Subject: RE: [xacml-users] Expression Policies that require user
attributes in a general way

You can do a condition

(string-equal [resource-id] (string-concatenate "www.example.com/"
[subject-id]))
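
The condition above written out as an XACML 2.0 Rule. This is an added illustration, not code from the thread; it assumes the standard resource-id and subject-id attribute identifiers, the XML Schema string datatype, and that each attribute arrives as a one-element bag (string-one-and-only unwraps it and yields Indeterminate otherwise).

```xml
<Rule RuleId="ReadOwnPage" Effect="Permit">
  <Condition>
    <!-- exact string comparison: resource-id must equal "www.example.com/" + subject-id -->
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <!-- designators return bags; string-one-and-only turns a one-element bag
           into a scalar and fails if the bag is empty or has several values -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
        <ResourceAttributeDesignator
            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
      <!-- string-concatenate is a 2.0 function; it joins its string arguments in order -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:string-concatenate">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">www.example.com/</AttributeValue>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <SubjectAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
      </Apply>
    </Apply>
  </Condition>
</Rule>
```

Because the comparison is an exact match, the PEP must supply resource-id in the same canonical form the policy expects (no scheme, trailing path or query), or the Rule will never apply.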





-----Original Message-----
From: Rupert Webb [mailto:rwebb@limebrokerage.com] 
Sent: Wednesday, January 18, 2006 3:00 PM
To: xacml-users@lists.oasis-open.org
Subject: [xacml-users] Expression Policies that require user attributes
in a general way

I am looking to create a policy that generates an access decision based
on user attributes, but in a general way.

For instance, take the simplest case where I want to allow read access
to the user: sam on the page: www.example.com/sam.  I would also like
to do the same for mary (www.example.com/mary) and john
(www.example.com/john).  I could, of course, write three policies for
all three, but that does not scale.

Here is my start:
<Policy PolicyId="ExamplePolicy1"
        RuleCombiningAlgId=...>
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Resources>
      <Resource>
        <ResourceMatch MatchId=...regexp-string-match">
          <ResourceAttributeDesignator AttributeId=...:resource-id"
                                       DataType=...string"/>
          <!-- pattern kept on one line so no surrounding whitespace becomes part of it -->
          <AttributeValue DataType=...string">www.example.com/*</AttributeValue>
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <AnyAction/>
    </Actions>
  </Target>
  <Rule RuleId="ReadRule" Effect="Permit">
  ...

I am having trouble constructing a Condition Function in a Rule based on
a variable attribute of a Subject.

Thanks,

Rupert



-- 
Rupert Webb
Software Engineer
LimeBrokerage

rwebb@limebrokerage.com
Work: 781-472-3756
Cell: 617-257-4447


---------------------------------------------------------------------
This publicly archived list supports open discussion on using the 
XACML OASIS Standard. To minimize spam in the archives, you 
must subscribe before posting.

[Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
Alternately, using email: list-[un]subscribe@lists.oasis-open.org
List archives: http://lists.oasis-open.org/archives/xacml-users/
Committee homepage: http://www.oasis-open.org/committees/xacml/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
Join OASIS: http://www.oasis-open.org/join/
