Subject: RE: [xacml-users] Expression Policies that require user attributes in a general way
P.S. If you cannot find a way to express this with XACML built-in functions, one approach is to define all the necessary simple attributes in your context - in this case it may be "resource-page" with values "sam", "mary" etc. XACML is not generally able to drill through all the complex data-types (like parsing parts of a URL in this case) - it needs to be outsourced into a context provider.

Daniel

-----Original Message-----
From: Daniel Engovatov
Sent: Wednesday, January 18, 2006 3:15 PM
To: Rupert Webb; xacml-users@lists.oasis-open.org
Subject: RE: [xacml-users] Expression Policies that require user attributes in a general way

You can do a condition

    (String-equal [resource-id] (string-concatenate "www.example.com/" [subject-id]))

-----Original Message-----
From: Rupert Webb [mailto:rwebb@limebrokerage.com]
Sent: Wednesday, January 18, 2006 3:00 PM
To: xacml-users@lists.oasis-open.org
Subject: [xacml-users] Expression Policies that require user attributes in a general way

I am looking to create a policy that generates an access decision based on user attributes, but in a general way.

For instance, take the simplest case where I want to allow read access to the user: sam on the page: www.example.com/sam. I would also like to do the same for mary (www.example.com/mary) and john (www.example.com/john). I could, of course, write three policies for all three, but that does not scale.

Here is my start:

    <Policy PolicyId="ExamplePolicy1" RuleCombiningAlgId=...>
      <Target>
        <Subjects>
          <AnySubject/>
        </Subjects>
        <Resources>
          <Resource>
            <ResourceMatch MatchId=...regexp-string-match">
              <ResourceAttributeDesignator AttributeId=...:resource-id" DataType=...string"/>
              <AttributeValue DataType=...string">www.example.com/* </AttributeValue>
            </ResourceMatch>
          </Resource>
        </Resources>
        <Actions>
          <AnyAction/>
        </Actions>
      </Target>
      <Rule RuleId="ReadRule" Effect="Permit">
      ..

I am having trouble constructing a Condition Function in a Rule based on a variable attribute of a Subject.
Thanks,
Rupert

--
Rupert Webb
Software Engineer
LimeBrokerage
rwebb@limebrokerage.com
Work: 781-472-3756
Cell: 617-257-4447

----------------------------------------------------------
This mail sent through IMP: https://webmail.limegroup.com/

---------------------------------------------------------------------
This publicly archived list supports open discussion on using the XACML OASIS Standard. To minimize spam in the archives, you must subscribe before posting.

[Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
Alternately, using email: list-[un]subscribe@lists.oasis-open.org
List archives: http://lists.oasis-open.org/archives/xacml-users/
Committee homepage: http://www.oasis-open.org/committees/xacml/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
Join OASIS: http://www.oasis-open.org/join/