xacml-users message

Subject: Re: [xacml-users] Hierarchical resources policy and request file


Thanks Anne !

--- Anne Anderson <Anne.Anderson@sun.com> wrote:

> Now you are talking about a specific implementation of XACML, and not
> about the language itself.  You should join the
> sunxacml-discuss@lists.sourceforge.net mailing list and ask your
> question there.
> 
> Regards,
> Anne
> 
> dhirendra sharma wrote:
> 
> > Hi Anne,
> > 
> > Can you help me with the Context Handler part of your solution?
> > 
> > Do you mean something like the attached class and request and policy
> > files?
> > 
> > (Note: I am using Sun's XACML 1.1 implementation)
> > 
> > Please ignore the comments and println calls in the code. I am just
> > getting myself accustomed to the flow.
> > 
> > Thanks,
> > Dhirendra Sharma
> > 
> > --- Anne Anderson <Anne.Anderson@sun.com> wrote:
> > 
> > 
> >>Dhirendra,
> >>
> >>This would be more elegant if we had defined a
> >>"resource-descendant-or-self" AttributeId, or better yet if we had
> >>defined generic functions: "<type>-ancestor", "<type>-descendant",
> >>"<type>-parent", ... that took any hierarchical AttributeId as their
> >>parameter and returned the bag of satisfying values.  You could always
> >>define such extensions yourself.
> >>
> >>Using Section 4.1 of the Hierarchical Resource Profile
> >>(http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-hier-profile-spec-os.pdf)
> >>the following should work:
> >>
> >>Let the Resource Attribute "urn:oasis:names:tc:xacml:1.0:resource-id" in
> >>the Request indicate the company to be read.  Let the Subject have a
> >>"urn:namespace:subject-company" Attribute that indicates that subject's
> >>"company" Attribute (the top-level company to which the subject
> >>belongs).  Assume the DataType of both Attributes is "xs:anyURI".
> >>
> >>The Context Handler must be written to have awareness of the company
> >>hierarchy.  In this case (here is the inelegant part), the hierarchy is
> >>going to be "upside-down", which works because multiple "parents" are
> >>allowed:
> >>
> >>1) if asked for AttributeId
> >>"urn:oasis:names:tc:xacml:2.0:resource-parent", the Context Handler
> >>needs to return a bag containing the company-id's of all companies that
> >>are direct subsidiaries of the requested resource
> >>
> >>2) if asked for "urn:oasis:names:tc:xacml:2.0:resource-ancestor", the
> >>Context Handler needs to return a bag containing the company-id's of all
> >>companies that are direct or indirect subsidiaries of the requested
> >>resource.
> >>
> >>3) if asked for
> >>"urn:oasis:names:tc:xacml:2.0:resource-ancestor-or-self", the Context
> >>Handler needs to return a bag containing the company-id's of all
> >>companies that are direct or indirect subsidiaries of the requested
> >>resource as well as the resource-id in the Request.
> >>
> >>To specify 1) in a Rule,
> >>
> >><Rule RuleId="..." Effect="Permit">
> >>   <Condition>
> >>     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
> >>       <!-- anyURI-is-in takes a single anyURI first; a designator
> >>            yields a bag, so reduce it with one-and-only -->
> >>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-one-and-only">
> >>         <SubjectAttributeDesignator
> >>           AttributeId="urn:namespace:subject-company"
> >>           DataType="xs:anyURI" />
> >>       </Apply>
> >>       <!-- second argument: the bag holding the requested company -->
> >>       <ResourceAttributeDesignator
> >>         AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
> >>         DataType="xs:anyURI" />
> >>     </Apply>
> >>   </Condition>
> >></Rule>
> >>
> >>To specify 2) in a Rule,
> >>
> >><Rule RuleId="..." Effect="Permit">
> >>   <Condition>
> >>     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
> >>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-one-and-only">
> >>         <SubjectAttributeDesignator
> >>           AttributeId="urn:namespace:subject-company"
> >>           DataType="xs:anyURI" />
> >>       </Apply>
> >>       <!-- bag of the requested company plus all of its direct and
> >>            indirect subsidiaries, as returned by the Context Handler -->
> >>       <ResourceAttributeDesignator
> >>         AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"
> >>         DataType="xs:anyURI" />
> >>     </Apply>
> >>   </Condition>
> >></Rule>
> >>
> >>Regards,
> >>Anne Anderson
> >>
> >>dhirendra sharma wrote:
> >>
> >>>Hi,
> >>>
> >>>  We need to specify the policy for the below:
> >>>	1). A user should be able to "read" a company (Example: ABC Inc)
> >>>provided he has the "ABC-Read" role and has "ABC Inc" as the company
> >>>attribute value in his profile
> >>>	
> >>>	2). A user should be able to "read" a company (Example: ABC) and
> >>>any of its subsidiaries provided he has the "ABC-Read" role and has
> >>>"ABC Inc" or any of its subsidiaries as the company attribute value
> >>>in his profile
> >>>	
> >>>	The request could be made giving a company id which could fall
> >>>anywhere in the subsidiary hierarchy, and we need to get a response
> >>>whether the user is authorized or not.
> >>>
> >>>	Can someone suggest - policy file and request XML
> 
=== message truncated ===
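The following is an added example, not code from this thread and not part of Sun's XACML implementation: a small Python model of the "upside-down" Context Handler that Anne describes, together with the two Rules evaluated over the bags it returns. The company ids under urn:example:company:* and the hierarchy they form are constructed for the example; the AttributeIds are the ones named in the thread, with "urn:namespace:subject-company" being Anne's placeholder. The inverted semantics are reproduced exactly as described (resource-parent and resource-ancestor answer with subsidiaries), so the tests show which subject/resource pairs end up Permit and which NotApplicable under that design; the cycle guard in the walk is an addition a practitioner would want in a real handler.

```python
# Added example: models the Context Handler logic from the thread above.
# Not code from the thread or from Sun's XACML; company ids are constructed.

from collections import deque
from typing import Dict, FrozenSet, Set

# AttributeIds used in the thread.  The resource-id and the 2.0 hierarchical
# profile ids are standard; "urn:namespace:subject-company" is Anne's placeholder.
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
RESOURCE_PARENT = "urn:oasis:names:tc:xacml:2.0:resource:resource-parent"
RESOURCE_ANCESTOR = "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor"
RESOURCE_ANCESTOR_OR_SELF = "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"
SUBJECT_COMPANY = "urn:namespace:subject-company"

# Constructed hierarchy (invented ids): company id -> ids of its direct subsidiaries.
COMPANY_TREE: Dict[str, Set[str]] = {
    "urn:example:company:abc":    {"urn:example:company:abc-eu", "urn:example:company:abc-us"},
    "urn:example:company:abc-eu": {"urn:example:company:abc-de"},
    "urn:example:company:abc-us": set(),
    "urn:example:company:abc-de": set(),
    "urn:example:company:xyz":    set(),   # unrelated company
}


def subsidiaries(tree: Dict[str, Set[str]], company: str, transitive: bool) -> FrozenSet[str]:
    """Direct (or, if transitive, direct and indirect) subsidiaries of company.

    Breadth-first with a visited set, so a malformed hierarchy that contains a
    cycle cannot make the Context Handler loop forever."""
    direct = tree.get(company, set())
    if not transitive:
        return frozenset(direct)
    seen: Set[str] = set()
    queue = deque(direct)
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        queue.extend(tree.get(current, set()))
    return frozenset(seen)


class ContextHandler:
    """Resolves the hierarchical resource AttributeIds the way the thread
    describes: "parent" and "ancestor" are answered with subsidiaries, i.e.
    the hierarchy is deliberately inverted."""

    def __init__(self, tree: Dict[str, Set[str]]) -> None:
        self.tree = tree

    def resource_attribute(self, attribute_id: str, resource_id: str) -> FrozenSet[str]:
        if attribute_id == RESOURCE_ID:
            return frozenset({resource_id})
        if attribute_id == RESOURCE_PARENT:
            return subsidiaries(self.tree, resource_id, transitive=False)
        if attribute_id == RESOURCE_ANCESTOR:
            return subsidiaries(self.tree, resource_id, transitive=True)
        if attribute_id == RESOURCE_ANCESTOR_OR_SELF:
            return subsidiaries(self.tree, resource_id, transitive=True) | {resource_id}
        return frozenset()   # unknown AttributeId: empty bag, so is-in is false


def any_uri_is_in(value: str, bag: FrozenSet[str]) -> bool:
    """urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in: single value vs. bag."""
    return value in bag


def evaluate_rule(handler: ContextHandler, subject_company: str, resource_id: str,
                  resource_attribute_id: str) -> str:
    """Evaluate one Permit Rule whose Condition is
    anyURI-is-in(subject-company, <bag for resource_attribute_id>).
    Returns "Permit" or "NotApplicable", as a PDP would for a lone Rule."""
    bag = handler.resource_attribute(resource_attribute_id, resource_id)
    return "Permit" if any_uri_is_in(subject_company, bag) else "NotApplicable"


def read_company_only(handler: ContextHandler, subject_company: str, resource_id: str) -> str:
    """Rule for requirement 1): the subject's company must be the requested company."""
    return evaluate_rule(handler, subject_company, resource_id, RESOURCE_ID)


def read_company_or_subsidiary(handler: ContextHandler, subject_company: str, resource_id: str) -> str:
    """Rule for requirement 2), as Anne designed it: the subject's company must be
    the requested company or one of its direct or indirect subsidiaries."""
    return evaluate_rule(handler, subject_company, resource_id, RESOURCE_ANCESTOR_OR_SELF)


if __name__ == "__main__":
    h = ContextHandler(COMPANY_TREE)
    print(read_company_or_subsidiary(h, "urn:example:company:abc-de", "urn:example:company:abc"))
    print(read_company_or_subsidiary(h, "urn:example:company:abc", "urn:example:company:abc-de"))
```

Note the direction the inverted design gives you: a subject whose company is a subsidiary is permitted to read the company above it, while a subject at the top-level company is not permitted to read a subsidiary by this Rule. If the other direction is what is wanted, the Context Handler has to return the real parents and ancestors and the Rule has to compare against a subject-side hierarchy instead.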



