Subject: Re: [xacml-users] Hierarchical resources policy and request file
Thanks Anne !

--- Anne Anderson <Anne.Anderson@sun.com> wrote:

> Now you are talking about a specific implementation of XACML, and not
> about the language itself. You should join the
> sunxacml-discuss@lists.sourceforge.net mailing list and ask your
> question there.
>
> Regards,
> Anne
>
> dhirendra sharma wrote:
>
> > Hi Anne,
> >
> > Can you help me with the Context Handler part of your solution.
> >
> > Do you mean something like the attached class and request and policy
> > files ?
> >
> > (Note: I am using Sun's XACML 1.1 implementation)
> >
> > Please ignore comments and println in the code. I am just getting
> > myself accustomed to the flow.
> >
> > Thanks,
> > Dhirendra Sharma
> >
> > --- Anne Anderson <Anne.Anderson@sun.com> wrote:
> >
> >> Dhirendra,
> >>
> >> This would be more elegant if we had defined a
> >> "resource-descendant-or-self" AttributeId, or better yet if we had
> >> defined generic functions: "<type>-ancestor", "<type>-descendant",
> >> "<type>-parent", ... that took any hierarchical AttributeId as their
> >> parameter and returned the bag of satisfying values. You could always
> >> define such extensions yourself.
> >>
> >> Using Section 4.1 of the Hierarchical Resource Profile
> >> (http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-hier-profile-spec-os.pdf)
> >> the following should work:
> >>
> >> Let the Resource Attribute "urn:oasis:names:tc:xacml:1.0:resource-id" in
> >> the Request indicate the company to be read. Let the Subject have a
> >> "urn:namespace:subject-company" Attribute that indicates that subject's
> >> "company" Attribute (the top-level company to which the subject
> >> belongs). Assume the DataType of both Attributes is "xs:anyURI".
> >>
> >> The Context Handler must be written to have awareness of the company
> >> hierarchy. In this case (here is the inelegant part), the hierarchy is
> >> going to be "upside-down", which works because multiple "parents" are
> >> allowed:
> >>
> >> 1) if asked for AttributeId "urn:oasis:names:tc:xacml:2.0:resource-parent",
> >> the Context Handler needs to return a bag containing the company-id's of
> >> all companies that are direct subsidiaries of the requested resource
> >>
> >> 2) if asked for "urn:oasis:names:tc:xacml:2.0:resource-ancestor", the
> >> Context Handler needs to return a bag containing the company-id's of all
> >> companies that are direct or indirect subsidiaries of the requested
> >> resource.
> >>
> >> 3) if asked for "urn:oasis:names:tc:xacml:2.0:resource-ancestor-or-self",
> >> the Context Handler needs to return a bag containing the company-id's of
> >> all companies that are direct or indirect subsidiaries of the requested
> >> resource as well as the resource-id in the Request.
> >>
> >> To specify 1) in a Rule,
> >>
> >> <Rule RuleId="..." Effect="Permit">
> >>   <Condition>
> >>     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
> >>       <!-- anyURI-is-in takes a single anyURI as its first argument; a
> >>            designator always returns a bag, so reduce it with one-and-only -->
> >>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-one-and-only">
> >>         <SubjectAttributeDesignator AttributeId="urn:namespace:subject-company"
> >>             DataType="xs:anyURI" />
> >>       </Apply>
> >>       <ResourceAttributeDesignator
> >>           AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
> >>           DataType="xs:anyURI" />
> >>     </Apply>
> >>   </Condition>
> >> </Rule>
> >>
> >> To specify 2) in a Rule,
> >>
> >> <Rule RuleId="..." Effect="Permit">
> >>   <Condition>
> >>     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
> >>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-one-and-only">
> >>         <SubjectAttributeDesignator AttributeId="urn:namespace:subject-company"
> >>             DataType="xs:anyURI" />
> >>       </Apply>
> >>       <ResourceAttributeDesignator
> >>           AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"
> >>           DataType="xs:anyURI" />
> >>     </Apply>
> >>   </Condition>
> >> </Rule>
> >>
> >> Regards,
> >> Anne Anderson
> >>
> >> dhirendra sharma wrote:
> >>
> >>> Hi,
> >>>
> >>> We need to specify the policy for the below :
> >>>
> >>> 1). A user should be able to "read" a company (Example: ABC Inc)
> >>> provided he has - "ABC-Read" role and should have "ABC Inc" as the
> >>> company attribute value in his profile
> >>>
> >>> 2). A user should be able to "read" a company (Example: ABC ) and any
> >>> of its subsidiaries provided he has - "ABC-Read" role and should have
> >>> "ABC Inc" or any of its subsidiaries as the company attribute value
> >>> in his profile
> >>>
> >>> The request could be made giving company id which could fall anywhere
> >>> in the subsidiary hierarchy and we need to get a response whether user
> >>> is authorized or not.
> >>>
> >>> Can someone suggest - policy file and request XML
> >>
=== message truncated ===
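The "upside-down" Context Handler and the two Rules from Anne's message, modelled in Python as an added example (not code from this thread and not Sun's XACML implementation, whose AttributeFinderModule API is not used here). The model uses the full Section 4.1 AttributeId URNs for resource-parent, resource-ancestor and resource-ancestor-or-self, a constructed company tree under the made-up `urn:example:company:` prefix, and one flat request dictionary for both Subject and Resource attributes; `one-and-only` is applied to the subject bag because `anyURI-is-in` takes a single anyURI as its first argument.

```python
"""Model of the inverted-hierarchy Context Handler described in the thread.

Constructed example tree: ABC -> {ABC Europe, ABC Asia}; ABC Europe -> {ABC France}.
Company ids are URIs (DataType anyURI).  Attribute categories are collapsed into
one request dict for brevity, which a real PDP would not do.
"""
from typing import Dict, FrozenSet, Set

# AttributeIds from XACML 1.0 and the Hierarchical Resource Profile, Section 4.1.
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
RESOURCE_PARENT = "urn:oasis:names:tc:xacml:2.0:resource:resource-parent"
RESOURCE_ANCESTOR = "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor"
RESOURCE_ANCESTOR_OR_SELF = "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"
# Subject attribute named in Anne's message (placeholder namespace there as well).
SUBJECT_COMPANY = "urn:namespace:subject-company"

# Constructed hierarchy: company -> its direct subsidiaries.
SUBSIDIARIES: Dict[str, Set[str]] = {
    "urn:example:company:abc": {"urn:example:company:abc-europe", "urn:example:company:abc-asia"},
    "urn:example:company:abc-europe": {"urn:example:company:abc-france"},
    "urn:example:company:abc-asia": set(),
    "urn:example:company:abc-france": set(),
}


def direct_subsidiaries(company: str) -> FrozenSet[str]:
    """Bag for resource-parent under the inverted hierarchy: direct subsidiaries."""
    return frozenset(SUBSIDIARIES.get(company, set()))


def all_subsidiaries(company: str) -> FrozenSet[str]:
    """Bag for resource-ancestor: direct and indirect subsidiaries (transitive closure)."""
    seen: Set[str] = set()
    stack = list(direct_subsidiaries(company))
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(direct_subsidiaries(current))
    return frozenset(seen)


def one_and_only(bag: FrozenSet[str]) -> str:
    """anyURI-one-and-only: the single member of a one-element bag, else Indeterminate."""
    if len(bag) != 1:
        raise ValueError("Indeterminate: bag does not contain exactly one value")
    return next(iter(bag))


def any_uri_is_in(value: str, bag: FrozenSet[str]) -> bool:
    """anyURI-is-in: true iff value is a member of bag."""
    return value in bag


def context_handler(attribute_id: str, request: Dict[str, FrozenSet[str]]) -> FrozenSet[str]:
    """Return the bag for an AttributeId.  Attributes carried in the request are
    returned as-is; the three hierarchy attributes are derived from resource-id
    using the inverted tree; anything else is an empty bag."""
    if attribute_id in request:
        return request[attribute_id]
    resource_id = one_and_only(request[RESOURCE_ID])
    if attribute_id == RESOURCE_PARENT:
        return direct_subsidiaries(resource_id)
    if attribute_id == RESOURCE_ANCESTOR:
        return all_subsidiaries(resource_id)
    if attribute_id == RESOURCE_ANCESTOR_OR_SELF:
        return all_subsidiaries(resource_id) | {resource_id}
    return frozenset()


def evaluate_rule(resource_attribute_id: str, request: Dict[str, FrozenSet[str]]) -> str:
    """Evaluate a Permit Rule whose Condition is
    anyURI-is-in(one-and-only(subject-company), <bag of resource_attribute_id>).
    A false Condition makes the Rule NotApplicable."""
    subject_company = one_and_only(context_handler(SUBJECT_COMPANY, request))
    bag = context_handler(resource_attribute_id, request)
    return "Permit" if any_uri_is_in(subject_company, bag) else "NotApplicable"


def make_request(subject_company: str, resource_id: str) -> Dict[str, FrozenSet[str]]:
    """Build the flattened request context used by this model."""
    return {SUBJECT_COMPANY: frozenset({subject_company}), RESOURCE_ID: frozenset({resource_id})}


if __name__ == "__main__":
    # Subject belongs to ABC France; the requested resource is ABC.
    req = make_request("urn:example:company:abc-france", "urn:example:company:abc")
    print("rule 1 (exact company):", evaluate_rule(RESOURCE_ID, req))
    print("rule 2 (ancestor-or-self):", evaluate_rule(RESOURCE_ANCESTOR_OR_SELF, req))
```

Because the tree is stored upside-down, "ancestor-or-self" of the requested company means the company plus its subsidiaries, so a subject whose company is a subsidiary matches, while a subject at the parent company asking for a subsidiary's record does not; testing both directions is the quickest way to confirm the inversion is the one the policy author intended.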