Subject: Re: [xacml-users] Hierarchical resources policy and request file
Hi Seth,

I am using Sun's XACML 1.2 implementation. I am coding the Context Handler, policy and request files per Anne Anderson's suggestion below. Can you please review the attached three files:

1). ResourceAttributeFinderModule.java
2). company_policy.xml
3). company_request.xml

It is not working for me. Keeps throwing an exception on the condition element. I tried it in various ways but it still doesn't work.

Thanks,
Dhirendra Sharma

--- Anne Anderson <Anne.Anderson@sun.com> wrote:

> Dhirendra,
>
> This would be more elegant if we had defined a "resource-descendant-or-self" AttributeId, or better yet if we had defined generic functions: "<type>-ancestor", "<type>-descendant", "<type>-parent", ... that took any hierarchical AttributeId as their parameter and returned the bag of satisfying values. You could always define such extensions yourself.
>
> Using Section 4.1 of the Hierarchical Resource Profile
> (http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-hier-profile-spec-os.pdf)
> the following should work:
>
> Let the Resource Attribute "urn:oasis:names:tc:xacml:1.0:resource-id" in the Request indicate the company to be read. Let the Subject have a "urn:namespace:subject-company" Attribute that indicates that subject's "company" Attribute (the top-level company to which the subject belongs). Assume the DataType of both Attributes is "xs:anyURI".
>
> The Context Handler must be written to have awareness of the company hierarchy. In this case (here is the inelegant part), the hierarchy is going to be "upside-down", which works because multiple "parents" are allowed:
>
> 1) if asked for AttributeId "urn:oasis:names:tc:xacml:2.0:resource-parent", the Context Handler needs to return a bag containing the company-id's of all companies that are direct subsidiaries of the requested resource
>
> 2) if asked for "urn:oasis:names:tc:xacml:2.0:resource-ancestor", the Context Handler needs to return a bag containing the company-id's of all companies that are direct or indirect subsidiaries of the requested resource.
>
> 3) if asked for "urn:oasis:names:tc:xacml:2.0:resource-ancestor-or-self", the Context Handler needs to return a bag containing the company-id's of all companies that are direct or indirect subsidiaries of the requested resource as well as the resource-id in the Request.
>
> To specify 1) in a Rule,
>
> <Rule RuleId="..." Effect="Permit">
>   <Condition>
>     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
>       <!-- anyURI-is-in takes one anyURI value and then a bag; a designator
>            always yields a bag, so the subject value is reduced with one-and-only -->
>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-one-and-only">
>         <SubjectAttributeDesignator
>             AttributeId="urn:namespace:subject-company"
>             DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
>       </Apply>
>       <ResourceAttributeDesignator
>           AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>           DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
>     </Apply>
>   </Condition>
> </Rule>
>
> To specify 2) in a Rule,
>
> <Rule RuleId="..." Effect="Permit">
>   <Condition>
>     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-one-and-only">
>         <SubjectAttributeDesignator
>             AttributeId="urn:namespace:subject-company"
>             DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
>       </Apply>
>       <!-- the Context Handler answers this AttributeId with the bag from 3) above -->
>       <ResourceAttributeDesignator
>           AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"
>           DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
>     </Apply>
>   </Condition>
> </Rule>
>
> Regards,
> Anne Anderson
>
> dhirendra sharma wrote:
>
> > Hi,
> >
> > We need to specify the policy for the below:
> >
> > 1). A user should be able to "read" a company (Example: ABC Inc) provided he has the "ABC-Read" role and has "ABC Inc" as the company attribute value in his profile
> >
> > 2). A user should be able to "read" a company (Example: ABC) and any of its subsidiaries provided he has the "ABC-Read" role and has "ABC Inc" or any of its subsidiaries as the company attribute value in his profile
> >
> > The request could be made giving a company id which could fall anywhere in the subsidiary hierarchy, and we need to get a response whether the user is authorized or not.
> >
> > Can someone suggest a policy file and request XML for this?
> >
> > Thanks,
> > Dhirendra Sharma
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Tired of spam? Yahoo! Mail has the best spam protection around
> > http://mail.yahoo.com
> >
> > ---------------------------------------------------------------------
> > This publicly archived list supports open discussion on using the
> > XACML OASIS Standard. To minimize spam in the archives, you
> > must subscribe before posting.
> >
> > [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
> > Alternately, using email: list-[un]subscribe@lists.oasis-open.org
> > List archives: http://lists.oasis-open.org/archives/xacml-users/
> > Committee homepage: http://www.oasis-open.org/committees/xacml/
> > List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> > Join OASIS: http://www.oasis-open.org/join/
>
> --
> Anne H. Anderson               Anne.Anderson@sun.com
> Sun Microsystems Labs          1-781-442-0928
> Burlington, MA USA
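An added illustration, not part of the thread and not Sun XACML's AttributeFinderModule API: a small Python model of the "upside-down" Context Handler Anne describes, plus the evaluation of the two Rule Conditions. The company tree, the `urn:example:company:*` URIs and the function names are constructed for this example; the AttributeIds are the ones from the Hierarchical Resource Profile discussed above. Two points it makes concrete: a designator always yields a bag, so `anyURI-is-in` needs `anyURI-one-and-only` on the subject side, and the transitive-subsidiary walk carries a visited set so a malformed (cyclic) hierarchy cannot hang the PDP.

```python
"""Model of a Context Handler that answers hierarchical resource AttributeIds
with bags of subsidiaries, as described in the thread. Standalone example;
it does not use Sun XACML's classes."""
from collections import deque

# AttributeIds from the XACML 2.0 Hierarchical Resource Profile, section 4.1
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
RESOURCE_PARENT = "urn:oasis:names:tc:xacml:2.0:resource:resource-parent"
RESOURCE_ANCESTOR = "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor"
RESOURCE_ANCESTOR_OR_SELF = "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"

# Constructed hierarchy (hypothetical companies): parent URI -> direct subsidiaries.
ABC = "urn:example:company:ABC"
ABC_EAST = "urn:example:company:ABC-East"
ABC_WEST = "urn:example:company:ABC-West"
ABC_EAST_RETAIL = "urn:example:company:ABC-East-Retail"
COMPANY_TREE = {
    ABC: {ABC_EAST, ABC_WEST},
    ABC_EAST: {ABC_EAST_RETAIL},
}


def direct_subsidiaries(tree, company):
    """Bag for resource-parent in the upside-down scheme: the direct subsidiaries."""
    return set(tree.get(company, ()))


def all_subsidiaries(tree, company):
    """Bag for resource-ancestor: direct and indirect subsidiaries.
    A visited set guards against cycles in a malformed hierarchy."""
    seen = set()
    queue = deque(direct_subsidiaries(tree, company))
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        queue.extend(direct_subsidiaries(tree, current))
    return seen


def find_resource_attribute(tree, attribute_id, resource_id):
    """What the Context Handler returns for a ResourceAttributeDesignator.
    XACML designators always evaluate to a bag, so every branch returns one."""
    if attribute_id == RESOURCE_ID:
        return frozenset({resource_id})
    if attribute_id == RESOURCE_PARENT:
        return frozenset(direct_subsidiaries(tree, resource_id))
    if attribute_id == RESOURCE_ANCESTOR:
        return frozenset(all_subsidiaries(tree, resource_id))
    if attribute_id == RESOURCE_ANCESTOR_OR_SELF:
        return frozenset(all_subsidiaries(tree, resource_id) | {resource_id})
    return frozenset()  # unknown AttributeId: empty bag


def any_uri_one_and_only(bag):
    """anyURI-one-and-only: the bag must hold exactly one value."""
    if len(bag) != 1:
        raise ValueError("anyURI-one-and-only: expected 1 value, got %d" % len(bag))
    return next(iter(bag))


def any_uri_is_in(value, bag):
    """anyURI-is-in: single value on the left, bag on the right."""
    return value in bag


def evaluate_rule(tree, subject_company_bag, resource_id, resource_attribute_id):
    """Evaluate a Permit Rule whose Condition is
    anyURI-is-in(anyURI-one-and-only(subject-company), <resource_attribute_id bag>).
    Rule 1) uses RESOURCE_ID, Rule 2) uses RESOURCE_ANCESTOR_OR_SELF.
    A one-and-only failure is Indeterminate, as it would be in a real PDP."""
    try:
        subject_company = any_uri_one_and_only(subject_company_bag)
    except ValueError:
        return "Indeterminate"
    bag = find_resource_attribute(tree, resource_attribute_id, resource_id)
    return "Permit" if any_uri_is_in(subject_company, bag) else "NotApplicable"


if __name__ == "__main__":
    print("rule 1, subject ABC reads ABC:",
          evaluate_rule(COMPANY_TREE, {ABC}, ABC, RESOURCE_ID))
    print("rule 2, subject ABC-East-Retail reads ABC:",
          evaluate_rule(COMPANY_TREE, {ABC_EAST_RETAIL}, ABC, RESOURCE_ANCESTOR_OR_SELF))
    print("rule 2, subject ABC reads ABC-East:",
          evaluate_rule(COMPANY_TREE, {ABC}, ABC_EAST, RESOURCE_ANCESTOR_OR_SELF))
```

`find_resource_attribute` is the part that would live in the attribute finder: the policy only ever asks for one of the three AttributeIds, and the hierarchy knowledge stays in the Context Handler. The role check from the original question is left out, as it was in the quoted Rules.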