Subject: Re: [xacml-users] Beginners question - how to send multiple role in one request
Hi Saurabh,

Oleg is correct - multiple values for Attributes are allowed and are often used. You can include multiple roles exactly as in your example.

Regards,
Craig

---------------------------------------------------------------
Craig Forster
Software Engineer
IBM Australia Development Labs
Argus == https://w3.webahead.ibm.com/w3ki/display/commonauthz/Home
Blog == http://blogs.tap.ibm.com/weblogs/craigforster/
---------------------------------------------------------------

From: Oleg Gryb <oleg_gryb@yahoo.com>
To: saurabh suman <saurabh256@yahoo.com>, xacml-users@lists.oasis-open.org
Date: 06/05/2008 02:21
Subject: Re: [xacml-users] Beginners question - how to send multiple role in one request

I got an impression that multiple values are actually allowed and this can be confirmed by the XSD for the request (see below), so I think it's quite legal to have multiple roles in one attribute. In your policy you would need to use an AttributeDesignator with the urn:oasis:names:tc:xacml:1.0:function:string-is-in function, which would allow you to determine if a role that permits access is in the list of the roles that you sent in the request.

<xs:complexType name="AttributeType">
  <xs:sequence>
    <xs:element ref="xacml-context:AttributeValue" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
  <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
  <xs:attribute name="Issuer" type="xs:string" use="optional"/>
</xs:complexType>

--- saurabh suman <saurabh256@yahoo.com> wrote:

> Hi,
> I have the following scenario but I am not able to
> figure out how I can create a xacml request and what
> will go to the policy
>
> I have a user with roles role1, role2, role3 and
> accessing a resource resource1, these roles are not
> part of RBAC, just treat it as attributes of subject
> Number of roles can vary for different users
>
> Now my question how to send all the roles in a
> request
> Something like below:
> <Subject>
>   <Attribute
>       AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
>       DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
>     <AttributeValue>saurabh256@yahoo.com</AttributeValue>
>   </Attribute>
>   <Attribute AttributeId="roles"
>       DataType="http://www.w3.org/2001/XMLSchema#string"
>       Issuer="admin@users.example.com">
>     <AttributeValue>role1</AttributeValue>
>     <AttributeValue>role2</AttributeValue>
>     <AttributeValue>role3</AttributeValue>
>   </Attribute>
> </Subject>
>
> I know that I CAN NOT provide multiple value for one
> attribute but I want to know HOW TO ACHIEVE the same.
> I can do something like comma separated and in
> policy I can use regular expression but that will
> make the implementation very code specific.
>
> I want to send all the roles and so that at the
> policy side I can use any-of function.
>
> Please suggest.
>
> Regards
> Saurabh Suman
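The bag semantics discussed in this thread, as an added example that is not part of the original messages or of any XACML implementation: a multi-valued "roles" attribute is collected into a bag the way an attribute designator would select it, then tested with string-is-in by exact equality. The helper names (attribute_bag, string_is_in, any_permitted) are hypothetical, and the request fragment is constructed from the one quoted above, without namespaces.

```python
import xml.etree.ElementTree as ET

STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed sample, modelled on the <Subject> fragment quoted in the thread.
REQUEST = """
<Subject>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
             DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
    <AttributeValue>user@example.com</AttributeValue>
  </Attribute>
  <Attribute AttributeId="roles"
             DataType="http://www.w3.org/2001/XMLSchema#string"
             Issuer="admin@users.example.com">
    <AttributeValue>role1</AttributeValue>
    <AttributeValue>role2</AttributeValue>
    <AttributeValue>role3</AttributeValue>
  </Attribute>
</Subject>
"""

def attribute_bag(subject_xml, attribute_id, data_type, issuer=None):
    """Return every value a designator with these parameters would select."""
    bag = []
    for attr in ET.fromstring(subject_xml).iter("Attribute"):
        # AttributeId and DataType must both match the designator.
        if attr.get("AttributeId") != attribute_id or attr.get("DataType") != data_type:
            continue
        # Issuer is only compared when the designator names one.
        if issuer is not None and attr.get("Issuer") != issuer:
            continue
        bag.extend((v.text or "").strip() for v in attr.iter("AttributeValue"))
    return bag

def string_is_in(value, bag):
    """string-is-in: true if value equals some bag member (no substring match)."""
    return any(value == member for member in bag)

def any_permitted(permitted_roles, bag):
    """True if at least one role the policy permits is in the request's bag."""
    return any(string_is_in(role, bag) for role in permitted_roles)

if __name__ == "__main__":
    roles = attribute_bag(REQUEST, "roles", STRING, issuer="admin@users.example.com")
    print(roles, string_is_in("role2", roles), any_permitted(["role9"], roles))
```

Because each role is a separate bag member, a policy value of "role" does not match "role1", which is the false positive a comma-separated string checked with a loose regular expression can produce.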