xacml-users message

Subject: Re: [xacml-users] Beginners question - how to send multiple role in one request


Hi Saurabh,

Oleg is correct - multiple values for Attributes are allowed and are often
used.  You can include multiple roles exactly as in your example.

Regards,
Craig

---------------------------------------------------------------
Craig Forster
Software Engineer
IBM Australia Development Labs
Argus == https://w3.webahead.ibm.com/w3ki/display/commonauthz/Home
Blog == http://blogs.tap.ibm.com/weblogs/craigforster/
---------------------------------------------------------------


                                                                       
  From:       Oleg Gryb <oleg_gryb@yahoo.com>                          
                                                                       
  To:         saurabh suman <saurabh256@yahoo.com>, xacml-users@lists.oasis-open.org
                                                                       
  Date:       06/05/2008 02:21                                         
                                                                       
  Subject:    Re: [xacml-users] Beginners question - how to send multiple role in one request
                                                                       





I got an impression that multiple values are actually
allowed and this can be confirmed by XSD for request
(see below), so I think it's quite legal to have
multiple roles in one attribute.

In your policy you would need to use
AttributeDesignator with
urn:oasis:names:tc:xacml:1.0:function:string-is-in
function that would allow you to determine if a role
that permits access is in the list of the roles that
you sent in the request.


<xs:complexType name="AttributeType">
    <xs:sequence>
        <xs:element ref="xacml-context:AttributeValue" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
    <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
    <xs:attribute name="Issuer" type="xs:string" use="optional"/>
</xs:complexType>



--- saurabh suman <saurabh256@yahoo.com> wrote:

> Hi,
> I have the following scenario but I am not able to
> figure out how I can create a XACML request and what
> will go to the policy.
>
> I have a user with roles role1, role2, role3 and
> accessing a resource resource1. These roles are not
> part of RBAC, just treat them as attributes of the subject.
> The number of roles can vary for different users.
>
> Now my question is how to send all the roles in a
> request.
> Something like below:
> <Subject>
>     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
>                DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
>       <AttributeValue>saurabh256@yahoo.com</AttributeValue>
>     </Attribute>
>     <Attribute AttributeId="roles"
>                DataType="http://www.w3.org/2001/XMLSchema#string"
>                Issuer="admin@users.example.com">
>       <AttributeValue>role1</AttributeValue>
>       <AttributeValue>role2</AttributeValue>
>       <AttributeValue>role3</AttributeValue>
>     </Attribute>
> </Subject>
>
> I know that I CAN NOT provide multiple values for one
> attribute but I want to know HOW TO ACHIEVE the same.
> I can do something like comma separated and in the
> policy I can use a regular expression, but that will
> make the implementation very code specific.
>
> I want to send all the roles so that on the
> policy side I can use the any-of function.
>
> Please suggest.
>
> Regards
> Saurabh Suman
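
The string-is-in check described in the thread, as an added Python example that is not part of the original messages and not taken from any XACML implementation. It assumes a Condition written in XACML 2.0 syntax and a request shaped like the quoted one; `make_request`, `subject_bag` and `evaluate` are hypothetical helpers, and only string-is-in is handled.

```python
import xml.etree.ElementTree as ET

STRING_IS_IN = "urn:oasis:names:tc:xacml:1.0:function:string-is-in"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed condition (assumed XACML 2.0 syntax): is "role2" in the "roles" bag?
CONDITION = f"""
<Condition>
  <Apply FunctionId="{STRING_IS_IN}">
    <AttributeValue DataType="{XS_STRING}">role2</AttributeValue>
    <SubjectAttributeDesignator AttributeId="roles" DataType="{XS_STRING}"/>
  </Apply>
</Condition>"""

def make_request(values):
    """Constructed sample request: one 'roles' Attribute, one AttributeValue per item."""
    request = ET.Element("Request")
    attr = ET.SubElement(ET.SubElement(request, "Subject"), "Attribute",
                         AttributeId="roles", DataType=XS_STRING)
    for value in values:
        ET.SubElement(attr, "AttributeValue").text = value
    return request

def subject_bag(request, attribute_id, data_type):
    """Gather every AttributeValue of the matching Subject attributes into one bag."""
    bag = []
    for attr in request.iterfind("Subject/Attribute"):
        if attr.get("AttributeId") == attribute_id and attr.get("DataType") == data_type:
            bag.extend((v.text or "").strip() for v in attr.iterfind("AttributeValue"))
    return bag

def evaluate(condition_xml, request):
    """Evaluate a single string-is-in Apply: (string literal, bag from designator)."""
    apply_el = ET.fromstring(condition_xml).find("Apply")
    if apply_el.get("FunctionId") != STRING_IS_IN:
        raise ValueError("this example only handles string-is-in")
    literal = (apply_el.find("AttributeValue").text or "").strip()
    designator = apply_el.find("SubjectAttributeDesignator")
    bag = subject_bag(request, designator.get("AttributeId"), designator.get("DataType"))
    return literal in bag  # an empty bag simply yields False

if __name__ == "__main__":
    # Three separate AttributeValue elements: the designator yields a 3-element bag.
    print(evaluate(CONDITION, make_request(["role1", "role2", "role3"])))
    # One comma-separated value is a single string, so an exact match fails.
    print(evaluate(CONDITION, make_request(["role1,role2,role3"])))
```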