Subject: Re: [xacml-users] Beginners question - how to send multiple role in one request
Hi Saurabh,
Oleg is correct - multiple values for Attributes are allowed and are often
used. You can include multiple roles exactly as in your example.
Regards,
Craig
---------------------------------------------------------------
Craig Forster
Software Engineer
IBM Australia Development Labs
Argus == https://w3.webahead.ibm.com/w3ki/display/commonauthz/Home
Blog == http://blogs.tap.ibm.com/weblogs/craigforster/
---------------------------------------------------------------
From: Oleg Gryb <oleg_gryb@yahoo.com>
To: saurabh suman <saurabh256@yahoo.com>, xacml-users@lists.oasis-open.org
Date: 06/05/2008 02:21
Subject: Re: [xacml-users] Beginners question - how to send multiple role in one request
I got the impression that multiple values are actually
allowed and this can be confirmed by the XSD for the request
(see below), so I think it's quite legal to have
multiple roles in one attribute.
In your policy you would need to use
AttributeDesignator with the
urn:oasis:names:tc:xacml:1.0:function:string-is-in
function that would allow you to determine if a role
that permits access is in the list of the roles that
you sent in the request.
<xs:complexType name="AttributeType">
  <xs:sequence>
    <xs:element ref="xacml-context:AttributeValue" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
  <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
  <xs:attribute name="Issuer" type="xs:string" use="optional"/>
</xs:complexType>
--- saurabh suman <saurabh256@yahoo.com> wrote:
> Hi,
> I have the following scenario but I am not able to
> figure out how I can create a xacml request and what
> will go to the policy
>
>
> I have a user with roles role1, role2, role3 and
> accessing a resource resource1, these roles are not
> part of RBAC, just treat it as attributes of subject
> Number of roles can vary for different users
>
> Now my question is how to send all the roles in a
> request
> Something like below:
> <Subject>
>   <Attribute
>       AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
>       DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
>     <AttributeValue>saurabh256@yahoo.com</AttributeValue>
>   </Attribute>
>   <Attribute AttributeId="roles"
>       DataType="http://www.w3.org/2001/XMLSchema#string"
>       Issuer="admin@users.example.com">
>     <AttributeValue>role1</AttributeValue>
>     <AttributeValue>role2</AttributeValue>
>     <AttributeValue>role3</AttributeValue>
>   </Attribute>
> </Subject>
>
> I know that I CAN NOT provide multiple values for one
> attribute but I want to know HOW TO ACHIEVE the same.
> I can do something like comma separated and in
> policy I can use regular expression but that will
> make the implementation very code specific.
>
> I want to send all the roles and so that at the
> policy side I can use any-of function.
>
> Please suggest.
>
> Regards
> Saurabh Suman
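The bag semantics discussed in this thread, as an added example that is not part of the original messages and not taken from any XACML engine: the values of a multi-valued `roles` attribute are collected into a bag and tested with an exact-match model of `string-is-in`, next to the comma-separated workaround, which never matches a single role. The helper names, the namespace-free `<Subject>` fragments and the sample values are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed sample, modelled on the <Subject> fragment quoted in the thread.
MULTI_VALUED = """
<Subject>
  <Attribute AttributeId="roles" DataType="http://www.w3.org/2001/XMLSchema#string"
             Issuer="admin@users.example.com">
    <AttributeValue>role1</AttributeValue>
    <AttributeValue>role2</AttributeValue>
    <AttributeValue>role3</AttributeValue>
  </Attribute>
</Subject>
"""

# Constructed counter-example: the comma-separated workaround from the question.
COMMA_SEPARATED = """
<Subject>
  <Attribute AttributeId="roles" DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>role1,role2,role3</AttributeValue>
  </Attribute>
</Subject>
"""


def attribute_bag(subject_xml, attribute_id, data_type=XS_STRING):
    """Return every AttributeValue carried under the given AttributeId and DataType."""
    bag = []
    for attr in ET.fromstring(subject_xml).findall("Attribute"):
        if attr.get("AttributeId") == attribute_id and attr.get("DataType") == data_type:
            bag.extend(value.text or "" for value in attr.findall("AttributeValue"))
    return bag


def string_is_in(value, bag):
    """Model of string-is-in: true only on an exact match with a bag member."""
    return any(value == member for member in bag)


def role_condition(subject_xml, permitted_role):
    """Hypothetical helper: the condition a rule would test for one permitted role."""
    return string_is_in(permitted_role, attribute_bag(subject_xml, "roles"))


if __name__ == "__main__":
    for name, doc in (("multi-valued", MULTI_VALUED), ("comma-separated", COMMA_SEPARATED)):
        print(name, attribute_bag(doc, "roles"), role_condition(doc, "role2"))
```

A subject with no `roles` attribute yields an empty bag, so the condition evaluates to false rather than raising an error.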