[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [xacml-users] Modelling task partitions in XACML
Here is a simple rule that does not preserve the notion of "partition". Similar rules would be required for "sign1" and the tasks (if you must cover the case of tasks being accomplished after signing). This hard-codes the partition information into the XACML policy; it would be best if you could generate the policy from the workflow description. If your environment can provide workflow-history (actions already completed) as well as user-history (actions performed by the current user), you could write rules for workflow sequencing as well as separation-of-duty.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Policy [
  <!ENTITY string "http://www.w3.org/2001/XMLSchema#string">
  <!ENTITY string-equal "urn:oasis:names:tc:xacml:1.0:function:string-equal">
  <!ENTITY action-id "urn:oasis:names:tc:xacml:1.0:action:action-id">
  <!ENTITY string-bag "urn:oasis:names:tc:xacml:1.0:function:string-bag">
  <!ENTITY any-of-any "urn:oasis:names:tc:xacml:1.0:function:any-of-any">
]>
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        Version="0.1"
        PolicyId="workflow"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/>
  <Rule RuleId="rule1" Effect="Deny">
    <Target>
      <Actions>
        <Action>
          <ActionMatch MatchId="&string-equal;">
            <AttributeValue DataType="&string;">sign2</AttributeValue>
            <ActionAttributeDesignator DataType="&string;" AttributeId="&action-id;"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <Condition>
      <Apply FunctionId="&any-of-any;">
        <Function FunctionId="&string-equal;"/>
        <EnvironmentAttributeDesignator DataType="&string;" AttributeId="user-history"/>
        <Apply FunctionId="&string-bag;">
          <AttributeValue DataType="&string;">t1</AttributeValue>
          <AttributeValue DataType="&string;">t2</AttributeValue>
          <AttributeValue DataType="&string;">t3</AttributeValue>
          <AttributeValue DataType="&string;">t4</AttributeValue>
          <AttributeValue DataType="&string;">t5</AttributeValue>
          <AttributeValue DataType="&string;">sign1</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>

--Paul

> -----Original Message-----
> From: Roland Illig [mailto:roland.illig@gmx.de]
> Sent: Monday, March 02, 2009 08:26
> To: xacml-users@lists.oasis-open.org
> Subject: [xacml-users] Modelling task partitions in XACML
>
> Hi,
>
> I want to use XACML to implement access control in a workflow
> system. A workflow is separated into several tasks. Some of
> these tasks will be split into partitions, and now the fun
> begins: If a user has executed a task from one of the
> partitions, he must not execute any task from all the other
> partitions. For example:
>
> workflow = (t1, t2, t3, t4, t5, sign1, sign2)
>
> partitioning = {{t1, t2, t3, t4, t5}, {sign1}, {sign2}}
>
> Assuming that there is an environment attribute called
> "history" that returns all the tasks that the user has
> already executed, can I implement this restriction using only
> plain XACML 1.0 or 2.0?
>
> Roland
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: xacml-users-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: xacml-users-help@lists.oasis-open.org
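The reply above hand-writes one Deny rule for "sign2" and suggests generating the rest from the workflow description. The following is an added example, not code from either message: it takes a partitioning like Roland's, emits one XACML 2.0 Deny rule per task in the same shape as Paul's rule (action-id string-equal target, any-of-any over the "user-history" environment bag), and then evaluates the generated policy with a deliberately minimal evaluator that covers only the functions the policy uses. The function names build_policy, conflicting_tasks and decide, the policy version, and the rule ids are my own choices; the task names and the partitioning are the constructed ones from the question.

```python
"""Generate a partition-based separation-of-duty XACML 2.0 policy and
check it with a minimal evaluator.  Added example for this thread, not
code from the original posts.  Attribute and function ids are those used
in the posted rule; PARTITIONING is the constructed example from the
question; decide() only implements the XACML subset the policy needs."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
STRING_BAG = "urn:oasis:names:tc:xacml:1.0:function:string-bag"
ANY_OF_ANY = "urn:oasis:names:tc:xacml:1.0:function:any-of-any"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
HISTORY_ATTR = "user-history"   # environment attribute name used in the posted rule

# Constructed input: the workflow partitioning from the question.
PARTITIONING = [["t1", "t2", "t3", "t4", "t5"], ["sign1"], ["sign2"]]


def q(tag):
    """Namespace-qualify a XACML element name for ElementTree."""
    return f"{{{XACML_NS}}}{tag}"


def conflicting_tasks(partitioning, task):
    """Every task that lives in a partition other than the one holding `task`."""
    own = [p for p in partitioning if task in p]
    if len(own) != 1:
        raise ValueError(f"{task!r} must belong to exactly one partition")
    return [t for p in partitioning if p is not own[0] for t in p]


def build_policy(partitioning, policy_id="workflow"):
    """One Deny rule per task, each mirroring the hand-written rule:
    target = action-id string-equal <task>; condition = any-of-any(string-equal,
    user-history, bag of the tasks in the other partitions).  With
    first-applicable and no Permit rule, a request that hits no Deny comes
    back NotApplicable, so an enclosing PolicySet must still supply the Permit."""
    ET.register_namespace("", XACML_NS)
    policy = ET.Element(q("Policy"), {"PolicyId": policy_id, "Version": "1.0",
                                      "RuleCombiningAlgId": FIRST_APPLICABLE})
    ET.SubElement(policy, q("Target"))          # empty Target: policy applies to every request
    for partition in partitioning:
        for task in partition:
            rule = ET.SubElement(policy, q("Rule"), {"RuleId": f"deny-{task}", "Effect": "Deny"})
            action = ET.SubElement(ET.SubElement(ET.SubElement(rule, q("Target")), q("Actions")), q("Action"))
            match = ET.SubElement(action, q("ActionMatch"), {"MatchId": STRING_EQUAL})
            ET.SubElement(match, q("AttributeValue"), {"DataType": STRING}).text = task
            ET.SubElement(match, q("ActionAttributeDesignator"), {"DataType": STRING, "AttributeId": ACTION_ID})
            apply = ET.SubElement(ET.SubElement(rule, q("Condition")), q("Apply"), {"FunctionId": ANY_OF_ANY})
            ET.SubElement(apply, q("Function"), {"FunctionId": STRING_EQUAL})
            ET.SubElement(apply, q("EnvironmentAttributeDesignator"), {"DataType": STRING, "AttributeId": HISTORY_ATTR})
            bag = ET.SubElement(apply, q("Apply"), {"FunctionId": STRING_BAG})
            for other in conflicting_tasks(partitioning, task):
                ET.SubElement(bag, q("AttributeValue"), {"DataType": STRING}).text = other
    return ET.tostring(policy, encoding="unicode")


def decide(policy_xml, action, history):
    """Minimal evaluator for the XACML subset the generated policy uses
    (string-equal action target, any-of-any over an environment bag,
    first-applicable combining).  Returns "Deny" or "NotApplicable"."""
    root = ET.fromstring(policy_xml)
    for rule in root.findall(q("Rule")):
        wanted = rule.find(f".//{q('ActionMatch')}/{q('AttributeValue')}").text
        if wanted != action:                    # target does not match: rule not applicable
            continue
        bag = [v.text for v in rule.findall(
            f".//{q('Apply')}[@FunctionId='{STRING_BAG}']/{q('AttributeValue')}")]
        if any(h == v for h in history for v in bag):   # any-of-any(string-equal, history, bag)
            return rule.get("Effect")           # first applicable rule decides
    return "NotApplicable"


if __name__ == "__main__":
    policy = build_policy(PARTITIONING)
    print(policy)
    print(decide(policy, "sign2", ["t1", "t3"]))    # Deny: t1 sits in another partition
    print(decide(policy, "sign2", ["sign2"]))       # NotApplicable: same partition
```

Two things worth keeping in mind when using this. First, the generated policy contains only Deny rules, so a user with a clean history gets NotApplicable rather than Permit; the Permit has to come from a surrounding PolicySet (for instance deny-overrides over this policy and a permit-by-default policy). Second, the whole separation-of-duty property rests on the user-history bag being complete and trustworthy: the context handler or PIP that supplies it is part of the trusted computing base, and a history that omits a task silently re-enables the conflict the policy is meant to block.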