

Subject: [xacml] What are we arguing about?



Colleagues - The proper way to apply the current proposed language schema to Michiharu's use case is shown below.  It really isn't very different from what Michiharu has proposed.

<?xml version="1.0" encoding="UTF-8"?>
<policy name="corporate confidentiality policy" issuer="xyz.com">
    <and>
        <policy name="permit internal users to read purchase orders" issuer="xyz.com">
            <target resourceClassification="purchaseOrder" propagationAlgorithm="someURI">
                <!-- The propagation algorithm defines the transformation from the resource identifier
                     obtained from the SAML authorization request to the resource classification
                     identified in the target element. In this case, the indicated algorithm truncates
                     the path expression. -->
                <actions>read</actions>
            </target>
            <rule><preCondition>
                <equality>
                    <referencedData location="saml/Attribute/AttributeName/Role"/>
                    <hardCoded value="internalUser"/>
                </equality>
            </preCondition></rule>
        </policy>
        <policy name="prevent external users from reading secret elements" issuer="xyz.com">
            <target resourceClassification="secret" propagationAlgorithm="someURI">
                <actions>read</actions>
            </target>
            <rule><preCondition>
                <not><equality>
                    <referencedData location="saml/Attribute/AttributeName/Role"/>
                    <hardCoded value="externalUser"/>
                </equality></not>
            </preCondition></rule>
        </policy>
    </and>
</policy>

NB  This instance assumes that we eventually agree some changes to the schema for the sake of efficiency.  But it is faithful to the principles.

All the best.  Tim.

-----------------------------------------
Tim Moses
Tel: 613.270.3183
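To make the combination semantics of the instance above concrete, here is an added evaluator that is not part of Tim's message or of any XACML draft: it parses the policy as posted (with the comment trimmed), matches each inner policy's target against a request (the set of resource classifications, an action, and a map of SAML attribute locations to values), evaluates the preCondition, and combines the results under the outer and. The combining rule (deny if any applicable child denies, permit if any permits, otherwise not applicable), the request shape, and the fail-closed handling of a missing referenced attribute are all assumptions made for this illustration, not behaviour the message specifies.

```python
import xml.etree.ElementTree as ET

# Attribute location used by both inner policies in the message.
ROLE = "saml/Attribute/AttributeName/Role"

# Constructed copy of the policy instance from the message (comment trimmed).
POLICY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<policy name="corporate confidentiality policy" issuer="xyz.com">
  <and>
    <policy name="permit internal users to read purchase orders" issuer="xyz.com">
      <target resourceClassification="purchaseOrder" propagationAlgorithm="someURI">
        <actions>read</actions>
      </target>
      <rule><preCondition>
        <equality>
          <referencedData location="saml/Attribute/AttributeName/Role"/>
          <hardCoded value="internalUser"/>
        </equality>
      </preCondition></rule>
    </policy>
    <policy name="prevent external users from reading secret elements" issuer="xyz.com">
      <target resourceClassification="secret" propagationAlgorithm="someURI">
        <actions>read</actions>
      </target>
      <rule><preCondition>
        <not><equality>
          <referencedData location="saml/Attribute/AttributeName/Role"/>
          <hardCoded value="externalUser"/>
        </equality></not>
      </preCondition></rule>
    </policy>
  </and>
</policy>
"""


class MissingAttribute(Exception):
    """Raised when a referencedData location is absent from the request."""


def operand_value(node, request):
    """Resolve an <equality> operand: a literal or a request attribute."""
    if node.tag == "hardCoded":
        return node.get("value")
    if node.tag == "referencedData":
        loc = node.get("location")
        if loc not in request["attributes"]:
            raise MissingAttribute(loc)
        return request["attributes"][loc]
    raise ValueError(f"unsupported operand element: {node.tag}")


def eval_predicate(node, request):
    """Evaluate an <equality> or <not> predicate to a bool."""
    if node.tag == "equality":
        left, right = (operand_value(c, request) for c in node)
        return left == right
    if node.tag == "not":
        return not eval_predicate(node[0], request)
    raise ValueError(f"unsupported predicate element: {node.tag}")


def target_matches(target, request):
    """Assumed target semantics: classification present and action listed."""
    actions = {a.text.strip() for a in target.findall("actions") if a.text}
    return (target.get("resourceClassification") in request["resource_classes"]
            and request["action"] in actions)


def eval_policy(policy, request):
    """Return 'permit', 'deny' or 'notApplicable' (assumed combining rule)."""
    target = policy.find("target")
    if target is not None and not target_matches(target, request):
        return "notApplicable"
    and_node = policy.find("and")
    if and_node is not None:
        results = [eval_policy(p, request) for p in and_node.findall("policy")]
        if "deny" in results:
            return "deny"
        return "permit" if "permit" in results else "notApplicable"
    pre = policy.find("rule/preCondition")
    try:
        satisfied = all(eval_predicate(child, request) for child in pre)
    except MissingAttribute:
        # Fail closed: a missing attribute must not satisfy a <not> check.
        return "deny"
    return "permit" if satisfied else "deny"


def decide(policy_xml, resource_classes, action, attributes):
    """Evaluate one request against the policy and return the decision."""
    root = ET.fromstring(policy_xml.encode("utf-8"))
    request = {"resource_classes": set(resource_classes),
               "action": action, "attributes": dict(attributes)}
    return eval_policy(root, request)


if __name__ == "__main__":
    print(decide(POLICY_XML, {"purchaseOrder", "secret"}, "read", {ROLE: "internalUser"}))
```

The fail-closed branch is the part worth noticing: with a naive evaluator, a request carrying no Role attribute at all would satisfy the second policy's not(equality) and, on a resource that is secret but not a purchase order, be permitted; treating a missing referencedData as a deny removes that path.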


