Subject: RE: [xacml] How do I require subject not to be a member of a given group?
One error: for a sequence of strings, function string-length will return its length - an integer. Also - there is no need for a separate sequence-string data type.

I think this is a bit of confusion here: as <AttributeDesignator> specifying xs:string type may return a sequence of strings, as well as one string - our functions ALWAYS should be ready to receive a sequence - it is not a separate data type. When there is only one value (in most cases) needed - it is a sequence of size 1.

In my proposal it may be

    <attributevalue type="xs:string">
      <value>Jones</value>
      <value>Smith</value>
    </attributevalue>

to specify Jones and Smith as convicted felons, to use in

    (integer-equal 0 (string-length (intersection (attributedesignator name="name") ["Jones", "Smith"])))

- to specify if any name matches anything in the list. It will be

    <attributevalue type="xs:string">
      <value>Engovatov</value>
    </attributevalue>

to specify only one, to use in the string-equal function (equal name "Engovatov"). If there is only one convicted felon, it will have one value.

This is to make it compatible with Designators and Selectors - you do not want to specify two different rules for the case when they return several values, or one value - I do not think it is possible.

BTW - for those concerned that it is not user friendly to have all those X-length functions - nothing prohibits the management system from mapping the XACML language into something more user friendly - for example use a length() function that would map into one of the type-length ones in the schema - as long as it is always done consistently.

-----Original Message-----
From: Anne Anderson [mailto:Anne.Anderson@Sun.com]
Sent: Wednesday, August 21, 2002 12:27 PM
To: XACML TC
Subject: [xacml] How do I require subject not to be a member of a given group?

Daniel: This may be a use case for your issue with specifying a sequence in an AttributeValue. Could you let me know if this is the correct way to do it?
Rule in English: Any subject who is not a member of the "convicted-felons" group may perform any action on any resource.

Rule in XACML:

    <Rule RuleId="identifier:conformance-test:IIC008:rule" Effect="Permit">
      <Description>
        Any subject who is not a member of the convicted-felons group may perform any action on any resource.
      </Description>
      <Target>
        <Subjects> <AnySubject/> </Subjects>
        <Resources> <AnyResource/> </Resources>
        <Actions> <AnyAction/> </Actions>
      </Target>
      <Condition FunctionId="function:integer-equal">
        <Apply FunctionId="function:integer-length">
          <Apply FunctionId="function:string-intersection">
            <SubjectAttributeDesignator AttributeId="identifier:conformance-test:group" DataType="xacml:sequence-string"/>
            <AttributeValue DataType="xacml:sequence-string">
              <AttributeValue DataType="xs:string">convicted-felon</AttributeValue>
            </AttributeValue>
          </Apply>
        </Apply>
        <AttributeValue DataType="xs:integer">0</AttributeValue>
      </Condition>
    </Rule>

--
Anne H. Anderson                         Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311               Tel: 781/442-0928
Burlington, MA 01803-0902 USA            Fax: 781/442-1692
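Added example, not part of either message: a toy evaluator for Anne's rule that applies Daniel's point that every function consumes and produces a bag (sequence), a single value being a bag of size 1. The function IDs are taken from the rule as posted; the request contexts are constructed, and the evaluator is an assumption about semantics, not an XACML implementation.

```python
"""Toy evaluator for the 'not a member of group' rule from the thread.
Every value is a bag (Python list); a lone value is a bag of size 1."""
import xml.etree.ElementTree as ET

# Constructed copy of the rule's Condition (Target omitted: it is AnySubject etc.).
RULE_XML = """<Rule RuleId="identifier:conformance-test:IIC008:rule" Effect="Permit">
  <Condition FunctionId="function:integer-equal">
    <Apply FunctionId="function:integer-length">
      <Apply FunctionId="function:string-intersection">
        <SubjectAttributeDesignator AttributeId="identifier:conformance-test:group"
                                    DataType="xacml:sequence-string"/>
        <AttributeValue DataType="xacml:sequence-string">
          <AttributeValue DataType="xs:string">convicted-felon</AttributeValue>
        </AttributeValue>
      </Apply>
    </Apply>
    <AttributeValue DataType="xs:integer">0</AttributeValue>
  </Condition>
</Rule>"""

# Assumed semantics: each function takes bags and returns a bag.
FUNCTIONS = {
    "function:string-intersection": lambda a, b: [v for v in a if v in b],
    "function:integer-length": lambda a: [len(a)],       # length of the bag
    "function:integer-equal": lambda a, b: [a == b],     # bag-wise compare
}

def evaluate(node, subject_attrs):
    """Reduce a Condition/Apply/AttributeValue/Designator node to a bag."""
    tag = node.tag
    if tag == "SubjectAttributeDesignator":
        # An absent attribute yields an empty bag rather than an error.
        return list(subject_attrs.get(node.get("AttributeId"), []))
    if tag == "AttributeValue":
        children = list(node)
        if children:  # nested sequence literal: flatten the child bags
            return [v for c in children for v in evaluate(c, subject_attrs)]
        text = node.text.strip()
        return [int(text)] if node.get("DataType") == "xs:integer" else [text]
    # Condition and Apply both carry a FunctionId applied to their children.
    fn = FUNCTIONS[node.get("FunctionId")]
    return fn(*(evaluate(c, subject_attrs) for c in node))

def decide(rule_xml, subject_attrs):
    """Return the rule's Effect when its Condition holds, else NotApplicable."""
    rule = ET.fromstring(rule_xml)
    holds = evaluate(rule.find("Condition"), subject_attrs) == [True]
    return rule.get("Effect") if holds else "NotApplicable"
```

Note that a subject whose group attribute cannot be resolved at all also gets Permit here, because the empty bag has an empty intersection; a deployment relying on this rule should make sure a missing group attribute is reported as Indeterminate rather than silently treated as "not a felon".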