Subject: Example: 35. Policy on revealing missing attributes


We agreed to close #35 so long as someone wrote up how an
existing XACML policy can be used for this.  This is a proof of
concept example.  Other representations are possible and probably
better.

Use model: the PDP-side component that builds the Response
Context (response-context-builder) has its own PDP.  This PDP is
configured with the policies used to determine which actions the
response-context-builder is allowed to perform.

For each action the response-context-builder attempts to perform
(such as add a missing attribute to the list), it issues an XACML
Request to the PDP that looks as follows:

  <Request>
    <Subject/>
    <Resource>
      <Attribute AttributeId="resource-id">
        <AttributeValue>urn:someorg:attr9</AttributeValue>
      </Attribute>
    </Resource>
    <Action>
      <Attribute AttributeId="action-id">
        <AttributeValue>urn:actions:add-missing-attr-to-response</AttributeValue>
      </Attribute>
    </Action>
  </Request>


This is an example of a policy that the
response-context-builder's PDP might be configured with:

<Policy PolicyId="25" RuleCombiningAlgId="deny-overrides">
  <Rule Effect="Permit">
    <Condition FunctionId="and">
      <!-- first conjunct: the action being attempted must be the
           "add missing attribute" action -->
      <Apply FunctionId="anyURI-equal">
        <ActionAttributeDesignator AttributeId="action-id"/>
        <AttributeValue>urn:actions:add-missing-attr-to-response</AttributeValue>
      </Apply>
      <!-- second conjunct: the attribute named in resource-id must
           match one of the AttributeIds in the allowed bag -->
      <Apply FunctionId="all-of-any">
        <Function FunctionId="anyURI-equal"/>
        <ResourceAttributeDesignator AttributeId="resource-id"/>
        <Apply FunctionId="anyURI-bag">
          <!-- list of all AttributeIds the component is allowed to
               return -->
          <AttributeValue>urn:someorg:attr1</AttributeValue>
          <AttributeValue>urn:someorg:attr5</AttributeValue>
          <AttributeValue>urn:someorg:attr6</AttributeValue>
          <AttributeValue>urn:someorg:attr7</AttributeValue>
          <AttributeValue>urn:someorg:attr8</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>

If the result is "Permit", then the component adds the attribute
to the return list.  Otherwise, the component omits the attribute
from the return list.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
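The following is an added example, not code from the message or from the XACML TC: a minimal evaluator for exactly the policy subset the message uses (and, anyURI-equal, all-of-any, anyURI-bag, attribute designators, deny-overrides rule combining), together with the filter the response-context-builder would apply before listing missing attributes. It keeps the message's shorthand FunctionIds and AttributeIds rather than the full XACML URNs, and it assumes the builder models the request context as a dictionary of category to attribute bags; the policy text and request values are constructed for the example. Designators are fed straight into anyURI-equal as in the message, so a single-valued bag is unwrapped and anything else is treated as Indeterminate. The example also exercises two edge cases worth checking against intent: a request with no action-id evaluates to Indeterminate, while a request with an empty resource-id bag makes all-of-any vacuously true and therefore Permit.

```python
import xml.etree.ElementTree as ET

ADD_ACTION = "urn:actions:add-missing-attr-to-response"

# Constructed policy text mirroring the message's proof-of-concept shorthand
# (abbreviated FunctionIds/AttributeIds instead of the full XACML URNs).
POLICY_XML = """<Policy PolicyId="25" RuleCombiningAlgId="deny-overrides">
  <Rule Effect="Permit">
    <Condition FunctionId="and">
      <Apply FunctionId="anyURI-equal">
        <ActionAttributeDesignator AttributeId="action-id"/>
        <AttributeValue>urn:actions:add-missing-attr-to-response</AttributeValue>
      </Apply>
      <Apply FunctionId="all-of-any">
        <Function FunctionId="anyURI-equal"/>
        <ResourceAttributeDesignator AttributeId="resource-id"/>
        <Apply FunctionId="anyURI-bag">
          <AttributeValue>urn:someorg:attr1</AttributeValue>
          <AttributeValue>urn:someorg:attr5</AttributeValue>
          <AttributeValue>urn:someorg:attr6</AttributeValue>
          <AttributeValue>urn:someorg:attr7</AttributeValue>
          <AttributeValue>urn:someorg:attr8</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>"""


class Indeterminate(Exception):
    """Raised when an expression cannot be evaluated (e.g. a needed attribute is absent)."""


def build_request(attribute_id, action_id=ADD_ACTION):
    """The request the builder issues for one candidate attribute (assumed model:
    {category: {AttributeId: bag-of-values}})."""
    return {"Subject": {}, "Resource": {"resource-id": [attribute_id]},
            "Action": {"action-id": [action_id]}}


def _value(x):
    # The shorthand passes designator bags directly to anyURI-equal; standard XACML
    # would wrap them in anyURI-one-and-only. Unwrap a one-element bag, else Indeterminate.
    if isinstance(x, list):
        if len(x) != 1:
            raise Indeterminate("expected exactly one value, got %d" % len(x))
        return x[0]
    return x


FUNCTIONS = {
    "anyURI-equal": lambda a, b: _value(a) == _value(b),
    "and": lambda *args: all(args),
    "anyURI-bag": lambda *args: list(args),
    # all-of-any(f, bag1, bag2): every element of bag1 matches some element of bag2
    "all-of-any": lambda f, bag1, bag2: all(any(f(x, y) for y in bag2) for x in bag1),
}


def evaluate(node, request):
    """Evaluate a Condition/Apply subtree against the request context."""
    tag = node.tag
    if tag == "AttributeValue":
        return (node.text or "").strip()
    if tag.endswith("AttributeDesignator"):
        category = tag[:-len("AttributeDesignator")]  # Subject / Resource / Action
        return list(request.get(category, {}).get(node.get("AttributeId"), []))
    if tag == "Function":
        return FUNCTIONS[node.get("FunctionId")]
    if tag in ("Apply", "Condition"):
        args = [evaluate(child, request) for child in node]
        return FUNCTIONS[node.get("FunctionId")](*args)
    raise ValueError("unsupported element: " + tag)


def evaluate_rule(rule, request):
    cond = rule.find("Condition")
    if cond is None:
        return rule.get("Effect")
    try:
        return rule.get("Effect") if evaluate(cond, request) else "NotApplicable"
    except Indeterminate:
        return "Indeterminate"


def decide(policy_xml, request):
    """deny-overrides rule combining as specified in XACML 1.0."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != "deny-overrides":
        raise ValueError("only deny-overrides is implemented in this example")
    potential_deny = at_least_one_permit = at_least_one_error = False
    for rule in policy.findall("Rule"):
        result = evaluate_rule(rule, request)
        if result == "Deny":
            return "Deny"
        if result == "Permit":
            at_least_one_permit = True
        elif result == "Indeterminate":
            at_least_one_error = True
            if rule.get("Effect") == "Deny":
                potential_deny = True
    if potential_deny:
        return "Deny"
    if at_least_one_permit:
        return "Permit"
    if at_least_one_error:
        return "Indeterminate"
    return "NotApplicable"


def attributes_to_reveal(policy_xml, missing_attribute_ids):
    """Keep only the missing AttributeIds the builder's PDP permits it to list."""
    return [a for a in missing_attribute_ids
            if decide(policy_xml, build_request(a)) == "Permit"]


if __name__ == "__main__":
    print(attributes_to_reveal(POLICY_XML, ["urn:someorg:attr9", "urn:someorg:attr1"]))
```

Only a "Permit" admits an attribute to the return list; NotApplicable and Indeterminate both cause it to be omitted, which matches the message's rule that anything other than Permit means omit.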