Subject: How to get attributes from other categories
To Steven, Mohammad, & TC:

At yesterday's meeting, I mentioned that I thought it might be possible to implement the "relationship based access control" reqts using the current 3.0 spec, but also that I have not had time to fully analyze the reqts and the applicability of the soln. In any event, I will explain things as far as I have gotten looking at this capability.

The first thing that brought this to my attention was when I was looking at examples using XPathCategory in the 3.0 spec. I was aware that this had something to do w AttributeSelectors, but I was surprised to find one in an AttributeDesignator (in Rule 1 in sec 4.2.4.1):

    <AttributeDesignator
        MustBePresent="false"
        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
        AttributeId="urn:oasis:names:tc:xacml:3.0:content-selector"
        DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression"/>

The example is connected to the request in section 4.2.2, and, sure enough, there is an Attribute there that will be resolved w this designator:

    <Attribute IncludeInResult="false"
        AttributeId="urn:oasis:names:tc:xacml:3.0:content-selector" >
      <AttributeValue
          XPathCategory="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
          DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression"
          >md:record/md:patient/md:patientDoB</AttributeValue>
    </Attribute>

There is nothing particularly remarkable about this particular example, however, it is fairly obvious that the xpathExpression value could apply to the <Content> of any <Attributes> element in the <Request>, simply by changing the value of XPathCategory to point to the Category w the desired value, such as category:action, or category:access-subject.

Therefore we have a potential starting point for referencing attributes in some other category than the category that the associated Attribute element is in. i.e. in the above example the Attribute is in the category:resource collection, but its value can be in the <Content> element of either the category:resource collection OR any other <Content> element in some other category:xxx collection, simply by setting the Value of XPathCategory appropriately.

There is an additional benefit that the xpath selection mechanism can also be associated w the metadata of the xpathExpression Attribute, which I don't think is the case w the plain vanilla AttributeSelector (but this is a secondary note, not the main point of this discussion).

There are a couple of choices that I considered for making this mechanism more general:
So, I think the above should get the basic idea across. I had
Thanks, Rich
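
The cross-category lookup described in the message above, as an added example that is not part of the original email or of the XACML spec: the content-selector Attribute stays in category:resource while XPathCategory decides whose <Content> the path reads. The request, the md namespace URI, the dates and the function names are constructed for illustration, and the path is evaluated relative to <Content> with ElementTree's XPath subset rather than a full XPath engine.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
MD = "urn:example:med:schemas:record"  # constructed namespace for the md: prefix
NS = {"x": XACML, "md": MD}
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
SELECTOR_ID = "urn:oasis:names:tc:xacml:3.0:content-selector"

def build_request(xpath_category):
    """Constructed request: two categories carry <Content>; only XPathCategory varies."""
    return ET.fromstring(f"""<Request xmlns="{XACML}" xmlns:md="{MD}">
  <Attributes Category="{SUBJECT}">
    <Content><md:record><md:patient>
      <md:patientDoB>1975-06-30</md:patientDoB>
    </md:patient></md:record></Content>
  </Attributes>
  <Attributes Category="{RESOURCE}">
    <Content><md:record><md:patient>
      <md:patientDoB>1992-03-21</md:patientDoB>
    </md:patient></md:record></Content>
    <Attribute IncludeInResult="false" AttributeId="{SELECTOR_ID}">
      <AttributeValue XPathCategory="{xpath_category}"
        DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression"
        >md:record/md:patient/md:patientDoB</AttributeValue>
    </Attribute>
  </Attributes>
</Request>""")

def attributes_for(request, category):
    """Return the <Attributes> element for a category, or None if absent."""
    for attrs in request.findall("x:Attributes", NS):
        if attrs.get("Category") == category:
            return attrs
    return None

def resolve_content_selector(request, holder_category=RESOURCE):
    """Evaluate the content-selector held in holder_category against the
    <Content> of whichever category its XPathCategory names."""
    holder = attributes_for(request, holder_category)
    value = holder.find(f"x:Attribute[@AttributeId='{SELECTOR_ID}']/x:AttributeValue", NS)
    target = attributes_for(request, value.get("XPathCategory"))
    content = target.find("x:Content", NS) if target is not None else None
    if content is None:
        return []  # named category or its <Content> is missing: empty bag
    # Simplification: the path is applied relative to <Content> itself.
    return [node.text for node in content.findall(value.text.strip(), NS)]
```

Because the same Attribute yields different values depending on XPathCategory, a policy review has to check that value, not just the Category the Attribute sits in, to know which part of the request a rule is actually reading.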