OASIS Mailing List Archives
xacml message



Subject: Re: [xacml] Resource-location


Hi all,

if you are interested in natively enforcing expressive spatial rights (i.e. in the mentioned case the location attribute is e.g. of datatype gml:Point) see GeoXACML – a spatial extension to XACML (http://www.opengeospatial.org/standards/geoxacml).

Note that a new GeoXACML v3.0 version is on the way (For OGC members see here: https://portal.opengeospatial.org/modules/files/details.php?m=files&artifact_id=53228). The new version will also support the new simple feature specifications (i.e. new geometry models and spatial function definitions) and will also be XACML v3.0 compatible.

Hope the provided links help...

Best regards

Jan

From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of David Brossard
Sent: Monday, 12 August 2013 15:21
To: rich levinson
Cc: Tolbert, John W; xacml@lists.oasis-open.org
Subject: Re: [xacml] Resource-location

Hi John,

In the use cases I have seen, String is nearly always used since the values will be city names or states or possibly countries, not a location in the sense Rich describes.

Cheers,

David.

On Wed, Aug 7, 2013 at 9:03 PM, rich levinson <rich.levinson@oracle.com> wrote:

Hi John and David,

Fwiw, the original defn is in this email:
  https://lists.oasis-open.org/archives/xacml/200208/msg00000.html

"BASE:resource:resource-location
 (resource location obtained by removing simple-file-name and xpath attributes from resource-uri.
 E.g. http://org/A00.xml#xpointer(/employee/name) has a resource-location of "http://org"; "

Another "passing" comment was made here:
  https://lists.oasis-open.org/archives/xacml/200209/msg00009.html

"I believe some policies will refer to resource-id,
 and some others might refer to resource-category,
 or resource-location,
 or some other hypothetical attribute of the resource. "

In general, imo, a "resource-id" probably should be a URI that simply
"identifies" the resource, and "resource-location" should probably
be the URL where the resource can be found. In practice, I think
URL is often "overloaded" to meet both the id and location properties
of a resource, however, since "locations" often change, it seems that
a longer term strategy would be to distinguish id and location a little
better, although I don't think this is the job of xacml, except, possibly
in the sense of advising best practices for policy defns.

    Thanks,
    Rich

On 8/7/2013 12:45 PM, Tolbert, John W wrote:

Hi David,

That’s an interesting use case you wrote below. Would you use string for the data-type in that case?  I was thinking that the ipAddress, dnsName, and anyURI data types would work well for this attribute too.

Thanks for the info.

From: David Brossard [mailto:david.brossard@axiomatics.com]
Sent: Wednesday, August 07, 2013 8:47 AM
To: Tolbert, John W
Cc: xacml@lists.oasis-open.org
Subject: Re: [xacml] Resource-location

Hi John,

It sometimes makes sense to define where a resource is located. Imagine a purchase order (PO). A PO would have been issued in a given location e.g. Texas. You could then write a rule as follows:

a user can view a purchase order if and only if user.location==resource.location.

You can then use urn:oasis:names:tc:xacml:1.0:resource:resource-location to implement the resource location attribute. We have quite a few location-based access control use cases here at Axiomatics that are like that.

Cheers

David.

On Wed, Aug 7, 2013 at 5:35 PM, Tolbert, John W <john.w.tolbert@boeing.com> wrote:

Hello,

Questions for those who have created policies with resource attributes (from section 10.2.6 “Identifiers” in the core, p.97):

Has anyone used the following identifier, and if so, for what purpose?:

urn:oasis:names:tc:xacml:1.0:resource:resource-location

I am imagining a use case where one might want to direct/restrict certain user groups to specific network locations or environments.  Examples may include production / pre-production / development, or different views of the same resource for different user groups.

--
David Brossard, M.Eng, SCEA, CSTP
Product Manager
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden
http://www.linkedin.com/companies/536082
http://www.axiomatics.com
http://twitter.com/axiomatics

--
Thanks, Rich

Oracle
Rich Levinson | Internet Standards Security Architect
Mobile: +1 978 5055017
Oracle Identity Management
45 Network Drive | Burlington, Massachusetts 01803

--
David Brossard, M.Eng, SCEA, CSTP
Product Manager
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden
http://www.linkedin.com/companies/536082
http://www.axiomatics.com
http://twitter.com/axiomatics



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]