
xacml message


Subject: URN changes for DLP-NAC


Hello,

Please ignore the incorrect numbering. Based on Hal’s discussion today about the DLP-NAC profile, I changed the URNs to be consistent with the list of identifiers in the core. Please let me know if this is better, and we’ll incorporate it into WD-08 (still looking for help generating sample policies for section 4.2). Thanks.

1. Recipient-Subject-ID

This identifier indicates the entity that will receive the results of the request, which may include user identifiers, machine identifiers, and/or application identifiers.

Subject-ID classification values shall be designated with the following attribute identifier:

urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject:recipient-subject-id

The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string

1.1.1 Recipient-Subject-ID-Qualifier

This identifier indicates the security domain of the recipient subject. It identifies the administrator and policy that manages the name-space in which the recipient-subject id is administered.

Subject-ID-Qualifier classification values shall be designated with the following attribute identifier:

urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject:recipient-subject-id-qualifier

The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string

1.1.2 Requesting-Machine

This identifier indicates the address of the machine from which the access request originated. Requesting-machine classification values shall be designated with the following attribute identifier:

urn:oasis:names:tc:xacml:1.0:subject:requesting-machine

The following DataTypes can be used with this attribute:  urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value and urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value.  For Media Access Control (MAC) addresses, use http://www.w3.org/2001/XMLSchema#string.

1.1.3 Recipient-Machine

This identifier indicates the address of the machine(s) to which the access will be granted. Recipient-machine classification values shall be designated with the following attribute identifier:

urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine:recipient-machine

The following DataTypes can be used with this attribute:  urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value and urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value.  The attribute value may include full paths including volume names, where applicable.  For Media Access Control (MAC) addresses, use http://www.w3.org/2001/XMLSchema#string. The attribute may take multiple values.

1.1.4 Recipient-removable-media

This identifier indicates whether or not the destination of the action is a removable media device. Recipient-removable-media classification values shall be designated with the following attribute identifier:

urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine:recipient-removable-media

The DataType of this attribute is http://www.w3.org/2001/XMLSchema#boolean

1.2 Codebase Attributes

2.4.1 Authorized-Application

This identifier indicates whether or not the requesting application is approved for the actions requested.

urn:oasis:names:tc:xacml:3.0:subject-category:codebase:authorized-application

The DataType of this attribute is http://www.w3.org/2001/XMLSchema#boolean

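As an added worked example (not part of the message above, and not code from the DLP-NAC draft or the XACML TC), the following Python script shows how the proposed identifiers appear in an XACML 3.0 Request, checks every AttributeValue against the DataTypes the proposal allows (ipAddress-value, dnsName-value, xs:string for MAC addresses, xs:boolean), and evaluates one illustrative removable-media rule of the kind section 4.2 asks for. Assumptions: the Category URIs are the XACML 3.0 core subject categories (recipient-subject, requesting-machine, codebase); the sample request, the loose lexical checks and the Deny rule are constructed here and are not the profile's.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
XS = "http://www.w3.org/2001/XMLSchema#"
IP_ADDRESS = "urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value"
DNS_NAME = "urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"

# Attribute identifiers exactly as proposed in the message above
RECIPIENT_SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject:recipient-subject-id"
REQUESTING_MACHINE = "urn:oasis:names:tc:xacml:1.0:subject:requesting-machine"
RECIPIENT_MACHINE = "urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine:recipient-machine"
RECIPIENT_REMOVABLE_MEDIA = "urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine:recipient-removable-media"
AUTHORIZED_APPLICATION = "urn:oasis:names:tc:xacml:3.0:subject-category:codebase:authorized-application"
# DataTypes the proposal permits per identifier; xs:string on the machine attributes is for MAC addresses
ALLOWED = {RECIPIENT_SUBJECT_ID: {XS + "string"}, RECIPIENT_REMOVABLE_MEDIA: {XS + "boolean"},
           AUTHORIZED_APPLICATION: {XS + "boolean"}, REQUESTING_MACHINE: {IP_ADDRESS, DNS_NAME, XS + "string"},
           RECIPIENT_MACHINE: {IP_ADDRESS, DNS_NAME, XS + "string"}}
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
# dnsName-value: hostname with an optional leading wildcard label and an optional :port[-port]
DNS_RE = re.compile(r"^(\*\.)?([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(:\d+(-\d+)?)?$")
MASK_PORT_RE = re.compile(r"^(/[0-9A-Fa-f.:]+)?(:\d+(-\d+)?)?$")  # ipAddress-value tail: optional /mask (loosely checked), optional :port[-port]

def is_ip_address_value(value):
    """Lexical check for ipAddress-value: IPv4 'a.b.c.d[/mask][:port]' or IPv6 '[addr][/mask][:port]'."""
    if value.startswith("["):  # IPv6 form, address in brackets
        addr, closed, rest = value[1:].partition("]")
        if not closed:
            return False
        family = ipaddress.IPv6Address
    else:  # IPv4 form, address runs up to the first '/' or ':'
        addr, rest = re.match(r"^([0-9.]*)(.*)$", value).groups()
        family = ipaddress.IPv4Address
    try:
        family(addr)
    except ValueError:
        return False
    return MASK_PORT_RE.match(rest) is not None

CHECKS = {XS + "boolean": lambda v: v in ("true", "false", "1", "0"), IP_ADDRESS: is_ip_address_value,
          DNS_NAME: lambda v: DNS_RE.match(v) is not None, XS + "string": lambda v: True}

def value_ok(data_type, value):
    """True if value is lexically valid for data_type (a loose check, not a full XACML type system)."""
    return data_type in CHECKS and CHECKS[data_type](value)

def parse_request(xml_text):
    """Return {(Category, AttributeId): [(DataType, value), ...]} for every AttributeValue in a <Request>."""
    found = {}
    for attrs in ET.fromstring(xml_text).findall("x:Attributes", NS):
        for attr in attrs.findall("x:Attribute", NS):
            key = (attrs.get("Category"), attr.get("AttributeId"))
            for av in attr.findall("x:AttributeValue", NS):
                found.setdefault(key, []).append((av.get("DataType"), (av.text or "").strip()))
    return found

def validate(found):
    """Report each proposed identifier carrying a DataType the proposal does not allow, or a value that does not fit it."""
    problems = []
    for (_cat, aid), values in found.items():
        for dt, val in (values if aid in ALLOWED else ()):  # identifiers not under discussion are skipped
            if dt not in ALLOWED[aid]:
                problems.append(f"{aid}: DataType {dt} not allowed")
            elif aid == REQUESTING_MACHINE and dt == XS + "string" and not MAC_RE.match(val):
                problems.append(f"{aid}: xs:string value {val!r} is not a MAC address")
            elif not value_ok(dt, val):
                problems.append(f"{aid}: {val!r} is not a valid {dt}")
    return problems

def decide(found):
    """Illustrative rule (constructed here, not taken from the profile): Deny when the destination is removable
    media and the requesting application is not authorized; Permit otherwise; Indeterminate if either is missing."""
    def flags(aid):  # every boolean value carried under attribute aid, whatever its Category
        return [v in ("true", "1") for (_c, a), vals in found.items() if a == aid for dt, v in vals if dt == XS + "boolean"]
    removable, authorized = flags(RECIPIENT_REMOVABLE_MEDIA), flags(AUTHORIZED_APPLICATION)
    if not removable or not authorized:
        return "Indeterminate"  # what an AttributeDesignator with MustBePresent="true" would yield
    return "Deny" if any(removable) and not all(authorized) else "Permit"

# Constructed sample request; the Category URIs are the XACML 3.0 core subject categories
SAMPLE_REQUEST = """<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" ReturnPolicyIdList="false" CombinedDecision="false">
 <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject">
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject:recipient-subject-id" IncludeInResult="false">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">jdoe</AttributeValue></Attribute></Attributes>
 <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine">
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:requesting-machine" IncludeInResult="false">
   <AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value">192.0.2.10</AttributeValue></Attribute>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine:recipient-machine" IncludeInResult="false">
   <AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value">fileserver.example.com</AttributeValue>
   <AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value">[2001:db8::1]:445</AttributeValue></Attribute>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine:recipient-removable-media" IncludeInResult="false">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue></Attribute></Attributes>
 <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:codebase">
  <Attribute AttributeId="urn:oasis:names:tc:xacml:3.0:subject-category:codebase:authorized-application" IncludeInResult="false">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">false</AttributeValue></Attribute></Attributes></Request>"""

if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print("problems:", validate(req) or "none", "| decision:", decide(req))
```

Run directly, the script reports no DataType problems for the sample and a Deny decision, since the destination is removable media and authorized-application is false. Note that recipient-machine carries two values (a dnsName-value and a bracketed IPv6 ipAddress-value with a port), matching the proposal's statement that the attribute may take multiple values, and that an xs:string under requesting-machine is only accepted when it looks like a MAC address.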
 


