Subject: URN changes for DLP-NAC
Hello,
Please ignore the incorrect numbering. Based on Hal’s discussion today about the DLP-NAC profile, I changed the URNs to be consistent with the list of identifiers in the core. Please let me know if this is better, and we’ll incorporate it into WD-08 (still looking for help generating sample policies for section 4.2). Thanks.
1. Recipient-Subject-ID

This identifier indicates the entity that will receive the results of the request, which may include user identifiers, machine identifiers, and/or application identifiers. Subject-ID classification values shall be designated with the following attribute identifier:
urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject:recipient-subject-id
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string.

1.1.1 Recipient-Subject-ID-Qualifier

This identifier indicates the security domain of the recipient subject. It identifies the administrator and policy that manages the name-space in which the recipient-subject id is administered. Subject-ID-Qualifier classification values shall be designated with the following attribute identifier:
urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject:recipient-subject-id-qualifier
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string.

1.1.2 Requesting-Machine

This identifier indicates the address of the machine from which the access request originated. Requesting-machine classification values shall be designated with the following attribute identifier:
urn:oasis:names:tc:xacml:1.0:subject:requesting-machine
The following DataTypes can be used with this attribute: urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value and urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value. For Media Access Control (MAC) addresses, use http://www.w3.org/2001/XMLSchema#string.

1.1.3 Recipient-Machine

This identifier indicates the address of the machine(s) to which the access will be granted. Recipient-machine classification values shall be designated with the following attribute identifier:
urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine:recipient-machine
The following DataTypes can be used with this attribute: urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value and urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value. The attribute value may include full paths including volume names, where applicable. For Media Access Control (MAC) addresses, use http://www.w3.org/2001/XMLSchema#string. The attribute may take multiple values.

1.1.4 Recipient-removable-media

This identifier indicates whether or not the destination of the action is a removable media device. Recipient-removable-media classification values shall be designated with the following attribute identifier:
urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine:recipient-removable-media
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#boolean.

1.2 Codebase Attributes

2.4.1 Authorized-Application

This identifier indicates whether or not the requesting application is approved for the actions requested.
urn:oasis:names:tc:xacml:3.0:subject-category:codebase:authorized-application
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#boolean.
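As an added illustration (not part of the message above and not the TC's own sample policy), the following Python builds a XACML 3.0 Request that carries the six DLP-NAC attributes listed in the message and then checks the request against the DataType rules the message states: string for the subject id and qualifier, ipAddress-value or dnsName-value for the machine attributes with string reserved for MAC addresses, boolean for removable-media and authorized-application, and several values permitted for recipient-machine. The attribute identifiers are copied exactly as written above; the Category URN each attribute is placed under is my assumption, inferred from the identifier prefix and taken from the XACML 3.0 core category list. The sample values are constructed.

```python
"""Build and check a XACML 3.0 Request using the DLP-NAC attribute identifiers."""
import ipaddress
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_BOOLEAN = "http://www.w3.org/2001/XMLSchema#boolean"
IP_ADDR = "urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value"
DNS_NAME = "urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"

# Assumption: categories are inferred from the identifier prefixes; the URNs
# themselves are the XACML 3.0 core subject categories.
CAT_RECIPIENT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject"
CAT_REQUESTING_MACHINE = "urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine"
CAT_CODEBASE = "urn:oasis:names:tc:xacml:1.0:subject-category:codebase"

# Attribute identifiers exactly as listed in the message.
RS_ID = "urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject:recipient-subject-id"
RS_QUAL = "urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject:recipient-subject-id-qualifier"
REQ_MACHINE = "urn:oasis:names:tc:xacml:1.0:subject:requesting-machine"
RCPT_MACHINE = "urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine:recipient-machine"
REMOVABLE = "urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine:recipient-removable-media"
AUTH_APP = "urn:oasis:names:tc:xacml:3.0:subject-category:codebase:authorized-application"

# attribute id -> (category, permitted DataTypes). string on the machine
# attributes is reserved for MAC addresses; recipient-machine may repeat.
PROFILE = {
    RS_ID: (CAT_RECIPIENT_SUBJECT, {XS_STRING}),
    RS_QUAL: (CAT_RECIPIENT_SUBJECT, {XS_STRING}),
    REQ_MACHINE: (CAT_REQUESTING_MACHINE, {IP_ADDR, DNS_NAME, XS_STRING}),
    RCPT_MACHINE: (CAT_REQUESTING_MACHINE, {IP_ADDR, DNS_NAME, XS_STRING}),
    REMOVABLE: (CAT_REQUESTING_MACHINE, {XS_BOOLEAN}),
    AUTH_APP: (CAT_CODEBASE, {XS_BOOLEAN}),
}


def _tag(local):
    return f"{{{XACML}}}{local}"


def build_request(attrs):
    """attrs: iterable of (attribute_id, datatype, value). Returns the Request as XML text."""
    ET.register_namespace("xacml", XACML)
    req = ET.Element(_tag("Request"), {"CombinedDecision": "false", "ReturnPolicyIdList": "false"})
    groups = {}  # one <Attributes> element per category
    for attr_id, datatype, value in attrs:
        category = PROFILE[attr_id][0]
        if category not in groups:
            groups[category] = ET.SubElement(req, _tag("Attributes"), {"Category": category})
        attr = ET.SubElement(groups[category], _tag("Attribute"),
                             {"AttributeId": attr_id, "IncludeInResult": "false"})
        ET.SubElement(attr, _tag("AttributeValue"), {"DataType": datatype}).text = value
    return ET.tostring(req, encoding="unicode")


def _ip_ok(value):
    """Lexical check for ipAddress-value: IPv4 'a.b.c.d[/mask][:port]' or bracketed IPv6."""
    if value.startswith("["):
        addr = value[1:value.find("]")] if "]" in value else ""
    else:
        addr = value.split("/")[0].split(":")[0]
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def validate_request(xml_text):
    """Return a list of problems; empty when every DLP-NAC attribute obeys the table above."""
    problems = []
    root = ET.fromstring(xml_text)
    for attrs in root.findall(_tag("Attributes")):
        category = attrs.get("Category")
        for attr in attrs.findall(_tag("Attribute")):
            attr_id = attr.get("AttributeId")
            if attr_id not in PROFILE:
                continue  # not a DLP-NAC attribute; outside this check
            expected_category, allowed = PROFILE[attr_id]
            if category != expected_category:
                problems.append(f"{attr_id}: in {category}, expected {expected_category}")
            for val in attr.findall(_tag("AttributeValue")):
                dt, text = val.get("DataType"), (val.text or "").strip()
                if dt not in allowed:
                    problems.append(f"{attr_id}: DataType {dt} not permitted")
                elif dt == XS_BOOLEAN and text not in ("true", "false", "1", "0"):
                    problems.append(f"{attr_id}: {text!r} is not an xs:boolean")
                elif dt == IP_ADDR and not _ip_ok(text):
                    problems.append(f"{attr_id}: {text!r} is not an ipAddress-value")
    return problems


# Constructed sample values.
GOOD = [
    (RS_ID, XS_STRING, "alice@example.com"),
    (REQ_MACHINE, IP_ADDR, "10.0.0.5"),
    (RCPT_MACHINE, DNS_NAME, "fileserver.example.com"),
    (RCPT_MACHINE, XS_STRING, "00:11:22:33:44:55"),  # MAC address as string, per the profile
    (REMOVABLE, XS_BOOLEAN, "true"),
    (AUTH_APP, XS_BOOLEAN, "false"),
]
BAD = [
    (REMOVABLE, XS_STRING, "yes"),                 # boolean attribute sent as a string
    (REQ_MACHINE, IP_ADDR, "00:11:22:33:44:55"),   # MAC address mistyped as ipAddress-value
]

if __name__ == "__main__":
    print(build_request(GOOD))
    print(validate_request(build_request(GOOD)))
    print(validate_request(build_request(BAD)))
```

The check is deliberately limited to what the message specifies (identifier, category placement, DataType, boolean and IP lexical form); it does not attempt to evaluate any policy, and a PDP would still have to decide whether, for example, a MAC address is acceptable where an ipAddress-value was expected.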