dipal-discuss message
Subject: Re: [dipal-discuss] Re: Request for example Assertions


Hi Paul,

The policy below contains most of what you are asking for; I have not
run the syntax through an XML parser, so I may have made some errors,
but the general idea should be clear.

It assumes that the policy engine's Context Handler knows how to
associate attributes from the firm's identity store with various XACML
AttributeIds.  Alternatively, we could define an XML schema into which
those values are mapped, and then instead of xacml:AttributeDesignator
we could use xacml:AttributeSelector with XPath expressions pointing to
the identity store variables on which constraints are being placed.

I did not enter Assertions for type of trade or equity being traded
because there are no conditions associated with those.  It would be easy
to add Assertions similar to those shown however to say things like
"type of trade must be X" or "equity being traded must be A, B, or C", etc.

Regards,
Anne

Paul OConnor wrote On 01/18/06 23:38,:
> I wonder how access control assertions and policy can be expressed and
> so I would propose the following very common use case in financial
> services applications:
>
> An equities trading service enforces access control policy which
> leverages subject attributes from the firm's identity store:
>
> User role (trader, manager, etc.)
> Trade limit (max trade without additional approval)
> Trading hours (can trade after hours?)
> Trade location (can trade from home or office only)
>
> Along with context variables:
>
> Amount of trade
> Type of trade
> Equity being traded
> Additional approval flag
>
> These attributes must be asserted by the client making the request,
> e.g., a trade portal. The policy enforcement infrastructure would then
> calculate a policy decision before the service was ever invoked.

<!DOCTYPE wsp:Policy [
<!ENTITY xf "urn:oasis:names:tc:xacml:1.0:function:">
<!ENTITY xdt "http://www.w3.org/2001/XMLSchema#">
<!ENTITY role-attr "urn:oasis:names:tc:xacml:2.0:subject:role">
<!ENTITY current-time "urn:oasis:names:tc:xacml:1.0:environment:current-time">
]>

<wsp:Policy
  xmlns:wsp="...WS-Policy..."
  xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os">

  <wsp:All>
    <!-- roles must include "some:namespace:roles:trader" -->
    <xacml:Apply FunctionId="&xf;anyURI-is-in">
      <xacml:AttributeValue
        DataType="&xdt;anyURI">some:namespace:roles:trader</xacml:AttributeValue>
      <xacml:SubjectAttributeDesignator
        AttributeId="&role-attr;" DataType="&xdt;anyURI"/>
    </xacml:Apply>

    <!-- requested trade-amount must be <= 5000; integer-less-than-or-equal(a, b)
         tests a <= b, so the requested amount is the first argument -->
    <xacml:Apply FunctionId="&xf;integer-less-than-or-equal">
      <xacml:Apply FunctionId="&xf;integer-one-and-only">
        <xacml:ActionAttributeDesignator
          AttributeId="some:namespace:attrs:trade-amount" DataType="&xdt;integer"/>
      </xacml:Apply>
      <xacml:AttributeValue
        DataType="&xdt;integer">5000</xacml:AttributeValue>
    </xacml:Apply>

    <!-- Current time must be between 9am and 5pm (xs:time lexical form) -->
    <xacml:Apply FunctionId="&xf;time-in-range">
      <xacml:Apply FunctionId="&xf;time-one-and-only">
        <xacml:EnvironmentAttributeDesignator
          AttributeId="&current-time;" DataType="&xdt;time"/>
      </xacml:Apply>
      <xacml:AttributeValue
        DataType="&xdt;time">09:00:00</xacml:AttributeValue>
      <xacml:AttributeValue
        DataType="&xdt;time">17:00:00</xacml:AttributeValue>
    </xacml:Apply>

    <!-- Trade location must be "some:namespace:locations:home" or
         ..."office" -->
    <wsp:ExactlyOne>
      <xacml:Apply FunctionId="&xf;anyURI-is-in">
        <xacml:AttributeValue
          DataType="&xdt;anyURI">some:namespace:locations:home</xacml:AttributeValue>
        <xacml:EnvironmentAttributeDesignator
          AttributeId="some:namespace:location" DataType="&xdt;anyURI"/>
      </xacml:Apply>
      <xacml:Apply FunctionId="&xf;anyURI-is-in">
        <xacml:AttributeValue
          DataType="&xdt;anyURI">some:namespace:locations:office</xacml:AttributeValue>
        <xacml:EnvironmentAttributeDesignator
          AttributeId="some:namespace:location" DataType="&xdt;anyURI"/>
      </xacml:Apply>
    </wsp:ExactlyOne>

    <!-- Additional approval flag must be true -->
    <xacml:Apply FunctionId="&xf;boolean-is-in">
      <xacml:AttributeValue
        DataType="&xdt;boolean">true</xacml:AttributeValue>
      <xacml:SubjectAttributeDesignator
        AttributeId="some:namespace:additional:approval" DataType="&xdt;boolean"/>
    </xacml:Apply>

  </wsp:All>
</wsp:Policy>

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
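An added example, not part of the thread and not XACML TC code: a small Python evaluator that applies the XACML 2.0 function semantics used in the policy above (is-in, one-and-only, less-than-or-equal, time-in-range) to a constructed request context, combining them the way the wsp:All and wsp:ExactlyOne in the sketch do. The AttributeIds and URIs are those of the policy; the request context values and the Indeterminate handling are assumptions of this example.

```python
from datetime import time

XF = "urn:oasis:names:tc:xacml:1.0:function:"           # value of &xf;
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"      # value of &role-attr;
NOW = "urn:oasis:names:tc:xacml:1.0:environment:current-time"  # &current-time;
LOCS = ("some:namespace:locations:home", "some:namespace:locations:office")
class Indeterminate(Exception):
    pass  # one-and-only applied to a bag that does not hold exactly one value
def one_and_only(bag):
    if len(bag) != 1:
        raise Indeterminate(f"bag holds {len(bag)} values, expected 1")
    return bag[0]

# XACML 2.0 semantics of the functions the policy uses: *-is-in is (value, bag),
# integer-less-than-or-equal(a, b) is a <= b, time-in-range is (t, lower, upper).
F = {
    XF + "anyURI-is-in": lambda v, bag: v in bag,
    XF + "boolean-is-in": lambda v, bag: v in bag,
    XF + "integer-one-and-only": one_and_only,
    XF + "time-one-and-only": one_and_only,
    XF + "integer-less-than-or-equal": lambda a, b: a <= b,
    XF + "time-in-range": lambda t, lo, hi: lo <= t <= hi,
}

def evaluate(ctx):
    """wsp:All over the five constraints, wsp:ExactlyOne over the two locations;
    True means permit.  An Indeterminate one-and-only never becomes a permit."""
    bag = lambda attr_id: ctx.get(attr_id, [])
    try:
        amount = F[XF + "integer-one-and-only"](bag("some:namespace:attrs:trade-amount"))
        now = F[XF + "time-one-and-only"](bag(NOW))
    except Indeterminate:
        return False
    trader = F[XF + "anyURI-is-in"]("some:namespace:roles:trader", bag(ROLE))
    # the amount is the first argument so that the test reads amount <= 5000
    within_limit = F[XF + "integer-less-than-or-equal"](amount, 5000)
    in_hours = F[XF + "time-in-range"](now, time(9, 0), time(17, 0))
    hits = [F[XF + "anyURI-is-in"](loc, bag("some:namespace:location")) for loc in LOCS]
    exactly_one_location = hits.count(True) == 1
    approved = F[XF + "boolean-is-in"](True, bag("some:namespace:additional:approval"))
    return all((trader, within_limit, in_hours, exactly_one_location, approved))

# Constructed request context: one bag of values per AttributeId
SAMPLE_CTX = {
    ROLE: ["some:namespace:roles:trader", "some:namespace:roles:analyst"],
    "some:namespace:attrs:trade-amount": [4200],
    NOW: [time(10, 30)],
    "some:namespace:location": ["some:namespace:locations:office"],
    "some:namespace:additional:approval": [True],
}
```

Note that with wsp:ExactlyOne taken literally, a location bag that contains both home and office fails the policy, and a missing or multi-valued trade-amount or current-time makes the one-and-only Indeterminate rather than silently passing.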