Subject: Re: [xacml-users] Hierarchical resources policy and request file
Dhirendra,

This would be more elegant if we had defined a "resource-descendant-or-self" AttributeId, or better yet if we had defined generic functions: "<type>-ancestor", "<type>-descendant", "<type>-parent", ... that took any hierarchical AttributeId as their parameter and returned the bag of satisfying values. You could always define such extensions yourself.

Using Section 4.1 of the Hierarchical Resource Profile (http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-hier-profile-spec-os.pdf) the following should work:

Let the Resource Attribute "urn:oasis:names:tc:xacml:1.0:resource-id" in the Request indicate the company to be read.

Let the Subject have a "urn:namespace:subject-company" Attribute that indicates that subject's "company" Attribute (the top-level company to which the subject belongs).

Assume the DataType of both Attributes is "xs:anyURI".

The Context Handler must be written to have awareness of the company hierarchy. In this case (here is the inelegant part), the hierarchy is going to be "upside-down", which works because multiple "parents" are allowed:

1) if asked for AttributeId "urn:oasis:names:tc:xacml:2.0:resource-parent", the Context Handler needs to return a bag containing the company-id's of all companies that are direct subsidiaries of the requested resource.

2) if asked for "urn:oasis:names:tc:xacml:2.0:resource-ancestor", the Context Handler needs to return a bag containing the company-id's of all companies that are direct or indirect subsidiaries of the requested resource.

3) if asked for "urn:oasis:names:tc:xacml:2.0:resource-ancestor-or-self", the Context Handler needs to return a bag containing the company-id's of all companies that are direct or indirect subsidiaries of the requested resource as well as the resource-id in the Request.

To specify 1) in a Rule,

<Rule RuleId="..." Effect="Permit">
  <Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
      <SubjectAttributeDesignator AttributeId="urn:namespace:subject-company" DataType="xs:anyURI" />
      <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="xs:anyURI" />
    </Apply>
  </Condition>
</Rule>

To specify 2) in a Rule,

<Rule RuleId="..." Effect="Permit">
  <Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
      <SubjectAttributeDesignator AttributeId="urn:namespace:subject-company" DataType="xs:anyURI" />
      <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self" DataType="xs:anyURI" />
    </Apply>
  </Condition>
</Rule>

Regards,
Anne Anderson

dhirendra sharma wrote:
> Hi,
>
> We need to specify the policy for the below:
>
> 1). A user should be able to "read" a company (Example: ABC Inc) provided he has the "ABC-Read" role and has "ABC Inc" as the company attribute value in his profile.
>
> 2). A user should be able to "read" a company (Example: ABC) and any of its subsidiaries provided he has the "ABC-Read" role and has "ABC Inc" or any of its subsidiaries as the company attribute value in his profile.
>
> The request could be made giving a company id which could fall anywhere in the subsidiary hierarchy and we need to get a response whether the user is authorized or not.
>
> Can someone suggest a policy file and request XML for this?
>
> Thanks,
> Dhirendra Sharma

-- 
Anne H. Anderson               Anne.Anderson@sun.com
Sun Microsystems Labs          1-781-442-0928
Burlington, MA USA
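To make the "upside-down" Context Handler and the two Rules in the reply concrete, here is an added Python sketch; it is not code from the thread or from any XACML implementation. It builds the resource-parent / resource-ancestor / resource-ancestor-or-self bags over a constructed company hierarchy, using the AttributeIds as written in the second Rule, and evaluates anyURI-is-in with the subject's single company value against each bag; the company URIs are constructed for the example.

```python
from typing import Dict, FrozenSet, Set

# Constructed company hierarchy for this example: parent -> direct subsidiaries.
SUBSIDIARIES: Dict[str, Set[str]] = {
    "urn:company:abc":    {"urn:company:abc-eu", "urn:company:abc-us"},
    "urn:company:abc-eu": {"urn:company:abc-de"},
    "urn:company:abc-us": set(),
    "urn:company:abc-de": set(),
    "urn:company:xyz":    set(),
}

# AttributeIds as used in the reply's Rules (Hierarchical Resource Profile, Section 4.1).
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
RESOURCE_PARENT = "urn:oasis:names:tc:xacml:2.0:resource:resource-parent"
RESOURCE_ANCESTOR = "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor"
RESOURCE_ANCESTOR_OR_SELF = "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"


def descendants(company: str) -> Set[str]:
    """All direct or indirect subsidiaries of `company` (iterative, cycle-safe)."""
    seen: Set[str] = set()
    stack = list(SUBSIDIARIES.get(company, ()))
    while stack:
        c = stack.pop()
        if c not in seen:
            seen.add(c)
            stack.extend(SUBSIDIARIES.get(c, ()))
    return seen


def resource_attribute(attribute_id: str, resource_id: str) -> FrozenSet[str]:
    """Context Handler: the 'upside-down' bags from the reply, keyed by AttributeId."""
    if attribute_id == RESOURCE_ID:
        return frozenset({resource_id})
    if attribute_id == RESOURCE_PARENT:            # direct subsidiaries only
        return frozenset(SUBSIDIARIES.get(resource_id, ()))
    if attribute_id == RESOURCE_ANCESTOR:          # direct or indirect subsidiaries
        return frozenset(descendants(resource_id))
    if attribute_id == RESOURCE_ANCESTOR_OR_SELF:  # ... plus the requested resource itself
        return frozenset(descendants(resource_id)) | {resource_id}
    return frozenset()                             # unknown AttributeId: empty bag


def rule_permits(subject_company: str, resource_id: str, resource_attribute_id: str) -> bool:
    """anyURI-is-in(subject-company, bag returned for the ResourceAttributeDesignator)."""
    return subject_company in resource_attribute(resource_attribute_id, resource_id)


def read_exact(subject_company: str, resource_id: str) -> bool:        # Rule for 1)
    return rule_permits(subject_company, resource_id, RESOURCE_ID)


def read_company_tree(subject_company: str, resource_id: str) -> bool: # Rule for 2)
    return rule_permits(subject_company, resource_id, RESOURCE_ANCESTOR_OR_SELF)
```

Note that with the bags defined this way, the subject's company must be the requested company or one of its subsidiaries; a subject whose company is the parent of the requested company is not matched.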