xacml-users message



Subject: Re: [xacml-users] Hierarchical resources policy and request file


Dhirendra,

This would be more elegant if we had defined a 
"resource-descendant-or-self" AttributeId, or better yet if we had 
defined generic functions: "<type>-ancestor", "<type>-descendant", 
"<type>-parent", ... that took any hierarchical AttributeId as their 
parameter and returned the bag of satisfying values.  You could always 
define such extensions yourself.

Using Section 4.1 of the Hierarchical Resource Profile 
(http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-hier-profile-spec-os.pdf) 
the following should work:

Let the Resource Attribute "urn:oasis:names:tc:xacml:1.0:resource-id" in 
the Request indicate the company to be read.  Let the Subject have a 
"urn:namespace:subject-company" Attribute that indicates that subject's 
"company" Attribute (the top-level company to which the subject 
belongs).  Assume the DataType of both Attributes is "xs:anyURI".

The Context Handler must be written to have awareness of the company 
hierarchy.  In this case (here is the inelegant part), the hierarchy is 
going to be "upside-down", which works because multiple "parents" are 
allowed:

1) if asked for AttributeId 
"urn:oasis:names:tc:xacml:2.0:resource-parent", the Context Handler 
needs to return a bag containing the company-ids of all companies that 
are direct subsidiaries of the requested resource

2) if asked for "urn:oasis:names:tc:xacml:2.0:resource-ancestor", the 
Context Handler needs to return a bag containing the company-ids of all 
companies that are direct or indirect subsidiaries of the requested 
resource.

3) if asked for 
"urn:oasis:names:tc:xacml:2.0:resource-ancestor-or-self", the Context 
Handler needs to return a bag containing the company-ids of all 
companies that are direct or indirect subsidiaries of the requested 
resource as well as the resource-id in the Request.

To specify 1) in a Rule,

<Rule RuleId="..." Effect="Permit">
   <Condition>
     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
       <!-- is-in takes a single anyURI first, so the subject's bag is
            reduced with one-and-only; the full XML Schema DataType URI
            is what a PDP expects, "xs:anyURI" is only prose shorthand -->
       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-one-and-only">
         <SubjectAttributeDesignator
             AttributeId="urn:namespace:subject-company"
             DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
       </Apply>
       <!-- second argument: the bag of resource-id values in the Request -->
       <ResourceAttributeDesignator
           AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
           DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
     </Apply>
   </Condition>
</Rule>

To specify 2) in a Rule,

<Rule RuleId="..." Effect="Permit">
   <Condition>
     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
       <!-- single subject value, as in the first Rule -->
       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-one-and-only">
         <SubjectAttributeDesignator
             AttributeId="urn:namespace:subject-company"
             DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
       </Apply>
       <!-- with the inverted hierarchy this bag is the requested company
            plus all of its direct and indirect subsidiaries -->
       <ResourceAttributeDesignator
           AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"
           DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
     </Apply>
   </Condition>
</Rule>

Regards,
Anne Anderson

dhirendra sharma wrote:

> Hi,
> 
> We need to specify the policy for the below:
> 
> 1) A user should be able to "read" a company (Example: ABC Inc)
>    provided he has the "ABC-Read" role and has "ABC Inc" as the
>    company attribute value in his profile.
> 
> 2) A user should be able to "read" a company (Example: ABC) and any
>    of its subsidiaries provided he has the "ABC-Read" role and has
>    "ABC Inc" or any of its subsidiaries as the company attribute
>    value in his profile.
> 
> The request could be made giving a company id which could fall
> anywhere in the subsidiary hierarchy, and we need to get a response
> whether the user is authorized or not.
> 
> Can someone suggest a policy file and request XML for this?
> 
> Thanks,
> Dhirendra Sharma

-- 
Anne H. Anderson               Anne.Anderson@sun.com
Sun Microsystems Labs          1-781-442-0928
Burlington, MA USA
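The following is an added, constructed Python model of the scheme in Anne's reply; it is not code from the thread or from any XACML implementation. It shows how a Context Handler that serves resource-parent, resource-ancestor and resource-ancestor-or-self over an "upside-down" company hierarchy makes the two Rules above behave, and how a subject carrying zero or several subject-company values turns the decision into Indeterminate once is-in is fed through one-and-only. The company ids under urn:example:company, the SUBSIDIARIES map, and the request dictionary shape are assumptions made up for this example.

```python
# Constructed model of the reply's inverted hierarchy (example code, not a
# XACML implementation): the ids, the hierarchy and the helpers are made up.
from collections import deque
from typing import Dict, FrozenSet, Iterable, List, Set

# AttributeIds used by the two Rules in the reply.
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
RESOURCE_PARENT = "urn:oasis:names:tc:xacml:2.0:resource:resource-parent"
RESOURCE_ANCESTOR = "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor"
RESOURCE_ANCESTOR_OR_SELF = "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"
SUBJECT_COMPANY = "urn:namespace:subject-company"

# Constructed data: company id -> ids of its DIRECT subsidiaries.
SUBSIDIARIES: Dict[str, Set[str]] = {
    "urn:example:company:abc": {"urn:example:company:abc-eu", "urn:example:company:abc-us"},
    "urn:example:company:abc-eu": {"urn:example:company:abc-de", "urn:example:company:abc-fr"},
    "urn:example:company:abc-us": set(),
    "urn:example:company:abc-de": set(),
    "urn:example:company:abc-fr": set(),
    "urn:example:company:xyz": set(),
}


class Indeterminate(Exception):
    """An argument violates a function's type or cardinality rule."""


class ContextHandler:
    """Serves the hierarchical attributes with the hierarchy upside-down, as the
    reply describes: 'parent' = direct subsidiary, 'ancestor' = any subsidiary."""

    def __init__(self, subsidiaries: Dict[str, Set[str]]) -> None:
        self.subsidiaries = subsidiaries

    def resource_parent(self, resource_id: str) -> FrozenSet[str]:
        return frozenset(self.subsidiaries.get(resource_id, ()))

    def resource_ancestor(self, resource_id: str) -> FrozenSet[str]:
        # Breadth-first walk; 'seen' also guards against cycles, which the
        # profile's multiple-parent model does not rule out.
        seen: Set[str] = set()
        todo = deque(self.subsidiaries.get(resource_id, ()))
        while todo:
            company = todo.popleft()
            if company in seen:
                continue
            seen.add(company)
            todo.extend(self.subsidiaries.get(company, ()))
        return frozenset(seen)

    def resource_ancestor_or_self(self, resource_id: str) -> FrozenSet[str]:
        return self.resource_ancestor(resource_id) | {resource_id}

    def bag(self, attribute_id: str, request: dict) -> FrozenSet[str]:
        # Resolve a ResourceAttributeDesignator; unknown ids yield an empty bag.
        resource_id = request["resource"][RESOURCE_ID]
        lookup = {
            RESOURCE_ID: lambda r: frozenset({r}),
            RESOURCE_PARENT: self.resource_parent,
            RESOURCE_ANCESTOR: self.resource_ancestor,
            RESOURCE_ANCESTOR_OR_SELF: self.resource_ancestor_or_self,
        }
        return lookup[attribute_id](resource_id) if attribute_id in lookup else frozenset()


def any_uri_one_and_only(bag: Iterable[str]) -> str:
    """anyURI-one-and-only: exactly one value in the bag, else Indeterminate."""
    values = list(bag)
    if len(values) != 1:
        raise Indeterminate(f"expected one value, got {len(values)}")
    return values[0]


def any_uri_is_in(value: str, bag: FrozenSet[str]) -> bool:
    """anyURI-is-in: a single value first, a bag second."""
    return value in bag


def make_request(subject_companies: List[str], resource_id: str) -> dict:
    # Assumed request shape: a bag of subject-company values and one resource-id.
    return {"subject": {SUBJECT_COMPANY: list(subject_companies)},
            "resource": {RESOURCE_ID: resource_id}}


def rule_read_company_itself(request: dict, ch: ContextHandler) -> bool:
    """First Rule's Condition: subject-company is-in resource-id."""
    subject = any_uri_one_and_only(request["subject"].get(SUBJECT_COMPANY, []))
    return any_uri_is_in(subject, ch.bag(RESOURCE_ID, request))


def rule_read_company_subtree(request: dict, ch: ContextHandler) -> bool:
    """Second Rule's Condition: subject-company is-in resource-ancestor-or-self,
    i.e. the requested company plus all its subsidiaries under the inversion."""
    subject = any_uri_one_and_only(request["subject"].get(SUBJECT_COMPANY, []))
    return any_uri_is_in(subject, ch.bag(RESOURCE_ANCESTOR_OR_SELF, request))


def evaluate(rule, request: dict, ch: ContextHandler) -> str:
    """Decision of one Permit Rule: Permit, NotApplicable or Indeterminate."""
    try:
        return "Permit" if rule(request, ch) else "NotApplicable"
    except Indeterminate:
        return "Indeterminate"
```

Running evaluate(rule_read_company_subtree, make_request(["urn:example:company:abc-de"], "urn:example:company:abc"), ch) gives Permit, because under the inverted hierarchy abc-de is an "ancestor" of abc; swapping the two ids gives NotApplicable, and a request whose subject has no company value at all gives Indeterminate rather than a silent deny. That last case is the reason the one-and-only wrapper matters: is-in needs a single value, and a PDP that receives a bag there cannot produce a well-typed Permit or Deny.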

