Subject: Re: [xacml-users] Hierarchical resources policy and request file
Now you are talking about a specific implementation of XACML, and not about the language itself. You should join the sunxacml-discuss@lists.sourceforge.net mailing list and ask your question there.

Regards,
Anne

dhirendra sharma wrote:
> Hi Anne,
>
> Can you help me with the Context Handler part of your solution.
>
> Do you mean something like the attached class and request and policy files?
>
> (Note: I am using Sun's XACML 1.1 implementation)
>
> Please ignore comments and println in the code. I am just getting accustomed myself with the flow.
>
> Thanks,
> Dhirendra Sharma
>
> --- Anne Anderson <Anne.Anderson@sun.com> wrote:
>
>> Dhirendra,
>>
>> This would be more elegant if we had defined a "resource-descendant-or-self" AttributeId, or better yet if we had defined generic functions: "<type>-ancestor", "<type>-descendant", "<type>-parent", ... that took any hierarchical AttributeId as their parameter and returned the bag of satisfying values. You could always define such extensions yourself.
>>
>> Using Section 4.1 of the Hierarchical Resource Profile
>> (http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-hier-profile-spec-os.pdf)
>> the following should work:
>>
>> Let the Resource Attribute "urn:oasis:names:tc:xacml:1.0:resource-id" in the Request indicate the company to be read. Let the Subject have a "urn:namespace:subject-company" Attribute that indicates that subject's "company" Attribute (the top-level company to which the subject belongs). Assume the DataType of both Attributes is "xs:anyURI".
>>
>> The Context Handler must be written to have awareness of the company hierarchy. In this case (here is the inelegant part), the hierarchy is going to be "upside-down", which works because multiple "parents" are allowed:
>>
>> 1) if asked for AttributeId "urn:oasis:names:tc:xacml:2.0:resource-parent", the Context Handler needs to return a bag containing the company-id's of all companies that are direct subsidiaries of the requested resource
>>
>> 2) if asked for "urn:oasis:names:tc:xacml:2.0:resource-ancestor", the Context Handler needs to return a bag containing the company-id's of all companies that are direct or indirect subsidiaries of the requested resource.
>>
>> 3) if asked for "urn:oasis:names:tc:xacml:2.0:resource-ancestor-or-self", the Context Handler needs to return a bag containing the company-id's of all companies that are direct or indirect subsidiaries of the requested resource as well as the resource-id in the Request.
>>
>> To specify 1) in a Rule,
>>
>> <Rule RuleId="..." Effect="Permit">
>>   <Condition>
>>     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
>>       <SubjectAttributeDesignator AttributeId="urn:namespace:subject-company" DataType="xs:anyURI" />
>>       <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="xs:anyURI" />
>>     </Apply>
>>   </Condition>
>> </Rule>
>>
>> To specify 2) in a Rule,
>>
>> <Rule RuleId="..." Effect="Permit">
>>   <Condition>
>>     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
>>       <SubjectAttributeDesignator AttributeId="urn:namespace:subject-company" DataType="xs:anyURI" />
>>       <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self" DataType="xs:anyURI" />
>>     </Apply>
>>   </Condition>
>> </Rule>
>>
>> Regards,
>> Anne Anderson
>>
>> dhirendra sharma wrote:
>>
>>> Hi,
>>>
>>> We need to specify the policy for the below:
>>>
>>> 1). A user should be able to "read" a company (Example: ABC Inc) provided he has "ABC-Read" role and should have "ABC Inc" as the company attribute value in his profile
>>>
>>> 2). A user should be able to "read" a company (Example: ABC) and any of its subsidiaries provided he has "ABC-Read" role and should have "ABC Inc" or any of its subsidiaries as the company attribute value in his profile
>>>
>>> The request could be made giving company id which could fall anywhere in the subsidiary hierarchy and we need to get a response whether user is authorized or not.
>>>
>>> Can someone suggest - policy file and request XML for this?
>>>
>>> Thanks,
>>> Dhirendra Sharma
>>
>> --
>> Anne H. Anderson               Anne.Anderson@sun.com
>> Sun Microsystems Labs          1-781-442-0928
>> Burlington, MA USA

--
Anne H. Anderson               Anne.Anderson@sun.com
Sun Microsystems Labs          1-781-442-0928
Burlington, MA USA
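Added example, not code from the thread, from OASIS, or from Sun's XACML 1.1 implementation: a Python sketch of the Context Handler Anne describes, returning the three hierarchical attribute bags for a constructed company hierarchy (the urn:example URIs are placeholders) and applying the anyURI-is-in check that both Rules use. The subject's company is modelled as a single value, as in Anne's prose.

```python
# Added illustration, not code from the thread, OASIS, or Sun's XACML implementation:
# a toy Context Handler resolving the three hierarchical AttributeIds as Anne's points
# 1-3 describe ("upside-down": parent = direct subsidiary, ancestor = any subsidiary).
from typing import Dict, List, Set

RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource-id"
RESOURCE_PARENT = "urn:oasis:names:tc:xacml:2.0:resource-parent"
RESOURCE_ANCESTOR = "urn:oasis:names:tc:xacml:2.0:resource-ancestor"
RESOURCE_ANCESTOR_OR_SELF = "urn:oasis:names:tc:xacml:2.0:resource-ancestor-or-self"

# Constructed sample hierarchy (company URI -> direct subsidiaries); the
# urn:example URIs are placeholders, not identifiers from the thread.
SUBSIDIARIES: Dict[str, List[str]] = {
    "urn:example:company:ABC": ["urn:example:company:ABC-EU", "urn:example:company:ABC-US"],
    "urn:example:company:ABC-EU": ["urn:example:company:ABC-DE"],
}

def direct_subsidiaries(company: str) -> Set[str]:
    return set(SUBSIDIARIES.get(company, []))

def all_subsidiaries(company: str) -> Set[str]:
    """Direct and indirect subsidiaries; 'seen' guards against cyclic data."""
    seen: Set[str] = set()
    stack = list(SUBSIDIARIES.get(company, []))
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(SUBSIDIARIES.get(current, []))
    return seen

def resource_attribute(attribute_id: str, resource_id: str) -> Set[str]:
    """Context Handler lookup: the bag of xs:anyURI values for attribute_id."""
    if attribute_id == RESOURCE_ID:
        return {resource_id}
    if attribute_id == RESOURCE_PARENT:
        return direct_subsidiaries(resource_id)
    if attribute_id == RESOURCE_ANCESTOR:
        return all_subsidiaries(resource_id)
    if attribute_id == RESOURCE_ANCESTOR_OR_SELF:
        return all_subsidiaries(resource_id) | {resource_id}
    return set()  # unknown AttributeId: empty bag, so anyURI-is-in is false

def evaluate_rule(resource_attribute_id: str, subject_company: str, resource_id: str) -> str:
    """The Rules' Condition: anyURI-is-in(subject-company, <resource attribute bag>)."""
    bag = resource_attribute(resource_attribute_id, resource_id)
    return "Permit" if subject_company in bag else "NotApplicable"
```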