Subject: Re: [xacml-users] Hierarchical resources policy and request file
Look at http://sunxacml.sourceforge.net

Anne

dhirendra sharma wrote:
> Hi Anne,
> How to subscribe to
> sunxacml-discuss@lists.sourceforge.net list ?
>
> Thanks,
> Dhirendra Sharma
>
>
> --- Anne Anderson <Anne.Anderson@sun.com> wrote:
>
>> Now you are talking about a specific implementation of XACML, and not
>> about the language itself. You should join the
>> sunxacml-discuss@lists.sourceforge.net mailing list and ask your
>> question there.
>>
>> Regards,
>> Anne
>>
>> dhirendra sharma wrote:
>>
>>> Hi Anne,
>>>
>>> Can you help me with the Context Handler part of your solution.
>>>
>>> Do you mean something like the attached class and request and policy
>>> files ?
>>>
>>> (Note: I am using Sun's XACML 1.1 implementation)
>>>
>>> Please ignore comments and println in the code. I am just getting
>>> accustomed myself with the flow.
>>>
>>> Thanks,
>>> Dhirendra Sharma
>>>
>>>
>>> --- Anne Anderson <Anne.Anderson@sun.com> wrote:
>>>
>>>> Dhirendra,
>>>>
>>>> This would be more elegant if we had defined a
>>>> "resource-descendant-or-self" AttributeId, or better yet if we had
>>>> defined generic functions: "<type>-ancestor", "<type>-descendant",
>>>> "<type>-parent", ... that took any hierarchical AttributeId as their
>>>> parameter and returned the bag of satisfying values. You could always
>>>> define such extensions yourself.
>>>>
>>>> Using Section 4.1 of the Hierarchical Resource Profile
>>>> (http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-hier-profile-spec-os.pdf)
>>>> the following should work:
>>>>
>>>> Let the Resource Attribute "urn:oasis:names:tc:xacml:1.0:resource-id" in
>>>> the Request indicate the company to be read. Let the Subject have a
>>>> "urn:namespace:subject-company" Attribute that indicates that subject's
>>>> "company" Attribute (the top-level company to which the subject
>>>> belongs). Assume the DataType of both Attributes is "xs:anyURI".
>>>>
>>>> The Context Handler must be written to have awareness of the company
>>>> hierarchy. In this case (here is the inelegant part), the hierarchy is
>>>> going to be "upside-down", which works because multiple "parents" are
>>>> allowed:
>>>>
>>>> 1) if asked for AttributeId "urn:oasis:names:tc:xacml:2.0:resource-parent",
>>>> the Context Handler needs to return a bag containing the company-id's of
>>>> all companies that are direct subsidiaries of the requested resource
>>>>
>>>> 2) if asked for "urn:oasis:names:tc:xacml:2.0:resource-ancestor", the
>>>> Context Handler needs to return a bag containing the company-id's of all
>>>> companies that are direct or indirect subsidiaries of the requested
>>>> resource.
>>>>
>>>> 3) if asked for "urn:oasis:names:tc:xacml:2.0:resource-ancestor-or-self",
>>>> the Context Handler needs to return a bag containing the company-id's of
>>>> all companies that are direct or indirect subsidiaries of the requested
>>>> resource as well as the resource-id in the Request.
>>>>
>>>> To specify 1) in a Rule,
>>>>
>>>> <Rule RuleId="..." Effect="Permit">
>>>>   <Condition>
>>>>     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
>>>>       <!-- anyURI-is-in takes a single anyURI as its first argument,
>>>>            so the designator's bag is reduced with one-and-only -->
>>>>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-one-and-only">
>>>>         <SubjectAttributeDesignator
>>>>           AttributeId="urn:namespace:subject-company"
>>>>           DataType="xs:anyURI" />
>>>>       </Apply>
>>>>       <ResourceAttributeDesignator
>>>>         AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>>>>         DataType="xs:anyURI" />
>>>>     </Apply>
>>>>   </Condition>
>>>> </Rule>
>>>>
>>>> To specify 2) in a Rule,
>>>>
>>>> <Rule RuleId="..." Effect="Permit">
>>>>   <Condition>
>>>>     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
>>>>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-one-and-only">
>>>>         <SubjectAttributeDesignator
>>>>           AttributeId="urn:namespace:subject-company"
>>>>           DataType="xs:anyURI" />
>>>>       </Apply>
>>>>       <ResourceAttributeDesignator
>>>>         AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"
>>>>         DataType="xs:anyURI" />
>>>>     </Apply>
>>>>   </Condition>
>>>> </Rule>
>>>>
>>>> Regards,
>>>> Anne Anderson
>>>>
>>>> dhirendra sharma wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> We need to specify the policy for the below :
>>>>> 1). A user should be able to "read" a company (Example: ABC Inc) provided
>>>>> he has - "ABC-Read" role and should have "ABC Inc" as the company
>>>>> attribute value in his profile
>>>>>
>>>>> 2). A user should be able to "read" a company (Example: ABC) and any of
>>>>> its subsidiaries provided he has - "ABC-Read" role and should have
>>>>> "ABC Inc" or any of its subsidiaries as the company attribute value in
>>>>> his profile
>>>>>
>>>>> The request could be made giving company id which could fall anywhere
>>>>> in the subsidiary hierarchy and we need to get a response whether user
>>>>> is authorized or not.
>>>>>
>>>>> Can someone suggest - policy file and request XML
>>>>
> === message truncated ===
>
> ---------------------------------------------------------------------
> This publicly archived list supports open discussion on using the
> XACML OASIS Standard. To minimize spam in the archives, you
> must subscribe before posting.
>
> [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
> Alternately, using email: list-[un]subscribe@lists.oasis-open.org
> List archives: http://lists.oasis-open.org/archives/xacml-users/
> Committee homepage: http://www.oasis-open.org/committees/xacml/
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> Join OASIS: http://www.oasis-open.org/join/

-- 
Anne H. Anderson               Anne.Anderson@sun.com
Sun Microsystems Labs          1-781-442-0928
Burlington, MA USA
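Editor's note: the quoted reply describes the Context Handler in prose only. The following is an added example of that "upside-down" hierarchy, written for this archive page; it is not sunxacml code and not the poster's own class. The company tree under urn:example:, the helper names, and the simplified Permit / NotApplicable / Indeterminate outcome are all constructed for illustration. It models the three hierarchy AttributeIds from the Hierarchical Resource Profile and then evaluates the two rules from the reply against sample requests, taking the subject-company attribute as single-valued (which is what anyURI-one-and-only enforces) and treating "xs:anyURI" as the reply's shorthand for the anyURI datatype.

```python
"""
Context handler for the "upside-down" company hierarchy described in the
reply above.  Editor's example: not sunxacml code and not the poster's.
The company tree, the urn:example: URNs and the function names are
constructed for illustration.
"""

# Constructed hierarchy: company -> its direct subsidiaries (anyURI values).
COMPANY_TREE = {
    "urn:example:company:abc": ["urn:example:company:abc-eu",
                                "urn:example:company:abc-us"],
    "urn:example:company:abc-eu": ["urn:example:company:abc-de"],
    "urn:example:company:abc-us": [],
    "urn:example:company:abc-de": [],
    "urn:example:company:xyz": [],
}

# AttributeIds from XACML core and the Hierarchical Resource Profile, plus
# the custom subject attribute the reply proposes.
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
RESOURCE_PARENT = "urn:oasis:names:tc:xacml:2.0:resource:resource-parent"
RESOURCE_ANCESTOR = "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor"
RESOURCE_ANCESTOR_OR_SELF = (
    "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self")
SUBJECT_COMPANY = "urn:namespace:subject-company"


def direct_subsidiaries(tree, company):
    """Bag handed back for resource-parent in the inverted hierarchy."""
    return set(tree.get(company, ()))


def all_subsidiaries(tree, company):
    """Bag handed back for resource-ancestor: every direct or indirect
    subsidiary.  Iterative walk with a visited set so a cyclic or
    malformed tree cannot loop forever."""
    seen, todo = set(), list(tree.get(company, ()))
    while todo:
        c = todo.pop()
        if c in seen:
            continue
        seen.add(c)
        todo.extend(tree.get(c, ()))
    return seen


def resolve_resource_attribute(tree, attribute_id, resource_id):
    """What the context handler returns to the PDP for each hierarchy
    AttributeId.  Deliberately inverted, as in the reply: 'parent' means
    direct subsidiaries and 'ancestor' means all subsidiaries."""
    if attribute_id == RESOURCE_ID:
        return {resource_id}
    if attribute_id == RESOURCE_PARENT:
        return direct_subsidiaries(tree, resource_id)
    if attribute_id == RESOURCE_ANCESTOR:
        return all_subsidiaries(tree, resource_id)
    if attribute_id == RESOURCE_ANCESTOR_OR_SELF:
        return all_subsidiaries(tree, resource_id) | {resource_id}
    raise KeyError("unknown AttributeId: " + attribute_id)


def anyuri_is_in(value, bag):
    """urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in"""
    return value in bag


def evaluate_rule(tree, resource_attribute_id, request):
    """Evaluate a Permit rule whose Condition is
       anyURI-is-in(anyURI-one-and-only(subject-company), <resource attr>).
    Returns Permit, NotApplicable or Indeterminate, as a PDP would for a
    single rule.  request = {"subject": {...}, "resource": {...}}."""
    subject_company = request["subject"].get(SUBJECT_COMPANY)
    if subject_company is None:
        # Designator yields an empty bag; one-and-only on it is an error.
        return "Indeterminate"
    bag = resolve_resource_attribute(
        tree, resource_attribute_id, request["resource"][RESOURCE_ID])
    return "Permit" if anyuri_is_in(subject_company, bag) else "NotApplicable"


def make_request(subject_company, resource_id):
    """Build a minimal request context; subject_company=None omits the
    subject attribute to exercise the missing-attribute path."""
    req = {"subject": {}, "resource": {RESOURCE_ID: resource_id}}
    if subject_company is not None:
        req["subject"][SUBJECT_COMPANY] = subject_company
    return req


if __name__ == "__main__":
    # Subject in the indirect subsidiary abc-de reading abc: Permit under
    # the ancestor-or-self rule.  The reverse direction is NotApplicable.
    print(evaluate_rule(COMPANY_TREE, RESOURCE_ANCESTOR_OR_SELF,
                        make_request("urn:example:company:abc-de",
                                     "urn:example:company:abc")))
    print(evaluate_rule(COMPANY_TREE, RESOURCE_ANCESTOR_OR_SELF,
                        make_request("urn:example:company:abc",
                                     "urn:example:company:abc-de")))
```

The second rule, as written in the reply, permits a subject whose company is the requested company or one of its direct or indirect subsidiaries. Because the hierarchy is inverted inside the handler, a subject in a subsidiary can read the parent company while a subject in the parent cannot read the subsidiary; the two calls at the bottom of the block show that asymmetry. If the opposite direction is the one the deployment needs, the handler must return the real ancestors instead, so check the direction against the requirement before putting the policy into production. A missing subject-company attribute is reported as Indeterminate rather than silently denied, which is what anyURI-one-and-only on an empty bag produces.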