xacml-users message



Subject: Re: [xacml-users] Hierarchical resources policy and request file


Look at http://sunxacml.sourceforge.net

Anne

dhirendra sharma wrote:
> Hi Anne,
>   How to subscribe to sunxacml-discuss@lists.sourceforge.net list?
> 
> Thanks,
> Dhirendra Sharma
> 
> --- Anne Anderson <Anne.Anderson@sun.com> wrote:
> 
>>Now you are talking about a specific implementation of XACML, and not
>>about the language itself.  You should join the
>>sunxacml-discuss@lists.sourceforge.net mailing list and ask your
>>question there.
>>
>>Regards,
>>Anne
>>
>>dhirendra sharma wrote:
>>
>>>Hi Anne,
>>>
>>>Can you help me with the Context Handler part of your solution.
>>>
>>>Do you mean something like the attached class and request and policy
>>>files?
>>>
>>>(Note: I am using Sun's XACML 1.1 implementation)
>>>
>>>Please ignore comments and println in the code. I am just getting
>>>myself accustomed to the flow.
>>>
>>>Thanks,
>>>Dhirendra Sharma
>>>
>>>--- Anne Anderson <Anne.Anderson@sun.com> wrote:
>>>
>>>>Dhirendra,
>>>>
>>>>This would be more elegant if we had defined a
>>>>"resource-descendant-or-self" AttributeId, or better yet if we had
>>>>defined generic functions: "<type>-ancestor", "<type>-descendant",
>>>>"<type>-parent", ... that took any hierarchical AttributeId as their
>>>>parameter and returned the bag of satisfying values.  You could always
>>>>define such extensions yourself.
>>>>
>>>>Using Section 4.1 of the Hierarchical Resource Profile
>>>>(http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-hier-profile-spec-os.pdf)
>>>>the following should work:
>>>>
>>>>Let the Resource Attribute "urn:oasis:names:tc:xacml:1.0:resource-id" in
>>>>the Request indicate the company to be read.  Let the Subject have a
>>>>"urn:namespace:subject-company" Attribute that indicates that subject's
>>>>"company" Attribute (the top-level company to which the subject
>>>>belongs).  Assume the DataType of both Attributes is "xs:anyURI".
>>>>
>>>>The Context Handler must be written to have awareness of the company
>>>>hierarchy.  In this case (here is the inelegant part), the hierarchy is
>>>>going to be "upside-down", which works because multiple "parents" are
>>>>allowed:
>>>>
>>>>1) if asked for AttributeId "urn:oasis:names:tc:xacml:2.0:resource-parent",
>>>>the Context Handler needs to return a bag containing the company-id's of
>>>>all companies that are direct subsidiaries of the requested resource
>>>>
>>>>2) if asked for "urn:oasis:names:tc:xacml:2.0:resource-ancestor", the
>>>>Context Handler needs to return a bag containing the company-id's of all
>>>>companies that are direct or indirect subsidiaries of the requested
>>>>resource.
>>>>
>>>>3) if asked for "urn:oasis:names:tc:xacml:2.0:resource-ancestor-or-self",
>>>>the Context Handler needs to return a bag containing the company-id's of
>>>>all companies that are direct or indirect subsidiaries of the requested
>>>>resource as well as the resource-id in the Request.
>>>>
>>>>To specify 1) in a Rule,
>>>>
>>>><Rule RuleId="..." Effect="Permit">
>>>>  <Condition>
>>>>    <!-- anyURI-is-in takes a single anyURI as its first argument and a
>>>>         bag as its second; an AttributeDesignator always yields a bag,
>>>>         so the subject value is reduced with anyURI-one-and-only.
>>>>         "xs:anyURI" is shorthand for the DataType identifier
>>>>         http://www.w3.org/2001/XMLSchema#anyURI -->
>>>>    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
>>>>      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-one-and-only">
>>>>        <SubjectAttributeDesignator
>>>>            AttributeId="urn:namespace:subject-company"
>>>>            DataType="xs:anyURI" />
>>>>      </Apply>
>>>>      <ResourceAttributeDesignator
>>>>          AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>>>>          DataType="xs:anyURI" />
>>>>    </Apply>
>>>>  </Condition>
>>>></Rule>
>>>>
>>>>To specify 2) in a Rule,
>>>>
>>>><Rule RuleId="..." Effect="Permit">
>>>>  <Condition>
>>>>    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
>>>>      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-one-and-only">
>>>>        <SubjectAttributeDesignator
>>>>            AttributeId="urn:namespace:subject-company"
>>>>            DataType="xs:anyURI" />
>>>>      </Apply>
>>>>      <!-- the bag below is filled by the upside-down Context Handler -->
>>>>      <ResourceAttributeDesignator
>>>>          AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"
>>>>          DataType="xs:anyURI" />
>>>>    </Apply>
>>>>  </Condition>
>>>></Rule>
>>>>
>>>>Regards,
>>>>Anne Anderson
>>>>
>>>>dhirendra sharma wrote:
>>>>
>>>>>Hi,
>>>>>
>>>>> We need to specify the policy for the below:
>>>>>
>>>>>	1). A user should be able to "read" a company (Example: ABC Inc)
>>>>>	provided he has the "ABC-Read" role and should have "ABC Inc" as
>>>>>	the company attribute value in his profile
>>>>>
>>>>>	2). A user should be able to "read" a company (Example: ABC) and any
>>>>>	of its subsidiaries provided he has the "ABC-Read" role and should
>>>>>	have "ABC Inc" or any of its subsidiaries as the company attribute
>>>>>	value in his profile
>>>>>
>>>>>	The request could be made giving a company id which could fall
>>>>>	anywhere in the subsidiary hierarchy and we need to get a response
>>>>>	whether the user is authorized or not.
>>>>>
>>>>>	Can someone suggest - policy file and request XML
>>>>>
> === message truncated ===
> 
> 
> 
> ---------------------------------------------------------------------
> This publicly archived list supports open discussion on using the 
> XACML OASIS Standard. To minimize spam in the archives, you 
> must subscribe before posting.
> 
> [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
> Alternately, using email: list-[un]subscribe@lists.oasis-open.org
> List archives: http://lists.oasis-open.org/archives/xacml-users/
> Committee homepage: http://www.oasis-open.org/committees/xacml/
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> Join OASIS: http://www.oasis-open.org/join/
> 

-- 
Anne H. Anderson               Anne.Anderson@sun.com
Sun Microsystems Labs          1-781-442-0928
Burlington, MA USA
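
As an added illustration, and not code from this thread or from sunxacml, the following Python models the "upside-down" Context Handler that Anne describes (resource-parent, resource-ancestor and resource-ancestor-or-self answered with the resource's subsidiaries rather than its owners) and evaluates the Conditions of the two Rules against it, with the subject designator reduced to a single value with anyURI-one-and-only as anyURI-is-in requires. The company identifiers and the hierarchy it embeds are constructed sample data, and `urn:namespace:subject-company` is the placeholder name the thread itself uses.

```python
"""Upside-down hierarchical Context Handler and the two Permit Rules from the
thread, modelled in plain Python.  Added illustration: not code from the
thread or from sunxacml.  Company identifiers and the hierarchy are
constructed sample data."""

from typing import Dict, FrozenSet, List

# Constructed sample hierarchy: company -> its direct subsidiaries.
HIERARCHY: Dict[str, List[str]] = {
    "urn:example:company:abc": ["urn:example:company:abc-eu", "urn:example:company:abc-us"],
    "urn:example:company:abc-eu": ["urn:example:company:abc-de"],
    "urn:example:company:abc-us": [],
    "urn:example:company:abc-de": [],
    "urn:example:company:xyz": [],
}

# AttributeIds from the Hierarchical Resource Profile (section 4.1) as cited in
# the thread, plus the placeholder subject attribute name the thread assumes.
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
RESOURCE_PARENT = "urn:oasis:names:tc:xacml:2.0:resource:resource-parent"
RESOURCE_ANCESTOR = "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor"
RESOURCE_ANCESTOR_OR_SELF = "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"
SUBJECT_COMPANY = "urn:namespace:subject-company"


class UpsideDownContextHandler:
    """Answers resource attribute lookups by treating subsidiaries as
    'parents', which is the inversion the thread describes."""

    def __init__(self, hierarchy: Dict[str, List[str]]) -> None:
        self.hierarchy = hierarchy

    def direct_subsidiaries(self, company: str) -> FrozenSet[str]:
        return frozenset(self.hierarchy.get(company, []))

    def all_subsidiaries(self, company: str) -> FrozenSet[str]:
        # Iterative walk with a visited set so cross-holdings (cycles) terminate.
        seen, stack = set(), list(self.hierarchy.get(company, []))
        while stack:
            sub = stack.pop()
            if sub in seen:
                continue
            seen.add(sub)
            stack.extend(self.hierarchy.get(sub, []))
        return frozenset(seen)

    def attribute_bag(self, attribute_id: str, resource_id: str) -> FrozenSet[str]:
        """Return the bag the PDP receives for a resource AttributeId."""
        if attribute_id == RESOURCE_ID:
            return frozenset({resource_id})
        if attribute_id == RESOURCE_PARENT:
            return self.direct_subsidiaries(resource_id)
        if attribute_id == RESOURCE_ANCESTOR:
            return self.all_subsidiaries(resource_id)
        if attribute_id == RESOURCE_ANCESTOR_OR_SELF:
            return self.all_subsidiaries(resource_id) | {resource_id}
        return frozenset()  # unknown AttributeId: empty bag


class IndeterminateError(Exception):
    """Raised where XACML evaluation would yield Indeterminate."""


def any_uri_one_and_only(bag: FrozenSet[str]) -> str:
    # anyURI-one-and-only: exactly one element, otherwise Indeterminate.
    if len(bag) != 1:
        raise IndeterminateError(f"expected one value, bag has {len(bag)}")
    return next(iter(bag))


def any_uri_is_in(value: str, bag: FrozenSet[str]) -> bool:
    # anyURI-is-in: a single value first, a bag second.
    return value in bag


def evaluate_rule(handler: UpsideDownContextHandler, subject_company: FrozenSet[str],
                  resource_id: str, resource_attribute: str) -> str:
    """Evaluate a Permit Rule whose Condition is
    anyURI-is-in(anyURI-one-and-only(subject-company), <resource_attribute>)."""
    try:
        subject = any_uri_one_and_only(subject_company)
    except IndeterminateError:
        return "Indeterminate"
    bag = handler.attribute_bag(resource_attribute, resource_id)
    return "Permit" if any_uri_is_in(subject, bag) else "NotApplicable"


def rule_1(handler, subject_company, resource_id):
    # Requirement 1: the subject's company must be the requested resource.
    return evaluate_rule(handler, subject_company, resource_id, RESOURCE_ID)


def rule_2(handler, subject_company, resource_id):
    # Requirement 2: compare against resource-ancestor-or-self, which the
    # upside-down handler fills with the resource and all its subsidiaries.
    return evaluate_rule(handler, subject_company, resource_id, RESOURCE_ANCESTOR_OR_SELF)


if __name__ == "__main__":
    h = UpsideDownContextHandler(HIERARCHY)
    abc, de = "urn:example:company:abc", "urn:example:company:abc-de"
    print(sorted(h.attribute_bag(RESOURCE_ANCESTOR_OR_SELF, abc)))
    print(rule_1(h, frozenset({abc}), abc), rule_2(h, frozenset({de}), abc))
```

Running the two Rules against a subject at the top level and a subject in a subsidiary makes the direction of the inverted hierarchy visible: with the handler as described, Rule 2 permits a subject whose company is a subsidiary of the requested resource, and returns NotApplicable for a top-level subject requesting one of its own subsidiaries, so the mapping should be checked against the intended requirement before deployment. A subject-company bag with more than one value makes anyURI-one-and-only fail, and the Rule evaluates to Indeterminate rather than silently matching.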

