xacml-users message


Subject: RE: [xacml-users] Help on ResourceConent!


Hi Roland!

    Thanks for making things clear to me. BTW, I saw this entry in
oasis-xacmlv1.0.pdf and would like to know what exactly they mean.

Q) 

The following example illustrates a request context to which the example
rules may be applicable. It represents a request by the physician Julius
Hibbert to read the patient date of birth in the record of Bartholomew
Simpson. 

XML Request:
------------
....
<ResourceContent>
 <md:record
  xmlns:md="//http:www.medico.com/schemas/record.xsd">
  <md:patient>
   <md:patientDoB>1992-03-21</md:patientDoB>
  </md:patient>
  <!-- other fields -->
 </md:record>
</ResourceContent>

We have to search for the DoB of the patient, right? It's enough if we have
specified the xsd hyperlink. Any idea why they have specified a new
patient record with a DoB entry?

Thanks a lot for your help.
Balaji Kamal Kannadassan

-----Original Message-----
From: Roland Illig [mailto:roland.illig@gmx.de] 
Sent: Thursday, October 30, 2008 4:40 PM
To: Kannadassan, Balaji (AMR:8826)
Cc: xacml-users@lists.oasis-open.org
Subject: Re: [xacml-users] Help on ResourceConent!

Balaji Kannadassan wrote:
> 1. The <*AttributeDesignator> can be used for getting a named 
> attribute, which looks like:
> 
> <Request>
>  <Subject>
>   <Attribute AttributeId="subject-id">
>    <AttributeValue>roland</AttributeValue>
>   </Attribute>
>  </Subject>
> </Request>
> 
> [Balaji] Here we are getting a request to pick a record with subject-id
> as roland.

That's correct.

> In the policy, you use the following code to retrieve the attribute
> values:
> 
> <SubjectMatch MatchId="string-equal">
>  <AttributeValue>roland</AttributeValue>
>  <SubjectAttributeDesignator AttributeId="subject-id"/> 
> </SubjectMatch>
> 
> [Balaji] We are matching the same with "roland", so for those whose name
> matches roland this policy would be applicable, right? Please do correct
> me if I am wrong on the same.

That's also correct.

> 2. The <AttributeSelector> can be used for getting arbitrary XML data 
> from the request, which can be encoded like this:
> 
> <Request xmlns:h="http://example.org/html4.xsd">
>  <Resource>
>   <ResourceContent>
>    <h:html>
>     <h:head>
>      <h:title>Hello, World</h:title>
>     </h:head>
>    </h:html>
>   </ResourceContent>
>   <Attribute AttributeId="resource-id">
>    <AttributeValue>http://example.org/hello.html</AttributeValue>
>   </Attribute>
>  </Resource>
> </Request>
> 
> [Balaji] We are making h point to an XML schema definition and
> defining record h with the contents, right? So what does the URL with
> hello.html have to play here?

I included it to show that the <ResourceContent> is that of a specific
document. It doesn't have any other specific purpose.

> <ResourceMatch MatchId="regexp-string-match">
>  <AttributeValue>.*[Hh]ell.*</AttributeValue>
>  <AttributeSelector
>   RequestContextPath="//Request/Resource/ResourceContent/h:html/h:head/h:title/text()"/>
> </ResourceMatch>
> 
> [Balaji] In here, are we saying that for those with the title value
> containing .*[Hh]ell.* this policy will be applicable?

Yes, exactly.

Roland
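
Added example, not part of the original thread: a Python sketch of how a PDP could evaluate the <AttributeSelector> discussed above against the request. It shows that the selector reads values carried inside <ResourceContent>, so an empty <ResourceContent> yields an empty bag and the match fails. The function names, the wrapper element and the unanchored regexp semantics are assumptions of this sketch; ElementTree supports only a subset of XPath.

```python
import re
import xml.etree.ElementTree as ET

# Constructed request, modelled on the one quoted in the thread.
REQUEST = """<Request xmlns:h="http://example.org/html4.xsd">
 <Resource>
  <ResourceContent>
   <h:html><h:head><h:title>Hello, World</h:title></h:head></h:html>
  </ResourceContent>
  <Attribute AttributeId="resource-id">
   <AttributeValue>http://example.org/hello.html</AttributeValue>
  </Attribute>
 </Resource>
</Request>"""

# Constructed variant: same request with nothing inside <ResourceContent>.
EMPTY_REQUEST = """<Request xmlns:h="http://example.org/html4.xsd">
 <Resource><ResourceContent/></Resource>
</Request>"""

NS = {"h": "http://example.org/html4.xsd"}
PATH = "//Request/Resource/ResourceContent/h:html/h:head/h:title/text()"


def select(request_xml, context_path, namespaces):
    """Return the bag of strings an AttributeSelector would yield (hypothetical helper).

    ElementTree has no text() step, so it is handled by hand, and the
    leading // is resolved relative to a synthetic wrapper element.
    """
    wants_text = context_path.endswith("/text()")
    path = context_path[: -len("/text()")] if wants_text else context_path
    wrapper = ET.Element("wrapper")
    wrapper.append(ET.fromstring(request_xml))
    nodes = wrapper.findall("." + path, namespaces)
    if wants_text:
        return [n.text or "" for n in nodes]
    return [ET.tostring(n, encoding="unicode") for n in nodes]


def resource_match(pattern, bag):
    """True if any selected value matches; an empty bag never matches.

    Assumption: unanchored regexp semantics (re.search).
    """
    return any(re.search(pattern, value) for value in bag)
```

A path that names an element absent from the request also selects an empty bag, so a mistyped RequestContextPath makes the rule silently not applicable rather than raising an error in this sketch.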



