xacml-users message



Subject: Re: [xacml-users] does XACML v2 allow multiple values' attribute



I've checked your example with XACMLight and it didn't throw the error, but Decision was "NotApplicable". Is it what you've expected for the given request?

If not, I can investigate it further. I had to change the following errors in your request and in policies to make them compliant with OASIS XSD:

1. Added namespaces to both policies and to request
2. Added a required <Environment/> element to Request

I've also created a config file for XACMLight and converted the Request to a SOAP message (both are attached).

Response:
<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <urn:Response xmlns:urn="urn:oasis:names:tc:xacml:2.0:context:schema:os">
      <urn:Result ResourceId="AccountInformation">
        <urn:Decision>NotApplicable</urn:Decision>
        <urn:Status>
          <urn:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
        </urn:Status>
      </urn:Result>
    </urn:Response>
  </soapenv:Body>
</soapenv:Envelope>


--- On Fri, 1/9/09, hao chen <d95776@yahoo.com> wrote:
> From: hao chen <d95776@yahoo.com>
> Subject: Re: [xacml-users] does XACML v2 allow multiple values' attribute
> To: xacml-users@lists.oasis-open.org, oleg@gryb.info
> Date: Friday, January 9, 2009, 4:37 PM
> Sorry, I sent you a wrong version of request. The attached
> should be the multi values attr.
>
> Best Regard
> hao
>
> --- On Fri, 1/9/09, Oleg Gryb <oleg_gryb@yahoo.com> wrote:
>
> > From: Oleg Gryb <oleg_gryb@yahoo.com>
> > Subject: Re: [xacml-users] does XACML v2 allow multiple values' attribute
> > To: xacml-users@lists.oasis-open.org, "hao chen" <d95776@yahoo.com>
> > Date: Friday, January 9, 2009, 3:31 PM
> > OK, thanks, I'll try it later today and let you know
> > about the results.
> >
> > --- On Fri, 1/9/09, hao chen <d95776@yahoo.com> wrote:
> >
> > > From: hao chen <d95776@yahoo.com>
> > > Subject: Re: [xacml-users] does XACML v2 allow multiple values' attribute
> > > To: xacml-users@lists.oasis-open.org, oleg@gryb.info
> > > Date: Friday, January 9, 2009, 4:28 PM
> > > The attached are the policies and request I am using:
> > >
> > > Best Regard
> > >
> > > --- On Fri, 1/9/09, Oleg Gryb <oleg_gryb@yahoo.com> wrote:
> > >
> > > > From: Oleg Gryb <oleg_gryb@yahoo.com>
> > > > Subject: Re: [xacml-users] does XACML v2 allow multiple values' attribute
> > > > To: xacml-users@lists.oasis-open.org, d95776@yahoo.com
> > > > Date: Friday, January 9, 2009, 2:48 PM
> > > > ... if you send your Policy to me, I can try it with
> > > > XACMLight. Request seems to be correct from XSD point of view.
> > > >
> > > > --- On Fri, 1/9/09, hao chen <d95776@yahoo.com> wrote:
> > > >
> > > > > From: hao chen <d95776@yahoo.com>
> > > > > Subject: [xacml-users] does XACML v2 allow multiple values' attribute
> > > > > To: xacml-users@lists.oasis-open.org
> > > > > Date: Friday, January 9, 2009, 3:38 PM
> > > > > Hi,
> > > > >
> > > > > I use sun xacml implementation. When I use multiple
> > > > > values' attribute, I got the following error:
> > > > > Exception in thread "main" com.sun.xacml.ParsingException: Too many values in Attribute
> > > > >
> > > > > The request is as
> > > > > <Request>
> > > > >   <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
> > > > >     <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
> > > > >                DataType="http://www.w3.org/2001/XMLSchema#anyURI">
> > > > >       <AttributeValue>account:manager:role</AttributeValue>
> > > > >       <AttributeValue>card:member:department:manager:role</AttributeValue>
> > > > >     </Attribute>
> > > > >   </Subject>
> > > > >   <Resource>
> > > > >     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
> > > > >                DataType="http://www.w3.org/2001/XMLSchema#string">
> > > > >       <AttributeValue>AccountInformation</AttributeValue>
> > > > >     </Attribute>
> > > > >   </Resource>
> > > > >   <Action>
> > > > >     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
> > > > >                DataType="http://www.w3.org/2001/XMLSchema#string">
> > > > >       <AttributeValue>access</AttributeValue>
> > > > >     </Attribute>
> > > > >   </Action>
> > > > > </Request>
> > > > >
> > > > > The sun's java doc says only one value is allowed for an
> > > > > attribute.
> > > > >
> > > > > hao
> > > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: xacml-users-unsubscribe@lists.oasis-open.org
> > > > > For additional commands, e-mail: xacml-users-help@lists.oasis-open.org


      
<Config xmlns="http://gryb.info/schemas/xacml/common">

<PolicySet 
      xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
        access_control-xacml-2.0-policy-schema-os.xsd"

   PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides" 
   PolicySetId="RPS:account:manager:role">
  <Target>
   <Subjects>
      <Subject>
         <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">account:manager:role</AttributeValue>
            <SubjectAttributeDesignator
               DataType="http://www.w3.org/2001/XMLSchema#anyURI" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" />
         </SubjectMatch>
      </Subject>
   </Subjects>
   </Target>
  <PolicySetIdReference>PPS:account:manager:role</PolicySetIdReference>
</PolicySet>

<Repo>
<PolicySet 
      xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
        access_control-xacml-2.0-policy-schema-os.xsd"

   PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides" 
   PolicySetId="PPS:account:manager:role" >
  <Target/>
  <Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
   PolicyId="Permissions:for:account:manager:role">
   <Target/>
   <Rule Effect="Permit" RuleId="Permission:account:information:access">
      <Target>
         <Resources>
            <Resource>
               <ResourceMatch
                  MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">
                     AccountInformation
                  </AttributeValue>
                  <ResourceAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
               </ResourceMatch>
            </Resource>
         </Resources>
         <Actions>
            <Action>
               <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
                  <ActionAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
               </ActionMatch>
            </Action>
         </Actions>
      </Target>
   </Rule>
   <Rule Effect="Permit" RuleId="Permission:card:member:management:access">
      <Target>
         <Resources>
            <Resource>
               <ResourceMatch
                  MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">CardMemeberManagement</AttributeValue>
                  <ResourceAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
               </ResourceMatch>
            </Resource>
         </Resources>
         <Actions>
            <Action>
               <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
                  <ActionAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
               </ActionMatch>
            </Action>
         </Actions>
      </Target>
   </Rule>
   <Rule Effect="Permit" RuleId="Permission:account:information:summary:access">
      <Target>
         <Resources>
            <Resource>
               <ResourceMatch
                  MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">AccountInformationSummary</AttributeValue>
                  <ResourceAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
               </ResourceMatch>
            </Resource>
         </Resources>
         <Actions>
            <Action>
               <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
                  <ActionAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
               </ActionMatch>
            </Action>
         </Actions>
      </Target>
   </Rule>
   <Rule Effect="Permit" RuleId="Permission:account:information:status:access">
      <Target>
         <Resources>
            <Resource>
               <ResourceMatch
                  MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">AccountInformationStatus</AttributeValue>
                  <ResourceAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
               </ResourceMatch>
            </Resource>
         </Resources>
         <Actions>
            <Action>
               <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
                  <ActionAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
               </ActionMatch>
            </Action>
         </Actions>
      </Target>
   </Rule>
   <Rule Effect="Permit" RuleId="Permission:card:member:information:access">
      <Target>
         <Resources>
            <Resource>
               <ResourceMatch
                  MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">CardMemberInformation</AttributeValue>
                  <ResourceAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
               </ResourceMatch>
            </Resource>
         </Resources>
         <Actions>
            <Action>
               <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
                  <ActionAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
               </ActionMatch>
            </Action>
         </Actions>
      </Target>
   </Rule>
   <Rule Effect="Permit" RuleId="Permission:account:information:balance:view_modify">
      <Target>
         <Resources>
            <Resource>
               <ResourceMatch
                  MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">AccountInfomationBalance</AttributeValue>
                  <ResourceAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
               </ResourceMatch>
            </Resource>
         </Resources>
         <Actions>
            <Action>
               <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">view</AttributeValue>
                  <ActionAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
               </ActionMatch>
            </Action>
            <Action>
               <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">modify</AttributeValue>
                  <ActionAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
               </ActionMatch>
            </Action>
         </Actions>
      </Target>
   </Rule>
   <Rule Effect="Permit" RuleId="Permission:account:information:financial:charge:view_modify">
      <Target>
         <Resources>
            <Resource>
               <ResourceMatch
                  MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">AccountInfomationFinancialCharge</AttributeValue>
                  <ResourceAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
               </ResourceMatch>
            </Resource>
         </Resources>
         <Actions>
            <Action>
               <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">view</AttributeValue>
                  <ActionAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
               </ActionMatch>
            </Action>
            <Action>
               <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">modify</AttributeValue>
                  <ActionAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
               </ActionMatch>
            </Action>
         </Actions>
      </Target>
   </Rule>
   <Rule Effect="Permit" RuleId="Permission:account:information:external:status:view_modify">
      <Target>
         <Resources>
            <Resource>
               <ResourceMatch
                  MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">AccountInfomationExternalStatus</AttributeValue>
                  <ResourceAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
               </ResourceMatch>
            </Resource>
         </Resources>
         <Actions>
            <Action>
               <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">view</AttributeValue>
                  <ActionAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
               </ActionMatch>
            </Action>
            <Action>
               <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">modify</AttributeValue>
                  <ActionAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
               </ActionMatch>
            </Action>
         </Actions>
      </Target>
   </Rule>
   <Rule Effect="Permit" RuleId="Permission:account:information:internal:status:view_modify">
      <Target>
         <Resources>
            <Resource>
               <ResourceMatch
                  MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">AccountInfomationInternalStatus</AttributeValue>
                  <ResourceAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
               </ResourceMatch>
            </Resource>
         </Resources>
         <Actions>
            <Action>
               <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">view</AttributeValue>
                  <ActionAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
               </ActionMatch>
            </Action>
            <Action>
               <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">modify</AttributeValue>
                  <ActionAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
               </ActionMatch>
            </Action>
         </Actions>
      </Target>
   </Rule>
   <Rule Effect="Permit" RuleId="Permission:account:information:credit:limit:view">
      <Target>
         <Resources>
            <Resource>
               <ResourceMatch
                  MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">AccountInfomationCreditLimit</AttributeValue>
                  <ResourceAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
               </ResourceMatch>
            </Resource>
         </Resources>
         <Actions>
            <Action>
               <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">view</AttributeValue>
                  <ActionAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
               </ActionMatch>
            </Action>
         </Actions>
      </Target>
   </Rule>
   <Rule Effect="Permit" RuleId="Permission:account:information:credit:limit:modify">
      <Target>
         <Resources>
            <Resource>
               <ResourceMatch
                  MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">AccountInfomationCreditLimit</AttributeValue>
                  <ResourceAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
               </ResourceMatch>
            </Resource>
         </Resources>
         <Actions>
            <Action>
               <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">modify</AttributeValue>
                  <ActionAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
               </ActionMatch>
            </Action>
         </Actions>
      </Target>
   </Rule>
  </Policy>
</PolicySet>

<PolicySet 
      xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
        access_control-xacml-2.0-policy-schema-os.xsd"

   PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides" 
   PolicySetId="PPS:card:member:department:manager:role" 
   >
  <Target/>
  <Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
   PolicyId="Permissions:for:card:member:department:manager:role">
   <Target/>
   <Rule Effect="Permit" RuleId="Permission:card:member:and:account:assignment:access">
      <Target>
         <Resources>
            <Resource>
               <ResourceMatch
                  MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">
                     CardMemberAndAccountAssignment
                  </AttributeValue>
                  <ResourceAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
               </ResourceMatch>
            </Resource>
         </Resources>
         <Actions>
            <Action>
               <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
                  <ActionAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
               </ActionMatch>
            </Action>
         </Actions>
      </Target>
   </Rule>
   <Rule Effect="Permit" RuleId="Permission:account:for:card:member:add">
      <Target>
         <Resources>
            <Resource>
               <ResourceMatch
                  MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">CardMemeberAccount</AttributeValue>
                  <ResourceAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" />
               </ResourceMatch>
            </Resource>
         </Resources>
         <Actions>
            <Action>
               <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue
                     DataType="http://www.w3.org/2001/XMLSchema#string">add</AttributeValue>
                  <ActionAttributeDesignator
                     DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
               </ActionMatch>
            </Action>
         </Actions>
      </Target>
   </Rule>
  </Policy>
  <PolicySetIdReference>PPS:account:manager:role</PolicySetIdReference>
</PolicySet>

<PolicySet 
      xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
        access_control-xacml-2.0-policy-schema-os.xsd"

   PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides" 
   PolicySetId="RPS:card:member:department:manager:role" >
  <Target>
   <Subjects>
      <Subject>
         <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">card:member:department:manager:role</AttributeValue>
            <SubjectAttributeDesignator
               DataType="http://www.w3.org/2001/XMLSchema#anyURI" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" />
         </SubjectMatch>
      </Subject>
   </Subjects>
  </Target>
  <PolicySetIdReference>PPS:card:member:department:manager:role</PolicySetIdReference>
</PolicySet>


</Repo>  

</Config>
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Body>

<Request
      xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os
        access_control-xacml-2.0-context-schema-os.xsd">

  <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
    <AttributeValue>account:manager:role</AttributeValue>
    <AttributeValue>card:member:department:manager:role</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>AccountInformation</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>access</AttributeValue>
    </Attribute>
  </Action>
   <Environment/>
</Request>


</soap:Body>
</soap:Envelope>
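
Added example, not code from this thread, XACMLight or Sun's implementation: it collects the request's multi-valued role attribute into a bag, applies two match elements copied from the attached policies with "any value in the bag" semantics, and rewrites the request into single-valued <Attribute> elements that produce the same bags. The function names, the <Matches> wrapper and the `trim` flag are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
POL = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
XS = "http://www.w3.org/2001/XMLSchema#"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"

# Subject and Resource of the request from the thread (Action omitted for brevity).
REQUEST = f"""<Request xmlns="{CTX}">
  <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="{ROLE}" DataType="{XS}anyURI">
      <AttributeValue>account:manager:role</AttributeValue>
      <AttributeValue>card:member:department:manager:role</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="{RESOURCE_ID}" DataType="{XS}string">
      <AttributeValue>AccountInformation</AttributeValue>
    </Attribute>
  </Resource>
  <Environment/>
</Request>"""

# Two match elements copied from the attached policies; <Matches> is a hypothetical
# wrapper so they parse as one document. The padded literal is as it appears there.
MATCHES = f"""<Matches xmlns="{POL}">
  <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
    <AttributeValue DataType="{XS}anyURI">card:member:department:manager:role</AttributeValue>
    <SubjectAttributeDesignator DataType="{XS}anyURI" AttributeId="{ROLE}"/>
  </SubjectMatch>
  <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="{XS}string">
       AccountInformation
    </AttributeValue>
    <ResourceAttributeDesignator DataType="{XS}string" AttributeId="{RESOURCE_ID}"/>
  </ResourceMatch>
</Matches>"""


def attribute_bags(request_xml):
    """Map (section, AttributeId, DataType) to the list of values (the bag)."""
    bags = {}
    for section in ET.fromstring(request_xml):
        name = section.tag.split("}")[1]  # Subject / Resource / Action / Environment
        for attr in section.findall(f"{{{CTX}}}Attribute"):
            key = (name, attr.get("AttributeId"), attr.get("DataType"))
            values = [v.text or "" for v in attr.findall(f"{{{CTX}}}AttributeValue")]
            bags.setdefault(key, []).extend(values)  # same id in several elements merges
    return bags


def evaluate_match(match, bags, trim=False):
    """True if the policy literal equals ANY value in the designated bag."""
    section = match.tag.split("}")[1][:-len("Match")]  # SubjectMatch -> Subject
    literal = match.find(f"{{{POL}}}AttributeValue").text or ""
    if trim:  # assumption: models a PDP that strips whitespace around literals
        literal = literal.strip()
    designator = match.find(f"{{{POL}}}{section}AttributeDesignator")
    key = (section, designator.get("AttributeId"), designator.get("DataType"))
    return any(literal == value for value in bags.get(key, []))


def evaluate_all(matches_xml, request_xml, trim=False):
    """Evaluate every match element in the wrapper against the request."""
    bags = attribute_bags(request_xml)
    return [(m.tag.split("}")[1], evaluate_match(m, bags, trim))
            for m in ET.fromstring(matches_xml)]


def single_valued_form(request_xml):
    """Rewrite each multi-valued Attribute as several single-valued ones."""
    root = ET.fromstring(request_xml)
    for section in root:
        for attr in section.findall(f"{{{CTX}}}Attribute"):
            for extra in attr.findall(f"{{{CTX}}}AttributeValue")[1:]:
                attr.remove(extra)
                ET.SubElement(section, attr.tag, attr.attrib).append(extra)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(evaluate_all(MATCHES, REQUEST))
    print(evaluate_all(MATCHES, REQUEST, trim=True))
```

With exact comparison the whitespace-padded AccountInformation literal does not equal the request's resource-id, so that literal is worth checking when a PDP answers NotApplicable for this request; whether a given PDP trims literals is implementation-specific.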