
xacml-users message



Subject: RE: [xacml-users] Modelling task partitions in XACML


Here is a simple rule that does not preserve the notion of "partition".
Similar rules would be required for "sign1" and the tasks (if you must
cover the case of tasks being accomplished after signing).

This hard-codes the partition information into the XACML policy; it
would be best if you could generate the policy from the workflow
description.

If your environment can provide workflow-history (actions already
completed) as well as user-history (actions performed by current user),
you could write rules for workflow sequencing as well as
separation-of-duty.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Policy [
<!ENTITY string "http://www.w3.org/2001/XMLSchema#string">
<!ENTITY string-equal "urn:oasis:names:tc:xacml:1.0:function:string-equal">
<!ENTITY action-id "urn:oasis:names:tc:xacml:1.0:action:action-id">
<!ENTITY string-bag "urn:oasis:names:tc:xacml:1.0:function:string-bag">
<!ENTITY any-of-any "urn:oasis:names:tc:xacml:1.0:function:any-of-any">
]>
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    Version="0.1"
    PolicyId="workflow"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <!-- empty policy Target: the policy applies to every request -->
  <Target/>
  <!-- deny "sign2" when the user has already done any task outside its partition -->
  <Rule RuleId="rule1" Effect="Deny">
    <Target>
      <Actions>
        <Action>
          <ActionMatch MatchId="&string-equal;">
            <AttributeValue DataType="&string;">sign2</AttributeValue>
            <ActionAttributeDesignator
                DataType="&string;"
                AttributeId="&action-id;"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <!-- true if any value in user-history string-equals any value in the bag -->
    <Condition>
      <Apply FunctionId="&any-of-any;">
        <Function FunctionId="&string-equal;"/>
        <EnvironmentAttributeDesignator
            DataType="&string;"
            AttributeId="user-history"/>
        <Apply FunctionId="&string-bag;">
          <AttributeValue DataType="&string;">t1</AttributeValue>
          <AttributeValue DataType="&string;">t2</AttributeValue>
          <AttributeValue DataType="&string;">t3</AttributeValue>
          <AttributeValue DataType="&string;">t4</AttributeValue>
          <AttributeValue DataType="&string;">t5</AttributeValue>
          <AttributeValue DataType="&string;">sign1</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>

--Paul

> -----Original Message-----
> From: Roland Illig [mailto:roland.illig@gmx.de] 
> Sent: Monday, March 02, 2009 08:26
> To: xacml-users@lists.oasis-open.org
> Subject: [xacml-users] Modelling task partitions in XACML
> 
> Hi,
> 
> I want to use XACML to implement access control in a workflow 
> system. A workflow is separated into several tasks. Some of 
> these tasks will be split into partitions, and now the fun 
> begins: If a user has executed a task from one of the 
> partitions, he must not execute any task from all the other 
> partitions. For example:
> 
>     workflow = (t1, t2, t3, t4, t5, sign1, sign2)
> 
>     partitioning = {{t1, t2, t3, t4, t5}, {sign1}, {sign2}}
> 
> Assuming that there is an environment attribute called 
> "history" that returns all the tasks that the user has 
> already executed, can I implement this restriction using only 
> plain XACML 1.0 or 2.0?
> 
> Roland
> 
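The two things the exchange above points at, generating the policy from the workflow description and checking that it really enforces the partition constraint, as an added Python example that is not part of this thread and not code from either poster. It takes the partitioning from Roland's message as constructed input, assumes the environment attribute is named "user-history" as in Paul's rule, emits one Deny rule per partition in the same shape as that rule (plus a catch-all Permit so first-applicable yields a decision), and then evaluates the generated XML with a minimal model of a PDP that understands only what the generator emits. The reference_decision function states the constraint directly so the generated policy can be cross-checked against it.

```python
"""Generate a XACML 2.0 separation-of-duty policy from a task partitioning
and evaluate it with a minimal model of a PDP (added example, not from the
mailing-list thread)."""
from xml.etree import ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING_BAG = "urn:oasis:names:tc:xacml:1.0:function:string-bag"
ANY_OF_ANY = "urn:oasis:names:tc:xacml:1.0:function:any-of-any"
FIRST_APPLICABLE = ("urn:oasis:names:tc:xacml:1.0:"
                    "rule-combining-algorithm:first-applicable")
# Assumed attribute id, taken from the rule in the reply above.
HISTORY_ATTR = "user-history"

# Constructed workflow description, as given in the question.
PARTITIONING = [{"t1", "t2", "t3", "t4", "t5"}, {"sign1"}, {"sign2"}]


def _el(parent, tag, text=None, **attrs):
    """Create a child element in the XACML 2.0 policy namespace."""
    el = ET.SubElement(parent, "{%s}%s" % (XACML_NS, tag), attrs)
    if text is not None:
        el.text = text
    return el


def generate_policy(partitioning, policy_id="workflow"):
    """One Deny rule per partition P: deny every task of P when user-history
    contains a task from any other partition. A final catch-all Permit rule
    makes first-applicable return Permit in every other case."""
    ET.register_namespace("", XACML_NS)  # serialise as the default namespace
    policy = ET.Element("{%s}Policy" % XACML_NS,
                        {"PolicyId": policy_id, "Version": "0.1",
                         "RuleCombiningAlgId": FIRST_APPLICABLE})
    _el(policy, "Target")  # empty Target: policy applies to every request
    for i, part in enumerate(partitioning, 1):
        others = sorted(set().union(*(p for p in partitioning if p is not part)))
        rule = _el(policy, "Rule", RuleId="deny-partition%d" % i, Effect="Deny")
        actions = _el(_el(rule, "Target"), "Actions")
        for task in sorted(part):  # sibling <Action> elements are OR-ed
            match = _el(_el(actions, "Action"), "ActionMatch", MatchId=STRING_EQUAL)
            _el(match, "AttributeValue", task, DataType=STRING)
            _el(match, "ActionAttributeDesignator", DataType=STRING, AttributeId=ACTION_ID)
        apply_ = _el(_el(rule, "Condition"), "Apply", FunctionId=ANY_OF_ANY)
        _el(apply_, "Function", FunctionId=STRING_EQUAL)
        _el(apply_, "EnvironmentAttributeDesignator", DataType=STRING, AttributeId=HISTORY_ATTR)
        bag = _el(apply_, "Apply", FunctionId=STRING_BAG)
        for task in others:
            _el(bag, "AttributeValue", task, DataType=STRING)
    _el(_el(policy, "Rule", RuleId="permit-otherwise", Effect="Permit"), "Target")
    return ET.tostring(policy, encoding="unicode")


def evaluate(policy_xml, action_id, user_history):
    """Minimal PDP for the subset the generator emits: first-applicable
    combining, a Target matched on action-id only, and a Condition of the
    form any-of-any(string-equal, user-history, bag). A missing user-history
    attribute is modelled as an empty bag, so the Condition is false."""
    root = ET.fromstring(policy_xml)
    ns = {"x": XACML_NS}
    history = set(user_history)
    for rule in root.findall("x:Rule", ns):
        targeted = {v.text for v in rule.findall(
            "x:Target/x:Actions/x:Action/x:ActionMatch/x:AttributeValue", ns)}
        if targeted and action_id not in targeted:
            continue  # Target does not match: rule is NotApplicable
        cond = rule.find("x:Condition/x:Apply", ns)
        if cond is not None:
            bag = {v.text for v in cond.findall("x:Apply/x:AttributeValue", ns)}
            if not history & bag:
                continue  # Condition is false: rule is NotApplicable
        return rule.get("Effect")
    return "NotApplicable"


def reference_decision(partitioning, action_id, user_history):
    """The constraint stated directly, for cross-checking the policy."""
    history = set(user_history)
    for part in partitioning:
        others = set().union(*(p for p in partitioning if p is not part))
        if action_id in part and history & others:
            return "Deny"
    return "Permit"


if __name__ == "__main__":
    xml = generate_policy(PARTITIONING)
    print(xml)
    print(evaluate(xml, "sign2", ["t1", "t3"]))  # Deny
    print(evaluate(xml, "t2", ["t1"]))           # Permit
```

Because the deny rules have a narrow Target and the Permit rule comes last, reordering the rules or switching to deny-overrides does not change the outcome; what does matter is that the PEP supplies user-history reliably, since an absent attribute makes every Deny rule NotApplicable and the request falls through to Permit.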