Hi James,
I was going to reply to your first email by simply recommending adding
the resource:purpose attribute with a value of "application processing",
which should satisfy the Rule Condition to generate a Permit.
However, from your second email it sounds like you are under the
impression that this is a problem:
"As such the resource:purpose should not be specified in the request
context since it is not something the requester should be able to
define. Is this understanding correct?"
The XACML architecture should explain why this is not a correct
understanding. In particular, section 3, Data Flow Model, which says:
"581 2. The access requester sends a request for access to the PEP.
582 3. The PEP sends the request for access to the context handler in its native request format,
583 optionally including attributes of the subjects, resource, action and environment.
584 4. The context handler constructs an XACML request context and sends it to the PDP."
The point is that the access requester is not expected to provide all
these attributes. In this case, one scenario might be that the purpose
attribute is stored with the resource, in which case the PEP or a PIP
could get it from the resource to put in the RequestContext.
Thanks,
Rich
James Mackie wrote:
I'll provide a bit more background regarding my previous post.
I am trying to use the Privacy Policy Profile of XACML 2.0.
I understand that the attribute resource:purpose specifies usage
purposes that have been consented to by the data subject.
As such they should be specified in a policy. The tag action:purpose
describes what a requester wants to do, and therefore should be
specified within the XACML request context.
The condition included in section 3.1 of the Privacy Policy Profile
should match the request:purpose with the action:purpose and permit
only if they match. As such the resource:purpose should not be
specified in the request context since it is not something the
requester should be able to define. Is this understanding correct?
Where and how should the resource:purpose tag be used?
Thanks for your time.
James Mackie
Quoting James Mackie <j.mackie@isi.qut.edu.au>:
Hi All,
I am a developer working for a research institute and I am
experimenting with using XACML and MySQL databases.
I am trying to implement the Privacy Profile, and I am using the JBoss
XACML library, which in turn uses the Sun XACML library for its
decision engine.
The question I have is very simple. I have tried to follow as closely
to the standard as possible but still cannot seem to get it to work. I
have attached the policy I have created as well as the associated
Request and Response. Could you please take a quick look and tell me
if I am doing something wrong?
Thank you very, very much for your time.
Regards,
James Mackie
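
The data flow Rich describes at the top of this thread, as an added example that is not code from either poster or from the JBoss/Sun XACML libraries: a context handler takes the PEP's native request, looks up resource:purpose from consent stored with the resource, and ignores any value the requester supplied under that name. The consent store, the native request shape, the function names and the simplified purpose check are assumptions made for illustration; the check is a stand-in, not the profile's actual Rule Condition.

```python
import xml.etree.ElementTree as ET

CTX = "{urn:oasis:names:tc:xacml:2.0:context:schema:os}"
STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_PURPOSE = "urn:oasis:names:tc:xacml:2.0:resource:purpose"
ACTION_PURPOSE = "urn:oasis:names:tc:xacml:2.0:action:purpose"

# Constructed sample data: purposes the data subject consented to, kept
# with the resource (the PIP role). In the thread this would be MySQL.
CONSENT_STORE = {"record-17": ["application processing", "billing"]}

def _attr(parent, attr_id, value):
    a = ET.SubElement(parent, CTX + "Attribute", AttributeId=attr_id, DataType=STRING)
    ET.SubElement(a, CTX + "AttributeValue").text = value

def build_request_context(native):
    """Context handler: native PEP request (a dict, assumed) -> XACML 2.0 Request."""
    req = ET.Element(CTX + "Request")
    _attr(ET.SubElement(req, CTX + "Subject"), SUBJECT_ID, native["subject"])
    resource = ET.SubElement(req, CTX + "Resource")
    _attr(resource, RESOURCE_ID, native["resource"])
    # resource:purpose is read from the store only; a "resource_purpose"
    # key sent by the requester is never copied into the context.
    for purpose in CONSENT_STORE.get(native["resource"], []):
        _attr(resource, RESOURCE_PURPOSE, purpose)
    action = ET.SubElement(req, CTX + "Action")
    _attr(action, ACTION_ID, native["action"])
    _attr(action, ACTION_PURPOSE, native["purpose"])  # requester-asserted
    ET.SubElement(req, CTX + "Environment")
    return req

def values(req, attr_id):
    """All AttributeValue texts in the request for one AttributeId."""
    return [v.text for a in req.iter(CTX + "Attribute")
            if a.get("AttributeId") == attr_id for v in a]

def purpose_permitted(req):
    """Simplified stand-in check: every action purpose was consented to."""
    wanted = values(req, ACTION_PURPOSE)
    allowed = values(req, RESOURCE_PURPOSE)
    return bool(wanted) and all(w in allowed for w in wanted)

if __name__ == "__main__":
    native = {"subject": "clerk-1", "resource": "record-17", "action": "read",
              "purpose": "application processing"}
    print(ET.tostring(build_request_context(native), encoding="unicode"))
```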