
xacml-users message



Subject: Re: [xacml-users] Fwd: XACML Privacy Profile


Hi James,

I was going to reply to your first email by simply recommending adding the resource:purpose attribute with the value "application processing", which should satisfy the Rule Condition to generate a Permit.

However, from your second email it sounds like you are under the impression that this is a problem:
"As such the resource:purpose should not be specified in the request context since it is not something the requester should be able to define. Is this understanding correct?"
The XACML architecture should explain why this is not a correct understanding. In particular, section 3, Data Flow Model, which says:
"581  2. The access requester sends a request for access to the PEP.
582   3. The PEP sends the request for access to the context handler in its native request format,
583 optionally including attributes of the subjects, resource, action and environment.
584   4. The context handler constructs an XACML request context and sends it to the PDP."
The point is that the access requester is not expected to provide all these attributes. In this case, one scenario might be that the purpose attribute is stored with the resource, in which case the PEP or a PIP could get it from the resource to put in the RequestContext.

    Thanks,
    Rich


James Mackie wrote:
I'll provide a bit more background regarding my previous post.

I am trying to use the Privacy Policy Profile of XACML 2.0.

I understand that the attribute resource:purpose specifies usage purposes that have been consented to by the data subject.
As such they should be specified in a policy. The tag action:purpose describes what a requester wants to do, and therefore should be specified within the XACML request context.
The condition included in section 3.1 of the Privacy Policy Profile should match the request:purpose with the action:purpose and permit only if they match. As such the resource:purpose should not be specified in the request context since it is not something the requester should be able to define. Is this understanding correct? Where and how should the resource:purpose tag be used?

Thanks for your time.


James Mackie

Quoting James Mackie <j.mackie@isi.qut.edu.au>:

Hi All,

I am a developer working for a research institute and I am
experimenting with using XACML and MySQL databases.

I am trying to implement the Privacy Profile, and I am using the JBoss
XACML library, which in turn uses the Sun XACML library for its
decision engine.

The question I have is very simple. I have tried to follow as closely
to the standard as possible but still cannot seem to get it to work. I
have attached the policy I have created as well as the associated
Request and Response. Could you please take a quick look and tell me
if I am doing something wrong?

Thank you very, very much for your time.

Regards,
James Mackie





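The data-flow point Rich makes above (the requester supplies action:purpose, while resource:purpose is attached to the resource and fetched by the PEP or a PIP, never taken from the requester) can be seen end to end in a small simulation. The following is an added example, not code from the thread, the Privacy Profile, or the JBoss/Sun XACML libraries: the resource store, the attribute names in short form (resource:purpose, action:purpose, as written in the thread rather than as full URNs), the list of requester-supplied attributes the PEP trusts, and the use of plain string equality for the match are all assumptions made for the illustration.

```python
"""Simulated XACML Privacy Profile data flow (constructed example).

PEP/context handler: accept only the requester's own attributes, then ask a
PIP for the resource:purpose values stored with the resource.
PDP: Permit only if action:purpose is one of the consented resource:purpose
values; a final Deny rule catches everything else.
"""

# Constructed resource store: the purposes the data subject consented to are
# kept with the record, so they never come from the requester.
RESOURCE_STORE = {
    "customer/42": {"resource:purpose": ["application processing", "billing"]},
    "customer/99": {"resource:purpose": ["billing"]},
}

# Attributes the PEP is willing to take from the requester's native request.
# resource:purpose is deliberately absent: the requester must not define it.
PEP_TRUSTED_FROM_REQUESTER = {
    "subject:subject-id",
    "resource:resource-id",
    "action:purpose",
}


def pip_resource_purposes(resource_id):
    """PIP lookup: consented purposes stored with the resource (empty if unknown)."""
    record = RESOURCE_STORE.get(resource_id)
    return list(record["resource:purpose"]) if record else []


def build_request_context(native_request):
    """Context handler step: filter requester attributes, then enrich from the resource."""
    ctx = {k: v for k, v in native_request.items() if k in PEP_TRUSTED_FROM_REQUESTER}
    ctx["resource:purpose"] = pip_resource_purposes(ctx.get("resource:resource-id", ""))
    return ctx


def privacy_rule(ctx):
    """Rule (Effect=Permit) with the purpose-matching Condition.

    Returns 'Permit' when the condition holds, 'NotApplicable' when it is
    false, and 'Indeterminate' when a required attribute is missing, which
    mirrors how a missing designator value surfaces in a real PDP.
    """
    action_purpose = ctx.get("action:purpose")
    consented = ctx.get("resource:purpose", [])
    if action_purpose is None or not consented:
        return "Indeterminate"
    # any-of(string-equal, action:purpose, resource:purpose bag)
    return "Permit" if any(action_purpose == p for p in consented) else "NotApplicable"


def deny_all_rule(ctx):
    """Final catch-all rule (Effect=Deny) with no condition."""
    return "Deny"


def first_applicable(rules, ctx):
    """first-applicable rule combining: the first non-NotApplicable result wins."""
    for rule in rules:
        result = rule(ctx)
        if result != "NotApplicable":
            return result
    return "NotApplicable"


POLICY = [privacy_rule, deny_all_rule]


def decide(native_request):
    """Full path: native request -> request context -> PDP decision."""
    return first_applicable(POLICY, build_request_context(native_request))


if __name__ == "__main__":
    # Consented purpose: Permit.
    print(decide({"subject:subject-id": "alice",
                  "resource:resource-id": "customer/42",
                  "action:purpose": "application processing"}))
    # Requester tries to assert consent itself: the attribute is dropped, so Deny.
    print(decide({"subject:subject-id": "mallory",
                  "resource:resource-id": "customer/99",
                  "action:purpose": "marketing",
                  "resource:purpose": ["marketing"]}))
```

The filtering in build_request_context is the security-relevant step: because resource:purpose is populated from the resource store rather than copied from the native request, a requester cannot enlarge the set of consented purposes by including that attribute in its own request, and the second call above is denied even though the requester claimed consent for "marketing".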


