Re: [xacml-users] Info on the Hl7 Permissions

[Ludwig Seitz <ludwig@axiomatics.com>]

massimiliano.masi@gmail.com wrote:
> Hi All,
> 
> I have a question regarding the value of the Hl7 Permission defined by the
> XSPA-XACML profile.
> 
> <saml2:Attribute
>    FriendlyName="Hl7 Permissions"
>    Name="urn:oasis:names:tc:xspa:1.0:subject:hl7:permission"
>    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>   <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema";
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
>     xsi:type="xs:string">
>       urn:oasis:names:tc:xspa:1.0:subject:hl7:PRD-004
>   </saml2:AttributeValue>
> 
> In the documents contains sample SAML assertions found in the OASIS
> website, the value of
> this attribute is set as shown in the above fragment, but there are no
> normative information
> on how to encode the Hl7 Permission.
> 
> My doubt is the following: prefixing the permission using
> urn:oasis:names:tc:xspa:1.0:subject:hl7
> doesn't have a semantic of the exact value (the permission).
> 
> Wouldn't be better to specify exactly what is this value? e.g. by
> adding urn:oasis:names:tc:xspa:1.0:subject:hl7:permission:PRD-004?
> Or even to avoid to prefix with anything, since the attribute name is
> already specifying the value?
>

I think you might be misunderstanding the spec. 
"urn:oasis:names:tc:xspa:1.0:subject:hl7:permission" is not a prefix, 
but the identifier of the attribute (the spec is not very clear on 
this). The actual permission value would be the attribute value.

My best guess is that an XACML example for the HL7 permission "PRD-012" 
would look like this:

<Attribute AttributeId="urn:oasis:names:tc:xspa:1.0:subject:hl7:permission">
<AttributeValue DataType="string">PRD-012</AttributeValue>
</Attribute>

Regards,

Ludwig Seitz


-- 
Ludwig Seitz, PhD             |   Axiomatics AB
Training & Development        |   Electrum 223
Phone: +46 (0)760 44 22 91    |   S-164 40 Kista, Sweden
Mail: ludwig@axiomatics.com   |