Subject: RE: [xacml] How to implement hierarchies in our model
-----Original Message-----
From: Tim Moses [mailto:tim.moses@entrust.com]
Sent: Tuesday, November 27, 2001 4:42 PM
To: 'XACML'
Subject: [xacml] How to implement hierarchies in our model

Colleagues - Below you will find some XML instances for policy and assertions, and an XML schema for attributes, to express a hierarchical policy in our model and candidate XACML schema. You should not look too carefully. I feel certain that there are better ways of representing the information. Nevertheless, I hope you will agree that the model is capable of representing policy over hierarchically-ordered attributes. All the best. Tim.
1. XACML policy
This XACML instance expresses the Bell-LaPadula "read down" policy.

<?xml version="1.0" encoding="UTF-8"?>
<applicablePolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <policy>
    <applicability>
      <resourceClassification>http://www.someOrganization/classifiedDocument</resourceClassification>
      <resourceAction>read</resourceAction>
    </applicability>
    <rule>
      <preCondition>
        <predicate>
          <greaterOrEqual>
            <referencedData>
              <roleAttribute>http://www.someOrganization/</roleAttribute>
            </referencedData>
            <secondOperand>
              <referencedData>
                <resourceClassification>http://www.pep.org ? type=http://www.someIdentifier.org/</resourceClassification>
              </referencedData>
            </secondOperand>
          </greaterOrEqual>
        </predicate>
      </preCondition>
    </rule>
  </policy>
</applicablePolicy>

2. Authentication assertion
This SAML authentication assertion indicates that the person whose password hashes to h5*@fo8/k is Jo Schmo. The assertion ID is cdefg.

<?xml version="1.0" encoding="UTF-8"?>
<saml:Assertion xmlns:saml="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-19.xsd"
    MajorVersion="0" MinorVersion="20" AssertionID="cdefg" Issuer="someOrganization" IssueInstant="13:45. 01 Nov 2001">
  <saml:AuthenticationStatement>
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="someOrganization" Name="Jo Schmo"/>
    </saml:Subject>
    <saml:SubjectConfirmation>
      <saml:ConfirmationMethod>http://www.oasis-open.org/confirmationRegistry</saml:ConfirmationMethod>
      <saml:SubjectConfirmationData>h5*@fo8/k</saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:AuthenticationStatement>
</saml:Assertion>

3. Attribute assertion
This SAML attribute assertion indicates that the individual authenticated by assertion cdefg has a TOP SECRET clearance.

<?xml version="1.0" encoding="UTF-8"?>
<!-- A saml attribute assertion indicating that the principal who can be authenticated by saml authentication assertion "cdefg" has a TOP SECRET clearance -->
<saml:Assertion xmlns:saml="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-19.xsd"
    MajorVersion="0" MinorVersion="20" AssertionID="bcdef" Issuer="" IssueInstant="12:00,11 Nov 2001">
  <saml:AssertionSpecifier>
    <saml:AssertionID>cdefg</saml:AssertionID>
  </saml:AssertionSpecifier>
  <saml:Attribute>
    <saml:AttributeValue>http://www.someIdentifier.org/3</saml:AttributeValue>
  </saml:Attribute>
</saml:Assertion>

4. Resource assertion
This SAML resource assertion is an assertion by the PEP that the resource for which access is requested has a SECRET label.

<?xml version="1.0" encoding="UTF-8"?>
<!-- A saml resource attribute assertion, issued by the PEP, indicating that the resource has a SECRET label -->
<saml:Assertion xmlns:saml="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-19.xsd"
    MajorVersion="0" MinorVersion="20" AssertionID="abcde" Issuer="http://www.pep.org" IssueInstant="13:00;27 Nov 2001">
  <saml:Attribute>
    <saml:AttributeValue>http://www.someIdentifier.org/2</saml:AttributeValue>
  </saml:Attribute>
</saml:Assertion>

5. Attribute schema
This schema indicates that clearance and label attributes are positive integers.

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
    targetNamespace="http://www.someIdentifier.org"
    elementFormDefault="qualified" attributeFormDefault="unqualified">
  <xs:attribute name="clearance" type="xs:positiveInteger"/>
  <xs:attribute name="label" type="xs:positiveInteger"/>
</xs:schema>
-----------------------------------------
Tim Moses
Tel: 613.270.3183
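A small policy-decision routine for the "read down" rule in the message above, added here as an illustration; it is not code from the xacml list or from any XACML implementation. It embeds the message's policy instance (with the closing tag restored and the unused xsi declaration dropped), maps the AttributeValue strings carried in the attribute and resource assertions (http://www.someIdentifier.org/3 for TOP SECRET, .../2 for SECRET) onto the positive integers the attribute schema declares, and evaluates the greaterOrEqual predicate. The function names decide and ordinal, the rule that a referencedData child tagged roleAttribute resolves to the subject's clearance and one tagged resourceClassification to the resource's label, and the treatment of missing or mistyped data as Indeterminate are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# The message's XACML "read down" policy with its closing tag restored
# (the unused xsi namespace declaration is dropped); operand strings are
# kept exactly as posted.
POLICY_XML = """<applicablePolicy>
  <policy>
    <applicability>
      <resourceClassification>http://www.someOrganization/classifiedDocument</resourceClassification>
      <resourceAction>read</resourceAction>
    </applicability>
    <rule>
      <preCondition>
        <predicate>
          <greaterOrEqual>
            <referencedData>
              <roleAttribute>http://www.someOrganization/</roleAttribute>
            </referencedData>
            <secondOperand>
              <referencedData>
                <resourceClassification>http://www.pep.org ? type=http://www.someIdentifier.org/</resourceClassification>
              </referencedData>
            </secondOperand>
          </greaterOrEqual>
        </predicate>
      </preCondition>
    </rule>
  </policy>
</applicablePolicy>"""

# Attribute identifier prefix used by the message's assertions; the trailing
# path segment is the ordinal the attribute schema types as positiveInteger
# (the message uses 3 for TOP SECRET and 2 for SECRET).
ATTR_NS = "http://www.someIdentifier.org/"


def ordinal(attribute_value):
    """Map an attribute value URI to its integer level, enforcing the
    positiveInteger type the schema declares. Anything else is rejected
    rather than compared as a string ("10" < "9" lexically)."""
    if not attribute_value.startswith(ATTR_NS):
        raise ValueError(f"attribute value outside {ATTR_NS}: {attribute_value!r}")
    suffix = attribute_value[len(ATTR_NS):]
    if not suffix.isdigit() or int(suffix) < 1:
        raise ValueError(f"not a positive integer: {suffix!r}")
    return int(suffix)


def decide(policy_xml, subject_clearance, resource_label, action="read"):
    """Evaluate the read-down policy for one request and return Permit, Deny,
    NotApplicable (wrong action) or Indeterminate (missing/mistyped data).
    subject_clearance and resource_label are the AttributeValue strings from
    the subject's attribute assertion and the PEP's resource assertion."""
    root = ET.fromstring(policy_xml)
    if root.findtext("policy/applicability/resourceAction") != action:
        return "NotApplicable"
    predicate = root.find("policy/rule/preCondition/predicate/greaterOrEqual")
    if predicate is None:
        return "Indeterminate"
    # Operand layout as in the message: the first operand is a bare
    # <referencedData>, the second sits inside <secondOperand>. The child
    # tag of each tells the PDP which request attribute to resolve
    # (assumption of this example: roleAttribute -> subject clearance,
    # resourceClassification -> resource label).
    context = {"roleAttribute": subject_clearance,
               "resourceClassification": resource_label}
    operands = (predicate.find("referencedData"),
                predicate.find("secondOperand/referencedData"))
    try:
        levels = [ordinal(context[list(ref)[0].tag]) for ref in operands]
    except (TypeError, IndexError, KeyError, ValueError):
        return "Indeterminate"  # never fall through to Permit on bad data
    return "Permit" if levels[0] >= levels[1] else "Deny"


if __name__ == "__main__":
    TOP_SECRET, SECRET = ATTR_NS + "3", ATTR_NS + "2"
    print(decide(POLICY_XML, TOP_SECRET, SECRET))             # Permit: read down
    print(decide(POLICY_XML, SECRET, TOP_SECRET))             # Deny: no read up
    print(decide(POLICY_XML, ATTR_NS + "10", ATTR_NS + "9"))  # Permit: numeric order
    print(decide(POLICY_XML, SECRET, "SECRET"))               # Indeterminate: off-schema
```

Two design points matter for a hierarchy expressed this way: the comparison must be made on the integer the schema declares, not on the identifier string, or a ten-level hierarchy orders "10" below "9"; and an attribute that is absent or outside the declared type must produce Indeterminate, so that a missing clearance can never satisfy greaterOrEqual by accident.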