OASIS Mailing List Archives
xacml message

Subject: [xacml] XML Access Control Policy Example


This is the XML Access Control Policy Example based on the XACML
RequestContext proposal. I follow the style that Anne used:

- Access request description in English
- XACML Context specification of the above
- Sample J2SE policy in English
- XACML policy specification of the above
             (not an exact one; a simplified description is enough)
- How XACML policy specification refers to each attribute in XACML Context
- Desirable final decision
- ...


EXAMPLE ACCESS REQUEST DESCRIPTION IN ENGLISH

Read access has been requested for the element of
    "record/patient/patientDoB"
of the XML instance
    "//medico.com/med.xml"
whose schema is defined as
    "medico.com/records.xsd"

The user executing the thread from which the access request was
generated was authenticated as
  o  NameIdentifier is "Julius Hibbert", NameQualifier is "//medico.com"
  o  Role is "Physician", AttributeQualifier is "//medico.com"


PROPOSED XACML CONTEXT SPECIFICATION OF THE ABOVE

- Unabbreviated Syntax (the target XML is referred to by "ResourceURI")

<xacml:RequestContext>
  <xacml:ContextPrincipals>
    <xacml:Principal PrincipalType="RequestingUser">
      <xacml:Attribute AttributeName="NameIdentifier"
                       AttributeNamespace="//medico.com">
        Julius Hibbert
      </xacml:Attribute>
      <xacml:Attribute AttributeName="Role" AttributeNamespace="//medico.com">
        Physician
      </xacml:Attribute>
    </xacml:Principal>
  </xacml:ContextPrincipals>

  <xacml:ContextResource>
    <xacml:Resource ResourceType="XML">
      <xacml:Attribute AttributeName="ResourceURI">
        //medico.com/med.xml
      </xacml:Attribute>
      <xacml:Attribute AttributeName="XPath">
        record/patient/patientDoB
      </xacml:Attribute>
      <xacml:Attribute AttributeName="XMLSchema">
        medico.com/records.xsd
      </xacml:Attribute>
    </xacml:Resource>
  </xacml:ContextResource>

  <xacml:ContextAction>
    <xacml:Action ActionType="XMLAction">
      <xacml:Attribute AttributeName="read"/>
    </xacml:Action>
  </xacml:ContextAction>
</xacml:RequestContext>


- Abbreviated Syntax (the target XML is referred to by "ResourceURI")

<xacml:RequestContext>
  <xacml:ContextPrincipals>
    <x:RequestingUser>
      <x:NameIdentifier AttributeNamespace="//medico.com">Julius Hibbert</x:NameIdentifier>
      <x:Role AttributeNamespace="//medico.com">Physician</x:Role>
    </x:RequestingUser>
  </xacml:ContextPrincipals>

  <xacml:ContextResource>
    <x:XML>
      <x:ResourceURI>//medico.com/med.xml</x:ResourceURI>
      <x:XPath>record/patient/patientDoB</x:XPath>
      <x:XMLSchema>medico.com/records.xsd</x:XMLSchema>
    </x:XML>
  </xacml:ContextResource>

  <xacml:ContextAction>
    <x:XMLAction>
      <x:read/>
    </x:XMLAction>
  </xacml:ContextAction>
</xacml:RequestContext>


SAMPLE POLICY IN ENGLISH

Grant read access to the resource "//medico.com/med.xml", element
"record/patient/patientDoB" (schema "medico.com/records.xsd"), if the
requesting user's role is Physician.


XACML POLICY SPECIFICATION OF THE ABOVE

The following rule is included in an xacml:policyStatement where the
ruleCombiningAlgId allows access if any rule allows
access.

- Unabbreviated Syntax

<xacml:rule ruleId="rule1" effect="Permit">
  <xacml:target>
    <xacml:subjects>
      <xacml:subjectEq AttributeSelector="Principal[@PrincipalType='RequestingUser']/Attribute[@AttributeName = 'Role']">
        Physician
      </xacml:subjectEq>
    </xacml:subjects>

    <xacml:resources>
      <xacml:resourceEq AttributeSelector="Resource[@ResourceType='XML']/Attribute[@AttributeName = 'ResourceURI']">
        //medico.com/med.xml
      </xacml:resourceEq>
      <xacml:resourceEq AttributeSelector="Resource[@ResourceType='XML']/Attribute[@AttributeName = 'XPath']">
        /record/patient/patientDoB
      </xacml:resourceEq>
      <xacml:resourceEq AttributeSelector="Resource[@ResourceType='XML']/Attribute[@AttributeName = 'XMLSchema']">
        medico.com/records.xsd
      </xacml:resourceEq>
    </xacml:resources>

    <xacml:actions>
      <xacml:actionEq AttributeSelector="Action[@ActionType='XMLAction']/Attribute/@AttributeName">
        read
      </xacml:actionEq>
    </xacml:actions>
  </xacml:target>
</xacml:rule>


- Abbreviated Syntax

<xacml:rule ruleId="rule1" effect="Permit">
  <xacml:target>
    <xacml:subjects>
      <xacml:subjectEq AttributeSelector="/x:RequestingUser/x:Role">Physician</xacml:subjectEq>
    </xacml:subjects>
    <xacml:resources>
      <xacml:resourceEq AttributeSelector="/x:XML/x:ResourceURI">//medico.com/med.xml</xacml:resourceEq>
      <xacml:resourceEq AttributeSelector="/x:XML/x:XPath">/record/patient/patientDoB</xacml:resourceEq>
      <xacml:resourceEq AttributeSelector="/x:XML/x:XMLSchema">medico.com/records.xsd</xacml:resourceEq>
    </xacml:resources>
    <xacml:actions>
      <xacml:actionEq AttributeSelector="/x:XMLAction/local-name()">read</xacml:actionEq>
    </xacml:actions>
  </xacml:target>
</xacml:rule>



HOW XACML POLICY SPECIFICATION REFERS TO EACH ATTRIBUTE IN XACML CONTEXT

- The unabbreviated policy refers to the unabbreviated XACML Context. The
abbreviated policy refers to the abbreviated XACML Context.

- In the example above, I have used full XPATH expressions starting from
RequestContext to refer to attributes in the request context. Under the
rule/target/subjects section of a rule, I assumed that the root is
RequestContext/ContextPrincipals. I assumed similarly for the resource and
the action section of a rule.

- The entries within the subjects element and within the resources element
are connected by AND. For example, the target resource matches only if the
resource URI is "//medico.com/med.xml", the XPath matches
"/record/patient/patientDoB", and the XML Schema is "medico.com/records.xsd".

- The target resource can be referred to in two ways: as a detached resource
or as an embedded resource. For the former, the target XML instance is
referred to by URI. In the latter, the target XML body is embedded in the
XACML Context, and the system treats the target XML instance as if it began
at the child element of the Attribute element whose AttributeName is
"ResourceBody".

Unabbreviated Syntax (the target XML is embedded in "ResourceBody")

  <xacml:ContextResource>
    <xacml:Resource ResourceType="XML">
      <xacml:Attribute AttributeName="ResourceBody">
        <y:record xmlns="medico.com/records.xsd" ...>
          <y:patient>
            <y:patientName>
            <y:patientDoB>
            ...
        </y:record>
      </xacml:Attribute>
    </xacml:Resource>
  </xacml:ContextResource>

When the target XML instance is referred from the policy, the root element
of the target XML should be located just below the <Attribute> element.
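As an added illustration (not part of the post), the following Python evaluates rule1 from the unabbreviated policy above against the unabbreviated RequestContext, rooting each target section at the context section the post names (subjects at ContextPrincipals, resources at ContextResource, actions at ContextAction) and ANDing the entries within a section. The xacml namespace URI and the condensed sample documents are constructed here, since the post declares no namespace.

```python
import re
import xml.etree.ElementTree as ET
NS = "urn:example:xacml-draft"  # constructed: the post declares no URI for xacml:
NSMAP = {"": NS, "xacml": NS}   # unprefixed selector steps also resolve to NS

# Constructed sample: the post's unabbreviated context and rule1, condensed.
CONTEXT = f"""<xacml:RequestContext xmlns:xacml="{NS}">
<xacml:ContextPrincipals><xacml:Principal PrincipalType="RequestingUser">
 <xacml:Attribute AttributeName="NameIdentifier" AttributeNamespace="//medico.com">Julius Hibbert</xacml:Attribute>
 <xacml:Attribute AttributeName="Role" AttributeNamespace="//medico.com">Physician</xacml:Attribute>
</xacml:Principal></xacml:ContextPrincipals>
<xacml:ContextResource><xacml:Resource ResourceType="XML">
 <xacml:Attribute AttributeName="ResourceURI">//medico.com/med.xml</xacml:Attribute>
 <xacml:Attribute AttributeName="XPath">/record/patient/patientDoB</xacml:Attribute>
 <xacml:Attribute AttributeName="XMLSchema">medico.com/records.xsd</xacml:Attribute>
</xacml:Resource></xacml:ContextResource>
<xacml:ContextAction><xacml:Action ActionType="XMLAction">
 <xacml:Attribute AttributeName="read"/>
</xacml:Action></xacml:ContextAction></xacml:RequestContext>"""
RULE = f"""<xacml:rule xmlns:xacml="{NS}" ruleId="rule1" effect="Permit"><xacml:target>
<xacml:subjects><xacml:subjectEq AttributeSelector="Principal[@PrincipalType='RequestingUser']/Attribute[@AttributeName='Role']">Physician</xacml:subjectEq></xacml:subjects>
<xacml:resources>
 <xacml:resourceEq AttributeSelector="Resource[@ResourceType='XML']/Attribute[@AttributeName='ResourceURI']">//medico.com/med.xml</xacml:resourceEq>
 <xacml:resourceEq AttributeSelector="Resource[@ResourceType='XML']/Attribute[@AttributeName='XPath']">/record/patient/patientDoB</xacml:resourceEq>
 <xacml:resourceEq AttributeSelector="Resource[@ResourceType='XML']/Attribute[@AttributeName='XMLSchema']">medico.com/records.xsd</xacml:resourceEq>
</xacml:resources>
<xacml:actions><xacml:actionEq AttributeSelector="Action[@ActionType='XMLAction']/Attribute/@AttributeName">read</xacml:actionEq></xacml:actions>
</xacml:target></xacml:rule>"""

# Each target section is evaluated relative to the context section the post names.
SECTIONS = {"subjects": "ContextPrincipals", "resources": "ContextResource", "actions": "ContextAction"}

def select(root, selector):
    """Run an AttributeSelector against a context section: attribute values for a
    trailing /@name step (ElementTree cannot select attributes), else element text."""
    m = re.fullmatch(r"(.*)/@(\w+)", selector)
    nodes = root.findall(m.group(1) if m else selector, NSMAP)
    if m:
        return [n.get(m.group(2)) for n in nodes if n.get(m.group(2)) is not None]
    return [(n.text or "").strip() for n in nodes]

def evaluate(rule_xml, context_xml):
    """Rule effect if every *Eq entry of every section matches (ANDed), else NotApplicable."""
    rule, ctx = ET.fromstring(rule_xml), ET.fromstring(context_xml)
    for section, ctx_section in SECTIONS.items():
        root = ctx.find(f"xacml:{ctx_section}", NSMAP)
        for entry in rule.find(f"xacml:target/xacml:{section}", NSMAP):
            if root is None or (entry.text or "").strip() not in select(root, entry.get("AttributeSelector")):
                return "NotApplicable"
    return rule.get("effect")
```

A request whose Role is anything but Physician, or whose XPath attribute omits the leading "/" that the policy's value carries (as the post's own context does), evaluates to NotApplicable, so context and policy must agree on one form of the XPath value.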


DESIRABLE FINAL DECISION

Since this example is based on the proposal "XACML Context proposal based
on more flatten structure", the flattened XACML Context structure is the
desirable final decision.

Michiharu Kudo

IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428
