Subject: [xacml] [schema] AttributeDesignators without XPATH


Attached is a concrete proposal for a possibly simpler
AttributeDesignator syntax.  It does not require XPATH, and is
capable of supporting other query formats.

It requires more work, but I want to see if people are interested
in pursuing this approach.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

Title:   AttributeDesignators without XPATH
Author:  Anne Anderson
Version: 1.2, 02/07/23 (yy/mm/dd)
Source:  /home/aa74233/projects/xacml/SCCS/s.SimpleTargets.txt

One possible way to simplify AttributeDesignator is to make it a
set of attribute values that are to be matched against attribute
values present in the Request.

The semantics of an AttributeDesignator become:

   "return the requested value(s) where all specified xml
    attribute values match"

This has the advantage (for at least some people) of not
requiring support for XPATH.  If the value you want to select is
a sub-element of an Attribute in the Request, I have provided a
way for you to specify the "path" to that sub-element.  The
default format for such a path is XPATH 1.0, but I provide a way
to specify other formats.

Below are possible schemas for the Request Subject and for the
Policy SubjectAttributeDesignator that illustrate this approach.
If it seems worth pursuing, I will produce schemas for Resource,
Action, ResourceAttributeDesignator, and
ActionAttributeDesignator as well.

-Anne

A. Request Context Subject element

   <xs:complexType name="SubjectType">
       <xs:sequence>
           <xs:element name="Attribute"
                     type="xacmlContext:AttributeType"
                     minOccurs="0" maxOccurs="unbounded"/>
           <!-- an Attribute can be a ds:KeyInfo -->
       </xs:sequence>
       <xs:attribute name="SubjectCategory" type="xs:anyURI"
                     default="identifier:AccessSubject"/>
       <xs:attribute name="SubjectIdFormat" type="xs:anyURI"
                     default="xs:string"/>
       <xs:attribute name="SubjectIdQualifier" type="xs:string"
                     use="optional"/>
       <xs:attribute name="SubjectId" type="xs:string"
                     use="optional"/>
   </xs:complexType>

B. SubjectAttributeDesignator

   <xs:complexType name="SubjectAttributeDesignatorType">
       <xs:attribute name="SubjectCategory"
                     type="xs:anyURI"
                     default="identifier:AccessSubject"/>
       <xs:attribute name="SubjectIdFormat"
                     type="xs:anyURI" default="xs:string"/>
       <xs:attribute name="SubjectIdQualifier"
                     type="xs:string" use="optional"/>
       <xs:attribute name="SubjectId"
                     type="xs:string" use="optional"/>
       <xs:attribute name="AttributeName"
                     type="xs:string" use="optional"/>
       <xs:attribute name="AttributeNamespace"
                     type="xs:anyURI" use="optional"/>
       <!-- Namespace is required if Name is present -->
       <xs:attribute name="AttributeIssuer"
                     type="xs:anyURI" use="optional"/>
       <xs:attribute name="AttributeIssueInstant"
                     type="xs:dateTime" use="optional"/>
       <xs:attribute name="AttributePath"
                     type="xs:any" use="optional"/>
       <!-- Used when DataElement is "AttributeValue"
            and you want a sub-element of the Attribute value -->
       <xs:attribute name="AttributePathFormat"
                     type="xs:urn" default="xs:oasis:1.0:XPATH"/>
       <xs:attribute name="DataType"
                     type="xs:urn" use="required"/>
       <xs:attribute name="DataElement"
                     type="SubjectDataElementType"
                     use="required"/>
       <!-- this attribute indicates the actual data you want to select -->
   </xs:complexType>

   <xs:simpleType name="SubjectDataElementType">
       <xs:restriction base="xs:string">
           <xs:enumeration value="SubjectCategory"/>
           <xs:enumeration value="SubjectIdFormat"/>
           <xs:enumeration value="SubjectIdQualifier"/>
           <xs:enumeration value="SubjectId"/>
           <xs:enumeration value="AttributeName"/>
           <xs:enumeration value="AttributeNamespace"/>
           <xs:enumeration value="AttributeIssuer"/>
           <xs:enumeration value="AttributeIssueInstant"/>
           <xs:enumeration value="AttributeValue"/>
       </xs:restriction>
   </xs:simpleType>

   A list of data elements is returned, consisting of all entries
   under Request/Subject for which all specified xml attributes
   match.

C. Example:

Request in English:

  A user with role "System Administrator" and date of birth
  "11/6/50" requests access to a resource from code that was
  downloaded from "file:/net/base/classes/app.jar".  The code was
  signed by "cn=Corporate Auditor, o=Acme Corp, c=US" and by
  "cn=AppSigner, o=Acme Corp, c=us".

<Request>
    <Subject SubjectCategory="urn:j2se:XACML:subjectcategories:CodeSource"
             SubjectIdFormat="url"
             SubjectId="file:/net/base/classes/app.jar">
        <Attribute AttributeId="urn:j2se:XACML:attributes:CodeSigner"
             DataType="urn:x500:DistinguishedName">
             "cn=AppSigner, o=Acme Corp, c=US"
        </Attribute>
        <Attribute AttributeId="urn:j2se:XACML:attributes:CodeSigner"
             Issuer="urn:acme:cn=CFO,o=Acme_Corp,c=US"
             DataType="urn:x500:DistinguishedName">
             "cn=Corporate Auditor, o=Acme Corp, c=US"
        </Attribute>
    </Subject>
    <Subject>
        <Attribute AttributeId="urn:role"
                DataType="xs:string">
            "System Administrator"
        </Attribute>
        <Attribute AttributeId="urn:dateOfBirth"
                DataType="xs:dateTime">
            "11/6/50"
        </Attribute>
    </Subject>
    <Resource>
        ....
    <Action>
        ....
</Request>

Rule in English:
  Only a system administrator is allowed to access Resource X,
  and only from code signed by the Corporate Auditor.

<Rule RuleId="urn:Acme:rules:Rule1" Effect="Permit">
   <Target>
      <Subjects MatchId="function:alwaysTRUE"/>
      <Resources MatchId="function:string-equal">
          <ResourceAttributeDesignator Format="xs:string"
                 DataElement="ResourceId"/>
          <Attribute DataType="xs:string">
                 "X"
          </Attribute>
      </Resources>
      <Actions MatchId="function:alwaysTRUE"/>
   </Target>
   <Condition FunctionId="function:and">
      <Function FunctionId="function:string-equals">
          <SubjectAttributeDesignator Format="xs:string"
                 DataElement="AttributeValue"
                 AttributeName="urn:role"/>
          <Attribute DataType="xs:string">
                 "System Administrator"
          </Attribute>
      </Function>
      <Function FunctionId="function:string-equals">
          <SubjectAttributeDesignator Format="urn:x500:DistinguishedName"
              DataElement="AttributeValue"
                 AttributeName="urn:j2se:XACML:attributes:CodeSigner"/>
          <Attribute DataType="xs:string">
                 "cn=Corporate Auditor, o=Acme Corp, c=US"
          </Attribute>
      </Function>
   </Condition>
</Rule>

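The selection semantics the proposal gives for the designator ("return the requested value(s) where all specified xml attribute values match") are easy to state and slightly subtle to apply, because the schema defaults mean an omitted SubjectCategory still constrains the match, and because a designator returns a bag, not a single value. The following is an added example, not code from the proposal or from the XACML TC: a small Python evaluator for the proposed SubjectAttributeDesignator, run over a Request constructed from the example in section C (Resource and Action omitted, the quoted values kept as plain text). Assumptions are labelled in the code: the designator's `AttributeName` is matched against the Request's `AttributeId` and its `AttributeIssuer` against `Issuer`, since the example Request and the schema use different names; only `SubjectCategory` is defaulted on the designator side; `DataType` and `AttributePath` are not modelled.

```python
"""Evaluator for the proposed SubjectAttributeDesignator matching semantics.
Added example, not part of the proposal.  Every Subject, and every Attribute
under it, is tested; an entry is selected when ALL xml attributes given on the
designator match, and the DataElement named on the designator is returned for
each hit, so the result is a list (a bag), never a single value."""
import xml.etree.ElementTree as ET

# Constructed Request, following the example in section C of the proposal.
# The second Subject carries no SubjectCategory, so the schema default
# identifier:AccessSubject applies to it.
REQUEST_XML = """
<Request>
  <Subject SubjectCategory="urn:j2se:XACML:subjectcategories:CodeSource"
           SubjectIdFormat="url"
           SubjectId="file:/net/base/classes/app.jar">
    <Attribute AttributeId="urn:j2se:XACML:attributes:CodeSigner"
               DataType="urn:x500:DistinguishedName">cn=AppSigner, o=Acme Corp, c=US</Attribute>
    <Attribute AttributeId="urn:j2se:XACML:attributes:CodeSigner"
               Issuer="urn:acme:cn=CFO,o=Acme_Corp,c=US"
               DataType="urn:x500:DistinguishedName">cn=Corporate Auditor, o=Acme Corp, c=US</Attribute>
  </Subject>
  <Subject>
    <Attribute AttributeId="urn:role" DataType="xs:string">System Administrator</Attribute>
    <Attribute AttributeId="urn:dateOfBirth" DataType="xs:dateTime">11/6/50</Attribute>
  </Subject>
</Request>
"""

# Defaults taken from the proposed SubjectType schema (Request side).
SUBJECT_DEFAULTS = {"SubjectCategory": "identifier:AccessSubject",
                    "SubjectIdFormat": "xs:string"}
# Assumption: on the designator side only SubjectCategory is treated as
# "specified" when omitted; the other attributes constrain only when given.
DESIGNATOR_DEFAULTS = {"SubjectCategory": "identifier:AccessSubject"}

SUBJECT_KEYS = ("SubjectCategory", "SubjectIdFormat", "SubjectIdQualifier", "SubjectId")
ATTR_KEYS = ("AttributeName", "AttributeIssuer", "AttributeIssueInstant", "AttributeValue")


def _subject_view(subj):
    view = dict(SUBJECT_DEFAULTS)
    view.update(subj.attrib)
    return view


def _attribute_view(attr):
    # Assumption: the Request's AttributeId / Issuer / IssueInstant carry the
    # same meaning as the designator's AttributeName / AttributeIssuer /
    # AttributeIssueInstant (the proposal's example uses both spellings).
    return {"AttributeName": attr.get("AttributeId"),
            "AttributeIssuer": attr.get("Issuer"),
            "AttributeIssueInstant": attr.get("IssueInstant"),
            "AttributeValue": (attr.text or "").strip()}


def designate(request_xml, designator):
    """Return the DataElement values of every Request/Subject/Attribute entry
    whose xml attributes match ALL those specified on the designator."""
    spec = dict(DESIGNATOR_DEFAULTS)
    spec.update(designator)
    data_element = spec.pop("DataElement")
    unknown = set(spec) - set(SUBJECT_KEYS) - set(ATTR_KEYS)
    if unknown:
        raise ValueError("unsupported designator attributes: %s" % sorted(unknown))
    subject_spec = {k: v for k, v in spec.items() if k in SUBJECT_KEYS}
    attr_spec = {k: v for k, v in spec.items() if k in ATTR_KEYS}

    results = []
    for subj in ET.fromstring(request_xml).findall("Subject"):
        sview = _subject_view(subj)
        if any(sview.get(k) != v for k, v in subject_spec.items()):
            continue
        matching = [a for a in map(_attribute_view, subj.findall("Attribute"))
                    if all(a.get(k) == v for k, v in attr_spec.items())]
        if data_element in SUBJECT_KEYS:
            # Subject-level element: one result per Subject, provided any
            # Attribute-level constraints on the designator are satisfied.
            if (not attr_spec or matching) and sview.get(data_element) is not None:
                results.append(sview[data_element])
        else:
            results.extend(a[data_element] for a in matching
                           if a.get(data_element) is not None)
    return results


def rule1_permits(request_xml):
    """Condition of Rule1 in the proposal: role is System Administrator AND the
    code was signed by the Corporate Auditor.  Each designator yields a bag, so
    the comparison is 'any value equals'.  The CodeSigner designator must name
    the CodeSource category explicitly: with the schema default of
    identifier:AccessSubject it would select the wrong Subject and return []."""
    roles = designate(request_xml, {"AttributeName": "urn:role",
                                    "DataElement": "AttributeValue"})
    signers = designate(request_xml, {
        "SubjectCategory": "urn:j2se:XACML:subjectcategories:CodeSource",
        "AttributeName": "urn:j2se:XACML:attributes:CodeSigner",
        "DataElement": "AttributeValue"})
    return ("System Administrator" in roles
            and "cn=Corporate Auditor, o=Acme Corp, c=US" in signers)
```

Two things this shows that the prose alone does not: a designator with no SubjectCategory silently selects only AccessSubject entries, so the CodeSigner check in the Rule only works once the category is given; and because the CodeSource subject carries two CodeSigner values, a policy language built on this designator needs bag-aware comparison functions (any-of / all-of) rather than a plain string-equals.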
