[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: [xacml] [schema] AttributeDesignators without XPATH
Since Anne's proposal and my old proposal (3rd June, unabbreviated format)
look alike, I am also happy with the syntax of her proposal. That is a
"flattened context structure" in my mind. I rather prefer that syntax
because it is much simpler and manageable. The following links are my old
proposal and examples.
http://lists.oasis-open.org/archives/xacml/200206/msg00003.html
http://lists.oasis-open.org/archives/xacml/200206/msg00002.html
The following is an example of the context I used in my old proposal.
<RequestContext>
<ContextPrincipals>
<Principal PrincipalType="RequestingUser">
<Attribute AttributeName="NameIdentifier"
AttributeNamespace="//medico.com">
Julius Hibbert
</Attribute>
<Attribute AttributeName="Role" AttributeNamespace
="//medico.com">
Physician
</Attribute>
</Principal>
</ContextPrincipals>
<ContextResource>
<Resource ResourceType="XML">
<Attribute AttributeName="ResourceURI">
//medico.com/med.xml
</Attribute>
<Attribute AttributeName="XPath">
record/patient/patientDoB
</Attribute>
<Attribute AttributeName="XMLSchema">
medico.com/records.xsd
</Attribute>
</Resource>
</ContextResource>
<ContextAction>
<Action ActionType="XMLAction">
<Attribute AttributeName="read"/>
</Action>
</ContextAction>
</RequestContext>
Michiharu Kudo
IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642 Fax +81 (46) 273-7428
Anne Anderson
<Anne.Anderson@Su To: XACML TC <xacml@lists.oasis-open.org>
n.com> cc:
Subject: [xacml] [schema] AttributeDesignators without XPATH
2002/07/24 03:03
Please respond to
Anne.Anderson
Attached is a concrete proposal for a possibly simpler
AttributeDesignator syntax. It does not require XPATH, and is
capable of supporting other query formats.
It requires more work, but I want to see if people are interested
in pursuing this approach.
Anne
--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692
Title: AttributeDesignators without XPATH
Author: Anne Anderson
Version: 1.2, 02/07/23 (yy/mm/dd)
Source: /home/aa74233/projects/xacml/SCCS/s.SimpleTargets.txt
One possible way to simplify AttributeDesignator is to make it a
set of attribute values that are to be matched against attribute
values present in the Request.
The semantics of an AttributeDesignator become:
"return the requested value(s) where all specified xml
attribute values match"
This has the advantage (for at least some people) of not
requiring support for XPATH. If the value you want to select is
a sub-element of an Attribute in the Request, I have provided a
way for you to specify the "path" to that sub-element. The
default format for such a path is XPATH 1.0, but I provide a way
to specify other formats.
Below are possible schemas for the Request Subject and for the
Policy SubjectAttributeDesignator that illustrate this approach.
If it seems worth pursuing, I will produce schemas for Resource,
Action, ResourceAttributeDesignator, and
ActionAttributeDesignator as well.
-Anne
A. Request Context Subject element
<xs:complexType name="SubjectType">
<xs:sequence>
<xs:element name="Attribute"
type="xacmlContext:AttributeType"
minOccurs="0" maxOccurs="unbounded"/>
<!-- an Attribute can be a ds:KeyInfo -->
</xs:sequence>
<xs:attribute name="SubjectCategory" type="xs:anyURI"
default="identifier:AccessSubject"/>
<xs:attribute name="SubjectIdFormat" type="xs:anyURI"
default="xs:string"/>
<xs:attribute name="SubjectIdQualifier" type="xs:string"
use="optional"/>
<xs:attribute name="SubjectId" type="xs:string"
use="optional"/>
</xs:complexType>
B. SubjectAttributeDesignator
<xs:complexType name="SubjectAttributeDesignatorType">
<xs:attribute name="SubjectCategory"
type="xs:anyURI"
default="identifier:AccessSubject"/>
<xs:attribute name="SubjectIdFormat"
type="xs:anyURI" default="xs:string"/>
<xs:attribute name="SubjectIdQualifier"
type="xs:string" use="optional"/>
<xs:attribute name="SubjectId"
type="xs:string" use="optional"/>
<xs:attribute name="AttributeName
type="xs:string" use="optional"/>
<xs:attribute name="AttributeNamespace"
type="xs:anyURI" use="optional"/>
<!-- Namespace is required if Name is present -->
<xs:attribute name="AttributeIssuer"
type="xs:anyURI" use="optional"/>
<xs:attribute name="AttributeIssueInstant"
type="xs:dateTime" use="optional"/>
<xs:attribute name="AttributePath"
type="xs:any" use="optional"/>
<!-- Used when DataElement is "AttributeValue"
and you
want a sub-element of the Attribute value -->
<xs:attribute name="AttributePathFormat"
type="xs:urn" default="xs:oasis:1.0:XPATH"/>
<xs:attribute name="DataType"
type="xs:urn" use="required"/>
<xs:attribute name="DataElement"
type="SubjectDataElementType"
use="required"/>
<!-- this attribute indicates the actual data you want to select -->
</xs:complexType>
<xs:simpleType name="SubjectDataElementType">
<xs:restriction base="xs:string">
<xs:enumeration value="SubjectCategory"/>
<xs:enumeration value="SubjectIdFormat"/>
<xs:enumeration value="SubjectIdQualifier"/>
<xs:enumeration value="SubjectId"/>
<xs:enumeration value="AttributeName"/>
<xs:enumeration value="AttributeNamespace"/>
<xs:enumeration value="AttributeIssuer"/>
<xs:enumeration value="AttributeIssueInstant"/>
<xs:enumeration value="AttributeValue"/>
</xs:restriction>
</xs:simpleType>
A list of data elements is returned, consisting of all entries
under Request/Subject for which all specified xml attributes
match.
C. Example:
Request in English:
A user with role "System Administrator" and date of birth
"11/6/50" requests access to a resource from code that was
downloaded from "file:/net/base/classes/app.jar". The code was
signed by "cn=Corporate Auditor, o=Acme Corp, c=US" and by
"cn=AppSigner, o=Acme Corp, c=us".
<Request>
<Subject SubjectCategory="urn:j2se:XACML:subjectcategories:CodeSource"
SubjectIdFormat="url"
SubjectId="file:/net/base/classes/app.jar">
<Attribute AttributeId="urn:j2se:XACML:attributes:CodeSigner"
DataType="urn:x500:DistinguishedName">
"cn=AppSigner, o=Acme Corp, c=US"
</Attribute>
<Attribute AttributeId="urn:j2se:XACML:attributes:CodeSigner"
Issuer="urn:acme:cn=CFO,o=Acme_Corp,c=US"
DataType="urn:x500:DistinguishedName">
"cn=Corporate Auditor, o=Acme Corp, c=US"
</Attribute>
</Subject>
<Subject>
<Attribute AttributeId="urn:role"
DataType="xs:string">
"System Administrator"
</Attribute>
<Attribute AttributeId="urn:dateOfBirth"
DataType="xs:dateTime">
"11/6/50"
</Attribute>
</Subject>
<Resource>
....
<Action>
....
</Request>
Rule in English:
Only a system administrator is allowed to access Resource X,
and only from code signed by the Corporate Auditor.
<Rule RuleId="urn:Acme:rules:Rule1" Effect="Permit">
<Target>
<Subjects MatchId="function:alwaysTRUE"/>
<Resources MatchId="function:string-equal">
<ResourceAttributeDesignator Format="xs:string"
DataElement="ResourceId"/>
<Attribute DataType="xs:string">
"X"
</Attribute>
</Resources>
<Actions MatchId="function:alwaysTRUE"/>
</Target>
<Condition FunctionId="function:and">
<Function FunctionId="function:string-equals">
<SubjectAttributeDesignator Format="xs:string"
DataElement="AttributeValue"
AttributeName="urn:role"/>
<Attribute DataType="xs:string">
"System Administrator"
</Attribute>
</Function>
<Function FunctionId="function:string-equals">
<SubjectAttributeDesignator Format="urn:x500:DistinguishedName"
DataElement="AttributeValue"
AttributeName="urn:j2se:XACML:attributes:CodeSigner"/>
<Attribute DataType="xs:string">
"cn=Corporate Auditor, o=Acme Corp, c=US"
</Attribute>
</Function>
</Condition>
<Rule>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC