Subject: Re: [xacml] [schema] AttributeDesignators without XPATH
Since Anne's proposal and my old proposal (3rd June, unabbreviated format) look alike, I am also happy with the syntax of her proposal. That is a "flattened context structure" in my mind. I rather prefer that syntax because it is much simpler and more manageable.

The following links are my old proposal and examples.

http://lists.oasis-open.org/archives/xacml/200206/msg00003.html
http://lists.oasis-open.org/archives/xacml/200206/msg00002.html

The following is an example of the context I used in my old proposal.

<RequestContext>
  <ContextPrincipals>
    <Principal PrincipalType="RequestingUser">
      <Attribute AttributeName="NameIdentifier" AttributeNamespace="//medico.com">
        Julius Hibbert
      </Attribute>
      <Attribute AttributeName="Role" AttributeNamespace="//medico.com">
        Physician
      </Attribute>
    </Principal>
  </ContextPrincipals>
  <ContextResource>
    <Resource ResourceType="XML">
      <Attribute AttributeName="ResourceURI">
        //medico.com/med.xml
      </Attribute>
      <Attribute AttributeName="XPath">
        record/patient/patientDoB
      </Attribute>
      <Attribute AttributeName="XMLSchema">
        medico.com/records.xsd
      </Attribute>
    </Resource>
  </ContextResource>
  <ContextAction>
    <Action ActionType="XMLAction">
      <Attribute AttributeName="read"/>
    </Action>
  </ContextAction>
</RequestContext>

Michiharu Kudo
IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428


Anne Anderson <Anne.Anderson@Sun.com>
2002/07/24 03:03
Please respond to Anne.Anderson

To:      XACML TC <xacml@lists.oasis-open.org>
cc:
Subject: [xacml] [schema] AttributeDesignators without XPATH

Attached is a concrete proposal for a possibly simpler AttributeDesignator syntax. It does not require XPATH, and is capable of supporting other query formats. It requires more work, but I want to see if people are interested in pursuing this approach.

Anne
-- 
Anne H. Anderson                Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311      Tel: 781/442-0928
Burlington, MA 01803-0902 USA   Fax: 781/442-1692


Title:   AttributeDesignators without XPATH
Author:  Anne Anderson
Version: 1.2, 02/07/23 (yy/mm/dd)
Source:  /home/aa74233/projects/xacml/SCCS/s.SimpleTargets.txt

One possible way to simplify AttributeDesignator is to make it a set of attribute values that are to be matched against attribute values present in the Request. The semantics of an AttributeDesignator become: "return the requested value(s) where all specified xml attribute values match"

This has the advantage (for at least some people) of not requiring support for XPATH.

If the value you want to select is a sub-element of an Attribute in the Request, I have provided a way for you to specify the "path" to that sub-element. The default format for such a path is XPATH 1.0, but I provide a way to specify other formats.

Below are possible schemas for the Request Subject and for the Policy SubjectAttributeDesignator that illustrate this approach. If it seems worth pursuing, I will produce schemas for Resource, Action, ResourceAttributeDesignator, and ActionAttributeDesignator as well.

-Anne

A. Request Context Subject element

<xs:complexType name="SubjectType">
  <xs:sequence>
    <xs:element name="Attribute" type="xacmlContext:AttributeType"
                minOccurs="0" maxOccurs="unbounded"/>
    <!-- an Attribute can be a ds:KeyInfo -->
  </xs:sequence>
  <xs:attribute name="SubjectCategory" type="xs:anyURI" default="identifier:AccessSubject"/>
  <xs:attribute name="SubjectIdFormat" type="xs:anyURI" default="xs:string"/>
  <xs:attribute name="SubjectIdQualifier" type="xs:string" use="optional"/>
  <xs:attribute name="SubjectId" type="xs:string" use="optional"/>
</xs:complexType>

B. SubjectAttributeDesignator

<xs:complexType name="SubjectAttributeDesignatorType">
  <xs:attribute name="SubjectCategory" type="xs:anyURI" default="identifier:AccessSubject"/>
  <xs:attribute name="SubjectIdFormat" type="xs:anyURI" default="xs:string"/>
  <xs:attribute name="SubjectIdQualifier" type="xs:string" use="optional"/>
  <xs:attribute name="SubjectId" type="xs:string" use="optional"/>
  <xs:attribute name="AttributeName" type="xs:string" use="optional"/>
  <xs:attribute name="AttributeNamespace" type="xs:anyURI" use="optional"/>
  <!-- Namespace is required if Name is present -->
  <xs:attribute name="AttributeIssuer" type="xs:anyURI" use="optional"/>
  <xs:attribute name="AttributeIssueInstant" type="xs:dateTime" use="optional"/>
  <xs:attribute name="AttributePath" type="xs:any" use="optional"/>
  <!-- Used when DataElement is "AttributeValue" and you want a sub-element of the Attribute value -->
  <xs:attribute name="AttributePathFormat" type="xs:urn" default="xs:oasis:1.0:XPATH"/>
  <xs:attribute name="DataType" type="xs:urn" use="required"/>
  <xs:attribute name="DataElement" type="SubjectDataElementType" use="required"/>
  <!-- this attribute indicates the actual data you want to select -->
</xs:complexType>

<xs:simpleType name="SubjectDataElementType">
  <xs:restriction base="xs:string">
    <xs:enumeration value="SubjectCategory"/>
    <xs:enumeration value="SubjectIdFormat"/>
    <xs:enumeration value="SubjectIdQualifier"/>
    <xs:enumeration value="SubjectId"/>
    <xs:enumeration value="AttributeName"/>
    <xs:enumeration value="AttributeNamespace"/>
    <xs:enumeration value="AttributeIssuer"/>
    <xs:enumeration value="AttributeIssueInstant"/>
    <xs:enumeration value="AttributeValue"/>
  </xs:restriction>
</xs:simpleType>

A list of data elements is returned, consisting of all entries under Request/Subject for which all specified xml attributes match.

C. Example

Request in English: A user with role "System Administrator" and date of birth "11/6/50" requests access to a resource from code that was downloaded from "file:/net/base/classes/app.jar". The code was signed by "cn=Corporate Auditor, o=Acme Corp, c=US" and by "cn=AppSigner, o=Acme Corp, c=us".

<Request>
  <Subject SubjectCategory="urn:j2se:XACML:subjectcategories:CodeSource"
           SubjectIdFormat="url"
           SubjectId="file:/net/base/classes/app.jar">
    <Attribute AttributeId="urn:j2se:XACML:attributes:CodeSigner"
               DataType="urn:x500:DistinguishedName">
      "cn=AppSigner, o=Acme Corp, c=US"
    </Attribute>
    <Attribute AttributeId="urn:j2se:XACML:attributes:CodeSigner"
               Issuer="urn:acme:cn=CFO,o=Acme_Corp,c=US"
               DataType="urn:x500:DistinguishedName">
      "cn=Corporate Auditor, o=Acme Corp, c=US"
    </Attribute>
  </Subject>
  <Subject>
    <Attribute AttributeId="urn:role" DataType="xs:string">
      "System Administrator"
    </Attribute>
    <Attribute AttributeId="urn:dateOfBirth" DataType="xs:dateTime">
      "11/6/50"
    </Attribute>
  </Subject>
  <Resource>
    ....
  <Action>
    ....
</Request>

Rule in English: Only a system administrator is allowed to access Resource X, and only from code signed by the Corporate Auditor.

<Rule RuleId="urn:Acme:rules:Rule1" Effect="Permit">
  <Target>
    <Subjects MatchId="function:alwaysTRUE"/>
    <Resources MatchId="function:string-equal">
      <ResourceAttributeDesignator Format="xs:string" DataElement="ResourceId"/>
      <Attribute DataType="xs:string">
        "X"
      </Attribute>
    </Resources>
    <Actions MatchId="function:alwaysTRUE"/>
  </Target>
  <Condition FunctionId="function:and">
    <Function FunctionId="function:string-equals">
      <SubjectAttributeDesignator Format="xs:string"
                                  DataElement="AttributeValue"
                                  AttributeName="urn:role"/>
      <Attribute DataType="xs:string">
        "System Administrator"
      </Attribute>
    </Function>
    <Function FunctionId="function:string-equals">
      <SubjectAttributeDesignator Format="urn:x500:DistinguishedName"
                                  DataElement="AttributeValue"
                                  AttributeName="urn:j2se:XACML:attributes:CodeSigner"/>
      <Attribute DataType="xs:string">
        "cn=Corporate Auditor, o=Acme Corp, c=US"
      </Attribute>
    </Function>
  </Condition>
</Rule>
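As an added illustration (not code from this thread or from the XACML TC), the Python below implements the designator semantics the proposal states, "return the requested value(s) where all specified xml attribute values match", over a constructed copy of the example C Request. It assumes that only fields the designator actually specifies constrain the match, that the defaults of schema A apply on the Request side, and that the designator's AttributeName is compared with the Request's AttributeId, which is what example C puts on its Attribute elements.

```python
import xml.etree.ElementTree as ET

# Constructed sample Request modelled on example C of the proposal; the
# elided Resource/Action parts and the quotes around values are left out.
REQUEST_XML = """<Request>
  <Subject SubjectCategory="urn:j2se:XACML:subjectcategories:CodeSource"
           SubjectIdFormat="url" SubjectId="file:/net/base/classes/app.jar">
    <Attribute AttributeId="urn:j2se:XACML:attributes:CodeSigner"
               DataType="urn:x500:DistinguishedName">cn=AppSigner, o=Acme Corp, c=US</Attribute>
    <Attribute AttributeId="urn:j2se:XACML:attributes:CodeSigner"
               Issuer="urn:acme:cn=CFO,o=Acme_Corp,c=US"
               DataType="urn:x500:DistinguishedName">cn=Corporate Auditor, o=Acme Corp, c=US</Attribute>
  </Subject>
  <Subject>
    <Attribute AttributeId="urn:role" DataType="xs:string">System Administrator</Attribute>
    <Attribute AttributeId="urn:dateOfBirth" DataType="xs:dateTime">11/6/50</Attribute>
  </Subject>
</Request>"""

# Subject-level fields; the defaults of schema A apply to the Request side.
SUBJECT_KEYS = ("SubjectCategory", "SubjectIdFormat", "SubjectIdQualifier", "SubjectId")
SUBJECT_DEFAULTS = {"SubjectCategory": "identifier:AccessSubject", "SubjectIdFormat": "xs:string"}
# Designator field -> xml attribute of a Request Attribute it is compared with.
# Assumption: AttributeName is matched against AttributeId, as example C uses it.
ATTR_KEYS = {"AttributeName": "AttributeId", "AttributeIssuer": "Issuer",
             "AttributeIssueInstant": "IssueInstant", "DataType": "DataType"}

def select(request_xml, designator):
    """Return every DataElement value under Request/Subject for which all
    xml attributes the designator specifies match (unspecified ones are wildcards)."""
    root, wanted, results = ET.fromstring(request_xml), designator["DataElement"], []
    for subject in root.findall("Subject"):
        have = {k: subject.get(k, SUBJECT_DEFAULTS.get(k)) for k in SUBJECT_KEYS}
        if any(designator.get(k) is not None and designator[k] != have[k]
               for k in SUBJECT_KEYS):
            continue  # a subject-level constraint does not match
        if wanted in SUBJECT_KEYS:  # e.g. DataElement="SubjectId"
            if have[wanted] is not None:
                results.append(have[wanted])
            continue
        for attr in subject.findall("Attribute"):
            if any(designator.get(d) is not None and designator[d] != attr.get(r)
                   for d, r in ATTR_KEYS.items()):
                continue  # an attribute-level constraint does not match
            value = ((attr.text or "").strip() if wanted == "AttributeValue"
                     else attr.get(ATTR_KEYS.get(wanted, wanted)))
            if value is not None:
                results.append(value)
    return results
```

Run against the example Rule's CodeSigner designator, select() returns both signer values, as the proposal's "a list of data elements is returned" implies; adding AttributeIssuer to the designator narrows the list to the Corporate Auditor's entry.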