OASIS Mailing List Archives

xacml message

Subject: [xacml] "Simple example" for the specification


This is in response to my Action Item to provide a "simple
example" for the specification.

Assume Medico Corporation (medico.com) has a policy that any user with an
e-mail name in the "medico.com" namespace is allowed to perform
any action on any resource.  In XACML, this policy is expressed as follows:

<?xml version="1.0" encoding="UTF-8"?>
<Policy
    PolicyId="urn:oasis:names:tc:xacml:1.0:example:PolicyStatement1"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
    xmlns="urn:oasis:names:tc:xacml:1.0:policy"
    xmlns:function="urn:oasis:names:tc:xacml:1.0:function"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-policy-01.xsd">
  <Description>
    Any subject with an e-mail name in the medico.com domain
    can perform any action on any resource.
  </Description>
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="function:rfc822name-equal">
          <SubjectAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
              DataType="urn:oasis:names:tc:xacml:1.0:datatype:rfc822name"/>
          <AttributeValue
              DataType="urn:oasis:names:tc:xacml:1.0:datatype:rfc822name">
            @medico.com
          </AttributeValue>
        </SubjectMatch>
      </Subject>
    </Subjects>
    <AnyResource/>
    <AnyAction/>
  </Target>
  <RuleSet>
    <Rule
        RuleId="urn:oasis:names:tc:xacml:1.0:example:Rule1"
        Effect="Permit">
      <Description>
        Always return Permit if Target matches.
      </Description>
    </Rule>
  </RuleSet>
</Policy>

If Bart Simpson, with e-mail name "bs@simpsons.com", attempts to
read his medical record at Medico Corporation, his request looks
as follows in XACML:

<?xml version="1.0" encoding="UTF-8"?>
<Request
    xmlns="urn:oasis:names:tc:xacml:1.0:context"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context
        http://www.oasis-open.org/tc/xacml/1.0/sc-xacml-schema-context-01.xsd">
  <Subject>
    <Attribute
        AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
      <AttributeValue>
        bs@simpsons.com
      </AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <ResourceSpecifier
        Format="xs:anyURI"
        ResourceId="http://medico.com/record/patient/BartSimpson"/>
  </Resource>
  <Action
      Namespace="urn:oasis:names:tc:xacml:1.0:example:action">
    read
  </Action>
</Request>

The XACML Policy Decision Point compares the Subject, Resource,
and Action in the Request against the Subjects, AnyResource, and
AnyAction in the policy Target.  The requested resource matches
"AnyResource" and the requested action matches "AnyAction", but
the requesting subject-id does not match "@medico.com".

As a result, there is no Rule in this Policy that returns a
"Permit" result for this request.  The Rule Combining Algorithm
specifies that in this case, a result of "Deny" should be
returned.  In XACML, this response looks as follows:

<?xml version="1.0" encoding="UTF-8"?>
<Response
    xmlns="urn:oasis:names:tc:xacml:1.0:context"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context
        http://www.oasis-open.org/tc/xacml/1.0/sc-xacml-schema-context-01.xsd">
  <Result>
    <Decision>
      Deny
    </Decision>
  </Result>
</Response>

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
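The evaluation the message walks through (Target matching on the subject's rfc822 name, AnyResource/AnyAction, then deny-overrides over the RuleSet), as an added example that is not part of the original message or any XACML TC deliverable. It is a toy PDP in Python that parses a Policy and a Request shaped like the ones above and returns the decision. The policy string, the request builder, and all function names (`decide`, `rfc822name_equal`, `response_xml`) are this example's own; the "@medico.com" pattern is taken to mean "any mailbox whose domain is exactly medico.com", with the domain compared case-insensitively and the local part case-sensitively, and a Target that does not match yields Deny, as the message describes. Explicit Resources/Actions targets are not implemented, since the message only uses AnyResource and AnyAction.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"

# Constructed policy, shaped like the one in the message (same element names and ids).
POLICY_XML = """<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
    PolicyId="urn:oasis:names:tc:xacml:1.0:example:PolicyStatement1"
    RuleCombiningAlgId="%s">
  <Target>
    <Subjects><Subject>
      <SubjectMatch MatchId="function:rfc822name-equal">
        <SubjectAttributeDesignator AttributeId="%s"
            DataType="urn:oasis:names:tc:xacml:1.0:datatype:rfc822name"/>
        <AttributeValue DataType="urn:oasis:names:tc:xacml:1.0:datatype:rfc822name">
          @medico.com
        </AttributeValue>
      </SubjectMatch>
    </Subject></Subjects>
    <AnyResource/>
    <AnyAction/>
  </Target>
  <RuleSet>
    <Rule RuleId="urn:oasis:names:tc:xacml:1.0:example:Rule1" Effect="Permit"/>
  </RuleSet>
</Policy>""" % (DENY_OVERRIDES, SUBJECT_ID)


def request_xml(subject_id, resource="http://medico.com/record/patient/BartSimpson", action="read"):
    """Build a constructed Request like the one in the message (values XML-escaped)."""
    return f"""<Request xmlns="urn:oasis:names:tc:xacml:1.0:context">
  <Subject><Attribute AttributeId="{SUBJECT_ID}">
    <AttributeValue>{escape(subject_id)}</AttributeValue></Attribute></Subject>
  <Resource><ResourceSpecifier Format="xs:anyURI" ResourceId="{escape(resource)}"/></Resource>
  <Action Namespace="urn:oasis:names:tc:xacml:1.0:example:action">{escape(action)}</Action>
</Request>"""


def local(tag):
    return tag.rsplit("}", 1)[-1]            # strip the {namespace} prefix ET adds


def children(elem, name):
    return [c for c in elem if local(c.tag) == name]


def text(elem):
    return (elem.text or "").strip()


def rfc822name_equal(pattern, name):
    """'@domain' matches any mailbox in exactly that domain; 'user@domain' matches one
    mailbox. Domain compared case-insensitively, local part case-sensitively. Splitting
    on the LAST '@' means 'x@medico.com@evil.com' is in evil.com, not medico.com."""
    pattern, name = pattern.strip(), name.strip()
    if "@" not in name:
        return False
    local_part, _, domain = name.rpartition("@")
    if pattern.startswith("@"):
        return domain.lower() == pattern[1:].lower()
    plocal, _, pdomain = pattern.rpartition("@")
    return local_part == plocal and domain.lower() == pdomain.lower()


MATCH_FUNCTIONS = {
    "function:rfc822name-equal": rfc822name_equal,
    "urn:oasis:names:tc:xacml:1.0:function:rfc822name-equal": rfc822name_equal,
}


def subject_attributes(request):
    """AttributeId -> list of values found in the Request's Subject elements."""
    attrs = {}
    for subj in children(request, "Subject"):
        for attr in children(subj, "Attribute"):
            vals = [text(v) for v in children(attr, "AttributeValue")]
            attrs.setdefault(attr.get("AttributeId"), []).extend(vals)
    return attrs


def subject_match(match, subj_attrs):
    fn = MATCH_FUNCTIONS[match.get("MatchId")]
    designator = children(match, "SubjectAttributeDesignator")[0]
    pattern = text(children(match, "AttributeValue")[0])
    return any(fn(pattern, v) for v in subj_attrs.get(designator.get("AttributeId"), []))


def target_matches(target, request):
    """Subjects is a disjunction of Subject, each a conjunction of SubjectMatch."""
    subj_attrs = subject_attributes(request)
    subjects = children(target, "Subjects")
    if subjects:
        if not any(all(subject_match(m, subj_attrs) for m in children(s, "SubjectMatch"))
                   for s in children(subjects[0], "Subject")):
            return False
    elif not children(target, "AnySubject"):
        return False
    if not children(target, "AnyResource") or not children(target, "AnyAction"):
        raise NotImplementedError("only AnyResource/AnyAction targets are supported here")
    return True


def decide(policy_xml, request_str):
    """Return 'Permit' or 'Deny' for the request under deny-overrides."""
    policy, request = ET.fromstring(policy_xml), ET.fromstring(request_str)
    if policy.get("RuleCombiningAlgId") != DENY_OVERRIDES:
        raise NotImplementedError(policy.get("RuleCombiningAlgId"))
    if not target_matches(children(policy, "Target")[0], request):
        return "Deny"                        # no applicable Permit rule -> Deny, as in the message
    effects = [r.get("Effect") for rs in children(policy, "RuleSet") for r in children(rs, "Rule")]
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "Deny"


def response_xml(decision):
    resp = ET.Element("Response", xmlns="urn:oasis:names:tc:xacml:1.0:context")
    ET.SubElement(ET.SubElement(resp, "Result"), "Decision").text = decision
    return ET.tostring(resp, encoding="unicode")


if __name__ == "__main__":
    print(response_xml(decide(POLICY_XML, request_xml("bs@simpsons.com"))))
```

The point of doing the domain comparison by exact match on the part after the last "@" is that a substring or suffix test ("medico.com" in name, or name.endswith("medico.com")) would let "bs@simpsons.com.medico.com" or "x@medico.com@simpsons.com" through the Target; the tests below include both cases.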


