Subject: Re: [xacml] v16: Revised "Simple example" for the specification
This is in response to my Action Item to provide a "simple example" for the specification. I have revised it slightly for the current schema 16g. This is intended to go into v16 of the specification as an introductory example.

Assume that a corporation named Medi Corp (medico.com) has an access control policy that states, in English: "Any user with an e-mail name in the "medico.com" namespace is allowed to perform any action on any resource."

In XACML, this policy is expressed as follows:

<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        xmlns:function="urn:oasis:names:tc:xacml:1.0:function"
        xmlns:identifier="urn:oasis:names:tc:xacml:1.0"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-policy-01.xsd"
        PolicyId="identifier:example:SimplePolicy1"
        RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
  <Description>
    Medi Corp access control policy
  </Description>
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Resources>
      <AnyResource/>
    </Resources>
    <Actions>
      <AnyAction/>
    </Actions>
  </Target>
  <Rule RuleId="identifier:example:SimpleRule1" Effect="Permit">
    <Description>
      Any subject with an e-mail name in the medico.com domain can perform any action on any resource.
    </Description>
    <Target>
      <Subjects>
        <Subject>
          <SubjectMatch MatchId="function:rfc822name-equal">
            <SubjectAttributeDesignator AttributeId="identifier:subject:subject-id"
                                        DataType="identifier:datatype:rfc822name"/>
            <AttributeValue DataType="identifier:datatype:rfc822name">
              @medico.com
            </AttributeValue>
          </SubjectMatch>
        </Subject>
      </Subjects>
      <Resources>
        <AnyResource/>
      </Resources>
      <Actions>
        <AnyAction/>
      </Actions>
    </Target>
  </Rule>
</Policy>

If Bart Simpson, with e-mail name "bs@simpsons.com", attempts to read his medical record at Medi Corp, his request looks as follows in XACML:

<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context http://www.oasis-open.org/tc/xacml/1.0/sc-xacml-schema-context-01.xsd">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="identifier:datatype:rfc822name">
      <AttributeValue>
        bs@simpsons.com
      </AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="identifier:resource:resource-uri"
               DataType="xs:anyURI">
      <AttributeValue>
        http://medico.com/record/patient/BartSimpson
      </AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="identifier:example:action"
               DataType="xs:string">
      <AttributeValue>
        read
      </AttributeValue>
    </Attribute>
  </Action>
</Request>

The XACML Policy Decision Point (PDP) receiving this Request locates the Policy in its policy repository. It compares the Subject, Resource, and Action in the Request against the Subjects, AnyResource, and AnyAction in the policy Target. Since the policy Target matches AnySubject, AnyResource, and AnyAction, the policy applies to this Request.

The PDP now compares the Subject, Resource, and Action in the Request against the Target of the one Rule in this policy. The requested resource matches "AnyResource" and the requested action matches "AnyAction", but the requesting subject-id does not match "@medico.com". As a result, there is no Rule in this Policy that returns a "Permit" result for this request. The Rule Combining Algorithm for the Policy specifies that, in this case, a result of "Deny" should be returned.

In XACML, this response looks as follows:

<?xml version="1.0" encoding="UTF-8"?>
<Response xmlns="urn:oasis:names:tc:xacml:1.0:context"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context http://www.oasis-open.org/tc/xacml/1.0/sc-xacml-schema-context-01.xsd">
  <Result>
    <Decision>
      Deny
    </Decision>
  </Result>
</Response>

Anne
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
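The evaluation walk-through in the mail above (policy Target, then each Rule Target, then the rule-combining algorithm), carried out in code. This is an added example, not part of the original mail or of any XACML implementation. It embeds the mail's Policy and Request as constructed strings (default namespace set to the policy URN that the mail's schemaLocation names), expands the mail's `identifier:` and `function:` prefixes so the policy's `identifier:subject:subject-id` and the request's full URN compare equal, and assumes that the draft's `rfc822name-equal` treats a policy value of the form `@domain` as matching any address in that domain, which is the reading the mail's English policy implies. Deny-overrides is implemented as the mail describes it: no Permit from any rule yields Deny.

```python
import xml.etree.ElementTree as ET

# Constructed from the mail's Policy; default namespace follows its schemaLocation pairing.
POLICY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        PolicyId="identifier:example:SimplePolicy1"
        RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><AnyResource/></Resources>
    <Actions><AnyAction/></Actions>
  </Target>
  <Rule RuleId="identifier:example:SimpleRule1" Effect="Permit">
    <Target>
      <Subjects><Subject>
        <SubjectMatch MatchId="function:rfc822name-equal">
          <SubjectAttributeDesignator AttributeId="identifier:subject:subject-id"
                                      DataType="identifier:datatype:rfc822name"/>
          <AttributeValue DataType="identifier:datatype:rfc822name">@medico.com</AttributeValue>
        </SubjectMatch>
      </Subject></Subjects>
      <Resources><AnyResource/></Resources>
      <Actions><AnyAction/></Actions>
    </Target>
  </Rule>
</Policy>"""


def request_xml(subject_id):
    """Constructed Request in the shape of the mail's, parameterised on subject-id."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="urn:oasis:names:tc:xacml:1.0:context">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="identifier:datatype:rfc822name">
      <AttributeValue>{subject_id}</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="identifier:resource:resource-uri" DataType="xs:anyURI">
      <AttributeValue>http://medico.com/record/patient/BartSimpson</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="identifier:example:action" DataType="xs:string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
</Request>"""


# The xmlns:identifier / xmlns:function declarations from the mail's Policy element.
PREFIXES = {"identifier": "urn:oasis:names:tc:xacml:1.0",
            "function": "urn:oasis:names:tc:xacml:1.0:function"}


def expand(qname):
    """Expand 'identifier:x' style values so policy and request identifiers compare equal."""
    prefix, sep, rest = qname.partition(":")
    return PREFIXES[prefix] + ":" + rest if sep and prefix in PREFIXES else qname


def local(tag):
    return tag.rsplit("}", 1)[-1]          # strip the XML namespace from an element tag


def children(el, name):
    return [c for c in el if local(c.tag) == name]


def rfc822name_equal(policy_value, request_value):
    """Assumed semantics: '@domain' matches any address in that domain (domain case-insensitive);
    a full address must match local part exactly and domain case-insensitively."""
    r_local, _, r_domain = request_value.partition("@")
    if policy_value.startswith("@"):
        return r_domain.lower() == policy_value[1:].lower()
    p_local, _, p_domain = policy_value.partition("@")
    return r_local == p_local and r_domain.lower() == p_domain.lower()


MATCH_FUNCTIONS = {expand("function:rfc822name-equal"): rfc822name_equal}


def request_attrs(req_root):
    """Collect request attributes as {(category, expanded AttributeId): value}."""
    attrs = {}
    for cat in req_root:
        for att in children(cat, "Attribute"):
            value = children(att, "AttributeValue")[0].text.strip()
            attrs[(local(cat.tag), expand(att.get("AttributeId")))] = value
    return attrs


def match_holds(match, category, attrs):
    """One <SubjectMatch>: apply MatchId to the designated request attribute and the literal."""
    designator = next(c for c in match if local(c.tag).endswith("AttributeDesignator"))
    literal = children(match, "AttributeValue")[0]
    if designator.get("DataType") != literal.get("DataType"):
        raise ValueError("designator and literal DataType differ; match cannot be evaluated")
    actual = attrs.get((category, expand(designator.get("AttributeId"))))
    return actual is not None and MATCH_FUNCTIONS[expand(match.get("MatchId"))](literal.text.strip(), actual)


def target_matches(target, attrs):
    """Any* matches everything; otherwise some <Subject> (etc.) must have all its matches hold."""
    for section, any_tag, category in (("Subjects", "AnySubject", "Subject"),
                                       ("Resources", "AnyResource", "Resource"),
                                       ("Actions", "AnyAction", "Action")):
        sec = children(target, section)[0]
        if children(sec, any_tag):
            continue
        if not any(all(match_holds(m, category, attrs) for m in item) for item in sec):
            return False
    return True


def evaluate(policy_xml, req_xml):
    """PDP walk as the mail describes: policy Target, each Rule Target, then deny-overrides."""
    policy = ET.fromstring(policy_xml)
    attrs = request_attrs(ET.fromstring(req_xml))
    if not policy.get("RuleCombiningAlgId", "").endswith("deny-overrides"):
        raise NotImplementedError("only deny-overrides is modelled here")
    if not target_matches(children(policy, "Target")[0], attrs):
        return "NotApplicable"        # policy Target does not cover this request
    effects = [r.get("Effect") for r in children(policy, "Rule")
               if target_matches(children(r, "Target")[0], attrs)]
    return "Permit" if "Permit" in effects and "Deny" not in effects else "Deny"


if __name__ == "__main__":
    for who in ("bs@simpsons.com", "hs@medico.com"):
        print(who, "->", evaluate(POLICY_XML, request_xml(who)))
```

Running it gives Deny for bs@simpsons.com, as in the mail's Response, and Permit for an address in the medico.com domain. The DataType check in `match_holds` is there because the mail's own Request and Policy spelled the rfc822name DataType differently; a PDP that compares those strings literally would never evaluate the match.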