Subject: Re: [xacml] v16: Revised "Simple example" for the specification


This is in response to my Action Item to provide a "simple
example" for the specification.  I have revised it slightly for
the current schema 16g.  This is intended to go into v16 of the
specification as an introductory example.

Assume that a corporation named Medi Corp (medico.com) has an
access control policy that states, in English:

 "Any user with an e-mail name in the "medico.com" namespace is allowed to
  perform any action on any resource."

In XACML, this policy is expressed as follows:

<?xml version="1.0" encoding="UTF-8"?>
<Policy
   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
   xmlns:function="urn:oasis:names:tc:xacml:1.0:function"
   xmlns:identifier="urn:oasis:names:tc:xacml:1.0"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy
      http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-policy-01.xsd"
   PolicyId="identifier:example:SimplePolicy1"
   RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
  <Description>
    Medi Corp access control policy
  </Description>
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Resources>
      <AnyResource/>
    </Resources>
    <Actions>
      <AnyAction/>
    </Actions>
  </Target>
  <Rule
     RuleId="identifier:example:SimpleRule1"
     Effect="Permit">
    <Description>
      Any subject with an e-mail name in the medico.com domain
      can perform any action on any resource.
    </Description>
    <Target>
      <Subjects>
        <Subject>
          <SubjectMatch MatchId="function:rfc822name-equal">
            <SubjectAttributeDesignator
               AttributeId="identifier:subject:subject-id"
               DataType="identifier:datatype:rfc822name"/>
            <AttributeValue
               DataType="identifier:datatype:rfc822name">
              @medico.com
            </AttributeValue>
          </SubjectMatch>
        </Subject>
      </Subjects>
      <Resources>
        <AnyResource/>
      </Resources>
      <Actions>
        <AnyAction/>
      </Actions>
    </Target>
  </Rule>
</Policy>

If Bart Simpson, with e-mail name "bs@simpsons.com", attempts to
read his medical record at Medi Corp, his request looks as
follows in XACML:

<?xml version="1.0" encoding="UTF-8"?>
<Request
   xmlns="urn:oasis:names:tc:xacml:1.0:context"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context
    http://www.oasis-open.org/tc/xacml/1.0/sc-xacml-schema-context-01.xsd">
  <Subject>
    <Attribute
       AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
       DataType="identifier:datatype:rfc822name">
      <AttributeValue>
        bs@simpsons.com
      </AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute
       AttributeId="identifier:resource:resource-uri"
       DataType="xs:anyURI">
      <AttributeValue>
        http://medico.com/record/patient/BartSimpson
      </AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute
       AttributeId="identifier:example:action"
       DataType="xs:string">
      <AttributeValue>
        read
      </AttributeValue>
    </Attribute>
  </Action>
</Request>

The XACML Policy Decision Point (PDP) receiving this Request
locates the Policy in its policy repository.  It compares the
Subject, Resource, and Action in the Request against the
Subjects, AnyResource, and AnyAction in the policy Target.  Since
the policy Target matches AnySubject, AnyResource, and AnyAction,
the policy applies to this Request.

The PDP now compares the Subject, Resource, and Action in the
Request against the Target of the one Rule in this policy.  The
requested resource matches "AnyResource" and the requested action
matches "AnyAction", but the requesting subject-id does not match
"@medico.com".

As a result, there is no Rule in this Policy that returns a
"Permit" result for this request.  The Rule Combining Algorithm
for the Policy specifies that, in this case, a result of "Deny"
should be returned.  In XACML, this response looks as follows:

<?xml version="1.0" encoding="UTF-8"?>
<Response
    xmlns="urn:oasis:names:tc:xacml:1.0:context"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context
        http://www.oasis-open.org/tc/xacml/1.0/sc-xacml-schema-context-01.xsd">
  <Result>
    <Decision>
      Deny
    </Decision>
  </Result>
</Response>

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
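The evaluation the message walks through (policy Target, then the Rule Target, then the rule-combining algorithm) can be made concrete with a small evaluator. The code below is an added illustration and is not code from the XACML TC, the specification, or the message's author. It implements only the constructs the example uses (AnySubject/AnyResource/AnyAction, one SubjectMatch with `function:rfc822name-equal`, and deny-overrides), expands the message's `identifier:` shorthand to `urn:oasis:names:tc:xacml:1.0:` itself because XML attribute values are opaque strings, and follows the message's description of deny-overrides, under which a policy with no permitting Rule answers Deny. The policy and request strings are constructed copies of the ones in the message, with a parameterised subject-id so that the medico.com case can be shown alongside the Bart Simpson case; `rfc822name_equal` is an assumed helper that treats a bare `@domain` value as "any mailbox in that domain".

```python
import xml.etree.ElementTree as ET

POLICY_NS = "urn:oasis:names:tc:xacml:1.0:policy"
CONTEXT_NS = "urn:oasis:names:tc:xacml:1.0:context"
P = "{%s}" % POLICY_NS   # ElementTree (Clark) notation for qualified names
C = "{%s}" % CONTEXT_NS

# The message abbreviates "urn:oasis:names:tc:xacml:1.0" as "identifier:";
# attribute values are plain strings, so the shorthand is expanded here.
def expand(s):
    return "urn:oasis:names:tc:xacml:1.0:" + s[11:] if s.startswith("identifier:") else s

# Constructed copy of the message's policy (XML declaration omitted so the
# string parses directly with ElementTree).
POLICY_XML = """<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
   PolicyId="identifier:example:SimplePolicy1"
   RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
  <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources>
          <Actions><AnyAction/></Actions></Target>
  <Rule RuleId="identifier:example:SimpleRule1" Effect="Permit">
    <Target>
      <Subjects><Subject>
        <SubjectMatch MatchId="function:rfc822name-equal">
          <SubjectAttributeDesignator AttributeId="identifier:subject:subject-id"
             DataType="identifier:datatype:rfc822name"/>
          <AttributeValue DataType="identifier:datatype:rfc822name">@medico.com</AttributeValue>
        </SubjectMatch>
      </Subject></Subjects>
      <Resources><AnyResource/></Resources><Actions><AnyAction/></Actions>
    </Target>
  </Rule>
</Policy>"""

def request_xml(subject_id, datatype="identifier:datatype:rfc822name"):
    """Constructed Request shaped like the message's, for any subject-id."""
    return f"""<Request xmlns="urn:oasis:names:tc:xacml:1.0:context">
  <Subject><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                      DataType="{datatype}">
    <AttributeValue>{subject_id}</AttributeValue></Attribute></Subject>
  <Resource><Attribute AttributeId="identifier:resource:resource-uri" DataType="xs:anyURI">
    <AttributeValue>http://medico.com/record/patient/BartSimpson</AttributeValue></Attribute></Resource>
  <Action><Attribute AttributeId="identifier:example:action" DataType="xs:string">
    <AttributeValue>read</AttributeValue></Attribute></Action>
</Request>"""

def rfc822name_equal(pattern, value):
    """Assumed semantics: a bare "@domain" pattern matches every mailbox in that
    domain (domain compared case-insensitively); anything else must equal the
    whole address."""
    value = value.strip()
    if pattern.startswith("@"):
        return "@" in value and value.rsplit("@", 1)[1].lower() == pattern[1:].lower()
    return value == pattern

def subject_attrs(request):
    """Index the Request's Subject attributes by (AttributeId, DataType)."""
    attrs = {}
    for a in request.iterfind(f"{C}Subject/{C}Attribute"):
        key = (expand(a.get("AttributeId")), expand(a.get("DataType")))
        attrs.setdefault(key, []).extend(v.text.strip() for v in a.iterfind(f"{C}AttributeValue"))
    return attrs

def subject_matches(subject, attrs):
    """Every SubjectMatch inside one Subject must hold (conjunction)."""
    for m in subject.iterfind(f"{P}SubjectMatch"):
        if m.get("MatchId") != "function:rfc822name-equal":
            raise ValueError("unsupported MatchId " + m.get("MatchId"))
        d = m.find(f"{P}SubjectAttributeDesignator")
        pattern = m.find(f"{P}AttributeValue").text.strip()
        key = (expand(d.get("AttributeId")), expand(d.get("DataType")))
        # A request attribute whose DataType differs from the designator's is
        # not the attribute being asked for, so it cannot match.
        if not any(rfc822name_equal(pattern, v) for v in attrs.get(key, [])):
            return False
    return True

def target_matches(target, attrs):
    subjects = target.find(f"{P}Subjects")
    subject_ok = (subjects.find(f"{P}AnySubject") is not None or
                  any(subject_matches(s, attrs) for s in subjects.iterfind(f"{P}Subject")))
    # The example only uses AnyResource / AnyAction, so that is all this toy accepts.
    resource_ok = target.find(f"{P}Resources/{P}AnyResource") is not None
    action_ok = target.find(f"{P}Actions/{P}AnyAction") is not None
    return subject_ok and resource_ok and action_ok

def evaluate(policy_xml, request_text):
    """Policy Target, then each Rule Target, then deny-overrides as the message
    describes it: any Deny wins, otherwise a Permit, and with no permitting
    Rule the policy answers Deny."""
    policy = ET.fromstring(policy_xml)
    attrs = subject_attrs(ET.fromstring(request_text))
    if not target_matches(policy.find(f"{P}Target"), attrs):
        return "NotApplicable"
    if policy.get("RuleCombiningAlgId") != "identifier:rule-combining-algorithm:deny-overrides":
        raise ValueError("unsupported rule-combining algorithm")
    effects = [r.get("Effect") for r in policy.iterfind(f"{P}Rule")
               if target_matches(r.find(f"{P}Target"), attrs)]
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "Deny"

def response_xml(decision):
    return f'<Response xmlns="{CONTEXT_NS}"><Result><Decision>{decision}</Decision></Result></Response>'

if __name__ == "__main__":
    for who in ("bs@simpsons.com", "dr.hibbert@medico.com"):
        print(who, "->", response_xml(evaluate(POLICY_XML, request_xml(who))))
```

Running it reproduces the message's Deny for bs@simpsons.com and yields Permit for a medico.com mailbox. The third case worth trying is a Request whose subject-id carries a different DataType than the designator asks for: the attribute is then simply not found, the Rule does not apply, and the result is again Deny, which is why the DataType strings on both sides of a match have to agree exactly.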


