[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [xacml] How do I require subject not to be a member of a given group?
Daniel: This may be a use case for your issue with specifying a
sequence in an AttributeValue. Could you let me know if this is
the correct way to do it?
Rule in English: Any subject who is not a member of the
"convicted-felons" group may perform any action on any resource.
Rule in XACML:
<Rule
RuleId="identifier:conformance-test:IIC008:rule"
Effect="Permit">
<Description>
Any subject who is not a member of the
convicted-felons group may perform any action on any
resource.
</Description>
<Target>
<Subjects>
<AnySubject/>
</Subjects>
<Resources>
<AnyResource/>
</Resources>
<Actions>
<AnyAction/>
</Actions>
</Target>
<Condition FunctionId="function:integer-equal">
<Apply FunctionId="function:integer-length">
<Apply FunctionId="function:string-intersection">
<SubjectAttributeDesignator
AttributeId="identifier:conformance-test:group"
DataType="xacml:sequence-string"/>
<AttributeValue
DataType="xacml:sequence-string">
<AttributeValue
DataType="xs:string">convicted-felon</AttributeValue>
</AttributeValue>
</Apply>
</Apply>
<AttributeValue
DataType="xs:integer">0</AttributeValue>
</Condition>
</Rule>
--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC