Subject: [xacml] How do I require subject not to be a member of a given group?
Daniel:

This may be a use case for your issue with specifying a sequence in an AttributeValue. Could you let me know if this is the correct way to do it?

Rule in English:

    Any subject who is not a member of the "convicted-felons" group
    may perform any action on any resource.

Rule in XACML:

    <Rule RuleId="identifier:conformance-test:IIC008:rule" Effect="Permit">
      <Description>
        Any subject who is not a member of the convicted-felons group
        may perform any action on any resource.
      </Description>
      <Target>
        <Subjects>
          <AnySubject/>
        </Subjects>
        <Resources>
          <AnyResource/>
        </Resources>
        <Actions>
          <AnyAction/>
        </Actions>
      </Target>
      <Condition FunctionId="function:integer-equal">
        <Apply FunctionId="function:integer-length">
          <Apply FunctionId="function:string-intersection">
            <SubjectAttributeDesignator
                AttributeId="identifier:conformance-test:group"
                DataType="xacml:sequence-string"/>
            <AttributeValue DataType="xacml:sequence-string">
              <AttributeValue DataType="xs:string">convicted-felon</AttributeValue>
            </AttributeValue>
          </Apply>
        </Apply>
        <AttributeValue DataType="xs:integer">0</AttributeValue>
      </Condition>
    </Rule>

--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
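
Added example, not part of the original message: a small Python evaluator for the Condition as posted, run against constructed subjects to show how a "not a member" test decides. The function semantics, the helper names and the handling of a missing group attribute as an empty sequence are assumptions; under them a subject with no group attribute is also permitted, and the value compared is "convicted-felon" exactly as written in the rule.

```python
import xml.etree.ElementTree as ET
# Condition element reproduced from the rule in the message.
CONDITION = """
<Condition FunctionId="function:integer-equal">
  <Apply FunctionId="function:integer-length">
    <Apply FunctionId="function:string-intersection">
      <SubjectAttributeDesignator AttributeId="identifier:conformance-test:group" DataType="xacml:sequence-string"/>
      <AttributeValue DataType="xacml:sequence-string">
        <AttributeValue DataType="xs:string">convicted-felon</AttributeValue>
      </AttributeValue>
    </Apply>
  </Apply>
  <AttributeValue DataType="xs:integer">0</AttributeValue>
</Condition>
"""
GROUP = "identifier:conformance-test:group"
# Assumed semantics for the function names used in the message.
FUNCTIONS = {
    "function:integer-equal": lambda a, b: a == b,
    "function:integer-length": len,
    "function:string-intersection": lambda a, b: [v for v in a if v in b],
}

def evaluate(node, subject):
    if node.tag in ("Condition", "Apply"):
        return FUNCTIONS[node.get("FunctionId")](*(evaluate(c, subject) for c in node))
    if node.tag == "SubjectAttributeDesignator":
        # Assumption: an attribute the subject lacks resolves to an empty sequence.
        return list(subject.get(node.get("AttributeId"), []))
    if node.tag == "AttributeValue":
        if node.get("DataType") == "xacml:sequence-string":
            return [evaluate(c, subject) for c in node]
        text = (node.text or "").strip()
        return int(text) if node.get("DataType") == "xs:integer" else text
    raise ValueError(f"unsupported element: {node.tag}")

def decide(subject):
    # Effect="Permit" when the Condition is true; otherwise the rule does not apply.
    return "Permit" if evaluate(ET.fromstring(CONDITION), subject) else "NotApplicable"
# Constructed subjects (not from the message).
SUBJECTS = {
    "staff": {GROUP: ["staff", "auditors"]},
    "felon": {GROUP: ["staff", "convicted-felon"]},
    "plural-spelling": {GROUP: ["convicted-felons"]},
    "no-group-attribute": {},
}
if __name__ == "__main__":
    for name, attrs in SUBJECTS.items():
        print(f"{name}: {decide(attrs)}")
```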