Subject: Re: [xacml] How do I require subject not to be a member of a given group?

We currently take the values returned from *AttributeDesignator* to be sequences of a certain type, and those types are understood to be within the "xs:" namespace, which are simplistic, or should I say "primitive" types.

Now, if we choose to make xacml:sequence-* types, we have to make more functions to handle them. This situation means you have to come up with a whole new array of functions.

If an AttributeValue has these xacml:sequence-string types, then a *AttributeDesignator* returns a sequence-<xacml:sequence-string>. The two types xacml:sequence-string and "sequence:<xs:string>" are NOT the same.

This leads to problems with the *Match* elements such as SubjectMatch. What function do you specify when the AttributeDesignator returns a sequence-<xacml:sequence-string>?

-Polar

On Wed, 21 Aug 2002, Anne Anderson wrote:

> Daniel: This may be a use case for your issue with specifying a
> sequence in an AttributeValue.  Could you let me know if this is
> the correct way to do it?
>
> Rule in English: Any subject who is not a member of the
> "convicted-felons" group may perform any action on any resource.
>
> Rule in XACML:
>
>   <Rule
>       RuleId="identifier:conformance-test:IIC008:rule"
>       Effect="Permit">
>     <Description>
>       Any subject who is not a member of the
>       convicted-felons group may perform any action on any
>       resource.
>     </Description>
>     <Target>
>       <Subjects>
>         <AnySubject/>
>       </Subjects>
>       <Resources>
>         <AnyResource/>
>       </Resources>
>       <Actions>
>         <AnyAction/>
>       </Actions>
>     </Target>
>     <Condition FunctionId="function:integer-equal">
>       <Apply FunctionId="function:integer-length">
>         <Apply FunctionId="function:string-intersection">
>           <SubjectAttributeDesignator
>               AttributeId="identifier:conformance-test:group"
>               DataType="xacml:sequence-string"/>
>           <AttributeValue
>               DataType="xacml:sequence-string">
>             <AttributeValue
>                 DataType="xs:string">convicted-felon</AttributeValue>
>           </AttributeValue>
>         </Apply>
>       </Apply>
>       <AttributeValue
>           DataType="xs:integer">0</AttributeValue>
>     </Condition>
>   </Rule>
>
> --
> Anne H. Anderson             Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311     Tel: 781/442-0928
> Burlington, MA 01803-0902 USA  Fax: 781/442-1692
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
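
The type question raised in this message, as an added Python sketch that is not part of the original thread and is not XACML reference code: it evaluates the quoted Condition over typed values and shows where a designator declared with DataType xacml:sequence-string stops matching what string-intersection accepts. The (type, payload) representation, the helper names, the treatment of an absent attribute as an empty sequence, and the sample subjects are all assumptions made for the illustration.

```python
# Added illustration: a simplified typed model of the quoted Condition.
# The (type, payload) representation and helper names are assumptions,
# not XACML-defined APIs.
XS_STRING, XS_INTEGER = "xs:string", "xs:integer"
GROUP = "identifier:conformance-test:group"  # AttributeId from the quoted rule


def seq_of(item_type):
    return f"sequence<{item_type}>"


def designator(subject_attrs, attribute_id, data_type):
    # A designator yields a sequence whose items have the declared DataType.
    # Assumption: an absent attribute is modelled as an empty sequence.
    return (seq_of(data_type), list(subject_attrs.get(attribute_id, [])))


def string_intersection(a, b):
    want = seq_of(XS_STRING)
    for type_name, _ in (a, b):
        if type_name != want:
            raise TypeError(f"string-intersection needs {want}, got {type_name}")
    return (want, [v for v in a[1] if v in b[1]])


def integer_length(seq):
    return (XS_INTEGER, len(seq[1]))


def integer_equal(x, y):
    return x[1] == y[1]


def evaluate_rule(subject_attrs, designator_type=XS_STRING):
    groups = designator(subject_attrs, GROUP, designator_type)
    banned = (seq_of(XS_STRING), ["convicted-felon"])
    count = integer_length(string_intersection(groups, banned))
    # Effect="Permit"; a false Condition leaves the rule not applicable.
    return "Permit" if integer_equal(count, (XS_INTEGER, 0)) else "NotApplicable"


if __name__ == "__main__":
    print(evaluate_rule({GROUP: ["staff"]}))                     # constructed subject
    print(evaluate_rule({GROUP: ["staff", "convicted-felon"]}))  # constructed subject
    print(evaluate_rule({}))  # no group attribute at all still permits
    try:
        evaluate_rule({GROUP: ["staff"]}, "xacml:sequence-string")
    except TypeError as err:
        print("type error:", err)
```

In this model a subject that presents no group attribute is permitted, so a rule written as "not a member of" depends on the group attribute being supplied reliably.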