
Subject: Re: [xacml] How do I require subject not to be a member of a given group?

We currently take the values returned from *AttributeDesignator* to be
sequences of a certain type, and those types are understood to be within
the "xs:" namespace, which are simplistic, or should I say "primitive"

Now, if we choose to make xacml:sequence-* types, we have to make more
functions to handle them.

This situation means you have to come up with a whole new array of
functions. If an AttributeValue has these xacml:sequence-string types,
then a *AttributeDesignator* returns a sequence-<xacml:sequence-string>.

The two types xacml:sequence-string and "sequence:<xs:string>" are NOT the

This leads to problems with the *Match* elements such as SubjectMatch.
What function do you specify when the AttributeDesignator returns a


On Wed, 21 Aug 2002, Anne Anderson wrote:

> Daniel: This may be a use case for your issue with specifying a
> sequence in an AttributeValue.  Could you let me know if this is
> the correct way to do it?
> Rule in English: Any subject who is not a member of the
> "convicted-felons" group may perform any action on any resource.
> Rule in  XACML:
>     <Rule
>           RuleId="identifier:conformance-test:IIC008:rule"
>           Effect="Permit">
>         <Description>
>             Any subject who is not a member of the
>             convicted-felons group may perform any action on any
>             resource.
>         </Description>
>         <Target>
>             <Subjects>
>                 <AnySubject/>
>             </Subjects>
>             <Resources>
>                 <AnyResource/>
>             </Resources>
>             <Actions>
>                 <AnyAction/>
>             </Actions>
>         </Target>
>         <Condition FunctionId="function:integer-equal">
>             <Apply FunctionId="function:integer-length">
>                 <Apply FunctionId="function:string-intersection">
>                     <SubjectAttributeDesignator
>                           AttributeId="identifier:conformance-test:group"
>                           DataType="xacml:sequence-string"/>
>                     <AttributeValue
>                           DataType="xacml:sequence-string">
>                         <AttributeValue
>                               DataType="xs:string">convicted-felon</AttributeValue>
>                     </AttributeValue>
>                 </Apply>
>             </Apply>
>             <AttributeValue
>                   DataType="xs:integer">0</AttributeValue>
>         </Condition>
>     </Rule>
> --
> Anne H. Anderson             Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311     Tel: 781/442-0928
> Burlington, MA 01803-0902 USA  Fax: 781/442-1692
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
