

Subject: Re: [xacml] How do I require subject not to be a member of a given group?



If you allow the following:

<AttributeValue DataType="xacml:sequence-string">
  <AttributeValue DataType="xs:string">Value1</AttributeValue>
  <AttributeValue DataType="xs:string">Value2</AttributeValue>
</AttributeValue>

You must introduce a whole new set of functions that deal with sequences
of each primitive type.

For example, these things can show up in the Subject or a Resource.

Such as
<Subject>
<Attribute AttributeId="FirstNames" DataType="xacml:sequence-string">
    <AttributeValue DataType="xacml:sequence-string">
      <AttributeValue DataType="xs:string">James</AttributeValue>
      <AttributeValue DataType="xs:string">Jimbo</AttributeValue>
    </AttributeValue>
</Attribute>
</Subject>

Now, performing a

    <SubjectAttributeDesignator AttributeId="FirstNames"/>

returns a sequence of length 1, containing:

[
    <AttributeValue DataType="xacml:sequence-string">
      <AttributeValue DataType="xs:string">James</AttributeValue>
      <AttributeValue DataType="xs:string">Jimbo</AttributeValue>
    </AttributeValue>
]

You need functions to pull that apart.

If we want to find out the amount of "first names" in the list we must:

<Apply FunctionId="function:string-sequence-length">
  <Apply FunctionId="function:string-sequence-first">
     <SubjectAttributeDesignator AttributeId="FirstNames"/>
  </Apply>
</Apply>

so we need functions that deal with sequences of each primitive type.

time-sequence-length
dateTime-sequence-length
anyURI-sequence-length
Qname-sequence-length
x500Name-sequence-length
rfc822Name-sequence-length
NOTATION-sequence-length
gregorian-sequence-length
hex-binary-sequence-length
base64-sequence-length

and the analogous ones for -equal, -first, -rest, -member-of, -union,
-intersection.

Question: Do we really want to make the "xacml:*-sequence" data types
equivalent to the sequences returned from XPath or AttributeDesignators?

-Polar


On Wed, 21 Aug 2002, Anne Anderson wrote:

> Daniel: This may be a use case for your issue with specifying a
> sequence in an AttributeValue.  Could you let me know if this is
> the correct way to do it?
>
> Rule in English: Any subject who is not a member of the
> "convicted-felons" group may perform any action on any resource.
>
> Rule in XACML:
>
>     <Rule
>           RuleId="identifier:conformance-test:IIC008:rule"
>           Effect="Permit">
>         <Description>
>             Any subject who is not a member of the
>             convicted-felons group may perform any action on any
>             resource.
>         </Description>
>         <Target>
>             <Subjects>
>                 <AnySubject/>
>             </Subjects>
>             <Resources>
>                 <AnyResource/>
>             </Resources>
>             <Actions>
>                 <AnyAction/>
>             </Actions>
>         </Target>
>         <Condition FunctionId="function:integer-equal">
>             <Apply FunctionId="function:integer-length">
>                 <Apply FunctionId="function:string-intersection">
>                     <SubjectAttributeDesignator
>                           AttributeId="identifier:conformance-test:group"
>                           DataType="xacml:sequence-string"/>
>                     <AttributeValue
>                           DataType="xacml:sequence-string">
>                         <AttributeValue
>                               DataType="xs:string">convicted-felon</AttributeValue>
>                     </AttributeValue>
>                 </Apply>
>             </Apply>
>             <AttributeValue
>                   DataType="xs:integer">0</AttributeValue>
>         </Condition>
>     </Rule>
>
>
>
> --
> Anne H. Anderson             Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311     Tel: 781/442-0928
> Burlington, MA 01803-0902 USA  Fax: 781/442-1692


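To make the two positions in this exchange concrete, here is an added example that is not part of the thread and not XACML reference code: a toy evaluator for Anne's quoted Condition and for Polar's "bag of one sequence" case. It assumes (these are the example's own choices, not the specification's) that an AttributeDesignator returns a bag, modelled as a Python list that is empty when the attribute is absent; that an AttributeValue of DataType "xacml:sequence-string" carries nested AttributeValue children and, when handed straight to a bag function as Anne's rule does, is exposed as a bag; and that the short "function:..." identifiers are the thread's spelling rather than final XACML URIs. The request contexts are constructed for the example.

```python
# Added example (not from the thread): a toy evaluator for the XACML-style
# <Condition> quoted above.  Assumptions, not spec: designators return a bag
# (list, empty if absent); a "xacml:sequence-string" AttributeValue holds
# nested values and is treated as a bag when passed to a bag function; the
# "function:..." identifiers follow the thread's spelling.  Request data is
# constructed for the example.
import xml.etree.ElementTree as ET

SEQ = "xacml:sequence-string"
GROUP_ATTR = "identifier:conformance-test:group"

# Anne's Condition, copied from the quoted rule.
GROUP_CONDITION = """
<Condition FunctionId="function:integer-equal">
  <Apply FunctionId="function:integer-length">
    <Apply FunctionId="function:string-intersection">
      <SubjectAttributeDesignator AttributeId="identifier:conformance-test:group"
                                  DataType="xacml:sequence-string"/>
      <AttributeValue DataType="xacml:sequence-string">
        <AttributeValue DataType="xs:string">convicted-felon</AttributeValue>
      </AttributeValue>
    </Apply>
  </Apply>
  <AttributeValue DataType="xs:integer">0</AttributeValue>
</Condition>
"""

# Polar's expression: unwrap the single sequence in the bag, then count it.
FIRST_NAMES_EXPR = """
<Apply FunctionId="function:string-sequence-length">
  <Apply FunctionId="function:string-sequence-first">
    <SubjectAttributeDesignator AttributeId="FirstNames"/>
  </Apply>
</Apply>
"""

FUNCTIONS = {
    # bag functions used by Anne's rule
    "function:string-intersection": lambda a, b: [v for v in a if v in b],
    "function:integer-length": lambda bag: len(bag),
    "function:integer-equal": lambda x, y: x == y,
    # sequence functions Polar says each primitive type would need
    "function:string-sequence-first": lambda bag: bag[0],
    "function:string-sequence-length": lambda seq: len(seq),
}


def parse_value(el):
    """AttributeValue -> Python value: a sequence becomes a tuple of its
    nested values, xs:integer an int, anything else its text."""
    dt = el.get("DataType")
    if dt == SEQ:
        return tuple(parse_value(c) for c in el if c.tag == "AttributeValue")
    text = (el.text or "").strip()
    return int(text) if dt == "xs:integer" else text


def evaluate(el, request):
    """Evaluate a Condition/Apply tree against a request context, which maps
    AttributeId -> list of values (a multi-valued attribute is a bag)."""
    if el.tag in ("Condition", "Apply"):
        fn = FUNCTIONS[el.get("FunctionId")]
        return fn(*(evaluate(child, request) for child in el))
    if el.tag == "SubjectAttributeDesignator":
        return list(request.get(el.get("AttributeId"), []))  # bag, maybe empty
    if el.tag == "AttributeValue":
        value = parse_value(el)
        # Anne's rule hands a sequence literal to string-intersection, so a
        # sequence literal is exposed as a bag here; primitives stay single.
        return list(value) if el.get("DataType") == SEQ else value
    raise ValueError(f"unsupported element {el.tag}")


def rule_permits(request):
    """Anne's rule: Permit iff the subject's group bag has no 'convicted-felon'."""
    holds = evaluate(ET.fromstring(GROUP_CONDITION), request)
    return "Permit" if holds else "NotApplicable"


def first_name_counts(request):
    """Polar's point: the designator yields a bag of length 1 whose single
    member is the sequence; -first then -length is needed to count names."""
    designator = '<SubjectAttributeDesignator AttributeId="FirstNames"/>'
    bag = evaluate(ET.fromstring(designator), request)
    return len(bag), evaluate(ET.fromstring(FIRST_NAMES_EXPR), request)


if __name__ == "__main__":
    print(rule_permits({GROUP_ATTR: ["employees"]}))                     # Permit
    print(rule_permits({GROUP_ATTR: ["employees", "convicted-felon"]}))  # NotApplicable
    print(rule_permits({}))                                              # Permit
    print(first_name_counts({"FirstNames": [("James", "Jimbo")]}))       # (1, 2)
```

Two things the run makes visible. First, Polar's objection: with "FirstNames" stored as one sequence-typed value, `integer-length` of the designator's bag is 1, and only `string-sequence-first` followed by `string-sequence-length` yields 2, so every primitive type that can appear inside a sequence needs its own unwrap and count functions. Second, a caveat on Anne's rule as written: when the group attribute is absent from the request (not provisioned, or stripped by an intermediary), the designator's bag is empty, the intersection is empty, its length is 0, and the rule permits. A "not a member of" rule expressed as an empty intersection therefore fails open on missing data; a deployment that intends the opposite needs a companion Deny rule or an explicit presence check.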

