Subject: Re: [xacml] How do I require subject not to be a member of a given group?
If you allow the following:

  <AttributeValue DataType="xacml:sequence-string">
    <AttributeValue DataType="xs:string">Value1</AttributeValue>
    <AttributeValue DataType="xs:string">Value2</AttributeValue>
  </AttributeValue>

you must introduce a whole new set of functions that deal with sequences of each primitive type. For example, these things can show up in the Subject or a Resource, such as:

  <Subject>
    <Attribute AttributeId="FirstNames" DataType="xacml:sequence-string">
      <AttributeValue DataType="xacml:sequence-string">
        <AttributeValue DataType="xs:string">James</AttributeValue>
        <AttributeValue DataType="xs:string">Jimbo</AttributeValue>
      </AttributeValue>
    </Attribute>
  </Subject>

Now, performing a <SubjectAttributeDesignator AttributeId="FirstNames"/> returns a sequence of length 1, containing:

  [
    <AttributeValue DataType="xacml:sequence-string">
      <AttributeValue DataType="xs:string">James</AttributeValue>
      <AttributeValue DataType="xs:string">Jimbo</AttributeValue>
    </AttributeValue>
  ]

You need functions to pull that apart. If we want to find out the number of "first names" in the list we must:

  <Apply FunctionId="function:string-sequence-length">
    <Apply FunctionId="function:string-sequence-first">
      <SubjectAttributeDesignator AttributeId="FirstNames"/>
    </Apply>
  </Apply>

so we need functions that deal with a sequence of each primitive type:

  time-sequence-length
  dateTime-sequence-length
  anyURI-sequence-length
  QName-sequence-length
  x500Name-sequence-length
  rfc822Name-sequence-length
  NOTATION-sequence-length
  gregorian-sequence-length
  hex-binary-sequence-length
  base64-sequence-length

and the analogous ones for -equal, -first, -rest, -member-of, -union, -intersection, ...

Question: Do we really want to make the "xacml:*-sequence" data types equivalent with the sequences returned from XPath or AttributeDesignators?

-Polar

On Wed, 21 Aug 2002, Anne Anderson wrote:

> Daniel: This may be a use case for your issue with specifying a
> sequence in an AttributeValue.
> Could you let me know if this is the correct way to do it?
>
> Rule in English: Any subject who is not a member of the
> "convicted-felons" group may perform any action on any resource.
>
> Rule in XACML:
>
> <Rule
>     RuleId="identifier:conformance-test:IIC008:rule"
>     Effect="Permit">
>   <Description>
>     Any subject who is not a member of the
>     convicted-felons group may perform any action on any
>     resource.
>   </Description>
>   <Target>
>     <Subjects>
>       <AnySubject/>
>     </Subjects>
>     <Resources>
>       <AnyResource/>
>     </Resources>
>     <Actions>
>       <AnyAction/>
>     </Actions>
>   </Target>
>   <Condition FunctionId="function:integer-equal">
>     <Apply FunctionId="function:integer-length">
>       <Apply FunctionId="function:string-intersection">
>         <SubjectAttributeDesignator
>             AttributeId="identifier:conformance-test:group"
>             DataType="xacml:sequence-string"/>
>         <AttributeValue
>             DataType="xacml:sequence-string">
>           <AttributeValue
>               DataType="xs:string">convicted-felon</AttributeValue>
>         </AttributeValue>
>       </Apply>
>     </Apply>
>     <AttributeValue
>         DataType="xs:integer">0</AttributeValue>
>   </Condition>
> </Rule>
>
> --
> Anne H. Anderson               Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive, UBUR02-311    Tel: 781/442-0928
> Burlington, MA 01803-0902 USA  Fax: 781/442-1692
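As an added example (not code from this thread, nor from any XACML implementation), the following Python toy model evaluates the four functions in Anne's Condition over constructed request contexts. It shows the mismatch Polar describes: a group attribute carried as one xacml:sequence-string value is invisible to a flat string-intersection, so a convicted felon is still permitted; an absent group attribute is permitted for the same reason. Bag-as-list and empty-bag-when-absent semantics are assumptions.

```python
# Added illustration (not code from the XACML thread): a toy model of the four
# functions in Anne's Condition, run over constructed request contexts.
# Assumptions: a designator returns a bag (Python list) of attribute values;
# a flat xs:string value is a str, an xacml:sequence-string value is a tuple of
# str; an attribute missing from the request yields an empty bag.

CONDITION_ATTR = "identifier:conformance-test:group"
FORBIDDEN = ["convicted-felon"]          # the literal in Anne's AttributeValue

def subject_attribute_designator(request: dict, attribute_id: str) -> list:
    """Bag of values carried for attribute_id in the Subject; empty if absent."""
    return list(request.get(attribute_id, []))

def string_intersection(bag_a: list, bag_b: list) -> list:
    """Bag of xs:string values found in both bags (order of bag_a kept).
    A nested sequence value is a tuple, not a str, so it never matches: this
    is the gap Polar points at, which would need string-sequence-first etc."""
    return [v for v in bag_a if isinstance(v, str) and v in bag_b]

def integer_length(bag: list) -> int:
    return len(bag)

def integer_equal(a: int, b: int) -> bool:
    return a == b

def condition_holds(request: dict) -> bool:
    """integer-equal(integer-length(string-intersection(groups, FORBIDDEN)), 0)"""
    groups = subject_attribute_designator(request, CONDITION_ATTR)
    overlap = string_intersection(groups, FORBIDDEN)
    return integer_equal(integer_length(overlap), 0)

def evaluate_rule(request: dict) -> str:
    """Target is AnySubject/AnyResource/AnyAction and Effect is Permit, so the
    rule yields Permit when the Condition is true and NotApplicable otherwise."""
    return "Permit" if condition_holds(request) else "NotApplicable"

# Constructed request contexts (not from the thread).
FLAT_STUDENT = {CONDITION_ATTR: ["students", "staff"]}              # flat bag of xs:string
FLAT_FELON = {CONDITION_ATTR: ["students", "convicted-felon"]}      # flat bag, in the group
NESTED_FELON = {CONDITION_ATTR: [("students", "convicted-felon")]}  # one sequence-string value
ABSENT_GROUP = {}                                                   # attribute not supplied

if __name__ == "__main__":
    for name, req in [("FLAT_STUDENT", FLAT_STUDENT), ("FLAT_FELON", FLAT_FELON),
                      ("NESTED_FELON", NESTED_FELON), ("ABSENT_GROUP", ABSENT_GROUP)]:
        print(f"{name:13s} -> {evaluate_rule(req)}")
```

Both unexpected Permits arise because "intersection length 0" also covers "no evidence of membership", so a rule of this shape should be paired with a check that the group attribute was actually present and in the expected flat form.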