Subject: Example: 35. Policy on revealing missing attributes

We agreed to close #35 so long as someone wrote up how an
existing XACML policy can be used for this.  This is a proof of
concept example.  Other representations are possible and probably

Use model: the PDP-side component that builds the Response
Context (response-context-builder) has its own PDP.  This PDP is
configured with the policies used to determine which actions the
response-context-builder is allowed to perform.

For each action the response-context-builder attempts to perform
(such as add a missing attribute to the list), it issues an XACML
Request to the PDP that looks as follows:

      <Attribute AttributeId="resource-id">   <!-- the AttributeId in question -->
      </Attribute>
      <Attribute AttributeId="action-id">     <!-- e.g. "add missing attribute" -->
      </Attribute>

This is an example of a policy that the
response-context-builder's PDP might be configured with:

<Policy PolicyId="25" RuleCombiningAlgId="deny-overrides">
  <Rule Effect="Permit">
    <Condition FunctionId="and">
      <Apply FunctionId="anyURI-equal">
        <ActionAttributeDesignator AttributeId="action-id"/>
        <!-- AttributeValue naming the "add missing attribute" action -->
      </Apply>
      <Apply FunctionId="all-of-any">
        <Function FunctionId="anyURI-equal"/>
        <ResourceAttributeDesignator AttributeId="resource-id"/>
        <Apply FunctionId="anyURI-bag">
          <!-- list of all AttributeIds the component is allowed to
               return -->
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>

If the result is "Permit", then the component adds the attribute
to the return list.  Otherwise, the component omits the attribute
from the return list.

Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
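
Added example (editor's, not part of Anne Anderson's message or of any
XACML TC document): a small Python evaluator that plays the role of the
response-context-builder's own PDP.  It parses a policy shaped like the
one above, implements only the short function names the message uses
(and, anyURI-equal, anyURI-bag, all-of-any) plus XACML 1.0 deny-overrides
rule combining, and applies the use model: one Request per candidate
AttributeId, and the attribute is added to the return list only on
Permit.  The action value "add-missing-attribute", the allow-list of
AttributeIds and the sample list of missing attributes are all
hypothetical.

```python
# Added example, not from the original message or any XACML TC artefact.
# Assumptions (mine): draft-era short function names, a hypothetical
# action value "add-missing-attribute", and a hypothetical allow-list.
import xml.etree.ElementTree as ET

# Constructed policy modelled on the one in the message.
POLICY_XML = """
<Policy PolicyId="25" RuleCombiningAlgId="deny-overrides">
  <Rule RuleId="reveal-listed-attributes" Effect="Permit">
    <Condition FunctionId="and">
      <Apply FunctionId="anyURI-equal">
        <ActionAttributeDesignator AttributeId="action-id"/>
        <AttributeValue>add-missing-attribute</AttributeValue>
      </Apply>
      <Apply FunctionId="all-of-any">
        <Function FunctionId="anyURI-equal"/>
        <ResourceAttributeDesignator AttributeId="resource-id"/>
        <Apply FunctionId="anyURI-bag">
          <AttributeValue>urn:example:subject:role</AttributeValue>
          <AttributeValue>urn:example:resource:classification</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>
"""

class Indeterminate(Exception):
    pass  # a function could not be evaluated (missing or ambiguous attribute)

def one(value):
    # *-equal takes single values; a designator yields a bag, which must
    # hold exactly one element to be usable (cf. XACML's one-and-only).
    if isinstance(value, list):
        if len(value) != 1:
            raise Indeterminate("expected exactly one value, got %d" % len(value))
        return value[0]
    return value

FUNCTIONS = {
    "and": lambda *args: all(args),
    "anyURI-equal": lambda a, b: one(a) == one(b),
    "anyURI-bag": lambda *values: list(values),
    # all-of-any(f, A, B): every a in A matches some b in B under f.
    "all-of-any": lambda fid, a_bag, b_bag: all(
        any(FUNCTIONS[fid](a, b) for b in b_bag) for a in a_bag),
}

def evaluate(node, request):
    """Evaluate one policy expression node against a request context."""
    tag = node.tag
    if tag == "AttributeValue":
        return (node.text or "").strip()
    if tag == "ActionAttributeDesignator":
        return list(request["action"].get(node.get("AttributeId"), []))
    if tag == "ResourceAttributeDesignator":
        return list(request["resource"].get(node.get("AttributeId"), []))
    if tag == "Function":
        return node.get("FunctionId")      # handed to all-of-any as a value
    if tag in ("Apply", "Condition"):
        args = [evaluate(child, request) for child in node]
        return FUNCTIONS[node.get("FunctionId")](*args)
    raise ValueError("unsupported element <%s>" % tag)

def decide(policy_xml, request):
    """Combine the policy's rules with XACML 1.0 deny-overrides semantics."""
    policy = ET.fromstring(policy_xml.strip())
    if policy.get("RuleCombiningAlgId") != "deny-overrides":
        raise ValueError("only deny-overrides is implemented here")
    at_least_one_permit = at_least_one_error = potential_deny = False
    for rule in policy.findall("Rule"):
        effect = rule.get("Effect")
        cond = rule.find("Condition")
        try:
            applies = True if cond is None else bool(evaluate(cond, request))
        except Indeterminate:
            at_least_one_error = True
            potential_deny = potential_deny or effect == "Deny"
            continue
        if not applies:
            continue                        # rule is NotApplicable
        if effect == "Deny":
            return "Deny"
        at_least_one_permit = True
    if potential_deny:
        return "Deny"
    if at_least_one_permit:
        return "Permit"
    if at_least_one_error:
        return "Indeterminate"
    return "NotApplicable"

def filter_missing_attributes(policy_xml, missing_ids, action="add-missing-attribute"):
    """The builder's use model: ask the PDP once per candidate AttributeId and
    keep only those it may reveal; anything but Permit omits it (fail closed)."""
    revealed = []
    for attr_id in missing_ids:
        request = {"resource": {"resource-id": [attr_id]},
                   "action": {"action-id": [action]}}
        if decide(policy_xml, request) == "Permit":
            revealed.append(attr_id)
    return revealed
```

With the constructed list ["urn:example:subject:role",
"urn:example:subject:clearance", "urn:example:resource:classification"]
as the attributes the main PDP found missing, filter_missing_attributes
returns only the two listed in the anyURI-bag; the clearance attribute's
existence is never revealed.  Deny, NotApplicable and Indeterminate all
omit the attribute, so a Request that lacks the action attribute (which
makes anyURI-equal Indeterminate) still fails closed, which is the
property the "Otherwise, the component omits the attribute" step depends
on.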

