

Subject: Re: [xacml] Comments on xacml-profile-hierarchical-resources draft


exactly. so at the risk of sounding obtuse, aren't you just using an 
existing function to match XPath on <md:PatientName> and <md:Physician> 
combining the input with an OR function? (which is how i was thinking 
this would be handled in my previous note). how does this introduce the 
'hierarchical resource' mechanics? or more precisely, how does this 
affect michiharu's proposal?

sorry, but i am missing the connection. this is why i asked the 
initial question; it seems to me that 'hierarchical resources' are by 
definition something that needs to be treated iteratively.

thanks

b


Anne Anderson wrote:

> Request:
>    <Subject>subject-id="Anne Anderson"</Subject>
>    <Resource>resource-id="http://www.medco.com/patient-records/Record0001.xml"
>      <ResourceContent>
>          <md:Record>
>            <md:PatientName>Anne Anderson</md:PatientName>
>            <md:Physician>Dr. Doofus</md:Physician>
>            <md:Diagnosis>sick</md:Diagnosis>
>          </md:Record>
>      </ResourceContent>
>    </Resource>
>    <Action>action-id="read"</Action>
> 
> <Policy PolicyId="Anne's example" CombiningAlgorithm="whatever">
>    <Target>
>       <Resource MatchId="anyURI-match">
>           <AttributeValue
>              DataType="anyURI">http://www.medco.com/patient-records/Record0001.xml</AttributeValue>
>           <ResourceAttributeDesignator
>              AttributeId="resource-id"
>              DataType="anyURI"/>
>       </Resource>
>    </Target>
>  <Rule Effect="Permit">
>    <Condition FunctionId="or">
>       <Apply FunctionId="string-match">
>          <AttributeSelector
>             RequestContextPath="//Resource/ResourceContent/md:Record/md:PatientName/text()"
>             DataType="string"/>
>          <SubjectAttributeDesignator
>             AttributeId="subject-id"
>             DataType="string"/>
>       </Apply>
>       <Apply FunctionId="string-match">
>          <AttributeSelector
>             RequestContextPath="//Resource/ResourceContent/md:Record/md:Physician/text()"
>             DataType="string"/>
>          <SubjectAttributeDesignator
>             AttributeId="subject-id"
>             DataType="string"/>
>       </Apply>
>       <Apply FunctionId="string-match">
>          <AttributeValue            
>             DataType="string">urn:medco:role:Administrator</AttributeValue>
>          <SubjectAttributeDesignator
>             AttributeId="role"
>             DataType="anyURI"/>
>       </Apply>
>    </Condition>
>   </Rule>
> </Policy>
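
The quoted request and policy, evaluated in Python as an added example that is not part of either post and is not a XACML implementation. Assumptions: `string-match` is treated as plain string equality, the `md` namespace URI is a constructed placeholder (the post never declares it), and `select` and `evaluate` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed namespace URI: the post uses the md: prefix without declaring it.
NS = {"md": "urn:example:md"}

# ResourceContent from the quoted request, with the placeholder namespace added.
RESOURCE_CONTENT = """
<ResourceContent xmlns:md="urn:example:md">
  <md:Record>
    <md:PatientName>Anne Anderson</md:PatientName>
    <md:Physician>Dr. Doofus</md:Physician>
    <md:Diagnosis>sick</md:Diagnosis>
  </md:Record>
</ResourceContent>
"""

RECORD_URI = "http://www.medco.com/patient-records/Record0001.xml"
ADMIN_ROLE = "urn:medco:role:Administrator"


def select(content, path):
    """AttributeSelector stand-in: return the bag of text values at path."""
    return [e.text for e in content.findall(path, NS) if e.text is not None]


def evaluate(subject_id, roles, resource_id, content_xml=RESOURCE_CONTENT):
    """Return 'Permit' or 'NotApplicable' for the quoted policy (hypothetical helper)."""
    # Target: the policy names exactly one resource-id.
    if resource_id != RECORD_URI:
        return "NotApplicable"
    content = ET.fromstring(content_xml)
    # Condition: a flat OR of three independent matches; nothing walks a hierarchy.
    matches = (
        subject_id in select(content, "md:Record/md:PatientName"),
        subject_id in select(content, "md:Record/md:Physician"),
        ADMIN_ROLE in roles,
    )
    return "Permit" if any(matches) else "NotApplicable"
```

Because the Target pins a single `resource-id`, a request for any other record falls outside the policy regardless of what its `ResourceContent` holds.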


