Subject: Re: [xacml-comment] AttributeSelector initial context as resource node
Paul,

I believe you can get the desired result by doing something like this:

<Match MatchId="xpath-node-equal">
  <AttributeValue DataType="xpathExpression">
    xpath-which-selects-the-permissible-nodes
  </AttributeValue>
  <AttributeDesignator DataType="xpathExpression" AttributeId="resource-id" />
</Match>

Replace "xpath-which-selects-the-permissible-nodes" with an xpath which selects bar nodes which do not have a foo ancestor. You need to look up the exact details in the spec, but I hope you get the idea.

I think the functionality which you proposed is fairly complex and I would like to avoid adding that to the spec since the use case can already be handled in this manner.

Regards,
Erik

Tyson, Paul H wrote:
> Consider adding an optional attribute on <AttributeSelector> to start at
> the resource node instead of the <Content> element. This would only
> have to be supported under a hierarchical profile. The attribute could
> be named "ResourceContextPath", and would be used instead of
> "RequestContextPath" when the evaluation should start from the node on
> which a decision is wanted.
>
> When writing policies for hierarchical resources, it is sometimes
> convenient to express a condition based on the value of another node in
> the request content, relative to the resource node on which the decision
> is requested.
>
> <AttributeSelector> only allows xpath expressions with initial context
> of the <Content> request element.
>
> For example, suppose the resource content looks like this:
>
> <node xmlns="my-namespace">
>   <att name="att1">foo</att>
>   <node>
>     <att name="att1">foo</att>
>     <att name="att2">abc</att>
>   </node>
>   <node>
>     <att name="att1">bar</att>
>     <att name="att2">xyz</att>
>   </node>
> </node>
>
> I have a business rule that says no node with att1="bar" should have an
> ancestor node whose att1="foo". (Conversely, no node with att1="foo"
> should have a descendant with att1="bar". But I don't want a decision
> on the ancestor, I want a decision for each descendant.)
>
> I want decisions on all nested nodes, so my request will include the
> appropriate scope and resource-id attributes for an xpath-expression
> multi-resource request.
>
> The problem is writing the rule. Nodes can be nested to any depth. The
> rule can be stated as: "if the resource att1='bar', and any ancestor
> node has att1='foo', then deny; otherwise permit". This goes directly
> into a XACML Policy with two Rules. The essential parts of the policy
> might look like this (using the proposed "ResourceContextPath" attribute
> on AttributeSelector):
>
> <Policy xmlns:mns="my-namespace"
>         RuleCombiningAlgId="...first-applicable">
>
>   <Target>
>     <AnyOf>
>       <AllOf>
>         <Match MatchId="urn:oasis:names:tc:xacml:3.0:xpath-node-match">
>           <AttributeValue
>               DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression"
>               XPathCategory="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
>           >mns:node//mns:node</AttributeValue>
>           <AttributeDesignator
>               Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
>               AttributeId="urn:oasis:names:tc:xacml:1.0:resource:xpath"
>               DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression"/>
>         </Match>
>       </AllOf>
>     </AnyOf>
>   </Target>
>
>   <Rule RuleId="deny-bar-if-ancestor-foo" Effect="Deny">
>     <Target>
>       <AnyOf>
>         <AllOf>
>           <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bar</AttributeValue>
>             <AttributeSelector
>                 ResourceContextPath="mns:att[@name='att1']"
>                 DataType="http://www.w3.org/2001/XMLSchema#string"
>                 MustBePresent="false"
>                 Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"/>
>           </Match>
>           <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">foo</AttributeValue>
>             <AttributeSelector
>                 ResourceContextPath="ancestor::mns:node/mns:att[@name='att1']"
>                 DataType="http://www.w3.org/2001/XMLSchema#string"
>                 MustBePresent="false"
>                 Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"/>
>           </Match>
>         </AllOf>
>       </AnyOf>
>     </Target>
>   </Rule>
>
>   <Rule RuleId="permit-otherwise" Effect="Permit"/>
>
> </Policy>
>
> If there is another way to address this use case using existing XACML
> features I would like to know about it.
>
> --Paul Tyson
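The approach Erik sketches above, worked through as an added Python example that is not from either poster: it computes the node-set that a permissible-nodes XPath (an assumed filling for his placeholder) selects from a constructed content sample, and evaluates an xpath-node-equal Match for a given resource-id, so a node matches only if it is a bar node with no foo ancestor.

```python
import xml.etree.ElementTree as ET

NS = {"mns": "my-namespace"}

# Constructed sample (not Paul's exact content, whose foo root leaves no
# permissible node): a bar root, a foo child hiding a bar grandchild, a bar child.
CONTENT = """<node xmlns="my-namespace">
  <att name="att1">bar</att>
  <node>
    <att name="att1">foo</att>
    <node><att name="att1">bar</att></node>
  </node>
  <node><att name="att1">bar</att></node>
</node>"""

# Assumed filling for Erik's "xpath-which-selects-the-permissible-nodes".
# ElementTree's XPath subset lacks ancestor:: and not(), so
# permissible_nodes() computes the same node-set with a tree walk.
PERMISSIBLE_XPATH = ("//mns:node[mns:att[@name='att1']='bar']"
                     "[not(ancestor::mns:node[mns:att[@name='att1']='foo'])]")


def att1(node):
    """The node's own att1 value, or None if it has none."""
    for att in node.findall("mns:att", NS):
        if att.get("name") == "att1":
            return att.text
    return None


def _walk(node, path, ancestors, table):
    table[path] = (att1(node), ancestors)
    for i, child in enumerate(node.findall("mns:node", NS), start=1):
        _walk(child, f"{path}/mns:node[{i}]", ancestors + (att1(node),), table)


def node_table(content):
    """Map each node's positional XPath (its resource-id) to (own att1, ancestor att1s)."""
    table = {}
    _walk(ET.fromstring(content), "/mns:node[1]", (), table)
    return table


def permissible_nodes(content):
    """Node-set the AttributeValue XPath selects: bar nodes with no foo ancestor."""
    return {p for p, (own, anc) in node_table(content).items()
            if own == "bar" and "foo" not in anc}


def target_matches(content, resource_id):
    """Erik's Match: xpath-node-equal (node identity, not descendancy) between
    the permissible node-set and the resource-id XPath of the node under decision."""
    return resource_id in permissible_nodes(content)
```

Run the Match once per node of an xpath-expression multi-resource request; a node that fails it is left to whatever fallback rule the policy carries.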