

Subject: RE: [xacml] Groups - IPC WD-05 uploaded


The examples are a step forward, but they need to be valid per the wd-17 schema and use the proposed IPC attribute ids.  One way to create valid XML is to use a schema-aware xml editor.  I just updated http://wiki.oasis-open.org/xacml/RelaxNG_Schemas with the wd-17 schema for the benefit of those who use emacs nxml-mode or some other RelaxNG tool.

I’ve attached a partially-corrected version of the first policy—it is schema-valid but still has some nonstandard AttributeIds.

Also attached is an html view of the policy which employs a graphical notation to show attribute constraints in target matches and conditions.

I will have more comments on the business intent of the policies, but my first impression is that they are more academic in nature than real-world.  Copyrights and trademarks are by definition already protected IP, and although XACML can be used to enforce license agreements around these types of IP I do not see that as the biggest challenge in this space.  The trade secret policy is meatier; I will have more comments and some alternate approaches for this.

Regards,

--Paul


From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of John Tolbert
Sent: Friday, October 14, 2011 12:27
To: xacml@lists.oasis-open.org
Subject: [xacml] Groups - IPC WD-05 uploaded

Submitter's message
WD-05 contains sample requests and policies.
-- Mr. John Tolbert

Document Name: IPC WD-05

Description
XACML Intellectual Property Controls profile, working draft 5

Submitter: Mr. John Tolbert
Group: OASIS eXtensible Access Control Markup Language (XACML) TC
Folder: Specifications and Working Drafts
Date submitted: 2011-10-14 10:26:53


Title: copyright-approve
Policy: copyright-approve
Version: 1
Description: Example access control policy for copyright material

Target
  This policy applies to requests that meet the following conditions.
    string-equal "COPYRIGHT"   Resource@ip-type

Rules
  The rule combining algorithm is deny-overrides.

  Rule: right to use copyrighted material match
    allow if subject's association to the designated custodian of the copyright agrees

    Target
      This policy applies to requests that meet the following conditions.
        and
          string-equal "Wiley Corp"  Subject@Organizational-Affiliation
          string-equal "CR101"       Subject@Agreement-Designator
          string-equal "CR101"       Resource@agreement-designator
          string-equal "Acme"        Resource@ip-owner
          string-equal "Wiley Corp"  Resource@ip-designee

    Condition
      IF
        and
          date-greater-than-or-equal
            date-one-and-only Environment@current-date
            date-one-and-only Resource@effective-date
          date-less-than-or-equal
            date-one-and-only Environment@current-date
            date-one-and-only Resource@expiration-date
      THEN Permit

Obligations
  Obligation: urn:oasis:names:tc:ipc:1.0:obligation:encrypt
    Fulfill on: Permit

  Obligation: urn:oasis:names:tc:ipc:1.0:obligation:marking
    Fulfill on: Permit
    Attribute assignments
      id:    urn:oasis:names:tc:xacml:2.0:example:attribute:text
      value: ©2011 Acme

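The decision logic of the copyright-approve policy shown above, reduced to a Python function as an added example that is not part of the email, the attachment or the IPC draft: request attributes are modelled as bags keyed "Category@AttributeId" exactly as the HTML view names them, and the date window is evaluated with one-and-only semantics so that an absent or multi-valued date (permitted by MustBePresent="false") yields Indeterminate rather than a silent Permit or Deny. The sample request is constructed.

```python
from datetime import date

ENCRYPT = "urn:oasis:names:tc:ipc:1.0:obligation:encrypt"
MARKING = "urn:oasis:names:tc:ipc:1.0:obligation:marking"
# Rule target from the HTML view: AllOf, so every pair must match.
RULE_TARGET = [
    ("Subject@Organizational-Affiliation", "Wiley Corp"),
    ("Subject@Agreement-Designator", "CR101"),
    ("Resource@agreement-designator", "CR101"),
    ("Resource@ip-owner", "Acme"),
    ("Resource@ip-designee", "Wiley Corp"),
]

def one_and_only(bag):
    """date-one-and-only: exactly one value, otherwise Indeterminate."""
    if len(bag) != 1:
        raise LookupError("Indeterminate")
    return bag[0]

def all_of(req, pairs):
    """AllOf of string-equal matches; an absent attribute simply fails to match."""
    return all(value in req.get(attr, []) for attr, value in pairs)

def evaluate_copyright_approve(req):
    """req maps 'Category@AttributeId' to a bag (list) of values;
    returns (decision, obligations) for this one-rule deny-overrides policy."""
    if not all_of(req, [("Resource@ip-type", "COPYRIGHT")]):
        return "NotApplicable", []  # policy target does not match
    if not all_of(req, RULE_TARGET):
        return "NotApplicable", []  # rule target does not match
    try:
        today = one_and_only(req.get("Environment@current-date", []))
        effective = one_and_only(req.get("Resource@effective-date", []))
        expires = one_and_only(req.get("Resource@expiration-date", []))
    except LookupError:
        # MustBePresent="false" lets an absent date reach one-and-only, which
        # then errors: the rule is Indeterminate, neither Permit nor Deny.
        return "Indeterminate", []
    if effective <= today <= expires:
        return "Permit", [ENCRYPT, MARKING]  # both obligations FulfillOn Permit
    return "NotApplicable", []  # condition false: rule is NotApplicable

# Constructed sample request that lies inside the licence window.
SAMPLE_REQUEST = {attr: [value] for attr, value in RULE_TARGET}
SAMPLE_REQUEST.update({"Resource@ip-type": ["COPYRIGHT"],
                       "Environment@current-date": [date(2011, 10, 14)],
                       "Resource@effective-date": [date(2011, 1, 1)],
                       "Resource@expiration-date": [date(2012, 12, 31)]})
```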
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="copyright-approve" Version="1"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Description>Example access control policy for copyright material</Description>
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue
              DataType="http://www.w3.org/2001/XMLSchema#string">COPYRIGHT
          </AttributeValue>
          <AttributeDesignator
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:ip-type"
              DataType="http://www.w3.org/2001/XMLSchema#string"
              MustBePresent="false"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule RuleId="right to use copyrighted material match" Effect="Permit">
    <Description>
      allow if subject's association to the designated custodian of the
      copyright agrees
    </Description>
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue
                DataType="http://www.w3.org/2001/XMLSchema#string">Wiley Corp
            </AttributeValue>
            <AttributeDesignator
                Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                AttributeId="Organizational-Affiliation"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                MustBePresent="false"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue
                DataType="http://www.w3.org/2001/XMLSchema#string">CR101
            </AttributeValue>
            <AttributeDesignator
                Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                AttributeId="Agreement-Designator"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                MustBePresent="false"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue
                DataType="http://www.w3.org/2001/XMLSchema#string">CR101
            </AttributeValue>
            <AttributeDesignator
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:agreement-designator"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                MustBePresent="false"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue
                DataType="http://www.w3.org/2001/XMLSchema#string">Acme
            </AttributeValue>
            <AttributeDesignator
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:ip-owner"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                MustBePresent="false"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue
                DataType="http://www.w3.org/2001/XMLSchema#string">Wiley Corp
            </AttributeValue>
            <AttributeDesignator
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:ip-designee"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply
            FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal">
          <Apply
              FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
            <AttributeDesignator
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
                DataType="http://www.w3.org/2001/XMLSchema#date"
                AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date"
                MustBePresent="false"/>
          </Apply>
          <Apply
              FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
            <AttributeDesignator
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:effective-date"
                DataType="http://www.w3.org/2001/XMLSchema#date"
                MustBePresent="false"/>
          </Apply>
        </Apply>
        <Apply
            FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal">
          <Apply
              FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
            <AttributeDesignator
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
                DataType="http://www.w3.org/2001/XMLSchema#date"
                AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date"
                MustBePresent="false"/>
          </Apply>
          <Apply
              FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
            <AttributeDesignator
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:expiration-date"
                DataType="http://www.w3.org/2001/XMLSchema#date"
                MustBePresent="false"/>
          </Apply>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <ObligationExpressions>
    <ObligationExpression ObligationId="urn:oasis:names:tc:ipc:1.0:obligation:encrypt"
        FulfillOn="Permit"/>
    <ObligationExpression ObligationId="urn:oasis:names:tc:ipc:1.0:obligation:marking"
        FulfillOn="Permit">
      <AttributeAssignmentExpression
          AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">©2011  Acme</AttributeValue>
      </AttributeAssignmentExpression>
    </ObligationExpression>
  </ObligationExpressions>
</Policy>
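A small check of the kind Paul's comment calls for, added here as an example and not part of the draft, the attachment or the thread: it parses a constructed, trimmed excerpt of the policy with the standard library, confirms the document is well-formed XML rooted in the wd-17 namespace, and lists every AttributeId that is neither an IPC profile id nor the XACML core current-date id. It assumes the proposed IPC ids share the urn:oasis:names:tc:xacml:3.0:profiles:ipc: prefix the policy already uses; it is not a schema validation, which still needs the RelaxNG schema and a schema-aware editor as the email suggests.

```python
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
IPC_PREFIX = "urn:oasis:names:tc:xacml:3.0:profiles:ipc:"  # assumed IPC id prefix
# Core XACML ids the copyright-approve policy relies on besides the IPC ids.
CORE_IDS = {"urn:oasis:names:tc:xacml:1.0:environment:current-date"}

# Constructed, trimmed excerpt of the copyright-approve rule target:
# two of its five matches, one with a bare (nonstandard) AttributeId.
POLICY_XML = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="copyright-approve" Version="1"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Rule RuleId="right to use copyrighted material match" Effect="Permit">
    <Target><AnyOf><AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Wiley Corp</AttributeValue>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            AttributeId="Organizational-Affiliation"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </Match>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Acme</AttributeValue>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
            AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:ip-owner"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
</Policy>"""

def is_well_formed(xml_text):
    """True if the text parses as XML at all. A stray character after an
    attribute's closing quote, e.g. DataType="...#string";, fails this."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def nonstandard_attribute_ids(xml_text):
    """Return, in document order, every AttributeDesignator AttributeId that is
    neither an IPC profile id nor a known core id; reject a non-wd-17 root."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{XACML_NS}}}Policy":
        raise ValueError(f"root is {root.tag}, expected a wd-17 Policy")
    found = []
    for designator in root.iter(f"{{{XACML_NS}}}AttributeDesignator"):
        attr_id = designator.get("AttributeId", "")
        if not attr_id.startswith(IPC_PREFIX) and attr_id not in CORE_IDS:
            found.append(attr_id)
    return found
```

Run against the full attached policy, the same walk flags Organizational-Affiliation and Agreement-Designator, the two subject ids Paul left as nonstandard.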

