Subject: RE: [xacml] Groups - IPC WD-05 uploaded
The examples are a step forward, but they need to be valid per the wd-17 schema and use the proposed IPC attribute ids. One way to create valid XML is to use a schema-aware xml editor. I just updated http://wiki.oasis-open.org/xacml/RelaxNG_Schemas with the wd-17 schema for the benefit of those who use emacs nxml-mode or some other RelaxNG tool.

I’ve attached a partially-corrected version of the first policy—it is schema-valid but still has some nonstandard AttributeIds. Also attached is an html view of the policy which employs a graphical notation to show attribute constraints in target matches and conditions.

I will have more comments on the business intent of the policies, but my first impression is that they are more academic in nature than real-world. Copyrights and trademarks are by definition already protected IP, and although XACML can be used to enforce license agreements around these types of IP I do not see that as the biggest challenge in this space. The trade secret policy is meatier; I will have more comments and some alternate approaches for this.

Regards,
--Paul

From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of John Tolbert

Submitter's message
Attached HTML view of the policy (the graphical attribute-constraint notation for the target matches and the condition did not survive in this archive; only the headings and text remain):

Policy: copyright-approve, Version: 1
Description: Example access control policy for copyright material
Target: This policy applies to requests that meet the following conditions.
Rules: The rule combining algorithm is deny-overrides.
  Rule: right to use copyrighted material match
    allow if subject's association to the designated custodian of the copyright agrees
    Target: This policy applies to requests that meet the following conditions.
    Condition
Obligations:
  Obligation: urn:oasis:names:tc:ipc:1.0:obligation:encrypt, Fulfill on Permit
  Obligation: urn:oasis:names:tc:ipc:1.0:obligation:marking, Fulfill on Permit, Attribute assignments
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="copyright-approve"
        Version="1"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Description>Example access control policy for copyright material</Description>
  <!-- Policy target: applies only to resources whose IPC ip-type attribute is COPYRIGHT -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">COPYRIGHT</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:ip-type"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="false"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule RuleId="right to use copyrighted material match" Effect="Permit">
    <Description>allow if subject's association to the designated custodian of the copyright agrees</Description>
    <Target>
      <AnyOf>
        <AllOf>
          <!-- Subject-side attributes: these two AttributeIds are still nonstandard (bare names, not URNs) -->
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Wiley Corp</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                 AttributeId="Organizational-Affiliation"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="false"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CR101</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                 AttributeId="Agreement-Designator"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="false"/>
          </Match>
          <!-- Resource-side attributes use the proposed IPC profile AttributeIds -->
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CR101</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                 AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:agreement-designator"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="false"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Acme</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                 AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:ip-owner"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="false"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Wiley Corp</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                 AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:ip-designee"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <!-- Condition: the environment's current-date must lie within [effective-date, expiration-date] of the resource -->
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date"
                                 DataType="http://www.w3.org/2001/XMLSchema#date"
                                 MustBePresent="false"/>
          </Apply>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                 AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:effective-date"
                                 DataType="http://www.w3.org/2001/XMLSchema#date"
                                 MustBePresent="false"/>
          </Apply>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date"
                                 DataType="http://www.w3.org/2001/XMLSchema#date"
                                 MustBePresent="false"/>
          </Apply>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                 AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:expiration-date"
                                 DataType="http://www.w3.org/2001/XMLSchema#date"
                                 MustBePresent="false"/>
          </Apply>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <!-- Obligations returned with every Permit: encrypt the content and apply the copyright marking -->
  <ObligationExpressions>
    <ObligationExpression ObligationId="urn:oasis:names:tc:ipc:1.0:obligation:encrypt" FulfillOn="Permit"/>
    <ObligationExpression ObligationId="urn:oasis:names:tc:ipc:1.0:obligation:marking" FulfillOn="Permit">
      <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">©2011 Acme</AttributeValue>
      </AttributeAssignmentExpression>
    </ObligationExpression>
  </ObligationExpressions>
</Policy>
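As an added example (not part of Paul's mail or the attachment), a small Python lint that performs the check the mail asks for: it parses a wd-17 policy, flags AttributeDesignators whose AttributeId is not a XACML or IPC-profile URN (the "nonstandard AttributeIds" still present on the subject side), and also flags AttributeValues carrying leading or trailing whitespace, which a string-equal match would never satisfy. The embedded policy is a constructed fragment modelled on the attached one, and STANDARD_PREFIXES is an assumption about which URN prefixes count as standard.

```python
import xml.etree.ElementTree as ET

# Namespace of the wd-17 policy in this thread.
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
# Assumption: AttributeIds should come from the XACML core or the proposed
# IPC profile, all of which live under these URN prefixes.
STANDARD_PREFIXES = (
    "urn:oasis:names:tc:xacml:1.0:",
    "urn:oasis:names:tc:xacml:2.0:",
    "urn:oasis:names:tc:xacml:3.0:",
)

def lint_policy(policy_xml: str) -> list:
    """Return (kind, context, detail) findings for a XACML 3.0 policy document."""
    root = ET.fromstring(policy_xml)
    findings = []
    # 1. Bare names such as "Organizational-Affiliation" are the nonstandard
    #    AttributeIds the thread mentions; require a known URN prefix.
    for d in root.iter(f"{{{XACML_NS}}}AttributeDesignator"):
        aid = d.get("AttributeId", "")
        if not aid.startswith(STANDARD_PREFIXES):
            findings.append(("nonstandard-attribute-id", d.get("Category"), aid))
    # 2. Whitespace inside an AttributeValue is part of the literal, so a
    #    string-equal match against "COPYRIGHT " silently never matches "COPYRIGHT".
    for v in root.iter(f"{{{XACML_NS}}}AttributeValue"):
        text = v.text or ""
        if text != text.strip():
            findings.append(("whitespace-in-value", v.get("DataType"), repr(text)))
    return findings

# Constructed sample modelled on the attached copyright-approve policy.
SAMPLE_POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
  PolicyId="lint-sample" Version="1"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target><AnyOf><AllOf>
    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">COPYRIGHT </AttributeValue>
      <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
        AttributeId="urn:oasis:names:tc:xacml:3.0:profiles:ipc:ip-type"
        DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
    </Match>
    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Wiley Corp</AttributeValue>
      <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
        AttributeId="Organizational-Affiliation"
        DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
    </Match>
  </AllOf></AnyOf></Target>
</Policy>"""
```

Running lint_policy over the full attached policy reports the two subject-side AttributeIds; a clean policy returns an empty list.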