9. XACML extensibility points (non-normative)

1 3 OASIS eXtensible Access Control Markup Language (XACML) 4 Working Draft 16a, 10 September 2002 5 Document identifier: draft-xacml-specification-16.doc 6 Location: http://www.oasis-open.org/committees/xacml/docs/ 7 Send comments to: xacml-comment@lists.oasis-open.org 2 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 Editors: Simon Godik, Overxeer (simon.godik@overxeer.com) Tim Moses, Entrust (tim.moses@entrust.com) Contributors: Anne Anderson, Sun Microsystems Bill Parducci, Overxeer Carlisle Adams, Entrust Daniel Engovatov, Crosslogix Don Flinn, Hitachi Ernesto Damiani, University of Milan James MacLean, Affinitex Hal Lockhart, Entegrity Ken Yagen, Crosslogix Konstantin Besnozov, Hitachi Michiharu Kudo, IBM, Japan Pierangela Samarati, University of Milan Polar Humenn, Syracuse University Sekhar Vajjhala, Sun Microsystems Gerald Brose, Xtradyne Abstract: 28 29 30 This specification defines an XML schema for an extensible access-control policy language. Status: 31 32 This version of the specification is a working draft of the committee. As such, it is expected to change prior to adoption as an OASIS standard. 33 34 35 36 If you are on the xacml@lists.oasis-open.org list for committee members, send comments there. If you are not on that list, subscribe to the xacml-comment@lists.oasis-open.org list and send comments there. To subscribe, send an email message to xacml-commentrequest@lists.oasis-open.org with the word "subscribe" as the body of the message. draft-xacml-specification-16a.doc 37 38 Copyright (C) OASIS Open 2002. All Rights Reserved. draft-xacml-specification-16a.doc 2 39 Table of contents 40 1. Glossary (non-normative) 7 41 1.1. Preferred terms 7 42 1.2. Related terms 8 43 2. Introduction (non-normative) 8 44 2.1. Notation 8 45 2.2. Background 9 46 2.3. Requirements 9 47 2.4. Rule and policy combining 10 48 2.5. Combining algorithms 11 49 2.6. Policies based on subject and resource attributes 11 50 2.7. Policies based on resource contents 11 51 2.8. Operators 12 52 2.9. Policy distribution 12 53 2.10. Policy indexing 13 54 2.11. Abstraction layer 13 55 2.12. Actions performed in conjunction with enforcement 14 56 2.13. Schema organization and namespaces 14 57 3. Examples (non-normative) 14 58 3.1. Example one 14 59 3.2. Example two 16 60 3.2.1 Example medical record instance 17 61 3.2.2 Example request context 18 62 3.2.3 Example plain-language rules 19 63 3.2.4 Example XACML rule instances 20 64 4. Models (non-normative) 25 65 4.1. Data-flow model 25 66 4.2. XACML context 27 67 4.3. Policy language model 27 68 4.3.1 Rule 28 69 4.3.2 Policy 30 70 4.3.3 Policy set 33 71 5. Functional requirements (normative) 34 72 5.1. Policy Decision Point 34 73 5.2. Hierarchical resources 35 74 6. Policy syntax (normative, with the exception of the schema fragments) draft-xacml-specification-16a.doc 36 3 75 6.1. Element <PolicySet> 36 76 6.2. Element <Description> 37 77 6.3. Element <PolicySetDefaults> 38 78 6.4. Element <Target> 38 79 6.5. Element <Subjects> 39 80 6.6. Element <Subject> 39 81 6.7. Element <SubjectMatch> 40 82 6.8. Element <Resources> 40 83 6.9. Element <Resource> 41 84 6.10. Element <ResourceMatch> 41 85 6.11. Element <Actions> 42 86 6.12. Element <Action> 42 87 6.13. Element <ActionMatch> 42 88 6.14. Element <PolicySetIdReference> 43 89 6.15. Element <PolicyIdReference> 43 90 6.16. Element <Policy> 43 91 6.17. Element <Rule> 45 92 6.18. Simple type EffectType 45 93 6.19. Element <Condition> 46 94 6.20. Element <Apply> 46 95 6.21. Complex type AttributeDesignatorType 47 96 6.22. Element <SubjectAttributeDesignator> 47 97 6.23. Element <ResourceAttributeDesignator> 48 98 6.24. Element <ActionAttributeDesignator> 48 99 6.25. Element <EnvironmentAttributeDesignator> 48 100 6.26. Element <SubjectAttributeDesignatorWhere> 49 101 6.27. Element <AttributeSelector> 49 102 6.28. Element <AttributeValue> 50 103 6.29. Element <Obligations> 50 104 6.30. Element <Obligation> 51 105 6.31. Element <AttributeAssignment> 51 106 7. Context syntax (normative with the exception of the schema fragments) 52 107 7.1. Element <Request> 52 108 7.2. Element <Subject> 53 109 7.3. Element <Resource> 53 110 7.4. Element <ResourceContent> 54 111 7.5. Element <Action> 54 draft-xacml-specification-16a.doc 4 112 7.6. Element <Environment> 54 113 7.7. Element <Attribute> 55 114 7.8. Element <AttributeValue> 55 115 7.9. Element <Response> 55 116 7.10. Element <Result> 56 117 7.11. Element <Decision> 57 118 7.12. Element <Status> 57 119 7.13. Element <StatusCode> 57 120 7.14. Element <StatusMessage> 58 121 7.15. Element <StatusDetail> 58 122 8. 123 124 125 XACML extensibility points (non-normative) 8.1. 9. URIs 58 Security and privacy considerations (non-normative) 9.1. 58 Threat model 59 59 126 9.1.1 Unauthorized disclosure 59 127 9.1.2 Impersonation 59 128 9.1.3 Message replay 59 129 9.1.4 Message insertion 60 130 9.1.5 Message deletion 60 131 9.1.6 Message modification 60 132 9.1.7 Resource matching 60 133 9.1.8 Negative rules 61 134 9.2. Safeguards 61 135 9.2.1 Authentication 61 136 9.2.2 Confidentiality 62 137 9.2.3 Policy integrity 62 138 9.2.4 Message freshness 63 139 9.2.5 Policy identifiers 63 140 9.2.6 Trust model 63 141 9.2.7 Privacy 64 142 10. Conformance (normative) 64 143 10.1. Introduction 64 144 10.2. XACML test suite 64 145 10.3. Conformance tables 65 146 10.3.1 Schema elements 65 147 10.3.2 Algorithms 66 148 10.3.3 Identifiers 66 draft-xacml-specification-16a.doc 5 149 10.3.4 Function identifier References 67 150 11. 151 Appendix A. Function names and legal type combinations 71 152 A.1. 71 153 Appendix B. XACML identifiers (normative) 76 154 B.1. XACML namespaces 76 155 B.2. Authentication locality 76 156 B.3. Access subject categories 76 157 B.4. XACML functions 77 158 B.5. Data types 77 Functions 69 159 B.5.1. X.500 distinguished name 77 160 B.5.2. RFC822 Name 77 161 B.5.3. Unix file-system path 77 162 B.5.4. Numeric 77 163 B.6. Environment attributes 78 164 B.7. Subject attributes 78 165 B.8. Resource attributes 78 166 B.9. Status codes 79 167 B.10. Combining algorithms 79 168 B.10. Identifiers used only in XACML conformance tests 79 169 B.11. Attributes used in examples 80 170 B.12. Actions used in examples 80 171 Appendix C. Combining algorithms (normative) 81 172 C.1. Deny-overrides 81 173 C.2. Permit-overrides 83 174 C.3. First-applicable 85 175 Appendix D. Acknowledgments 87 176 Appendix E. Revision history 88 177 Appendix F. Notices 89 178 179 draft-xacml-specification-16a.doc 6 180 181 182 1. Glossary (non-normative) 1.1. Preferred terms 183 Access - Performing an action 184 Access control - Controlling access in accordance with a policy 185 Action - An operation on a resource 186 Applicable policy - The policy that governs access for a specific decision request 187 188 Attribute - Characteristic of a subject, resource, action or environment that may be referenced in a predicate or target 189 190 Authorization decision - The result of evaluating applicable policy. A function that evaluates to "permit, deny or indeterminate", and (optionally) a set of obligations 191 Condition - An expression of predicates. A function that evaluates to "True" or "False" 192 Context - The canonical representation of a decision request and an authorization decision 193 Decision request - The request by a PEP to a PDP to render an authorization decision 194 Effect - The intended consequence of a satisfied condition (either "Permit" or "Deny") 195 196 Environment - The set of attributes that are independent of a particular subject, resource or action 197 198 Obligation - An operation specified in a policy or policy set that should be performed in conjunction with the issuance of an authorization decision 199 200 Policy - A set of rules, an identifier for the rule-combining algorithm and (optionally) a set of obligations 201 Policy administration point (PAP) - The system entity that creates a policy or policy set 202 203 Policy-combining algorithm - The procedure for combining the target, obligations and conditions from multiple policies 204 205 Policy decision point (PDP) - The system entity that evaluates applicable policy and renders an authorization decision 206 207 Policy enforcement point (PEP) - The system entity that performs access control, by enforcing authorization decisions 208 Policy information point (PIP) - The system entity that acts as a source of attribute values draft-xacml-specification-16a.doc 7 209 210 Policy set - A set of policies, other policy sets, a policy-combining algorithm and (optionally) a set of obligations 211 Predicate - A statement about attributes whose truth can be evaluated 212 Resource - Data, service or system component 213 Rule - A target, an effect and a condition 214 215 Rule-combining algorithm - The procedure for combining the target, effect and conditions from multiple rules 216 Subject - An actor whose attributes may be referenced by a predicate 217 218 Target - The set of decision requests, identified by definitions for resource, subject and action, that a rule, policy or policy set is intended to evaluate 219 1.2. Related terms 220 221 In the field of access control and authorization there are several closely related terms in common use. For purposes of precision and clarity, certain of these terms are not used in this specification. 222 For instance, the term attribute is used in place of the terms: group and role. 223 224 In place of the terms: privilege, permission, authorization, entitlement and right, we use the term rule. 225 The term object is also in common use, but we use the term resource in this specification. 226 Requestors and initiators are covered by the term subject. 227 2. Introduction (non-normative) 228 2.1. Notation 229 230 This specification contains schema conforming to W3C XML Schema and normative text to describe the syntax and semantics of XML-encoded policy statements. 231 232 233 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be interpreted as described in IETF RFC 2119 rfc2119: 234 235 "they MUST only be used where it is actually required for interoperation or to limit behavior which has potential for causing harm (e.g., limiting retransmissions)" 236 237 238 239 These keywords are thus capitalized when used to unambiguously specify requirements over protocol and application features and behavior that affect the interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense. 240 241 242 Listings of XACML schemas appear like this. Example code listings appear like this. draft-xacml-specification-16a.doc 8 243 244 245 Conventional XML namespace prefixes are used throughout the listings in this specification to stand for their respective namespaces as follows, whether or not a namespace declaration is present in the example: 246  The prefix saml: stands for the SAML assertion namespace. 247  The prefix ds: stands for the W3C XML Signature namespace. 248  The prefix xs: stands for the W3C XML Schema namespace. 249 250 251 This specification uses the following typographical conventions in text: <XACMLElement>, <ns:ForeignElement>, Attribute, Datatype, OtherCode. Terms in italic bold-face are intended to have the meaning defined in the Glossary. 2.2. Background 252 253 254 255 256 257 258 The "economics of scale" have driven computing platform vendors to develop products with very generalized functionality, so that they can be used in the widest possible range of situations. "Out of the box", these products have the maximum possible privilege for accessing data and executing software, so that they can be used in as many application environments as possible, including those with the most permissive security policies. In the more common case of a relatively restrictive security policy, the platform's inherent privileges must be constrained, by configuration. 259 260 261 262 263 264 265 266 267 268 269 The security policy of a large enterprise has many elements and many points of enforcement. Elements of policy may be managed by the Information Systems department, by Human Resources, by the Legal department and by the Finance department. And the policy may be enforced by the extranet, mail, WAN and remote-access systems; platforms which inherently implement a permissive security policy. The current practice is to manage the configuration of each point of enforcement independently in order to implement the security policy as accurately as possible. Consequently, it is an expensive and unreliable proposition to modify the security policy. And, it is virtually impossible to obtain a consolidated view of the safeguards in effect throughout the enterprise to enforce the policy. At the same time, there is increasing pressure on corporate and government executives from consumers, shareholders and regulators to demonstrate "best practice" in the protection of the information assets of the enterprise and its customers. 270 271 272 273 274 275 For these reasons, there is a pressing need for a common language for expressing security policy. If implemented throughout an enterprise, a common policy language allows the enterprise to manage the enforcement of all the elements of its security policy in all the components of its information systems. Managing security policy may include some or all of the following steps: writing, reviewing, testing, approving, issuing, combining, analyzing, modifying, withdrawing, retrieving and enforcing policy. 276 277 278 XML is a natural choice as the basis for the common security-policy language, due to the ease with which its syntax and semantics can be extended to accommodate the unique requirements of this application, and the widespread support that it enjoys from all the main platform and tool vendors. 2.3. Requirements 279 280 The basic requirements of a policy language for expressing information system security policy are: 281 282  To provide a method for combining individual rules and policies into a single policy set that applies to a given action. 283 284  To provide a method for flexible definition of the procedure by which rules and policies are combined. draft-xacml-specification-16a.doc 9 285 286  To provide a method for basing an authorization decision on attributes of the subject and resource. 287 288  To provide a method for basing an authorization decision on the contents of an information resource. 289 290  To provide a set of logical and mathematical operators on attributes of the subject, resource and environment. 291 292  To provide a method for distribution of policies by means of an enterprise repository, or their attachment to the resources to which they apply. 293 294  To provide a method for rapidly identifying the policy that applies to a given action, based either on the identity or attributes of either the subject or the resource. 295 296  To provide an abstraction-layer that insulates the policy-writer from the details of the application environment. 297 298  To provide a method for specifying a set of actions that must be performed in conjunction with policy enforcement. 299 300 301 The motivation behind XACML is to express these well-established ideas in the field of accesscontrol policy using an extension language of XML. The XACML solutions for each of these requirements are discussed in the following sections. 302 2.4. Rule and policy combining 303 304 305 306 307 308 The complete policy applicable to a particular decision request may be composed of a number of individual rules or policies, specified by different policy writers. For instance, in a personal privacy application, the owner of the personal information may define certain aspects of disclosure policy, whereas the enterprise that holds the information may define certain other aspects. In order to render an authorization decision, it must be possible to combine the two separate policies to form the single policy applicable to the request. 309 310 311 312 313 314 XACML defines three top-level policy elements: <Rule>, <Policy> and <PolicySet>. The <Rule> element contains a boolean expression that can be evaluated in isolation, but that is not intended to be passed between the major actors in the XACML architectural model. So, it is not intended to form the basis of an authorization decision by itself. It is intended to exist in isolation only within an XACML PAP, where it may form the basic unit of management, and be re-used in multiple policies. 315 316 317 318 The <Policy> element contains a set of <Rule> elements and a specified procedure for combining the results of their evaluation. It is the basic unit of policy that may be exchanged between the major actors in the XACML architectural model, and so it is intended to form the basis of an authorization decision. 319 320 321 The <PolicySet> element contains a set of <Policy> or other <PolicySet> elements and a specified procedure for combining the results of their evaluation. It is the standard means for combining separate policies into a single combined policy. 322 323 Hinton et al [Hinton94] discuss the question of the compatibility of separate policies applicable to the same decision request. draft-xacml-specification-16a.doc 10 2.5. Combining algorithms 324 325 326 327 328 329 330 331 XACML defines a number of combining algorithms that can be identified by a RuleCombiningAlgId or PolicyCombiningAlgId attribute of the <Policy> or <PolicySet> elements, respectively. The rule-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluation of a set of rules. Similarly, the policy-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluation of a set of policies. Standard combining algorithms are defined for: 332  Deny-overrides, 333  Permit-overrides and 334  First applicable. 335 336 337 338 339 340 In the first case, if a single <Rule> or <Policy> element is encountered that evaluates to "Deny", then, regardless of the evaluation result of the other <Rule> or <Policy> elements in the applicable policy, the combined result is "Deny". Likewise, in the second case, if a single "Permit" result is encountered, then the combined result is "Permit". In the case of the "First applicable" combining algorithm, the combined result is the same as the result of evaluating the first rule in the list of rules whose target is applicable to the decision request. 341 342 343 344 Users of the standard may, if necessary, define their own combining algorithms. However, this approach is harmful to interoperability. User defined combining algorithms should specify how the combined result is to be derived from separate evaluation of the individual <Rule> or <Policy> elements. 345 346 347 348 349 350 351 352 353 354 355 2.6. Policies based on subject and resource attributes Another common requirement is to base an authorization decision on some characteristic of the subject other than its identity. Perhaps, the most common application of this idea is the subject's role [RBAC]. XACML provides facilities to support this approach. Attributes of subjects are identified by the <SubjectAttributeDesignator> element. This element may contain a URN that identifies the attribute, or an XPath expression over the request context to identify a particular subject attribute value by its location in the context (see section 2.11 for an explanation of context). XACML provides a standard way to reference the attributes defined in the LDAP series of specifications [LDAP]. This is intended to encourage implementers to use standard attribute identifiers for some common subject attributes. 2.7. Policies based on resource contents 356 357 358 359 360 In many applications, it is required to base an authorization decision on data contained in the information resource to which access is requested. For instance, a common component of privacy policy is that a person should be allowed to read records for which he or she is the subject. The corresponding policy must contain a reference to the subject identified in the information resource itself. 361 362 363 XACML provides facilities for doing this when the information resource can be represented as an XML document. The <AttributeSelector> element may contain an XPath expression over the request context to identify data in the information resource to be used in the policy evaluation. 364 365 In cases where the information resource is not an XML document, specified attributes of the resource can be referenced. draft-xacml-specification-16a.doc 11 366 2.8. Operators 367 368 369 370 371 372 373 374 Information security policies operate upon attributes of subjects and resources and the action to be performed on the resource in order to arrive at an authorization decision. In the process of arriving at the authorization decision, attributes of many different types may have to be compared or computed. For instance, in a financial application, a person's available credit may have to be calculated by adding their credit limit to their account balance. The result may then have to be compared with the transaction value. This sort of situation gives rise to the need for arithmetic operations on attributes of the subject (account balance and credit limit) and the resource (transaction value). 375 376 377 378 Even more commonly, a policy may identify the set of roles that are permitted to perform a particular action. The corresponding operation involves checking whether there is a non-empty intersection between the set of roles occupied by the subject and the set of roles identified in the policy. Hence the need for set operations. 379 380 381 382 383 384 385 386 XACML includes a number of built-in functions and a method of adding non-standard functions. These functions may be applied recursively to build arbitrarily complex expressions. This is achieved with the <Apply> element. The <Apply> element has an XML attribute called FunctionId that identifies the function to be applied to the contents of the element. Each standard function is defined for specific argument type combinations, and its return value is also specified. Therefore, type consistency of the policy can be checked at the time the policy is written. And, the types of the data values presented in the request context can be checked against the values expected by the policy to ensure a predictable outcome. 387 388 389 390 In addition to operators on numerical and set arguments, operators are defined for date, time and duration arguments. Date operations are notoriously difficult to standardize, due to local rules for handling weekends, statutory holidays, etc.. Therefore, the first level of XACML conformance does not require support for date operations. 391 392 Relationship operators (equality and inequality) are also defined for a number of data-types, including the RFC822 and X.500 name-forms, strings, URIs, etc.. 393 394 395 Also noteworthy are the operators over boolean data types, which permit the logical combination of predicates in a rule. For example, a rule may contain the statement that access may be permitted during business hours AND from a terminal on business premises. 396 The XACML method of representing functions borrows heavily from MathML [MathML]. 397 2.9. Policy distribution 398 399 400 401 402 403 404 In a distributed system, individual policy statements may be written by several policy writers and enforced at several enforcement points. In addition to facilitating the collection and combination of independent policy components, this approach allows policies to be updated as required. XACML policy statements may be distributed in any one of a number of ways. But, XACML does not describe any normative way to do this. Regardless of the means of distribution, PDPs are expected to confirm, by examining the policy's <Target> element that the policy is applicable to the decision request that it is processing. 405 406 407 408 <Policy> elements may be attached to the information resources to which they apply, as described by Perritt [Perritt93]. Alternatively, <Policy> elements may be maintained in a central location from which they are retrieved for evaluation. In such cases, the applicable policy may be referenced by an identifier or locator closely associated with the information resource. draft-xacml-specification-16a.doc 12 409 2.10. Policy indexing 410 411 412 413 414 For efficiency of evaluation and ease of management, the overall security policy in force across an enterprise may be expressed as multiple independent policy components. In this case, it is necessary to identify and retrieve the applicable policy statement and verify that it is the correct one for the requested action before evaluating it. This is the purpose of the <Target> element in XACML. 415 Two approaches are supported: 416 417 418 419 420 1. Policy statements may be stored in a database, whose data-model is congruent with that of the <Target> element. The PDP should use the contents of the decision request that it is processing to form the database read command by which the applicable policy statement is retrieved. Nevertheless, the PDP should still evaluate the <Target> element of the policy statement returned as a result of the read command as defined by the XACML specification. 421 422 423 2. Alternatively, the PDP may evaluate the <Target> element from each of the policies that it has available to it, in the context of a particular decision request, in order to identify the single policy that is applicable to that request. 424 425 In either case, it is the policy writer's responsibility to ensure that only one policy statement applies to a particular decision request. 426 The use of constraints limiting the applicability of a policy were described by Sloman [Sloman94]. 427 2.11. Abstraction layer 428 429 430 431 432 433 434 435 PEPs come in many forms. For instance, a PEP may be part of a remote-access gateway, part of a Web server or part of an email user-agent, etc.. It is unrealistic to expect that all PEPs in an enterprise do currently, or will in the future, issue decision requests to a PDP in a common format. Nevertheless, a particular policy may have to be enforced by multiple PEPs. It would be inefficient to force a policy writer to write the same policy several different ways in order to accommodate the format requirements of each PEP. Therefore, there is a need for a canonical form of the request and response handled by an XACML PDP. This canonical form is called the XACML "Context". Its syntax is defined in XML schema. 436 437 438 439 Naturally, XACML-conformant PEPs may issue requests and receive responses in the form of an XACML context. But, where this situation does not exist, an intermediate step is required to convert between the request/response format understood by the PEP and the XACML context format understood by the PDP. 440 441 The benefit of this approach is that policies may be written and analyzed independent of the specific environment in which they are to be enforced. 442 443 444 In the case where the native request/response format is specified in XML Schema (e.g. a SAMLconformant PEP), the transformation between the native format and the XACML context may be specified in the form of an Extensible Stylesheet Language Transformation [XSLT]. 445 446 447 448 Similarly, in the case where the resource to which access is requested is an XML document, the resource itself may be included in, or referenced by, the request context. Then, through the use of XPath expressions [XPath] in the policy, values in the resource may be included in the policy evaluation. draft-xacml-specification-16a.doc 13 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 2.12. Actions performed in conjunction with enforcement In many applications, policies specify actions that MUST be performed, either instead of, or in addition to, actions that MAY be performed. This idea was described by Sloman [Sloman94]. XACML provides facilities to specify actions that MUST be performed in conjunction with policy evaluation in the <Obligations> element. There are no standard definitions for these actions in version 1.0 of XACML. Therefore, bilateral agreement between a PAP and the PEP that will enforce its policies is required for correct interpretation. PEPs that conform with v1.0 of XACML are required to deny access unless they understand all the <Obligations> elements associated with the applicable policy. <Obligations> elements are returned to the PEP for enforcement. 2.13. Schema organization and namespaces The XACML policy syntax is defined in a schema associated with the following XML namespace: urn:oasis:names:tc:xacml:1.0:policy The XACML context syntax is defined in a schema associated with the following XML namespace: urn:oasis:names:tc:xacml:1.0:context XACML functions have the following namespace prefix. 464 urn:oasis:names:tc:xacml:1.0:function 465 466 Note: The XACML namespace names are temporary and may change when XACML 1.0 is finalized. 467 468 469 The XML Signature XMLSigXSD is imported into the XACML schema and is associated with the following XML namespace: http://www.w3.org/2000/09/xmldsig# 470 3. Examples (non-normative) 471 472 473 474 This section contains two examples of the use of XACML for illustrative purposes. The first example is a relatively simple one to illustrate the function of target, context, matching functions and subject attributes. The second example additionally illustrates the use of the rule-combining algorithm and obligations. 475 3.1. Example one 476 477 Assume that a corporation named Medi Corp (medico.com) has an access control policy that states, in English: 478 479 Any user with an e-mail name in the "medico.com" namespace is allowed to perform any action on any resource. 480 In XACML, this policy is expressed as follows: 481 482 483 484 485 <?xml version=1.0" encoding="UTF-8"?> <Policy xmlns="urn:oasis:names:tc:xacml:1.0:context" xmlns:function="urn:oasis:names:tc:xacml:1.0:function" xmlns:identifier="urn:oasis:names:tc:xacml:1.0" draft-xacml-specification-16a.doc 14 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-policy01.xsd" PolicyId="identifier:example:SimplePolicy1" RuleCombiningAlgId="identifier:rule-combining-algorithm:denyoverrides"> <Description> Medi Corp access control policy </Description> <Target> <Subjects> <AnySubject/> </Subjects> <Resources> <AnyResource/> </Resources> <Actions> <AnyAction/> </Actions> </Target> <Rule RuleId="identifier:example:SimpleRule1" Effect="Permit"> <Description> Any subject with an e-mail name in the medico.com domain can perform any action on any resource. </Description> <Target> <Subjects> <Subject> <SubjectMatch MatchId="function:rfc822name-match"> <SubjectAttributeDesignator AttributeId="identifier:subject:subject-id" DataType="identifier:datatype:rfc822name"/> <AttributeValue DataType="identifier:datatype:rfc822name"> *@medico.com </AttributeValue> </SubjectMatch> </Subject> </Subjects> <Resources> <AnyResource/> </Resources> <Actions> <AnyAction/> </Actions> </Target> </Rule> </xacml:Policy> If Bart Simpson, with e-mail name "bs@simpsons.com", attempts to read his medical record at Medi Corp, the corresponding request context looks as follows: <?xml version="1.0" encoding="UTF-8"?> <Request xmlns="urn:oasis:names:tc:xacml:1.0:context" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context http://www.oasis-open.org/tc/xacml/1.0/sc-xacml-schema-context01.xsd"> <Subject> draft-xacml-specification-16a.doc 15 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="identifier:rfc822name"> <AttributeValue> bs@simpsons.com </AttributeValue> </Attribute> </Subject> <Resource> <Attribute AttributeId="identifier:resource:resource-uri" DataType="xs:anyURI"> <AttributeValue> http://medico.com/record/patient/BartSimpson </AttributeValue> </Attribute> </Resource> <Action> <Attribute AttributeId="identifier:example:action" DataType="xs:string"> <AttributeValue> read </AttributeValue> </Attribute> </Action> </Request> 574 575 576 577 The PDP processing this request context locates the policy in its policy repository. It compares the subject, resource and action in the request context with the subjects, resources and actions in the policy target. Since the policy target matches the <AnySubject/>, <AnyResource/> and <AnyAction/> elements, the policy mathces this context. 578 579 580 581 The PDP now compares the subject, resource and action in the request context with the target of the one rule in this policy. The requested resource matches the <AnyResource/> element and the requested action matches the <AnyAction/> element, but the requesting subject-id attribute does not match "*@medico.com". 582 583 584 As a result, there is no rule in this policy that returns a "Permit" result for this request. The rulecombining algorithm for the policy specifies that, in this case, a result of "Deny" should be returned. The response context looks as follows: 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 <?xml version="1.0" encoding="UTF-8"?> <Response xmlns="urn:oasis:names:tc:xacml:1.0:context" xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context http://www.oasis-open.org/tc/xacml/1.0/sc-xacml-schemacontext-01.xsd"> <Result> <Decision> Deny </Decision> </Result> </Response> 3.2. Example two This section contains an example XML document, an example request context and example XACML rules. The XML document is a medical record. Four separate rules are defined. These illustrate rule-combining and obligations. draft-xacml-specification-16a.doc 16 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 3.2.1 Example medical record instance Following is an instance of a medical record to which the example XACML rules can be applied. The <record> schema is defined in the registered namespace administered by "//medico.com". <?xml version="1.0" encoding="UTF-8"?> <record xmlns="medico.com/records.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="medico.com/records.xsd http://www.medico.com/schema/record.xsd"> <patient> <patientName> <first>Bartholomew</first> <last>Simpson</last> </patientName> <patientContact> <street>27 Shelbyville Road</street> <city>Springfield</city> <state>MA</state> <zip>12345</zip> <phone>555.123.4567</phone> <fax/> <email/> </patientContact> <patientDoB xsi:type="date">1992-03-21</patientDoB> <patientGender xsi:type="string">male</patientGender> <policyNumber xsi:type="string">555555</policyNumber> </patient> <parentGuardian> <parentGuardianName> <first>Homer</first> <last>Simpson</last> </parentGuardianName> <parentGuardianContact> <street>27 Shelbyville Road</street> <city>Springfield</city> <state>MA</state> <zip>12345</zip> <phone>555.123.4567</phone> <fax/> <email>homers@aol.com</email> </parentGuardianContact> </parentGuardian> <primaryCarePhysician> <physicianName> <first>Julius</first> <last>Hibbert</last> </physicianName> <physicianContact> <street>1 First St</street> <city>Springfield</city> <state>MA</state> <zip>12345</zip> <phone>555.123.9012</phone> <fax>555.123.9013</fax> <email/> </physicianContact> <registrationID>ABC123</registrationID> </primaryCarePhysician> <insurer> <name>Blue Cross</name> <street>1234 Main St</street> <city>Springfield</city> draft-xacml-specification-16a.doc 17 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 <state>MA</state> <zip>12345</zip> <phone>555.123.5678</phone> <fax>555.123.5679</fax> <email/> </insurer> <medical> <treatment> <drug> <name>methylphenidate hydrochloride</name> <dailyDosage>30mgs</dailyDosage> <startDate>1999-01-12</startDate> </drug> <comment>patient exhibits side-effects of skin coloration and carpal degeneration</comment> </treatment> <result> <test>blood pressure</test> <value>120/80</value> <date>2001-06-09</date> <performedBy>Nurse Betty</performedBy> </result> </medical> </record> 686 3.2.2 Example request context 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 The following example illustrates a request context to which the example rules are intended to be applicable. It represents a request by the physician Julius Hibbert to read the patient date of birth in the record of Bartholomew Simpson. <?xml version="1.0" encoding="UTF-8"?> <Request xmlns="urn:oasis:names:tc:xacml:0.16f:context" xmlns:identifier="urn:oasis:names:tc:xacml:identifier" xmlns:xacml="urn:oasis:names:tc:xacml:0.16f:policy" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:0.16f:context draftxacml-schema-context-16f.xsd"> <Subject> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-category" Issuer="www.medco.com" IssueInstant="2001-12-17T09:30:47-05:00"> <AttributeValue>urn:oasis:names:tc:xacml:1.0:subjectcategory:acces s-subject</AttributeValue> </Attribute> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Issuer="www.medco.com" IssueInstant="2001-12-17T09:30:47-05:00"> <AttributeValue>Julius Hibbert</AttributeValue> </Attribute> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:name-format" Issuer="www.medco.com" IssueInstant="2001-12-17T09:30:47-05:00"> <AttributeValue>urn:oasis:names:tc:xacml:1.0:datatype:x500name</At tributeValue> </Attribute> draft-xacml-specification-16a.doc 18 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:example:attribute:role" Issuer="www.medco.com" IssueInstant="2001-12-17T09:30:47-05:00"> <AttributeValue>physician</AttributeValue> </Attribute> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:example:attribute:physicia n-id" Issuer="www.medco.com" IssueInstant="2001-12-17T09:30:47-05:00"> <AttributeValue>jh1234</AttributeValue> </Attribute> </Subject> <Resource> <ResourceContent> <md:record xmlns:md="http:www.medco.com/shemas/record.xsd"> <md:patient> <md:patientDoB>1992-03-21</md:patientDoB> </md:patient>  </md:record> </ResourceContent> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-uri"> <AttributeValue> //medco.com/records/bart-simpson.xml# xmlns(md=http:www.medico.com/schemas/record.xsd)xpointer(/md:recor d/md:patient/md:patientDoB) </AttributeValue> </Attribute> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:xpath"> <AttributeValue> xmlns(md=http:www.medico.com/schemas/record.xsd)xpointer(/md:recor d/md:patient/md:patientDoB) </AttributeValue> </Attribute> </Resource> <Action> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action"> <AttributeValue>read</AttributeValue> </Attribute> </Action> </Request> 764 3.2.3 Example plain-language rules 765 The following plain-language rules are to be enforced: 766 1. A person may read any record for which he or she is the designated patient. 767 768 2. A person may read any record for which he or she is the designated parent or guardian, and for which the patient is under 16 years of age. 769 770 3. A physician may write any medical element for which he or she is the designated primary care physician, provided an email is sent to the patient. 771 4. An administrator shall not be permitted to read or write medical elements of a patient record. 772 These rules may be written by different PAPs, operating independently, or by a single PAP. draft-xacml-specification-16a.doc 19 773 774 3.2.4 Example XACML rule instances 3.2.4.1 Rule 1 775 776 Rule 1 illustrates a simple rule with a single <Condition> element. The following XACML <Rule> instance expresses Rule 1. 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 <?xml version="1.0" encoding="UTF-8"?> <Rule xmlns="urn:oasis:names:tc:xacml:0.16f:policy" xmlns:function="urn:oasis:names:tc:xacml:0.16f:function" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:0.16f:policy draftxacml-schema-policy-16f.xsd" xmlns:ctx="urn:oasis:names:tc:xacml:0.16f:context" xmlns:md="http:www.medco.com/schemas/record.xsd" RuleId="urn:oasis:names:tc:xacml:examples:ruleid:1" Effect="Permit"> <Description> A person may read any record defined by the http://www.medco.com/scheams/record.xsd namespace for which he or she is a designated patient </Description> <Target> <Subjects> <AnySubject/> </Subjects> <Resources> <Resource> <ResourceMatch MatchId="function:string-match"> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:resource:target-namespace" DataType="xsi:string"/> <AttributeValue DataType="xsi:string">http://www.medco.com/schemas/record.xsd</Attri buteValue> </ResourceMatch> <ResourceMatch MatchId="function:node-match"> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:resource:xpath" DataType="xsi:string"/> <AttributeValue DataType="xsi:string">/md:record</AttributeValue> </ResourceMatch> </Resource> </Resources> <Actions> <Action> <ActionMatch MatchId="function:string-equal"> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:action" DataType="xsi:string"/> <AttributeValue DataType="xsi:string">read</AttributeValue> </ActionMatch> </Action> </Actions> </Target> <Condition FunctionId="function:string-equal"> <SubjectAttributeDesignatorWhere AttributeId="urn:oasis:names:tc:xacml:examples:attribute:policynumber" DataType="xsi:string"/> draft-xacml-specification-16a.doc 20 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 <AttributeSelector RequestContextPath= "/ctx:Request/ctx:Resource/ctx:ResourceContent/md:record/md:patien t/md:policyNumber" DataType="xsi:string"/> </Condition> </Rule> 3.2.4.2 Rule 2 Rule 2 illustrates the use of a mathematical function, i.e. the <Apply> element with functionId value of "function:date-subtract" to calculate age. It also illustrates the use of predicate expressions, with the functionId value of "function:and". <?xml version="1.0" encoding="UTF-8"?> <Rule xmlns="urn:oasis:names:tc:xacml:0.16f:policy" xmlns:function="urn:oasis:names:tc:xacml:0.16f:function" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:0.16f:policy draft-xacml-schema-policy-16f.xsd" xmlns:ctx="urn:oasis:names:tc:xacml:0.16f:context" xmlns:md="http:www.medco.com/schemas/record.xsd" RuleId="urn:oasis:names:tc:xacml:examples:ruleid:2" Effect="Permit"> <Description> A person may read any medical record defined by the http://www.medco.com/records.xsd namespace for which he or she is the designated patient or guardian, and for which the patient is under 16 years of age </Description> <Target> <Subjects> <AnySubject/> </Subjects> <Resources> <Resource> <ResourceMatch MatchId="function:string-match"> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:resource:target-namespace" DataType="xsi:string"/> <AttributeValue DataType="xsi:string">http://www.medco.com/schemas/record.xsd</Attri buteValue> </ResourceMatch> <ResourceMatch MatchId="function:node-match"> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:resource:xpath" DataType="xsi:string"/> <AttributeValue DataType="xsi:string">/md:record</AttributeValue> </ResourceMatch> </Resource> </Resources> <Actions> <Action> <ActionMatch MatchId="function:string-equal"> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:action" DataType="xsi:string"/> <AttributeValue DataType="xsi:string">read</AttributeValue> </ActionMatch> </Action> draft-xacml-specification-16a.doc 21 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 </Actions> </Target> <Condition FunctionId="function:and"> <Apply FunctionId="function:string-equal"> <SubjectAttributeDesignatorWhere AttributeId="urn:oasis:names:tc:xacml:examples:attribute:parentguardian-id" DataType="xs:string"/> <AttributeSelector RequestContextPath= "/ctx:Request//ctx:ResourceContent/md:record/md:parentGuardian/md: parentGuardianId" DataType="xs:string"/> </Apply> <Apply FunctionId="function:dayTimeDuration-greater-than"> <Apply FunctionId="function:date-substract"> <EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:env:date" DataType="xs:date"/> <AttributeSelector RequestContextPath= "/ctx:Request//ctx:ResourceContent/md:patient/md:patientDoB" DataType="xs:date"/> </Apply> <AttributeValue DataType="xs:dateTimeDuration">16-00</AttributeValue> </Apply> </Condition> </Rule> 3.2.4.3 Rule 3 Rule 3 illustrates the use of an obligation. The XACML <Rule> element syntax does not include an element suitable for carrying an obligation, therefore Rule 3 has to be formatted as a <Policy> element. <?xml version="1.0" encoding="UTF-8"?> <Policy xmlns="urn:oasis:names:tc:xacml:0.16f:policy" xmlns:function="urn:oasis:names:tc:xacml:0.16f:function" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:0.16f:policy draftxacml-schema-policy-16f.xsd" xmlns:ctx="urn:oasis:names:tc:xacml:0.16f:context" xmlns:md="http:www.medco.com/schemas/record.xsd" PolicyId="urn:oasis:names:tc:xacml:examples:policyid:3" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combiningalgorithm:deny-overrides"> <Description> Policy for any medical record defined by the http://www.medco.com/schemas/record.xsd namespace </Description> <Target> <Subjects> <AnySubject/> </Subjects> <Resources> <Resource> <ResourceMatch MatchId="function:string-match"> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:resource:target-namespace" DataType="xsi:string"/> draft-xacml-specification-16a.doc 22 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 <AttributeValue DataType="xsi:string">http://www.medco.com/schemas/record.xsd</Attri buteValue> </ResourceMatch> </Resource> </Resources> <Actions> <AnyAction/> </Actions> </Target> <Rule RuleId="urn:oasis:names:tc:xacml:examples:ruleid:3" Effect="Permit"> <Description> A physician may write any medical element is a record for which he or she is the designated primary care physician, provided an email is sent to the patient </Description> <Target> <Subjects> <Subject> <SubjectMatch MatchId="function:string-match"> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:examples:attribute:group" DataType="xsi:string"/> <AttributeValue DataType="xs:string">physician</AttributeValue> </SubjectMatch> </Subject> </Subjects> <Resources> <Resource> <ResourceMatch MatchId="function:node-match"> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:resource:xpath" DataType="xsi:string"/> <AttributeValue DataType="xsi:string">/md:record/md:medical</AttributeValue> </ResourceMatch> </Resource> </Resources> <Actions> <Action> <ActionMatch MatchId="function:string-equal"> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:action" DataType="xsi:string"/> <AttributeValue DataType="xsi:string">write</AttributeValue> </ActionMatch> </Action> </Actions> </Target> <Condition FunctionId="function:string-equal"> <SubjectAttributeDesignatorWhere AttributeId="urn:oasis:names:tc:xacml:examples:attribute:physician -id" DataType="xsi:string"/> <AttributeSelector RequestContextPath= "/ctx:Request/ctx:Resource/ctx:ResourceContent/md:record/md:primar yCarePhysician/md:physicianId" DataType="xsi:string"/> </Condition> draft-xacml-specification-16a.doc 23 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 </Rule> <Obligations> <Obligation ObligationId="urn:oasis:names:tc:xacml:examples:obligation:email" FulfilOn="Permit"> <AttributeAssignment AttributeId="urn:oasis:names:tc:xacml:examples:attribute:mailto" DataType="xs:string"> <AttributeSelector RequestContextPath= "/ctx:Request//ctx:ResourceContent/md:/record/md:patient/md:patien tContact/md:email" DataType="xs:string"/> </AttributeAssignment> <AttributeAssignment AttributeId="urn:oasis:names:tc:xacml:examples:attribute:text" DataType="xs:string"> <AttributeValue DataType="xs:string">Your medical record has been accessed by:</AttributeValue> </AttributeAssignment> <AttributeAssignment AttributeId="urn:oasis:names:tc:xacml:examples:attribute:text" DataType="xs:string"> <SubjectAttributeDesignator AttributeId="urn:osasis:names:tc:xacml:subject:subject-id" DataType="xs:string"/> </AttributeAssignment> </Obligation> </Obligations> </Policy> 3.2.4.4 Rule 4 Rule 4 illustrates the use of the "Deny" effect value, and a <Rule> with no <Condition> element. <?xml version="1.0" encoding="UTF-8"?> <Rule xmlns="urn:oasis:names:tc:xacml:0.16f:policy" xmlns:function="urn:oasis:names:tc:xacml:0.16f:function" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:0.16f:policy draft-xacml-schema-policy-16f.xsd" xmlns:ctx="urn:oasis:names:tc:xacml:0.16f:context" xmlns:md="http:www.medco.com/schemas/record.xsd" RuleId="urn:oasis:names:tc:xacml:example:ruleid:4" Effect="Deny"> <Description> An Administrator shall not be permitted to read or write medical elements of a patient record defined by the http://www.medico.com/records.xsd namespace. </Description> <Target> <Subjects> <Subject> <SubjectMatch MatchId="function:string-equal"> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:example:attribute:role" DataType="xs:string"/> <AttributeValue DataType="xs:string">administrator</AttributeValue> </SubjectMatch> </Subject> </Subjects> draft-xacml-specification-16a.doc 24 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 <Resources> <Resource> <ResourceMatch MatchId="function:string-match"> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:resource:target-namespace" DataType="xsi:string"/> <AttributeValue DataType="xsi:string">http://www.medco.com/schemas/record.xsd</Attri buteValue> </ResourceMatch> <ResourceMatch MatchId="function:node-match"> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:resource:xpath" DataType="xsi:string"/> <AttributeValue DataType="xsi:string">/md:record/md:medical</AttributeValue> </ResourceMatch> </Resource> </Resources> <Actions> <Action> <ActionMatch MatchId="function:string-equal"> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:action" DataType="xsi:string"/> <AttributeValue DataType="xsi:string">read</AttributeValue> </ActionMatch> </Action> <Action> <ActionMatch MatchId="function:string-equal"> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:action" DataType="xsi:string"/> <AttributeValue DataType="xsi:string">write</AttributeValue> </ActionMatch> </Action> </Actions> </Target> </Rule> 1111 4. Models (non-normative) 1112 The domain model and language model of XACML are described in the following sub-sections. 1113 1114 4.1. Data-flow model The major actors in the XACML domain are shown in the data-flow diagram of Figure 1. draft-xacml-specification-16a.doc 25 access requester PEP 2. access request 11. obligations obligations service 7. resource resource 3. request 10. response PDP 8. request context 9. response context context handler 4. attribute 6. attribute query PIP 1. policy 5c. resource attributes 5b. envrionment attributes 5a. subject attributes PAP subjects environment 1115 1116 Figure 1 - Data-flow diagram 1117 1118 1119 1120 1121 Note: some of the data-flows shown in the diagram may be facilitated by a repository. For instance, the communications between the context handler and the PIP or the communications between the PDP and the PAP may be facilitated by a repository. The XACML specification is not intended to place restrictions on the location of any such repository, or indeed to prescribe a particular communication protocol for any of the data-flows. 1122 The model operates by the following steps. 1123 1124 1. PAPs write policies and make them available to the PDP. Its policies represent the complete policy for a particular target. 1125 2. The access requester sends a request for access to the PEP. 1126 1127 3. The PEP sends the request for access to the context handler in its native request format. The context handler constructs a request context in accordance with steps 4,5,6 and 7. 1128 4. Subject, resource and environment attributes are requested from a PIP. 1129 5. The PIP obtains the requested attributes. 1130 6. The PIP returns the requested attributes to the context handler. 1131 7. Optionally, the context handler includes the resource in the context. draft-xacml-specification-16a.doc 26 1132 1133 8. The context handler sends the request context to the PDP. The PDP identifies the policy applicable to the request context. The PDP evaluates the policy. 1134 9. The PDP returns the response context to the context handler. 1135 1136 10. The context handler translates the response context to the native response format of the PEP. The context handler returns the response to the PEP. 1137 11. The PEP fulfills the obligations. 1138 12. If access is permitted, then PEP permits access to the resource. 4.2. XACML context 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 XACML is designed to be applicable to a variety of application environments. The core language is insulated from the application environment by the XACML context, as shown in Figure 2, in which the scope of the XACML specification is indicated by the shaded area. The XACML context is defined in XML schema, describing a canonical representation for the inputs and outputs of the PDP. Attributes referenced by an instance of XACML may be in the form of XPath expressions on the context. Implementations must convert between the attribute representations in the application environment (e.g., SAML, J2SE, CORBA, and so on) and the attribute representations in the XACML context. How this is achieved is outside the scope of the XACML specification. In some cases, such as SAML, this conversion may be accomplished in an automated way through the use of an XSLT transformation. xacml.xml domain-specific inputs xacmlContext/ request.xml PDP xacmlContext/ response.xml domain-specific outputs 1150 1151 Figure 2 - XACML context 4.3. Policy language model 1152 1153 The policy language model is shown in Figure 3. The main components of the model are: 1154  Rule; 1155  Policy; and 1156  Policy set. 1157 These are described in the following sub-sections. draft-xacml-specification-16a.doc 27 1 PolicySet 1 1 0..* 1 1 Policy Combining Alogorithm 1 1 0..* 0..* 0..1 1 Target Policy Obligations 0..1 1 1 1..* 1 1 1 1..* 1..* Subject 0..1 Resource 1 Rule Combining Algorithm Action 1 0..* 1 Rule Condition 1 0..1 1 1 Effect 1158 Figure 3 - Policy language model 1159 4.3.1 Rule 1160 1161 The main components of a rule are: 1162  a target; 1163  an effect; and 1164  a condition. draft-xacml-specification-16a.doc 28 1165 These are discussed in the following sub-sections. 4.3.1.1 1166 Rule target 1167 The target defines the set of: 1168  resources; 1169  subjects; and 1170  actions 1171 1172 1173 1174 1175 to which the rule is intended to apply. If the rule is intended to apply to all entities of a particular type, then an empty element named <AnySubject/>, <AnyResource/> or <AnyAction/> is used. An XACML PDP verifies that the resources, subjects and actions identified in the request context are all present in the target of the rules that it uses to evaluate the decision request. Target definitions are discrete, in order that they may be indexed by the PDP. 1176 1177 The <Target> element may be absent from a <Rule>. In this case, the <Rule> inherits its target from the parent <Policy> element. 1178 1179 1180 1181 1182 1183 1184 1185 1186 4.3.1.2 Effect The effect of the rule indicates the rule-writer's intended consequence of a "True" evaluation for the rule. Two values are allowed: "Permit" and "Deny". 4.3.1.3 Condition Condition is a general expression of predicates of attributes. It should not duplicate the exact predicates implied by the target. Therefore, it may be absent. 4.3.1.4 Rule evaluation A rule has a value that can be calculated by evaluating its contents. Rule evaluation involves separate evaluation of the rule's target and condition. The rule truth table is shown in Table 1. Target Condition Rule Match True Effect Match False Not applicable Match Indeterminate Indeterminate No-match True Not applicable No-match False Not applicable No-match Indeterminate Not applicable 1187 Table 1 - Rule truth table 1188 1189 The target value is "Match" if the resource, subject and action specified in the request context are all present in the target defined in the rule. Otherwise, its value is "No-match". 1190 1191 The condition value is "True" if the <Condition> element is absent, or if it evaluates to "True" for the attribute values supplied in the request context. Its value is "False" if the <Condition> draft-xacml-specification-16a.doc 29 1192 1193 1194 element evaluates to "False" for the attribute values supplied in the request context. If any attribute value referenced in the condition cannot be obtained, then the condition evaluates to "Indeterminate". 4.3.2 Policy 1195 1196 1197 From the data-flow model one can see that rules are not exchanged amongst system entities. Therefore, a PAP combines rules in a policy. A policy comprises four main components: 1198  a target; 1199  a rule-combining algorithm-identifier; 1200  a set of rules; and 1201  obligations. 1202 1203 Rules are described above. The remaining components are described in the following subsections. 4.3.2.1 1204 Policy target 1205 1206 1207 The target of a policy must include all the decision requests that the policy is intended to evaluate. The target may be declared by the writer of the policy, or computed from the targets of its component rules. 1208 1209 If the target of the policy is computed from the targets of the component rules, two approaches are permitted: 1210 1211  the target of the policy may be the union of the target definitions for resource, subject and action that are contained in the component rules; or 1212 1213  the target of the policy may be the intersection of the target definitions for resource, subject and action that are contained in the component rules. 1214 1215 1216 1217 In the case where the policy target is computed as the union of the targets of the individual rules, the target may be omitted from the individual rules, and the targets from the component rules must be included in the form of conditions in their respective rules. As an example, the following rule target and condition may be merged in a single condition. 1218 Target 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 <Target> <Subjects MatchId="function:rfc822Name-equal" DataType="xs:boolean"> <AttributeDesignator Designator="//xacmlContext/Request/Subject/Attribute[@DataType='iden tifier:rfc822Name']" DataType="identifier:rfc822Name"/> <Attribute DataType="identifier:rfc822Name">@</Attribute> </Subjects> <Resources MatchId="function:string-match" DataType="xs:boolean"> <AttributeDesignator Designator="//xacmlContext/Request/Resource/@ResourceURI" DataType="xs:anyURI"/> <Attribute DataType="xs:anyURI">//medico.com/record.*</Attribute> </Resources> <Actions MatchId="function:subset" DataType="xs:boolean"> draft-xacml-specification-16a.doc 30 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 <AttributeDesignator Designator="//xacmlContext/Action[@Namespace=]" DataType="xs:string"/> <Attribute DataType="xs:string">read</Attribute> </Actions> </Target> Condition <Condition FunctionId="function:string-equal" DataType="xs:boolean"> <AttributeDesignator Designator="//xacmlContext/Request/Subject/Attribute[@DataType='iden tifier:patientName']" DataType="xs:string"/> <AttributeDesignator Designator="//xacmlContext/Request/Resource/patientName" DataType="xs:string"/> </Condition> merged Condition. 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 <Condition FunctionId="function:and" DataType="xs:boolean"> <Function FunctionId="function:string-match" DataType="xs:boolean"> <AttributeDesignator Designator="//xacmlContext/Request/Resource/@ResourceURI" DataType="xs:anyURI"/> <Attribute DataType="xs:anyURI">//medico.com/record.*</Attribute> </Function> <Function FunctionId="function:subset" DataType="xs:boolean"> <AttributeDesignator Designator="//xacmlContext/Action[@Namespace=]" DataType="xs:string"/> <Attribute DataType="xs:string">read</Attribute> </Function> <Function FunctionId="function:string-equal" DataType="xs:boolean"> <AttributeDesignator Designator="//xacmlContext/Request/Subject/Attribute[@DataType='iden tifier:patientName']" DataType="xs:string"/> <AttributeDesignator Designator="//xacmlContext/Request/Resource/patientName" DataType="xs:string"/> </Function> </Condition> 1276 1277 In the case where the policy target is computed as the intersection of the targets of the individual rules, the targets may be omitted from the individual rules. 1278 1279 In the case that a rule target is present, the rule is evaluated according to the truth table of Table 1. 1280 4.3.2.2 Rule-combining algorithm 1281 1282 The rule-combining algorithm specifies the procedure by which the results of evaluating the component rules are combined, when evaluating the policy. 1283 1284 1285 The result of evaluating the policy is defined by the rule-combining algorithm. In the case that the PDP uses a policy to determine its response to a decision request, the Decision value is the value of the policy, as defined by the rule-combining algorithm. 1286 See Appendix C for an example of a rule-combining algorithm. draft-xacml-specification-16a.doc 31 4.3.2.3 1287 Obligations 1288 1289 The XACML <Rule> syntax does not contain an element suitable for carrying obligations, therefore, if required in a policy, obligations must be added by the writer of the policy. 1290 1291 1292 When a PDP evaluates a policy containing obligations, it returns certain of those obligations to the PEP in its response context. The obligations that it returns to the PEP are those whose xacml:FulfilOn attributes have the same value as the result of evaluating the policy. 4.3.2.4 1293 Example policy 1294 1295 1296 This section uses the example of Section 3 to illustrate the process of combining rules. The policy governing read access to medical elements of a record is formed from each of the four rules described in Section 3.2.4. In plain language, the combined rule is: 1297  Either the requestor is the patient; or 1298  the requestor is the parent or guardian and the patient is under 16; or 1299  the requestor is the primary care physician and a notification is sent to the patient; and 1300  the requestor is not an administrator. 1301 1302 The following XACML <Policy> illustrates the combined rules. Rules 1 and 4 are included by reference, rule 2 is included as a digest and rule 3 is explicitly included. 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 <?xml version="1.0" encoding="UTF-8"?> <saml:Assertion MajorVersion="0" MinorVersion="28" AssertionID="A7F34K90" Issuer="medico.com" IssueInstant="2002-0322T08:23:47-05:00"> <PolicyStatement PolicyId="//medico.com/rules/policy5" RuleCombiningAlgId="urn:oasis:names:tc:XACML:identifier:ruleCombinin gAlgorithms:denyOverrides" xmlns="urn:oasis:names:tc:xacml:0.15i:policy" xmlns:function="urn:oasis:names:tc:xacml:0.15i:function" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:0.15i:policy D:\MYDOCU~1\Standards\XACML\v15\draft-xacml-schema-policy-15i.xsd"> <Target> <Subjects MatchId="function:superset" DataType="xs:boolean"> <AttributeDesignator Designator="//xacmlContext/Request/Subject/Attribute[@DataType='iden tifier:role']" DataType="xs:string"/> <Attribute DataType="xs:string"></Attribute> </Subjects> <Resources MatchId="function:anyURI-equal" DataType="xs:boolean"> <AttributeDesignator Designator="//xacmlContext/Request/Resource/@ResourceURI" DataType="xs:anyURI"/> <Attribute DataType="xs:anyURI">//medico.com/record/medical.*</Attribute> </Resources> <Actions MatchId="function:subset" DataType="xs:boolean"> <AttributeDesignator Designator="//xacmlContext/Action[@Namespace=]" DataType="xs:string"/> <Attribute DataType="xs:string">read</Attribute> </Actions> </Target> draft-xacml-specification-16a.doc 32 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 <RuleSet> <RuleDesignator> <RuleId>//medico.com/rules/rule1</RuleId> </RuleDesignator> <RuleDesignator> <RuleDigest Base64Digest="H7jiE0+jwkn63k/JhB3+D9aI4V3J9z/o0"/> </RuleDesignator> <Rule RuleId="//medico.com/rules/rule3" Effect="Permit"> <Description>A physician may write any medical element for which he or she is the designated primary care physician</Description> <Condition FunctionId="function:and" DataType="xs:boolean"> <Function FunctionId="function:string-equal" DataType="xs:boolean"> <AttributeDesignator Designator="//xacmlContext/Request/Subject/SubjectId" DataType="xs:string"/> <AttributeDesignator Designator="//xacmlContext/Request/Resource/physicianName" DataType="xs:string"/> </Function> <Function FunctionId="function:present" DataType="xs:boolean"> <AttributeDesignator Designator="//xacmlContext/Request/Resource/patient/email" DataType="xs:string"/> </Function> </Condition> </Rule> <RuleDesignator> <RuleId>//medico.com/rules/rule4</RuleId> </RuleDesignator> </RuleSet> <Obligations> <Obligation ObligationId="//medico.com/emailer" FulfilOn="Permit"> <AttributeDesignator Designator="//xacmlContext/Request/Resource/patient/email" DataType="xs:string"/> <AttributeAssignment DataType="xs:string" AttributeId="//medico.com/text">Your medical record has been accessed by:</AttributeAssignment> <AttributeDesignator Designator="//xacmlContext/Request/Subject/SubjectId" DataType="xs:string"/> </Obligation> </Obligations> </PolicyStatement> </saml:Assertion> 1389 4.3.3 Policy set 1390 A policy set comprises four main components: 1391  a target; 1392  a policy-combining algorithm-identifier 1393  a set of policies; and draft-xacml-specification-16a.doc 33 1394  obligations. 1395  . 1396 1397 The target and policy statement components are described above. The other components are described in the following sub-sections. 1398 1399 1400 1401 4.3.3.1 Obligations The writer of a policy set may add obligations to the policy set, in addition to those contained in the component policies and policy sets. 4.3.3.2 Policy-combining algorithm 1402 1403 1404 1405 The policy-combining algorithm is the procedure by which the results of evaluating the component policies are combined to form the value of the policy set. In the case that the PDP uses a policy set to determine its response to a decision request, the Decision value is the result of evaluating the policy set. 1406 1407 1408 1409 When a PDP evaluates a policy set containing obligations, it returns certain of those obligations to the PEP in its response context. The XACML <Obligation> elements that are returned to the PEP are those whose xacml:FulfilOn attributes have the same value as the result of evaluating the policy set. 1410 1411 1412 As a consequence of this procedure, no obligations are returned to the PEP if the policies from which they are drawn are not evaluated, or their evaluated result is "Indeterminate" or "Not applicable". 1413 See Appendix C for an example of a policy-combining algorithm. 1414 5. Functional requirements (normative) 1415 1416 This section specifies certain functional requirements that are not directly associated with the production or consumption of a particular XACML element-. 1417 5.1. Policy Decision Point 1418 1419 1420 Given a valid XACML policy or policy set, a compliant XACML PDP MUST evaluate the policy as specified in Sections 5 and 6. The PDP MUST return a response context, with one <Decision> element values "Permit", "Deny", "Indeterminate" or "NotApplicable". 1421 1422 If the "Permit" value is returned, then the PEP MAY permit access to the resource. If the "Deny" value is returned, then the PEP SHALL deny access to the resource. 1423 1424 1425 1426 1427 1428 1429 If the "Permit" value is returned with one or more obligations, then the PEP MAY permit access provided that all the obligations are successfully fulfilled. If the "Deny" value is returned with one or more obligations, then the PEP SHALL deny access, but it MUST still fulfill the obligations. In the case that an obligation cannot be fulfilled, the PEP SHOULD raise an error. How the error is raised is outside the scope of XACML. In any case, the PDP MAY return additional information in the <statusCode> element of the response context. In the case of a "Permit" decision, the PDP MAY specify which rules were used in arriving at the decision. 1430 1431 If an "Indeterminate" decision value is returned, it means that the PDP could not make a decision. The PDP MAY return a decision value of "Indeterminate" with a status code of: draft-xacml-specification-16a.doc 34 1432 "urn:oasis:names:tc:xacml:1.0:missing-attribute", 1433 1434 1435 1436 signifying that more information is needed. In this case, the <Status> element MAY list the names of any attributes of the subject and the resource that are needed by the PDP to refine its decision. A PEP MAY resubmit a refined request context in response to a decision of "Indeterminate" with a status code of 1437 "urn:oasis:names:tc:xacml:1.0:missing-attribute", 1438 1439 by adding attribute values for the attribute names that were listed in the response. When the PDP returns a decision of "Indeterminate", with a status code of 1440 "urn:oasis:names:tc:xacml:1.0:missing-attribute", 1441 1442 1443 1444 it MUST NOT list the names of any attribute of the subject or the resource of the request for which values were supplied in the request. Note, this requirement forces the PDP to eventually return a decision of "Permit", "Deny" or "Indeterminate" with some other reason, in response to successively-refined requests. 1445 1446 If a decision value of "NotApplicable" is returned, it means that the PDP's policy is not applicable to the request, implying that the PEP should send its request to another PDP. 1447 1448 1449 1450 XACML says nothing about how top-level XACML policies should be configured. For example, a top-level policy might be a <Policy> element containing a <Target> element that matches every request, or it might be a <Policy> element containing a <Target> element that matches only a specific subject. 1451 1452 1453 1454 1455 1456 1457 5.2. Hierarchical resources It is often the case that a resource is organized as a hierarchy (e.g. file system, XML document). Some applications may require access to an entire subtree of the resource specified by a node. XACML allows the PEP (or Context Handler) to specify whether the access is just for a single resource or for a subtree below the specified resource. The latter is equivalent to repeating a single request for each node in the entire subtree. When a request context contains a resource attribute of type 1458 "urn:oasis:names:tc:xacml:1.0:resource:scope" 1459 1460 with a value of "Immediate", or if it does not contain that attribute, then access is requested to just the single resource specified by the ResourceId attribute. 1461 When the 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 "urn:oasis:names:tc:xacml:1.0:resource:scope" attribute has the value "Children", access is requested for both the specified resource and its children resources. When the "urn:oasis:names:tc:xacml:1.0:resource:scope" attribute has the value "Descendant", access is requested for both the specified resource and all its descendant resources. In the case of "Children" and "Descendant", the authorization decision MAY include multiple results for the multiple resources. An XACML response can contain multiple <Result> elements. In this case, the <Status> element SHOULD be included only in the first <Result> element (the remaining <Result> elements SHOULD NOT include the <Status> element). Note that the method by which the PDP discovers whether the resource is hierarchically organized or not is outside the scope of XACML. 1473 draft-xacml-specification-16a.doc 35 1475 Policy syntax (normative, with the exception of the schema fragments) 1476 6.1. Element <PolicySet> 1474 6. 1477 1478 1479 1480 1481 The <PolicySet> element is a top-level element in the XACML policy schema. <PolicySet> is an aggregation of other policy sets and policies. Policy sets MAY be included in an enclosing <PolicySet> element either directly by the <PolicySet> element or indirectly by the <PolicySetIdReference> element. Policies MAY be included in an enclosing <PolicySet> either directly by the <Policy> element or indirectly by the <PolicyIdReference> element. 1482 1483 1484 If a<PolicySet> element contains references to other policy sets or policies in the form of URIs, then these references MAY be resolvable. Applications MAY use SAML protocol extensions to query for the <PolicySetAssertion> or <PolicyAssertion> by reference. 1485 1486 Policies included in the <PolicySet> element MUST be combined by the algorithm specified by the PolicyCombiningAlgId attribute. 1487 1488 1489 1490 The <Target> element defines the applicability of the <PolicySet> to decision requests. If there is a match between the <Target> element within <PolicySet> and the authorization request, then the <PolicySet> element MAY be used by the PDP in making the authorization decision. 1491 1492 1493 The <Obligations> element is a set of obligations that MUST be fulfilled by the PEP in conjunction with the authorization decision. If the PEP does not understand any obligation, then it MUST act as if the PDP returned a “Deny” authorization decision value. 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511 1512 <xs:element name="PolicySet" type="xacml:PolicySetType"/> <xs:complexType name="PolicySetType"> <xs:sequence> <xs:element ref="xacml:Description" minOccurs="0"/> <xs:element ref="xacml:PolicySetDefaults" minOccurs="0"/> <xs:element ref="xacml:Target"/> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element ref="xacml:PolicySet"/> <xs:element ref="xacml:Policy"/> <xs:element ref="xacml:PolicySetIdReference"/> <xs:element ref="xacml:PolicyIdReferece"/> </xs:choice> <xs:element ref="xacml:Obligations" minOccurs="0"/> </xs:sequence> <xs:attribute name="PolicySetId" type="xs:anyURI" use="required"/> <xs:attribute name="PolicyCombiningAlgId" type="xs:anyURI" use="required"/> </xs:complexType> 1513 The <PolicySet> element is of PolicySetType complex type. 1514 The <PolicySet> element contains the following attributes and elements: 1515 PolicySetId [Required] 1516 1517 1518 1519 Policy set identifier. The party assigning the identifier MUST minimize the potential of some other party reusing the same identifier. This MAY be achieved by following a predefined URN or URI scheme. If the policy set identifier is in the form of a URI it MAY be resolvable. draft-xacml-specification-16a.doc 36 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 PolicyCombiningAlgId [Required] The identifier of the policy-combining algorithm by which the <PolicySet> components MUST be combined. Standard policy-combining algorithms are listed in Appendix C. Standard policy-combining algorithm identifiers are listed in Section B.10. <Description> [Optional] A free-form description of the <PolicySet>. <PolicySetDefaults> [Optional] A set of default values applicable to the <PolicySet>. This set of policy defaults does not propagate down into <PolicySet> components. <Target> [Required] 1530 The <Target> element defines the applicability of a <PolicySet> to decision requests. 1531 1532 1533 The <Target> element MAY be declared by the creator of the <PolicySet> or it MAY be computed from the <Target> elements of the referenced <Policy> elements, either as an intersection or as a union. 1534 1535 1536 1537 1538 If the <xacml-context:Subject>, <xacml-context:Resource>, and <xacmlcontext:Action> elements of the <xacml-context:Request> element match the <Subjects>, <Resources>, and <Actions> elements of the <Target> within the <PolicySet> element, then it MAY be used by the PDP in making an authorization decision. 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 <PolicySet> [Any Number] A policy set component that is included in this policy set. <Policy> [Any Number] The policy component that is included in this policy set. <PolicySetIdReference> [Any Number] A reference to the <PolicySet> component that MUST be included in this policy set. If <PolicySetIdReference> is an URI, then it MAY be resolvable. Applications MAY use SAML protocol extensions to query <PolicySet> by reference. <PolicyIdReference> [Any Number] A reference to the <Policy> component that MUST be included in this policy set. If the <PolicyIdReference> is an URI, then it MAY be resolvable. Applications MAY use SAML protocol extensions to query <Policy> by reference. <Obligations> [Optional] Contains the set of <Obligation> elements that MUST be discharged by the PEP. If the PEP does not understand any obligation in this set, then it MUST act as if the decision request was denied by the PDP. 6.2. Element <Description> The <Description> element is used for a free-form description of the <PolicySet> element and <Policy> element. The <Description> element is of xs:string simple type. draft-xacml-specification-16a.doc 37 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 <xs:element name="Description" type="xs:string"/> 6.3. Element <PolicySetDefaults> The <PolicySetDefaults> element is used to specify default values for the <PolicySet> element. <xs:element name="PolicySetDefaults" type="xacml:DefaultsType"/> <xs:complexType name="DefaultsType"> <xs:sequence minOccurs="0" maxOccurs="unbounded"> <xs:element ref="xacml:AbstractDefaults"/> </xs:sequence> </xs:complexType> 1568 <PolicySetDefaults> element is of DefaultsType complex type. 1569 <AbstractDefaults> [Any Number] 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 This is the head of a substitution group to specify default parameters. The only element in this substitution group defined at this time is the <XpathVersion> element. 6.4. Element <Target> The <Target> element identifies the set of decision requests that the parent element is intended to evaluate. The <Target> element appears as a child of <PolicySet>, <Policy>, and <Rule> elements. It contains definitions for subjects, resources and actions. <xs:element name="Target" type="xacml:TargetType"/> <xs:complexType name="TargetType"> <xs:sequence> <xs:element ref="xacml:Subjects"/> <xs:element ref="xacml:Resources"/> <xs:element ref="xacml:Actions"/> </xs:sequence> </xs:complexType> 1584 1585 1586 If the subject, resource and action in the <xacml-context:Request> element match the definitions of subjects, resources and actions in the <Target> element, then the policy component containing the <Target> element MAY be applicable to the decision request. 1587 1588 1589 1590 1591 For the purposes of matching, the <Subjects>, <Resources>, and <Actions> children of the <Target> element are combined using the logical ‘AND’ operation. For the parent of the <Target> element to be applicable to the decision request, at least one <Subject>, one <Resource>, and one <Action> MUST match the corresponding elements in the <xacmlcontext:Request> element. 1592 The <Target> element is of TargetType complex type. 1593 Note: a disjunctive sequence is a sequence of elements combined using the logical ‘OR’ operation. 1594 <Subjects> [Required] 1595 1596 1597 1598 This element is either a disjunctive sequence of <Subject> elements that match this target with subject attributes in the request context, or a special element <AnySubject> that matches any subject attribute in the request context. <Resources> [Required] draft-xacml-specification-16a.doc 38 1599 1600 1601 1602 1603 1604 1605 1606 1607 1608 1609 1610 1611 1612 1613 1614 1615 1616 This element is either a disjunctive sequence of <Resource> elements that match this target with resource attributes in the request context, or a special element <AnyResource> that matches any resource attribute in the request context. <Actions> [Required] This element is either a disjunctive sequence of <Action> elements that match this target with action attributes in the request context, or a special element <AnyAction> that matches any action attribute in the request context. 6.5. Element <Subjects> The <Subjects> element is a child of the <Target> element and is a wrapper for the disjunctive sequence of <Subject> elements. The <Subjects> element is combined using the logical ‘AND’ operation with other children of the <Target> element. <xs:element name="Subjects" type="xacml:SubjectsType"/> <xs:complexType name="SubjectsType"> <xs:choice> <xs:element ref="xacml:Subject" maxOccurs="unbounded"/> <xs:element ref="xacml:AnySubject"/> </xs:choice> </xs:complexType> 1617 The <Subjects> element is of SubjectsType complex type. 1618 <Subject> [Required] 1619 1620 1621 1622 1623 A disjunctive sequence of one or more matching specifications against subject attributes in the request context. <AnySubject> [Required] An element matching any subject attribute in the request context. 6.6. Element <Subject> 1624 1625 Note: a conjunctive sequence is a sequence of elements combined using the logical ‘AND’ operation. 1626 1627 The <Subject> element is a conjunctive sequence of individual matches against subject attributes in the request context. 1628 1629 1630 1631 1632 1633 <xs:element name="Subject" type="xacml:SubjectType"/> <xs:complexType name="SubjectType"> <xs:sequence> <xs:element ref="xacml:SubjectMatch" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> 1634 The <Subject> element is of SubjectType complex type. 1635 <Subject> element contains following elements: 1636 <SubjectMatch> [One to Many] 1637 1638 A conjunctive sequence of individual matches with the subject attributes in the request context. draft-xacml-specification-16a.doc 39 1639 6.7. Element <SubjectMatch> 1640 1641 The <SubjectMatch> element identifies a set of subject-related entities by matching values in the <Subject> element of the context with values embedded in the <Policy> element. 1642 1643 1644 1645 1646 1647 1648 1649 1650 1651 1652 <xs:element name="SubjectMatch" type="xacml:SubjectMatchType"/> <xs:complexType name="SubjectMatchType"> <xs:sequence> <xs:choice> <xs:element ref="xacml:SubjectAttributeDesignator"/> <xs:element ref="xacml:AttributeSelector"/> </xs:choice> <xs:element ref="xacml:AttributeValue"/> </xs:sequence> <xs:attribute name="MatchId" type="xs:QName" use="required"/> </xs:complexType> 1653 The <SubjectMatch> element is of SubjectMatchType complex type. 1654 The <SubjectMatch> element contains following attributes and elements: 1655 MatchId [required] 1656 1657 1658 1659 1660 1661 1662 1663 1664 1665 1666 1667 1668 1669 1670 1671 1672 1673 1674 1675 Specifies a matching function. The value of this attribute MUST be of type Qname, with legal values documented inAppendix A. <SubjectAttributeDesignator> [required] Identifies one or more values in the <Subject> element of the <xacmlcontext:Request> element. <AttributeSelector> [required] MAY be used to identify one or more values in the <Subject> element of <xacmlcontext:Request> element. It MUST contain a legal xpath expression over the <Subject> element of the <xacml-context:Request> element. 6.8. Element <Resources> The <Resources> element is a child of the <Target> element and is a wrapper for the disjunctive sequence of <Resource> elements. The <Resources> element is combined using the logical ‘AND’ operation with other children of the <xacml:Target> element. <xs:element name="Resources" type="xacml:ResourcesType"/> <xs:complexType name="ResourcesType"> <xs:choice> <xs:element ref="xacml:Resource" maxOccurs="unbounded"/> <xs:element ref="xacml:AnyResource"/> </xs:choice> </xs:complexType> 1676 The <Resources> element is of ResourcesType complex type. 1677 The <Resources> element consists of the following elements: 1678 <Resource> [Required] 1679 1680 A disjunctive sequence of one or more matching specifications against resource attributes in the request context. draft-xacml-specification-16a.doc 40 1681 1682 1683 1684 1685 1686 1687 1688 1689 1690 1691 <AnyResource> [Required] An element matching any resource attribute in the request context. 6.9. Element <Resource> The <Resource> element is a conjunctive sequence of individual matches against the resource attributes in the request context. <xs:element name="Resource" type="xacml:ResourceType"/> <xs:complexType name="ResourceType"> <xs:sequence> <xs:element ref="xacml:ResourceMatch" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> 1692 The <Resource> element is of ResourceType complex type. 1693 The <Resource> element contains the following elements: 1694 <ResourceMatch> [One to Many] 1695 1696 1697 A conjunctive sequence of individual matches with the resource attributes in the request context. 6.10. Element <ResourceMatch> 1698 1699 The <ResourceMatch> element identifies a set of resource-related entities by matching values in the <Resource> element of the request context with values embedded in the <Policy> element. 1700 1701 1702 1703 1704 1705 1706 1707 1708 1709 1710 <xs:element name="ResourceMatch" type="xacml:ResourceMatchType"/> <xs:complexType name="ResourceMatchType"> <xs:sequence> <xs:choice> <xs:element ref="xacml:ResourceAttributeDesignator"/> <xs:element ref="xacml:AttributeSelector"/> </xs:choice> <xs:element ref="xacml:AttributeValue"/> </xs:sequence> <xs:attribute name="MatchId" type="xs:QName" use="required"/> </xs:complexType> 1711 The <ResourceMatch> element is of ResourceMatchType complex type. 1712 The <ResourceMatch> element contains the following attributes and elements: 1713 MatchId [Required] 1714 1715 1716 1717 1718 1719 Specifies a matching function. Value of this attribute MUST be of type Qname, with legal values documented in Appendix A. <ResourceAttributeDesignator> [Required] Identifies one or more values in the <Resource> element of the <xacmlcontext:Request> element. <AttributeSelector> [Required] draft-xacml-specification-16a.doc 41 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 MAY be used to identify one or more values in the <Resource> element of the <xacmlcontext:Request> element. It MUST contain a legal xpath expression over the <Resource> element of the <xacml-context:Request> element. 6.11. Element <Actions> The <Actions> element is a child of the <Target> element and is a wrapper for the disjunctive sequence of the <Action> elements. The <Actions> element is combined by logical ‘AND’ with other children of the <Target> element. <xs:element name="Actions" type="xacml:ActionsType"/> <xs:complexType name="ActionsType"> <xs:choice> <xs:element ref="xacml:Action" maxOccurs="unbounded"/> <xs:element ref="xacml:AnyAction"/> </xs:choice> </xs:complexType> 1734 The <Actions> element is of ActionsType complex type. 1735 The <Actions> element contains the following elements: 1736 <Action> [Required] 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 A disjunctive sequence of one or more matching specifications against action attributes in the request context. <AnyAction> [Required] An element matching any action attribute in the request context. 6.12. Element <Action> The <Action> element is a conjunctive sequence of individual matches against the action attributes in the request context. <xs:element name="Action" type="xacml:ActionType"/> <xs:complexType name="ActionType"> <xs:sequence> <xs:element ref="xacml:ActionMatch" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> 1750 The <Action> element is of ActionType complex type. 1751 The <Action> element contains the following elements: 1752 <ActionMatch> [One to Many] 1753 1754 1755 1756 1757 1758 1759 A conjunctive sequence of individual action matches with the action in the request context. 6.13. Element <ActionMatch> The <ActionMatch> element identifies a set of action-related entities by matching values in the <Action> element of the context with values embedded in the <Policy> element. <xs:element name="ActionMatch" type="xacml:ActionMatchType"/> <xs:complexType name="ActionMatchType"> draft-xacml-specification-16a.doc 42 1760 1761 1762 1763 1764 1765 1766 1767 1768 <xs:sequence> <xs:choice> <xs:element ref="xacml:ActionAttributeDesignator"/> <xs:element ref="xacml:AttributeSelector"/> </xs:choice> <xs:element ref="xacml:AttributeValue"/> </xs:sequence> <xs:attribute name="MatchId" type="xs:QName" use="required"/> </xs:complexType> 1769 The <ActionMatch> element is of ActionMatchType complex type. 1770 The <ActionMatch> element contains the following attributes and elements: 1771 MatchId [Required] 1772 1773 1774 1775 1776 1777 1778 1779 1780 1781 1782 1783 1784 1785 1786 1787 1788 1789 1790 1791 1792 1793 1794 1795 1796 1797 Specifies a matching function. The value of this attribute MUST be of type Qname, with legal values documented in Appendix A. <ActionAttributeDesignator> [Required] Identifies one or more values in the <Resource> element of the <xacmlcontext:Request> element. <AttributeSelector> [Required] MAY be used to identify one or more values in the <Action> element of the <xacmlcontext:Request> element. It MUST contain a legal xpath expression over the <Resource> element of <xacml-context:Request> element. 6.14. Element <PolicySetIdReference> The <PolicySetIdReference> element is used to reference a <PolicySet> element by id. If <PolicySetIdReference> is a URI, then it MAY be resolvable to the <PolicySet>. The mechanism for resolving a policy set reference to the corresponding policy set is implementation dependent. Applications MAY use the xacml SAML protocol extension to query <PolicySetStatement> by id. <xs:element name="PolicySetIdReference" type="xs:anyURI"/> Element <PolicySetIdReference> is of xs:anyURI simple type. 6.15. Element <PolicyIdReference> The <xacml:PolicyIdReference> element is used to reference a <Policy> element by id. If <PolicyIdReference> is a URI, then it MAY be resolvable to the <Policy>. The mechanism for resolving a policy reference to the corresponding policy is implementation dependent. Applications MAY use the xacml SAML protocol extension to query <PolicyStatement> by id. <xs:element name="PolicyIdReference" type="xs:anyURI"/> Element <PolicyIdReference> is of xs:anyURI simple type. 6.16. Element <Policy> The <Policy> element is the smallest entity that can be presented to the PDP for evaluation. draft-xacml-specification-16a.doc 43 1798 1799 The main components of this element are the <Target>, <Rule>, and <Obligations> elements and the RuleCombiningAlgId attribute. 1800 1801 1802 1803 The <Target> element defines <Policy> applicability to decision requests. A sequence of <Rule> elements specifies authorizations that MUST be combined according to the RuleCombiningAlgId attribute. The <Obligations> element contains a set of obligations that MUST be discharged by the PDP in conjunction with the authorization decision. 1804 1805 1806 1807 1808 1809 1810 1811 1812 1813 1814 1815 1816 1817 <xs:element name="Policy" type="xacml:PolicyType"/> <xs:complexType name="PolicyType"> <xs:sequence> <xs:element ref="xacml:Description" minOccurs="0"/> <xs:element ref="xacml:PolicyDefaults" minOccurs="0"/> <xs:element ref="xacml:Target"/> <xs:element ref="xacml:Rule" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="xacml:Obligations" minOccurs="0"/> </xs:sequence> <xs:attribute name="PolicyId" type="xs:anyURI" use="required"/> <xs:attribute name="RuleCombiningAlgId" type="xs:anyURI" use="required"/> </xs:complexType> 1818 The <Policy> element is of PolicyType complex type. 1819 The <Policy> element contains the following attributes and elements: 1820 PolicyId [Required] 1821 1822 1823 1824 Policy identifier. The party assigning this identifier MUST minimize the potential of some other party reusing the same identifier. This MAY be achieved by following a predefined URN or URI scheme. It is OPTIONAL for the PolicyId URI to be resolvable to the corresponding <Policy> object. 1825 RuleCombiningAlgId [Required] 1826 1827 1828 The identifier of the rule-combining algorithm by which the <Policy> components MUST be combined. Standard rule-combining algorithms are listed in Appendix C. Standard rulecombining algorithm identifiers are listed in Section B.10.<Description> [Optional] 1829 1830 1831 1832 1833 A free-form description of the policy. <PolicyDefaults> [Optional] Defines a set of default values applicable to the policy. The scope of <PolicyDefaults> element is the enclosing policy. <Target> [Required] 1834 The <Target> element defines the applicability of a <Policy> to decision requests. 1835 1836 1837 The <Target> element MAY be declared by the creator of the <Policy> element, or it MAY be computed from the <Target> elements of the referenced <Rule> elements either as an intersection or as a union. 1838 1839 1840 1841 <Rule> [Any Number] A sequence of authorizations that MUST be combined according to the RuleCombiningAlgId attribute. Rules with <Target> elements matching the decision request MUST be considered. Rules with <Target> elements that do not match the draft-xacml-specification-16a.doc 44 1842 1843 1844 decision request MUST NOT be considered. Applicability of rules to the decision request is detailed in Appendix C. <Obligations> [Optional] 1845 1846 1847 1848 1849 1850 A conjunctive sequence of obligations that MUST be discharged by the PEP in conjunction with the authorization decision. If the PEP does not understand the obligations, then it MUST act as if the PDP denied access to the requested resource. 6.17. Element <Rule> The <Rule> element defines individual rules in the policy. The main components of this element are the <Target> and <Condition> elements, and the Effect attribute. <xs:element name="Rule" type="xacml:RuleType"/> <xs:complexType name="RuleType"> <xs:sequence> <xs:element ref="xacml:Description" minOccurs="0"/> <xs:element ref="xacml:Target" minOccurs="0"/> <xs:element ref="xacml:Condition" minOccurs="0"/> </xs:sequence> <xs:attribute name="RuleId" type="xs:anyURI" use="required"/> <xs:attribute name="Effect" type="xacml:EffectType" use="required"/> </xs:complexType> 1851 1852 1853 1854 1855 1856 1857 1858 1859 1860 1861 1862 The <Rule> element is of RuleType complex type. 1863 The <Rule> element contains the following attributes and elements: 1864 RuleId 1865 1866 1867 1868 1869 1870 1871 1872 1873 1874 1875 1876 1877 1878 1879 1880 1881 A URN identifying this rule. Effect Rule effect. Values of this attribute are either “Permit” or “Deny”. <Description> [optional] A free-form description of the rule. <Target> [optional] Identifies the set of decision requests that the <Rule> element is intended to evaluate. If this element is omitted, then the target for the <Rule> is defined by the enclosing <Policy> element. See Section 6.4for details. <Condition> [optional] A predicate that MUST be satisfied for the rule to be assigned its Effect value. A condition is a boolean function over a combination of subject, resource and environment attributes or other functions. 6.18. Simple type EffectType The EffectType simple type defines the values allowed for the Effect attribute of the <Rule> element and for the FulfillOn attribute of the <Obligation> element. <xs:simpleType name="EffectType"> draft-xacml-specification-16a.doc 45 1882 1883 1884 1885 1886 1887 1888 1889 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1901 1902 1903 1904 1905 1906 1907 1908 1909 1910 1911 1912 1913 <xs:restriction base="xs:string"> <xs:enumeration value="Permit"/> <xs:enumeration value="Deny"/> </xs:restriction> </xs:simpleType> 6.19. Element <Condition> The <Condition> element is a boolean function over subject, resource, action and environment attributes or functions of attributes. If the <Condition> element evaluates to "True", then the enclosing <Rule> element is assigned its Effect value. <xs:element name="Condition" type="xacml:ApplyType"/> The <Condition> element if of ApplyType complex type. 6.20. Element <Apply> The <Apply> element denotes application of a function to its arguments, thus encoding a function call. The <Apply> element can be applied to any combination of <Apply>, <AttributeValue>, <SubjectAttributeDesignator>, <SubjectAttributeDesignatorWhere>, <ResourceAttributeDesignator>, <ActionAttributeDesignator>, <EnvironmentAttributeDesignator> and <AttributeSelector> arguments. <xs:element name="Apply" type="xacml:ApplyType"/> <xs:complexType name="ApplyType"> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element ref="xacml:Apply"/> <xs:element ref="xacml:AttributeValue"/> <xs:element ref="xacml:SubjectAttributeDesignatorWhere"/> <xs:element ref="xacml:SubjectAttributeDesignator"/> <xs:element ref="xacml:ResourceAttributeDesignator"/> <xs:element ref="xacml:ActionAttributeDesignator"/> <xs:element ref="xacml:EnvironmentAttributeDesignator"/> <xs:element ref="xacml:AttributeSelector"/> </xs:choice> <xs:attribute name="FunctionId" type="xs:QName" use="required"/> </xs:complexType> 1914 1915 The <Apply> element is of ApplyType complex type. The top-level element of the ApplyType is a <Condition> element described in Section6.19. 1916 The <Apply> element contains the following attributes and elements: 1917 FunctionId [Required] 1918 1919 1920 The QName of a function. Xacml-defined functions are described in Appendix A. <Apply> [Optional] A nested function-call argument. 1921 <AttributeValue> [Optional] 1922 A literal value argument. 1923 1924 <SubjectAttributeDesignatorWhere> A subject attribute argument. draft-xacml-specification-16a.doc 46 1925 1926 <SubjectAttributeDesignator> [Optional] A subject attribute argument. 1927 <ResourceAttributeDesignator> [Optional] 1928 A resource attribute argument. 1929 <ActionAttributeDesignator> [Optional] 1930 An action attribute argument. 1931 <EnvironmentAttributeDesignator> [Optional] 1932 An environment attribute argument. 1933 1934 1935 <AttributeSelector> [Optional] An attribute selector argument. 6.21. Complex type AttributeDesignatorType 1936 1937 1938 Elements of the AttributeDesignatorType complex type are used as a pointing device into various elements of the <xacml-context:Request> element. <AttributeDesignatorType> is an XML syntax alternative to the xpath expressions used by the <AttributeSelector> element. 1939 1940 1941 Elements of AttributeDesignatorType type select a set of attributes from the request context, each of them having the same AttributeId value. As such, the attribute designator semantics are identical to those of an xpath expression. 1942 1943 1944 1945 1946 1947 <xs:complexType name="AttributeDesignatorType"> <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/> <xs:attribute name="DataType" type="xs:anyURI" use="required"/> <xs:attribute name="Issuer" type="xs:anyURI" use="optional"/> </xs:complexType> 1948 The <AttributeDesignatorType> contains the following attributes: 1949 AttributeId [Required] 1950 The attribute identifier selecting an attribute within the <xacml-context:Request> element. 1951 DataType [Required] 1952 1953 The data type for interpreting the corresponding attribute value in the <xacmlcontext:Request> element. 1954 Issuer [Optional] 1955 1956 1957 1958 1959 1960 The authority that issued the attribute. 6.22. Element <SubjectAttributeDesignator> The <SubjectAttributeDesignator> element selects a set of subject attribute values having the same attribute identifier from within all <Subject> elements of the <xacmlcontext:Request> element. As such, the <SubjectAttributeDesignator> element behaves like an xpath expression. draft-xacml-specification-16a.doc 47 1961 1962 1963 1964 Note that because the <xacml-context:Request> element MAY have multiple <xacmlcontext:Subject> elements, attribute values from all of them are selected. The <SubjectAttributeDesignatorWhere> element provides a way to narrow down this selection to a specific subject. 1965 1966 The <SubjectAttributeDesignator> element is used by the <SubjectMatch> element and can be passed to the <Apply> element as an argument. 1967 1968 1969 1970 <xs:element name="SubjectAttributeDesignator" type="xacml:AttributeDesignatorType"/> The <SubjectAttributeDesignator> element is of AttributeDesignatorType complex type. 6.23. Element <ResourceAttributeDesignator> 1971 1972 1973 1974 The <ResourceAttributeDesignator> element selects a set of resource attribute values having the same attribute identifier from within <Resource> element of the <xacmlcontext:Request> element. As such, the <ResourceAttributeDesignator> element behaves like an xpath expression. 1975 1976 The <ResourceAttributeDesignator> element is used by the <ResourceMatch> element and can be passed to the <Apply> element as an argument. 1977 1978 1979 1980 <xs:element name="ResourceAttributeDesignator" type="xacml:AttributeDesignatorType"/> The <ResourceAttributeDesignator> element is of AttributeDesignatorType complex type. 6.24. Element <ActionAttributeDesignator> 1981 1982 1983 1984 The <ActionAttributeDesignator> element selects a set of action attribute values having the same attribute identifier from within the <Action> element of the <xacmlcontext:Request> element. As such, the <ActionAttributeDesignator> element behaves like an xpath expression. 1985 1986 The <ActionAttributeDesignator> element is used by the <ActionMatch> element and can be passed to the <Apply> element as an argument. 1987 1988 1989 1990 <xs:element name="ActionAttributeDesignator" type="xacml:AttributeDesignatorType"/> The <ActionAttributeDesignator> element is of AttributeDesignatorType complex type. 6.25. Element <EnvironmentAttributeDesignator> 1991 1992 1993 1994 The <EnvironmentAttributeDesignator> element selects a set of environment attribute values having the same attribute identifier from within the <Environment> element of the <xacml-context:Request> element. As such, the <EnvironmentAttributeDesignator> element behaves like an xpath expression. 1995 1996 The <EnvironmentAttributeDesignator> element can be passed to the <Apply> element as an argument. 1997 1998 <xs:element name="EnvironmentAttributeDesignator" type="xacml:AttributeDesignatorType"/> draft-xacml-specification-16a.doc 48 1999 2000 2001 The <EnvironmentAttributeDesignator> element is of AttributeDesignatorType complex type. 6.26. Element <SubjectAttributeDesignatorWhere> 2002 2003 The element <SubjectAttributeDesignatorWhere> specifies additional subject matches when a subject attribute value is selected from the <xacml-contex:Request> element. 2004 2005 2006 Because the <xacml-context:Request> element MAY contain multiple <xacmlcontext:Subject> elements, the <SubjectAttributeDesignatorWhere> element provides a way to focus the subject attribute selection on a particular subject. 2007 2008 2009 2010 The <SubjectAttributeDesignatorWhere> element is designed to make Complex selections such as: Select the attribute value for the subject attribute whose id is “A”, such that the attribute value for the subject attribute whose id is “B” is “valueB” and the attribute value for the subject attribute whose id is “C” is “valueC”. 2011 Every subject match narrows down a set of attributes selected by the previous match. 2012 2013 Element <SubjectAttributeDesignatorWhere> is passed as an argument to the <Apply> element. 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025 <xs:element name="SubjectAttributeDesignatorWhere" type="xacml:SubjectAttributeDesignatorWhereType"/> <xs:complexType name="SubjectAttributeDesignatorWhereType"> <xs:complexContent> <xs:extension base="xacml:AttributeDesignatorType"> <xs:sequence> <xs:element ref="xacml:SubjectMatch" minOccurs="0"/> </xs:sequence> </xs:extension> </xs:complexContent> </xs:complexType> 2026 2027 The <SubjectAttributeDesignatorWhere> element is of SubjectAttributeDesignatorWhereType complex type. 2028 2029 In addition to its base type, the <SubjectAttributeDesignatorWhere> element contains the following elements: 2030 <SubjectMatch> [Any Number] 2031 2032 2033 2034 2035 2036 2037 2038 2039 2040 2041 A conjunctive sequence of matches against the <Subject> element of the <xacmlcontext:Request> element. Each subject match in a sequence narrows down a set of subject attributes selected by the previous match. 6.27. Element <AttributeSelector> The <AttributeSelector> element is a free-form pointing device into the <xacmlcontext:Request> element. It uses xpath syntax to select elements from the request context. There are no restrictions on the xpath. However, the full power of the xpath syntax should be used with care: a policy writer MUST ensure that, when the <AttributeSelector> element is used in place of one of the elements of type AttributeDesignatorType, it is pointing to the correct section of the <xacml-context:Request> element. Support for the <AttributeSelector> element is OPTIONAL. draft-xacml-specification-16a.doc 49 2042 2043 2044 2045 2046 2047 2048 2049 2050 <xs:element name="AttributeSelector" type="xacml:AttributeSelectorType"/> <xs:complexType name="AttributeSelectorType"> <xs:attribute name="RequestContextPath" type="xs:anyURI" use="required"/> <xs:attribute name="DataType" type="xs:anyURI" use="required"/> <xs:attribute name="XPathVersion" type="xs:anyURI" use="optional"/> </ xs:complexType> 2051 The <AttributeSelector> element is of AttributeSelectorType complex type. 2052 The <AttributeSelector> element has the following attributes: 2053 RequestContextPath [Required] 2054 2055 2056 2057 2058 2059 2060 2061 2062 2063 2064 An Xpath expression into the request context. There is no restriction on the xpath syntax. DataType [Required] The data type of the selected item. It could be an xml-schema-defined data type or any other derived data type. XpathVersion [Optional] Xpath version. The default value for this attribute is: http://www.w3.org/TR/1999/Recxpath-19991116, which is xpath 1.0. It could be overwritten by another value or by the <XpathVersion> element of the <PolicySetDefaults> element.. 6.28. Element <AttributeValue> The <AttributeValue> element contains a literal attribute value. The type of the value MUST be contained in the DataType attribute. 2065 2066 2067 2068 2069 2070 2071 2072 2073 2074 <xs:element name="AttributeValue" type="xacml:AttributeValueType"/> <xs:complexType name="AttributeValueType"> <xs:complexContent> <xs:extension base="xs:anyType"> <xs:attribute name="DataType" type="xs:anyURI" use="required"/> </xs:extension> </xs:complexContent> </xs:complexType> 2075 The <AttributeValue> element is of AttributeValueType complex type. 2076 The <AttributeValue> element contains the following attributes: 2077 DataType [required] 2078 2079 2080 2081 2082 2083 The type of the value. The attribute MAY be one of the xml-schema-defined types. Alternatively, it MAY be of a structured type defined in some other namespace. 6.29. Element <Obligations> The <Obligations> element contains a set of <Obligation> elements. A PEP MUST fulfill all obligations returned by the PDP. If a PEP does not understand an obligation, then it MUST act as if the PDP had returned a “Deny” authorization decision. draft-xacml-specification-16a.doc 50 2084 2085 2086 2087 2088 2089 <xs:element name="Obligations" type="xacml:ObligationsType"/> <xs:complexType name="ObligationsType"> <xs:sequence> <xs:element ref="xacml:Obligation" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> 2090 The <Obligations> element is of ObligationsType complexType. 2091 <Obligation> [One to Many] 2092 2093 2094 2095 2096 2097 2098 2099 2100 2101 2102 2103 2104 2105 2106 2107 2108 A sequence of obligations that MUST be fulfilled by the PEP. If the PEP does not understand an obligation, then it MUST act as if the PDP had returned a “Deny” authorization decision. 6.30. Element <Obligation> The <Obligation> element contains an identifier for the obligation and a set of attributes that form arguments of the action defined by the obligation. The FulfillOn attribute indicates the decision value for which this obligation MUST be fulfilled. <xs:element name="Obligation" type="xacml:ObligationType"/> <xs:complexType name="ObligationType"> <xs:choice maxOccurs="unbounded"> <xs:element ref="xacml:AttributeAssignment"/> </xs:choice> <xs:attribute name="ObligationId" type="xs:anyURI" use="required"/> <xs:attribute name="FulfilOn" type="xacml:EffectType" use="required"/> </xs:complexType> 2109 The <Obligation> element is of ObligationType complexType. 2110 The ObligationId [required] 2111 2112 2113 2114 2115 2116 2117 2118 2119 2120 2121 2122 2123 2124 2125 2126 Obligation identifier. The value of the obligation identifier is interpreted by the PEP. FulfillOn [required] The decision value for which this obligation MUST be fulfilled. <AttributeAssignment> [required] Obligation arguments assignment. The values of the obligation arguments are interpreted by the PEP. 6.31. Element <AttributeAssignment> The <AttributeAssignment> element contains an AttributeId and the corresponding attribute value. The AttributeId is part of attribute meta-data, and is used when the attribute cannot be referenced by its location in the <xacml-context:Request>. This situation may arise in an <Obligation> element if the obligation includes parameters. <xs:element name="AttributeAssignment" type="xacml:AttributeAssignmentType"/> <xs:complexType name="AttributeAssignmentType"> <xs:complexContent> <xs:extension base="xacml:AttributeValueType"> draft-xacml-specification-16a.doc 51 2127 2128 2129 2130 2131 <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/> </xs:extension> </xs:complexContent> </xs:complexType> 2132 The <AttributeAssignment> element is of AttributeAssignmentType complex type. 2133 AttributeId [Required] 2134 2135 2136 2137 2138 2139 The attribute Identifier DataType [Required] The data type for the assigned value. 7. Context syntax (normative with the exception of the schema fragments) 7.1. Element <Request> 2140 2141 2142 The <Request> element is a top-level element in the XACML context schema. A <Request> element is an abstraction layer used by the policy language. Any proprietary system using the XACML specification MUST transform its input into the xacml context request form. 2143 2144 The <Request> element consists of four sections denoted by the <Subject>, <Resource>, <Action>, and <Environment> elements. 2145 2146 2147 2148 2149 2150 2151 2152 2153 2154 <xs:element name="Request" type="xacml-context:RequestType"/> <xs:complexType name="RequestType"> <xs:sequence> <xs:element ref="xacml-context:Subject" maxOccurs="unbounded"/> <xs:element ref="xacml-context:Resource"/> <xs:element ref="xacml-context:Action"/> <xs:element ref="xacml-context:Environment" minOccurs="0"/> </xs:sequence> </xs:complexType> 2155 The <Request> element is of RequestType complex type. 2156 The <Request> element contains the following elements: 2157 <Subject> [One to Many] 2158 2159 2160 Identifies a subject in the request context. One or more <Subject> elements are allowed. Each <Subject> element MUST contain a number of predefined <Attribute> elements. It MAY contain additional <Attribute> elements. 2161 [Issue: list required attributes] 2162 2163 <Resource> [Required] Contains information about the resource to which access is being requested. It MAY draft-xacml-specification-16a.doc 52 2164 2165 include a <ResourceContent> element, and it MUST contain a number of predefined <Attribute> elements. Additional <Attribute> elements MAY be included. 2166 [Issue: list required attributes] 2167 2168 2169 2170 2171 2172 2173 2174 2175 2176 2177 2178 2179 2180 2181 2182 <Action> [Required] Identifies the requested action by listing a set of <Attribute> elements associated with the action. <Environment> [Optional] Contains a set of <Attribute> elements of the environment. These <Attribute> elements MAY form a part of policy evaluation. 7.2. Element <Subject> The <Subject> element specifies a subject of a decision request context by listing a sequence of <Attribute> elements associated with the subject. <xs:element name="Subject" type="xacml-context:SubjectType"/> <xs:complexType name="SubjectType"> <xs:sequence> <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> 2183 The <Subject> element is of SubjectType complex type. 2184 <Attribute> [Any Number] 2185 2186 A sequence of attributes associated with the subject. A number of attributes MUST be present for each <Subject> element upon construction of the request context. 2187 [Issue: Describe required attributes] 2188 7.3. Element <Resource> 2189 2190 2191 2192 2193 2194 2195 2196 2197 2198 2199 The <Resource> element encapsulates the requested resource and lists a sequence of <Attribute> elements associated with that resource and optional resource content. <xs:element name="Resource" type="xacml-context:ResourceType"/> <xs:complexType name="ResourceType"> <xs:sequence> <xs:element ref="xacml-context:ResourceContent" minOccurs="0"/> <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> 2200 The <Resource> element is of ResourceType complex type. 2201 The <Resource> element contains the following elements: 2202 <ResourceContent> [Optional] 2203 The resource content. draft-xacml-specification-16a.doc 53 2204 2205 2206 2207 <Attribute> [Any Number] A sequence of resource attributes. A number of <Attribute> elements MUST be included. Additional <Attribute> elements MAY be present. 7.4. Element <ResourceContent> 2208 2209 2210 The <ResourceContent> element is a notional placeholder for the resource content. If an xacml policy references the contents of the resource, then the <ResourceContent> element is used as the reference point. 2211 2212 2213 2214 2215 2216 2217 <xs:complexType name="ResourceContentType"> <xs:sequence> <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:anyAttribute namespace="##any" processContents="lax"/> </xs:complexType> 2218 The <ResourceContent> element is of ResourceContentType complex type. 2219 The <ResourceContent> element allows arbitrary elements and attributes. 2220 2221 2222 2223 2224 2225 2226 2227 2228 2229 7.5. Element <Action> The <Action> element identifies the requested action by listing a set of <Attribute> elements associated with the action. <xs:element name="Action" type="xacml-context:ActionType"/> <xs:complexType name="ActionType"> <xs:sequence> <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> 2230 The <Action> element is of ActionType complex type. 2231 The <Attribute> [Any Number] 2232 Action attributes. 2233 2234 2235 2236 2237 2238 2239 2240 2241 2242 2243 7.6. Element <Environment> The <Environment> element contains a set of attributes of the environment. These attributes MAY form part of policy evaluation. <xs:element name="Environment" type="xacmlcontext:EnvironmentType"/> <xs:complexType name="EnvironmentType"> <xs:sequence> <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> 2244 The <Environment> element is of EnvironmentType complex type. 2245 The <Environment> element contains the following elements: draft-xacml-specification-16a.doc 54 2246 2247 2248 2249 2250 2251 2252 2253 2254 2255 2256 2257 2258 2259 2260 2261 2262 2263 2264 2265 <Attribute> [Any Number] A list of environment attributes. Environment attributes are attributes that are not associated with either the subject, resource or action. 7.7. Element <Attribute> The <Attribute> element is a central abstraction of the request context. It contains an attribute value and attribute meta-data. The attribute meta-data comprises the attribute identifier, attribute issuer and attribute issue instant. Attribute designators and attribute selectors in the policy refer to attributes by this meta-data. <xs:element name="Attribute" type="xacml-context:AttributeType"/> <xs:complexType name="AttributeType"> <xs:sequence> <xs:element ref="xacml-context:AttributeValue" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/> <xs:attribute name="Issuer" type="xs:string" use="optional"/> <xs:attribute name="IssueInstant" type="xs:dateTime" use="optional"/> </xs:complexType> 2266 The <Attribute> element is of AttributeType complex type. 2267 The <Attribute> element contains the following attributes and elements: 2268 AttributeId [Required] 2269 2270 2271 2272 2273 2274 2275 2276 2277 2278 2279 2280 2281 2282 2283 2284 2285 Attribute identifier. A number of identifiers are reserved by XACML to denote commonly used attributes. Issuer [Optional] Attribute issuer. This MAY be a URIthat binds to a public key, or some other identifier exchanged out-of-band by issuing and relying parties. IssueInstant [Optional] Attribute issue instant. 7.8. Element <AttributeValue> The <AttributeValue> element contains the value of an attribute. <xs:element name="AttributeValue" type="xs:anyType"/> The <AttributeValue> element is of xs:anyType type. 7.9. Element <Response> The <Response> element encapsulates the authorization decision returned by the PDP. It includes a sequence of one or more results with one <Result> element per requested resource. Multiple results MAY be returned when the value of the “urn:oasis:xacml:1.0:resource:scope” resource attribute in the request context is “Descendants”. Support for multiple results is OPTIONAL. draft-xacml-specification-16a.doc 55 2286 2287 2288 2289 2290 2291 2292 <xs:element name="Response" type="xacml-context:ResponseType"/> <xs:complexType name="ResponseType"> <xs:sequence> <xs:element ref="xacml-context:Result" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> 2293 The <Response> element is of ResponseType complex type. 2294 The <Response> element contains the following elements: 2295 <Result> [One to Many] 2296 2297 2298 2299 2300 2301 2302 2303 2304 2305 2306 2307 2308 2309 2310 2311 An authorization decision result. 7.10. Element <Result> The <Result> element represents an authorization decision result for the resource specified by the ResourceURI attribute. It MAY include a set of obligations that MUST be fulfilled by the PEP. If the PEP does not understand an obligation, then it MUST act as if the PDP had denied access to the requested resource. <xs:element name="Result" type="xacml-context:ResultType"/> <xs:complexType name="ResultType"> <xs:sequence> <xs:element ref="xacml-context:Decision"/> <xs:element ref="xacml-context:Status" minOccurs="0"/> <xs:element ref="xacml:Obligations" minOccurs="0"/> </xs:sequence> <xs:attribute name="ResourceURI" type="xs:anyURI" use="optional"/> </xs:complexType> 2312 The <Result> element is of ResultType complex type. 2313 The <Result> element contains the following attributes and elements: 2314 ResourceURI [Optional] 2315 2316 2317 2318 2319 2320 2321 2322 2323 2324 2325 The URI for the requested resource. If this attribute is omitted, then the resource URI is specified by the “urn:oasis:names:tc:xacml:1.0:resource:resource-uri” resource attribute in the <Request> element. <Decision> [Required] The authorization decision <Status> [Optional] Indicates whether the request succeeded or not. <Obligations> [Optional] A list of obligations that MUST be discharged by the PEP. If the PEP does not understand an obligation, then it MUST act as if the PDP had denied access to the requested resource. draft-xacml-specification-16a.doc 56 2326 2327 2328 2329 2330 2331 2332 2333 2334 2335 2336 2337 2338 2339 2340 2341 2342 2343 2344 2345 2346 2347 7.11. Element <Decision> The <Decision> element contains the result of policy evaluation. <xs:element name="Decision" type="xacml-context:DecisionType"/> <xs:simpleType name="DecisionType"> <xs:restriction base="xs:string"> <xs:enumeration value="Permit"/> <xs:enumeration value="Deny"/> <xs:enumeration value="Indeterminate"/> <xs:enumeration value="NotApplicable"/> </xs:restriction> </xs:simpleType> The <Decision> element is of DecisionType simple type. 7.12. Element <Status> The <Status> element represents the status of the authorization decision result. <xs:element name="Status" type="xacml-context:StatusType"/> <xs:complexType name="StatusType"> <xs:sequence> <xs:element ref="xacml-context:StatusCode"/> <xs:element ref="xacml-context:StatusMessage" minOccurs="0"/> <xs:element ref="xacml-context:StatusDetail" minOccurs="0"/> </xs:sequence> </xs:complexType> 2348 The <Status> element is of StatusType complex type. 2349 The <Status> element contains the following elements: 2350 <StatusCode> [Required] 2351 2352 2353 2354 2355 2356 2357 2358 2359 2360 2361 2362 2363 2364 2365 2366 2367 Status code. <StatusMessage> [Optional] A status message describing the status code. <StatusDetail> [Optional] Additional status information. 7.13. Element <StatusCode> The <StatusCode> element contains a major status code value and an optional sequence of minor status codes. <xs:element name="StatusCode" type="xacmlcontext:StatusCodeType"/> <xs:complexType name="StatusCodeType"> <xs:sequence> <xs:element ref="xacml-context:StatusCode" minOccurs="0"/> </xs:sequence> <xs:attribute name="Value" type="xs:QName" use="required"/> </xs:complexType> The <StatusCode> element is of StatusCodeType complex type. draft-xacml-specification-16a.doc 57 2368 The <StatusCode> element contains the following attributes and elements: 2369 Value [Required] 2370 2371 See Section B.9 for a list of values. <StatusCode> [Any Number] 2372 Minor status code. This status code qualifies its parent status code. 7.14. Element <StatusMessage> 2373 2374 The <StatusMessage> element is a free-form description of the status code. <xs:element name="StatusMessage" type="xs:string"/> 2375 2376 The <StatusMessage> element is of xs:string type. 7.15. Element <StatusDetail> 2377 2378 The <StatusDetail> element qualifies the <Status> element with additional information. <xs:element name="StatusDetail" type="xacmlcontext:StatusDetailType"/> <xs:complexType name="StatusDetailType"> <xs:sequence> <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> 2379 2380 2381 2382 2383 2384 2385 2386 2387 The <StatusDetail> element is of StatusDetailType complex type. 2388 The <StatusDetail> element allows arbitrary xml content. 2389 8. XACML extensibility points (non-normative) 2390 2391 This section describes the points within the XACML model and schema where extensions can be added 8.1. URIs 2392 2393 The following XML attributes are URIs. 2394  Function, 2395  RuleCombiningAlgId, 2396  PolicyCombiningAlgId, draft-xacml-specification-16a.doc 58 2398 9. Security and privacy considerations (nonnormative) 2399 2400 2401 2402 This section identifies possible security and privacy compromise scenarios that should be considered when implementing an XACML-based system. The section is informative only. It is left to the implementer to decide whether these compromise scenarios are practical in their environment and to select appropriate safeguards. 2397 2403 9.1. Threat model 2404 2405 The general Internet threat model described in the IETF guidelines for security considerations [ref.] is the basis for the XACML threat model. 2406 2407 We assume here that the adversary has access to the communication channel between the XACML actors and is able to interpret, insert, delete and modify messages or parts of messages. 2408 2409 2410 2411 Additionally, an actor may use information from a former transaction maliciously in subsequent transactions. It is further assumed that rules and policies are only as reliable as the actors that produce them. Thus it is incumbent on each actor to establish appropriate trust in the other actors upon which it relies. Mechanisms for trust establishment are outside the scope of this specification. 2412 2413 2414 2415 The messages that are transmitted between the actors in the XACML model are susceptible to attack by malicious third parties. Other points of vulnerability include the PEP, the PDP and the PAP. While some of these entities are not strictly within the scope of this specification, their compromise could lead to the compromise of access control enforced by the PEP. 2416 2417 2418 It should be noted that there are other components of a distributed system that may be compromised, such as an operating system and the domain-name system (DNS) that are outside the scope of this discussion of threat models. And such compromise may lead to a policy violation. 2419 The following sections detail specific compromise scenarios that are relevant to an XACML system. 2420 9.1.1 Unauthorized disclosure 2421 2422 2423 2424 2425 2426 2427 XACML does not specify any inherent mechanisms for confidentiality of the messages exchanged between actors. Therefore, an adversary could observe the messages in transit. Under certain security policies, disclosure of this information is a violation. Disclosure of attributes or the types of decision requests that a subject makes may be a breach of privacy policy. In the commercial sector, the consequences of unauthorized disclosure of personal data may range from embarrassment to the custodian to imprisonment and large fines in the case of medical or financial data. 2428 Unauthorized disclosure is addressed by confidentiality mechanisms. 2429 9.1.2 Impersonation 2430 2431 2432 2433 2434 9.1.3 Message replay A message replay attack is one in which the adversary records and replays legitimate messages between XACML actors. This attack may lead to denial of service, the use of out-of-date information or impersonation. draft-xacml-specification-16a.doc 59 2435 Prevention of replay attacks requires the use of message freshness mechanisms. 2436 2437 Note that encryption of the message does not mitigate a replay attack since the message is just replayed and does not have to be understood by the adversary. 2438 9.1.4 Message insertion 2439 2440 A message insertion attack is one in which the adversary inserts messages in the sequence of messages between XACML actors. 2441 2442 2443 2444 2445 The solution to a message insertion attack is to use mutual authentication and a message integrity mechanism between the actors. It should be noted that just using SSL mutual authentication is not sufficient. This only proves that the other party is the one identified by the subject of the X.509 certificate. In order to be effective it is necessary to confirm that the certificate subject is authorized to send the message. 2446 2447 2448 2449 2450 2451 2452 2453 2454 2455 2456 2457 2458 9.1.5 Message deletion A message deletion attack is one in which the adversary deletes messages in the sequence of messages between XACML actors. Message deletion may lead to denial of service. However, a properly designed XACML system should not render an incorrect authorization decision as a result of a message deletion attack. The solution to a message deletion attack is to use a message integrity mechanism between the actors. 9.1.6 Message modification If an adversary can intercept a message and change its contents they may be able to alter an authorization decision. Message integrity mechanisms can prevent a successful message modification attack. 9.1.7 Resource matching 2459 2460 2461 2462 2463 2464 2465 It is vital that the matching algorithm used by the PDP to identify the applicable policy based on the target resource be functionally equivalent to the one used by the PEP to form the decision request. This requirement applies particularly in the case where the <Decision> value of “NotApplicable” is treated as equivalent to the value “Permit” (as is common in many Web servers). This situation does not usually occur when the PEP intercepts the decision request at the point of execution, but is frequently an issue if the PEP is implemented as a proxy or filter by developers other than those that developed the resource server. 2466 2467 2468 2469 2470 2471 2472 A common example of this behavior is found in Web servers. Commercial http responders permit a variety of syntaxes to be treated equivalently. The “%” character can be used to represent characters by hex value. In the URL path, the character string: “/../” provides multiple ways of specifying the same value. Multiple character sets may be permitted and in some cases, the same printed character can be represented by different binary values. If the target-matching algorithm considers two resource strings to be different, and the underlying Web server considers them to be the same, this may result in unauthorized access. 2473 2474 2475 2476 The usual solution to this problem is to put the decision request in a canonical form before matching. There may be practical difficulties with this strategy if the transformations are not completely documented or subject to change without notice from one version to the next. Therefore, it is important to be aware of this issue and perform careful checking of marginal cases. draft-xacml-specification-16a.doc 60 9.1.8 Negative rules 2477 2478 2479 2480 2481 2482 A negative rule is one that is based on a predicate not being "True". If not used with care, negative rules can lead to policy violation, therefore some authorities recommend that they NOT be used. However, negative rules can be extremely efficient in certain cases, so XACML has chosen to include them. Nevertheless, it is recommended that they be used with care and avoided if possible. 2483 2484 2485 2486 2487 2488 2489 2490 2491 A common use for negative rules is to deny access to an individual or subgroup when their membership in a larger group would otherwise permit them access. For example, we might want to write a rule that allows all Vice Presidents to see the unpublished financial data, except for Joe, who is only a Ceremonial Vice President and can be indiscreet in his communications. If we have complete control of the administration of subject attributes, a superior approach would be to define “Vice President” and “Ceremonial Vice President” as distinct groups and then define rules accordingly. However, in some environments this approach may not be feasible. (It is worth noting in passing that, generally speaking, referring to individuals in rules does not scale well. Generally, shared attributes are preferred.) 2492 2493 2494 2495 2496 2497 2498 If not used with care, negative rules can lead to policy violation in two common cases. They are: when attributes are suppressed and when the base group changes. An example of suppressed attributes would be if we have a policy that access should be permitted, unless the subject is a credit risk. If it is possible that the attribute of being a credit risk may be unknown to the PDP for some reason, unauthorized access may be permitted. In some environments, the subject may be able to suppress the publication of attributes by the application of privacy controls, or the server or repository that contains the information may be unavailable for accidental or intentional reasons. 2499 2500 2501 2502 2503 2504 2505 2506 An example of a changing base group would be if there is a policy that everyone in the engineering department may change software source code, except for secretaries. Suppose now that the department were to merge with another engineering department and the intent is to maintain the same policy. However, the new department also includes individuals identified as administrative assistants, who ought to be treated in the same way as secretaries. Unless the policy is altered, they will unintentionally be permitted to change software source code. Problems of this type are easy to avoid when one individual administers all policies, but when administration is distributed, as XACML allows, this type of situation must be explicitly guarded against. 9.2. Safeguards 2507 9.2.1 Authentication 2508 2509 2510 Authentication provides the means for one party in a transaction to determine the identity of the other party in the transaction. Authentication may be in one direction, or it may be bilateral 1. 2511 2512 2513 Given the sensitive nature of access control systems, it is important for a PEP to authenticate the identity of the PDP to which it sends decision requests. Otherwise, there is a risk that an adversary could provide false or invalid authorization decisions, leading to a policy violation. 2514 2515 2516 2517 It is equally important for a PDP to authenticate the identity of the PEP and assess the level of trust to determine what, if any, sensitive data should be passed. One should keep in mind that even simple "Permit" or "Deny" responses could be exploited if an adversary were allowed to make unlimited requests to a PDP. 1 Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) section 4.1 draft-xacml-specification-16a.doc 61 2518 2519 2520 2521 Many different techniques may be used to provide authentication, such as co-located code, a private network, a VPN or digital signatures. Authentication may also be performed as part of the communication protocol used to exchange the contexts. In this case, authentication may be performed at the message level or at the session level. 9.2.2 Confidentiality 2522 2523 2524 2525 2526 Confidentiality mechanisms ensure that the contents of a message can be read only by the desired recipients and not by anyone else who encounters the message while it is in transit 2. There are two areas in which confidentiality should be considered: one is confidentiality during transmission; the other is confidentiality within a <Policy> element. 9.2.2.1 2527 Communication confidentiality 2528 2529 2530 2531 2532 2533 In some environments it is deemed good practice to treat all data within an access control system as confidential. In other environments, policies may be made freely available for distribution, inspection and audit. The idea behind keeping policy information secret is to make it more difficult for an adverary to know what steps might be sufficient to obtain unauthorized access. Regardless of the approach chosen, the security of the access control system should not depend on the secrecy of the policy. 2534 2535 2536 2537 2538 Any security concerns or requirements related to transmitting or exchanging XACML <policy> elements are outside the scope of the XACML standard. While it is often important to ensure that the integrity and confidentiality of <policy> elements is maintained when they are exchanged between two parties, it is left to the implementers to determine the appropriate mechanisms for their environment. 2539 2540 2541 Communications confidentiality can be provided by a confidentiality mechanism, such as SSL. Using a point-to-point scheme like SSL may lead to other vulnerabilities when one of the recipients of a particular point-to-point hop is compromised. 9.2.2.2 2542 Statement level confidentiality 2543 2544 In some cases, an implementation may want to encrypt only parts of an XACML <Policy> element. 2545 2546 2547 The XML Encryption Syntax and Processing Candidate Recommendation from W3C can be used to encrypt all or parts of an XML document. This specification is recommended for use with XACML. 2548 2549 2550 It should go without saying that if a repository is used to facilitate the communication of cleartext (i.e., unencrypted) policy between the PAP and PDP, then a secure repository should be used to store this sensitive data. 9.2.3 Policy integrity 2551 2552 2553 2554 2555 2556 The XACML policy, used by the PDP to evaluate the request context, is the heart of the system. Therefore, maintaining its integrity is essential. There are two aspects to maintaining the integrity of the policy. One is to ensure that <Policy> elements have not been altered since they were originally created by the PAP. The other is to ensure that <Policy> elements have not been inserted or deleted from the set of policies. 2 Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) section 4. draft-xacml-specification-16a.doc 62 2557 2558 2559 2560 2561 2562 In many cases, both aspects can be achieved by ensuring the integrity of the actors and implementing session-level mechanisms to secure the communication between actors. The selection of the appropriate mechanisms is left to the implementers. However, when policy is distributed between organizations to be acted on at a later time, or when the policy travels with the protected resource, it would be useful to sign the policy. In these cases, the XML Signature Syntax and Processing standard from W3C is recommended to be used with XACML. 2563 2564 2565 2566 2567 2568 Digital signatures should only be used to ensure the integrity of the statements. Digital signatures should not be use as a method of selecting or evaluating policy. That is, the PDP should not request a policy based on who signed it or whether or not it has been signed (as such a basis for selection would, itself, be a matter of policy). However, the PDP must verify that the key used to sign the policy is one controlled by the purported issuer of the policy. The means to do this are dependent on the specific signature technology chosen and are outside the scope of this document. 9.2.4 Message freshness 2569 2570 Timestamp or nonce. 9.2.5 Policy identifiers 2571 2572 2573 2574 2575 2576 2577 2578 2579 Since policies can be referenced by their identifiers, it is the responsibility of the PAP to ensure that these are unique. Confusion between identifiers could lead to misidentification of the applicable policy. This specification is silent on whether a PAP must generate a new identifier when a policy is modified or may use the same identifier in the modified policy. This is a matter of administrative practice. However, care must be taken in either case. If the identifier is reused, there is a danger that other policies or policy sets that reference it may be adversely affected. Conversely, if a new identifier is used, these other policies may continue to use the prior policy, unless it is deleted. In either case the results may not be what the policy administrator intends. 9.2.6 Trust model 2580 2581 2582 2583 2584 2585 Discussions of authentication, integrity and confidentiality mechanisms necessarily assume an underlying trust model: how can one actor come to believe that a given key is uniquely associated with a specific, identified actor so that the key can be used to encrypt data for that actor or verify signatures (or other integrity structures) from that actor? Many different types of trust model exist, including strict hierarchies, distributed authorities, the Web, the bridge and so on. 2586 2587 It is worth considering the relationships between the various actors of the access control system in terms of the interdependencies that do and do not exist. 2588 2589  None of the entities of the authorization system are dependent on the PEP. They may collect data from it, for example authentication, but are responsible for verifying it. 2590 2591  The correct operation of the system depends on the ability of the PEP to actually enforce policy decisions. 2592 2593 2594  The PEP depends on the PDP to correctly evaluate policies. This in turn implies that the PDP is supplied with the correct inputs. Other than that, the PDP does not depend on the PEP. 2595 2596  The PDP depends on the PAP to supply appropriate policies. The PAP is not dependent on other components. draft-xacml-specification-16a.doc 63 9.2.7 Privacy 2597 2598 2599 2600 2601 2602 2603 2604 2605 It is important to be aware that any transactions that occur with respect to access control may reveal private information about the actors. For example, if an XACML policy states that certain data may only be read by subjects with “Gold Card Member” status, then any transaction in which a subject is permitted access to that data leaks information to an adversary about the subject's status. Privacy considerations may therefore lead to encryption and/or to access control policies surrounding the enforcement of XACML policy instances themselves: confidentiality-protected channels for the request/response protocol messages, protection of subject attributes in storage and in transit, and so on. 2606 2607 2608 Selection and use of privacy mechanisms appropriate to a given environment are outside the scope of XACML. The decision regarding whether, how and when to deploy such mechanisms is left to the implementers associated with the environment. 2609 10. Conformance (normative) 10.1. Introduction 2610 2611 Conformance claims MAY be made by either one of two components in the XACML model: 2612 2613 1. An implementation of a PAP that produces <Policy> elements that conform with the XACML schema; and 2614 2615 2. An implementation of a PDP that produces authorization decisions in response to a request context on the basis of XACML <Policy> elements that conform with the XACML schema. 2616 2617 PAPs MAY claim conformance with the XACML specification provided merely that they produce schema-compliant policy statements. 2618 2619 PDPs MAY claim conformance with the XACML specification provided that they correctly execute the XACML conformance test suite provided at: … 2620 http://www.oasis-open.org/ 2621 10.2. XACML test suite 2622 2623 An implementation that "successfully uses" the XACML specification MUST pass the test suite. The test suite comprises three directories: 2624  Request context 2625  Policy 2626  Response context 2627 2628 The input context directory contains a set of text/xml/ xacmlContext:RequestType files that are valid XACML input contexts. 2629 2630 The policy directory contains precisely one XACML policy file whose target is appropriate for each of the input contexts. 2631 2632 The output context directory contains a set of text/xml/ xacmlContext:ResponseType files containing the output contexts that correspond to the input contexts in the input context directory. draft-xacml-specification-16a.doc 64 2633 2634 2635 A conformant XACML PDP implementation shall create an output context in response to each and every input context. The output contexts are linked to the corresponding input contexts by the request context ID attribute. [There’s no such thing at the moment.] 2636 2637 2638 XACML implementations that target a specific application domain (e.g., SAML or J2SE) may use a tool or process that is not an integral part of the XACML implementation to convert between the XACML contexts and its private data representation. 2639 2640 2641 Disclaimer: Implementers SHALL NOT consider the test cases provided in the XACML conformance test suite as providing 100% test coverage. OASIS does not represent that a conformant implementation will operate correctly in all respects nor that it is fit for its purpose. 2642 10.3. Conformance tables 2643 2644 This section lists those portions of the specification that MUST be included in an implementation of a PDP that claims to conform with XACML v1.0. 2645 Note: "M" means mandatory-to-implement. "O" means optional. 2646 10.3.1 Namespace xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy xacml:Policy Schema elements Element AbstractDefaults Action ActionAttributeDesignator ActionMatch Actions AnyAction AnyResource AnySubject Apply AttributeAssignment AttributeSelector AttributeValue Condition Description EnvironmentAttributeDesignator Obligation Obligations Policy PolicyDefaults PolicyId PolicySet PolicySetDefaults PolicySetId Resource ResourceAttributeDesignator ResourceMatch Resources Rule Subject SubjectAttributeDesignator SubjectAttributeDesignatorWhere SubjectMatch Subjects Target draft-xacml-specification-16a.doc M/O ? M M M M M M M M O O M M M M O O M ? M M ? M M M M M M M M M M M M 65 xacml:Policy xacml:Context xacml:Context xacml:Context xacml:Context xacml:Context xacml:Context xacml:Context xacml:Context xacml:Context xacml:Context xacml:Context xacml:Context xacml:Context xacml:Context xacml:Context xacml:Context 2647 2648 XPathVersion Action Attribute AttributeValue Decision Environment Obligations Request Resource ResourceContent Response Result Status StatusCode StatusDetail StatusMessage Subject 10.3.2 2650 Algorithms The implementation MUST include the rule- and policy-combining algorithms marked "M". Algorithm Deny-Overrides First-Applicable Permit-Overrides 2649 O M M M M M O M M O M M O O O O M 10.3.3 M/O M M M Identifiers The implementation MUST properly process those identifiers marked with an "M". Identifier urn:oasis:names:tc:xacml:1.0 urn:oasis:names:tc:xacml:1.0:auth-locality:dns-name urn:oasis:names:tc:xacml:1.0:auth-locality:ip-address urn:oasis:names:tc:xacml:1.0:conformance-test urn:oasis:names:tc:xacml:1.0:context urn:oasis:names:tc:xacml:1.0:datatype:numeric urn:oasis:names:tc:xacml:1.0:datatype:rfc822name urn:oasis:names:tc:xacml:1.0:datatype:ufs-path urn:oasis:names:tc:xacml:1.0:datatype:x500name urn:oasis:names:tc:xacml:1.0:environment:current-time urn:oasis:names:tc:xacml:1.0:example:action urn:oasis:names:tc:xacml:1.0:example:action:read urn:oasis:names:tc:xacml:1.0:example:action:xml-ac urn:oasis:names:tc:xacml:1.0:example:attribute urn:oasis:names:tc:xacml:1.0:example:attribute:group urn:oasis:names:tc:xacml:1.0:example:attribute:role urn:oasis:names:tc:xacml:1.0:function urn:oasis:names:tc:xacml:1.0:policy urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:denyoverrides urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:firstapplicable urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permitoverrides urn:oasis:names:tc:xacml:1.0:resource:resource-location draft-xacml-specification-16a.doc M/O M M O M M M M M M M O O O O O O M M M M M M 66 urn:oasis:names:tc:xacml:1.0:resource:resource-uri urn:oasis:names:tc:xacml:1.0:resource:simple-file-name urn:oasis:names:tc:xacml:1.0:resource:xpath urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:denyoverrides urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:firstapplicable urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permitoverrides urn:oasis:names:tc:xacml:1.0:status:missing-attribute urn:oasis:names:tc:xacml:1.0:status:ok urn:oasis:names:tc:xacml:1.0:status:processing-error urn:oasis:names:tc:xacml:1.0:status:syntax-error urn:oasis:names:tc:xacml:1.0:subject:authentication-method urn:oasis:names:tc:xacml:1.0:subject:authentication-time urn:oasis:names:tc:xacml:1.0:subject:key-info urn:oasis:names:tc:xacml:1.0:subject:request-time urn:oasis:names:tc:xacml:1.0:subject:session-start-time urn:oasis:names:tc:xacml:1.0:subject:subject-category urn:oasis:names:tc:xacml:1.0:subject:subject-id urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier urn:oasis:names:tc:xacml:1.0:subject-category:access-subject urn:oasis:names:tc:xacml:1.0:subject-category:codebase urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine xs:Gregorian xs:dayTimeDuration xs:yearMonthDuration 2651 2652 10.3.4 M M M M M O O O O M M M M M M M M M O O O O M O O Function identifier The implementation MUST properly process those functions marked with an "M". Function function:integer-add function:decimal-add function:add-yearMonthDuration-to-date function:add-yearMonthDuration-to-date function:add-dayTimeDuration-to-time function:add-yearMonthDuration-to dateTime function:add-dayTimeDuration-to-dateTime function:add-yearMonthDurations function:add-dayTimeDurations function:integer-subtract function:decimal-subtract function:date-subtract function:subtract-yearMonthDuration-from-date function:subtract-dayTimeDuration-from-date function:time-subtract function:subtract-dayTimeDuration-from-time function:datetime-subtract function:subtract-yearMonthDuration-from-dateTime function:subtract-dayTimeDuration-from-dateTime function:subtract-yearMonthDurations function:subtract-dayTimeDurations function:integer-multiply draft-xacml-specification-16a.doc M/O M M O O O O O O O M M O O O O O O O O O O M 67 function:decimal-multiply function:multiply-yearMonthDurations function:multiply-dayTimeDurations function:integer-divide function:decimal-divide function:divide-yearMonthDurations function:divide-dayTimeDurations function:integer-mod function:decimal-mod function:round function:floor function:abs function:integer function:decimal function:integer-equal function:decimal-equal function:boolean-equal function:string-equal function:rfc822Name-equal function:x500Name-equal function:date-equal function:time-equal function:datetime-equal function:yearMonthDuration-equal function:dayTimeDuration-equal function:gregorian-equal function:hex-binary-equal function:base64-binary-equal function:anyURI-equal function:QName-equal function:NOTATION-equal function:numeric-not-equal function:boolean-not-equal function:string-not-equal function:date-not-equal function:time-not-equal function:datetime-not-equal function:yearMonthDuration-not-equal function:dayTimeDuration-not-equal function:gregorian-not-equal function:hex-binary-not-equal function:base64-binary-not-equal function:anyURI-not-equal function:QName-not-equal function:NOTATION-not-equal function:integer-greater-than function:decimal-greater-than function:string-greater-than function:date-greater-than function:time-greater-than function:datetime-greater-than function:yearMonthDuration-greater-than function:dayTimeDuration-greater-than function:integer-less-than function:decimal-less-than function:string-less-than function:date-less-than draft-xacml-specification-16a.doc M O O M M O O M M M M M M M M M M M M M M M M O O M M M M M M O O O O O O O O O O O O O O M M M M M M O O O O O O 68 function:time-less-than function:datetime-less-than function:yearMonthDuration-less-than function:dayTimeDuration-less-than function:integer-greater-than-or-equal function:decimal-greater-than-or-equal function:string-greater-than-or-equal function:date-greater-than-or-equal function:time-greater-than-or-equal function:datetime-greater-than-or-equal function:yearMonthDuration-greater-than-or-equal function:dayTimeDuration-greater-than-or-equal function:integer-less-than-or-equal function:decimal-less-than-or-equal function:numeric-less-than-or-equal function:date-less-than-or-equal function:time-less-than-or-equal function:datetime-less-than-or-equal function:yearMonthDuration-less-than-or-equal function:dayTimeDuration-less-than-or-equal function:string-match function:rfc822Name-match function:x500Name-match function:and function:ordered-and function:or function:ordered-or function:n-of function:not function:present X-intersection X-union X-member-of X-first X-rest x-length 2653 Where "X" can be any supported data type. 2654 11. References O O O O M M M M M M O O O O O O O O O O M M M M M M M M M M M M M M M M 2655 2656 2657 [Hinton94] Hinton, H, M, Lee,, E, S, The Compatibility of Policies, Proceedings 2nd ACM Conference on Computer and Communications Security, Nov 1994, Fairfax, Virginia, USA. 2658 2659 [LDAP] RFC2798, Definition of the inetOrgPerson, M. Smith, April 2000 http://www.ietf.org/rfc/rfc2798.txt 2660 2661 2662 [MathML] Mathematical Markup Language (MathML), Version 2.0, W3C Recommendation, 21 February 2001. Available at: http://www.w3.org/TR/MathML2/ 2663 2664 2665 2666 [Perritt93] Perritt, H. Knowbots, Permissions Headers and Contract Law, Conference on Technological Strategies for Protecting Intellectual Property in the Networked Multimedia Environment, April 1993. Available at: http://www.ifla.org/documents/infopol/copyright/perh2.txt draft-xacml-specification-16a.doc 69 2667 2668 2669 [RBAC] Role-Based Access Controls, David Ferraiolo and Richard Kuhn, 15th National Computer Security Conference, 1992. Available at: http://csrc.nist.gov/rbac 2670 2671 [RegEx] XML Schema Part 0: Primer, W3C Recommendation, 2 May 2001, Appendix D. Available at: http://www.w3.org/TR/xmlschema-0/ 2672 2673 [RFC2119] S. Bradner, Key words for use in RFCs to Indicate Requirement Levels, http://www.ietf.org/rfc/rfc2119.txt, IETF RFC 2119, March 1997 2674 2675 [SAML] Security Assertion Markup Language available from http://www.oasisopen.org/committees/security/#documents 2676 2677 2678 [Sloman94] Sloman, M. Policy Driven Management for Distributed Systems. Journal of Network and Systems Management, Volume 2, part 4. Plenum Press. 1994. 2679 2680 [XMLSig] D. Eastlake et al., XML-Signature Syntax and Processing, http://www.w3.org/TR/xmldsig-core/, World Wide Web Consortium. 2681 2682 [XMLSig-XSD] XML Signature Schema available from http://www.w3.org/TR/2000/CRxmldsig-core-20001031/xmldsig-core-schema.xsd. 2683 2684 [XPath] XML Path Language (XPath), Version 1.0, W3C Recommendation 16 November 1999. Available at: http://www.w3.org/TR/xpath 2685 2686 [XSLT] XSL Transformations (XSLT) Version 1.0, W3C Recommendation 16 November 1999. Available at: http://www.w3.org/TR/xslt draft-xacml-specification-16a.doc 70 2688 Appendix A. Function names and legal type combinations 2689 A.1. Functions 2690 2691 The table in this section lists the legal combinations of datatypes for the various functions. For each function name, the table indicates the valid combination of datatypes and the datatype of the result. 2687 Function name Return type First argument Second argument Third and Can be used Can be used subsequent In in <Match> <Condition> arguments string-equal single<xs:boolean> single<xs:string> single<xs:string> yes yes boolean-equal single<xs:boolean> single<xs:boolean> single<xs:boolean > yes yes integer-equal single<xs:boolean> single<xs:integer> single<xs:integer> yes yes decimal-equal single<xs:boolean> single<xs:decimal> single<xs:decimal> yes yes date-equal single<xs:boolean> single<xs:date> single<xs:date> yes yes time-equal single<xs:boolean> single<xs_time> single<xs_time> yes yes datetime-equal single<xs:boolean> single<xs:dateTime> single<xs:dateTim e> yes yes anyURI-equal single<xs:boolean> single<xs:anyURI> single<xs:anyURI> yes yes Qname-equal single<xs:boolean> single<xs:Qname> single<xs:Qname> yes yes single<x500Name > yes yes rfc822Nameequal single<xs:boolean> single<rfc822Name> single<rfc822Nam e> yes yes NOTATIONequal single<xs:boolean> single<xs:NOTATION single<xs:NOTATI > ON> yes yes gregorian-equal single<xs:boolean> single<xs:gregorian> single<rfc822Nam e> yes yes x500Name-equal single<xs:boolean> single<x500Name> hex-binary-equal single<xs:boolean> single<xs:hexbinary> single<xs:hexbinary> yes yes base64-equal single<xs:boolean> single<xs:base64> single<xs:base64> yes yes integer-add single<xs:integer> single<xs:integer> single<xs:int eger> no no decimal-add single<xs:decimal> single<xs:decimal> single<xs:decimal> single<xs:de cimal> no no integer-subtract single<xs:integer> single<xs:integer> no no decimal-subtract single<xs:decimal> single<xs:decimal> single<xs:decimal> no no integer-multiply single<xs:integer> no no decimal-multiply single<xs:decimal> single<xs:decimal> single<xs:decimal> no no integer-divide single<xs:integer> no no single<xs:integer> single<xs:integer> single<xs:integer> single<xs:integer> single<xs:integer> single<xs:integer> draft-xacml-specification-16a.doc 71 decimal-divide single<xs:decimal> single<xs:decimal> single<xs:decimal> no no integer-mod single<xs:integer> single<xs:integer> no no decimal-mod single<xs:decimal> single<xs:decimal> single<xs:decimal> no no round ne_sequence<xs:de ne_sequence<xs:dec cimal> imal> no no floor ne_sequence<xs:de ne_sequence<xs:dec cimal> imal> no no abs ne_sequence<xs:de ne_sequence<xs:dec cimal> imal> no no decimal-tointeger ne_sequence<xs:int ne_sequence<xs:dec eger> imal> no no integer-todecimal ne_sequence<xs:de ne_sequence<xs:inte cimal> ger> no no ordered-or single<xs:boolean> single<xs:boolean> single<xs:boolean > single<xs:bo olean> no yes or single<xs:boolean> single<xs:boolean> single<xs:boolean > single<xs:bo olean> no yes ordered-and single<xs:boolean> single<xs:boolean> single<xs:boolean > single<xs:bo olean> no yes and single<xs:boolean> single<xs:boolean> single<xs:boolean > single<xs:bo olean> no yes not single<xs:boolean> single<xs:boolean> single<xs:boolean > single<xs:bo olean> no yes n-of single<xs:boolean> single<xs:integer> single<xs:boolean > single<xs:bo olean> no yes integer-greaterthen single<xs:boolean> single<xs:integer> single<xs:integer> no yes integer-greaterthen-or-equal single<xs:boolean> single<xs:integer> single<xs:integer> no yes time-greaterthen single<xs:boolean> single<xs:time> single<xs:time> no yes time-greaterthen-or-equal single<xs:boolean> single<xs:time> single<xs:time> no yes date-greaterthen single<xs:boolean> single<xs:date> single<xs:date> no yes date-greaterthen-or-equal single<xs:boolean> single<xs:date> single<xs:date> no yes datetimegreater-then single<xs:boolean> single<xs:datetime> single<xs:datetime > no yes datetimegreater-then-orequal single<xs:boolean> single<xs:datetime> single<xs:datetime > no yes decimal-greater single<xs:boolean> single<xs:decimal> single<xs:decimal> no yes decimal-greater- single<xs:boolean> single<xs:decimal> then-or-equal single<xs:decimal> no yes string-greater single<xs:boolean> single<xs:string> single<xs:string> no yes string-greater- single<xs:boolean> single<xs:string> single<xs:string> no yes single<xs:integer> draft-xacml-specification-16a.doc 72 then-or-equal string-match single<xs:boolean> single<xs:string> single<xs:string> yes yes x500Namematch single<xs:boolean> single<x500Name> single<x500Name > yes yes rfc822Namematch single<xs:boolean> single<rfc822Name> single<rfc822Nam e> yes yes present single<xs:boolean> single<xs:anyURI> no yes string-intesection set<xs:string> set<xs:string> set<xs:string> no no booleanintersection set<xs:boolean> set<xs:boolean> set<xs:boolean> no no integerintersection set<xs:integer> set<xs:integer> set<xs:integer> no no decimalintersection set<xs:decimal> set<xs:decimal> set<xs:decimal> no no date-intersection set<xs:date> set<xs:date> set<xs:date> no no time-intersection set<xs_time> set<xs_time> set<xs_time> no no dateTimeintersection set<xs:dateTime> set<xs:dateTime> set<xs:dateTime> no no anyURIintersection set<xs:anyURI> set<xs:anyURI> set<xs:anyURI> no no Qnameintersection set<xs:Qname> set<xs:Qname> set<xs:Qname> no no x500Nameintersection set<x500Name> set<x500Name> set<x500Name> no no rfc822Nameintersection set<rfc822Name> set<rfc822Name> set<rfc822Name> no no NOTATIONintersection set<xs:NOTATION> set<xs:NOTATION> set<xs:NOTATION > no no gregorianintersection set<xs:gregorian> set<xs:gregorian> set<rfc822Name> no no hex-binaryintersection set<xs:hex-binary> set<xs:hex-binary> set<xs:hex-binary> no no base64intersection set<xs:base64> set<xs:base64> set<xs:base64> no no date-union set<xs:date> set<xs:date> set<xs:date> no no time-union set<xs_time> set<xs_time> set<xs_time> no no dateTime-union set<xs:dateTime> set<xs:dateTime> set<xs:dateTime> no no anyURI-union set<xs:anyURI> set<xs:anyURI> set<xs:anyURI> no no Qname-union set<xs:Qname> set<xs:Qname> set<xs:Qname> no no x500Name-union set<x500Name> set<x500Name> set<x500Name> no no rfc822Nameunion set<rfc822Name> set<rfc822Name> set<rfc822Name> no no NOTATIONunion set<xs:NOTATION> set<xs:NOTATION> set<xs:NOTATION > yes yes gregorian-union set<xs:gregorian> set<rfc822Name> yes yes set<xs:gregorian> draft-xacml-specification-16a.doc 73 hex-binary-union set<xs:hex-binary> set<xs:hex-binary> set<xs:hex-binary> yes yes base64-union set<xs:base64> set<xs:base64> yes yes date-member-of single<xs:boolean> single<xs:date> set<xs:date> yes yes time-member-of single<xs:boolean> single<xs_time> set<xs_time> yes yes set<xs:base64> dateTimemember-of single<xs:boolean> single<xs:dateTime> set<xs:dateTime> yes yes anyURImember-of single<xs:boolean> single<xs:anyURI> set<xs:anyURI> yes yes Qname-member- single<xs:boolean> single<xs:Qname> of set<xs:Qname> yes yes x500Namemember-of single<xs:boolean> single<x500Name> set<x500Name> yes yes rfc822Namemember-of single<xs:boolean> single<rfc822Name> set<rfc822Name> yes yes NOTATIONmember-of single<xs:boolean> single<xs:NOTATION set<xs:NOTATION > > yes yes gregorianmember-of single<xs:boolean> single<xs:gregorian> set<rfc822Name> yes yes hex-binarymember-of single<xs:boolean> single<xs:hexbinary> set<xs:hex-binary> yes yes set<xs:base64> yes yes base64-member- single<xs:boolean> single<xs:base64> of date-first single<xs:date> ne_sequence<xs:dat e> no no time-first single<xs_time> ne_sequence<xs_tim e> no no dateTime-first single<xs:dateTime ne_sequence<xs:dat > eTime> no no anyURI-first single<xs:anyURI> ne_sequence<xs:any URI> no no Qname-first single<xs:Qname> ne_sequence<xs:Qn ame> no no x500Name-first single<x500Name> ne_sequence<x500N ame> no no rfc822Name-first single<rfc822Name ne_sequence<rfc822 > Name> no no NOTATION-first single<xs:NOTATIO ne_sequence<xs:NO N> TATION> no no gregorian-first single<xs:gregorian ne_sequence<xs:gre > gorian> no no hex-binary-first single<xs:hexbinary> ne_sequence<xs:hex -binary> no no base64-first single<xs:base64> ne_sequence<xs:bas e64> no no date-rest sequence<xs:date> ne_sequence<xs:dat e> no no time-rest sequence<xs_time> ne_sequence<xs_tim no no draft-xacml-specification-16a.doc 74 e> dateTime-rest sequence<xs:dateTi ne_sequence<xs:dat me> eTime> no no anyURI-rest sequence<xs:anyU ne_sequence<xs:any RI> URI> no no Qname-rest sequence<xs:Qnam ne_sequence<xs:Qn e> ame> no no x500Name-rest sequence<x500Na me> ne_sequence<x500N ame> no no rfc822Name-rest sequence<rfc822Na ne_sequence<rfc822 me> Name> no no NOTATION-rest sequence<xs:NOTA single<xs:NOTATION TION> > no no gregorian-rest sequence<xs:gregor single<xs:gregorian> ian> no no hex-binary-rest sequence<xs:hexbinary> no no base64-rest sequence<xs:base6 single<xs:base64> 4> no no date-length single<xs:integer> sequence<xs:date> no no time-length single<xs:integer> sequence<xs_time> no no dateTime-length single<xs:integer> sequence<xs:dateTi me> no no anyURI-length single<xs:integer> sequence<xs:anyURI > no no Qname-length single<xs:integer> sequence<xs:Qname > no no x500Namelength single<xs:integer> sequence<x500Nam e> no no rfc822Namelength single<xs:integer> sequence<rfc822Na me> no no NOTATIONlength single<xs:integer> sequence<xs:NOTAT ION> no no gregorian-length single<xs:integer> sequence<xs:gregori an> no no hex-binarylength single<xs:integer> sequence<xs:hexbinary> no no base64-length single<xs:integer> sequence<xs:base64 > no no single<xs:hexbinary> 2692 draft-xacml-specification-16a.doc 75 2693 Appendix B. XACML identifiers (normative) 2694 2695 This section defines standard identifiers for commonly used entities. All XACML-defined identifiers have the common base: 2696 urn:oasis:names:tc:xacml:1.0 2697 B.1. XACML namespaces 2698 There are currently two defined XACML namespaces. 2699 Policies are defined using this identifier. 2700 2701 2702 urn:oasis:names:tc:xacml:1.0:policy Input and output contexts are defined using this identifier. urn:oasis:names:tc:xacml:1.0:context 2703 B.2. Authentication locality 2704 2705 The following identifiers indicate the location where an authentication credentials were activated. They are intended to support the corresponding entities from the SAML authentication statement. 2706 This identifier indicates that the location is expressed as an IP address. 2707 2708 2709 urn:oasis:names:tc:xacml:1.0:authn-locality:ip-address This identifier indicates that the location is expressed as a DNS name. urn:oasis:names:tc:xacml:1.0:authn-locality:dns-name 2710 B.3. Access subject categories 2711 2712 This identifier indicates the system entity that is directly requesting access, that is the final entity in a request chain. If subject category is not specified, this is the default value. 2713 2714 2715 2716 2717 2718 2719 2720 2721 2722 2723 2724 urn:oasis:names:tc:xacml:1.0:subjectcategory:access-subject This identifier indicates the system entity that will receive the results of the request. Used when it is distinct from the access-subject. urn:oasis:names:tc:xacml:1.0:subjectcategory:recipient-subject This identifier indicates a system entity through which the request was passed. There may be more than one. No means is provided to specify the order in which they passed the message. urn:oasis:names:tc:xacml:1.0:subjectcategory:intermediary-subject This identifier indicates a system entity associated with a local or remote codebase that generated the request. Corresponding subject attributes might include the URLfrom which it was loaded and/or the identity of the code-signer. There may be more than one. No means is provided to specify the order they passed the message. urn:oasis:names:tc:xacml:1.0:subjectcategory:codebase draft-xacml-specification-16a.doc 76 2725 2726 2727 This identifier indicates a system entity associated with the computer that initiated the request. An example would be an IPsec identity. urn:oasis:names:tc:xacml:1.0:subjectcategory:requesting-machine 2728 B.4. XACML functions 2729 This identifier is the base for all the identifiers in the table of functions. See Appendix A.1. 2730 urn:oasis:names:tc:xacml:1.0:function 2731 B.5. Data types 2732 The following identifiers indicate useful datatypes. 2733 B.5.1. X.500 distinguished name 2734 This identifier indicates an X.500 distinguished name. 2735 2736 2737 2738 2739 2740 2741 2742 2743 2744 2745 2746 urn:oasis:names:tc:xacml:1.0:datatype:x500name B.5.2. RFC822 Name This identifier indicates an RFC822-style name. urn:oasis:names:tc:xacml:1.0:datatype:rfc822name B.5.3. Unix file-system path This identifier indicates a UNIX file-system path. urn:oasis:names:tc:xacml:1.0:datatype:ufs-path B.5.4. Numeric This identifier indicates a numeric value. urn:oasis:names:tc:xacml:1.0:datatype:numeric The following date identifiers are defined by XML Schema. http://www.w3.org/2001/XMLSchema:yearMonthDuration 2747 2748 http://www.w3.org/2001/XMLSchema:dayTimeDuration 2749 2750 http://www.w3.org/2001/XMLSchema:Gregorian draft-xacml-specification-16a.doc 77 2751 B.6. Environment attributes 2752 2753 This identifier indicates the current time at the PDP. In practice it is the time the input context was created. 2754 urn:oasis:names:tc:xacml:1.0:environment:current-time 2755 B.7. Subject attributes 2756 2757 2758 These identifiers indicate attributes of a subject. At most one of each of these attributes is associated with each subject. Each attribute associated with authentication relates to the same authentication event. 2759 2760 This identifier indicates the name of the subject. The default format is xs:string. To indicate other formats, use data type attributes listed in B.5 2761 2762 2763 2764 2765 2766 2767 2768 2769 2770 2771 2772 2773 2774 2775 2776 2777 2778 urn:oasis:names:tc:xacml:1.0:subject:subject-id This identifier indicates the subject category. Access-subject is the default. urn:oasis:names:tc:xacml:1.0:subject:subject-category This identifier indicates the security domain of the subject. Identifies the administrator and policy that manages the name-space in which the subject id is administered. urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier This identifier indicates a public key used to confirm the subject’s identity. urn:oasis:names:tc:xacml:1.0:subject:key-info This identifier indicates the time at which the subject was authenticated. urn:oasis:names:tc:xacml:1.0:subject:authentication-time This identifier indicates the method used to authenticate the subject. urn:oasis:names:tc:xacml:1.0:subject:authentication-method This identifier indicates the time at which the subject initiated the access request, according to the PEP. urn:oasis:names:tc:xacml:1.0:subject:request-time This identifier indicates the time at which the subject’s current session began, according to the PEP. urn:oasis:names:tc:xacml:1.0:subject:session-start-time 2779 Add the LDAP attributes. 2780 B.8. Resource attributes 2781 This identifier indicates the entire URI of the resource. 2782 2783 2784 urn:oasis:names:tc:xacml:1.0:resource:resource-uri This identifier indicates the last (rightmost) component of the file name. For example, if the URI is: “file://home/my/status#pointer”, the simple-file-name is "status".) draft-xacml-specification-16a.doc 78 2785 2786 2787 urn:oasis:names:tc:xacml:1.0:resource:simple-file-name This identifier indicates that the resource is specified by an XPath expression. urn:oasis:names:tc:xacml:1.0:resource:xpath 2788 B.9. Status codes 2789 The following status code identifiers are defined. 2790 This identifier indicates success. 2791 2792 2793 2794 2795 2796 2797 2798 2799 urn:oasis:names:tc:xacml:1.0:status:ok This identifier indicates that attributes necessary to make a policy decision where not available. urn:oasis:names:tc:xacml:1.0:status:missing-attribute This identifier indicates that some attribute value contained a syntax error, such as a letter in a numeric field. urn:oasis:names:tc:xacml:1.0:status:syntax-error This identifier indicates that an error occurred during policy evaluation. An example would be division by zero. urn:oasis:names:tc:xacml:1.0:status:processing-error 2800 B.10. 2801 The deny-overrides rule-combining algorithm has the following value for ruleCombiningAlgId: 2802 urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides 2803 2804 2805 2806 2807 2808 Combining algorithms The deny-overrides policy-combining algorithm has the following value for policyCombiningAlgId: urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides The permit-overrides rule-combining algorithm has the following value for ruleCombiningAlgId: urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides The permit-overrides policy-combining algorithm has the following value for policyCombiningAlgId: urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides 2809 The first-applicable rule-combining algorithm has the following value for ruleCombiningAlgId: 2810 urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable 2811 2812 The first-applicable policy-combining algorithm has the following value for policyCombiningAlgId: urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable 2814 B.10. Identifiers used only in XACML conformance tests 2815 All identifiers used in conformance tests will use this identifier as a base. 2813 draft-xacml-specification-16a.doc 79 2816 urn:oasis:names:tc:xacml:1.0:conformance-test 2817 B.11. 2818 2819 The following subject attributes are defined for the purpose of giving examples. Application environments are expected to define their own identifiers as needed. 2820 Attributes used in examples urn:oasis:names:tc:xacml:1.0:example:attribute 2821 2822 urn:oasis:names:tc:xacml:1.0:example:attribute:group 2823 2824 urn:oasis:names:tc:xacml:1.0:example:attribute:role 2825 B.12. Actions used in examples 2826 This identifier is used as the base for actions used in examples. 2827 urn:oasis:names:tc:xacml:1.0:example:action 2828 2829 urn:oasis:names:tc:xacml:1.0:example:action:xml-ac draft-xacml-specification-16a.doc 80 2830 Appendix C. Combining algorithms (normative) 2831 2832 This section contains a description of the rule-combining and policy-combining algorithms specified by XACML. 2833 C.1. Deny-overrides 2834 The following specification defines the "Deny Overrides" rule-combining algorithm of a policy. 2835 2836 2837 2838 2839 2840 In the entire set of rules to be evaluated, if any rule evaluates to "Deny", then the result of the rule combination shall be "Deny". If any rule evaluates to "Permit" and all other rules evaluate to "NotApplicable", then the result of the combination shall be "Permit". In other words, "Deny" takes precedence, regardless of the result of evaluating any of the other rules in the combination. If all rules are found to be "NotApplicable" to the decision request, then the rule combination returns "NotApplicable". 2841 2842 2843 If there is any error evaluating the target or condition of a rule that contains an effect of "Deny" then the evaluation continues looking for a result of "Deny". If no other rule evaluates to a "Deny", then the result of the combination is "Indeterminate". 2844 2845 2846 If at least one rule evaluates to "Permit", all other rules that do not have evaluation errors evaluate to "Permit" or "NotApplicable", and all rules that do have evaluation errors contain effects of "Permit", then the result of the combination shall be "Permit". 2847 2848 2849 2850 2851 2852 2853 2854 2855 2856 2857 2858 2859 2860 2861 2862 2863 2864 2865 2866 2867 2868 2869 2870 2871 2872 2873 2874 2875 2876 The following pseudo-code represents the evaluation strategy of this rule-combining algorithm. Decision denyOverridesRuleCombiningAlgorithm(Rule rule[]) { Boolean atLeastOneError = false; Boolean potentialDeny = false; Boolean atLeastOnePermit = false; for( i=0 ; i < lengthOf(rules) ; i++ ) { Decision decision = evaluate(rule[i]); if (decision == Deny) { return Deny; } if (decision == Permit) { atLeastOnePermit = true; continue; } if (decision == NotApplicable) { continue; } if (decision == Indeterminate) { atLeastOneError = true; if (effect(rule[i]) == Deny) { potentialDeny = true; } draft-xacml-specification-16.doc 81 2877 2878 2879 2880 2881 2882 2883 2884 2885 2886 2887 2888 2889 2890 2891 2892 2893 2894 2895 continue; } } if (potentialDeny) { return Indeterminate; } if (atLeastOnePermit) { return Permit; } if (atLeastOneError) { return Indeterminate; } return NotApplicable; } The following specification defines the "Deny Overrides" policy-combining algorithm of a policy set. 2896 2897 2898 2899 2900 In the entire set of policies to be evaluated, if any policy evaluates to "Deny", then the result of the policy combination shall be "Deny". In other words, "Deny" takes precedence, regardless of the result of evaluating any of the other policies in the combination. If all policies are found to be "NotApplicable" to the decision request, the policy combination returns "NotApplicable". 2901 2902 2903 If there is any error evaluating the target of a policy, or a reference to a policy is considered invalid, or the policy evaluation results in "Indeterminate", then the result of the combination shall be "Deny". 2904 The following pseudo-code represents the evaluation strategy of this policy-combining algorithm. 2905 2906 2907 2908 2909 2910 2911 2912 2913 2914 2915 2916 2917 2918 2919 2920 2921 2922 2923 2924 2925 2926 2927 2928 2929 2930 2931 2932 2933 Decision denyOverridesPolicyCombiningAlgorithm(Policy policy[]) { Boolean atLeastOnePermit = false; for( i=0 ; i < lengthOf(policy) ; i++ ) { Decision decision = evaluate(policy[i]); if (decision == Deny) { return Deny; } if (decision == Permit) { atLeastOnePermit = true; continue; } if (decision == NotApplicable) { continue; } if (decision == Indeterminate) { return Deny; } } if (atLeastOnePermit) { return Permit; } return NotApplicable; draft-xacml-specification-16a.doc 82 2934 } 2935 Obligations of the individual policies shall be combined as described in Section 4.3.2.3. 2936 C.2. Permit-overrides 2937 The following specification defines the "Permit Overrides" rule-combining algorithm of a policy. 2938 2939 2940 2941 2942 2943 In the entire set of rules to be evaluated, if any rule evaluates to "Permit", then the result of the rule combination shall be "Permit". If any rule evaluates to "Deny" and all other rules evaluate to "NotApplicable", then the result of the combination shall be "Deny". In other words, "Permit" takes precedence, regardless of the result of evaluating any of the other rules in the combination. If all rules are found to be "NotApplicable" to the decision request, then the rule combination returns "NotApplicable". 2944 2945 2946 If there is any error evaluating the target or condition of a rule that contains an effect of "Permit" then the evaluation continues looking for a result of "Permit". If no other rule evaluates to a "Permit", then the result of the combination is "Indeterminate". 2947 2948 2949 If at least one rule evaluates to "Deny", all other rules that do not have evaluation errors evaluate to "Deny" or "NotApplicable", and all rules that do have evaluation errors contain effects of "Deny", then the result of the combination shall be "Deny". 2950 2951 2952 2953 2954 2955 2956 2957 2958 2959 2960 2961 2962 2963 2964 2965 2966 2967 2968 2969 2970 2971 2972 2973 2974 2975 2976 2977 2978 2979 2980 2981 2982 2983 2984 The following pseudo-code represents the evaluation strategy of this rule-combining algorithm. Decision permitOverridesRuleCombiningAlgorithm(Rule rule[]) { Boolean atLeastOneError = false; Boolean potentialPermit = false; Boolean atLeastOneDeny = false; for( i=0 ; i < lengthOf(rule) ; i++ ) { Decision decision = evaluate(rule[i]); if (decision == Deny) { atLeastOneDeny = true; continue; } if (decision == Permit) { return Permit; } if (decision == NotApplicable) { continue; } if (decision == Indeterminate) { atLeastOneError = true; if (effect(rule[i]) == Permit) { potentialPermit = true; } continue; } } if (potentialPermit) { draft-xacml-specification-16a.doc 83 2985 2986 2987 2988 2989 2990 2991 2992 2993 2994 2995 2996 2997 2998 return Indeterminate; } if (atLeastOneDeny) { return Deny; } if (atLeastOneError) { return Indeterminate; } return NotApplicable; } The following specification defines the "Permit Overrides" policy-combining algorithm of a policy set. 2999 3000 3001 3002 3003 In the entire set of policies to be evaluated, if any policy evaluates to "Permit", then the result of the policy combination shall be "Permit". In other words, "Permit" takes precedence, regardless of the result of evaluating any of the other policies in the combination. If all policies are found to be "NotApplicable" to the decision request, the policy combination returns "NotApplicable". 3004 3005 3006 3007 If there is any error evaluating the target of a policy, a reference to a policy is considered invalid, or the policy evaluation results in "Indeterminate", then the result of the combination shall be "Indeterminate" only if no other policies evaluate to "Permit" or "Deny". 3008 3009 3010 3011 3012 3013 3014 3015 3016 3017 3018 3019 3020 3021 3022 3023 3024 3025 3026 3027 3028 3029 3030 3031 3032 3033 3034 3035 3036 3037 3038 3039 3040 3041 The following pseudo-code represents the evaluation strategy of this policy-combining algorithm. Decision permitOverridesPolicyCombiningAlgorithm(Policy policy[]) { Boolean atLeastOneError = false; Boolean atLeastOneDeny = false; for( i=0 ; i < lengthOf(policy) ; i++ ) { Decision decision = evaluate(policy[i]); if (decision == Deny) { atLeastOneDeny = true; continue; } if (decision == Permit) { return Permit; } if (decision == NotApplicable) { continue; } if (decision == Indeterminate) { atLeastOneError = true; continue; } } if (atLeastOneDeny) { return Deny; } if (atLeastOneError) { return Indeterminate; draft-xacml-specification-16a.doc 84 3042 3043 3044 } return NotApplicable; } 3045 Obligations of the individual policies shall be combined as described in Section 4.3.2.3. 3046 C.3. First-applicable 3047 The following specification defines the "First-Applicable " rule-combining algorithm of a policy. 3048 3049 3050 3051 3052 3053 3054 Each rule is evaluated in the order it is listed in the policy. Of a particular rule, if the target matches and the condition evaluates to "True", the evaluation of the combination shall halt and the corresponding effect of the rule shall be the result of the evaluation of the combination (i.e. "Permit" or "Deny"). Of a particular rule selected in the evaluation, if the target does not matchor the condition evaluates to "False", then the next rule in the order is evaluated. If no further rule in the order exists, then "NotApplicable" shall be the result of the evaluation of the combination. 3055 3056 If there is any error evaluating the target or condition of a rule then the evaluation shall halt, and the result shall be "Indeterminate" with the appropriate error status. 3057 The following pseudo-code represents the evaluation strategy of this rule-combining algorithm. 3058 3059 3060 3061 3062 3063 3064 3065 3066 3067 3068 3069 3070 3071 3072 3073 3074 3075 3076 3077 3078 3079 3080 3081 3082 3083 3084 3085 3086 3087 3088 3089 3090 Decision firstApplicableEffectRuleCombiningAlgorithm(Rule rule[]) { for( i = 0 ; i < lengthOf(rule) ; i++ ) { Decision decision = evaluate(rule[i]); if (decision == Deny) { return Deny; } if (decision == Permit) { return Permit; } if (decision == NotApplicable) { continue; } if (decision == Indeterminate) { return Indeterminate; } } return NotApplicable; } The following specification defines the "First-Appplicable" policy-combining algorithm of a policy set. Each policy is evaluated in the order that it appears in the policy set. Of a particular policy, if the target matches and the policy evaluates to a determinate decision of "Permit" or "Deny", the evaluation shall halt and that effect shall be the result of the evaluation of the combination. Of a particular policy, if the target does not matchor the policy evaluates to "NotApplicable", then the next policy in the order is evaluated. If no further policy exists in the order, then "NotApplicable" shall be the result of the evaluation of the combination. draft-xacml-specification-16a.doc 85 3091 3092 3093 If there is any error evaluating the target or the policy, or a reference to a policy is considered invalid, then the evaluation shall continue looking for an applicable policy, if no applicable policy is found, then the result of the combination is "Indeterminate". 3094 3095 The following pseudo-code represents the evaluation strategy of this policy-combination algorithm. 3096 3097 3098 3099 3100 3101 3102 3103 3104 3105 3106 3107 3108 3109 3110 3111 3112 3113 3114 3115 3116 3117 3118 3119 3120 3121 3122 3123 3124 3125 3126 Decision firstApplicableEffectPolicyCombiningAlgorithm(Policy policy[]) { Boolean atLeastOneError = false; for( i = 0 ; i < lengthOf(policy) ; i++ ) { Decision decision = evaluate(policy[i]); if(decision == Deny) { return Deny; } if(decision == Permit) { return Permit; } if (decision == NotApplicable) { continue; } if (decision == Indeterminate) { atLeastOneError = true; continue; } } if (atLeastOneError) { return Indeterminate; } return NotApplicable; } 3127 Obligations of the individual policies shall be combined as described in Section 4.3.2.3 draft-xacml-specification-16a.doc 86 3128 Appendix D. Acknowledgments 3129 3130 The following individuals were voting members of the XACML committee at the time that this version of the specification was issued: 3131 3132 3133 3134 3135 3136 3137 3138 3139 3140 3141 3142 3143 3144 3145 3146 3147 3148 Affinitex James MacLean JMaclean@affinitex.com Crosslogix Ken Yagen kyagen@crosslogix.com Crosslogix Daniel Engovatov dengovatov@crosslogix.com Entegrity Hal Lockhart hal.lockhart@entegrity.com Entrust Carlisle Adams carlisle.adams@entrust.com Entrust Tim Moses tim.moses@entrust.com Hitachi Don Flinn Don.Flinn@hitachisoftware.com Hitachi Konstantin Beznosov konstantin.beznosov@quadrasis.com Overxeer Bill Parducci bill.parducci@overxeer.com Overxeer Simon Godik simon.godik@overxeer.com IBM Michiharu Kudoh kudo@jp.ibm.com Self Polar Humenn polar@syr.edu Sterling Commerce Suresh Damodaran Suresh_Damodaran@stercomm.com University of Milan Pierangela Samarati samarati@pinky.crema.unimi.it University of Milan Ernesto Damiani edamiani@crema.unimi.it Sun Microsystems Sekhar Vajjhala sekhar.vajjhala@sun.com Sun Microsystems Anne Anderson Anne.Anderson@Sun.com Xtradyne Gerald Brose Gerald.Brose@xtradyne.com draft-xacml-specification-16a.doc 87 3149 Appendix E. Revision history Rev Date By whom What V14 14 June 2002 Tim Moses Added the XACML context schema. Added the Security and Privacy section. V15 18 July 2002 Tim Moses Changed the representation of <Function> V16 16 Aug 2002 Tim Moses Updated policy schema, identifiers, combining algorithms. Deleted LDAP profile. V16a 10 Sep 2002 Tim Moses Updated Figure 3, updated "Security and privacy" section and created "Functional requirements" section. 3150 draft-xacml-specification-16a.doc 88 3151 Appendix F. Notices 3152 3153 3154 3155 3156 3157 3158 3159 3160 OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification, can be obtained from the OASIS Executive Director. 3161 3162 OASIS has been notified of intellectual property rights claimed in regard to some or all of the contents of this specification. For more information consult the online list of claimed rights. 3163 3164 3165 OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director. 3166 Copyright (C) OASIS Open 2002. All Rights Reserved. 3167 3168 3169 3170 3171 3172 3173 3174 This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate it into languages other than English. 3175 3176 The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns. 3177 3178 3179 3180 3181 This document and the information contained herein is provided on an “AS IS” basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. draft-xacml-specification-16a.doc 89

9. XACML extensibility points (non-normative)

Related documents

Products

Support

9. XACML extensibility points (non-normative)

Related documents

Add this document to collection(s)

Add this document to saved

Suggest us how to improve StudyLib