
Saturday, January 5, 2008

XACML PolicySet (Root Policy Set for all Queries)

Authorization Decision

The following scenarios serve as examples of how the Authorization Use Case operates.
The Authorization Decision scenarios are governed by XACML policies that apply the following rules:
Rule 1: a customer, identified by their customer-id, can only view an account for which they are the owner and for an account that has an active status.
Rule 2: a customer can only make a purchase up to the value of the credit line and the trade limit in their account; if the credit line is exceeded, the customer must request a credit extension approval from the account manager, and if the trade limit is exceeded, the customer must request a trade approval from the account manager.
Rule 3: a customer can only sell quantities of stocks that exist in their account and that have no restrictions on sales.
Rule 4: an account manager can only approve a trade on a customer account if the account manager is the designated manager of that account.
Rule 5: an account manager can only approve trades on the account that the customer has requested, in particular, only the quantities and particular stocks that the customer has designated.
Rule 6: an account manager can make a trade on behalf of a customer only if there is a valid customer-supplied authorization code (such as from a real time smart card password generator that the customer has access to when phoning in the order).




<?xml version="1.0" encoding="UTF-8"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
PolicySetId="urn:xacml:2.0:interop:example:root-policy-set"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
<Description>
Root PolicySet to begin all queries.
</Description>
<Target/>
<PolicySet
PolicySetId="urn:xacml:2.0:interop:example:policysetid:root01"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
<Description>
Policy for evaluating CustomerAccount/ViewAccount requests
</Description>
<Target>
<!-- This rule permits access to CustomerAccount resources -->
<Resources>
<!-- CustomerAccount -->
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>CustomerAccount</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
<!-- Account must have Active status -->
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Active</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:account-status"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
<!-- This rule only applies to the ViewAccount action -->
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>ViewAccount</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<Policy
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicyId="urn:xacml:2.0:interop:example:policyid:01"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Description>
XACML 2.0 Interop Example Policy 01: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
</Description>
<Target/>
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:01">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:owner-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</VariableDefinition>
<Rule RuleId="urn:xacml:2.0:interop:example:ruleid:01"
Effect="Permit">
<Description>
XACML 2.0 Interop Example Rule 01: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
</Description>
<Target>
<!-- This rule permits access to CustomerAccount resources -->
<Resources>
<!-- CustomerAccount is application being accessed -->
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>CustomerAccount</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
<!-- Account must have Active status -->
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Active</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:account-status"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
<!-- This rule only applies to the ViewAccount action -->
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>ViewAccount</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<Condition>
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:01"/>
</Condition>
</Rule>
<Rule RuleId="urn:xacml:2.0:interop:example:ruleid:deny01" Effect="Deny">
<Description>
This Policy is permit-overrides, therefore if a rule above evaluated to
Permit this Rule will be skipped. However, if no Permit was obtained, this
Rule evaluates to true and so produces a Deny. Therefore evaluation of this
Policy results in either a Permit or Deny which is the intended effect.
</Description>
<Target/>
</Rule>
<Obligations>
<!-- These obligations tell PEP to provide specific data items to the response -->
<!-- This obligation says provide the xacml:Decision data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:decision"
FulfillOn="Permit"/>
<!-- This obligation says provide the xacml:StatusCode data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-code"
FulfillOn="Permit"/>
<!-- This obligation says provide the xacml:StatusMessage data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-message"
FulfillOn="Permit"/>
<!-- This obligation says provide the xacml:Decision data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:decision"
FulfillOn="Deny"/>
<!-- This obligation says provide the xacml:StatusCode data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-code"
FulfillOn="Deny"/>
<!-- This obligation says provide the xacml:StatusMessage data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-message"
FulfillOn="Deny"/>
</Obligations>
</Policy>
</PolicySet>
<PolicySet
PolicySetId="urn:xacml:2.0:interop:example:policysetid:root02"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
<Description>
Policy for evaluating CustomerAccount/Buy requests
</Description>
<Target>
<!-- Target of PolicySet root02: narrows this PolicySet to CustomerAccount resources. -->
<!-- A request that does not match this Target makes the PolicySet NotApplicable, -->
<!-- not Deny; the Deny for out-of-limit trades comes from the Policies inside. -->
<Resources>
<!-- Both ResourceMatch elements inside one Resource must hold (they are ANDed). -->
<!-- CustomerAccount -->
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>CustomerAccount</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
<!-- Account must have Active status (exact, case-sensitive string match) -->
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Active</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:account-status"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
<!-- This PolicySet only applies to the Buy action (the matched value below is "Buy", -->
<!-- not ViewAccount; ViewAccount is handled by PolicySet root01). -->
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Buy</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicySetId="urn:xacml:2.0:interop:example:policysetid:01"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
<Description>
Policyset to evaluate trade-limit and credit-ext restrictions
</Description>
<Target/>
<Policy
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicyId="urn:xacml:2.0:interop:example:policyid:02"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Description>
XACML 2.0 Interop Example Policy 02: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
Only allow trades that have value within credit-line and trade-limit restrictions.
</Description>
<Target/>
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:01.2">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:owner-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</VariableDefinition>
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:02">
<!-- Function to evaluate: -->
<!-- ((buy-num-shares x buy-offer-price) lt -->
<!-- (credit-line - current-credit) ) and -->
<!-- ((buy-num-shares x buy-offer-price) lt trade-limit) -->
<!-- If both the above expressions true, then Request within limits -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId=
"urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-multiply">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-num-shares"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-offer-price"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-subtract">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:credit-line"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:current-credit"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
</Apply>
<Apply FunctionId=
"urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-multiply">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-num-shares"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-offer-price"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:trade-limit"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
</Apply>
</VariableDefinition>
<Rule RuleId="urn:xacml:2.0:interop:example:ruleid:02"
Effect="Permit">
<Description>
XACML 2.0 Interop Example Rule 02: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
</Description>
<Target>
<!-- Target of Rule 02 (Effect=Permit): applies to CustomerAccount resources. -->
<!-- The ownership and credit/trade-limit checks are in the Condition, not here. -->
<Resources>
<!-- Both ResourceMatch elements inside one Resource must hold (they are ANDed). -->
<!-- CustomerAccount -->
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>CustomerAccount</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
<!-- Account must have Active status (exact, case-sensitive string match) -->
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Active</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:account-status"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
<!-- This rule only applies to the Buy action (the matched value below is "Buy"; -->
<!-- the earlier comment naming ViewAccount was a copy-and-paste leftover). -->
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Buy</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:01.2"/>
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:02"/>
</Apply>
</Condition>
</Rule>
<Rule RuleId="urn:xacml:2.0:interop:example:ruleid:deny02" Effect="Deny">
<Description>
This Policy is permit-overrides, therefore if a rule above evaluated to
Permit this Rule will be skipped. However, if no Permit was obtained, this
Rule evaluates to true and so produces a Deny. Therefore evaluation of this
Policy results in either a Permit or Deny which is the intended effect.
</Description>
<Target/>
</Rule>
<Obligations>
<!-- These obligations tell PEP to provide specific data items to the response -->
<!-- This obligation says provide the xacml:Decision data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:decision"
FulfillOn="Permit"/>
<!-- This obligation says provide the xacml:StatusCode data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-code"
FulfillOn="Permit"/>
<!-- This obligation says provide the xacml:StatusMessage data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-message"
FulfillOn="Permit"/>
<!-- This obligation says provide the xacml:Decision data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:decision"
FulfillOn="Deny"/>
<!-- This obligation says provide the xacml:StatusCode data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-code"
FulfillOn="Deny"/>
<!-- This obligation says provide the xacml:StatusMessage data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-message"
FulfillOn="Deny"/>
</Obligations>
</Policy>
<PolicySet
PolicySetId="urn:xacml:2.0:interop:example:policysetid:06"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Description>
Policy for picking up trade-limit or credit-ext obligations
</Description>
<Target/>
<Policy
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicyId="urn:xacml:2.0:interop:example:policyid:03"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Description>
XACML 2.0 Interop Example Policy 03: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
Only allow trades that have value exceeding trade-limit
and req-trade-approval = true.
</Description>
<Target/>
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:01.3">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:owner-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</VariableDefinition>
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:03">
<!-- Evaluates: (buy-num-shares x buy-offer-price) gt trade-limit -->
<!-- AND req-trade-approval = "true" -->
<!-- The former "TBD" marker is stale: the expression below implements this. -->
<!-- Every *-one-and-only call yields Indeterminate when its attribute is absent -->
<!-- or multi-valued. Under the enclosing Policy's permit-overrides algorithm an -->
<!-- Indeterminate from a Permit rule surfaces as Indeterminate rather than Deny, -->
<!-- so the PEP must treat Indeterminate as a refusal. -->
<!-- NOTE(review): req-trade-approval is compared as the string "true", not as an -->
<!-- xs:boolean; any other spelling ("True", "1") silently fails to match. The -->
<!-- same pattern is used in variableid:04 and variableid:05. A boolean DataType -->
<!-- with boolean-one-and-only would be less fragile; confirm the PIP's value -->
<!-- format before changing it. -->
<!-- NOTE(review): the product below multiplies two request-supplied integers; -->
<!-- xs:integer is unbounded per the spec, but confirm the PDP does not map it -->
<!-- to a fixed-width type where the product could overflow. -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-multiply">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-num-shares"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-offer-price"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:trade-limit"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
<!-- Approval flag: must be exactly the string "true" -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>true</AttributeValue>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:req-trade-approval"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</Apply>
</VariableDefinition>
<Rule RuleId="urn:xacml:2.0:interop:example:ruleid:03"
Effect="Permit">
<Description>
XACML 2.0 Interop Example Rule 03: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
</Description>
<Target>
<!-- Target of Rule 03 (Effect=Permit): applies to CustomerAccount resources. -->
<!-- The ownership and trade-approval checks are in the Condition, not here. -->
<Resources>
<!-- Both ResourceMatch elements inside one Resource must hold (they are ANDed). -->
<!-- CustomerAccount -->
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>CustomerAccount</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
<!-- Account must have Active status (exact, case-sensitive string match) -->
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Active</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:account-status"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
<!-- This rule only applies to the Buy action (the matched value below is "Buy"; -->
<!-- the earlier comment naming ViewAccount was a copy-and-paste leftover). -->
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Buy</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:01.3"/>
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:03"/>
</Apply>
</Condition>
</Rule>
<Obligations>
<!-- These obligations tell PEP to provide specific data items to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:trade-approval"
FulfillOn="Permit"/>
</Obligations>
</Policy>
<Policy
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicyId="urn:xacml:2.0:interop:example:policyid:04"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Description>
XACML 2.0 Interop Example Policy 04: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
Only allow trades that have value exceeding credit-limit
and req-credit-ext-approval = true.
</Description>
<Target/>
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:01.4">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:owner-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</VariableDefinition>
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:04">
<!-- TBD: Function to evaluate: -->
<!-- ( buy-num-shares x buy-offer-price ) gt -->
<!-- ( credit-line - current-credit ) ) -->
<!-- AND req-credit-ext-approval = true -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-multiply">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-num-shares"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-offer-price"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-subtract">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:credit-line"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:current-credit"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>true</AttributeValue>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator AttributeId=
"urn:xacml:2.0:interop:example:subject:req-credit-ext-approval"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</Apply>
</VariableDefinition>
<Rule RuleId="urn:xacml:2.0:interop:example:ruleid:04"
Effect="Permit">
<Description>
XACML 2.0 Interop Example Rule 04: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
</Description>
<Target>
<!-- This rule permits access to CustomerAccount resources -->
<Resources>
<!-- CustomerAccount -->
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>CustomerAccount</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
<!-- Account must have Active status -->
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Active</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:account-status"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
<!-- This rule only applies to the Buy action -->
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Buy</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:01.4"/>
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:04"/>
</Apply>
</Condition>
</Rule>
<Obligations>
<!-- These obligations tell PEP to provide specific data items to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:credit-ext-approval"
FulfillOn="Permit"/>
</Obligations>
</Policy>
<Policy
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicyId="urn:xacml:2.0:interop:example:policyid:05"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
<Description>
XACML 2.0 Interop Example Policy 05: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
Disallow trades that have value exceeding a limit without the associated
Request for approval = true.
</Description>
<Target/>
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:01.5">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:owner-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</VariableDefinition>
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:05">
<!-- TBD: Function to evaluate: -->
<!-- ( ( ( buy-num-shares x buy-offer-price ) gt -->
<!-- ( credit-line - current-credit ) ) AND -->
<!-- ( req-credit-ext-approval == false ) ) -->
<!-- OR ( buy-num-shares x buy-offer-price gt trade-limit, -->
<!-- AND req-trade-approval == false ) -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-multiply">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-num-shares"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-offer-price"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-subtract">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:credit-line"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:current-credit"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>false</AttributeValue>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator AttributeId=
"urn:xacml:2.0:interop:example:subject:req-credit-ext-approval"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-multiply">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-num-shares"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-offer-price"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:trade-limit"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>false</AttributeValue>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:req-trade-approval"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</Apply>
</Apply>
</VariableDefinition>
<Rule RuleId="urn:xacml:2.0:interop:example:ruleid:05"
Effect="Deny">
<Description>
XACML 2.0 Interop Example Rule 05: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
</Description>
<Target>
<!-- Target of Rule 05 (Effect=Deny): this rule DENIES, it does not permit. -->
<!-- It applies to CustomerAccount resources; the over-limit-without-approval -->
<!-- test that triggers the Deny is in the Condition. -->
<Resources>
<!-- Both ResourceMatch elements inside one Resource must hold (they are ANDed). -->
<!-- CustomerAccount -->
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>CustomerAccount</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
<!-- Account must have Active status (exact, case-sensitive string match) -->
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Active</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:account-status"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
<!-- This rule only applies to the Buy action (the matched value below is "Buy"; -->
<!-- the earlier comment naming ViewAccount was a copy-and-paste leftover). -->
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Buy</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:01.5"/>
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:05"/>
</Apply>
</Condition>
</Rule>
<Obligations>
<!-- These obligations tell PEP to provide specific data items to the response -->
<!-- This obligation says provide the xacml:Decision data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:decision"
FulfillOn="Deny"/>
<!-- This obligation says provide the xacml:StatusCode data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-code"
FulfillOn="Deny"/>
<!-- This obligation says provide the xacml:StatusMessage data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-message"
FulfillOn="Deny"/>
</Obligations>
</Policy>
<Obligations>
<!-- These obligations tell PEP to provide specific data items to the response -->
<!-- This obligation says provide the xacml:Decision data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:decision"
FulfillOn="Permit"/>
<!-- This obligation says provide the xacml:StatusCode data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-code"
FulfillOn="Permit"/>
<!-- This obligation says provide the xacml:StatusMessage data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-message"
FulfillOn="Permit"/>
</Obligations>
</PolicySet>
</PolicySet>
</PolicySet>
</PolicySet>
