Versions Compared

Old Version 4

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

Here is an example of an XACML policy which addresses the following requirement: a given resource can be accessed only by a user belonging to a particular role, and all requests to access any other resource should fail.

Code Block
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"  PolicyId="urn:sample:xacml:2.0:samplepolicy"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">  <Description>Sample XACML Authorization Policy</Description>
 <Target>   <Subjects>
   <AnySubject />
  </Subjects>
  <Actions>
   <AnyAction />
  </Actions>
  <Resources>
   <AnyResource />
  </Resources>
 </Target>
 <Target></Target>
   <Rule Effect="Permit" RuleId="primary-group-rule">
      <Target>
    <Subjects>     <AnySubject<Resources>
/>    </Subjects>    <Resources>    <Resource>
       <ResourceMatch        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
      </AttributeValue>      <ResourceAttributeDesignator      <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"       DataType="http://www.w3.org/2001/XMLSchema#string" />></ResourceAttributeDesignator>
               </ResourceMatch>
            </Resource>
         </Resources>
         <Actions>
            <Action>
               <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
      <ActionAttributeDesignator            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
       DataType="http://www.w3.org/2001/XMLSchema#string" />></ActionAttributeDesignator>
               </ActionMatch>
            </Action>
         </Actions>
      </Target>
      <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
            </Apply>
            <SubjectAttributeDesignator AttributeId="group"
     DataType="http://www.w3.org/2001/XMLSchema#string" />></SubjectAttributeDesignator>
         </Apply>
      </Condition>
   </Rule>
   <Rule Effect="Deny" RuleId="deny-rule" ></>Rule>
</Policy>

The following are a few valid requests which will result in "Permit/Not Applicable/Deny" once evaluated against the above policy.

...