source: TI12-security/trunk/ndg_xacml/ndg/xacml/test/rule3.xml @ 7064

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/ndg_xacml/ndg/xacml/test/rule3.xml@7666
Revision 7064, 5.3 KB checked in by pjkersha, 10 years ago (diff)

Incomplete - task 2: XACML-Security Integration

  • added "and" function and placeholders for xpath-node-* functions
  • Property svn:keywords set to Id
<?xml version="1.0" encoding="UTF-8"?>
<!--
    ndg_xacml test fixture: an XACML 2.0 Policy carrying the "Rule 3" example
    (a physician may write the medical section of a record for which he or she
    is the primary care physician, with an e-mail obligation attached to Permit).
    Rule combining algorithm: deny-overrides.

    NOTE(review): the md prefix is bound below to
    "http:www.med.example.com/schemas/record.xsd" (no "//" after the scheme),
    which is not the namespace quoted in the Description element. Every md: step
    in the XPath expressions of this file resolves through that binding, so the
    ResourceContent in the request must use the same URI or the selectors and the
    xpath-node-match select nothing. Looks like a copy typo; confirm against the
    request fixtures before changing either side.

    NOTE(review): xsi:schemaLocation is a validation hint only; the loader should
    neither fetch it nor resolve external entities when parsing policy files.

    NOTE(review): string values (the AttributeValue texts and the literal
    AttributeAssignment) are written on their own indented lines, so the
    surrounding whitespace is part of the element content unless the evaluator
    strips it; presumably ndg_xacml normalises this, verify.
-->
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd" xmlns:md="http:www.med.example.com/schemas/record.xsd" PolicyId="urn:oasis:names:tc:xacml:2.0:example:policyid:3" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
    <Description>
        Policy for any medical record in the
        http://www.med.example.com/schemas/record.xsd namespace
    </Description>
    <PolicyDefaults>
        <XPathVersion>http://www.w3.org/TR/1999/Rec-xpath-19991116</XPathVersion>
    </PolicyDefaults>
    <!-- Policy target: applies only to requests whose resource target-namespace
         attribute equals "urn:med:example:schemas:record". -->
    <Target>
        <Resources>
            <Resource>
                <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
                        urn:med:example:schemas:record
                    </AttributeValue>
                    <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:target-namespace" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                </ResourceMatch>
            </Resource>
        </Resources>
    </Target>
    <!-- Rule 3 (Permit). Target: subject role "physician", action "write", resource
         XPath matched with xpath-node-match against /md:record/md:medical.
         Condition: the subject's physician-id must equal the single
         primaryCarePhysician/registrationID selected from the request's
         ResourceContent. string-one-and-only yields Indeterminate rather than
         Permit when the selected bag does not hold exactly one value. -->
    <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:3" Effect="Permit">
        <Description>
            A physician may write any medical element in a record
            for which he or she is the designated primary care
            physician, provided an email is sent to the patient
        </Description>
        <Target>
            <Subjects>
                <Subject>
                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
                            physician
                        </AttributeValue>
                        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:role" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </SubjectMatch>
                </Subject>
            </Subjects>
            <Resources>
                <Resource>
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-node-match">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
                            /md:record/md:medical
                        </AttributeValue>
                        <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:xpath" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </ResourceMatch>
                </Resource>
            </Resources>
            <Actions>
                <Action>
                    <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
                            write
                        </AttributeValue>
                        <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </ActionMatch>
                </Action>
            </Actions>
        </Target>
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                    <!-- NOTE(review): this AttributeId contains a space after "example:";
                         only a request attribute carrying that exact id is matched.
                         Probably a copy typo for "...:example:attribute:physician-id";
                         confirm against the request fixtures before fixing. -->
                    <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:example: attribute:physician-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                </Apply>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                    <!-- Evaluated against the request context document; relies on the
                         xacml-context and md prefixes declared on the Policy element. -->
                    <AttributeSelector RequestContextPath="//xacml-context:Resource/xacml-context:ResourceContent/md:record/md:primaryCarePhysician/md:registrationID/text()" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                </Apply>
            </Apply>
        </Condition>
    </Rule>
    <!-- Obligation returned with a Permit decision: notify the patient by e-mail.
         The mailto value is selected from the record carried in the request
         (ResourceContent), i.e. from caller supplied data, so the PEP that sends
         the mail should validate it like any other untrusted address.
         Two assignments share the AttributeId "...:example:attribute:text": a fixed
         message and the requesting subject-id. -->
    <Obligations>
        <Obligation ObligationId="urn:oasis:names:tc:xacml:example:obligation:email" FulfillOn="Permit">
            <AttributeAssignment AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:mailto" DataType="http://www.w3.org/2001/XMLSchema#string">
                <!-- NOTE(review): "//md:/record" is not a valid XPath step (a prefix
                     followed directly by "/"); compare the Condition's selector, which
                     uses md:record. Likely intended:
                     "//md:record/md:patient/md:patientContact/md:email".
                     Confirm whether the test loading this file expects the path to
                     evaluate before changing it. -->
                <AttributeSelector RequestContextPath="//md:/record/md:patient/md:patientContact/md:email" DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </AttributeAssignment>
            <AttributeAssignment AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text" DataType="http://www.w3.org/2001/XMLSchema#string">
                Your medical record has been accessed by:
            </AttributeAssignment>
            <AttributeAssignment AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text" DataType="http://www.w3.org/2001/XMLSchema#string">
                <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </AttributeAssignment>
        </Obligation>
    </Obligations>
</Policy>