The following scenarios are given as examples of the operation of the Authorization Use Case.
The Authorization Decision scenarios are governed by XACML policies that apply the following rules:
• Rule 1: a customer, identified by their customer-id, can only view an account that they own and that has an active status.
• Rule 2: a customer can only make a purchase up to the value of the credit line and the trade limit in their account. If the credit line is exceeded, the customer must request a credit extension approval from the account manager; if the trade limit is exceeded, the customer must request a trade approval from the account manager.
• Rule 3: a customer can only make a sale of quantities of stocks that exist in their account that have no restrictions on sales.
• Rule 4: an account manager can only approve a trade on a customer account if the account manager is the designated manager of that account.
• Rule 5: an account manager can only approve trades on the account that the customer has requested, in particular, only the quantities and particular stocks that the customer has designated.
• Rule 6: an account manager can make a trade on behalf of a customer only if there is a valid customer-supplied authorization code (such as from a real time smart card password generator that the customer has access to when phoning in the order).
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
PolicySetId="urn:xacml:2.0:interop:example:root-policy-set"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
<Description>
Root PolicySet to begin all queries.
</Description>
<Target/>
<PolicySet
PolicySetId="urn:xacml:2.0:interop:example:policysetid:root01"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
<Description>
Policy for evaluating CustomerAccount/ViewAccount requests
</Description>
<Target>
<!-- PolicySet root01 target. The two ResourceMatch elements inside the single
     Resource are ANDed with each other and with the ActionMatch, so a request
     reaches Policy 01 only for an Active CustomerAccount and the ViewAccount action. -->
<!-- Resource constraints for CustomerAccount -->
<Resources>
<!-- resource-id must equal the literal string CustomerAccount -->
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>CustomerAccount</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
<!-- Account must have Active status. Any other value, or an absent attribute
     (MustBePresent is not set), simply fails to match, so closed or suspended
     accounts never reach the rules below. -->
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Active</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:account-status"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
<!-- This PolicySet only applies to the ViewAccount action -->
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>ViewAccount</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<Policy
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicyId="urn:xacml:2.0:interop:example:policyid:01"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Description>
XACML 2.0 Interop Example Policy 01: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
</Description>
<!-- Empty policy target: applicability (CustomerAccount / Active / ViewAccount)
     is decided by the enclosing PolicySet root01 target. -->
<Target/>
<!-- variableid:01 = (subject-id == resource owner-id).
     Each string-one-and-only call turns an absent or multi-valued attribute
     into Indeterminate, so an ambiguous requester identity can never
     evaluate to true. -->
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:01">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:owner-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</VariableDefinition>
<!-- Permit rule implementing prose Rule 1: owner-only view of an Active account -->
<Rule RuleId="urn:xacml:2.0:interop:example:ruleid:01"
Effect="Permit">
<Description>
XACML 2.0 Interop Example Rule 01: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
</Description>
<Target>
<!-- This rule applies to CustomerAccount resources (same matches as the PolicySet target) -->
<Resources>
<!-- CustomerAccount is the application being accessed -->
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>CustomerAccount</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
<!-- Account must have Active status -->
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Active</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:account-status"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
<!-- This rule only applies to the ViewAccount action -->
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>ViewAccount</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<!-- Permit only when the requester's subject-id equals the account owner-id -->
<Condition>
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:01"/>
</Condition>
</Rule>
<!-- Catch-all Deny (empty target, no condition) so a non-owner receives Deny
     rather than NotApplicable. Caveat: under permit-overrides an Indeterminate
     from ruleid:01 (e.g. subject-id absent from the request) is reported as
     Indeterminate, not converted to Deny; the PEP must treat every result other
     than Permit as a denial. -->
<Rule RuleId="urn:xacml:2.0:interop:example:ruleid:deny01" Effect="Deny">
<Description>
This Policy is permit-overrides, therefore if a rule above evaluated to
Permit this Rule will be skipped. However, if no Permit was obtained, this
Rule evaluates to true and so produces a Deny. Therefore evaluation of this
Policy results in either a Permit or Deny which is the intended effect.
</Description>
<Target/>
</Rule>
<!-- Obligations are returned with the decision they are attached to; a PEP
     that does not understand or cannot discharge an obligation on a Permit
     must not grant access (XACML 2.0 obligation semantics). -->
<Obligations>
<!-- These obligations tell PEP to provide specific data items to the response -->
<!-- This obligation says provide the xacml:Decision data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:decision"
FulfillOn="Permit"/>
<!-- This obligation says provide the xacml:StatusCode data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-code"
FulfillOn="Permit"/>
<!-- This obligation says provide the xacml:StatusMessage data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-message"
FulfillOn="Permit"/>
<!-- This obligation says provide the xacml:Decision data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:decision"
FulfillOn="Deny"/>
<!-- This obligation says provide the xacml:StatusCode data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-code"
FulfillOn="Deny"/>
<!-- This obligation says provide the xacml:StatusMessage data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-message"
FulfillOn="Deny"/>
</Obligations>
</Policy>
</PolicySet>
<PolicySet
PolicySetId="urn:xacml:2.0:interop:example:policysetid:root02"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
<Description>
Policy for evaluating CustomerAccount/Buy requests
</Description>
<Target>
<!-- PolicySet root02 target: an Active CustomerAccount and the Buy action.
     Everything below (policysetid:01 and its policies) is evaluated only for
     requests that match here. -->
<!-- Resource constraints for CustomerAccount -->
<Resources>
<!-- resource-id must equal the literal string CustomerAccount -->
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>CustomerAccount</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
<!-- Account must have Active status -->
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Active</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:account-status"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
<!-- This PolicySet only applies to the Buy action (not ViewAccount) -->
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Buy</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicySetId="urn:xacml:2.0:interop:example:policysetid:01"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
<Description>
Policyset to evaluate trade-limit and credit-ext restrictions
</Description>
<Target/>
<Policy
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicyId="urn:xacml:2.0:interop:example:policyid:02"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Description>
XACML 2.0 Interop Example Policy 02: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
Only allow trades that have value within credit-line and trade-limit restrictions.
</Description>
<!-- Empty policy target: applicability (CustomerAccount / Active / Buy) is
     decided by the enclosing PolicySet root02 target. -->
<Target/>
<!-- variableid:01.2 = (subject-id == resource owner-id); absent or
     multi-valued attributes make the one-and-only calls Indeterminate. -->
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:01.2">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:owner-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</VariableDefinition>
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:02">
<!-- variableid:02: the request is within limits when -->
<!-- ((buy-num-shares x buy-offer-price) <= (credit-line - current-credit)) and -->
<!-- ((buy-num-shares x buy-offer-price) <= trade-limit) -->
<!-- Both comparisons are less-than-OR-EQUAL, so a trade exactly at a limit is within limits. -->
<!-- Review note: nothing here requires buy-num-shares or buy-offer-price to be
     positive; a zero or negative value satisfies both comparisons, so the
     request attributes must be validated before the PDP is asked. The product
     is an xs:integer multiply; how a given PDP behaves on very large operands
     is implementation-dependent and should be confirmed. -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId=
"urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-multiply">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-num-shares"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-offer-price"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
<!-- available credit = credit-line - current-credit -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-subtract">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:credit-line"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:current-credit"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
</Apply>
<Apply FunctionId=
"urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-multiply">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-num-shares"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-offer-price"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:trade-limit"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
</Apply>
</VariableDefinition>
<!-- Permit rule: owner of an Active account buying within both limits
     (the Description below only mentions the owner check; the limit check
     is variableid:02 in the Condition). -->
<Rule RuleId="urn:xacml:2.0:interop:example:ruleid:02"
Effect="Permit">
<Description>
XACML 2.0 Interop Example Rule 02: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
</Description>
<Target>
<!-- This rule applies to CustomerAccount resources -->
<Resources>
<!-- CustomerAccount -->
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>CustomerAccount</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
<!-- Account must have Active status -->
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Active</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:account-status"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
<!-- This rule only applies to the Buy action -->
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Buy</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<!-- Permit = requester is the owner AND trade value is within both limits -->
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:01.2"/>
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:02"/>
</Apply>
</Condition>
</Rule>
<!-- Catch-all Deny: any Buy that ruleid:02 does not permit (non-owner or
     over a limit) is denied by this policy. The enclosing policysetid:01 is
     permit-overrides, so this Deny is overridden only when policysetid:06
     returns Permit (an over-limit trade with the matching approval request).
     Caveat: an Indeterminate from ruleid:02 (e.g. a missing integer attribute)
     is reported as Indeterminate under permit-overrides, not as Deny. -->
<Rule RuleId="urn:xacml:2.0:interop:example:ruleid:deny02" Effect="Deny">
<Description>
This Policy is permit-overrides, therefore if a rule above evaluated to
Permit this Rule will be skipped. However, if no Permit was obtained, this
Rule evaluates to true and so produces a Deny. Therefore evaluation of this
Policy results in either a Permit or Deny which is the intended effect.
</Description>
<Target/>
</Rule>
<Obligations>
<!-- These obligations tell PEP to provide specific data items to the response -->
<!-- This obligation says provide the xacml:Decision data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:decision"
FulfillOn="Permit"/>
<!-- This obligation says provide the xacml:StatusCode data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-code"
FulfillOn="Permit"/>
<!-- This obligation says provide the xacml:StatusMessage data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-message"
FulfillOn="Permit"/>
<!-- This obligation says provide the xacml:Decision data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:decision"
FulfillOn="Deny"/>
<!-- This obligation says provide the xacml:StatusCode data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-code"
FulfillOn="Deny"/>
<!-- This obligation says provide the xacml:StatusMessage data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-message"
FulfillOn="Deny"/>
</Obligations>
</Policy>
<PolicySet
PolicySetId="urn:xacml:2.0:interop:example:policysetid:06"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Description>
Policy for picking up trade-limit or credit-ext obligations
</Description>
<Target/>
<Policy
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicyId="urn:xacml:2.0:interop:example:policyid:03"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Description>
XACML 2.0 Interop Example Policy 03: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
Only allow trades that have value exceeding trade-limit
and req-trade-approval = true.
</Description>
<!-- Empty policy target: applicability (CustomerAccount / Active / Buy) is
     decided by the enclosing PolicySet root02 target. -->
<Target/>
<!-- variableid:01.3 = (subject-id == resource owner-id) -->
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:01.3">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:owner-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</VariableDefinition>
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:03">
<!-- variableid:03 = (buy-num-shares x buy-offer-price > trade-limit) -->
<!-- AND req-trade-approval == "true" -->
<!-- req-trade-approval is a subject attribute supplied with the request: it
     records that the customer is asking for a trade approval (prose Rule 2),
     not that an account manager has granted one. A Permit from this policy
     therefore carries the trade-approval obligation declared below; the
     manager-side approval is presumably handled elsewhere (prose Rules 4 and 5). -->
<!-- Only the exact string "true" matches; "TRUE" or "1" do not, which fails closed. -->
<!-- This policy does not look at the credit line. A trade that also exceeds
     the credit line without req-credit-ext-approval is caught by policyid:05,
     whose Deny wins under the deny-overrides combining of policysetid:06. -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-multiply">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-num-shares"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-offer-price"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:trade-limit"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>true</AttributeValue>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:req-trade-approval"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</Apply>
</VariableDefinition>
<!-- Permit rule: owner of an Active account, trade over the trade-limit,
     approval requested (the Description below only mentions the owner check). -->
<Rule RuleId="urn:xacml:2.0:interop:example:ruleid:03"
Effect="Permit">
<Description>
XACML 2.0 Interop Example Rule 03: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
</Description>
<Target>
<!-- This rule applies to CustomerAccount resources -->
<Resources>
<!-- CustomerAccount -->
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>CustomerAccount</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
<!-- Account must have Active status -->
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Active</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:account-status"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
<!-- This rule only applies to the Buy action -->
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Buy</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<!-- Permit = requester is the owner AND (over trade-limit AND approval requested) -->
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:01.3"/>
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:03"/>
</Apply>
</Condition>
</Rule>
<!-- No catch-all Deny here: when ruleid:03 does not fire this policy is
     NotApplicable and the decision comes from its siblings in policysetid:06. -->
<Obligations>
<!-- These obligations tell PEP to provide specific data items to the response -->
<!-- trade-approval: the PEP must route the Permit through the account
     manager's trade approval before executing the trade. -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:trade-approval"
FulfillOn="Permit"/>
</Obligations>
</Policy>
<Policy
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicyId="urn:xacml:2.0:interop:example:policyid:04"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Description>
XACML 2.0 Interop Example Policy 04: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
Only allow trades that have value exceeding credit-limit
and req-credit-ext-approval = true.
</Description>
<!-- "credit-limit" in the Description means the available credit,
     i.e. credit-line minus current-credit, as computed in variableid:04. -->
<!-- Empty policy target: applicability (CustomerAccount / Active / Buy) is
     decided by the enclosing PolicySet root02 target. -->
<Target/>
<!-- variableid:01.4 = (subject-id == resource owner-id) -->
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:01.4">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:owner-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</VariableDefinition>
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:04">
<!-- variableid:04 = ( ( buy-num-shares x buy-offer-price ) > -->
<!-- ( credit-line - current-credit ) ) -->
<!-- AND req-credit-ext-approval == "true" -->
<!-- req-credit-ext-approval is supplied by the requester and only records that
     a credit extension is being requested; the Permit carries the
     credit-ext-approval obligation below so the PEP can route it. Only the
     exact string "true" matches. This policy does not look at trade-limit;
     that combination is handled by policyid:05. -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-multiply">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-num-shares"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-offer-price"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
<!-- available credit = credit-line - current-credit -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-subtract">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:credit-line"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:current-credit"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>true</AttributeValue>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator AttributeId=
"urn:xacml:2.0:interop:example:subject:req-credit-ext-approval"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</Apply>
</VariableDefinition>
<!-- Permit rule: owner of an Active account, trade over the available credit,
     credit extension requested (the Description below only mentions the owner check). -->
<Rule RuleId="urn:xacml:2.0:interop:example:ruleid:04"
Effect="Permit">
<Description>
XACML 2.0 Interop Example Rule 04: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
</Description>
<Target>
<!-- This rule applies to CustomerAccount resources -->
<Resources>
<!-- CustomerAccount -->
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>CustomerAccount</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
<!-- Account must have Active status -->
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Active</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:account-status"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
<!-- This rule only applies to the Buy action -->
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Buy</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<!-- Permit = requester is the owner AND (over available credit AND extension requested) -->
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:01.4"/>
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:04"/>
</Apply>
</Condition>
</Rule>
<!-- No catch-all Deny here: when ruleid:04 does not fire this policy is
     NotApplicable and the decision comes from its siblings in policysetid:06. -->
<Obligations>
<!-- These obligations tell PEP to provide specific data items to the response -->
<!-- credit-ext-approval: the PEP must route the Permit through the account
     manager's credit extension approval before executing the trade. -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:credit-ext-approval"
FulfillOn="Permit"/>
</Obligations>
</Policy>
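<Policy
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicyId="urn:xacml:2.0:interop:example:policyid:05"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
<Description>
XACML 2.0 Interop Example Policy 05: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
Disallow trades that have value exceeding a limit without the associated
Request for approval = true.
</Description>
<!-- Empty policy target: applicability (CustomerAccount / Active / Buy) is
     decided by the enclosing PolicySet root02 target. -->
<Target/>
<!-- variableid:01.5 = (subject-id == resource owner-id) -->
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:01.5">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:owner-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</VariableDefinition>
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:05">
<!-- variableid:05 is true when a limit is exceeded WITHOUT the matching approval request: -->
<!-- ( ( ( buy-num-shares x buy-offer-price ) > -->
<!-- ( credit-line - current-credit ) ) AND -->
<!-- NOT ( req-credit-ext-approval == "true" ) ) -->
<!-- OR ( ( buy-num-shares x buy-offer-price > trade-limit ) -->
<!-- AND NOT ( req-trade-approval == "true" ) ) -->
<!-- The approval flags are tested as NOT "true" rather than == "false", so
     that any value other than the exact string "true" (empty, "no", "False")
     counts as "not requested". Matching the literal "false" would let a
     request that exceeds one limit with an unrecognised flag value slip past
     this Deny while policyid:03 or policyid:04 permits it for the other limit.
     A missing flag makes string-one-and-only Indeterminate, which the
     deny-overrides rule combining of this policy reports as Deny (fail-closed). -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-multiply">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-num-shares"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-offer-price"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
<!-- available credit = credit-line - current-credit -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-subtract">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:credit-line"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:current-credit"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
</Apply>
<!-- credit extension NOT requested -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>true</AttributeValue>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator AttributeId=
"urn:xacml:2.0:interop:example:subject:req-credit-ext-approval"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-multiply">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-num-shares"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-offer-price"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:trade-limit"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
<!-- trade approval NOT requested -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>true</AttributeValue>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:req-trade-approval"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</Apply>
</Apply>
</Apply>
</VariableDefinition>
<!-- Deny rule: fires for the account owner when a limit is exceeded and the
     corresponding approval has not been requested. Because policysetid:06 is
     deny-overrides, this Deny beats a Permit from policyid:03 or policyid:04
     for the other limit. -->
<Rule RuleId="urn:xacml:2.0:interop:example:ruleid:05"
Effect="Deny">
<Description>
XACML 2.0 Interop Example Rule 05: Deny a Buy on an active account by its owner
when the trade value exceeds the available credit or the trade-limit and the
corresponding approval request flag is not "true".
</Description>
<Target>
<!-- This rule applies to CustomerAccount resources -->
<Resources>
<!-- CustomerAccount -->
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>CustomerAccount</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
<!-- Account must have Active status -->
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Active</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:account-status"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
<!-- This rule only applies to the Buy action -->
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Buy</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<!-- Deny = requester is the owner AND a limit is exceeded without its approval request.
     Non-owners fall through to NotApplicable here and are denied by policyid:02. -->
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:01.5"/>
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:05"/>
</Apply>
</Condition>
</Rule>
<Obligations>
<!-- These obligations tell PEP to provide specific data items to the response -->
<!-- This obligation says provide the xacml:Decision data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:decision"
FulfillOn="Deny"/>
<!-- This obligation says provide the xacml:StatusCode data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-code"
FulfillOn="Deny"/>
<!-- This obligation says provide the xacml:StatusMessage data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-message"
FulfillOn="Deny"/>
</Obligations>
</Policy>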
<!-- PolicySet policysetid:06 obligations: attached when the PolicySet as a
     whole returns Permit (an over-limit trade with its approval request), in
     addition to the trade-approval / credit-ext-approval obligation of the
     policy that permitted it. -->
<Obligations>
<!-- These obligations tell PEP to provide specific data items to the response -->
<!-- This obligation says provide the xacml:Decision data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:decision"
FulfillOn="Permit"/>
<!-- This obligation says provide the xacml:StatusCode data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-code"
FulfillOn="Permit"/>
<!-- This obligation says provide the xacml:StatusMessage data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-message"
FulfillOn="Permit"/>
</Obligations>
</PolicySet>
</PolicySet>
</PolicySet>
</PolicySet>