eXtensible Access Control Markup Language (XACML) Version 1.1
Committee Specification, 07 August 2003
Document identifier: cs-xacml-specification-1.1.pdf
Location: http://www.oasis-open.org/committees/xacml/repository/cs-xacml-specification-1.1.pdf
Send comments to: xacml-comment@lists.oasis-open.org
Editors: Simon Godik, Overxeer; Tim Moses, Entrust
Committee members: Anne Anderson, Sun Microsystems; Antony Nadalin, IBM; Bill Parducci, Overxeer; Daniel Engovatov, BEA Systems; Hal Lockhart, BEA Systems; Michiharu Kudo, IBM; Polar Humenn, Self; Simon Godik, Overxeer; Steve Anderson, OpenNetwork; Steve Crocker, Pervasive Security Systems; Tim Moses, Entrust
Abstract
This specification defines an XML schema for an extensible access-control policy language.
Status
This version of the specification is a Committee Specification.
If you are on the xacml@lists.oasis-open.org list for committee members, send comments there. If you are not on that list, subscribe to the xacml-comment@lists.oasis-open.org list and send comments there. To subscribe, send an email message to xacml-comment-request@lists.oasis-open.org with the word "subscribe" as the body of the message.
Copyright (C) OASIS Open 2003. All Rights Reserved.
oasis--xacml-11pdf 2
Table of contents
1 Introduction (non-normative) ... 10
1.1 Glossary ... 10
1.1.1 Preferred terms ... 10
1.1.2 Related terms ... 11
1.2 Notation ... 12
1.3 Schema organization and namespaces ... 12
2 Background (non-normative) ... 13
2.1 Requirements ... 13
2.2 Rule and policy combining ... 14
2.3 Combining algorithms ... 14
2.4 Multiple subjects ... 15
2.5 Policies based on subject and resource attributes ... 15
2.6 Multi-valued attributes ... 15
2.7 Policies based on resource contents ... 16
2.8 Operators ... 16
2.9 Policy distribution ... 17
2.10 Policy indexing ... 17
2.11 Abstraction layer ... 17
2.12 Actions performed in conjunction with enforcement ... 18
3 Models (non-normative) ... 18
3.1 Data-flow model ... 18
3.2 XACML context ... 20
3.3 Policy language model ... 20
3.3.1 Rule ... 21
3.3.2 Policy ... 23
3.3.3 Policy set ... 24
4 Examples (non-normative) ... 25
4.1 Example one ... 25
4.1.1 Example policy ... 25
4.1.2 Example request context ... 27
4.1.3 Example response context ... 28
4.2 Example two ... 28
4.2.1 Example medical record instance ... 29
4.2.2 Example request context ... 30
4.2.3 Example plain-language rules ... 32
4.2.4 Example XACML rule instances ... 32
5 Policy syntax (normative, with the exception of the schema fragments) ... 46
5.1 Element <PolicySet> ... 46
5.2 Element <Description> ... 47
5.3 Element <PolicySetDefaults> ... 47
5.4 Element <XPathVersion> ... 48
5.5 Element <Target> ... 48
5.6 Element <Subjects> ... 49
5.7 Element <Subject> ... 49
5.8 Element <AnySubject> ... 49
5.9 Element <SubjectMatch> ... 49
5.10 Element <Resources> ... 50
5.11 Element <Resource> ... 50
5.12 Element <AnyResource> ... 51
5.13 Element <ResourceMatch> ... 51
5.14 Element <Actions> ... 52
5.15 Element <Action> ... 52
5.16 Element <AnyAction> ... 52
5.17 Element <ActionMatch> ... 52
5.18 Element <PolicySetIdReference> ... 53
5.19 Element <PolicyIdReference> ... 53
5.20 Element <Policy> ... 53
5.21 Element <PolicyDefaults> ... 55
5.22 Element <Rule> ... 55
5.23 Simple type EffectType ... 56
5.24 Element <Condition> ... 56
5.25 Element <Apply> ... 56
5.26 Element <Function> ... 57
5.27 Complex type AttributeDesignatorType ... 57
5.28 Element <SubjectAttributeDesignator> ... 58
5.29 Element <ResourceAttributeDesignator> ... 59
5.30 Element <ActionAttributeDesignator> ... 60
5.31 Element <EnvironmentAttributeDesignator> ... 60
5.32 Element <AttributeSelector> ... 61
5.33 Element <AttributeValue> ... 62
5.34 Element <Obligations> ... 63
5.35 Element <Obligation> ... 63
5.36 Element <AttributeAssignment> ... 64
6 Context syntax (normative, with the exception of the schema fragments) ... 64
6.1 Element <Request> ... 64
6.2 Element <Subject> ... 65
6.3 Element <Resource> ... 66
6.4 Element <ResourceContent> ... 66
6.5 Element <Action> ... 67
6.6 Element <Environment> ... 67
6.7 Element <Attribute> ... 67
6.8 Element <AttributeValue> ... 68
6.9 Element <Response> ... 68
6.10 Element <Result> ... 69
6.11 Element <Decision> ... 70
6.12 Element <Status> ... 70
6.13 Element <StatusCode> ... 71
6.14 Element <StatusMessage> ... 71
6.15 Element <StatusDetail> ... 71
7 Functional requirements (normative) ... 72
7.1 Policy enforcement point ... 72
7.2 Base policy ... 72
7.3 Target evaluation ... 73
7.4 Condition evaluation ... 73
7.5 Rule evaluation ... 73
7.6 Policy evaluation ... 73
7.7 Policy Set evaluation ... 74
7.8 Hierarchical resources ... 75
7.9 Attributes ... 76
7.9.1 Attribute Matching ... 76
7.9.2 Attribute Retrieval ... 76
7.9.3 Environment Attributes ... 77
7.10 Authorization decision ... 77
7.11 Obligations ... 77
7.12 Unsupported functionality ... 78
7.13 Syntax and type errors ... 78
8 XACML extensibility points (non-normative) ... 78
8.1 Extensible XML attribute types ... 78
8.2 Structured attributes ... 79
9 Security and privacy considerations (non-normative) ... 79
9.1 Threat model ... 79
9.1.1 Unauthorized disclosure ... 80
9.1.2 Message replay ... 80
9.1.3 Message insertion ... 80
9.1.4 Message deletion ... 80
9.1.5 Message modification ... 80
9.1.6 NotApplicable results ... 81
9.1.7 Negative rules ... 81
9.2 Safeguards ... 82
9.2.1 Authentication ... 82
9.2.2 Policy administration ... 82
9.2.3 Confidentiality ... 82
9.2.4 Policy integrity ... 83
9.2.5 Policy identifiers ... 83
9.2.6 Trust model ... 84
9.2.7 Privacy ... 84
10 Conformance (normative) ... 84
10.1 Introduction ... 84
10.2 Conformance tables ... 84
10.2.1 Schema elements ... 85
10.2.2 Identifier Prefixes ... 86
10.2.3 Algorithms ... 86
10.2.4 Status Codes ... 86
10.2.5 Attributes ... 87
10.2.6 Identifiers ... 87
10.2.7 Data-types ... 87
10.2.8 Functions ... 88
11 References ... 92
Appendix A Standard data-types, functions and their semantics (normative) ... 94
A.1 Introduction ... 94
A.2 Primitive types ... 94
A.3 Structured types ... 95
A.4 Representations ... 95
A.5 Bags ... 96
A.6 Expressions ... 96
A.7 Element <AttributeValue> ... 97
A.8 Elements <AttributeDesignator> and <AttributeSelector> ... 97
A.9 Element <Apply> ... 97
A.10 Element <Condition> ... 97
A.11 Element <Function> ... 98
A.12 Matching elements ... 98
A.13 Arithmetic evaluation ... 99
A.14 XACML standard functions ... 100
A.14.1 Equality predicates ... 100
A.14.2 Arithmetic functions ... 102
A.14.3 String conversion functions ... 103
A.14.4 Numeric data-type conversion functions ... 103
A.14.5 Logical functions ... 103
A.14.6 Arithmetic comparison functions ... 104
A.14.7 Date and time arithmetic functions ... 105
A.14.8 Non-numeric comparison functions ... 106
A.14.9 Bag functions ... 108
A.14.10 Set functions ... 109
A.14.11 Higher-order bag functions ... 110
A.14.12 Special match functions ... 117
A.14.13 XPath-based functions ... 118
A.14.14 Extension functions and primitive types ... 118
Appendix B XACML identifiers (normative) ... 119
B.1 XACML namespaces ... 119
B.2 Access subject categories ... 119
B.3 XACML functions ... 119
B.4 Data-types ... 119
B.5 Subject attributes ... 120
B.6 Resource attributes ... 121
B.7 Action attributes ... 121
B.8 Environment attributes ... 122
B.9 Status codes ... 122
B.10 Combining algorithms ... 122
Appendix C Combining algorithms (normative) ... 124
C.1 Deny-overrides ... 124
C.2 Ordered-deny-overrides (non-normative) ... 126
C.3 Permit-overrides ... 126
C.4 Ordered-permit-overrides (non-normative) ... 128
C.5 First-applicable ... 128
C.6 Only-one-applicable ... 130
Appendix D Acknowledgments ... 132
Appendix E Revision history ... 133
Appendix F Notices ... 134
Errata
Errata can be found at the following location:
http://www.oasis-open.org/committees/xacml/repository/errata-001.pdf
1 Introduction (non-normative)
1.1 Glossary
1.1.1 Preferred terms
Access - Performing an action.
Access control - Controlling access in accordance with a policy.
Action - An operation on a resource.
Applicable policy - The set of policies and policy sets that governs access for a specific decision request.
Attribute - Characteristic of a subject, resource, action or environment that may be referenced in a predicate or target.
Authorization decision - The result of evaluating applicable policy, returned by the PDP to the PEP. A function that evaluates to "Permit", "Deny", "Indeterminate" or "NotApplicable", and (optionally) a set of obligations.
Bag - An unordered collection of values, in which there may be duplicate values.
Condition - An expression of predicates. A function that evaluates to "True", "False" or "Indeterminate".
Conjunctive sequence - A sequence of boolean elements combined using the logical 'AND' operation.
Context - The canonical representation of a decision request and an authorization decision.
Context handler - The system entity that converts decision requests in the native request format to the XACML canonical form, and converts authorization decisions in the XACML canonical form to the native response format.
Decision - The result of evaluating a rule, policy or policy set.
Decision request - The request by a PEP to a PDP to render an authorization decision.
Disjunctive sequence - A sequence of boolean elements combined using the logical 'OR' operation.
Effect - The intended consequence of a satisfied rule (either "Permit" or "Deny").
Environment - The set of attributes that are relevant to an authorization decision and are independent of a particular subject, resource or action.
Obligation - An operation specified in a policy or policy set that should be performed in conjunction with the enforcement of an authorization decision.
Policy - A set of rules, an identifier for the rule-combining algorithm and (optionally) a set of obligations. May be a component of a policy set.
Policy administration point (PAP) - The system entity that creates a policy or policy set.
Policy-combining algorithm - The procedure for combining the decision and obligations from multiple policies.
Policy decision point (PDP) - The system entity that evaluates applicable policy and renders an authorization decision.
Policy enforcement point (PEP) - The system entity that performs access control, by making decision requests and enforcing authorization decisions.
Policy information point (PIP) - The system entity that acts as a source of attribute values.
Policy set - A set of policies, other policy sets, a policy-combining algorithm and (optionally) a set of obligations. May be a component of another policy set.
Predicate - A statement about attributes whose truth can be evaluated.
Resource - Data, service or system component.
Rule - A target, an effect and a condition. A component of a policy.
Rule-combining algorithm - The procedure for combining decisions from multiple rules.
Subject - An actor whose attributes may be referenced by a predicate.
Target - The set of decision requests, identified by definitions for resource, subject and action, that a rule, policy or policy set is intended to evaluate.
Type Unification - The method by which two type expressions are "unified". The type expressions are matched along their structure. Where a type variable appears in one expression, it is then "unified" to represent the corresponding structure element of the other expression, be it another variable or subexpression. All variable assignments must remain consistent in both structures. Unification fails if the two expressions cannot be aligned, either by having dissimilar structure, or by having instance conflicts, such as a variable needing to represent both xs:string and xs:integer. For a full explanation of type unification, please see [Hancock].
1.1.2 Related terms
In the field of access control and authorization there are several closely related terms in common use. For purposes of precision and clarity, certain of these terms are not used in this specification.
For instance, the term attribute is used in place of the terms group and role.
In place of the terms privilege, permission, authorization, entitlement and right, we use the term rule.
The term object is also in common use, but we use the term resource in this specification.
Requestors and initiators are covered by the term subject.
1.2 Notation
This specification contains schema conforming to W3C XML Schema and normative text to describe the syntax and semantics of XML-encoded policy statements.
The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY and OPTIONAL in this specification are to be interpreted as described in IETF RFC 2119 [RFC2119]:
"they MUST only be used where it is actually required for interoperation or to limit behavior which has potential for causing harm (e.g., limiting retransmissions)"
These keywords are thus capitalized when used to unambiguously specify requirements over protocol and application features and behavior that affect the interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense.
Listings of XACML schemas appear like this.
Example code listings appear like this.
Conventional XML namespace prefixes are used throughout the listings in this specification to stand for their respective namespaces as follows, whether or not a namespace declaration is present in the example:
The prefix xacml: stands for the XACML policy namespace.
The prefix xacml-context: stands for the XACML context namespace.
The prefix ds: stands for the W3C XML Signature namespace [DS].
The prefix xs: stands for the W3C XML Schema namespace [XS].
The prefix xf: stands for the XQuery 1.0 and XPath 2.0 Function and Operators specification namespace [XF].
This specification uses the following typographical conventions in text: <XACMLElement>, <ns:ForeignElement>, Attribute, Datatype, OtherCode. Terms in italic bold-face are intended to have the meaning defined in the Glossary.
1.3 Schema organization and namespaces
The XACML policy syntax is defined in a schema associated with the following XML namespace:
urn:oasis:names:tc:xacml:1.0:policy
The XACML context syntax is defined in a schema associated with the following XML namespace:
urn:oasis:names:tc:xacml:1.0:context
The XML Signature [DS] is imported into the XACML schema and is associated with the following XML namespace:
http://www.w3.org/2000/09/xmldsig#
2 Background (non-normative)
The economics of scale have driven computing platform vendors to develop products with very generalized functionality, so that they can be used in the widest possible range of situations. Out
of the box, these products have the maximum possible privilege for accessing data and executing software, so that they can be used in as many application environments as possible, including those with the most permissive security policies. In the more common case of a relatively restrictive security policy, the platform's inherent privileges must be constrained by configuration.
The security policy of a large enterprise has many elements and many points of enforcement. Elements of policy may be managed by the Information Systems department, by Human Resources, by the Legal department and by the Finance department. And the policy may be enforced by the extranet, mail, WAN and remote-access systems; platforms which inherently implement a permissive security policy. The current practice is to manage the configuration of each point of enforcement independently in order to implement the security policy as accurately as possible. Consequently, it is an expensive and unreliable proposition to modify the security policy. And it is virtually impossible to obtain a consolidated view of the safeguards in effect throughout the enterprise to enforce the policy. At the same time, there is increasing pressure on corporate and government executives from consumers, shareholders and regulators to demonstrate "best practice" in the protection of the information assets of the enterprise and its customers.
For these reasons, there is a pressing need for a common language for expressing security policy. If implemented throughout an enterprise, a common policy language allows the enterprise to manage the enforcement of all the elements of its security policy in all the components of its information systems. Managing security policy may include some or all of the following steps: writing, reviewing, testing, approving, issuing, combining, analyzing, modifying, withdrawing, retrieving and enforcing policy.
XML is a natural choice as the basis for the common security-policy language, due to the ease with which its syntax and semantics can be extended to accommodate the unique requirements of this application, and the widespread support that it enjoys from all the main platform and tool vendors.
2.1 Requirements
The basic requirements of a policy language for expressing information system security policy are:
To provide a method for combining individual rules and policies into a single policy set that applies to a particular decision request.
To provide a method for flexible definition of the procedure by which rules and policies are combined.
To provide a method for dealing with multiple subjects acting in different capacities.
To provide a method for basing an authorization decision on attributes of the subject and resource.
To provide a method for dealing with multi-valued attributes.
To provide a method for basing an authorization decision on the contents of an information resource.
To provide a set of logical and mathematical operators on attributes of the subject, resource and environment.
To provide a method for handling a distributed set of policy components, while abstracting the method for locating, retrieving and authenticating the policy components.
To provide a method for rapidly identifying the policy that applies to a given action, based upon the values of attributes of the subjects, resource and action.
To provide an abstraction-layer that insulates the policy-writer from the details of the application environment.
To provide a method for specifying a set of actions that must be performed in conjunction with policy enforcement.
The motivation behind XACML is to express these well-established ideas in the field of access-control policy using an extension language of XML. The XACML solutions for each of these requirements are discussed in the following sections.
2.2 Rule and policy combining
The complete policy applicable to a particular decision request may be composed of a number of individual rules or policies. For instance, in a personal privacy application, the owner of the personal information may define certain aspects of disclosure policy, whereas the enterprise that is the custodian of the information may define certain other aspects. In order to render an authorization decision, it must be possible to combine the two separate policies to form the single policy applicable to the request.
XACML defines three top-level policy elements: <Rule>, <Policy> and <PolicySet>. The <Rule> element contains a boolean expression that can be evaluated in isolation, but that is not intended to be accessed in isolation by a PDP. So, it is not intended to form the basis of an authorization decision by itself. It is intended to exist in isolation only within an XACML PAP, where it may form the basic unit of management, and be re-used in multiple policies.
The <Policy> element contains a set of <Rule> elements and a specified procedure for combining the results of their evaluation. It is the basic unit of policy used by the PDP, and so it is intended to form the basis of an authorization decision.
The <PolicySet> element contains a set of <Policy> or other <PolicySet> elements and a specified procedure for combining the results of their evaluation. It is the standard means for combining separate policies into a single combined policy.
Hinton et al. [Hinton94] discuss the question of the compatibility of separate policies applicable to the same decision request.
2.3 Combining algorithms
XACML defines a number of combining algorithms that can be identified by a RuleCombiningAlgId or PolicyCombiningAlgId attribute of the <Policy> or <PolicySet> elements, respectively. The rule-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluation of a set of rules. Similarly, the policy-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluation of a set of policies. Standard combining algorithms are defined for:
Deny-overrides (Ordered and Unordered),
Permit-overrides (Ordered and Unordered),
First-applicable, and
Only-one-applicable.
In the first case, if a single <Rule> or <Policy> element is encountered that evaluates to "Deny", then, regardless of the evaluation result of the other <Rule> or <Policy> elements in the applicable policy, the combined result is "Deny". Likewise, in the second case, if a single "Permit" result is encountered, then the combined result is "Permit". In the case of the "First-applicable" combining algorithm, the combined result is the same as the result of evaluating the first <Rule>, <Policy> or <PolicySet> element in the list of rules whose target is applicable to the decision request. The "Only-one-applicable" policy-combining algorithm only applies to policies. The result of this combining algorithm ensures that one and only one policy or policy set is applicable by virtue of their targets. If no policy or policy set applies, then the result is "NotApplicable", but if more than one policy or policy set is applicable, then the result is "Indeterminate". When exactly one policy or policy set is applicable, the result of the combining algorithm is the result of evaluating the single applicable policy or policy set.
Users of this specification may, if necessary, define their own combining algorithms.
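As an added illustration (this example's own Python, not code from the specification or from any XACML implementation), the four standard policy-combining algorithms described above, applied to the results of the policies in a <PolicySet>. The EvaluatedPolicy record and the sample policy identifiers are constructed for this example; the treatment of "Indeterminate" results goes beyond the prose of this section and follows the policy-combining pseudocode the specification gives in its Appendix C.

```python
from dataclasses import dataclass
from typing import List, Optional

PERMIT, DENY, INDETERMINATE, NOT_APPLICABLE = "Permit", "Deny", "Indeterminate", "NotApplicable"


@dataclass
class EvaluatedPolicy:
    """Constructed stand-in for a <Policy> or <PolicySet> that has been evaluated.

    applicable: result of evaluating the policy's <Target> (True/False), or None when
    the target evaluation itself failed. decision: the policy's overall result.
    """
    policy_id: str
    applicable: Optional[bool]
    decision: str


def deny_overrides(policies: List[EvaluatedPolicy]) -> str:
    # One "Deny" settles it; an error is also treated as "Deny" (fail closed).
    at_least_one_permit = False
    for p in policies:
        if p.decision in (DENY, INDETERMINATE):
            return DENY
        if p.decision == PERMIT:
            at_least_one_permit = True
    return PERMIT if at_least_one_permit else NOT_APPLICABLE


def permit_overrides(policies: List[EvaluatedPolicy]) -> str:
    # One "Permit" settles it; otherwise "Deny" outranks an error, which outranks "NotApplicable".
    at_least_one_deny = at_least_one_error = False
    for p in policies:
        if p.decision == PERMIT:
            return PERMIT
        if p.decision == DENY:
            at_least_one_deny = True
        elif p.decision == INDETERMINATE:
            at_least_one_error = True
    if at_least_one_deny:
        return DENY
    return INDETERMINATE if at_least_one_error else NOT_APPLICABLE


def first_applicable(policies: List[EvaluatedPolicy]) -> str:
    # The first policy in list order that yields anything but "NotApplicable" decides.
    for p in policies:
        if p.decision != NOT_APPLICABLE:
            return p.decision
    return NOT_APPLICABLE


def only_one_applicable(policies: List[EvaluatedPolicy]) -> str:
    # Judged on targets alone: none applicable -> "NotApplicable"; more than one, or a
    # target that could not be evaluated -> "Indeterminate"; exactly one -> its own result.
    selected: Optional[EvaluatedPolicy] = None
    for p in policies:
        if p.applicable is None:
            return INDETERMINATE
        if p.applicable:
            if selected is not None:
                return INDETERMINATE
            selected = p
    return selected.decision if selected is not None else NOT_APPLICABLE


def combine(algorithm: str, policies: List[EvaluatedPolicy]) -> str:
    """Dispatch on the short name a PolicyCombiningAlgId would carry."""
    algorithms = {
        "deny-overrides": deny_overrides,
        "permit-overrides": permit_overrides,
        "first-applicable": first_applicable,
        "only-one-applicable": only_one_applicable,
    }
    return algorithms[algorithm](policies)


# Constructed sample: the privacy scenario of Section 2.2, where the data owner's policy
# permits and the custodian's policy denies the same request; a third policy does not apply.
OWNER = EvaluatedPolicy("owner-policy", True, PERMIT)
CUSTODIAN = EvaluatedPolicy("custodian-policy", True, DENY)
UNRELATED = EvaluatedPolicy("payroll-policy", False, NOT_APPLICABLE)
BROKEN = EvaluatedPolicy("broken-policy", True, INDETERMINATE)

if __name__ == "__main__":
    for name in ("deny-overrides", "permit-overrides", "first-applicable", "only-one-applicable"):
        print(f"{name:20s} -> {combine(name, [OWNER, CUSTODIAN, UNRELATED])}")
```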
2.4 Multiple subjects
Access-control policies often place requirements on the actions of more than one subject. For instance, the policy governing the execution of a high-value financial transaction may require the approval of more than one individual, acting in different capacities. Therefore, XACML recognizes that there may be more than one subject relevant to a decision request. An attribute called "subject-category" is used to differentiate between subjects acting in different capacities. Some standard values for this attribute are specified, and users may define additional ones.
2.5 Policies based on subject and resource attributes
Another common requirement is to base an authorization decision on some characteristic of the subject other than its identity. Perhaps the most common application of this idea is the subject's role [RBAC]. XACML provides facilities to support this approach. Attributes of subjects may be identified by the <SubjectAttributeDesignator> element. This element contains a URN that identifies the attribute. Alternatively, the <AttributeSelector> element may contain an XPath expression over the request context to identify a particular subject attribute value by its location in the context (see Section 2.11 for an explanation of context). XACML provides a standard way to reference the attributes defined in the LDAP series of specifications [LDAP-1, LDAP-2]. This is intended to encourage implementers to use standard attribute identifiers for some common subject attributes.
Another common requirement is to base an authorization decision on some characteristic of the resource other than its identity. XACML provides facilities to support this approach. Attributes of the resource may be identified by the <ResourceAttributeDesignator> element. This element contains a URN that identifies the attribute. Alternatively, the <AttributeSelector> element may contain an XPath expression over the request context to identify a particular resource attribute value by its location in the context.
2.6 Multi-valued attributes
The most common techniques for communicating attributes (LDAP, XPath, SAML, etc.) support multiple values per attribute. Therefore, when an XACML PDP retrieves the value of a named attribute, the result may contain multiple values. A collection of such values is called a bag. A bag differs from a set in that it may contain duplicate values, whereas a set may not. Sometimes, this situation represents an error. Sometimes, the XACML rule is satisfied if any one of the attribute values meets the criteria expressed in the rule.
XACML provides a set of functions that allow a policy writer to be absolutely clear about how the PDP should handle the case of multiple attribute values. These are the "higher-order" functions.
2.7 Policies based on resource contents
In many applications, it is required to base an authorization decision on data contained in the information resource to which access is requested. For instance, a common component of privacy policy is that a person should be allowed to read records for which he or she is the subject. The corresponding policy must contain a reference to the subject identified in the information resource itself.
XACML provides facilities for doing this when the information resource can be represented as an XML document. The <AttributeSelector> element may contain an XPath expression over the request context to identify data in the information resource to be used in the policy evaluation.
In cases where the information resource is not an XML document, specified attributes of the resource can be referenced, as described in Section 2.4.
2.8 Operators
Information security policies operate upon attributes of subjects, the resource and the action to be performed on the resource in order to arrive at an authorization decision. In the process of arriving at the authorization decision, attributes of many different types may have to be compared or computed. For instance, in a financial application, a person's available credit may have to be calculated by adding their credit limit to their account balance. The result may then have to be compared with the transaction value. This sort of situation gives rise to the need for arithmetic operations on attributes of the subject (account balance and credit limit) and the resource (transaction value).
Even more commonly, a policy may identify the set of roles that are permitted to perform a particular action. The corresponding operation involves checking whether there is a non-empty intersection between the set of roles occupied by the subject and the set of roles identified in the policy. Hence the need for set operations.
XACML includes a number of built-in functions and a method of adding non-standard functions. These functions may be nested to build arbitrarily complex expressions. This is achieved with the <Apply> element. The <Apply> element has an XML attribute called FunctionId that identifies the function to be applied to the contents of the element. Each standard function is defined for specific argument data-type combinations, and its return data-type is also specified. Therefore, data-type consistency of the policy can be checked at the time the policy is written or parsed. And, the types of the data values presented in the request context can be checked against the values expected by the policy to ensure a predictable outcome.
In addition to operators on numerical and set arguments, operators are defined for date, time and duration arguments.
Relationship operators (equality and comparison) are also defined for a number of data-types, including the RFC822 and X.500 name-forms, strings, URIs, etc.
Also noteworthy are the operators over boolean data-types, which permit the logical combination of predicates in a rule. For example, a rule may contain the statement that access may be permitted during business hours AND from a terminal on business premises.
The XACML method of representing functions borrows from MathML [MathML] and from the XQuery 1.0 and XPath 2.0 Functions and Operators specification [XF].
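Added example (own code, not from the specification or any XACML implementation) covering Sections 2.6 and 2.8 together: a miniature typed evaluator for nested <Apply> expressions that checks data-type consistency before anything is evaluated, runs the "available credit" arithmetic and the role-set intersection described above, and uses the higher-order any-of over a multi-valued attribute. The function identifiers are the standard XACML 1.0 ones; the tuple encoding of expressions, the attribute identifiers and the request context are assumptions of this example.

```python
from typing import Any, Dict, List, Tuple

FN = "urn:oasis:names:tc:xacml:1.0:function:"
Context = Dict[Tuple[str, str], List[Any]]   # (category, attribute-id) -> bag of values


class Indeterminate(Exception):
    """Evaluation error: a missing attribute, or a bag with the wrong number of values."""


def _one_and_only(bag):
    # Section 2.6: a multi-valued attribute where the policy expects one value is an error.
    if len(bag) != 1:
        raise Indeterminate(f"expected exactly one value, bag has {len(bag)}")
    return bag[0]


# (argument types, return type, implementation). "bag:T" is a bag of T; "T..." is variadic.
FUNCTIONS: Dict[str, Tuple[List[str], str, Any]] = {
    FN + "integer-one-and-only": (["bag:integer"], "integer", _one_and_only),
    FN + "integer-add": (["integer", "integer"], "integer", lambda a, b: a + b),
    FN + "integer-greater-than-or-equal": (["integer", "integer"], "boolean", lambda a, b: a >= b),
    FN + "string-equal": (["string", "string"], "boolean", lambda a, b: a == b),
    FN + "and": (["boolean..."], "boolean", lambda *xs: all(xs)),
    FN + "string-bag": (["string..."], "bag:string", lambda *xs: list(xs)),
    # set operation over two bags (Section 2.8): non-empty intersection
    FN + "string-at-least-one-member-of": (["bag:string", "bag:string"], "boolean",
                                           lambda a, b: bool(set(a) & set(b))),
    # higher-order function (Section 2.6): the predicate holds for at least one bag member
    # (restricted to string predicates here for brevity)
    FN + "any-of": (["function", "string", "bag:string"], "boolean",
                    lambda f, v, bag: any(f(v, x) for x in bag)),
}

# Expression encoding (this example's own, standing in for the XML): ("value", type, literal),
# ("designator", category, attribute-id, type), ("function", id), ("apply", id, [args]).

def type_check(expr) -> str:
    """Return an expression's data-type, raising TypeError on any mismatch."""
    kind = expr[0]
    if kind == "value":
        return expr[1]
    if kind == "designator":                # a designator always yields a bag
        return "bag:" + expr[3]
    if kind == "function":
        return "function"
    _, fid, args = expr
    arg_types, ret_type, _ = FUNCTIONS[fid]
    actual = [type_check(a) for a in args]
    variadic = bool(arg_types) and arg_types[-1].endswith("...")
    expected = [arg_types[-1][:-3]] * len(actual) if variadic else arg_types
    if actual != expected:
        raise TypeError(f"{fid[len(FN):]} expects {expected}, got {actual}")
    return ret_type

def evaluate(expr, context: Context):
    """Evaluate an expression against a request context."""
    kind = expr[0]
    if kind == "value":
        return expr[2]
    if kind == "designator":
        return list(context.get((expr[1], expr[2]), []))    # absent attribute -> empty bag
    if kind == "function":
        return FUNCTIONS[expr[1]][2]
    _, fid, args = expr
    return FUNCTIONS[fid][2](*(evaluate(a, context) for a in args))

def designator(category, attr_id, dtype):
    return ("designator", category, attr_id, dtype)

def one_int(category, attr_id):
    return ("apply", FN + "integer-one-and-only", [designator(category, attr_id, "integer")])

# Section 2.8: available credit = credit-limit + account-balance, compared with the
# transaction value; and the subject's roles must intersect the roles the policy names.
CREDIT_CHECK = ("apply", FN + "integer-greater-than-or-equal", [
    ("apply", FN + "integer-add", [one_int("subject", "credit-limit"),
                                   one_int("subject", "account-balance")]),
    one_int("resource", "transaction-value")])
ROLE_CHECK = ("apply", FN + "string-at-least-one-member-of", [
    designator("subject", "role", "string"),
    ("apply", FN + "string-bag", [("value", "string", "teller"), ("value", "string", "manager")])])
CONDITION = ("apply", FN + "and", [CREDIT_CHECK, ROLE_CHECK])
# Section 2.6: the same multi-valued "role" attribute tested with the higher-order any-of.
IS_MANAGER = ("apply", FN + "any-of", [("function", FN + "string-equal"), ("value", "string", "manager"),
                                       designator("subject", "role", "string")])

# Constructed request context: a subject holding two roles, requesting a 700-unit transaction.
CONTEXT: Context = {("subject", "credit-limit"): [500], ("subject", "account-balance"): [250],
                    ("subject", "role"): ["teller", "auditor"], ("resource", "transaction-value"): [700]}

def check_condition(expr, context: Context) -> str:
    """Type-check (as a PAP would at write/parse time), then evaluate; evaluation errors
    surface as "Indeterminate" rather than as a Permit or Deny."""
    type_check(expr)
    try:
        return "True" if evaluate(expr, context) else "False"
    except Indeterminate:
        return "Indeterminate"
```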
2.9 Policy distribution
In a distributed system, individual policy statements may be written by several policy writers and enforced at several enforcement points. In addition to facilitating the collection and combination of independent policy components, this approach allows policies to be updated as required. XACML policy statements may be distributed in any one of a number of ways. But, XACML does not describe any normative way to do this. Regardless of the means of distribution, PDPs are expected to confirm, by examining the policy's <Target> element, that the policy is applicable to the decision request that it is processing.
<Policy> elements may be attached to the information resources to which they apply, as described by Perritt [Perritt93]. Alternatively, <Policy> elements may be maintained in one or more locations from which they are retrieved for evaluation. In such cases, the applicable policy may be referenced by an identifier or locator closely associated with the information resource.
2.10 Policy indexing
For efficiency of evaluation and ease of management, the overall security policy in force across an enterprise may be expressed as multiple independent policy components. In this case, it is necessary to identify and retrieve the applicable policy statement and verify that it is the correct one for the requested action before evaluating it. This is the purpose of the <Target> element in XACML.
Two approaches are supported:
1. Policy statements may be stored in a database whose data-model is congruent with that of the <Target> element. The PDP should use the contents of the decision request that it is processing to form the database read command by which applicable policy statements are retrieved. Nevertheless, the PDP should still evaluate the <Target> element of the retrieved policy or policy set statements, as defined by the XACML specification.
2. Alternatively, the PDP may evaluate the <Target> element from each of the policies or policy sets that it has available to it, in the context of a particular decision request, in order to identify the policies and policy sets that are applicable to that request.
The use of constraints limiting the applicability of a policy was described by Sloman [Sloman94].
2.11 Abstraction layer
PEPs come in many forms. For instance, a PEP may be part of a remote-access gateway, part of a Web server or part of an email user-agent, etc. It is unrealistic to expect that all PEPs in an enterprise do currently, or will in the future, issue decision requests to a PDP in a common format. Nevertheless, a particular policy may have to be enforced by multiple PEPs. It would be inefficient to force a policy writer to write the same policy several different ways in order to accommodate the format requirements of each PEP. Similarly, attributes may be contained in various envelope types (e.g. X.509 attribute certificates, SAML attribute assertions, etc.). Therefore, there is a need for a canonical form of the request and response handled by an XACML PDP. This canonical form is called the XACML Context. Its syntax is defined in XML schema.
Naturally, XACML-conformant PEPs may issue requests and receive responses in the form of an XACML context. But, where this situation does not exist, an intermediate step is required to convert between the request/response format understood by the PEP and the XACML context format understood by the PDP.
The benefit of this approach is that policies may be written and analyzed independent of the specific environment in which they are to be enforced
In the case where the native request/response format is specified in XML Schema (e.g. a SAML-conformant PEP), the transformation between the native format and the XACML context may be specified in the form of an Extensible Stylesheet Language Transformation [XSLT].
Similarly, in the case where the resource to which access is requested is an XML document, the resource itself may be included in, or referenced by, the request context. Then, through the use of XPath expressions [XPath] in the policy, values in the resource may be included in the policy evaluation.
2.12 Actions performed in conjunction with enforcement
In many applications, policies specify actions that MUST be performed, either instead of, or in addition to, actions that MAY be performed. This idea was described by Sloman [Sloman94]. XACML provides facilities to specify actions that MUST be performed in conjunction with policy evaluation in the <Obligations> element. This idea was described as a provisional action by Kudo [Kudo00]. There are no standard definitions for these actions in version 1.0 of XACML. Therefore, bilateral agreement between a PAP and the PEP that will enforce its policies is required for correct interpretation. PEPs that conform with v1.0 of XACML are required to deny access unless they understand all the <Obligations> elements associated with the applicable policy. <Obligations> elements are returned to the PEP for enforcement.
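The "deny unless every obligation is understood" requirement above is a PEP-side check, and it is easy to get wrong (for example by granting access first and handling obligations afterwards). The following Python is an added example, not code from the specification or from any XACML implementation. It parses a v1.0 response context, takes the <Obligations> returned in the <Result>, and fails closed: access is granted only when the decision is Permit and every obligation with FulfillOn equal to that decision has a registered handler that succeeds. The obligation identifiers (urn:example:obligation:send-email, urn:example:obligation:mailto), the handler, and the sample responses are all constructed for this example; <Status> is omitted from the samples.

```python
"""PEP-side enforcement of <Obligations> in an XACML 1.0 response context (added example)."""
import xml.etree.ElementTree as ET

CTX = "{urn:oasis:names:tc:xacml:1.0:context}"
POL = "{urn:oasis:names:tc:xacml:1.0:policy}"   # <Obligations> live in the policy namespace


def parse_response(xml_text):
    """Return (decision, [(ObligationId, FulfillOn, {AttributeId: value}), ...])."""
    result = ET.fromstring(xml_text).find(CTX + "Result")
    decision = result.findtext(CTX + "Decision")
    obligations = []
    container = result.find(POL + "Obligations")
    for ob in ([] if container is None else container.findall(POL + "Obligation")):
        assignments = {a.get("AttributeId"): (a.text or "").strip()
                       for a in ob.findall(POL + "AttributeAssignment")}
        obligations.append((ob.get("ObligationId"), ob.get("FulfillOn"), assignments))
    return decision, obligations


def enforce(xml_text, handlers, log):
    """Return True to grant access, False to deny.  Grants only on Permit, and only if
    every obligation that applies to that decision is understood and fulfilled first."""
    decision, obligations = parse_response(xml_text)
    if decision != "Permit":                      # Deny, NotApplicable, Indeterminate: deny
        log.append("deny: decision=%s" % decision)
        return False
    applicable = [o for o in obligations if o[1] == decision]
    unknown = [oid for oid, _, _ in applicable if oid not in handlers]
    if unknown:                                   # the v1.0 rule: not understood => deny
        log.append("deny: unhandled obligations %s" % unknown)
        return False
    for oid, _, assignments in applicable:        # fulfil before releasing the resource
        if not handlers[oid](assignments, log):
            log.append("deny: obligation %s failed" % oid)
            return False
    log.append("permit")
    return True


def send_email(assignments, log):
    """Hypothetical handler for a hypothetical obligation id: notify the named mailbox."""
    to = assignments.get("urn:example:obligation:mailto")
    if not to:
        return False
    log.append("email sent to %s" % to)           # a real PEP would hand this to an MTA
    return True


HANDLERS = {"urn:example:obligation:send-email": send_email}


def response(decision, obligations_xml=""):
    """Constructed sample response context (no <Status> element)."""
    return ('<Response xmlns="urn:oasis:names:tc:xacml:1.0:context"><Result>'
            '<Decision>%s</Decision>%s</Result></Response>' % (decision, obligations_xml))


OBL_EMAIL = ('<Obligations xmlns="urn:oasis:names:tc:xacml:1.0:policy">'
             '<Obligation ObligationId="urn:example:obligation:send-email" FulfillOn="Permit">'
             '<AttributeAssignment AttributeId="urn:example:obligation:mailto" '
             'DataType="http://www.w3.org/2001/XMLSchema#string">bart@simpsons.com'
             '</AttributeAssignment></Obligation></Obligations>')
OBL_UNKNOWN = OBL_EMAIL.replace("send-email", "audit-to-siem")   # id this PEP does not know

if __name__ == "__main__":
    trace = []
    print(enforce(response("Permit", OBL_EMAIL), HANDLERS, trace), trace)
    print(enforce(response("Permit", OBL_UNKNOWN), HANDLERS, []))
```

The ordering matters: the handler runs before the PEP returns True, so a failing obligation (no mailbox, MTA down) leaves the resource unreleased instead of leaving an unfulfilled obligation behind a granted access.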
3 Models (non-normative)
The data-flow model and language model of XACML are described in the following sub-sections.
3.1 Data-flow model
The major actors in the XACML domain are shown in the data-flow diagram of Figure 1.
Figure 1 - Data-flow diagram
Note some of the data-flows shown in the diagram may be facilitated by a repository For instance the communications between the context handler and the PIP or the communications between the PDP and the PAP may be facilitated by a repository The XACML specification is not intended to place restrictions on the location of any such repository or indeed to prescribe a particular communication protocol for any of the data-flows
The model operates by the following steps
1 PAPs write policies and policy sets and make them available to the PDP These policies or policy sets represent the complete policy for a specified target
2 The access requester sends a request for access to the PEP
3 The PEP sends the request for access to the context handler in its native request format, optionally including attributes of the subjects, resource and action. The context handler constructs an XACML request context in accordance with steps 4, 5, 6 and 7.
4 Subject resource and environment attributes may be requested from a PIP
5 The PIP obtains the requested attributes
6 The PIP returns the requested attributes to the context handler
7 Optionally the context handler includes the resource in the context
8 The context handler sends a decision request including the target to the PDP The PDP identifies the applicable policy and retrieves the required attributes and (optionally) the resource from the context handler The PDP evaluates the policy
9 The PDP returns the response context (including the authorization decision) to the context handler
10 The context handler translates the response context to the native response format of the PEP The context handler returns the response to the PEP
11 The PEP fulfills the obligations
12 (Not shown) If access is permitted then the PEP permits access to the resource otherwise it denies access
3.2 XACML context
XACML is intended to be suitable for a variety of application environments. The core language is insulated from the application environment by the XACML context, as shown in Figure 2, in which the scope of the XACML specification is indicated by the shaded area. The XACML context is defined in XML schema, describing a canonical representation for the inputs and outputs of the PDP. Attributes referenced by an instance of XACML policy may be in the form of XPath expressions on the context, or attribute designators that identify the attribute by subject, resource, action or environment and its identifier. Implementations must convert between the attribute representations in the application environment (e.g. SAML, J2SE, CORBA and so on) and the attribute representations in the XACML context. How this is achieved is outside the scope of the XACML specification. In some cases, such as SAML, this conversion may be accomplished in an automated way through the use of an XSLT transformation.
[Figure 2 (not reproduced): domain-specific inputs are converted into an XACML context Request.xml; the PDP evaluates it against Policy.xml and produces an XACML context Response.xml, which is converted back into domain-specific outputs.]
Figure 2 - XACML context
Note The PDP may be implemented such that it uses a processed form of the XML files
See Section 7.9 for a more detailed discussion of the request context.
3.3 Policy language model
The policy language model is shown in Figure 3. The main components of the model are:
Rule
Policy and
Policy set
These are described in the following sub-sections
[Figure 3 (not reproduced) shows the containment relationships between the model's components: a PolicySet has one Target, one PolicyCombiningAlgorithm, any number of Policies or PolicySets, and optional Obligations; a Policy has one Target, one RuleCombiningAlgorithm, any number of Rules, and optional Obligations; a Rule has an optional Target, one Effect and an optional Condition; a Target is composed of Subject, Resource and Action elements.]
Figure 3 - Policy language model
3.3.1 Rule
A rule is the most elementary unit of policy. It may exist in isolation only within one of the major actors of the XACML domain. In order to exchange rules between major actors, they must be encapsulated in a policy. A rule can be evaluated on the basis of its contents. The main components of a rule are:
a target
an effect and
a condition
These are discussed in the following sub-sections
3.3.1.1 Rule target
The target defines the set of
resources
subjects and
actions
to which the rule is intended to apply. The <Condition> element may further refine the applicability established by the target. If the rule is intended to apply to all entities of a particular data-type, then an empty element named <AnySubject>, <AnyResource> or <AnyAction> is used. An XACML PDP verifies that the subjects, resource and action identified in the request context are all present in the target of the rules that it uses to evaluate the decision request. Target definitions are discrete, in order that applicable rules may be efficiently identified by the PDP.
The <Target> element may be absent from a <Rule>. In this case, the target of the <Rule> is the same as that of the parent <Policy> element.
Certain subject name-forms, resource name-forms and certain types of resource are internally structured. For instance, the X.500 directory name-form and RFC 822 name-form are structured subject name-forms, whereas an account number commonly has no discernible structure. UNIX file-system path-names and URIs are examples of structured resource name-forms. And an XML document is an example of a structured resource.
Generally, the name of a node (other than a leaf node) in a structured name-form is also a legal instance of the name-form. So, for instance, the RFC 822 name "medico.com" is a legal RFC 822 name identifying the set of mail addresses hosted by the medico.com mail server. And the XPath/XPointer value "//ctx:ResourceContent/md:record/md:patient" is a legal XPath/XPointer value identifying a node-set in an XML document.
The question arises: how should a name that identifies a set of subjects or resources be interpreted by the PDP, whether it appears in a policy or a request context? Are they intended to represent just the node explicitly identified by the name, or are they intended to represent the entire sub-tree subordinate to that node?
In the case of subjects, there is no real entity that corresponds to such a node. So, names of this type always refer to the set of subjects subordinate in the name structure to the identified node. Consequently, non-leaf subject names should not be used in equality functions, only in match functions, such as "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match", not "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal" (see Appendix A).
On the other hand in the case of resource names and resources themselves three options exist The name could refer to
1 the contents of the identified node only
2 the contents of the identified node and the contents of its immediate child nodes or
3 the contents of the identified node and all its descendant nodes
All three options are supported in XACML
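The three interpretations of a structured resource name listed above differ only in how far below the named node a request may reach, and a PDP (or the PAP tooling that normalises resource names before they reach it) has to pick one explicitly. The following Python is an added example, not part of the specification: it implements the three options for UNIX file-system path-names, and normalises "." and ".." components first so that a requested name such as "/medico/record/../admin/passwd" cannot be matched as if it were inside the "/medico/record" sub-tree. The path values are constructed for the example.

```python
"""Node / children / descendants scoping of a hierarchical resource name (added example)."""
import posixpath

SCOPES = ("node", "children", "descendants")


def components(path):
    """Split a path into its components after normalising '.' and '..', so that a
    requested name cannot escape the policy's sub-tree by path traversal."""
    return [c for c in posixpath.normpath("/" + path.lstrip("/")).split("/") if c]


def resource_in_scope(policy_name, requested_name, scope):
    """Does policy_name cover requested_name under the chosen interpretation?
    node:        the contents of the identified node only
    children:    the node and the contents of its immediate child nodes
    descendants: the node and all its descendant nodes"""
    if scope not in SCOPES:
        raise ValueError("unknown scope %r" % scope)
    base, req = components(policy_name), components(requested_name)
    if req[:len(base)] != base:            # neither the node itself nor anything below it
        return False
    depth = len(req) - len(base)           # 0 = the node, 1 = a child, 2+ = deeper
    if scope == "node":
        return depth == 0
    if scope == "children":
        return depth <= 1
    return True


if __name__ == "__main__":
    for scope in SCOPES:
        print(scope, resource_in_scope("/medico/record", "/medico/record/patient/BartSimpson", scope))
```

Note that "/medico/records" is not inside "/medico/record": the comparison is on components, not on string prefixes, which is the usual bug in hand-rolled path scoping.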
3.3.1.2 Effect
The effect of the rule indicates the rule-writer's intended consequence of a "True" evaluation for the rule. Two values are allowed: "Permit" and "Deny".
3.3.1.3 Condition
Condition represents a boolean expression that refines the applicability of the rule beyond the predicates implied by its target Therefore it may be absent
3.3.2 Policy
From the data-flow model, one can see that rules are not exchanged amongst system entities. Therefore, a PAP combines rules in a policy. A policy comprises four main components:
a target
a rule-combining algorithm-identifier
a set of rules and
obligations
Rules are described above The remaining components are described in the following sub-sections
3.3.2.1 Policy target
An XACML <PolicySet>, <Policy> or <Rule> element contains a <Target> element that specifies the set of subjects, resources and actions to which it applies. The <Target> of a <PolicySet> or <Policy> may be declared by the writer of the <PolicySet> or <Policy>, or it may be calculated from the <Target> elements of the <PolicySet>, <Policy> and <Rule> elements that it contains.
A system entity that calculates a <Target> in this way is not defined by XACML, but there are two logical methods that might be used. In one method, the <Target> element of the outer <PolicySet> or <Policy> (the "outer component") is calculated as the union of all the <Target> elements of the referenced <PolicySet>, <Policy> or <Rule> elements (the "inner components"). In another method, the <Target> element of the outer component is calculated as the intersection of all the <Target> elements of the inner components. The results of evaluation in each case will be very different: in the first case, the <Target> element of the outer component makes it applicable to any decision request that matches the <Target> element of at least one inner component; in the second case, the <Target> element of the outer component makes it applicable only to decision requests that match the <Target> elements of every inner component. Note that computing the intersection of a set of <Target> elements is likely only practical if the target data-model is relatively simple.
In cases where the <Target> of a <Policy> is declared by the policy writer, any component <Rule> elements in the <Policy> that have the same <Target> element as the <Policy> element may omit the <Target> element. Such <Rule> elements inherit the <Target> of the <Policy> in which they are contained.
3.3.2.2 Rule-combining algorithm
The rule-combining algorithm specifies the procedure by which the results of evaluating the component rules are combined when evaluating the policy, i.e. the Decision value placed in the response context by the PDP is the value of the policy, as defined by the rule-combining algorithm.
See Appendix C for definitions of the normative rule-combining algorithms
3.3.2.3 Obligations
The XACML <Rule> syntax does not contain an element suitable for carrying obligations; therefore, if required in a policy, obligations must be added by the writer of the policy.
When a PDP evaluates a policy containing obligations, it returns certain of those obligations to the PEP in the response context. Section 7.11 explains which obligations are to be returned.
3.3.3 Policy set
A policy set comprises four main components:
a target
a policy-combining algorithm-identifier
a set of policies and
obligations
The target and policy components are described above The other components are described in the following sub-sections
3.3.3.1 Policy-combining algorithm
The policy-combining algorithm specifies the procedure by which the results of evaluating the component policies are combined when evaluating the policy set, i.e. the Decision value placed in the response context by the PDP is the result of evaluating the policy set, as defined by the policy-combining algorithm.
See Appendix C for definitions of the normative policy-combining algorithms
3.3.3.2 Obligations
The writer of a policy set may add obligations to the policy set in addition to those contained in the component policies and policy sets
When a PDP evaluates a policy set containing obligations, it returns certain of those obligations to the PEP in its response context. Section 7.11 explains which obligations are to be returned.
4 Examples (non-normative)
This section contains two examples of the use of XACML for illustrative purposes. The first example is a relatively simple one to illustrate the use of target, context, matching functions and subject attributes. The second example additionally illustrates the use of the rule-combining algorithm, conditions and obligations.
4.1 Example one
4.1.1 Example policy
Assume that a corporation named Medi Corp (medico.com) has an access control policy that states, in English:
Any user with an e-mail name in the "medico.com" namespace is allowed to perform any action on any resource.
An XACML policy consists of header information an optional text description of the policy a target one or more rules and an optional set of obligations
The header for this policy is:
[p01] <?xml version="1.0" encoding="UTF-8"?>
[p02] <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[p03]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[p04]   xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy
[p05]     http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-policy-01.xsd"
[p06]   PolicyId="identifier:example:SimplePolicy1"
[p07]   RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
[p01] is a standard XML document tag indicating which version of XML is being used and what the character encoding is
[p02] introduces the XACML Policy itself
[p03-p05] are XML namespace declarations
[p05] gives a URL to the schema for XACML policies
[p06] assigns a name to this policy instance The name of a policy should be unique for a given PDP so that there is no ambiguity if one policy is referenced from another policy
[p07] specifies the algorithm that will be used to resolve the results of the various rules that may be in the policy. The deny-overrides rule-combining algorithm specified here says that, if any rule evaluates to "Deny", then that policy must return "Deny". If all rules evaluate to "Permit", then the policy must return "Permit". The rule-combining algorithm, which is fully described in Appendix C, also says what to do if an error were to occur when evaluating any rule, and what to do with rules that do not apply to a particular decision request.
[p08]   <Description>
[p09]     Medi Corp access control policy
[p10]   </Description>
[p08-p10] provide a text description of the policy. This description is optional.
[p11]   <Target>
[p12]     <Subjects>
[p13]       <AnySubject/>
[p14]     </Subjects>
[p15]     <Resources>
[p16]       <AnyResource/>
[p17]     </Resources>
[p18]     <Actions>
[p19]       <AnyAction/>
[p20]     </Actions>
[p21]   </Target>
[p11-p21] describe the decision requests to which this policy applies. If the subject, resource and action in a decision request do not match the values specified in the target, then the remainder of the policy does not need to be evaluated. This target section is very useful for creating an index to a set of policies. In this simple example, the target section says the policy is applicable to any decision request.
[p22]   <Rule
[p23]     RuleId="urn:oasis:names:tc:xacml:1.0:example:SimpleRule1"
[p24]     Effect="Permit">
[p22] introduces the one and only rule in this simple policy Just as for a policy each rule must have a unique identifier (at least unique for any PDP that will be using the policy)
[p23] specifies the identifier for this rule
[p24] says what effect this rule has if the rule evaluates to "True". Rules can have an effect of either "Permit" or "Deny". In this case, the rule will evaluate to "Permit", meaning that, as far as this one rule is concerned, the requested access should be permitted. If a rule evaluates to "False", then it returns a result of "NotApplicable". If an error occurs when evaluating the rule, the rule returns a result of "Indeterminate". As mentioned above, the rule-combining algorithm for the policy tells how various rule values are combined into a single policy value.
[p25]     <Description>
[p26]       Any subject with an e-mail name in the medico.com domain
[p27]       can perform any action on any resource.
[p28]     </Description>
[p25-p28] provide a text description of this rule. This description is optional.
[p29]     <Target>
[p29] introduces the target of the rule. As described above for the target of a policy, the target of a rule describes the decision requests to which this rule applies. If the subject, resource and action in a decision request do not match the values specified in the rule target, then the remainder of the rule does not need to be evaluated, and a value of "NotApplicable" is returned to the policy evaluation.
[p30]       <Subjects>
[p31]         <Subject>
[p32]           <SubjectMatch MatchId=
                  "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
[p33]             <SubjectAttributeDesignator
[p34]               AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
[p35]               DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
[p36]             <AttributeValue
[p37]               DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">medico.com
[p38]             </AttributeValue>
[p39]           </SubjectMatch>
[p40]         </Subject>
[p41]       </Subjects>
[p42]       <Resources>
[p43]         <AnyResource/>
[p44]       </Resources>
[p45]       <Actions>
[p46]         <AnyAction/>
[p47]       </Actions>
[p48]     </Target>
The rule target is similar to the target of the policy itself, but with one important difference: [p32-p41] do not say <AnySubject>, but instead spell out a specific value that the subject in the decision request must match. The <SubjectMatch> element specifies a matching function in the MatchId attribute, a pointer to a specific subject attribute in the request context by means of the <SubjectAttributeDesignator> element, and a literal value of "medico.com". The matching function will be used to compare the value of the subject attribute with the literal value. Only if the match returns "True" will this rule apply to a particular decision request. If the match returns "False", then this rule will return a value of "NotApplicable".
[p49]   </Rule>
[p50] </Policy>
[p49] closes the rule we have been examining. In this rule, all the work is done in the <Target> element. In more complex rules, the <Target> may have been followed by a <Condition> (which could also be a set of conditions to be ANDed or ORed together).
[p50] closes the policy we have been examining As mentioned above this policy has only one rule but more complex policies may have any number of rules
4.1.2 Example request context
Let's examine a hypothetical decision request that might be submitted to a PDP using the policy above. In English, the access request that generates the decision request may be stated as follows:
Bart Simpson, with e-mail name "bs@simpsons.com", wants to read his medical record at Medi Corp.
In XACML, the information in the decision request is formatted into a request context statement that looks as follows:
[c01] <?xml version="1.0" encoding="UTF-8"?>
[c02] <Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
[c03]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[c04]   xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context
[c05]     http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-context-01.xsd">
[c01-c05] are the header for the request context and are used the same way as the header for the policy, explained above.
[c06]   <Subject>
[c07]     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
[c08]       DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
[c09]       <AttributeValue>bs@simpsons.com</AttributeValue>
[c10]     </Attribute>
[c11]   </Subject>
The <Subject> element contains one or more attributes of the entity making the access request. There can be multiple subjects, and each subject can have multiple attributes. In this case, in [c06-c11], there is only one subject, and the subject has only one attribute: the subject's identity, expressed as an e-mail name, is "bs@simpsons.com".
[c12]   <Resource>
[c13]     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:ufs-path"
[c14]       DataType="http://www.w3.org/2001/XMLSchema#anyURI">
[c15]       <AttributeValue>/medico/record/patient/BartSimpson</AttributeValue>
[c16]     </Attribute>
[c17]   </Resource>
The <Resource> element contains one or more attributes of the resource to which the subject (or subjects) has requested access. There can be only one <Resource> per decision request. Lines [c13-c16] contain the one attribute of the resource to which Bart Simpson has requested access: the resource UNIX file-system path-name, which is "/medico/record/patient/BartSimpson".
[c18]   <Action>
[c19]     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
[c20]       DataType="http://www.w3.org/2001/XMLSchema#string">
[c21]       <AttributeValue>read</AttributeValue>
[c22]     </Attribute>
[c23]   </Action>
The <Action> element contains one or more attributes of the action that the subject (or subjects) wishes to take on the resource. There can be only one action per decision request. [c18-c23] describe the identity of the action Bart Simpson wishes to take, which is "read".
[c24] </Request>
[c24] closes the request context. A more complex request context may have contained some attributes not associated with the subject, the resource or the action. These would have been placed in an optional <Environment> element following the <Action> element.
The PDP processing this request context locates the policy in its policy repository. It compares the subject, resource and action in the request context with the subjects, resources and actions in the policy target. Since the policy target matches the <AnySubject>, <AnyResource> and <AnyAction> elements, the policy matches this context.
The PDP now compares the subject, resource and action in the request context with the target of the one rule in this policy. The requested resource matches the <AnyResource> element and the requested action matches the <AnyAction> element, but the requesting subject-id attribute does not match "medico.com".
4.1.3 Example response context
As a result, there is no rule in this policy that returns a "Permit" result for this request. The rule-combining algorithm for the policy specifies that, in this case, a result of "NotApplicable" should be returned. The response context looks as follows:
[r01] <?xml version="1.0" encoding="UTF-8"?>
[r02] <Response xmlns="urn:oasis:names:tc:xacml:1.0:context"
[r03]   xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context
[r04]     http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-context-01.xsd">
[r01-r04] contain the same sort of header information for the response as was described above for a policy.
[r05]   <Result>
[r06]     <Decision>NotApplicable</Decision>
[r07]   </Result>
The <Result> element in lines [r05-r07] contains the result of evaluating the decision request against the policy. In this case, the result is "NotApplicable". A policy can return "Permit", "Deny", "NotApplicable" or "Indeterminate".
[r08] </Response>
[r08] closes the response context
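The evaluation just walked through by hand (policy target, then rule target, then the rule-combining algorithm) is the same two-stage procedure described in section 2.10 and in steps 8 and 9 of the data-flow model. The following Python is an added example, not code from the OASIS specification or from any XACML implementation: it parses the example-one policy (embedded with the xsi:schemaLocation omitted), builds a request context of the shape shown in section 4.1.2 from constructed values, applies rfc822Name-match with the semantics of Appendix A (a full address must match exactly, a bare domain matches that domain only, a leading "." matches any sub-domain), and combines the rule results with deny-overrides as given in Appendix C, including the case where a rule whose Effect is "Deny" evaluates to "Indeterminate". Conditions, the other combining algorithms, <Environment> attributes and the MustBePresent flag are not modelled.

```python
"""Minimal XACML 1.0 PDP for the example-one policy (added example, not spec code)."""
import xml.etree.ElementTree as ET

P = "{urn:oasis:names:tc:xacml:1.0:policy}"
C = "{urn:oasis:names:tc:xacml:1.0:context}"
FN = "urn:oasis:names:tc:xacml:1.0:function:"


def rfc822_name_match(pattern, name):
    """rfc822Name-match(string, rfc822Name): a full address matches exactly (local part
    case-sensitive, domain case-insensitive); a bare domain matches that domain only;
    a pattern starting with '.' matches any sub-domain of it."""
    if "@" in pattern:
        plocal, pdom = pattern.split("@", 1)
        nlocal, ndom = name.split("@", 1)
        return plocal == nlocal and pdom.lower() == ndom.lower()
    dom = name.split("@", 1)[1].lower()
    return dom.endswith(pattern.lower()) if pattern.startswith(".") else dom == pattern.lower()


MATCH_FUNCTIONS = {FN + "rfc822Name-match": rfc822_name_match,
                   FN + "string-equal": lambda a, b: a == b}


def attribute_bag(request, category, attr_id):
    """All values of attr_id under the request's <Subject>/<Resource>/<Action> elements."""
    return [v.text.strip()
            for holder in request.iter(C + category)
            for attr in holder.findall(C + "Attribute") if attr.get("AttributeId") == attr_id
            for v in attr.findall(C + "AttributeValue")]


def match_element(match, request, category):
    """One *Match element: the literal is the first argument of the MatchId function,
    each value of the designated request attribute is the second (child order is irrelevant)."""
    fn = MATCH_FUNCTIONS[match.get("MatchId")]            # unknown function -> KeyError
    literal = match.find(P + "AttributeValue").text.strip()
    designator = match.find(P + category + "AttributeDesignator")
    bag = attribute_bag(request, category, designator.get("AttributeId"))
    return any(fn(literal, v) for v in bag)               # empty bag: no match


def target_matches(target, request):
    """<AnySubject/> etc. match everything; otherwise at least one <Subject> (resp.
    <Resource>, <Action>) must have every one of its *Match elements true."""
    if target is None:                                     # absent <Target>: inherited, so matches
        return True
    for cat in ("Subject", "Resource", "Action"):
        group = target.find(P + cat + "s")
        if group.find(P + "Any" + cat) is not None:
            continue
        if not any(all(match_element(m, request, cat) for m in d.findall(P + cat + "Match"))
                   for d in group.findall(P + cat)):
            return False
    return True


def evaluate_rule(rule, request):
    """Effect if the rule target matches, NotApplicable if not, Indeterminate on error."""
    try:
        if not target_matches(rule.find(P + "Target"), request):
            return "NotApplicable"
        if rule.find(P + "Condition") is not None:
            raise NotImplementedError("conditions are not modelled in this example")
        return rule.get("Effect")
    except Exception:
        return "Indeterminate"


def deny_overrides(rules, request):
    """Rule-combining deny-overrides per Appendix C: any Deny wins; an Indeterminate rule
    whose Effect is Deny also yields Deny, because a Deny cannot be ruled out."""
    at_least_one_error = potential_deny = at_least_one_permit = False
    for rule in rules:
        decision = evaluate_rule(rule, request)
        if decision == "Deny":
            return "Deny"
        if decision == "Permit":
            at_least_one_permit = True
        elif decision == "Indeterminate":
            at_least_one_error = True
            potential_deny = potential_deny or rule.get("Effect") == "Deny"
    if potential_deny:
        return "Deny"
    if at_least_one_permit:
        return "Permit"
    return "Indeterminate" if at_least_one_error else "NotApplicable"


def evaluate_policy(policy_xml, request_xml):
    """Steps 8 and 9 of the data-flow model: policy target first, then combine the rules."""
    policy, request = ET.fromstring(policy_xml), ET.fromstring(request_xml)
    if not target_matches(policy.find(P + "Target"), request):
        return "NotApplicable"
    assert policy.get("RuleCombiningAlgId").endswith("deny-overrides")   # only one modelled
    return deny_overrides(policy.findall(P + "Rule"), request)


EXAMPLE_POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
  PolicyId="identifier:example:SimplePolicy1"
  RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
  <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources>
    <Actions><AnyAction/></Actions></Target>
  <Rule RuleId="urn:oasis:names:tc:xacml:1.0:example:SimpleRule1" Effect="Permit">
    <Target>
      <Subjects><Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
          <AttributeValue DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">medico.com</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
            DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
        </SubjectMatch>
      </Subject></Subjects>
      <Resources><AnyResource/></Resources><Actions><AnyAction/></Actions>
    </Target>
  </Rule>
</Policy>"""


def make_request(email, ufs_path, action):
    """Constructed request context in the shape of section 4.1.2 (values are inputs)."""
    attr = ('<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:%s" DataType="%s">'
            '<AttributeValue>%s</AttributeValue></Attribute>')
    return ('<Request xmlns="urn:oasis:names:tc:xacml:1.0:context">'
            '<Subject>%s</Subject><Resource>%s</Resource><Action>%s</Action></Request>' % (
                attr % ("subject:subject-id", "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name", email),
                attr % ("resource:ufs-path", "http://www.w3.org/2001/XMLSchema#anyURI", ufs_path),
                attr % ("action:action-id", "http://www.w3.org/2001/XMLSchema#string", action)))


if __name__ == "__main__":
    print(evaluate_policy(EXAMPLE_POLICY,
                          make_request("bs@simpsons.com", "/medico/record/patient/BartSimpson", "read")))
```

For Bart Simpson's request the rule target does not match and the policy returns "NotApplicable", as in section 4.1.3; a request from any medico.com address returns "Permit". An unknown MatchId is treated as an evaluation error rather than as a non-match: under deny-overrides that turns a rule with Effect "Deny" into a "Deny" decision instead of a silent "NotApplicable", which is the fail-closed behaviour one wants from a PDP.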
4.2 Example two
This section contains an example XML document, an example request context and example XACML rules. The XML document is a medical record. Four separate rules are defined. These illustrate a rule-combining algorithm, conditions and obligations.
4.2.1 Example medical record instance
The following is an instance of a medical record to which the example XACML rules can be applied. The <record> schema is defined in the registered namespace administered by medico.com.
<?xml version="1.0" encoding="UTF-8"?>
<record xmlns="http://www.medico.com/schemas/record.xsd"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <patient>
    <patientName>
      <first>Bartholomew</first>
      <last>Simpson</last>
    </patientName>
    <patientContact>
      <street>27 Shelbyville Road</street>
      <city>Springfield</city>
      <state>MA</state>
      <zip>12345</zip>
      <phone>555.123.4567</phone>
      <fax/>
      <email/>
    </patientContact>
    <patientDoB>1992-03-21</patientDoB>
    <patientGender>male</patientGender>
    <patient-number>555555</patient-number>
  </patient>
  <parentGuardian>
    <parentGuardianId>HS001</parentGuardianId>
    <parentGuardianName>
      <first>Homer</first>
      <last>Simpson</last>
    </parentGuardianName>
    <parentGuardianContact>
      <street>27 Shelbyville Road</street>
      <city>Springfield</city>
      <state>MA</state>
      <zip>12345</zip>
      <phone>555.123.4567</phone>
      <fax/>
      <email>homers@aol.com</email>
    </parentGuardianContact>
  </parentGuardian>
  <primaryCarePhysician>
    <physicianName>
      <first>Julius</first>
      <last>Hibbert</last>
    </physicianName>
    <physicianContact>
      <street>1 First St</street>
      <city>Springfield</city>
      <state>MA</state>
      <zip>12345</zip>
      <phone>555.123.9012</phone>
      <fax>555.123.9013</fax>
      <email/>
    </physicianContact>
    <registrationID>ABC123</registrationID>
  </primaryCarePhysician>
  <insurer>
    <name>Blue Cross</name>
    <street>1234 Main St</street>
    <city>Springfield</city>
    <state>MA</state>
    <zip>12345</zip>
    <phone>555.123.5678</phone>
    <fax>555.123.5679</fax>
    <email/>
  </insurer>
  <medical>
    <treatment>
      <drug>
        <name>methylphenidate hydrochloride</name>
        <dailyDosage>30mgs</dailyDosage>
        <startDate>1999-01-12</startDate>
      </drug>
      <comment>patient exhibits side-effects of skin coloration and carpal degeneration</comment>
    </treatment>
    <result>
      <test>blood pressure</test>
      <value>120/80</value>
      <date>2001-06-09</date>
      <performedBy>Nurse Betty</performedBy>
    </result>
  </medical>
</record>
4.2.2 Example request context
The following example illustrates a request context to which the example rules may be applicable. It represents a request by the physician Julius Hibbert to read the patient date of birth in the record of Bartholomew Simpson.
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
[03]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
[04]   <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
[05]     <Attribute AttributeId=
[06]         "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
[07]       DataType=
[08]         "urn:oasis:names:tc:xacml:1.0:data-type:x500Name"
[09]       Issuer="www.medico.com"
[10]       IssueInstant="2001-12-17T09:30:47-05:00">
[11]       <AttributeValue>CN=Julius Hibbert</AttributeValue>
[12]     </Attribute>
[13]     <Attribute AttributeId=
[14]         "urn:oasis:names:tc:xacml:1.0:example:attribute:role"
[15]       DataType="http://www.w3.org/2001/XMLSchema#string"
[16]       Issuer="www.medico.com"
[17]       IssueInstant="2001-12-17T09:30:47-05:00">
[18]       <AttributeValue>physician</AttributeValue>
[19]     </Attribute>
[20]     <Attribute AttributeId=
[21]         "urn:oasis:names:tc:xacml:1.0:example:attribute:physician-id"
[22]       DataType="http://www.w3.org/2001/XMLSchema#string"
[23]       Issuer="www.medico.com"
[24]       IssueInstant="2001-12-17T09:30:47-05:00">
[25]       <AttributeValue>jh1234</AttributeValue>
[26]     </Attribute>
[27]   </Subject>
[28]   <Resource>
[29]     <ResourceContent>
[30]       <md:record
[31]         xmlns:md="http://www.medico.com/schemas/record.xsd">
[32]         <md:patient>
[33]           <md:patientDoB>1992-03-21</md:patientDoB>
[34]         </md:patient>
[35]         <!-- other fields -->
[36]       </md:record>
[37]     </ResourceContent>
[38]     <Attribute AttributeId=
[39]         "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
[40]       DataType="http://www.w3.org/2001/XMLSchema#string">
[41]       <AttributeValue>
[42]         //medico.com/records/bart-simpson.xml#
[43]         xmlns(md=http://www.medico.com/schemas/record.xsd)
[44]         xpointer(/md:record/md:patient/md:patientDoB)
[45]       </AttributeValue>
[46]     </Attribute>
[47]     <Attribute AttributeId=
[48]         "urn:oasis:names:tc:xacml:1.0:resource:xpath"
[49]       DataType="http://www.w3.org/2001/XMLSchema#string">
[50]       <AttributeValue>
[51]         xmlns(md=http://www.medico.com/schemas/record.xsd)
[52]         xpointer(/md:record/md:patient/md:patientDoB)
[53]       </AttributeValue>
[54]     </Attribute>
[55]     <Attribute AttributeId=
[56]         "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
[57]       DataType="http://www.w3.org/2001/XMLSchema#string">
[58]       <AttributeValue>
[59]         http://www.medico.com/schemas/record.xsd
[60]       </AttributeValue>
[61]     </Attribute>
[62]   </Resource>
[63]   <Action>
[64]     <Attribute AttributeId=
[65]         "urn:oasis:names:tc:xacml:1.0:action:action-id"
[66]       DataType="http://www.w3.org/2001/XMLSchema#string">
[67]       <AttributeValue>read</AttributeValue>
[68]     </Attribute>
[69]   </Action>
[70] </Request>
[02]-[03] Standard namespace declarations
[04]-[27] Subject attributes are placed in the Subject section of the Request Each attribute consists of the attribute meta-data and the attribute value
[04] Each <Subject> element has a SubjectCategory XML attribute. The value of this attribute describes the role that the subject plays in making the decision request. The value "access-subject" denotes the identity for which the request was issued.
[05]-[12] Subject subject-id attribute
[13]-[19] Subject role attribute
[20]-[26] Subject physician-id attribute
[28]-[62] Resource attributes are placed in the Resource section of the Request Each attribute consists of attribute meta-data and an attribute value
[29]-[36] Resource content The XML document that is being requested is placed here
[38]-[46] Resource identifier
[47]-[61] The Resource is identified with an XPointer expression that names the URI of the file that is accessed, the target namespace of the document and the XPath location path to the specific element.
[47]-[54] The XPath location path in the ldquoresource-idrdquo attribute is extracted and placed in the xpath attribute
[55]-[61] Resource target-namespace attribute
[63]-[69] Action attributes are placed in the Action section of the Request
[64]-[68] Action identifier
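Lines [38]-[61] above show a context handler deriving two resource attributes (xpath and target-namespace) from the resource-id XPointer and the embedded <ResourceContent>, so that a policy can match on them and evaluate XPath over the document. The following Python is an added example, not code from the specification or from any XACML product: it splits the resource-id into its URI, the xmlns() prefix bindings and the xpointer() location path, reads the target namespace off the root of the embedded document, and evaluates the path against <ResourceContent> with ElementTree's limited XPath support (child-axis steps with namespace prefixes; the full XPath 1.0 grammar is not handled). The request below is a constructed, abbreviated copy of the example-two context. One point worth checking in a real context handler: the xpath attribute must be derived from the resource-id by the handler, not accepted from the requester, otherwise a caller could steer a "read patientDoB" decision at a different node than the one the PEP actually returns.

```python
"""Derive xpath / target-namespace from a resource-id XPointer and evaluate it (added example)."""
import re
import xml.etree.ElementTree as ET

CTX = "{urn:oasis:names:tc:xacml:1.0:context}"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"

# Constructed request: the example-two <Resource> with only the resource-id attribute,
# since the other two attributes are what this code derives.
REQUEST = """<Request xmlns="urn:oasis:names:tc:xacml:1.0:context">
  <Resource>
    <ResourceContent>
      <md:record xmlns:md="http://www.medico.com/schemas/record.xsd">
        <md:patient><md:patientDoB>1992-03-21</md:patientDoB></md:patient>
      </md:record>
    </ResourceContent>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>//medico.com/records/bart-simpson.xml#xmlns(md=http://www.medico.com/schemas/record.xsd) xpointer(/md:record/md:patient/md:patientDoB)</AttributeValue>
    </Attribute>
  </Resource>
</Request>"""


def parse_xpointer(resource_id):
    """Split '<uri>#xmlns(p=ns)... xpointer(<path>)' into (uri, {prefix: ns}, path)."""
    uri, _, fragment = resource_id.partition("#")
    nsmap = dict(re.findall(r"xmlns\((\w+)=([^)]+)\)", fragment))
    m = re.search(r"xpointer\(([^)]+)\)", fragment)
    if not m:
        raise ValueError("resource-id has no xpointer() part: %r" % resource_id)
    return uri, nsmap, m.group(1)


def select(request_xml):
    """Return (target_namespace, xpath, [text of each selected node])."""
    req = ET.fromstring(request_xml)
    content = req.find(CTX + "Resource/" + CTX + "ResourceContent")
    root = list(content)[0]                          # root element of the embedded document
    target_ns = root.tag[1:].split("}")[0]           # '{ns}record' -> ns
    attr = next(a for a in req.iter(CTX + "Attribute") if a.get("AttributeId") == RESOURCE_ID)
    _, nsmap, xpath = parse_xpointer(attr.findtext(CTX + "AttributeValue").strip())
    steps = xpath.lstrip("/").split("/")             # absolute path: first step names the root
    prefix, local = steps[0].split(":")
    if root.tag != "{%s}%s" % (nsmap[prefix], local):
        return target_ns, xpath, []                  # path is for some other document
    nodes = root.findall("/".join(steps[1:]), nsmap) if len(steps) > 1 else [root]
    return target_ns, xpath, [(n.text or "").strip() for n in nodes]


if __name__ == "__main__":
    print(select(REQUEST))
```

With the example-two request this yields the target namespace "http://www.medico.com/schemas/record.xsd" (what Rule 1's first <ResourceMatch> compares with string-equal), the location path "/md:record/md:patient/md:patientDoB", and the single selected value "1992-03-21".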
4.2.3 Example plain-language rules
The following plain-language rules are to be enforced:
Rule 1 A person identified by his or her patient number may read any record for which he or she is the designated patient
Rule 2 A person may read any record for which he or she is the designated parent or guardian and for which the patient is under 16 years of age
Rule 3 A physician may write to any medical element for which he or she is the designated primary care physician provided an email is sent to the patient
Rule 4 An administrator shall not be permitted to read or write to medical elements of a patient record
These rules may be written by different PAPs operating independently or by a single PAP
424 Example XACML rule instances
4241 Rule 1
Rule 1 illustrates a simple rule with a single ltConditiongt element The following XACML ltRulegt instance expresses Rule 1
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Rule
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   xmlns:ctx="urn:oasis:names:tc:xacml:1.0:context"
[06]   xmlns:md="http://www.medico.com/schemas/record.xsd"
[07]   RuleId="urn:oasis:names:tc:xacml:examples:ruleid:1"
[08]   Effect="Permit">
[09]   <Description>
[10]     A person may read any medical record in the
[11]     http://www.medico.com/schemas/record.xsd namespace
[12]     for which he or she is a designated patient
[13]   </Description>
[14]   <Target>
[15]     <Subjects>
[16]       <AnySubject/>
[17]     </Subjects>
[18]     <Resources>
[20]       <Resource>
[21]         <!-- match document target namespace -->
[22]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[23]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[24]             http://www.medico.com/schemas/record.xsd
[25]           </AttributeValue>
[26]           <ResourceAttributeDesignator AttributeId=
[27]             "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[28]         </ResourceMatch>
[29]         <!-- match requested xml element -->
[30]         <ResourceMatch
               MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-node-match">
[31]           <AttributeValue
               DataType="http://www.w3.org/2001/XMLSchema#string">/md:record</AttributeValue>
[32]           <ResourceAttributeDesignator AttributeId=
[33]             "urn:oasis:names:tc:xacml:1.0:resource:xpath"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[34]         </ResourceMatch>
[35]       </Resource>
[36]     </Resources>
[37]     <Actions>
[38]       <Action>
[39]         <ActionMatch
               MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[40]           <AttributeValue
               DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
[41]           <ActionAttributeDesignator AttributeId=
[42]             "urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[43]         </ActionMatch>
[44]       </Action>
[45]     </Actions>
[46]   </Target>
[47]   <!-- compare policy number in the document with
[48]        policy-number attribute -->
[49]   <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[50]     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[51]       <!-- policy-number attribute -->
[52]       <SubjectAttributeDesignator AttributeId=
[53]         "urn:oasis:names:tc:xacml:1.0:examples:attribute:policy-number"
           DataType="http://www.w3.org/2001/XMLSchema#string"/>
[54]     </Apply>
[55]     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[56]       <!-- policy number in the document -->
[57]       <AttributeSelector RequestContextPath=
[58]         "//md:record/md:patient/md:patient-number/text()"
           DataType="http://www.w3.org/2001/XMLSchema#string">
[59]       </AttributeSelector>
[60]     </Apply>
[61]   </Condition>
[62] </Rule>
[02]-[06] XML namespace declarations.
[07] Rule identifier.
[08] When a rule evaluates to "True", it emits the value of the Effect attribute. This value is combined with the Effect values of other rules according to the rule-combining algorithm.
[09]-[13] Free-form description of the rule.
[14]-[46] A rule target defines the set of decision requests that are applicable to the rule. A decision request such that the value of the "urn:oasis:names:tc:xacml:1.0:resource:target-namespace" resource attribute is equal to "http://www.medico.com/schemas/record.xsd", the value of the "urn:oasis:names:tc:xacml:1.0:resource:xpath" resource attribute matches the XPath expression "/md:record", and the value of the "urn:oasis:names:tc:xacml:1.0:action:action-id" action attribute is equal to "read" matches the target of this rule.
[15]-[17] The Subjects element may contain either a disjunctive sequence of Subject elements or an AnySubject element.
[16] The AnySubject element is a special element that matches any subject in the request context.
[18]-[36] The Resources element may contain either a disjunctive sequence of Resource elements or an AnyResource element.
[20]-[35] The Resource element encloses a conjunctive sequence of ResourceMatch elements.
[22]-[28] The ResourceMatch element compares its first and second child elements according to the matching function. A match is positive if the value of the first argument matches any of the values selected by the second argument. This match compares the target namespace of the requested document with the value "http://www.medico.com/schemas/record.xsd".
[22] The MatchId attribute names the matching function.
[23]-[25] Literal attribute value to match.
[26]-[27] The ResourceAttributeDesignator element selects the resource attribute values from the request context. The attribute name is specified by the AttributeId. The selection result is a bag of values.
[30]-[34] The ResourceMatch element. This match compares the results of two XPath expressions. The first XPath expression is "/md:record" and the second XPath expression is the location path to the requested XML element. The "xpath-node-match" function evaluates to "True" if the requested XML element is below the md:record element.
[30] The MatchId attribute names the matching function.
[31] The literal XPath expression to match. The md prefix is resolved using a standard namespace declaration.
[32]-[33] The ResourceAttributeDesignator selects the bag of values for the "urn:oasis:names:tc:xacml:1.0:resource:xpath" resource attribute. Here there is just one element in the bag, which is the location path for the requested XML element.
[37]-[45] The Actions element may contain either a disjunctive sequence of Action elements or an AnyAction element.
[38]-[44] The Action element contains a conjunctive sequence of ActionMatch elements.
[39]-[43] The ActionMatch element compares its first and second child elements according to the matching function. A match is positive if the value of the first argument matches any of the values selected by the second argument. In this case the value of the action-id action attribute in the request context is compared with the value "read".
[39] The MatchId attribute names the matching function.
[40] The attribute value to match. This is an action name.
[41]-[42] The ActionAttributeDesignator selects action attribute values from the request context. The attribute name is specified by the AttributeId. The selection result is a bag of values. "urn:oasis:names:tc:xacml:1.0:action:action-id" is the predefined name for the action identifier.
[49]-[61] The <Condition> element. A condition must evaluate to "True" for the rule to be applicable. This condition evaluates the truth of the statement: the patient-number subject attribute is equal to the patient-number in the XML document.
[49] The FunctionId attribute of the <Condition> element names the function to be used for comparison. In this case comparison is done with urn:oasis:names:tc:xacml:1.0:function:string-equal; this function takes two arguments of the "http://www.w3.org/2001/XMLSchema#string" data-type.
[50] The first argument to urn:oasis:names:tc:xacml:1.0:function:string-equal in the Condition. Functions can take other functions as arguments. The Apply element encodes the function call, with the FunctionId attribute naming the function. Since urn:oasis:names:tc:xacml:1.0:function:string-equal takes arguments of the "http://www.w3.org/2001/XMLSchema#string" data-type and SubjectAttributeDesignator selects a bag of "http://www.w3.org/2001/XMLSchema#string" values, "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" is used. This function guarantees that its argument evaluates to a bag containing one and only one "http://www.w3.org/2001/XMLSchema#string" element.
[52]-[53] The SubjectAttributeDesignator selects a bag of values for the policy-number subject attribute in the request context.
[55] The second argument to "urn:oasis:names:tc:xacml:1.0:function:string-equal" in the Condition. Functions can take other functions as arguments. The Apply element encodes the function call, with the FunctionId attribute naming the function. Since "urn:oasis:names:tc:xacml:1.0:function:string-equal" takes arguments of the "http://www.w3.org/2001/XMLSchema#string" data-type and the AttributeSelector selects a bag of "http://www.w3.org/2001/XMLSchema#string" values, "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" is used. This function guarantees that its argument evaluates to a bag containing one and only one "http://www.w3.org/2001/XMLSchema#string" element.
[57] The AttributeSelector element selects a bag of values from the request context. The AttributeSelector is a free-form XPath pointing device into the request context. The RequestContextPath attribute specifies an XPath expression over the content of the requested XML document, selecting the policy number. Note that the namespace prefixes in the XPath expression are resolved with the standard XML namespace declarations.
4.2.4.2 Rule 2
Rule 2 illustrates the use of a mathematical function, i.e. the <Apply> element with FunctionId urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration, to calculate a date. It also illustrates the use of predicate expressions with the FunctionId urn:oasis:names:tc:xacml:1.0:function:and.
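As an added illustration of the xpath-node-match ResourceMatch at [30]-[34] (example code, not part of the specification), the following Python evaluates the function over a constructed record and shows why the request of Section 4.2.2, whose xpath attribute names the patientDoB element, matches Rule 1's "/md:record" literal but would not match the "/md:record/md:medical" literal used by Rules 3 and 4. The record content (including an assumed md:treatment child of md:medical) is constructed for the example, and only the abbreviated child-step location paths used in the examples are resolved.

```python
"""xpath-node-match: is the requested element at or below the node named by the rule?"""
import xml.etree.ElementTree as ET

MD = "http://www.medico.com/schemas/record.xsd"
NS = {"md": MD}

# Constructed resource content, modelled on the medico.com record; md:treatment is assumed.
RECORD_XML = f"""<md:record xmlns:md="{MD}">
  <md:patient>
    <md:patientDoB>1992-03-21</md:patientDoB>
  </md:patient>
  <md:medical>
    <md:treatment>constructed treatment entry</md:treatment>
  </md:medical>
</md:record>"""

# The value of the resource:xpath attribute in the Section 4.2.2 request.
REQUESTED_XPATH = "/md:record/md:patient/md:patientDoB"


def select_nodes(root, location_path):
    """Resolve an absolute location path such as '/md:record/md:medical' to a node-set.
    Only the abbreviated child-step form used by the examples is supported."""
    steps = location_path.lstrip("/").split("/")
    if steps[0] != "md:record" or root.tag != f"{{{MD}}}record":
        return []                      # path does not start at the document element
    if len(steps) == 1:
        return [root]
    return root.findall("/".join(steps[1:]), NS)


def xpath_node_match(root, rule_path, request_path):
    """urn:oasis:names:tc:xacml:1.0:function:xpath-node-match (element nodes only): True if some
    node selected by the request's path is the same as, or a descendant of, a node selected by
    the rule's XPath literal."""
    requested = select_nodes(root, request_path)
    for anchor in select_nodes(root, rule_path):
        subtree = {id(n) for n in anchor.iter()}   # iter() yields anchor and all descendants
        if any(id(node) in subtree for node in requested):
            return True
    return False


def resource_match_xpath(root, rule_literal, request_xpath_bag):
    """<ResourceMatch MatchId="...xpath-node-match">: the literal (first child) is matched
    against every value in the bag selected by the resource:xpath designator (second child);
    the match is positive if any value matches."""
    return any(xpath_node_match(root, rule_literal, value) for value in request_xpath_bag)


def demo():
    """Evaluate the three target literals that appear in the examples against the request."""
    root = ET.fromstring(RECORD_XML)
    return {
        "rule1 /md:record": resource_match_xpath(root, "/md:record", [REQUESTED_XPATH]),
        "rule4 /md:record/md:medical": resource_match_xpath(
            root, "/md:record/md:medical", [REQUESTED_XPATH]),
        "rule4 on a treatment element": resource_match_xpath(
            root, "/md:record/md:medical", ["/md:record/md:medical/md:treatment"]),
    }


if __name__ == "__main__":
    for label, matched in demo().items():
        print(f"{label}: {matched}")
```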
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Rule
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   xmlns:ctx="urn:oasis:names:tc:xacml:1.0:context"
[06]   xmlns:md="http://www.medico.com/schemas/record.xsd"
[07]   RuleId="urn:oasis:names:tc:xacml:examples:ruleid:2"
[08]   Effect="Permit">
[09]   <Description>
[10]     A person may read any medical record in the
[11]     http://www.medico.com/records.xsd namespace
[12]     for which he or she is the designated parent or guardian,
[13]     and for which the patient is under 16 years of age
[14]   </Description>
[15]   <Target>
[16]     <Subjects>
[17]       <AnySubject/>
[18]     </Subjects>
[19]     <Resources>
[20]       <Resource>
[21]         <!-- match document target namespace -->
[22]         <ResourceMatch
               MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[23]           <AttributeValue
               DataType="http://www.w3.org/2001/XMLSchema#string">
[24]             http://www.medico.com/schemas/record.xsd
[25]           </AttributeValue>
[26]           <ResourceAttributeDesignator AttributeId=
[27]             "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[28]         </ResourceMatch>
[29]         <!-- match requested xml element -->
[30]         <ResourceMatch
               MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-node-match">
[31]           <AttributeValue
               DataType="http://www.w3.org/2001/XMLSchema#string">/md:record</AttributeValue>
[32]           <ResourceAttributeDesignator AttributeId=
[33]             "urn:oasis:names:tc:xacml:1.0:resource:xpath"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[34]         </ResourceMatch>
[35]       </Resource>
[36]     </Resources>
[37]     <Actions>
[38]       <Action>
[39]         <!-- match read action -->
[40]         <ActionMatch
               MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[41]           <AttributeValue
               DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
[42]           <ActionAttributeDesignator AttributeId=
[43]             "urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[44]         </ActionMatch>
[45]       </Action>
[46]     </Actions>
[47]   </Target>
[48]   <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
[49]     <!-- compare parent-guardian-id subject attribute with
[50]          the value in the document -->
[51]     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[52]       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[53]         <!-- parent-guardian-id subject attribute -->
[54]         <SubjectAttributeDesignator AttributeId=
[55]           "urn:oasis:names:tc:xacml:1.0:examples:attribute:
[56]            parent-guardian-id"
             DataType="http://www.w3.org/2001/XMLSchema#string"/>
[57]       </Apply>
[58]       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[59]         <!-- parent-guardian-id element in the document -->
[60]         <AttributeSelector RequestContextPath=
[61]           "//md:record/md:parentGuardian/md:parentGuardianId/text()"
[62]           DataType="http://www.w3.org/2001/XMLSchema#string">
[63]         </AttributeSelector>
[64]       </Apply>
[65]     </Apply>
[66]     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-less-or-equal">
[67]       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
[68]         <EnvironmentAttributeDesignator AttributeId=
[69]           "urn:oasis:names:tc:xacml:1.0:environment:current-date"
             DataType="http://www.w3.org/2001/XMLSchema#date"/>
[70]       </Apply>
[71]       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration">
[73]         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
[74]           <!-- patient dob recorded in the document -->
[75]           <AttributeSelector RequestContextPath=
[76]             "//md:record/md:patient/md:patientDoB/text()"
               DataType="http://www.w3.org/2001/XMLSchema#date">
[77]           </AttributeSelector>
[78]         </Apply>
[79]         <AttributeValue DataType="http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration">
[80]           P16Y
[81]         </AttributeValue>
[82]       </Apply>
[83]     </Apply>
[84]   </Condition>
[85] </Rule>
[02]-[47] Rule declaration and rule target. See Rule 1 in Section 4.2.4.1 for the detailed explanation of these elements.
[48]-[82] The Condition element. The Condition must evaluate to "True" for the rule to be applicable. This condition evaluates the truth of the statement: the requestor is the designated parent or guardian, and the patient is under 16 years of age.
[48] The Condition uses the "urn:oasis:names:tc:xacml:1.0:function:and" function. This is a boolean function that takes one or more boolean arguments (2 in this case) and performs the logical "AND" operation to compute the truth value of the expression.
[51]-[65] The truth of the first part of the condition is evaluated: the requestor is the designated parent or guardian. The Apply element contains a function invocation. The function name is contained in the FunctionId attribute. The comparison is done with "urn:oasis:names:tc:xacml:1.0:function:string-equal", which takes 2 arguments of the "http://www.w3.org/2001/XMLSchema#string" data-type.
[52] Since "urn:oasis:names:tc:xacml:1.0:function:string-equal" takes arguments of the "http://www.w3.org/2001/XMLSchema#string" data-type, "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" is used to ensure that the subject attribute "urn:oasis:names:tc:xacml:1.0:examples:attribute:parent-guardian-id" in the request context contains one and only one value. "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" takes an argument expression that evaluates to a bag of "http://www.w3.org/2001/XMLSchema#string" values.
[54] The value of the subject attribute "urn:oasis:names:tc:xacml:1.0:examples:attribute:parent-guardian-id" is selected from the request context with the <SubjectAttributeDesignator> element. This expression evaluates to a bag of "http://www.w3.org/2001/XMLSchema#string" values.
[58] "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" is used to ensure that the bag of values selected by its argument contains one and only one value of data-type "http://www.w3.org/2001/XMLSchema#string".
[60] The value of the md:parentGuardianId element is selected from the resource content with the AttributeSelector element. The AttributeSelector is a free-form XPath expression pointing into the request context. The RequestContextPath XML attribute contains an XPath expression over the request context. Note that all namespace prefixes in the XPath expression are resolved with standard namespace declarations. The AttributeSelector evaluates to a bag of values of data-type "http://www.w3.org/2001/XMLSchema#string".
[66]-[83] The expression "the patient is under 16 years of age" is evaluated. The patient is under 16 years of age if the current date is less than the date computed by adding 16 years to the patient's date of birth.
[66] "urn:oasis:names:tc:xacml:1.0:function:date-less-or-equal" is used to compare the two dates, i.e. to test whether the current date is on or before the computed date.
[67] "urn:oasis:names:tc:xacml:1.0:function:date-one-and-only" is used to ensure that the bag of values selected by its argument contains one and only one value of data-type "http://www.w3.org/2001/XMLSchema#date".
[68]-[69] The current date is evaluated by selecting the "urn:oasis:names:tc:xacml:1.0:environment:current-date" environment attribute.
[71] "urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration" is used to compute the date by adding 16 years to the patient's date of birth. The first argument is a "http://www.w3.org/2001/XMLSchema#date" and the second argument is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration".
[73] "urn:oasis:names:tc:xacml:1.0:function:date-one-and-only" is used to ensure that the bag of values selected by its argument contains one and only one value of data-type "http://www.w3.org/2001/XMLSchema#date".
[75]-[76] The <AttributeSelector> element selects the patient's date of birth by evaluating the XPath expression over the document content.
[79]-[81] yearMonthDuration of 16 years.
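As an added worked example (not part of the specification), the following Python evaluates the <Condition> elements of Rule 1 and Rule 2 over a constructed request context: the bag checks behind string-one-and-only and date-one-and-only, date-add-yearMonthDuration with the day clamped to the target month, date-less-or-equal, and the mapping of a condition result to Permit, NotApplicable or Indeterminate. The record content, the subject attribute values and the current-date value are constructed; the AttributeSelector resolves only the "//md:record/.../text()" path shape that the examples use.

```python
"""Evaluate the <Condition> of Rule 1 and Rule 2 over a constructed request context."""
import calendar
import re
import xml.etree.ElementTree as ET
from datetime import date

MD = "http://www.medico.com/schemas/record.xsd"
NS = {"md": MD}
XACML = "urn:oasis:names:tc:xacml:1.0"

# Constructed resource content, modelled on the medico.com record used by the examples.
RECORD_XML = f"""<md:record xmlns:md="{MD}">
  <md:patient>
    <md:patient-number>555555</md:patient-number>
    <md:patientDoB>1992-03-21</md:patientDoB>
  </md:patient>
  <md:parentGuardian>
    <md:parentGuardianId>HS001</md:parentGuardianId>
  </md:parentGuardian>
</md:record>"""

# Constructed request context: bags of attribute values keyed by AttributeId.
REQUEST = {
    "subject": {
        f"{XACML}:examples:attribute:policy-number": ["555555"],
        f"{XACML}:examples:attribute:parent-guardian-id": ["HS001"],
    },
    "environment": {f"{XACML}:environment:current-date": ["2008-03-20"]},
    "resource_content": RECORD_XML,
}


class Indeterminate(Exception):
    """Raised when a function cannot yield a value (here: a bag that is not of size one)."""


def one_and_only(bag):
    """string-one-and-only / date-one-and-only: the single value of a bag, else Indeterminate."""
    if len(bag) != 1:
        raise Indeterminate(f"bag holds {len(bag)} values, exactly one required")
    return bag[0]


def attribute_selector(resource_content, path):
    """AttributeSelector: evaluate a '//md:record/.../text()' RequestContextPath over the
    resource content, returning a bag of strings (empty if the path does not apply)."""
    root = ET.fromstring(resource_content)
    prefix, suffix = "//md:record/", "/text()"
    if root.tag != f"{{{MD}}}record" or not (path.startswith(prefix) and path.endswith(suffix)):
        return []
    relative = path[len(prefix):-len(suffix)]
    return [(e.text or "").strip() for e in root.findall(relative, NS)]


def parse_year_month_duration(text):
    """Parse a yearMonthDuration such as 'P16Y' or 'P1Y6M' into a signed number of months."""
    m = re.fullmatch(r"(-?)P(?:(\d+)Y)?(?:(\d+)M)?", text)
    if not m or (m.group(2) is None and m.group(3) is None):
        raise Indeterminate(f"not a yearMonthDuration: {text!r}")
    months = int(m.group(2) or 0) * 12 + int(m.group(3) or 0)
    return -months if m.group(1) else months


def date_add_year_month_duration(d, duration):
    """date-add-yearMonthDuration: shift by whole months; the day is clamped to the length of
    the target month (so 2004-02-29 plus P1Y is 2005-02-28)."""
    total = d.year * 12 + (d.month - 1) + parse_year_month_duration(duration)
    year, month0 = divmod(total, 12)
    day = min(d.day, calendar.monthrange(year, month0 + 1)[1])
    return date(year, month0 + 1, day)


def rule1_condition(req):
    """Rule 1: string-equal(one-and-only(policy-number), one-and-only(patient-number in document))."""
    subject_value = one_and_only(req["subject"].get(f"{XACML}:examples:attribute:policy-number", []))
    document_value = one_and_only(attribute_selector(
        req["resource_content"], "//md:record/md:patient/md:patient-number/text()"))
    return subject_value == document_value


def rule2_condition(req):
    """Rule 2: and(guardian id equals the document's, current-date <= patientDoB + P16Y)."""
    guardian_matches = one_and_only(
        req["subject"].get(f"{XACML}:examples:attribute:parent-guardian-id", [])
    ) == one_and_only(attribute_selector(
        req["resource_content"], "//md:record/md:parentGuardian/md:parentGuardianId/text()"))
    if not guardian_matches:      # 'and' is False as soon as one argument is False
        return False
    today = date.fromisoformat(one_and_only(
        req["environment"].get(f"{XACML}:environment:current-date", [])))
    dob = date.fromisoformat(one_and_only(attribute_selector(
        req["resource_content"], "//md:record/md:patient/md:patientDoB/text()")))
    return today <= date_add_year_month_duration(dob, "P16Y")   # date-less-or-equal


def rule_result(condition, req, effect="Permit"):
    """A rule whose condition is True yields its Effect, False yields NotApplicable, and a
    failed function evaluation (e.g. an ill-sized bag) yields Indeterminate."""
    try:
        return effect if condition(req) else "NotApplicable"
    except Indeterminate:
        return "Indeterminate"


if __name__ == "__main__":
    print("Rule 1:", rule_result(rule1_condition, REQUEST))   # Permit
    print("Rule 2:", rule_result(rule2_condition, REQUEST))   # Permit
```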
4.2.4.3 Rule 3
Rule 3 illustrates the use of an obligation. The XACML <Rule> element syntax does not include an element suitable for carrying an obligation; therefore Rule 3 has to be formatted as a <Policy> element.
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Policy
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   xmlns:ctx="urn:oasis:names:tc:xacml:1.0:context"
[06]   xmlns:md="http://www.medico.com/schemas/record.xsd"
[07]   PolicyId="urn:oasis:names:tc:xacml:examples:policyid:3"
[08]   RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:
[09]     rule-combining-algorithm:deny-overrides">
[10]   <Description>
[11]     Policy for any medical record in the
[12]     http://www.medico.com/schemas/record.xsd namespace
[13]   </Description>
[14]   <Target>
[15]     <Subjects>
[16]       <AnySubject/>
[17]     </Subjects>
[18]     <Resources>
[19]       <Resource>
[20]         <!-- match document target namespace -->
[21]         <ResourceMatch
               MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[22]           <AttributeValue
               DataType="http://www.w3.org/2001/XMLSchema#string">
[23]             http://www.medico.com/schemas/record.xsd
[24]           </AttributeValue>
[25]           <ResourceAttributeDesignator AttributeId=
[26]             "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[27]         </ResourceMatch>
[28]       </Resource>
[29]     </Resources>
[30]     <Actions>
[31]       <AnyAction/>
[32]     </Actions>
[33]   </Target>
[34]   <Rule RuleId="urn:oasis:names:tc:xacml:examples:ruleid:3"
[35]     Effect="Permit">
[36]     <Description>
[37]       A physician may write any medical element in a record
[38]       for which he or she is the designated primary care
[39]       physician provided an email is sent to the patient
[40]     </Description>
[41]     <Target>
[42]       <Subjects>
[43]         <Subject>
[44]           <!-- match subject group attribute -->
[45]           <SubjectMatch
                 MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[46]             <AttributeValue
                 DataType="http://www.w3.org/2001/XMLSchema#string">physician</AttributeValue>
[47]             <SubjectAttributeDesignator AttributeId=
[48]               "urn:oasis:names:tc:xacml:1.0:example:attribute:role"
                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
[49]           </SubjectMatch>
[50]         </Subject>
[51]       </Subjects>
[52]       <Resources>
[53]         <Resource>
[54]           <!-- match requested xml element -->
[55]           <ResourceMatch
                 MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-node-match">
[56]             <AttributeValue
                 DataType="http://www.w3.org/2001/XMLSchema#string">
[57]               /md:record/md:medical
[58]             </AttributeValue>
[59]             <ResourceAttributeDesignator AttributeId=
[60]               "urn:oasis:names:tc:xacml:1.0:resource:xpath"
                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
[61]           </ResourceMatch>
[62]         </Resource>
[63]       </Resources>
[64]       <Actions>
[65]         <Action>
[66]           <!-- match action -->
[67]           <ActionMatch
                 MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[68]             <AttributeValue
                 DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
[069]            <ActionAttributeDesignator AttributeId=
[070]              "urn:oasis:names:tc:xacml:1.0:action:action-id"
                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
[071]          </ActionMatch>
[072]        </Action>
[073]      </Actions>
[074]    </Target>
[075]    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[076]      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[077]        <!-- physician-id subject attribute -->
[078]        <SubjectAttributeDesignator AttributeId=
[079]          "urn:oasis:names:tc:xacml:1.0:example:
[080]           attribute:physician-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[081]      </Apply>
[082]      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[083]        <AttributeSelector RequestContextPath=
[084]          "//md:record/md:primaryCarePhysician/md:registrationID/text()"
[085]          DataType="http://www.w3.org/2001/XMLSchema#string"/>
[086]      </Apply>
[087]    </Condition>
[089]  </Rule>
[090]  <Obligations>
[091]    <!-- send e-mail message to the document owner -->
[092]    <Obligation ObligationId=
[093]      "urn:oasis:names:tc:xacml:example:obligation:email"
[094]      FulfillOn="Permit">
[095]      <AttributeAssignment AttributeId=
[096]        "urn:oasis:names:tc:xacml:1.0:example:attribute:mailto"
[097]        DataType="http://www.w3.org/2001/XMLSchema#string">
[098]        <AttributeSelector RequestContextPath=
[099]          "//md:record/md:patient/md:patientContact/md:email"
[100]          DataType="http://www.w3.org/2001/XMLSchema#string"/>
[101]      </AttributeAssignment>
[102]      <AttributeAssignment AttributeId=
[103]        "urn:oasis:names:tc:xacml:1.0:example:attribute:text"
[104]        DataType="http://www.w3.org/2001/XMLSchema#string">
[105]        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[106]          Your medical record has been accessed by
[107]        </AttributeValue>
[108]      </AttributeAssignment>
[109]      <AttributeAssignment AttributeId=
[110]        "urn:oasis:names:tc:xacml:example:attribute:text"
[111]        DataType="http://www.w3.org/2001/XMLSchema#string">
[112]        <SubjectAttributeDesignator AttributeId=
[113]          "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[114]      </AttributeAssignment>
[115]    </Obligation>
[116]  </Obligations>
[117] </Policy>
[01]-[09] The Policy element includes standard namespace declarations as well as policy-specific parameters such as PolicyId and RuleCombiningAlgId.
[07] Policy identifier. This parameter is used for the inclusion of the Policy in the PolicySet element.
[08]-[09] Rule-combining algorithm identifier. This parameter is used to compute the combined outcome of the rule effects for the rules that are applicable to the decision request.
[10]-[13] Free-form description of the policy.
[14]-[33] Policy target. The policy target defines a set of applicable decision requests. The structure of the Target element in the Policy is identical to the structure of the Target element in the Rule. In this case the policy target is the set of all XML documents conforming to the "http://www.medico.com/schemas/record.xsd" target namespace. For a detailed description of the Target element, see Rule 1, Section 4.2.4.1.
[34]-[89] The only Rule element included in this Policy. Two parameters are specified in the rule header: RuleId and Effect. For a detailed description of the Rule structure, see Rule 1, Section 4.2.4.1.
[41]-[74] A rule target narrows down a policy target. Decision requests with the value of the "urn:oasis:names:tc:xacml:1.0:example:attribute:role" subject attribute equal to "physician" [42]-[51], that access elements of the medical record that "xpath-node-match" the "/md:record/md:medical" XPath expression [52]-[63], and that have the value of the "urn:oasis:names:tc:xacml:1.0:action:action-id" action attribute equal to "write" [65]-[73] match the target of this rule. For a detailed description of the rule target, see example 1, Section 4.2.4.1.
[75]-[87] The Condition element. For the rule to be applicable to the authorization request, the condition must evaluate to True. This rule condition compares the value of the "urn:oasis:names:tc:xacml:1.0:example:attribute:physician-id" subject attribute with the value of the physician id element in the medical record that is being accessed. For a detailed explanation of the rule condition, see Rule 1, Section 4.2.4.1.
[90]-[116] The Obligations element. Obligations are a set of operations that must be performed by the PEP in conjunction with an authorization decision. An obligation may be associated with a positive or negative authorization decision.
[92]-[115] The Obligation element consists of the ObligationId, the authorization decision value for which it must be fulfilled, and a set of attribute assignments.
[92]-[93] The ObligationId identifies an obligation. Obligation names are not interpreted by the PDP.
[94] The FulfillOn attribute defines the authorization decision value for which this obligation must be fulfilled.
[95]-[101] An Obligation may have one or more parameters. The obligation parameter "urn:oasis:names:tc:xacml:1.0:examples:attribute:mailto" is assigned a value from the content of the XML document.
[95]-[96] The AttributeId declares the "urn:oasis:names:tc:xacml:1.0:examples:attribute:mailto" obligation parameter.
[97] The obligation parameter data-type is defined.
[98]-[100] The obligation parameter value is selected from the content of the XML document that is being accessed, with an XPath expression over the request context.
[102]-[108] The obligation parameter "urn:oasis:names:tc:xacml:1.0:examples:attribute:text" of data-type "http://www.w3.org/2001/XMLSchema#string" is assigned the literal value "Your medical record has been accessed by".
[109]-[114] The obligation parameter "urn:oasis:names:tc:xacml:1.0:examples:attribute:text" of the "http://www.w3.org/2001/XMLSchema#string" data-type is assigned the value of the "urn:oasis:names:tc:xacml:1.0:subject:subject-id" subject attribute.
4.2.4.4 Rule 4
Rule 4 illustrates the use of the Deny Effect value and a Rule with no Condition element.
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Rule
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   xmlns:ctx="urn:oasis:names:tc:xacml:1.0:context"
[06]   xmlns:md="http://www.medico.com/schemas/record.xsd"
[07]   RuleId="urn:oasis:names:tc:xacml:example:ruleid:4"
[08]   Effect="Deny">
[09]   <Description>
[10]     An Administrator shall not be permitted to read or write
[11]     medical elements of a patient record in the
[12]     http://www.medico.com/records.xsd namespace
[13]   </Description>
[14]   <Target>
[15]     <Subjects>
[16]       <Subject>
[17]         <!-- match role subject attribute -->
[18]         <SubjectMatch
               MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[19]           <AttributeValue
               DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
[20]           <SubjectAttributeDesignator AttributeId=
[21]             "urn:oasis:names:tc:xacml:1.0:example:attribute:role"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[22]         </SubjectMatch>
[23]       </Subject>
[24]     </Subjects>
[25]     <Resources>
[26]       <Resource>
[27]         <!-- match document target namespace -->
[28]         <ResourceMatch
               MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[29]           <AttributeValue
               DataType="http://www.w3.org/2001/XMLSchema#string">
[30]             http://www.medico.com/schemas/record.xsd
[31]           </AttributeValue>
[32]           <ResourceAttributeDesignator AttributeId=
[33]             "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[34]         </ResourceMatch>
[35]         <!-- match requested xml element -->
[36]         <ResourceMatch
               MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-node-match">
[37]           <AttributeValue
               DataType="http://www.w3.org/2001/XMLSchema#string">
[38]             /md:record/md:medical
[39]           </AttributeValue>
[40]           <ResourceAttributeDesignator AttributeId=
[41]             "urn:oasis:names:tc:xacml:1.0:resource:xpath"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[42]         </ResourceMatch>
[43]       </Resource>
[44]     </Resources>
[45]     <Actions>
[46]       <Action>
[47]         <!-- match read action -->
[48]         <ActionMatch
               MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[49]           <AttributeValue
               DataType="http://www.w3.org/2001/XMLSchema#string">read
             </AttributeValue>
[50]           <ActionAttributeDesignator AttributeId=
[51]             "urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[52]         </ActionMatch>
[53]       </Action>
[54]       <Action>
[55]         <!-- match write action -->
[56]         <ActionMatch
               MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[57]           <AttributeValue
               DataType="http://www.w3.org/2001/XMLSchema#string">write
             </AttributeValue>
[58]           <ActionAttributeDesignator AttributeId=
[59]             "urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[60]         </ActionMatch>
[61]       </Action>
[62]     </Actions>
[63]   </Target>
[64] </Rule>
[01]-[08] The Rule element declaration. The most important parameter here is Effect. See Rule 1, Section 4.2.4.1, for a detailed explanation of the Rule structure.
[08] Rule Effect. Every rule that evaluates to "True" emits its rule effect as its value, which is combined later on with the other rule effects according to the rule-combining algorithm. This rule's Effect is "Deny", meaning that according to this rule access must be denied.
[09]-[13] Free-form description of the rule.
[14]-[63] Rule target. The Rule target defines the set of decision requests that are applicable to the rule. This rule is matched by a decision request in which:
- the subject attribute "urn:oasis:names:tc:xacml:1.0:examples:attribute:role" is equal to "administrator";
- the value of the resource attribute "urn:oasis:names:tc:xacml:1.0:resource:target-namespace" is equal to "http://www.medico.com/schemas/record.xsd";
- the value of the requested XML element matches the XPath expression "/md:record/md:medical";
- the value of the action attribute "urn:oasis:names:tc:xacml:1.0:action:action-id" is equal to "read".
See Rule 1, Section 4.2.4.1, for the detailed explanation of the Target element.
This rule does not have a Condition element.
4.2.4.5 Example PolicySet
This section uses the examples of the previous sections to illustrate the process of combining policies. The policy governing read access to medical elements of a record is formed from each of the four rules described in Section 4.2.3. In plain language, the combined rule is:
- either the requestor is the patient; or
- the requestor is the parent or guardian and the patient is under 16; or
- the requestor is the primary care physician and a notification is sent to the patient;
- and, in every case, the requestor is not an administrator.
The following XACML <PolicySet> illustrates the combined policies. Policy 3 is included by reference and policy 2 is explicitly included.
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <PolicySet
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   PolicySetId=
[06]     "urn:oasis:names:tc:xacml:1.0:examples:policysetid:1"
[07]   PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:
[07.1]   policy-combining-algorithm:deny-overrides">
[08] <Description>
[09]   Example policy set.
[10] </Description>
[11] <Target>
[12]   <Subjects>
[13]     <Subject>
[14]       <!-- any subject -->
[15]       <AnySubject/>
[16]     </Subject>
[17]   </Subjects>
[18]   <Resources>
[19]     <Resource>
[20]       <!-- any resource in the target namespace -->
[21]       <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[22]         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[23]           http://www.medico.com/records.xsd
[24]         </AttributeValue>
[25]         <ResourceAttributeDesignator AttributeId=
[26]           "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[27]       </ResourceMatch>
[28]     </Resource>
[29]   </Resources>
[30]   <Actions>
[31]     <Action>
[32]       <!-- any action -->
[33]       <AnyAction/>
[34]     </Action>
[35]   </Actions>
[36] </Target>
[37] <!-- include policy from the example 3 by reference -->
[38] <PolicyIdReference>
[39]   urn:oasis:names:tc:xacml:1.0:examples:policyid:3
[40] </PolicyIdReference>
[41] <!-- policy 2 combines rules from the examples 1, 2
[42]      and 4; it is included by value -->
[43] <Policy
[44]   PolicyId="urn:oasis:names:tc:xacml:examples:policyid:2"
[45]   RuleCombiningAlgId=
[46]     "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
[47]   <Description>
[48]     Policy for any medical record in the
[49]     http://www.medico.com/schemas/record.xsd namespace
[50]   </Description>
[51]   <Target> ... </Target>
[52]   <Rule
[53]     RuleId="urn:oasis:names:tc:xacml:examples:ruleid:1"
[54]     Effect="Permit"> ... </Rule>
[55]   <Rule RuleId="urn:oasis:names:tc:xacml:examples:ruleid:2"
[56]     Effect="Permit"> ... </Rule>
[57]   <Rule RuleId="urn:oasis:names:tc:xacml:examples:ruleid:4"
[58]     Effect="Deny"> ... </Rule>
[59]   <Obligations> ... </Obligations>
[60] </Policy>
[61] </PolicySet>
[02]-[07] PolicySet declaration. Standard XML namespace declarations are included, as well as the PolicySetId and the policy-combining algorithm identifier.
[05]-[06] PolicySetId is used for identifying this policy set and for possible inclusion of this policy set in another policy set.
[07] Policy-combining algorithm identifier. Policies in the policy set are combined according to the specified policy-combining algorithm when the authorization decision is computed. With deny-overrides, the "Deny" produced by rule 4 for an administrator wins over any "Permit" produced by the other rules, which is how the plain-language "and the requestor is not an administrator" clause is realised.
[08]-[10] Free-form description of the policy set.
[11]-[36] PolicySet Target element. Defines the set of decision requests that are applicable to this PolicySet.
[38]-[40] PolicyIdReference includes policy 3 by id.
[43]-[60] Policy 2 is explicitly included in this policy set.
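As an added illustration, not part of the specification, the following Python models this <PolicySet> as a miniature PDP with a PEP in front of it: the four plain-language rules become predicates over a flat request context, policy 2 combines rules 1, 2 and 4 under rule-combining deny-overrides, policy 3 carries rule 3 with its notification obligation, and the policy set combines the two policies under policy-combining deny-overrides (a <PolicySet> is treated like a <Policy>, Section 5.1). It also applies the Section 5.1 requirement that an obligation the PEP does not understand must be handled as if the PDP had returned "Deny". The request-context keys (subject_id, role, ...), the obligation identifier "notify-patient", and the Indeterminate handling inside deny-overrides (written from the standard algorithm in Appendix C, which this page does not reproduce) are assumptions of the example.

```python
"""Miniature PDP and PEP for the medical-record PolicySet of Section 4.2.4.5.

Added example, not code from the XACML specification. The four plain-language
rules are Python predicates over a flat request context whose keys are assumed
names (subject_id, role, ...), not XACML attribute identifiers.
"""
from dataclasses import dataclass, field

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"
RECORD_NS = "http://www.medico.com/schemas/record.xsd"


def deny_overrides(results):
    """Deny-overrides over (decision, worst_effect) pairs. worst_effect is the Effect
    an Indeterminate entry could have produced: a Rule's own Effect, or Deny for a
    Policy or PolicySet (treated alike, Section 5.1). Any Deny wins outright; an
    error that could have been a Deny is reported as Indeterminate instead of being
    masked by a Permit. Assumed to follow the standard algorithm (Appendix C, not
    reproduced on this page)."""
    permit_seen = error_seen = potential_deny = False
    for decision, worst_effect in results:
        if decision == DENY:
            return DENY
        if decision == PERMIT:
            permit_seen = True
        elif decision == INDETERMINATE:
            error_seen = True
            potential_deny = potential_deny or worst_effect == DENY
    if potential_deny:
        return INDETERMINATE
    if permit_seen:
        return PERMIT
    return INDETERMINATE if error_seen else NOT_APPLICABLE


@dataclass
class Rule:
    rule_id: str
    effect: str
    target: object                          # request -> bool (applicability)
    condition: object = lambda req: True    # request -> bool (predicate)

    def evaluate(self, req):
        try:
            if not self.target(req):
                return NOT_APPLICABLE
            return self.effect if self.condition(req) else NOT_APPLICABLE
        except KeyError:                    # an attribute the rule needs is missing
            return INDETERMINATE


@dataclass
class Policy:
    policy_id: str
    rules: list
    obligations: dict = field(default_factory=dict)   # FulfillOn effect -> obligation ids

    def evaluate(self, req):
        decision = deny_overrides((r.evaluate(req), r.effect) for r in self.rules)
        return decision, tuple(self.obligations.get(decision, ()))


@dataclass
class PolicySet:
    policies: list

    def evaluate(self, req):
        results = [p.evaluate(req) for p in self.policies]
        decision = deny_overrides((d, DENY) for d, _ in results)
        # Only obligations of policies that produced the final decision are returned.
        return decision, tuple(o for d, obs in results if d == decision for o in obs)


def medical_read(req):
    return req["target_namespace"] == RECORD_NS and req["action_id"] == "read"


RULE_1 = Rule("ruleid:1", PERMIT, medical_read, lambda r: r["subject_id"] == r["patient_id"])
RULE_2 = Rule("ruleid:2", PERMIT, medical_read,
              lambda r: r["subject_id"] in r["guardians"] and r["patient_age"] < 16)
RULE_3 = Rule("ruleid:3", PERMIT, medical_read, lambda r: r["subject_id"] == r["physician"])
RULE_4 = Rule("ruleid:4", DENY, lambda r: r["target_namespace"] == RECORD_NS
              and r["action_id"] in ("read", "write") and r["role"] == "administrator")

POLICY_SET = PolicySet([
    Policy("policyid:3", [RULE_3], obligations={PERMIT: ("notify-patient",)}),  # assumed id
    Policy("policyid:2", [RULE_1, RULE_2, RULE_4]),
])


def request(subject_id, role, action="read", **overrides):
    """Constructed request context for patient-1's record."""
    req = {"subject_id": subject_id, "role": role, "action_id": action,
           "target_namespace": RECORD_NS, "patient_id": "patient-1", "patient_age": 15,
           "guardians": ("guardian-1",), "physician": "dr-1"}
    req.update(overrides)
    return req


def pep_enforce(decision, obligations, understood):
    """Section 5.1: grant only on Permit and only if every obligation is understood;
    an obligation the PEP cannot fulfil is handled as if the PDP had returned Deny."""
    return decision == PERMIT and all(o in understood for o in obligations)


if __name__ == "__main__":
    for who, role in [("patient-1", "patient"), ("dr-1", "physician"), ("patient-1", "administrator")]:
        decision, obligations = POLICY_SET.evaluate(request(who, role))
        print(who, role, decision, obligations, pep_enforce(decision, obligations, {"notify-patient"}))
```

Two cases are worth running that the plain-language summary does not spell out: an administrator who is also the patient is denied, because deny-overrides lets rule 4 beat rule 1's "Permit"; and a request context that lacks the role attribute yields "Indeterminate" rather than "Permit", because rule 4 cannot be evaluated and could have produced a "Deny". The PEP treats both outcomes as a refusal.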
5 Policy syntax (normative, with the exception of the schema fragments)
5.1 Element <PolicySet>
The <PolicySet> element is a top-level element in the XACML policy schema. <PolicySet> is an aggregation of other policy sets and policies. Policy sets MAY be included in an enclosing <PolicySet> element either directly, using the <PolicySet> element, or indirectly, using the <PolicySetIdReference> element. Policies MAY be included in an enclosing <PolicySet> element either directly, using the <Policy> element, or indirectly, using the <PolicyIdReference> element.
If a <PolicySet> element contains references to other policy sets or policies in the form of URLs, then these references MAY be resolvable.
Policies included in the <PolicySet> element MUST be combined using the algorithm specified by the PolicyCombiningAlgId attribute. A <PolicySet> is treated exactly like a <Policy> in all the policy-combining algorithms.
The <Target> element defines the applicability of the <PolicySet> to a set of decision requests. If the <Target> element within <PolicySet> matches the request context, then the <PolicySet> element MAY be used by the PDP in making its authorization decision.
The <Obligations> element contains a set of obligations that MUST be fulfilled by the PEP in conjunction with the authorization decision. If the PEP does not understand any of the obligations, then it MUST act as if the PDP had returned a "Deny" authorization decision value. This makes obligations fail closed: an obligation identifier the PEP does not recognise, including a misspelled one, results in a refusal rather than in access being granted without the required side effect.
    <xs:element name="PolicySet" type="xacml:PolicySetType"/>
    <xs:complexType name="PolicySetType">
      <xs:sequence>
        <xs:element ref="xacml:Description" minOccurs="0"/>
        <xs:element ref="xacml:PolicySetDefaults" minOccurs="0"/>
        <xs:element ref="xacml:Target"/>
        <xs:choice minOccurs="0" maxOccurs="unbounded">
          <xs:element ref="xacml:PolicySet"/>
          <xs:element ref="xacml:Policy"/>
          <xs:element ref="xacml:PolicySetIdReference"/>
          <xs:element ref="xacml:PolicyIdReference"/>
        </xs:choice>
        <xs:element ref="xacml:Obligations" minOccurs="0"/>
      </xs:sequence>
      <xs:attribute name="PolicySetId" type="xs:anyURI" use="required"/>
      <xs:attribute name="PolicyCombiningAlgId" type="xs:anyURI" use="required"/>
    </xs:complexType>
The <PolicySet> element is of PolicySetType complex type.
The <PolicySet> element contains the following attributes and elements:
PolicySetId [Required]
Policy set identifier. It is the responsibility of the PAP to ensure that no two policies visible to the PDP have the same identifier; a duplicate would make a <PolicySetIdReference> to it ambiguous. This MAY be achieved by following a predefined URN or URI scheme. If the policy set identifier is in the form of a URL, then it MAY be resolvable.
PolicyCombiningAlgId [Required]
The identifier of the policy-combining algorithm by which the <PolicySet> components MUST be combined. Standard policy-combining algorithms are listed in Appendix C. Standard policy-combining algorithm identifiers are listed in Section B.10.
<Description> [Optional]
A free-form description of the <PolicySet>.
<PolicySetDefaults> [Optional]
A set of default values applicable to the <PolicySet>. The scope of the <PolicySetDefaults> element SHALL be the enclosing policy set.
<Target> [Required]
The <Target> element defines the applicability of a <PolicySet> to a set of decision requests.
The <Target> element MAY be declared by the creator of the <PolicySet>, or it MAY be computed from the <Target> elements of the referenced <Policy> elements, either as an intersection or as a union.
<PolicySet> [Any Number]
A policy set component that is included in this policy set.
<Policy> [Any Number]
A policy component that is included in this policy set.
<PolicySetIdReference> [Any Number]
A reference to a <PolicySet> component that MUST be included in this policy set. If <PolicySetIdReference> is a URL, then it MAY be resolvable.
<PolicyIdReference> [Any Number]
A reference to a <Policy> component that MUST be included in this policy set. If the <PolicyIdReference> is a URL, then it MAY be resolvable.
<Obligations> [Optional]
Contains the set of <Obligation> elements. See Section 7.11 for a description of how the set of obligations to be returned by the PDP SHALL be determined.
5.2 Element <Description>
The <Description> element is used for a free-form description of the <PolicySet> element, the <Policy> element and the <Rule> element. The <Description> element is of xs:string simple type.
    <xs:element name="Description" type="xs:string"/>
5.3 Element <PolicySetDefaults>
The <PolicySetDefaults> element SHALL specify default values that apply to the <PolicySet> element.
    <xs:element name="PolicySetDefaults" type="xacml:DefaultsType"/>
    <xs:complexType name="DefaultsType">
      <xs:sequence>
        <xs:choice>
          <xs:element ref="xacml:XPathVersion" minOccurs="0"/>
        </xs:choice>
      </xs:sequence>
    </xs:complexType>
The <PolicySetDefaults> element is of DefaultsType complex type.
The <PolicySetDefaults> element contains the following elements:
<XPathVersion> [Optional]
Default XPath version.
5.4 Element <XPathVersion>
The <XPathVersion> element SHALL specify the version of the XPath specification to be used by <AttributeSelector> elements.
    <xs:element name="XPathVersion" type="xs:anyURI"/>
The URI for the XPath 1.0 specification is "http://www.w3.org/TR/1999/Rec-xpath-19991116". The <XPathVersion> element is REQUIRED if the enclosing XACML policy set or policy contains <AttributeSelector> elements or XPath-based functions.
5.5 Element <Target>
The <Target> element identifies the set of decision requests that the parent element is intended to evaluate. The <Target> element SHALL appear as a child of the <PolicySet>, <Policy> and <Rule> elements. It contains definitions for subjects, resources and actions.
The <Target> element SHALL contain a conjunctive sequence of <Subjects>, <Resources> and <Actions> elements. For the parent of the <Target> element to be applicable to the decision request, there MUST be at least one positive match between each section of the <Target> element and the corresponding section of the <xacml-context:Request> element.
    <xs:element name="Target" type="xacml:TargetType"/>
    <xs:complexType name="TargetType">
      <xs:sequence>
        <xs:element ref="xacml:Subjects"/>
        <xs:element ref="xacml:Resources"/>
        <xs:element ref="xacml:Actions"/>
      </xs:sequence>
    </xs:complexType>
The <Target> element is of TargetType complex type.
The <Target> element contains the following elements:
<Subjects> [Required]
Matching specification for the subject attributes in the context.
<Resources> [Required]
Matching specification for the resource attributes in the context.
<Actions> [Required]
Matching specification for the action attributes in the context.
5.6 Element <Subjects>
The <Subjects> element SHALL contain a disjunctive sequence of <Subject> elements.
    <xs:element name="Subjects" type="xacml:SubjectsType"/>
    <xs:complexType name="SubjectsType">
      <xs:choice>
        <xs:element ref="xacml:Subject" maxOccurs="unbounded"/>
        <xs:element ref="xacml:AnySubject"/>
      </xs:choice>
    </xs:complexType>
The <Subjects> element is of SubjectsType complex type.
The <Subjects> element contains the following elements:
<Subject> [One To Many, Required Choice]
See Section 5.7.
<AnySubject> [Required Choice]
See Section 5.8.
5.7 Element <Subject>
The <Subject> element SHALL contain a conjunctive sequence of <SubjectMatch> elements.
    <xs:element name="Subject" type="xacml:SubjectType"/>
    <xs:complexType name="SubjectType">
      <xs:sequence>
        <xs:element ref="xacml:SubjectMatch" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
The <Subject> element is of SubjectType complex type.
The <Subject> element contains the following elements:
<SubjectMatch> [One to Many]
A conjunctive sequence of individual matches of the subject attributes in the context and the embedded attribute values.
5.8 Element <AnySubject>
The <AnySubject> element SHALL match any subject attribute in the context.
    <xs:element name="AnySubject"/>
5.9 Element <SubjectMatch>
The <SubjectMatch> element SHALL identify a set of subject-related entities by matching attribute values in a <xacml-context:Subject> element of the context with the embedded attribute value.
    <xs:element name="SubjectMatch" type="xacml:SubjectMatchType"/>
    <xs:complexType name="SubjectMatchType">
      <xs:sequence>
        <xs:element ref="xacml:AttributeValue"/>
        <xs:choice>
          <xs:element ref="xacml:SubjectAttributeDesignator"/>
          <xs:element ref="xacml:AttributeSelector"/>
        </xs:choice>
      </xs:sequence>
      <xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
    </xs:complexType>
The <SubjectMatch> element is of SubjectMatchType complex type.
The <SubjectMatch> element contains the following attributes and elements:
MatchId [Required]
Specifies a matching function. The value of this attribute MUST be of type xs:anyURI, with legal values documented in Section A.12.
<AttributeValue> [Required]
Embedded attribute value.
<SubjectAttributeDesignator> [Required Choice]
Identifies one or more attribute values in a <Subject> element of the context.
<AttributeSelector> [Required Choice]
MAY be used to identify one or more attribute values in the request context. The XPath expression SHOULD resolve to an attribute in a <Subject> element of the context.
5.10 Element <Resources>
The <Resources> element SHALL contain a disjunctive sequence of <Resource> elements.
    <xs:element name="Resources" type="xacml:ResourcesType"/>
    <xs:complexType name="ResourcesType">
      <xs:choice>
        <xs:element ref="xacml:Resource" maxOccurs="unbounded"/>
        <xs:element ref="xacml:AnyResource"/>
      </xs:choice>
    </xs:complexType>
The <Resources> element is of ResourcesType complex type.
The <Resources> element contains the following elements:
<Resource> [One To Many, Required Choice]
See Section 5.11.
<AnyResource> [Required Choice]
See Section 5.12.
5.11 Element <Resource>
The <Resource> element SHALL contain a conjunctive sequence of <ResourceMatch> elements.
    <xs:element name="Resource" type="xacml:ResourceType"/>
    <xs:complexType name="ResourceType">
      <xs:sequence>
        <xs:element ref="xacml:ResourceMatch" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
The <Resource> element is of ResourceType complex type.
The <Resource> element contains the following elements:
<ResourceMatch> [One to Many]
A conjunctive sequence of individual matches of the resource attributes in the context and the embedded attribute values.
5.12 Element <AnyResource>
The <AnyResource> element SHALL match any resource attribute in the context.
    <xs:element name="AnyResource"/>
5.13 Element <ResourceMatch>
The <ResourceMatch> element SHALL identify a set of resource-related entities by matching attribute values in the <xacml-context:Resource> element of the context with the embedded attribute value.
    <xs:element name="ResourceMatch" type="xacml:ResourceMatchType"/>
    <xs:complexType name="ResourceMatchType">
      <xs:sequence>
        <xs:element ref="xacml:AttributeValue"/>
        <xs:choice>
          <xs:element ref="xacml:ResourceAttributeDesignator"/>
          <xs:element ref="xacml:AttributeSelector"/>
        </xs:choice>
      </xs:sequence>
      <xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
    </xs:complexType>
The <ResourceMatch> element is of ResourceMatchType complex type.
The <ResourceMatch> element contains the following attributes and elements:
MatchId [Required]
Specifies a matching function. The value of this attribute MUST be of type xs:anyURI (the schema fragment above is corrected accordingly), with legal values documented in Section A.12.
<AttributeValue> [Required]
Embedded attribute value.
<ResourceAttributeDesignator> [Required Choice]
Identifies one or more attribute values in the <Resource> element of the context.
<AttributeSelector> [Required Choice]
MAY be used to identify one or more attribute values in the request context. The XPath expression SHOULD resolve to an attribute in the <Resource> element of the context.
5.14 Element <Actions>
The <Actions> element SHALL contain a disjunctive sequence of <Action> elements.
    <xs:element name="Actions" type="xacml:ActionsType"/>
    <xs:complexType name="ActionsType">
      <xs:choice>
        <xs:element ref="xacml:Action" maxOccurs="unbounded"/>
        <xs:element ref="xacml:AnyAction"/>
      </xs:choice>
    </xs:complexType>
The <Actions> element is of ActionsType complex type.
The <Actions> element contains the following elements:
<Action> [One To Many, Required Choice]
See Section 5.15.
<AnyAction> [Required Choice]
See Section 5.16.
5.15 Element <Action>
The <Action> element SHALL contain a conjunctive sequence of <ActionMatch> elements.
    <xs:element name="Action" type="xacml:ActionType"/>
    <xs:complexType name="ActionType">
      <xs:sequence>
        <xs:element ref="xacml:ActionMatch" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
The <Action> element is of ActionType complex type.
The <Action> element contains the following elements:
<ActionMatch> [One to Many]
A conjunctive sequence of individual matches of the action attributes in the context and the embedded attribute values.
5.16 Element <AnyAction>
The <AnyAction> element SHALL match any action attribute in the context.
    <xs:element name="AnyAction"/>
5.17 Element <ActionMatch>
The <ActionMatch> element SHALL identify a set of action-related entities by matching attribute values in the <xacml-context:Action> element of the context with the embedded attribute value.
    <xs:element name="ActionMatch" type="xacml:ActionMatchType"/>
    <xs:complexType name="ActionMatchType">
      <xs:sequence>
        <xs:element ref="xacml:AttributeValue"/>
        <xs:choice>
          <xs:element ref="xacml:ActionAttributeDesignator"/>
          <xs:element ref="xacml:AttributeSelector"/>
        </xs:choice>
      </xs:sequence>
      <xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
    </xs:complexType>
The <ActionMatch> element is of ActionMatchType complex type.
The <ActionMatch> element contains the following attributes and elements:
MatchId [Required]
Specifies a matching function. The value of this attribute MUST be of type xs:anyURI, with legal values documented in Section A.12.
<AttributeValue> [Required]
Embedded attribute value.
<ActionAttributeDesignator> [Required Choice]
Identifies one or more attribute values in the <Action> element of the context.
<AttributeSelector> [Required Choice]
MAY be used to identify one or more attribute values in the request context. The XPath expression SHOULD resolve to an attribute in the <Action> element of the context.
5.18 Element <PolicySetIdReference>
The <PolicySetIdReference> element SHALL be used to reference a <PolicySet> element by id. If <PolicySetIdReference> is a URL, then it MAY be resolvable to the <PolicySet>. The mechanism for resolving a policy set reference to the corresponding policy set is outside the scope of this specification. Where a deployment resolves references by retrieval, the PDP is trusting whatever the retrieval returns, so authenticating the retrieved policy set is the deployment's responsibility.
    <xs:element name="PolicySetIdReference" type="xs:anyURI"/>
The <PolicySetIdReference> element is of xs:anyURI simple type.
5.19 Element <PolicyIdReference>
The <PolicyIdReference> element SHALL be used to reference a <Policy> element by id. If <PolicyIdReference> is a URL, then it MAY be resolvable to the <Policy>. The mechanism for resolving a policy reference to the corresponding policy is outside the scope of this specification.
    <xs:element name="PolicyIdReference" type="xs:anyURI"/>
The <PolicyIdReference> element is of xs:anyURI simple type.
5.20 Element <Policy>
The <Policy> element is the smallest entity that SHALL be presented to the PDP for evaluation.
The main components of this element are the <Target>, <Rule> and <Obligations> elements and the RuleCombiningAlgId attribute.
The <Target> element SHALL define the applicability of the <Policy> to a set of decision requests.
Rules included in the <Policy> element MUST be combined by the algorithm specified by the RuleCombiningAlgId attribute.
The <Obligations> element SHALL contain a set of obligations that MUST be fulfilled by the PEP in conjunction with the authorization decision (the PDP returns them; it does not fulfil them, see Sections 5.1 and 7.11).
    <xs:element name="Policy" type="xacml:PolicyType"/>
    <xs:complexType name="PolicyType">
      <xs:sequence>
        <xs:element ref="xacml:Description" minOccurs="0"/>
        <xs:element ref="xacml:PolicyDefaults" minOccurs="0"/>
        <xs:element ref="xacml:Target"/>
        <xs:element ref="xacml:Rule" minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="xacml:Obligations" minOccurs="0"/>
      </xs:sequence>
      <xs:attribute name="PolicyId" type="xs:anyURI" use="required"/>
      <xs:attribute name="RuleCombiningAlgId" type="xs:anyURI" use="required"/>
    </xs:complexType>
The <Policy> element is of PolicyType complex type.
The <Policy> element contains the following attributes and elements:
PolicyId [Required]
Policy identifier. It is the responsibility of the PAP to ensure that no two policies visible to the PDP have the same identifier. This MAY be achieved by following a predefined URN or URI scheme. If the policy identifier is in the form of a URL, then it MAY be resolvable.
RuleCombiningAlgId [Required]
The identifier of the rule-combining algorithm by which the <Policy> components MUST be combined. Standard rule-combining algorithms are listed in Appendix C. Standard rule-combining algorithm identifiers are listed in Section B.10.
<Description> [Optional]
A free-form description of the policy. See Section 5.2, Element <Description>.
<PolicyDefaults> [Optional]
Defines a set of default values applicable to the policy. The scope of the <PolicyDefaults> element SHALL be the enclosing policy.
<Target> [Required]
The <Target> element SHALL define the applicability of a <Policy> to a set of decision requests.
The <Target> element MAY be declared by the creator of the <Policy> element, or it MAY be computed from the <Target> elements of the referenced <Rule> elements, either as an intersection or as a union.
<Rule> [Any Number]
A sequence of authorizations that MUST be combined according to the RuleCombiningAlgId attribute. Rules whose <Target> elements match the decision request MUST be considered. Rules whose <Target> elements do not match the decision request SHALL be ignored.
<Obligations> [Optional]
A conjunctive sequence of obligations that MUST be fulfilled by the PEP in conjunction with the authorization decision. See Section 7.11 for a description of how the set of obligations to be returned by the PDP SHALL be determined.
5.21 Element <PolicyDefaults>
The <PolicyDefaults> element SHALL specify default values that apply to the <Policy> element.
    <xs:element name="PolicyDefaults" type="xacml:DefaultsType"/>
    <xs:complexType name="DefaultsType">
      <xs:sequence>
        <xs:choice>
          <xs:element ref="xacml:XPathVersion" minOccurs="0"/>
        </xs:choice>
      </xs:sequence>
    </xs:complexType>
The <PolicyDefaults> element is of DefaultsType complex type.
The <PolicyDefaults> element contains the following elements:
<XPathVersion> [Optional]
Default XPath version.
5.22 Element <Rule>
The <Rule> element SHALL define the individual rules in the policy. The main components of this element are the <Target> and <Condition> elements and the Effect attribute.
    <xs:element name="Rule" type="xacml:RuleType"/>
    <xs:complexType name="RuleType">
      <xs:sequence>
        <xs:element ref="xacml:Description" minOccurs="0"/>
        <xs:element ref="xacml:Target" minOccurs="0"/>
        <xs:element ref="xacml:Condition" minOccurs="0"/>
      </xs:sequence>
      <xs:attribute name="RuleId" type="xs:anyURI" use="required"/>
      <xs:attribute name="Effect" type="xacml:EffectType" use="required"/>
    </xs:complexType>
The <Rule> element is of RuleType complex type.
The <Rule> element contains the following attributes and elements:
RuleId [Required]
A URN identifying this rule.
Effect [Required]
Rule effect. The values of this attribute are either "Permit" or "Deny".
<Description> [Optional]
A free-form description of the rule.
<Target> [Optional]
Identifies the set of decision requests that the <Rule> element is intended to evaluate. If this element is omitted, then the target for the <Rule> SHALL be defined by the <Target> element of the enclosing <Policy> element. See Section 5.5 for details.
<Condition> [Optional]
A predicate that MUST be satisfied for the rule to be assigned its Effect value. A condition is a boolean function over a combination of subject, resource, action and environment attributes or other functions.
5.23 Simple type EffectType
The EffectType simple type defines the values allowed for the Effect attribute of the <Rule> element and for the FulfillOn attribute of the <Obligation> element.
    <xs:simpleType name="EffectType">
      <xs:restriction base="xs:string">
        <xs:enumeration value="Permit"/>
        <xs:enumeration value="Deny"/>
      </xs:restriction>
    </xs:simpleType>
5.24 Element <Condition>
The <Condition> element is a boolean function over subject, resource, action and environment attributes or functions of attributes. If the <Condition> element evaluates to "True", then the enclosing <Rule> element is assigned its Effect value.
    <xs:element name="Condition" type="xacml:ApplyType"/>
The <Condition> element is of ApplyType complex type.
5.25 Element <Apply>
The <Apply> element denotes the application of a function to its arguments, thus encoding a function call. The <Apply> element can be applied to any combination of <Apply>, <AttributeValue>, <SubjectAttributeDesignator>, <ResourceAttributeDesignator>, <ActionAttributeDesignator>, <EnvironmentAttributeDesignator> and <AttributeSelector> arguments.
    <xs:element name="Apply" type="xacml:ApplyType"/>
    <xs:complexType name="ApplyType">
      <xs:choice minOccurs="0" maxOccurs="unbounded">
        <xs:element ref="xacml:Function"/>
        <xs:element ref="xacml:Apply"/>
        <xs:element ref="xacml:AttributeValue"/>
        <xs:element ref="xacml:SubjectAttributeDesignator"/>
        <xs:element ref="xacml:ResourceAttributeDesignator"/>
        <xs:element ref="xacml:ActionAttributeDesignator"/>
        <xs:element ref="xacml:EnvironmentAttributeDesignator"/>
        <xs:element ref="xacml:AttributeSelector"/>
      </xs:choice>
      <xs:attribute name="FunctionId" type="xs:anyURI" use="required"/>
    </xs:complexType>
The <Apply> element is of ApplyType complex type.
The <Apply> element contains the following attributes and elements:
FunctionId [Required]
The URN of a function. XACML-defined functions are described in Appendix A.
<Function> [Optional]
The name of a function that is applied to the elements of a bag. See Section A.14.11.
<Apply> [Optional]
A nested function-call argument.
<AttributeValue> [Optional]
A literal value argument.
<SubjectAttributeDesignator> [Optional]
A subject attribute argument.
<ResourceAttributeDesignator> [Optional]
A resource attribute argument.
<ActionAttributeDesignator> [Optional]
An action attribute argument.
<EnvironmentAttributeDesignator> [Optional]
An environment attribute argument.
<AttributeSelector> [Optional]
An attribute selector argument.
5.26 Element <Function>
The <Function> element SHALL be used to name a function that is applied by the higher-order bag functions to every element of a bag. The higher-order bag functions are described in Section A.14.11.
    <xs:element name="Function" type="xacml:FunctionType"/>
    <xs:complexType name="FunctionType">
      <xs:attribute name="FunctionId" type="xs:anyURI" use="required"/>
    </xs:complexType>
The <Function> element is of FunctionType complex type.
The <Function> element contains the following attribute:
FunctionId [Required]
The identifier of the function that is applied to the elements of a bag by the higher-order bag functions.
5.27 Complex type AttributeDesignatorType
The AttributeDesignatorType complex type is the type for elements and extensions that identify attributes. An element of this type contains properties by which it MAY be matched to attributes in the request context.
In addition, elements of this type MAY control behaviour in the event that no matching attribute is present in the context.
Elements of this type SHALL NOT alter the match semantics of named attributes, but MAY narrow the search space.
    <xs:complexType name="AttributeDesignatorType">
      <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
      <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
      <xs:attribute name="Issuer" type="xs:string" use="optional"/>
      <xs:attribute name="MustBePresent" type="xs:boolean" use="optional" default="false"/>
    </xs:complexType>
A named attribute SHALL match an attribute if the values of their respective AttributeId, DataType and Issuer attributes match. The attribute designator's AttributeId MUST match, by URI equality, the AttributeId of the attribute. The attribute designator's DataType MUST match, by URI equality, the DataType of the same attribute.
If the Issuer attribute is present in the attribute designator, then it MUST match, by string equality, the Issuer of the same attribute. If the Issuer is not present in the attribute designator, then the matching of the attribute to the named attribute SHALL be governed by the AttributeId and DataType attributes alone. A designator that omits Issuer therefore accepts the attribute from any issuer, including one the policy writer did not anticipate; naming the Issuer is how a policy pins a match to attributes asserted by a particular authority.
The AttributeDesignatorType contains the following attributes:
AttributeId [Required]
This attribute SHALL specify the AttributeId with which to match the attribute.
DataType [Required]
This attribute SHALL specify the data-type with which to match the attribute.
Issuer [Optional]
This attribute, if supplied, SHALL specify the Issuer with which to match the attribute.
MustBePresent [Optional]
This attribute governs whether the element returns "Indeterminate" in the case where the named attribute is absent. If the named attribute is absent and MustBePresent is "True", then this element SHALL result in "Indeterminate". The default value SHALL be "False", in which case an absent attribute simply yields no match.
5.28 Element <SubjectAttributeDesignator>
The <SubjectAttributeDesignator> element is of the SubjectAttributeDesignatorType. The SubjectAttributeDesignatorType complex type extends the AttributeDesignatorType complex type. It is the base type for elements and extensions that refer to named categorized subject attributes. A named categorized subject attribute is defined as follows:
A subject is represented by a <Subject> element in the <xacml-context:Request> element. Each <Subject> element SHALL contain the XML attribute SubjectCategory. This attribute is called the subject category attribute.
A categorized subject is a subject that is identified by a particular subject category attribute.
A subject attribute is an attribute of a particular subject, i.e. contained within a <Subject> element.
A named subject attribute is a named attribute for a subject.
A named categorized subject attribute is a named subject attribute for a particular categorized subject.
The SubjectAttributeDesignatorType complex type extends the AttributeDesignatorType with a SubjectCategory attribute. The SubjectAttributeDesignatorType extends the match semantics of the AttributeDesignatorType such that it narrows the attribute search space to the specific categorized subject whose subject category attribute in the <Request> element matches, by URI equality, the value of this element's SubjectCategory attribute.
If there are multiple subjects with the same SubjectCategory XML attribute, then they SHALL be treated as if they were one categorized subject.
Elements and extensions of the SubjectAttributeDesignatorType complex type determine the presence of select attribute values associated with named categorized subject attributes. Elements and extensions of the SubjectAttributeDesignatorType SHALL NOT alter the match semantics of named categorized subject attributes, but MAY narrow the search space.
<xs:complexType name="SubjectAttributeDesignatorType">
  <xs:complexContent>
    <xs:extension base="xacml:AttributeDesignatorType">
      <xs:attribute name="SubjectCategory" type="xs:anyURI" use="optional"
        default="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"/>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
The SubjectAttributeDesignatorType complex type contains the following attribute, in addition to the attributes of the AttributeDesignatorType complex type:
SubjectCategory [Optional]
This attribute SHALL specify the categorized subject from which to match named subject attributes. If SubjectCategory is not present, then its default value of "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" SHALL be used.
5.29 Element <ResourceAttributeDesignator>
The <ResourceAttributeDesignator> element retrieves a bag of values for a named resource attribute. A resource attribute is an attribute contained within the <Resource> element of the <xacml-context:Request> element. A named resource attribute is a named attribute that matches a resource attribute. A named resource attribute SHALL be considered present if there is at least one resource attribute that matches the criteria set out below. A resource attribute value is an attribute value that is contained within a resource attribute.
The <ResourceAttributeDesignator> element SHALL return a bag containing all the resource attribute values that are matched by the named resource attribute. The MustBePresent attribute governs whether this element returns an empty bag or "Indeterminate" in the case that the named resource attribute is absent. If the named resource attribute is not present and the MustBePresent attribute is "False" (its default value), then this element SHALL evaluate to an empty bag. If the named resource attribute is not present and the MustBePresent attribute is "True", then this element SHALL evaluate to "Indeterminate". Regardless of the MustBePresent attribute, if it cannot be determined whether the named resource attribute is present or not in the request context, or the value of the named resource attribute is unavailable, then the expression SHALL evaluate to "Indeterminate".
A named resource attribute SHALL match a resource attribute as per the match semantics specified in the AttributeDesignatorType complex type [Section 5.27].
The <ResourceAttributeDesignator> MAY appear in the <ResourceMatch> element and MAY be passed to the <Apply> element as an argument.
<xs:element name="ResourceAttributeDesignator" type="xacml:AttributeDesignatorType"/>
The <ResourceAttributeDesignator> element is of the AttributeDesignatorType complex type.
5.30 Element <ActionAttributeDesignator>
The <ActionAttributeDesignator> element retrieves a bag of values for a named action attribute. An action attribute is an attribute contained within the <Action> element of the <xacml-context:Request> element. A named action attribute has specific criteria (described below) with which to match an action attribute. A named action attribute SHALL be considered present if there is at least one action attribute that matches the criteria. An action attribute value is an attribute value that is contained within an action attribute.
The <ActionAttributeDesignator> element SHALL return a bag of all the action attribute values that are matched by the named action attribute. The MustBePresent attribute governs whether this element returns an empty bag or "Indeterminate" in the case that the named action attribute is absent. If the named action attribute is not present and the MustBePresent attribute is "False" (its default value), then this element SHALL evaluate to an empty bag. If the named action attribute is not present and the MustBePresent attribute is "True", then this element SHALL evaluate to "Indeterminate". Regardless of the MustBePresent attribute, if it cannot be determined whether the named action attribute is present or not present in the request context, or the value of the named action attribute is unavailable, then the expression SHALL evaluate to "Indeterminate".
A named action attribute SHALL match an action attribute as per the match semantics specified in the AttributeDesignatorType complex type [Section 5.27].
The <ActionAttributeDesignator> MAY appear in the <ActionMatch> element and MAY be passed to the <Apply> element as an argument.
<xs:element name="ActionAttributeDesignator" type="xacml:AttributeDesignatorType"/>
The <ActionAttributeDesignator> element is of the AttributeDesignatorType complex type.
5.31 Element <EnvironmentAttributeDesignator>
The <EnvironmentAttributeDesignator> element retrieves a bag of values for a named environment attribute. An environment attribute is an attribute contained within the <Environment> element of the <xacml-context:Request> element. A named environment attribute has specific criteria (described below) with which to match an environment attribute. A named environment attribute SHALL be considered present if there is at least one environment attribute that matches the criteria. An environment attribute value is an attribute value that is contained within an environment attribute.
The <EnvironmentAttributeDesignator> element SHALL evaluate to a bag of all the environment attribute values that are matched by the named environment attribute. The MustBePresent attribute governs whether this element returns an empty bag or "Indeterminate" in the case that the named environment attribute is absent. If the named environment attribute is not present and the MustBePresent attribute is "False" (its default value), then this element SHALL evaluate to an empty bag. If the named environment attribute is not present and the MustBePresent attribute is "True", then this element SHALL evaluate to "Indeterminate". Regardless of the MustBePresent attribute, if it cannot be determined whether the named environment attribute is present or not present in the request context, or the value of the named environment attribute is unavailable, then the expression SHALL evaluate to "Indeterminate".
A named environment attribute SHALL match an environment attribute as per the match semantics specified in the AttributeDesignatorType complex type [Section 5.27].
The <EnvironmentAttributeDesignator> MAY be passed to the <Apply> element as an argument.
<xs:element name="EnvironmentAttributeDesignator" type="xacml:AttributeDesignatorType"/>
The <EnvironmentAttributeDesignator> element is of the AttributeDesignatorType complex type.
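The match and bag semantics of Sections 5.27 to 5.31, worked through in code. This is an added example and not code from the specification or from any XACML implementation: the request context is modelled with plain Python objects instead of XML, a single value per attribute is assumed for brevity, and the subject, resource, action and environment designators are treated uniformly, since they differ only in which part of the context they search, with the subject designator additionally narrowed by SubjectCategory. The XML Schema data-type URIs and the codebase subject-category identifier are standard XACML identifiers not quoted on this page; the urn:example:* identifiers and the request content are constructed for the demonstration.

```python
"""Attribute designator evaluation over an XACML request context (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Union

ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CODEBASE = "urn:oasis:names:tc:xacml:1.0:subject-category:codebase"  # assumed identifier
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"                 # assumed identifier
XS_INTEGER = "http://www.w3.org/2001/XMLSchema#integer"               # assumed identifier
MISSING_ATTRIBUTE = "urn:oasis:names:tc:xacml:1.0:status:missing-attribute"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ROLE = "urn:example:role"            # hypothetical attribute identifier
CLEARANCE = "urn:example:clearance"  # hypothetical attribute identifier


@dataclass(frozen=True)
class Indeterminate:
    """Evaluation error carrying the status code the PDP would report."""
    status_code: str


@dataclass
class Attribute:   # one <xacml-context:Attribute>, single-valued for brevity
    attribute_id: str
    data_type: str
    value: str
    issuer: Optional[str] = None


@dataclass
class Subject:     # one <xacml-context:Subject>
    attributes: List[Attribute]
    category: str = ACCESS_SUBJECT


@dataclass
class Request:     # one <xacml-context:Request>
    subjects: List[Subject]
    resource: List[Attribute]
    action: List[Attribute]
    environment: List[Attribute] = field(default_factory=list)


@dataclass
class Designator:  # AttributeDesignatorType, plus SubjectCategory for subject designators
    attribute_id: str
    data_type: str
    issuer: Optional[str] = None
    must_be_present: bool = False
    subject_category: str = ACCESS_SUBJECT


Bag = Union[List[str], Indeterminate]


def matches(d: Designator, a: Attribute) -> bool:
    """5.27: AttributeId and DataType match by URI equality; Issuer matches by
    string equality only when the designator names one."""
    if d.attribute_id != a.attribute_id or d.data_type != a.data_type:
        return False
    return d.issuer is None or d.issuer == a.issuer


def evaluate(d: Designator, attrs: List[Attribute]) -> Bag:
    """Bag of every matched value; when nothing matches, an empty bag or
    Indeterminate (missing-attribute) according to MustBePresent."""
    bag = [a.value for a in attrs if matches(d, a)]
    if not bag and d.must_be_present:
        return Indeterminate(MISSING_ATTRIBUTE)
    return bag


def evaluate_subject(d: Designator, req: Request) -> Bag:
    """5.28: all <Subject> elements sharing the designator's SubjectCategory are
    pooled into one categorized subject before matching."""
    pooled = [a for s in req.subjects if s.category == d.subject_category
              for a in s.attributes]
    return evaluate(d, pooled)


def sample_request() -> Request:
    """Constructed request context; not taken from the specification."""
    return Request(
        subjects=[
            Subject([Attribute(SUBJECT_ID, XS_STRING, "alice")]),
            # a second access-subject element: pooled with the first by 5.28
            Subject([Attribute(ROLE, XS_STRING, "clerk", issuer="hr"),
                     Attribute(ROLE, XS_STRING, "admin")]),  # no Issuer at all
            Subject([Attribute(SUBJECT_ID, XS_STRING, "com.example.app")],
                    category=CODEBASE),
        ],
        resource=[Attribute(RESOURCE_ID, XS_STRING, "/records/1")],
        action=[Attribute("urn:example:action-id", XS_STRING, "read")],
    )


def demo() -> dict:
    req = sample_request()
    return {
        "roles_any_issuer": evaluate_subject(Designator(ROLE, XS_STRING), req),
        "roles_from_hr": evaluate_subject(Designator(ROLE, XS_STRING, issuer="hr"), req),
        "roles_wrong_type": evaluate_subject(Designator(ROLE, XS_INTEGER), req),
        "codebase_id": evaluate_subject(
            Designator(SUBJECT_ID, XS_STRING, subject_category=CODEBASE), req),
        "resource_id": evaluate(Designator(RESOURCE_ID, XS_STRING), req.resource),
        "absent_optional": evaluate(Designator(CLEARANCE, XS_STRING), req.environment),
        "absent_required": evaluate(
            Designator(CLEARANCE, XS_STRING, must_be_present=True), req.environment),
    }
```

The "roles_any_issuer" case is the one to watch in a real deployment: a designator that omits Issuer matches every attribute with that AttributeId and DataType, including one the requesting party put into the context itself with no Issuer, so the "admin" value lands in the bag next to the HR-issued "clerk". Naming the Issuer on the designator pins the match to attributes from the source the policy trusts. MustBePresent is the other fail-closed control: with it false, a missing clearance attribute silently evaluates to an empty bag and a condition comparing against it is simply false, while with it true the whole rule becomes Indeterminate and the PEP sees the error.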
5.32 Element <AttributeSelector>
The <AttributeSelector> element's RequestContextPath XML attribute SHALL contain a legal XPath expression whose context node is the <xacml-context:Request> element. The <AttributeSelector> element SHALL evaluate to a bag of values whose data-type is specified by the element's DataType attribute. If the DataType specified in the <AttributeSelector> is a primitive data-type defined in [XF] or [XS], then the value returned by the XPath expression SHALL be converted to the DataType specified in the <AttributeSelector> using the constructor function below [XF, Section 4] that corresponds to the DataType. If an error results from using the constructor function, then the value of the <AttributeSelector> SHALL be "Indeterminate".
xs:string(), xs:boolean(), xs:integer(), xs:double(), xs:dateTime(), xs:date(), xs:time(), xs:hexBinary(), xs:base64Binary(), xs:anyURI(), xf:yearMonthDuration(), xf:dayTimeDuration()
If the DataType specified in the <AttributeSelector> is not one of the preceding primitive DataTypes, then the <AttributeSelector> SHALL return a bag of instances of the specified DataType. If there are errors encountered in converting the values returned by the XPath expression to the specified DataType, then the result of the <AttributeSelector> SHALL be "Indeterminate".
Each node selected by the specified XPath expression MUST be either a text node, an attribute node, a processing-instruction node or a comment node. The string representation of the value of each selected node MUST be converted to an attribute value of the specified data-type, and the result of the <AttributeSelector> is the bag of the attribute values generated from all the selected nodes.
If a selected node is of a type other than those listed above (a text node, an attribute node, a processing-instruction node or a comment node), then the result of that policy SHALL be "Indeterminate" with a StatusCode value of "urn:oasis:names:tc:xacml:1.0:status:syntax-error".
Support for the <AttributeSelector> element is OPTIONAL.
<xs:element name="AttributeSelector" type="xacml:AttributeSelectorType"/>
<xs:complexType name="AttributeSelectorType">
  <xs:attribute name="RequestContextPath" type="xs:string" use="required"/>
  <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
  <xs:attribute name="MustBePresent" type="xs:boolean" use="optional" default="false"/>
</xs:complexType>
The <AttributeSelector> element is of the AttributeSelectorType complex type.
The <AttributeSelector> element has the following attributes:
RequestContextPath [Required]
An XPath expression whose context node is the <xacml-context:Request> element. There SHALL be no restriction on the XPath syntax.
DataType [Required]
The bag of values returned by the <AttributeSelector> SHALL be of this data-type.
MustBePresent [Optional]
Whether or not the designated attribute must be present in the context. If the XPath expression selects no node and the MustBePresent attribute is "True", then the result SHALL be "Indeterminate" and the status code SHALL be "urn:oasis:names:tc:xacml:1.0:status:missing-attribute". If the XPath expression selects no node and the MustBePresent attribute is missing or "False", then the result SHALL be an empty bag. If the XPath expression selects at least one node and the selected node(s) could be successfully converted to a bag of values of the specified data-type, then the result SHALL be that bag, regardless of the value of the MustBePresent attribute. If the XPath expression selects at least one node but there is an error in converting one or more of the nodes to values of the specified data-type, then the result SHALL be "Indeterminate" and the status code SHALL be "urn:oasis:names:tc:xacml:1.0:status:processing-error", regardless of the value of the MustBePresent attribute.
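The four outcomes of Section 5.32 (a bag, missing-attribute, syntax-error and processing-error) as a small evaluator. This is an added example, not code from the specification or from an XACML product. To run offline it evaluates only a tiny XPath subset of its own (child element steps compared by local name, text(), comment() and @attr, relative to the <Request> element) where a real PDP would call an XPath engine; the node-type check, the constructor conversion, MustBePresent and the status codes follow the text above. The data-type URIs are standard XACML identifiers not quoted on this page, and the medical record content and urn:example namespace are constructed.

```python
"""AttributeSelector evaluation with a minimal path subset (added example)."""
import datetime
from dataclasses import dataclass
from typing import Callable, Dict, List, Union
from xml.dom import minidom
from xml.dom.minidom import Node

XS = "http://www.w3.org/2001/XMLSchema#"          # assumed data-type URI prefix
STATUS = "urn:oasis:names:tc:xacml:1.0:status:"
MISSING, SYNTAX, PROCESSING = (STATUS + s for s in
                               ("missing-attribute", "syntax-error", "processing-error"))


@dataclass(frozen=True)
class Indeterminate:
    status_code: str


# Constructor functions standing in for xs:string(), xs:integer(), xs:date().
CONSTRUCTORS: Dict[str, Callable[[str], object]] = {
    XS + "string": str,
    XS + "integer": int,
    XS + "date": datetime.date.fromisoformat,
}

# Node types a selection may contain (5.32); an element node is a syntax error.
TEXT_NODES = {Node.TEXT_NODE, Node.CDATA_SECTION_NODE}
ALLOWED = TEXT_NODES | {Node.ATTRIBUTE_NODE, Node.PROCESSING_INSTRUCTION_NODE,
                        Node.COMMENT_NODE}


def select(context: minidom.Element, path: str) -> List[Node]:
    """Path subset: steps are element names (matched by local name, prefixes
    ignored), text(), comment() or @name; this is a stand-in for XPath."""
    nodes: List[Node] = [context]
    for step in path.strip("/").split("/"):
        following: List[Node] = []
        for n in nodes:
            if n.nodeType != Node.ELEMENT_NODE:
                continue                       # only elements have children
            if step == "text()":
                following += [c for c in n.childNodes if c.nodeType in TEXT_NODES]
            elif step == "comment()":
                following += [c for c in n.childNodes if c.nodeType == Node.COMMENT_NODE]
            elif step.startswith("@"):
                attr = n.getAttributeNode(step[1:])
                if attr is not None:
                    following.append(attr)
            else:
                following += [c for c in n.childNodes if c.nodeType == Node.ELEMENT_NODE
                              and c.tagName.rsplit(":", 1)[-1] == step.rsplit(":", 1)[-1]]
        nodes = following
    return nodes


def attribute_selector(request_xml: str, path: str, data_type: str,
                       must_be_present: bool = False) -> Union[list, Indeterminate]:
    """Evaluate one <AttributeSelector> against a serialized <Request>."""
    request = minidom.parseString(request_xml).documentElement
    nodes = select(request, path)
    if not nodes:                              # nothing selected
        return Indeterminate(MISSING) if must_be_present else []
    if any(n.nodeType not in ALLOWED for n in nodes):
        return Indeterminate(SYNTAX)           # wrong node type, e.g. an element
    constructor = CONSTRUCTORS.get(data_type)
    if constructor is None:                    # non-primitive types need an extension
        return Indeterminate(PROCESSING)
    try:
        return [constructor(n.nodeValue) for n in nodes]
    except ValueError:
        return Indeterminate(PROCESSING)       # constructor rejected a node's value


# Constructed request context; the record content is not from the specification.
SAMPLE_REQUEST = """<Request xmlns="urn:oasis:names:tc:xacml:1.0:context">
  <Subject/>
  <Resource>
    <ResourceContent>
      <md:record xmlns:md="urn:example:medical"><md:patient id="42">
        <md:dob>1979-02-15</md:dob><md:visits>twelve</md:visits></md:patient></md:record>
    </ResourceContent>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
      DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>/records/42</AttributeValue></Attribute>
  </Resource>
  <Action/>
</Request>"""
PATIENT = "Resource/ResourceContent/record/patient"


def demo() -> dict:
    return {
        "dob": attribute_selector(SAMPLE_REQUEST, PATIENT + "/dob/text()", XS + "date"),
        "patient_id": attribute_selector(SAMPLE_REQUEST, PATIENT + "/@id", XS + "integer"),
        "element_selected": attribute_selector(SAMPLE_REQUEST, PATIENT, XS + "string"),
        "bad_integer": attribute_selector(SAMPLE_REQUEST, PATIENT + "/visits/text()", XS + "integer"),
        "absent": attribute_selector(SAMPLE_REQUEST, PATIENT + "/ssn/text()", XS + "string"),
        "absent_required": attribute_selector(SAMPLE_REQUEST, PATIENT + "/ssn/text()",
                                              XS + "string", must_be_present=True),
    }
```

The selector reads resource content that the requester may control, so the two error branches matter more than the happy path: a value that fails the constructor yields processing-error no matter what MustBePresent says, while a node that is simply absent yields an empty bag unless MustBePresent is true. A policy that denies when the selected date-of-birth shows a minor therefore needs MustBePresent="true", otherwise a request whose resource content omits the element sails through with an empty bag.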
5.33 Element <AttributeValue>
The <AttributeValue> element SHALL contain a literal attribute value.
<xs:element name="AttributeValue" type="xacml:AttributeValueType"/>
<xs:complexType name="AttributeValueType" mixed="true">
  <xs:sequence>
    <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
  <xs:anyAttribute namespace="##any" processContents="lax"/>
</xs:complexType>
The <AttributeValue> element is of the AttributeValueType complex type.
The <AttributeValue> element has the following attribute:
DataType [Required]
The data-type of the attribute value.
5.34 Element <Obligations>
The <Obligations> element SHALL contain a set of <Obligation> elements.
Support for the <Obligations> element is OPTIONAL.
<xs:element name="Obligations" type="xacml:ObligationsType"/>
<xs:complexType name="ObligationsType">
  <xs:sequence>
    <xs:element ref="xacml:Obligation" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <Obligations> element is of the ObligationsType complex type.
The <Obligations> element contains the following element:
<Obligation> [One to Many]
A sequence of obligations.
5.35 Element <Obligation>
The <Obligation> element SHALL contain an identifier for the obligation and a set of attributes that form arguments of the action defined by the obligation. The FulfillOn attribute SHALL indicate the effect for which this obligation applies.
<xs:element name="Obligation" type="xacml:ObligationType"/>
<xs:complexType name="ObligationType">
  <xs:sequence>
    <xs:element ref="xacml:AttributeAssignment" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:attribute name="ObligationId" type="xs:anyURI" use="required"/>
  <xs:attribute name="FulfillOn" type="xacml:EffectType" use="required"/>
</xs:complexType>
The <Obligation> element is of the ObligationType complex type. See Section 7.11 for a description of how the set of obligations to be returned by the PDP is determined.
The <Obligation> element contains the following elements and attributes:
ObligationId [Required]
Obligation identifier. The value of the obligation identifier SHALL be interpreted by the PEP.
FulfillOn [Required]
The effect for which this obligation applies.
<AttributeAssignment> [One to Many]
Obligation arguments assignment. The values of the obligation arguments SHALL be interpreted by the PEP.
5.36 Element <AttributeAssignment>
The <AttributeAssignment> element SHALL contain an AttributeId and the corresponding attribute value. The AttributeId is part of the attribute meta-data and is used when the attribute cannot be referenced by its location in the <xacml-context:Request>. This situation may arise in an <Obligation> element if the obligation includes parameters. The <AttributeAssignment> element MAY be used in any way consistent with the schema syntax, which is a sequence of "any". The value specified SHALL be understood by the PEP, but it is not further specified by XACML. See Section 7.11, "Obligations".
<xs:element name="AttributeAssignment" type="xacml:AttributeAssignmentType"/>
<xs:complexType name="AttributeAssignmentType" mixed="true">
  <xs:complexContent>
    <xs:extension base="xacml:AttributeValueType">
      <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
The <AttributeAssignment> element is of the AttributeAssignmentType complex type.
The <AttributeAssignment> element contains the following attribute:
AttributeId [Required]
The attribute identifier.
6 Context syntax (normative, with the exception of the schema fragments)
6.1 Element <Request>
The <Request> element is a top-level element in the XACML context schema. The <Request> element is an abstraction layer used by the policy language. Any proprietary system using the XACML specification MUST transform its decision request into the form of an XACML context <Request>.
The <Request> element contains <Subject>, <Resource>, <Action> and <Environment> elements. There may be multiple <Subject> elements. Each child element contains a sequence of <xacml-context:Attribute> elements associated with the subject, resource, action and environment, respectively.
<xs:element name="Request" type="xacml-context:RequestType"/>
<xs:complexType name="RequestType">
  <xs:sequence>
    <xs:element ref="xacml-context:Subject" maxOccurs="unbounded"/>
    <xs:element ref="xacml-context:Resource"/>
    <xs:element ref="xacml-context:Action"/>
    <xs:element ref="xacml-context:Environment" minOccurs="0"/>
  </xs:sequence>
</xs:complexType>
The <Request> element is of the RequestType complex type.
The <Request> element contains the following elements:
<Subject> [One to Many]
Specifies information about a subject of the request context by listing a sequence of <Attribute> elements associated with the subject. One or more <Subject> elements are allowed. A subject is an entity associated with the access request. One subject might represent the human user that initiated the application from which the request was issued. Another subject might represent the application's executable code that created the request. Another subject might represent the machine on which the application was executing. Another subject might represent the entity that is to be the recipient of the resource. Attributes of each of these entities MUST be enclosed in a separate <Subject> element.
<Resource> [Required]
Specifies information about the resource for which access is being requested by listing a sequence of <Attribute> elements associated with the resource. It MAY include a <ResourceContent> element.
<Action> [Required]
Specifies the requested action to be performed on the resource by listing a set of <Attribute> elements associated with the action.
<Environment> [Optional]
Contains a set of <Attribute> elements of the environment. These <Attribute> elements MAY form a part of policy evaluation.
6.2 Element <Subject>
The <Subject> element specifies a subject by listing a sequence of <Attribute> elements associated with the subject.
<xs:element name="Subject" type="xacml-context:SubjectType"/>
<xs:complexType name="SubjectType">
  <xs:sequence>
    <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:attribute name="SubjectCategory" type="xs:anyURI" use="optional"
    default="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"/>
</xs:complexType>
The <Subject> element is of the SubjectType complex type.
The <Subject> element contains the following attribute and elements:
SubjectCategory [Optional]
This attribute indicates the role that the parent <Subject> played in the formation of the access request. If this attribute is not present in a given <Subject> element, then the default value of "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" SHALL be used, indicating that the parent <Subject> element represents the entity ultimately responsible for initiating the access request.
If more than one <Subject> element carries a SubjectCategory attribute with the same value (the default value included), then the PDP SHALL treat the contents of those elements as if they were contained in the same <Subject> element.
<Attribute> [Any Number]
A sequence of attributes that apply to the subject.
Typically, a <Subject> element will contain an <Attribute> with an AttributeId of "urn:oasis:names:tc:xacml:1.0:subject:subject-id", containing the identity of the subject.
A <Subject> element MAY contain additional <Attribute> elements.
6.3 Element <Resource>
The <Resource> element specifies information about the resource to which access is requested by listing a sequence of <Attribute> elements associated with the resource. It MAY include the resource content.
<xs:element name="Resource" type="xacml-context:ResourceType"/>
<xs:complexType name="ResourceType">
  <xs:sequence>
    <xs:element ref="xacml-context:ResourceContent" minOccurs="0"/>
    <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <Resource> element is of the ResourceType complex type.
The <Resource> element contains the following elements:
<ResourceContent> [Optional]
The resource content.
<Attribute> [Any Number]
A sequence of resource attributes. The <Resource> element MUST contain one and only one <Attribute> with an AttributeId of "urn:oasis:names:tc:xacml:1.0:resource:resource-id". This attribute specifies the identity of the resource to which access is requested.
A <Resource> element MAY contain additional <Attribute> elements.
6.4 Element <ResourceContent>
The <ResourceContent> element is a notional placeholder for the resource content. If an XACML policy references the contents of the resource, then the <ResourceContent> element SHALL be used as the reference point.
<xs:complexType name="ResourceContentType" mixed="true">
  <xs:sequence>
    <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:anyAttribute namespace="##any" processContents="lax"/>
</xs:complexType>
The <ResourceContent> element is of the ResourceContentType complex type.
The <ResourceContent> element allows arbitrary elements and attributes.
6.5 Element <Action>
The <Action> element specifies the requested action on the resource by listing a set of <Attribute> elements associated with the action.
<xs:element name="Action" type="xacml-context:ActionType"/>
<xs:complexType name="ActionType">
  <xs:sequence>
    <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <Action> element is of the ActionType complex type.
The <Action> element contains the following element:
<Attribute> [Any Number]
A list of attributes of the action to be performed on the resource.
6.6 Element <Environment>
The <Environment> element contains a set of attributes of the environment. These attributes MAY form part of the policy evaluation.
<xs:element name="Environment" type="xacml-context:EnvironmentType"/>
<xs:complexType name="EnvironmentType">
  <xs:sequence>
    <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <Environment> element is of the EnvironmentType complex type.
The <Environment> element contains the following element:
<Attribute> [Any Number]
A list of environment attributes. Environment attributes are attributes that are not associated with either the resource, the action or any of the subjects of the access request.
6.7 Element <Attribute>
The <Attribute> element is the central abstraction of the request context. It contains an attribute value and attribute meta-data. The attribute meta-data comprises the attribute identifier, the attribute issuer and the attribute issue instant. Attribute designators and attribute selectors in the policy MAY refer to attributes by means of this meta-data.
<xs:element name="Attribute" type="xacml-context:AttributeType"/>
<xs:complexType name="AttributeType">
  <xs:sequence>
    <xs:element ref="xacml-context:AttributeValue"/>
  </xs:sequence>
  <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
  <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
  <xs:attribute name="Issuer" type="xs:string" use="optional"/>
  <xs:attribute name="IssueInstant" type="xs:dateTime" use="optional"/>
</xs:complexType>
The <Attribute> element is of the AttributeType complex type.
The <Attribute> element contains the following attributes and element:
AttributeId [Required]
Attribute identifier. A number of identifiers are reserved by XACML to denote commonly used attributes.
DataType [Required]
The data-type of the contents of the <AttributeValue> element. This SHALL be either a primitive type defined by the XACML 1.0 specification or a type defined in a namespace declared in the <xacml-context> element.
Issuer [Optional]
Attribute issuer. This attribute value MAY be an x500Name that binds to a public key, or it may be some other identifier exchanged out-of-band by issuing and relying parties.
IssueInstant [Optional]
The date and time at which the attribute was issued.
<AttributeValue> [Required]
Exactly one attribute value. The mandatory attribute value MAY have contents that are empty, occur once or occur multiple times.
6.8 Element <AttributeValue>
The <AttributeValue> element contains the value of an attribute.
<xs:element name="AttributeValue" type="xacml-context:AttributeValueType"/>
<xs:complexType name="AttributeValueType" mixed="true">
  <xs:sequence>
    <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:anyAttribute namespace="##any" processContents="lax"/>
</xs:complexType>
The <AttributeValue> element is of the AttributeValueType complex type.
The data-type of the <AttributeValue> MAY be specified by using the DataType attribute of the parent <Attribute> element.
6.9 Element <Response>
The <Response> element is a top-level element in the XACML context schema. The <Response> element is an abstraction layer used by the policy language. Any proprietary system using the XACML specification MUST transform an XACML context <Response> into the form of its authorization decision.
The <Response> element encapsulates the authorization decision produced by the PDP. It includes a sequence of one or more results, with one <Result> element per requested resource. Multiple results MAY be returned when the value of the "urn:oasis:names:tc:xacml:1.0:resource:scope" resource attribute in the request context is "Descendants" or "Children". Support for multiple results is OPTIONAL.
<xs:element name="Response" type="xacml-context:ResponseType"/>
<xs:complexType name="ResponseType">
  <xs:sequence>
    <xs:element ref="xacml-context:Result" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <Response> element is of the ResponseType complex type.
The <Response> element contains the following element:
<Result> [One to Many]
An authorization decision result.
6.10 Element <Result>
The <Result> element represents an authorization decision result for the resource specified by the ResourceId attribute. It MAY include a set of obligations that MUST be fulfilled by the PEP. If the PEP does not understand an obligation, then it MUST act as if the PDP had denied access to the requested resource.
<xs:element name="Result" type="xacml-context:ResultType"/>
<xs:complexType name="ResultType">
  <xs:sequence>
    <xs:element ref="xacml-context:Decision"/>
    <xs:element ref="xacml-context:Status"/>
    <xs:element ref="xacml:Obligations" minOccurs="0"/>
  </xs:sequence>
  <xs:attribute name="ResourceId" type="xs:string" use="optional"/>
</xs:complexType>
The <Result> element is of the ResultType complex type.
The <Result> element contains the following attribute and elements:
ResourceId [Optional]
The identifier of the requested resource. If this attribute is omitted, then the resource identity is specified by the "urn:oasis:names:tc:xacml:1.0:resource:resource-id" resource attribute in the corresponding <Request> element.
<Decision> [Required]
The authorization decision: "Permit", "Deny", "Indeterminate" or "NotApplicable".
<Status> [Required]
Indicates whether errors occurred during evaluation of the decision request, and optionally information about those errors.
<xacml:Obligations> [Optional]
A list of obligations that MUST be fulfilled by the PEP. If the PEP does not understand an obligation, then it MUST act as if the PDP had denied access to the requested resource. See Section 7.11 for a description of how the set of obligations to be returned by the PDP is determined.
6.11 Element <Decision>
The <Decision> element contains the result of policy evaluation.
<xs:element name="Decision" type="xacml-context:DecisionType"/>
<xs:simpleType name="DecisionType">
  <xs:restriction base="xs:string">
    <xs:enumeration value="Permit"/>
    <xs:enumeration value="Deny"/>
    <xs:enumeration value="Indeterminate"/>
    <xs:enumeration value="NotApplicable"/>
  </xs:restriction>
</xs:simpleType>
The <Decision> element is of the DecisionType simple type.
The values of the <Decision> element have the following meanings:
"Permit": the requested access is permitted.
"Deny": the requested access is denied.
"Indeterminate": the PDP is unable to evaluate the requested access. Reasons for such inability include missing attributes, network errors while retrieving policies, division by zero during policy evaluation, syntax errors in the decision request or in the policy, etc.
"NotApplicable": the PDP does not have any policy that applies to this decision request.
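How a PEP should consume a <Response> under Sections 6.9 to 6.13, as an added example rather than code from the specification or any XACML product: each <Result> is reduced to an enforcement outcome in which only "Permit" with every obligation understood and successfully fulfilled grants access, while "Deny", "Indeterminate", "NotApplicable" and any obligation the PEP does not recognise are all enforced as a denial, and the <StatusCode> chain (major code followed by nested minor codes) is surfaced for logging. The example assumes the XACML 1.0 namespace URIs shown for the context and policy schemas (the page does not quote them); the obligation identifiers, the minor status code and the response content under urn:example are constructed.

```python
"""PEP-side enforcement of an XACML <Response> (added example)."""
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple

CTX = "{urn:oasis:names:tc:xacml:1.0:context}"   # assumed context namespace
POL = "{urn:oasis:names:tc:xacml:1.0:policy}"    # assumed policy namespace
MISSING_ATTRIBUTE = "urn:oasis:names:tc:xacml:1.0:status:missing-attribute"

# An obligation handler gets the AttributeAssignment arguments (AttributeId ->
# text value) and reports whether it actually fulfilled the obligation.
Handler = Callable[[Dict[str, str]], bool]


def status_codes(result: ET.Element) -> List[str]:
    """Major status code followed by its chain of minor codes (6.13)."""
    codes: List[str] = []
    node = result.find(CTX + "Status/" + CTX + "StatusCode")
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find(CTX + "StatusCode")
    return codes


def obligations(result: ET.Element, decision: str) -> List[Tuple[str, Dict[str, str]]]:
    """(ObligationId, arguments) for each obligation whose FulfillOn equals the
    decision; re-checking FulfillOn keeps a mismatched obligation from running."""
    found = []
    for ob in result.iter(POL + "Obligation"):
        if ob.get("FulfillOn") != decision:
            continue
        args = {aa.get("AttributeId"): (aa.text or "").strip()
                for aa in ob.findall(POL + "AttributeAssignment")}
        found.append((ob.get("ObligationId"), args))
    return found


def enforce(response_xml: str, handlers: Dict[str, Handler]) -> List[dict]:
    """Reduce every <Result> to permit or deny, failing closed (6.10)."""
    outcomes = []
    for result in ET.fromstring(response_xml).findall(CTX + "Result"):
        decision = result.findtext(CTX + "Decision")
        pending = obligations(result, decision)
        unknown = [oid for oid, _ in pending if oid not in handlers]
        if unknown:
            fulfilled = False      # not understood: act as if the PDP had denied
        else:                      # run every handler, then require all to succeed
            fulfilled = all([handlers[oid](args) for oid, args in pending])
        outcomes.append({
            "resource_id": result.get("ResourceId"),
            "decision": decision,
            "status": status_codes(result),
            "unknown_obligations": unknown,
            "enforced": "permit" if decision == "Permit" and fulfilled else "deny",
        })
    return outcomes


# Constructed response: not taken from the specification.
SAMPLE_RESPONSE = """<Response xmlns="urn:oasis:names:tc:xacml:1.0:context"
          xmlns:xacml="urn:oasis:names:tc:xacml:1.0:policy">
  <Result ResourceId="/records/1">
    <Decision>Permit</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
    <xacml:Obligations>
      <xacml:Obligation ObligationId="urn:example:obligation:audit" FulfillOn="Permit">
        <xacml:AttributeAssignment AttributeId="urn:example:audit:reason"
          DataType="http://www.w3.org/2001/XMLSchema#string">treating physician</xacml:AttributeAssignment>
      </xacml:Obligation>
    </xacml:Obligations>
  </Result>
  <Result ResourceId="/records/2">
    <Decision>Permit</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
    <xacml:Obligations>
      <xacml:Obligation ObligationId="urn:example:obligation:watermark" FulfillOn="Permit">
        <xacml:AttributeAssignment AttributeId="urn:example:watermark:text"
          DataType="http://www.w3.org/2001/XMLSchema#string">CONFIDENTIAL</xacml:AttributeAssignment>
      </xacml:Obligation>
    </xacml:Obligations>
  </Result>
  <Result ResourceId="/records/3">
    <Decision>Indeterminate</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute">
        <StatusCode Value="urn:example:status:directory-unreachable"/>
      </StatusCode>
      <StatusMessage>subject role could not be retrieved</StatusMessage>
    </Status>
  </Result>
</Response>"""


def demo() -> Tuple[List[dict], List[str]]:
    audit_log: List[str] = []

    def audit(args: Dict[str, str]) -> bool:   # the one obligation this PEP understands
        audit_log.append(args["urn:example:audit:reason"])
        return True

    return enforce(SAMPLE_RESPONSE, {"urn:example:obligation:audit": audit}), audit_log
```

The second result is the case the text above is written for: the PDP permitted access, but the PEP has no handler for the watermark obligation, so it enforces a denial without running any obligation at all. The third result shows why the status chain is worth logging rather than discarding: "Indeterminate" with missing-attribute is not a policy decision about the subject but a sign that an attribute source failed, which an operator needs to see separately from ordinary denials.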
6.12 Element <Status>
The <Status> element represents the status of the authorization decision result.
<xs:element name="Status" type="xacml-context:StatusType"/>
<xs:complexType name="StatusType">
  <xs:sequence>
    <xs:element ref="xacml-context:StatusCode"/>
    <xs:element ref="xacml-context:StatusMessage" minOccurs="0"/>
    <xs:element ref="xacml-context:StatusDetail" minOccurs="0"/>
  </xs:sequence>
</xs:complexType>
The <Status> element is of the StatusType complex type.
The <Status> element contains the following elements:
<StatusCode> [Required]
Status code.
<StatusMessage> [Optional]
A status message describing the status code.
<StatusDetail> [Optional]
Additional status information.
6.13 Element <StatusCode>

The <StatusCode> element contains a major status code value and an optional sequence of minor status codes.

    <xs:element name="StatusCode" type="xacml-context:StatusCodeType"/>
    <xs:complexType name="StatusCodeType">
        <xs:sequence>
            <xs:element ref="xacml-context:StatusCode" minOccurs="0"/>
        </xs:sequence>
        <xs:attribute name="Value" type="xs:anyURI" use="required"/>
    </xs:complexType>

The <StatusCode> element is of StatusCodeType complex type.

The <StatusCode> element contains the following attributes and elements:

Value [Required]
See Section B.9 for a list of values.
<StatusCode> [Any Number]
Minor status code. This status code qualifies its parent status code.

6.14 Element <StatusMessage>

The <StatusMessage> element is a free-form description of the status code.

    <xs:element name="StatusMessage" type="xs:string"/>

The <StatusMessage> element is of xs:string type.

6.15 Element <StatusDetail>

The <StatusDetail> element qualifies the <Status> element with additional information.

    <xs:element name="StatusDetail" type="xacml-context:StatusDetailType"/>
    <xs:complexType name="StatusDetailType">
        <xs:sequence>
            <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
    </xs:complexType>

The <StatusDetail> element is of StatusDetailType complex type.

The <StatusDetail> element allows arbitrary XML content.
Inclusion of a <StatusDetail> element is optional. However, if a PDP returns one of the following XACML-defined <StatusCode> values and includes a <StatusDetail> element, then the following rules apply.

urn:oasis:names:tc:xacml:1.0:status:ok
A PDP MUST NOT return a <StatusDetail> element in conjunction with the "ok" status value.

urn:oasis:names:tc:xacml:1.0:status:missing-attribute
A PDP MAY choose not to return any <StatusDetail> information, or MAY choose to return a <StatusDetail> element containing one or more <xacml-context:Attribute> elements. If the PDP includes <AttributeValue> elements in the <Attribute> element, then this indicates the acceptable values for that attribute. If no <AttributeValue> elements are included, then this indicates the names of attributes that the PDP failed to resolve during its evaluation. The list of attributes may be partial or complete. There is no guarantee by the PDP that supplying the missing values or attributes will be sufficient to satisfy the policy.

urn:oasis:names:tc:xacml:1.0:status:syntax-error
A PDP MUST NOT return a <StatusDetail> element in conjunction with the "syntax-error" status value. A syntax error may represent either a problem with the policy being used or with the request context. The PDP MAY return a <StatusMessage> describing the problem.

urn:oasis:names:tc:xacml:1.0:status:processing-error
A PDP MUST NOT return a <StatusDetail> element in conjunction with the "processing-error" status value. This status code indicates an internal problem in the PDP. For security reasons, the PDP MAY choose to return no further information to the PEP. In the case of a divide-by-zero error or other computational error, the PDP MAY return a <StatusMessage> describing the nature of the error.
7 Functional requirements (normative)

This section specifies certain functional requirements that are not directly associated with the production or consumption of a particular XACML element.

7.1 Policy enforcement point

This section describes the requirements for the PEP.

An application functions in the role of the PEP if it guards access to a set of resources and asks the PDP for an authorization decision. The PEP MUST abide by the authorization decision in the following way:

A PEP SHALL allow access to the resource only if a valid XACML response of "Permit" is returned by the PDP. The PEP SHALL deny access to the resource in all other cases. An XACML response of "Permit" SHALL be considered valid only if the PEP understands all of the obligations contained in the response.

7.2 Base policy

A PDP SHALL represent one policy or policy set, called its base policy. This base policy MAY be a <Policy> element containing a <Target> element that matches every possible decision request, or (for instance) it MAY be a <Policy> element containing a <Target> element that matches only a specific subject. In such cases, the base policy SHALL form the root node of a tree of policies, connected by <PolicyIdReference> and <PolicySetIdReference> elements, to all the rules that may be applicable to any decision request that the PDP is capable of evaluating.

In the case of a PDP that retrieves policies according to the decision request that it is processing, the base policy SHALL contain a <Policy> element containing a <Target> element that matches every possible decision request and a PolicyCombiningAlgId attribute with the value "Only-one-applicable". In other words, the PDP SHALL return an error if it retrieves policies that do not form a single tree.
7.3 Target evaluation

The target value SHALL be "Match" if the subject, resource and action specified in the target all match values in the request context. The target value SHALL be "No-match" if one or more of the subject, resource and action specified in the target do not match values in the request context. The value of a <SubjectMatch>, <ResourceMatch> or <ActionMatch> element in which a referenced attribute value cannot be obtained depends on the value of the MustBePresent attribute of the <AttributeDesignator> or <AttributeSelector> element. If the MustBePresent attribute is "True", then the result of the <SubjectMatch>, <ResourceMatch> or <ActionMatch> element SHALL be "Indeterminate" in this case. If the MustBePresent attribute is "False" or missing, then the result of the <SubjectMatch>, <ResourceMatch> or <ActionMatch> element SHALL be "No-match".

7.4 Condition evaluation

The condition value SHALL be "True" if the <Condition> element is absent, or if it evaluates to "True" for the attribute values supplied in the request context. Its value is "False" if the <Condition> element evaluates to "False" for the attribute values supplied in the request context. If any attribute value referenced in the condition cannot be obtained, then the condition SHALL evaluate to "Indeterminate".

7.5 Rule evaluation

A rule has a value that can be calculated by evaluating its contents. Rule evaluation involves separate evaluation of the rule's target and condition. The rule truth table is shown in Table 1.

Target          | Condition       | Rule Value
----------------|-----------------|-----------------
"Match"         | "True"          | Effect
"Match"         | "False"         | "NotApplicable"
"Match"         | "Indeterminate" | "Indeterminate"
"No-match"      | Don't care      | "NotApplicable"
"Indeterminate" | Don't care      | "Indeterminate"

Table 1 - Rule truth table

If the target value is "No-match" or "Indeterminate", then the rule value SHALL be "NotApplicable" or "Indeterminate", respectively, regardless of the value of the condition. For these cases, therefore, the condition need not be evaluated in order to determine the rule value.

If the target value is "Match" and the condition value is "True", then the effect specified in the rule SHALL determine the rule value.

7.6 Policy evaluation

The value of a policy SHALL be determined only by its contents, considered in relation to the contents of the request context. A policy's value SHALL be determined by evaluation of the policy's target and rules, according to the specified rule-combining algorithm.
The policy's target SHALL be evaluated to determine the applicability of the policy. If the target evaluates to "Match", then the value of the policy SHALL be determined by evaluation of the policy's rules, according to the specified rule-combining algorithm. If the target evaluates to "No-match", then the value of the policy SHALL be "NotApplicable". If the target evaluates to "Indeterminate", then the value of the policy SHALL be "Indeterminate".

The policy truth table is shown in Table 2.

Target          | Rule values                                | Policy Value
----------------|--------------------------------------------|-------------------------------------------
"Match"         | At least one rule value is its Effect      | Specified by the rule-combining algorithm
"Match"         | All rule values are "NotApplicable"        | "NotApplicable"
"Match"         | At least one rule value is "Indeterminate" | Specified by the rule-combining algorithm
"No-match"      | Don't care                                 | "NotApplicable"
"Indeterminate" | Don't care                                 | "Indeterminate"

Table 2 - Policy truth table

The "Rule values" entry "At least one rule value is its Effect" SHALL apply if the <Rule> element is absent, or if one or more of the rules contained in the policy is applicable to the decision request (i.e. returns a value of "Effect", see Section 7.5). The entry "All rule values are 'NotApplicable'" SHALL apply if no rule contained in the policy is applicable to the request and no rule contained in the policy returns a value of "Indeterminate". If no rule contained in the policy is applicable to the request, but one or more rules return a value of "Indeterminate", then the entry "At least one rule value is 'Indeterminate'" SHALL apply.

If the target value is "No-match" or "Indeterminate", then the policy value SHALL be "NotApplicable" or "Indeterminate", respectively, regardless of the value of the rules. For these cases, therefore, the rules need not be evaluated in order to determine the policy value.

If the target value is "Match" and the rule values entry is "At least one rule value is its Effect" or "At least one rule value is 'Indeterminate'", then the rule-combining algorithm specified in the policy SHALL determine the policy value.
7.7 Policy set evaluation

The value of a policy set SHALL be determined by its contents, considered in relation to the contents of the request context. A policy set's value SHALL be determined by evaluation of the policy set's target, policies and policy sets, according to the specified policy-combining algorithm.

The policy set's target SHALL be evaluated to determine the applicability of the policy set. If the target evaluates to "Match", then the value of the policy set SHALL be determined by evaluation of the policy set's policies and policy sets, according to the specified policy-combining algorithm. If the target evaluates to "No-match", then the value of the policy set SHALL be "NotApplicable". If the target evaluates to "Indeterminate", then the value of the policy set SHALL be "Indeterminate".

The policy set truth table is shown in Table 3.

Target          | Policy values                                | Policy Set Value
----------------|----------------------------------------------|---------------------------------------------
"Match"         | At least one policy value is its Decision    | Specified by the policy-combining algorithm
"Match"         | All policy values are "NotApplicable"        | "NotApplicable"
"Match"         | At least one policy value is "Indeterminate" | Specified by the policy-combining algorithm
"No-match"      | Don't care                                   | "NotApplicable"
"Indeterminate" | Don't care                                   | "Indeterminate"

Table 3 - Policy set truth table

The "Policy values" entry "At least one policy value is its Decision" SHALL apply if there are no contained or referenced policies or policy sets, or if one or more of the policies or policy sets contained in or referenced by the policy set is applicable to the decision request (i.e. returns a value determined by its rule-combining algorithm, see Section 7.6). The entry "All policy values are 'NotApplicable'" SHALL apply if no policy or policy set contained in or referenced by the policy set is applicable to the request, and no policy or policy set contained in or referenced by the policy set returns a value of "Indeterminate". If no policy or policy set contained in or referenced by the policy set is applicable to the request, but one or more policies or policy sets return a value of "Indeterminate", then the entry "At least one policy value is 'Indeterminate'" SHALL apply.

If the target value is "No-match" or "Indeterminate", then the policy set value SHALL be "NotApplicable" or "Indeterminate", respectively, regardless of the value of the policies. For these cases, therefore, the policies need not be evaluated in order to determine the policy set value.

If the target value is "Match" and the policy values entry is "At least one policy value is its Decision" or "At least one policy value is 'Indeterminate'", then the policy-combining algorithm specified in the policy set SHALL determine the policy set value.
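The following Python program is an added example, not code from this specification or from any XACML implementation. It carries Tables 1, 2 and 3 (Sections 7.3 to 7.7) through as executable truth tables: each target is supplied as the list of results already produced by its match elements, and each condition as its already-computed value, so that the propagation of "No-match" and "Indeterminate" up the rule/policy/policy-set tree is what the code shows. The combining algorithm is an assumed deny-overrides written from the author's reading of the appendix (Indeterminate with a Deny effect, or an Indeterminate policy, becomes Deny); this section only says that the algorithm decides, so the combiner is an assumption, as is letting "No-match" win over "Indeterminate" when a target contains both.

```python
"""Rule, policy and policy-set evaluation (Sections 7.3 - 7.7) - added example.

Targets are given as the list of results already produced by their
<SubjectMatch>/<ResourceMatch>/<ActionMatch> elements, conditions as their
already-evaluated value, so the code concentrates on the truth tables.
The combining algorithm is an ASSUMED deny-overrides, not taken from this section.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

MATCH, NO_MATCH, INDET = "Match", "No-match", "Indeterminate"
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"


def evaluate_target(match_results: List[str]) -> str:
    """Section 7.3.  An empty target (no match elements) matches everything.
    7.3 does not rank No-match against Indeterminate when both occur;
    this example lets No-match win (assumption)."""
    if any(r == NO_MATCH for r in match_results):
        return NO_MATCH
    if any(r == INDET for r in match_results):
        return INDET
    return MATCH


@dataclass
class Rule:
    effect: str               # "Permit" or "Deny"
    target: List[str]         # results of the rule's match elements
    condition: str = "True"   # "True", "False" or "Indeterminate" (absent == "True")


@dataclass
class Policy:
    target: List[str]
    rules: List[Rule] = field(default_factory=list)


@dataclass
class PolicySet:
    target: List[str]
    children: List[Union[Policy, "PolicySet"]] = field(default_factory=list)


def evaluate_rule(rule: Rule) -> str:
    """Table 1.  The condition is consulted only when the target matches."""
    t = evaluate_target(rule.target)
    if t != MATCH:
        return NA if t == NO_MATCH else INDET
    if rule.condition == "True":
        return rule.effect
    return NA if rule.condition == "False" else INDET


def deny_overrides(values: List[Tuple[str, Optional[str]]]) -> str:
    """ASSUMED deny-overrides over (decision, effect) pairs.  For rules `effect`
    is the rule's Effect; for policies it is None, and an Indeterminate policy
    is treated as a potential Deny."""
    potential_deny = at_least_one_permit = at_least_one_error = False
    for decision, effect in values:
        if decision == DENY:
            return DENY
        if decision == PERMIT:
            at_least_one_permit = True
        elif decision == INDET:
            at_least_one_error = True
            if effect in (DENY, None):
                potential_deny = True
    if potential_deny:
        return DENY
    if at_least_one_permit:
        return PERMIT
    return INDET if at_least_one_error else NA


def evaluate_policy(policy: Policy) -> str:
    """Table 2: target first; the rules are evaluated only on Match."""
    t = evaluate_target(policy.target)
    if t != MATCH:
        return NA if t == NO_MATCH else INDET
    values = [(evaluate_rule(r), r.effect) for r in policy.rules]
    if values and all(v == NA for v, _ in values):
        return NA                      # "All rule values are NotApplicable"
    return deny_overrides(values)      # otherwise the combiner decides


def evaluate_policy_set(pset: PolicySet) -> str:
    """Table 3: same shape as Table 2, one level up."""
    t = evaluate_target(pset.target)
    if t != MATCH:
        return NA if t == NO_MATCH else INDET
    values = [(evaluate(c), None) for c in pset.children]
    if values and all(v == NA for v, _ in values):
        return NA
    return deny_overrides(values)


def evaluate(node: Union[Rule, Policy, PolicySet]) -> str:
    if isinstance(node, Rule):
        return evaluate_rule(node)
    if isinstance(node, Policy):
        return evaluate_policy(node)
    return evaluate_policy_set(node)


if __name__ == "__main__":
    # A matching Permit rule beside a Deny rule whose condition could not be
    # evaluated: under deny-overrides the Indeterminate becomes Deny.
    p = Policy([MATCH], [Rule(PERMIT, [MATCH]), Rule(DENY, [MATCH], INDET)])
    print(evaluate(p))
```

The point a practitioner should take from the run is that "Indeterminate" is not an error that simply disappears: the truth tables carry it upward, and what it finally becomes (Deny here) is decided by the combining algorithm, so a missing attribute on a Deny rule can flip an otherwise permitted request.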
7.8 Hierarchical resources

It is often the case that a resource is organized as a hierarchy (e.g. file system, XML document). Some access requesters may request access to an entire subtree of a resource, specified by a node. XACML allows the PEP (or context handler) to specify whether the decision request is just for a single resource or for a subtree below the specified resource. The latter is equivalent to repeating a single request for each node in the entire subtree. When a request context contains a resource attribute of type

urn:oasis:names:tc:xacml:1.0:resource:scope

with a value of "Immediate", or if it does not contain that attribute, then the decision request SHALL be interpreted to apply to just the single resource specified by the "urn:oasis:names:tc:xacml:1.0:resource:resource-id" attribute.

When the

urn:oasis:names:tc:xacml:1.0:resource:scope

attribute has the value "Children", the decision request SHALL be interpreted to apply to the specified resource and its immediate child resources.

When the

urn:oasis:names:tc:xacml:1.0:resource:scope

attribute has the value "Descendants", the decision request SHALL be interpreted to apply to both the specified resource and all its descendant resources.

In the case of "Children" and "Descendants", the authorization decision MAY include multiple results for the multiple sub-nodes in the resource sub-tree.

An XACML authorization response MAY contain multiple <Result> elements.

Note that the method by which the PDP discovers whether the resource is hierarchically organized or not is outside the scope of XACML.

In the case where a child or descendant resource cannot be accessed, the <Result> element associated with the parent element SHALL contain a <StatusCode> Value of "urn:oasis:names:tc:xacml:1.0:status:processing-error".
7.9 Attributes

Attributes are specified in the request context, regardless of whether or not they appeared in the original decision request, and are referred to in the policy by subject, resource, action and environment attribute designators and attribute selectors. A named attribute is the term used for the criteria that the specific subject, resource, action and environment attribute designators and selectors use to refer to attributes in the subject, resource, action and environment elements of the request context, respectively.

7.9.1 Attribute matching

A named attribute has specific criteria with which to match attributes in the context. An attribute specifies AttributeId, DataType and Issuer attributes, and each named attribute also specifies AttributeId, DataType and optional Issuer attributes. A named attribute SHALL match an attribute if the values of their respective AttributeId, DataType and optional Issuer attributes match within their particular element (e.g. subject, resource, action or environment) of the context. The AttributeId of the named attribute MUST match, by URI equality, the AttributeId of the context attribute. The DataType of the named attribute MUST match, by URI equality, the DataType of the same context attribute. If Issuer is supplied in the named attribute, then it MUST match, by string equality, the Issuer of the same context attribute. If Issuer is not supplied in the named attribute, then the matching of the context attribute to the named attribute SHALL be governed by AttributeId and DataType alone, regardless of the presence, absence or actual value of Issuer. In the case of an attribute selector, the matching of the attribute to the named attribute SHALL be governed by the XPath expression and DataType.

7.9.2 Attribute retrieval

The PDP SHALL request the values of attributes in the request context from the context handler. The PDP SHALL reference the attributes as if they were in a physical request context document, but the context handler is responsible for obtaining and supplying the requested values. The context handler SHALL return the values of attributes that match the attribute designator or attribute selector and form them into a bag of values with the specified data-type. If no attributes from the request context match, then the attribute SHALL be considered missing. If the attribute is missing, then MustBePresent governs whether the attribute designator or attribute selector returns an empty bag or an "Indeterminate" result. If MustBePresent is "False" (the default value), then a missing attribute SHALL result in an empty bag. If MustBePresent is "True", then a missing attribute SHALL result in "Indeterminate". This "Indeterminate" result SHALL be handled in accordance with the specification of the encompassing expressions, rules, policies and policy sets. If the result is "Indeterminate", then the AttributeId, DataType and Issuer of the attribute MAY be listed in the authorization decision, as described in Section 7.10. However, a PDP MAY choose not to return such information for security reasons.

7.9.3 Environment attributes

Environment attributes are listed in Section B.8. If a value for one of these attributes is supplied in the decision request, then the context handler SHALL use that value. Otherwise, the context handler SHALL supply a value. For the date and time attributes, the supplied value SHALL have the semantics of the date and time that apply to the decision request.
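The following Python program is an added example of the matching and retrieval rules in Sections 7.9.1 and 7.9.2; it is not code from this specification or from any XACML product. The request context it uses is constructed, and the urn:example: attribute identifiers are invented for the demonstration. URI equality is implemented as plain string comparison of the URIs, which is what the XACML anyURI equality amounts to here.

```python
"""Named-attribute matching and bag retrieval (Sections 7.9.1 and 7.9.2).

Added example, not code from the specification.  The <Subject> section below
and the urn:example: identifiers are constructed.
"""
from dataclasses import dataclass
from typing import Any, List, Optional, Tuple

XACML = "urn:oasis:names:tc:xacml:1.0:"
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"
XSD_INTEGER = "http://www.w3.org/2001/XMLSchema#integer"


@dataclass(frozen=True)
class Attribute:
    """One <Attribute> in a subject/resource/action/environment element."""
    attribute_id: str
    data_type: str
    values: Tuple[Any, ...]
    issuer: Optional[str] = None


@dataclass(frozen=True)
class Designator:
    """A named attribute as written in a policy (an attribute designator)."""
    attribute_id: str
    data_type: str
    issuer: Optional[str] = None
    must_be_present: bool = False


class Indeterminate(Exception):
    """Raised when MustBePresent="true" and no attribute matched."""


def matches(named: Designator, attr: Attribute) -> bool:
    """7.9.1: AttributeId and DataType compare by URI equality (plain string
    comparison of the URIs); Issuer compares by string equality, and only
    when the designator supplies one."""
    if named.attribute_id != attr.attribute_id:
        return False
    if named.data_type != attr.data_type:
        return False
    return named.issuer is None or named.issuer == attr.issuer


def retrieve_bag(named: Designator, section: List[Attribute]) -> List[Any]:
    """7.9.2: the context handler collects every matching value into a bag of
    the designator's data type.  Nothing matched means 'missing': an empty
    bag, or Indeterminate when MustBePresent is true."""
    bag = [v for a in section if matches(named, a) for v in a.values]
    if not bag and named.must_be_present:
        raise Indeterminate("missing %s (%s)" % (named.attribute_id, named.data_type))
    return bag


# Constructed <Subject> section: the same subject-id asserted by two issuers,
# a multi-valued role attribute and an integer clearance level.
SUBJECT: List[Attribute] = [
    Attribute(XACML + "subject:subject-id", XSD_STRING, ("alice",), issuer="corp-idp"),
    Attribute(XACML + "subject:subject-id", XSD_STRING, ("alice@example.com",), issuer="mail-gw"),
    Attribute("urn:example:role", XSD_STRING, ("engineer", "reviewer")),
    Attribute("urn:example:clearance", XSD_INTEGER, (3,)),
]


def demo() -> dict:
    return {
        # No Issuer on the designator: both issuers' values land in the bag.
        "id_any_issuer": retrieve_bag(Designator(XACML + "subject:subject-id", XSD_STRING), SUBJECT),
        # Issuer pinned: only the corporate IdP's assertion is used.
        "id_corp": retrieve_bag(Designator(XACML + "subject:subject-id", XSD_STRING, issuer="corp-idp"), SUBJECT),
        "roles": retrieve_bag(Designator("urn:example:role", XSD_STRING), SUBJECT),
        # DataType mismatch is a non-match: clearance as a string is "missing".
        "clearance_as_string": retrieve_bag(Designator("urn:example:clearance", XSD_STRING), SUBJECT),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
    try:
        retrieve_bag(Designator("urn:example:department", XSD_STRING, must_be_present=True), SUBJECT)
    except Indeterminate as err:
        print("Indeterminate:", err)
```

Two consequences of 7.9.1 are visible in the output and matter when writing policy: a designator that omits Issuer accepts the attribute from any issuer, including one the policy author never meant to trust, so identity-bearing attributes should normally pin Issuer; and a DataType mismatch is silently a non-match, so a policy that asks for a string where the context carries an integer sees an empty bag rather than an error unless MustBePresent is set.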
7.10 Authorization decision

Given a valid XACML policy or policy set, a compliant XACML PDP MUST evaluate the policy as specified in Sections 5 and 4.2. The PDP MUST return a response context with one <Decision> element of value "Permit", "Deny", "Indeterminate" or "NotApplicable".

If the PDP cannot make a decision, then an "Indeterminate" <Decision> element contents SHALL be returned. The PDP MAY return a <Decision> element contents of "Indeterminate" with a status code of

urn:oasis:names:tc:xacml:1.0:status:missing-attribute

signifying that more information is needed. In this case, the <Status> element MAY list the names and data-types of any attributes of the subjects, resource, action or environment that are needed by the PDP to refine its decision. A PEP MAY resubmit a refined request context in response to a <Decision> element contents of "Indeterminate" with a status code of

urn:oasis:names:tc:xacml:1.0:status:missing-attribute

by adding attribute values for the attribute names that were listed in the previous response. When the PDP returns a <Decision> element contents of "Indeterminate" with a status code of

urn:oasis:names:tc:xacml:1.0:status:missing-attribute

it MUST NOT list the names and data-types of any attribute of the subject, resource, action or environment for which values were supplied in the original request. Note: this requirement forces the PDP to eventually return an authorization decision of "Permit", "Deny" or "Indeterminate" with some other status code in response to successively-refined requests.
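The following Python program is an added example, not code from this specification, of a PDP building the <Status> of a <Result> under the rules of Sections 6.12 to 6.15 and 7.10: no <StatusDetail> with "ok", "syntax-error" or "processing-error", and, for "missing-attribute", a <StatusDetail> that lists unresolved attributes but never ones the request already supplied. The attribute identifiers under urn:example: and the sample request are constructed; element names and namespaces are those of the xacml-context schema.

```python
"""Building <Status> for an Indeterminate result (Sections 6.12 - 6.15, 7.10).

Added example, not code from the specification.  urn:example: identifiers
and the sample request are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Iterable, List, Optional, Tuple

CTX = "urn:oasis:names:tc:xacml:1.0:context"
STATUS = "urn:oasis:names:tc:xacml:1.0:status:"
OK, MISSING, SYNTAX, PROCESSING = (
    STATUS + s for s in ("ok", "missing-attribute", "syntax-error", "processing-error"))
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"
XSD_INTEGER = "http://www.w3.org/2001/XMLSchema#integer"
ET.register_namespace("xacml-context", CTX)

NamedAttr = Tuple[str, str]   # (AttributeId, DataType)


def _tag(local: str) -> str:
    return "{%s}%s" % (CTX, local)


def build_result(decision: str, status_code: str, message: Optional[str] = None,
                 unresolved: Iterable[NamedAttr] = (),
                 supplied: Iterable[NamedAttr] = ()) -> ET.Element:
    """Return a <Result> carrying <Decision> and <Status>.

    unresolved: attributes the PDP failed to resolve (Section 6.15).
    supplied:   attributes present in the original request; 7.10 forbids
                echoing these back, which keeps the PEP's resubmission loop finite.
    """
    unresolved = list(unresolved)
    supplied_set = set(supplied)
    # 6.15: ok, syntax-error and processing-error never carry StatusDetail.
    if status_code in (OK, SYNTAX, PROCESSING) and unresolved:
        raise ValueError("StatusDetail is not permitted with " + status_code)
    result = ET.Element(_tag("Result"))
    ET.SubElement(result, _tag("Decision")).text = decision
    status = ET.SubElement(result, _tag("Status"))
    ET.SubElement(status, _tag("StatusCode"), Value=status_code)
    if message is not None:
        ET.SubElement(status, _tag("StatusMessage")).text = message
    report = [a for a in unresolved if a not in supplied_set]
    if status_code == MISSING and report:
        detail = ET.SubElement(status, _tag("StatusDetail"))
        for attr_id, data_type in report:
            # No <AttributeValue> children: "these names could not be resolved".
            ET.SubElement(detail, _tag("Attribute"), AttributeId=attr_id, DataType=data_type)
    return result


def reported_attributes(result: ET.Element) -> List[NamedAttr]:
    """PEP side: the attributes to add before resubmitting a refined request."""
    return [(a.get("AttributeId"), a.get("DataType"))
            for a in result.iter(_tag("Attribute"))]


def decision_of(result: ET.Element) -> str:
    return result.findtext(_tag("Decision"))


def to_xml(result: ET.Element) -> str:
    return ET.tostring(result, encoding="unicode")


if __name__ == "__main__":
    # Constructed request: role was supplied, clearance was not.
    supplied = [("urn:example:role", XSD_STRING)]
    r = build_result("Indeterminate", MISSING, "need clearance level",
                     unresolved=[("urn:example:clearance", XSD_INTEGER),
                                 ("urn:example:role", XSD_STRING)],
                     supplied=supplied)
    print(to_xml(r))
    print(reported_attributes(r))   # only the clearance attribute is reported
```

The filter against supplied attributes is the termination guarantee of 7.10: a PEP that keeps adding what it is told to add will, after finitely many rounds, receive a decision with some other status code. The ValueError branch is the information-leak control of 6.15: an internal processing error is reported as a bare status code, with at most a <StatusMessage>, never as structured detail about the PDP's internals.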
7.11 Obligations

A policy or policy set may contain one or more obligations. When such a policy or policy set is evaluated, an obligation SHALL be passed up to the next level of evaluation (the enclosing or referencing policy set, or the authorization decision) only if the effect of the policy or policy set being evaluated matches the value of the xacml:FulfillOn attribute of the obligation.

As a consequence of this procedure, no obligations SHALL be returned to the PEP if the policies or policy sets from which they are drawn are not evaluated, or if their evaluated result is "Indeterminate" or "NotApplicable", or if the decision resulting from evaluating the policy or policy set does not match the decision resulting from evaluating an enclosing policy set.

If the PDP's evaluation is viewed as a tree of policy sets and policies, each of which returns "Permit" or "Deny", then the set of obligations returned by the PDP to the PEP will include only the obligations associated with those paths where the effect at each level of evaluation is the same as the effect being returned by the PDP.

A PEP that receives a valid XACML response of "Permit" with obligations SHALL be responsible for fulfilling all of those obligations. A PEP that receives an XACML response of "Deny" with obligations SHALL be responsible for fulfilling all of the obligations that it understands.
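The following Python program is an added example, not code from this specification, of the obligation rule in Section 7.11 together with the PEP rule of Section 7.1. Decisions are taken as already computed (the tree is the result of evaluation, not the policies themselves), and the obligation identifiers under urn:example: are constructed. The recursion makes the "paths where the effect at each level is the same" statement literal: a subtree is pruned as soon as one node's decision differs from the one the PDP returns.

```python
"""Obligation propagation (Section 7.11) and PEP enforcement (Section 7.1).

Added example, not code from the specification.  Decisions are taken as
already computed; urn:example: obligation identifiers are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

PERMIT, DENY = "Permit", "Deny"


@dataclass
class Obligation:
    obligation_id: str
    fulfill_on: str          # value of xacml:FulfillOn, "Permit" or "Deny"


@dataclass
class Node:
    """A policy or policy set after evaluation."""
    decision: str            # "Permit", "Deny", "Indeterminate" or "NotApplicable"
    obligations: List[Obligation] = field(default_factory=list)
    children: List["Node"] = field(default_factory=list)


def collect_obligations(node: Node, decision: str) -> List[str]:
    """Obligations that reach the PEP when the PDP returns `decision`.

    7.11: an obligation climbs one level only if its FulfillOn equals the
    decision of the policy (set) holding it, and is dropped at any enclosing
    level whose decision differs.  So it is returned iff every node on its
    path evaluated to the PDP's final decision.
    """
    if node.decision != decision:
        return []                       # whole subtree pruned
    found = [o.obligation_id for o in node.obligations if o.fulfill_on == decision]
    for child in node.children:
        found.extend(collect_obligations(child, decision))
    return found


def pep_enforce(decision: str, obligations: List[str],
                understood: Set[str]) -> Tuple[bool, List[str]]:
    """7.1: grant only on a *valid* Permit, i.e. every obligation understood;
    a Permit with an unknown obligation is handled as a Deny.  On Deny, fulfil
    the obligations the PEP understands.  Returns (granted, to_fulfil)."""
    if decision == PERMIT:
        if all(o in understood for o in obligations):
            return True, list(obligations)
        return False, []
    if decision == DENY:
        return False, [o for o in obligations if o in understood]
    return False, []                    # Indeterminate / NotApplicable


def sample_tree() -> Node:
    """Constructed evaluation tree: a policy set that returned Permit."""
    return Node(PERMIT, [Obligation("urn:example:obligation:audit", PERMIT)], [
        Node(PERMIT, [Obligation("urn:example:obligation:watermark", PERMIT),
                      Obligation("urn:example:obligation:alert-security", DENY)]),
        Node("NotApplicable", [Obligation("urn:example:obligation:notify-owner", PERMIT)]),
        Node(DENY, [Obligation("urn:example:obligation:alert-security", DENY)]),
    ])


if __name__ == "__main__":
    tree = sample_tree()
    obs = collect_obligations(tree, tree.decision)
    print(obs)   # audit and watermark only
    print(pep_enforce(tree.decision, obs, {"urn:example:obligation:audit"}))
```

The run shows why 7.1 says a Permit is valid only when every obligation is understood: the watermark obligation is part of the condition under which the policy author granted access, so a PEP that cannot apply it must treat the answer as Deny rather than grant unconditionally.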
7.12 Unsupported functionality

If the PDP attempts to evaluate a policy set or policy that contains an optional element type or feature that the PDP does not support, then the PDP SHALL return a <Decision> value of "Indeterminate". If a <StatusCode> element is also returned, then its value SHALL be "urn:oasis:names:tc:xacml:1.0:status:syntax-error" in the case of an unsupported element type, and "urn:oasis:names:tc:xacml:1.0:status:processing-error" in the case of an unsupported feature.

7.13 Syntax and type errors

If a policy that contains invalid syntax is evaluated by the XACML PDP at the time a decision request is received, then the result of that policy SHALL be "Indeterminate" with a StatusCode value of "urn:oasis:names:tc:xacml:1.0:status:syntax-error".

If a policy that contains invalid static data-types is evaluated by the XACML PDP at the time a decision request is received, then the result of that policy SHALL be "Indeterminate" with a StatusCode value of "urn:oasis:names:tc:xacml:1.0:status:processing-error".
8 XACML extensibility points (non-normative)

This section describes the points within the XACML model and schema where extensions can be added.

8.1 Extensible XML attribute types

The following XML attributes have values that are URIs. These may be extended by the creation of new URIs associated with new semantics for these attributes.

AttributeId
AttributeValue
DataType
FunctionId
MatchId
ObligationId
PolicyCombiningAlgId
RuleCombiningAlgId
StatusCode
SubjectCategory

See Section 5 for definitions of these attribute types.
8.2 Structured attributes

An XACML <AttributeValue> element MAY contain an instance of a structured XML data-type. Section A.3 describes a number of standard techniques to identify data items within such a structured attribute. Listed here are some additional techniques that require XACML extensions.

1. For a given structured data-type, a community of XACML users MAY define new attribute identifiers for each leaf sub-element of the structured data-type that has a type conformant with one of the XACML-defined primitive data-types. Using these new attribute identifiers, the PEPs or context handlers used by that community of users can flatten instances of the structured data-type into a sequence of individual <Attribute> elements. Each such <Attribute> element can be compared using the XACML-defined functions. Using this method, the structured data-type itself never appears in an <AttributeValue> element.

2. A community of XACML users MAY define a new function that can be used to compare a value of the structured data-type against some other value. This method may only be used by PDPs that support the new function.
9 Security and privacy considerations (non-normative)

This section identifies possible security and privacy compromise scenarios that should be considered when implementing an XACML-based system. The section is informative only. It is left to the implementer to decide whether these compromise scenarios are practical in their environment and to select appropriate safeguards.

9.1 Threat model

We assume here that the adversary has access to the communication channel between the XACML actors and is able to interpret, insert, delete and modify messages or parts of messages.

Additionally, an actor may use information from a former transaction maliciously in subsequent transactions. It is further assumed that rules and policies are only as reliable as the actors that create and use them. Thus, it is incumbent on each actor to establish appropriate trust in the other actors upon which it relies. Mechanisms for trust establishment are outside the scope of this specification.

The messages that are transmitted between the actors in the XACML model are susceptible to attack by malicious third parties. Other points of vulnerability include the PEP, the PDP and the PAP. While some of these entities are not strictly within the scope of this specification, their compromise could lead to the compromise of access control enforced by the PEP.

It should be noted that there are other components of a distributed system that may be compromised, such as an operating system and the domain-name system (DNS), that are outside the scope of this discussion of threat models. Compromise in these components may also lead to a policy violation.
The following sections detail specific compromise scenarios that may be relevant to an XACML system.

9.1.1 Unauthorized disclosure

XACML does not specify any inherent mechanisms for confidentiality of the messages exchanged between actors. Therefore, an adversary could observe the messages in transit. Under certain security policies, disclosure of this information is a violation. Disclosure of attributes, or of the types of decision requests that a subject submits, may be a breach of privacy policy. In the commercial sector, the consequences of unauthorized disclosure of personal data may range from embarrassment to the custodian to imprisonment and large fines in the case of medical or financial data.

Unauthorized disclosure is addressed by confidentiality mechanisms.

9.1.2 Message replay

A message replay attack is one in which the adversary records and replays legitimate messages between XACML actors. This attack may lead to denial of service, the use of out-of-date information, or impersonation.

Prevention of replay attacks requires the use of message freshness mechanisms.

Note that encryption of the message does not mitigate a replay attack, since the message is just replayed and does not have to be understood by the adversary.

9.1.3 Message insertion

A message insertion attack is one in which the adversary inserts messages in the sequence of messages between XACML actors.

The solution to a message insertion attack is to use mutual authentication and a message sequence integrity mechanism between the actors. It should be noted that just using SSL mutual authentication is not sufficient. This only proves that the other party is the one identified by the subject of the X.509 certificate. In order to be effective, it is necessary to confirm that the certificate subject is authorized to send the message.

9.1.4 Message deletion

A message deletion attack is one in which the adversary deletes messages in the sequence of messages between XACML actors. Message deletion may lead to denial of service. However, a properly designed XACML system should not render an incorrect authorization decision as a result of a message deletion attack.

The solution to a message deletion attack is to use a message integrity mechanism between the actors.

9.1.5 Message modification

If an adversary can intercept a message and change its contents, then they may be able to alter an authorization decision. Message integrity mechanisms can prevent a successful message modification attack.
9.1.6 NotApplicable results

A result of "NotApplicable" means that the PDP did not have a policy whose target matched the information in the decision request. In general, we highly recommend using a default-deny policy, so that when a PDP would have returned "NotApplicable", a result of "Deny" is returned instead.

In some security models, however, such as is common in many Web Servers, a result of "NotApplicable" is treated as equivalent to "Permit". There are particular security considerations that must be taken into account for this to be safe. These are explained in the following paragraphs.

If "NotApplicable" is to be treated as "Permit", it is vital that the matching algorithms used by the policy to match elements in the decision request are closely aligned with the data syntax used by the applications that will be submitting the decision request. A failure to match will be treated as "Permit", so an unintended failure to match may allow unintended access.

A common example of this is a Web Server. Commercial HTTP responders allow a variety of syntaxes to be treated equivalently. The "%" can be used to represent characters by hex value. The URL path provides multiple ways of specifying the same value. Multiple character sets may be permitted and, in some cases, the same printed character can be represented by different binary values. Unless the matching algorithm used by the policy is sophisticated enough to catch these variations, unintended access may be permitted.

It is safe to treat "NotApplicable" as "Permit" only in a closed environment, where all applications that formulate a decision request can be guaranteed to use the exact syntax expected by the policies used by the PDP. In a more open environment, where decision requests may be received from applications that may use any legal syntax, it is strongly recommended that "NotApplicable" NOT be treated as "Permit", unless matching rules have been very carefully designed to match all possible applicable inputs, regardless of syntax or type variations.
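The following Python program is an added example, not code from this specification, that makes the Web Server scenario of Section 9.1.6 concrete. It holds a single constructed Deny policy whose target is the path /admin, probes it with a set of constructed alternative spellings of the same path (percent escapes, double decoding, dot segments, doubled slashes, letter case), and compares a naive literal match with a match performed after canonicalization, under both the NotApplicable-as-Permit model and the default-deny model the section recommends. Lower-casing assumes the backing server compares paths case-insensitively; if it does not, the effect is over-denial, which is the safe direction.

```python
"""Syntax variation vs. NotApplicable-as-Permit (Section 9.1.6).

Added example, not code from the specification.  The single Deny policy on
/admin and the probe paths are constructed.
"""
import posixpath
from urllib.parse import unquote

PROTECTED = "/admin"      # the only target the constructed policy names


def target_matches(path: str) -> bool:
    """Naive <ResourceMatch>: a literal prefix test on whatever string the
    PEP put in resource-id."""
    return path == PROTECTED or path.startswith(PROTECTED + "/")


def canonicalize(path: str) -> str:
    """Fold the variants 9.1.6 lists into one spelling before matching:
    %XX escapes (decoded until stable, since servers may decode more than
    once), '.'/'..' segments, doubled slashes and ASCII case (assumption:
    the backing server is case-insensitive; otherwise this over-denies)."""
    previous = None
    while previous != path:
        previous, path = path, unquote(path)
    path = posixpath.normpath("/" + path.lstrip("/"))
    return path.lower()


def decide(path: str, canonical: bool, not_applicable_means: str) -> str:
    """PDP with one Deny policy; the PEP maps NotApplicable to
    `not_applicable_means` ("Permit" for the web-server model, "Deny" for
    the default-deny model the section recommends)."""
    subject_path = canonicalize(path) if canonical else path
    if target_matches(subject_path):
        return "Deny"
    return not_applicable_means


# Constructed probes: the first is the plain spelling, the next five are the
# same resource under alternative syntaxes, and the last is genuinely public.
PROBES = [
    "/admin/secret",
    "/ADMIN/secret",
    "/%61dmin/secret",
    "/docs/../admin/secret",
    "/%252e%252e/admin/secret",
    "//admin/secret",
    "/public/index.html",
]


def audit(not_applicable_means: str = "Permit") -> dict:
    """Outcome per probe as (naive, canonicalized)."""
    return {p: (decide(p, False, not_applicable_means),
                decide(p, True, not_applicable_means)) for p in PROBES}


if __name__ == "__main__":
    for probe, (naive, canon) in audit().items():
        print("%-28s naive=%-6s canonical=%s" % (probe, naive, canon))
```

Under NotApplicable-as-Permit, five of the six spellings of the protected resource slip past the naive matcher; under default-deny, all of them are refused even without canonicalization, which is the practical content of the section's recommendation. Canonicalization narrows the gap but only for the variants the canonicalizer knows about, which is why the section insists that the matching rules cover "all possible applicable inputs" before the permissive model is used.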
9.1.7 Negative rules
A negative rule is one that is based on a predicate not being True. If not used with care, negative rules can lead to policy violation; therefore, some authorities recommend that they not be used. However, negative rules can be extremely efficient in certain cases, so XACML has chosen to include them. Nevertheless, it is recommended that they be used with care and avoided if possible.
A common use for negative rules is to deny access to an individual or subgroup when their membership in a larger group would otherwise permit them access. For example, we might want to write a rule that allows all Vice Presidents to see the unpublished financial data, except for Joe, who is only a Ceremonial Vice President and can be indiscreet in his communications. If we have complete control of the administration of subject attributes, a superior approach would be to define "Vice President" and "Ceremonial Vice President" as distinct groups and then define rules accordingly. However, in some environments this approach may not be feasible. (It is worth noting in passing that, generally speaking, referring to individuals in rules does not scale well. Generally, shared attributes are preferred.)
If not used with care, negative rules can lead to policy violation in two common cases: when attributes are suppressed and when the base group changes. An example of suppressed attributes would be if we have a policy that access should be permitted unless the subject is a credit risk. If it is possible that the attribute of being a credit risk may be unknown to the PDP for some reason, then unauthorized access may be permitted. In some environments, the subject may be able to suppress the publication of attributes by the application of privacy controls, or the server or repository that contains the information may be unavailable for accidental or intentional reasons.
An example of a changing base group would be if there is a policy that everyone in the engineering department may change software source code, except for secretaries. Suppose now that the department was to merge with another engineering department, and the intent is to maintain the same policy. However, the new department also includes individuals identified as administrative assistants, who ought to be treated in the same way as secretaries. Unless the policy is altered, they will unintentionally be permitted to change software source code. Problems of this type are easy to avoid when one individual administers all policies, but when administration is distributed, as XACML allows, this type of situation must be explicitly guarded against.
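As an added example (not part of this specification), the Python below evaluates the "permit unless the subject is a credit risk" rule from the suppressed-attribute case above in two ways when the credit-risk attribute is absent: a lax evaluator that reads a missing attribute as "not a credit risk", and one that follows the one-and-only semantics, so the rule becomes Indeterminate; the attribute name, the subject bags and the evaluator names are constructed:

```python
# Added example, not part of the XACML specification: the "permit unless the
# subject is a credit risk" negative rule evaluated with and without the
# attribute present. Subject attribute bags below are constructed.
PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

# Constructed subjects: known good, known risk, and one whose credit-risk
# attribute was suppressed (privacy controls) or could not be fetched.
GOOD_SUBJECT = {"credit-risk": [False]}
RISKY_SUBJECT = {"credit-risk": [True]}
UNKNOWN_SUBJECT = {}


class MissingAttribute(Exception):
    """Raised where XACML's boolean-one-and-only would report an error."""


def boolean_one_and_only(bag: list) -> bool:
    """Mirror of boolean-one-and-only: exactly one value, or an error."""
    if len(bag) != 1:
        raise MissingAttribute(f"bag has {len(bag)} values, expected 1")
    return bag[0]


def not_credit_risk(subject: dict) -> bool:
    """Condition: not(boolean-equal(boolean-one-and-only(credit-risk), true))."""
    return not boolean_one_and_only(subject.get("credit-risk", []))


def evaluate_naive(subject: dict) -> str:
    """Lax evaluator: an empty bag is silently read as 'not a credit risk',
    so a suppressed attribute turns into a Permit."""
    bag = subject.get("credit-risk", [])
    is_risk = bool(bag) and bag[0]
    return NOT_APPLICABLE if is_risk else PERMIT


def evaluate_strict(subject: dict) -> str:
    """Spec-style evaluator: an error in the condition makes the rule
    Indeterminate; a false condition makes it NotApplicable."""
    try:
        return PERMIT if not_credit_risk(subject) else NOT_APPLICABLE
    except MissingAttribute:
        return INDETERMINATE


def enforce(decision: str) -> str:
    """PEP: only an explicit Permit grants access; NotApplicable and
    Indeterminate are both refused."""
    return PERMIT if decision == PERMIT else DENY


if __name__ == "__main__":
    for name, subject in [("good", GOOD_SUBJECT), ("risky", RISKY_SUBJECT),
                          ("unknown", UNKNOWN_SUBJECT)]:
        strict = evaluate_strict(subject)
        print(f"{name:8} naive={evaluate_naive(subject):14} "
              f"strict={strict:14} enforced={enforce(strict)}")
```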
9.2 Safeguards
9.2.1 Authentication
Authentication provides the means for one party in a transaction to determine the identity of the other party in the transaction. Authentication may be in one direction, or it may be bilateral.
Given the sensitive nature of access control systems, it is important for a PEP to authenticate the identity of the PDP to which it sends decision requests. Otherwise, there is a risk that an adversary could provide false or invalid authorization decisions, leading to a policy violation.
It is equally important for a PDP to authenticate the identity of the PEP and assess the level of trust, to determine what, if any, sensitive data should be passed. One should keep in mind that even simple Permit or Deny responses could be exploited if an adversary were allowed to make unlimited requests to a PDP.
Many different techniques may be used to provide authentication, such as co-located code, a private network, a VPN, or digital signatures. Authentication may also be performed as part of the communication protocol used to exchange the contexts. In this case, authentication may be performed at the message level or at the session level.
9.2.2 Policy administration
If the contents of policies are exposed outside of the access control system, potential subjects may use this information to determine how to gain unauthorized access.
To prevent this threat, the repository used for the storage of policies may itself require access control. In addition, the <Status> element should be used to return values of missing attributes only when exposure of the identities of those attributes will not compromise security.
9.2.3 Confidentiality
Confidentiality mechanisms ensure that the contents of a message can be read only by the desired recipients, and not by anyone else who encounters the message while it is in transit. There are two areas in which confidentiality should be considered: one is confidentiality during transmission; the other is confidentiality within a <Policy> element.
9.2.3.1 Communication confidentiality
In some environments, it is deemed good practice to treat all data within an access control system as confidential. In other environments, policies may be made freely available for distribution, inspection, and audit. The idea behind keeping policy information secret is to make it more difficult for an adversary to know what steps might be sufficient to obtain unauthorized access. Regardless of the approach chosen, the security of the access control system should not depend on the secrecy of the policy.
Any security concerns or requirements related to transmitting or exchanging XACML <Policy> elements are outside the scope of the XACML standard. While it is often important to ensure that the integrity and confidentiality of <Policy> elements is maintained when they are exchanged between two parties, it is left to the implementers to determine the appropriate mechanisms for their environment.
Communications confidentiality can be provided by a confidentiality mechanism, such as SSL. Using a point-to-point scheme like SSL may lead to other vulnerabilities when one of the end-points is compromised.
9.2.3.2 Statement level confidentiality
In some cases, an implementation may want to encrypt only parts of an XACML <Policy> element.
The XML Encryption Syntax and Processing Candidate Recommendation from W3C can be used to encrypt all or parts of an XML document. This specification is recommended for use with XACML.
It should go without saying that if a repository is used to facilitate the communication of cleartext (i.e., unencrypted) policy between the PAP and PDP, then a secure repository should be used to store this sensitive data.
9.2.4 Policy integrity
The XACML policy used by the PDP to evaluate the request context is the heart of the system. Therefore, maintaining its integrity is essential. There are two aspects to maintaining the integrity of the policy. One is to ensure that <Policy> elements have not been altered since they were originally created by the PAP. The other is to ensure that <Policy> elements have not been inserted into or deleted from the set of policies.
In many cases, both aspects can be achieved by ensuring the integrity of the actors and implementing session-level mechanisms to secure the communication between actors. The selection of the appropriate mechanisms is left to the implementers. However, when policy is distributed between organizations to be acted on at a later time, or when the policy travels with the protected resource, it would be useful to sign the policy. In these cases, the XML Signature Syntax and Processing standard from W3C is recommended to be used with XACML.
Digital signatures should only be used to ensure the integrity of the statements. Digital signatures should not be used as a method of selecting or evaluating policy. That is, the PDP should not request a policy based on who signed it or whether or not it has been signed (as such a basis for selection would itself be a matter of policy). However, the PDP must verify that the key used to sign the policy is one controlled by the purported issuer of the policy. The means to do this are dependent on the specific signature technology chosen and are outside the scope of this document.
9.2.5 Policy identifiers
Since policies can be referenced by their identifiers, it is the responsibility of the PAP to ensure that these are unique. Confusion between identifiers could lead to misidentification of the applicable policy. This specification is silent on whether a PAP must generate a new identifier when a policy is modified, or may use the same identifier in the modified policy. This is a matter of administrative practice. However, care must be taken in either case. If the identifier is reused, there is a danger that other policies or policy sets that reference it may be adversely affected. Conversely, if a new identifier is used, these other policies may continue to use the prior policy unless it is deleted. In either case, the results may not be what the policy administrator intends.
9.2.6 Trust model
Discussions of authentication, integrity, and confidentiality mechanisms necessarily assume an underlying trust model: how can one actor come to believe that a given key is uniquely associated with a specific, identified actor, so that the key can be used to encrypt data for that actor or verify signatures (or other integrity structures) from that actor? Many different types of trust model exist, including strict hierarchies, distributed authorities, the Web, the bridge, and so on.
It is worth considering the relationships between the various actors of the access control system in terms of the interdependencies that do and do not exist.
None of the entities of the authorization system are dependent on the PEP. They may collect data from it, for example authentication, but are responsible for verifying it.
The correct operation of the system depends on the ability of the PEP to actually enforce policy decisions.
The PEP depends on the PDP to correctly evaluate policies. This, in turn, implies that the PDP is supplied with the correct inputs. Other than that, the PDP does not depend on the PEP.
The PDP depends on the PAP to supply appropriate policies. The PAP is not dependent on other components.
9.2.7 Privacy
It is important to be aware that any transactions that occur with respect to access control may reveal private information about the actors. For example, if an XACML policy states that certain data may only be read by subjects with "Gold Card Member" status, then any transaction in which a subject is permitted access to that data leaks information to an adversary about the subject's status. Privacy considerations may therefore lead to encryption and/or to access control policies surrounding the enforcement of XACML policy instances themselves: confidentiality-protected channels for the request/response protocol messages, protection of subject attributes in storage and in transit, and so on.
Selection and use of privacy mechanisms appropriate to a given environment are outside the scope of XACML. The decision regarding whether, how, and when to deploy such mechanisms is left to the implementers associated with the environment.
10 Conformance (normative)
10.1 Introduction
The XACML specification addresses the following aspect of conformance:
The XACML specification defines a number of functions, etc., that have somewhat specialist application; therefore, they are not required to be implemented in an implementation that claims to conform with the OASIS standard.
10.2 Conformance tables
This section lists those portions of the specification that MUST be included in an implementation of a PDP that claims to conform with XACML v1.0. A set of test cases has been created to assist in this process. These test cases are hosted by Sun Microsystems and can be located from the XACML Web page. The site hosting the test cases contains a full description of the test cases and how to execute them.
Note: M means mandatory-to-implement; O means optional.
10.2.1 Schema elements
The implementation MUST support those schema elements that are marked "M".
Element name  M/O
xacml-context:Action  M
xacml-context:Attribute  M
xacml-context:AttributeValue  M
xacml-context:Decision  M
xacml-context:Environment  M
xacml-context:Obligations  O
xacml-context:Request  M
xacml-context:Resource  M
xacml-context:ResourceContent  O
xacml-context:Response  M
xacml-context:Result  M
xacml-context:Status  M
xacml-context:StatusCode  M
xacml-context:StatusDetail  O
xacml-context:StatusMessage  O
xacml-context:Subject  M
xacml:Action  M
xacml:ActionAttributeDesignator  M
xacml:ActionMatch  M
xacml:Actions  M
xacml:AnyAction  M
xacml:AnyResource  M
xacml:AnySubject  M
xacml:Apply  M
xacml:AttributeAssignment  O
xacml:AttributeSelector  O
xacml:AttributeValue  M
xacml:Condition  M
xacml:Description  M
xacml:EnvironmentAttributeDesignator  M
xacml:Function  M
xacml:Obligation  O
xacml:Obligations  O
xacml:Policy  M
xacml:PolicyDefaults  O
xacml:PolicyIdReference  M
xacml:PolicySet  M
xacml:PolicySetDefaults  O
xacml:PolicySetIdReference  M
xacml:Resource  M
xacml:ResourceAttributeDesignator  M
xacml:ResourceMatch  M
xacml:Resources  M
xacml:Rule  M
xacml:Subject  M
xacml:SubjectMatch  M
xacml:Subjects  M
xacml:Target  M
xacml:XPathVersion  O
10.2.2 Identifier Prefixes
The following identifier prefixes are reserved by XACML:
Identifier
urn:oasis:names:tc:xacml:1.0
urn:oasis:names:tc:xacml:1.0:conformance-test
urn:oasis:names:tc:xacml:1.0:context
urn:oasis:names:tc:xacml:1.0:example
urn:oasis:names:tc:xacml:1.0:function
urn:oasis:names:tc:xacml:1.0:policy
urn:oasis:names:tc:xacml:1.0:subject
urn:oasis:names:tc:xacml:1.0:resource
urn:oasis:names:tc:xacml:1.0:action
10.2.3 Algorithms
The implementation MUST include the rule- and policy-combining algorithms associated with the following identifiers that are marked M:
Algorithm  M/O
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides  M
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides  M
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides  M
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides  M
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable  M
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable  M
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable  M
urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-deny-overrides
urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-deny-overrides
urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides
urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides
10.2.4 Status Codes
Implementation support for the urn:oasis:names:tc:xacml:1.0:context:status element is optional, but if the element is supported, then the following status codes must be supported and must be used in the way XACML has specified:
Identifier  M/O
urn:oasis:names:tc:xacml:1.0:status:missing-attribute  M
urn:oasis:names:tc:xacml:1.0:status:ok  M
urn:oasis:names:tc:xacml:1.0:status:processing-error  M
urn:oasis:names:tc:xacml:1.0:status:syntax-error  M
10.2.5 Attributes
The implementation MUST support the attributes associated with the following attribute identifiers as specified by XACML. If values for these attributes are not present in the decision request, then their values MUST be supplied by the PDP. So, unlike most other attributes, their semantics are not transparent to the PDP.
Identifier  M/O
urn:oasis:names:tc:xacml:1.0:environment:current-time  M
urn:oasis:names:tc:xacml:1.0:environment:current-date  M
urn:oasis:names:tc:xacml:1.0:environment:current-dateTime  M
10.2.6 Identifiers
The implementation MUST use the attributes associated with the following identifiers in the way XACML has defined. This requirement pertains primarily to implementations of a PAP or PEP that use XACML, since the semantics of the attributes are transparent to the PDP.
Identifier  M/O
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name  O
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address  O
urn:oasis:names:tc:xacml:1.0:subject:authentication-method  O
urn:oasis:names:tc:xacml:1.0:subject:authentication-time  O
urn:oasis:names:tc:xacml:1.0:subject:key-info  O
urn:oasis:names:tc:xacml:1.0:subject:request-time  O
urn:oasis:names:tc:xacml:1.0:subject:session-start-time  O
urn:oasis:names:tc:xacml:1.0:subject:subject-id  O
urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier  O
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject  M
urn:oasis:names:tc:xacml:1.0:subject-category:codebase  O
urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject  O
urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject  O
urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine  O
urn:oasis:names:tc:xacml:1.0:resource:resource-location  O
urn:oasis:names:tc:xacml:1.0:resource:resource-id  M
urn:oasis:names:tc:xacml:1.0:resource:scope  O
urn:oasis:names:tc:xacml:1.0:resource:simple-file-name  O
urn:oasis:names:tc:xacml:1.0:action:action-id  M
urn:oasis:names:tc:xacml:1.0:action:implied-action  M
10.2.7 Data-types
The implementation MUST support the data-types associated with the following identifiers marked M:
Data-type  M/O
http://www.w3.org/2001/XMLSchema#string  M
http://www.w3.org/2001/XMLSchema#boolean  M
http://www.w3.org/2001/XMLSchema#integer  M
http://www.w3.org/2001/XMLSchema#double  M
http://www.w3.org/2001/XMLSchema#time  M
http://www.w3.org/2001/XMLSchema#date  M
http://www.w3.org/2001/XMLSchema#dateTime  M
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration  M
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration  M
http://www.w3.org/2001/XMLSchema#anyURI  M
http://www.w3.org/2001/XMLSchema#hexBinary  M
http://www.w3.org/2001/XMLSchema#base64Binary  M
urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name  M
urn:oasis:names:tc:xacml:1.0:data-type:x500Name  M
10.2.8 Functions
The implementation MUST properly process those functions associated with the identifiers marked with an M:
Function  M/O
urn:oasis:names:tc:xacml:1.0:function:string-equal  M
urn:oasis:names:tc:xacml:1.0:function:boolean-equal  M
urn:oasis:names:tc:xacml:1.0:function:integer-equal  M
urn:oasis:names:tc:xacml:1.0:function:double-equal  M
urn:oasis:names:tc:xacml:1.0:function:date-equal  M
urn:oasis:names:tc:xacml:1.0:function:time-equal  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-equal  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-equal  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-equal  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-equal  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-equal  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-equal  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-equal  M
urn:oasis:names:tc:xacml:1.0:function:integer-add  M
urn:oasis:names:tc:xacml:1.0:function:double-add  M
urn:oasis:names:tc:xacml:1.0:function:integer-subtract  M
urn:oasis:names:tc:xacml:1.0:function:double-subtract  M
urn:oasis:names:tc:xacml:1.0:function:integer-multiply  M
urn:oasis:names:tc:xacml:1.0:function:double-multiply  M
urn:oasis:names:tc:xacml:1.0:function:integer-divide  M
urn:oasis:names:tc:xacml:1.0:function:double-divide  M
urn:oasis:names:tc:xacml:1.0:function:integer-mod  M
urn:oasis:names:tc:xacml:1.0:function:integer-abs  M
urn:oasis:names:tc:xacml:1.0:function:double-abs  M
urn:oasis:names:tc:xacml:1.0:function:round  M
urn:oasis:names:tc:xacml:1.0:function:floor  M
urn:oasis:names:tc:xacml:1.0:function:string-normalize-space  M
urn:oasis:names:tc:xacml:1.0:function:string-normalize-to-lower-case  M
urn:oasis:names:tc:xacml:1.0:function:double-to-integer  M
urn:oasis:names:tc:xacml:1.0:function:integer-to-double  M
urn:oasis:names:tc:xacml:1.0:function:or  M
urn:oasis:names:tc:xacml:1.0:function:and  M
urn:oasis:names:tc:xacml:1.0:function:n-of  M
urn:oasis:names:tc:xacml:1.0:function:not  M
urn:oasis:names:tc:xacml:1.0:function:present  M
urn:oasis:names:tc:xacml:1.0:function:integer-greater-than  M
urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:integer-less-than  M
urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:double-greater-than  M
urn:oasis:names:tc:xacml:1.0:function:double-greater-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:double-less-than  M
urn:oasis:names:tc:xacml:1.0:function:double-less-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-add-dayTimeDuration  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-add-yearMonthDuration  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-subtract-dayTimeDuration  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-subtract-yearMonthDuration  M
urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration  M
urn:oasis:names:tc:xacml:1.0:function:date-subtract-yearMonthDuration  M
urn:oasis:names:tc:xacml:1.0:function:string-greater-than  M
urn:oasis:names:tc:xacml:1.0:function:string-greater-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:string-less-than  M
urn:oasis:names:tc:xacml:1.0:function:string-less-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:time-greater-than  M
urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:time-less-than  M
urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:date-greater-than  M
urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:date-less-than  M
urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:string-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:string-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:string-is-in  M
urn:oasis:names:tc:xacml:1.0:function:string-bag  M
urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:boolean-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:boolean-is-in  M
urn:oasis:names:tc:xacml:1.0:function:boolean-bag  M
urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:integer-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:integer-is-in  M
urn:oasis:names:tc:xacml:1.0:function:integer-bag  M
urn:oasis:names:tc:xacml:1.0:function:double-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:double-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:double-is-in  M
urn:oasis:names:tc:xacml:1.0:function:double-bag  M
urn:oasis:names:tc:xacml:1.0:function:time-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:time-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:time-is-in  M
urn:oasis:names:tc:xacml:1.0:function:time-bag  M
urn:oasis:names:tc:xacml:1.0:function:date-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:date-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:date-is-in  M
urn:oasis:names:tc:xacml:1.0:function:date-bag  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-is-in  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-bag  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-bag  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-is-in  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-bag  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-is-in  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-bag  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-is-in  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-bag  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-is-in  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-bag  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-is-in  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-bag  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-is-in  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-bag  M
urn:oasis:names:tc:xacml:1.0:function:any-of  M
urn:oasis:names:tc:xacml:1.0:function:all-of  M
urn:oasis:names:tc:xacml:1.0:function:any-of-any  M
urn:oasis:names:tc:xacml:1.0:function:all-of-any  M
urn:oasis:names:tc:xacml:1.0:function:any-of-all  M
urn:oasis:names:tc:xacml:1.0:function:all-of-all  M
urn:oasis:names:tc:xacml:1.0:function:map  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-match  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match  M
urn:oasis:names:tc:xacml:1.0:function:regexp-string-match  M
urn:oasis:names:tc:xacml:1.0:function:xpath-node-count  O
urn:oasis:names:tc:xacml:1.0:function:xpath-node-equal  O
urn:oasis:names:tc:xacml:1.0:function:xpath-node-match  O
urn:oasis:names:tc:xacml:1.0:function:string-intersection  M
urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:string-union  M
urn:oasis:names:tc:xacml:1.0:function:string-subset  M
urn:oasis:names:tc:xacml:1.0:function:string-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:boolean-intersection  M
urn:oasis:names:tc:xacml:1.0:function:boolean-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:boolean-union  M
urn:oasis:names:tc:xacml:1.0:function:boolean-subset  M
urn:oasis:names:tc:xacml:1.0:function:boolean-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:integer-intersection  M
urn:oasis:names:tc:xacml:1.0:function:integer-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:integer-union  M
urn:oasis:names:tc:xacml:1.0:function:integer-subset  M
urn:oasis:names:tc:xacml:1.0:function:integer-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:double-intersection  M
urn:oasis:names:tc:xacml:1.0:function:double-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:double-union  M
urn:oasis:names:tc:xacml:1.0:function:double-subset  M
urn:oasis:names:tc:xacml:1.0:function:double-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:time-intersection  M
urn:oasis:names:tc:xacml:1.0:function:time-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:time-union  M
urn:oasis:names:tc:xacml:1.0:function:time-subset  M
urn:oasis:names:tc:xacml:1.0:function:time-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:date-intersection  M
urn:oasis:names:tc:xacml:1.0:function:date-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:date-union  M
urn:oasis:names:tc:xacml:1.0:function:date-subset  M
urn:oasis:names:tc:xacml:1.0:function:date-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-intersection  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-union  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-subset  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-intersection  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-union  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-subset  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-intersection  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-union  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-subset  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-intersection  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-union  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-subset  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-intersection  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-union  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-subset  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-intersection  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-union  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-subset  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-intersection  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-union  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-subset  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-intersection  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-union  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-subset  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-set-equals  M
11 References
[DS] D. Eastlake et al., XML-Signature Syntax and Processing, http://www.w3.org/TR/xmldsig-core/, World Wide Web Consortium.
[Hancock] Hancock, Polymorphic Type Checking, in Simon L. Peyton Jones, Implementation of Functional Programming Languages, Section 8, Prentice-Hall International, 1987.
[Haskell] Haskell, a purely functional language. Available at http://www.haskell.org/
[Hinton94] Hinton, H. M., Lee, E. S., The Compatibility of Policies, Proceedings 2nd ACM Conference on Computer and Communications Security, Nov. 1994, Fairfax, Virginia, USA.
[IEEE754] IEEE Standard for Binary Floating-Point Arithmetic, 1985, ISBN 1-5593-7653-8, IEEE Product No. SH10116-TBR.
[Kudo00] Kudo, M. and Hada, S., XML document security based on provisional authorization, Proceedings of the Seventh ACM Conference on Computer and Communications Security, Nov. 2000, Athens, Greece, pp. 87-96.
[LDAP-1] RFC 2256, A summary of the X.500(96) User Schema for use with LDAPv3, Section 5, M. Wahl, December 1997, http://www.ietf.org/rfc/rfc2256.txt
[LDAP-2] RFC 2798, Definition of the inetOrgPerson, M. Smith, April 2000, http://www.ietf.org/rfc/rfc2798.txt
[MathML] Mathematical Markup Language (MathML) Version 2.0, W3C Recommendation, 21 February 2001. Available at http://www.w3.org/TR/MathML2/
[Perritt93] Perritt, H., Knowbots, Permissions Headers and Contract Law, Conference on Technological Strategies for Protecting Intellectual Property in the Networked Multimedia Environment, April 1993. Available at http://www.ifla.org/documents/infopol/copyright/perh2.txt
[RBAC] Role-Based Access Controls, David Ferraiolo and Richard Kuhn, 15th National Computer Security Conference, 1992. Available at http://csrc.nist.gov/rbac/
[RegEx] XML Schema Part 0: Primer, W3C Recommendation, 2 May 2001, Appendix D. Available at http://www.w3.org/TR/xmlschema-0/
[RFC2119] S. Bradner, Key words for use in RFCs to Indicate Requirement Levels, http://www.ietf.org/rfc/rfc2119.txt, IETF RFC 2119, March 1997.
[SAML] Security Assertion Markup Language, available from http://www.oasis-open.org/committees/security/#documents
[Sloman94] Sloman, M., Policy Driven Management for Distributed Systems, Journal of Network and Systems Management, Volume 2, part 4, Plenum Press, 1994.
[XF] XQuery 1.0 and XPath 2.0 Functions and Operators, W3C Working Draft, 16 August 2002. Available at http://www.w3.org/TR/2002/WD-xquery-operators-20020816/
[XS] XML Schema, parts 1 and 2. Available at http://www.w3.org/TR/xmlschema-1/ and http://www.w3.org/TR/xmlschema-2/
[XPath] XML Path Language (XPath), Version 1.0, W3C Recommendation, 16 November 1999. Available at http://www.w3.org/TR/xpath
[XSLT] XSL Transformations (XSLT) Version 1.0, W3C Recommendation, 16 November 1999. Available at http://www.w3.org/TR/xslt
Appendix A. Standard data-types, functions and their semantics (normative)
A.1 Introduction
This section contains a specification of the data-types and functions used in XACML to create predicates for a rule's condition and target matches.
This specification combines the various standards set forth by IEEE and ANSI for string representation of numeric values, as well as the evaluation of arithmetic functions.
This section describes the primitive data-types, bags, and construction of expressions using XACML constructs. Finally, each standard function is named and its operational semantics are described.
A.2 Primitive types
Although XML instances represent all data-types as strings, an XACML PDP must reason about types of data that, while they have string representations, are not just strings. Types such as boolean, integer and double MUST be converted from their XML string representations to values that can be compared with values in their domain of discourse, such as numbers. The following primitive data-types are specified for use with XACML and have explicit data representations:
http://www.w3.org/2001/XMLSchema#string
http://www.w3.org/2001/XMLSchema#boolean
http://www.w3.org/2001/XMLSchema#integer
http://www.w3.org/2001/XMLSchema#double
http://www.w3.org/2001/XMLSchema#time
http://www.w3.org/2001/XMLSchema#date
http://www.w3.org/2001/XMLSchema#dateTime
http://www.w3.org/2001/XMLSchema#anyURI
http://www.w3.org/2001/XMLSchema#hexBinary
http://www.w3.org/2001/XMLSchema#base64Binary
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration
urn:oasis:names:tc:xacml:1.0:data-type:x500Name
urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name
A.3 Structured types
An XACML <AttributeValue> element MAY contain an instance of a structured XML data-type, for example <ds:KeyInfo>. XACML 1.0 supports several ways for comparing such <AttributeValue> elements.
1. In some cases, such an <AttributeValue> element MAY be compared using one of the XACML string functions, such as "regexp-string-match", described below. This requires that the structured data <AttributeValue> be given the DataType="http://www.w3.org/2001/XMLSchema#string". For example, a structured data-type that is actually a ds:KeyInfo/KeyName would appear in the Context as:
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">&lt;ds:KeyName&gt;jhibbert-key&lt;/ds:KeyName&gt;
</AttributeValue>
In general, this method will not be adequate unless the structured data-type is quite simple.
2. An <AttributeSelector> element MAY be used to select the value of a leaf sub-element of the structured data-type by means of an XPath expression. That value MAY then be compared using one of the supported XACML functions appropriate for its primitive data-type. This method requires support by the PDP for the optional XPath expressions feature.
3. An <AttributeSelector> element MAY be used to select the value of any node in the structured data-type by means of an XPath expression. This node MAY then be compared using one of the XPath-based functions described in Section A.14.13. This method requires support by the PDP for the optional XPath expressions and XPath functions features.
A4 RepresentationsAn XACML PDP SHALL be capable of converting string representations into various primitive data-types For integers and doubles XACML SHALL use the conversions described in [IEEE754]
This document combines the various standards set forth by IEEE and ANSI for string representation of numeric values
XACML defines two additional data-types these are ldquournoasisnamestcxacml10data-typex500Namerdquo and ldquournoasisnamestcxacml10data-typerfc822Namerdquo These types represent identifiers for subjects and appear in several standard applications such as TLSSSL and electronic mail
The ldquournoasisnamestcxacml10data-typex500Namerdquo primitive type represents an X500 Distinguished Name The string representation of an X500 distinguished name is specified in IETF RFC 2253 Lightweight Directory Access Protocol (v3) UTF-8 String Representation of Distinguished Names1
The ldquournoasisnamestcxacml10data-typerfc822Namerdquo primitive type represents electronic mail addresses and its string representation is specified by RFC 822
1 An earlier RFC RFC 1779 A String Representation of Distinguished Names is less restrictive so urnoasisnamestcxacml10data-typex500Name uses the syntax in RFC 2253 for better interoperability
An RFC822 name consists of a local-part followed by "@" followed by a domain-part. The local-part is case-sensitive, while the domain-part (which is usually a DNS host name) is not case-sensitive [2].

A.5 Bags

XACML defines implicit collections of its primitive types. XACML refers to a collection of values that are of a single primitive type as a bag. Bags of primitive types are needed because selections of nodes from an XML resource or XACML request context may return more than one value.
The <AttributeSelector> element uses an XPath expression to specify the selection of data from an XML resource. The result of an XPath expression is termed a node-set, which contains all the leaf nodes from the XML resource that match the predicate in the XPath expression. Based on the various indexing functions provided in the XPath specification, it SHALL be implied that a resultant node-set is the collection of the matching nodes. XACML also defines the <AttributeDesignator> element to have the same matching methodology for attributes in the XACML request context.
The values in a bag are not ordered, and some of the values may be duplicates. There SHALL be no notion of a bag containing bags, or a bag containing values of differing types; i.e., a bag in XACML SHALL contain only values that are of the same primitive type.

A.6 Expressions

XACML specifies expressions in terms of the following elements, of which the <Apply> and <Condition> elements recursively compose greater expressions. Valid expressions shall be type correct, which means that the types of each of the elements contained within <Apply> and <Condition> elements shall agree with the respective argument types of the function that is named by the FunctionId attribute. The resultant type of the <Apply> or <Condition> element shall be the resultant type of the function, which may be narrowed to a primitive data-type, or a bag of a primitive data-type, by type-unification. XACML defines an evaluation result of "Indeterminate", which is said to be the result of an invalid expression, or an operational error occurring during the evaluation of the expression.
XACML defines the following elements to be legal XACML expressions:
<AttributeValue>
<SubjectAttributeDesignator>
<SubjectAttributeSelector>
<ResourceAttributeDesignator>
<ActionAttributeDesignator>
<EnvironmentAttributeDesignator>
<AttributeSelector>
<Apply>
[2] According to IETF RFC 822 and its successor specifications [RFC2821], case is significant in the local-part. However, many mail systems, as well as the IETF PKIX specification, treat the local-part as case-insensitive. This is considered an error by mail-system designers and is not encouraged.
<Condition>
<Function>

A.7 Element <AttributeValue>

The <AttributeValue> element SHALL represent an explicit value of a primitive type. For example:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">123</AttributeValue>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">123</AttributeValue>
</Apply>

A.8 Elements <AttributeDesignator> and <AttributeSelector>

The <AttributeDesignator> and <AttributeSelector> elements SHALL evaluate to a bag of a specific primitive type. The type SHALL be inferred from the function in which it appears. Each element SHALL contain a URI or XPath expression, respectively, to identify the required attribute values. If an operational error were to occur while finding the values, the value of the element SHALL be set to "Indeterminate". If the required attribute cannot be located, then the value of the element SHALL be set to an empty bag of the inferred primitive type.

A.9 Element <Apply>

XACML function calls are represented by the <Apply> element. The function to be applied is named in the FunctionId attribute of this element. The value of the <Apply> element SHALL be set to either a primitive data-type or a bag of a primitive type, whose data-type SHALL be inferred from the FunctionId. The arguments of a function SHALL be the values of the XACML expressions that are contained as ordered elements in an <Apply> element. The legal number of arguments within an <Apply> element SHALL depend upon the FunctionId.

A.10 Element <Condition>

The <Condition> element MAY appear in the <Rule> element as the premise for emitting the corresponding effect of the rule. The <Condition> element has the same structure as the <Apply> element, with the restriction that its result SHALL be of data-type "http://www.w3.org/2001/XMLSchema#boolean". The evaluation of the <Condition> element SHALL follow the same evaluation semantics as those of the <Apply> element.
A.11 Element <Function>

The <Function> element names a standard XACML function or an extension function in its FunctionId attribute. The <Function> element MAY be used as an argument in functions that take a function as an argument.

A.12 Matching elements

Matching elements appear in the <Target> element of rules, policies and policy sets. They are the following:
<SubjectMatch>
<ResourceMatch>
<ActionMatch>
These elements represent boolean expressions over attributes of the subject, resource and action, respectively. A matching element contains a MatchId attribute that specifies the function to be used in performing the match evaluation, an attribute value, and an <AttributeDesignator> or <AttributeSelector> element that specifies the attribute in the context that is to be matched against the specified value.
The MatchId attribute SHALL specify a function that compares two arguments, returning a result type of "http://www.w3.org/2001/XMLSchema#boolean". The attribute value specified in the matching element SHALL be supplied to the MatchId function as its first argument. An element of the bag returned by the <AttributeDesignator> or <AttributeSelector> element SHALL be supplied to the MatchId function as its second argument. The data-type of the attribute value SHALL match the data-type of the first argument expected by the MatchId function. The data-type of the <AttributeDesignator> or <AttributeSelector> element SHALL match the data-type of the second argument expected by the MatchId function.
The XACML standard functions that meet the requirements for use as a MatchId attribute value are:
urn:oasis:names:tc:xacml:1.0:function:<type>-equal
urn:oasis:names:tc:xacml:1.0:function:<type>-greater-than
urn:oasis:names:tc:xacml:1.0:function:<type>-greater-than-or-equal
urn:oasis:names:tc:xacml:1.0:function:<type>-less-than
urn:oasis:names:tc:xacml:1.0:function:<type>-less-than-or-equal
urn:oasis:names:tc:xacml:1.0:function:<type>-match
In addition, functions that are strictly within an extension to XACML MAY appear as a value for the MatchId attribute, and those functions MAY use data-types that are also extensions, so long as the extension function returns a boolean result and takes an attribute value as its first argument and an <AttributeDesignator> or <AttributeSelector> as its second argument. The function used as the value for the MatchId attribute SHOULD be easily indexable. Use of non-indexable or complex functions may prevent efficient evaluation of decision requests.
The evaluation semantics for a matching element is as follows. If an operational error were to occur while evaluating the <AttributeDesignator> or <AttributeSelector> element, then the result of the entire expression SHALL be "Indeterminate". If the <AttributeDesignator> or <AttributeSelector> element were to evaluate to an empty bag, then the result of the expression SHALL be "False". Otherwise, the MatchId function SHALL be applied between the explicit attribute value and each element of the bag returned from the <AttributeDesignator> or <AttributeSelector> element. If at least one of those function applications were to evaluate to "True", then the result of the entire expression SHALL be "True". Otherwise, if at least one of the function applications results in "Indeterminate", then the result SHALL be "Indeterminate". Finally, only if all function applications evaluate to "False", the result of the entire expression SHALL be "False".
It is possible to express the semantics of a target matching element in a condition. For instance, the target match expression that compares a "subject-name" starting with the name "John" can be expressed as follows:
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
  <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
Alternatively, the same match semantics can be expressed as an <Apply> element in a condition by using the "urn:oasis:names:tc:xacml:1.0:function:any-of" function, as follows:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match"/>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
  <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
This expression of the semantics is NOT normative.
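The matching-element evaluation rules above (an "Indeterminate" designator, an empty bag, and the per-element application of the MatchId function), as an added Python example that is not part of the specification. The function names are the example's own, and the regexp helper assumes search-anywhere semantics, which this appendix does not fix.

```python
# Added example (not from the XACML specification): the Section A.12 rules
# for evaluating a <SubjectMatch>/<ResourceMatch>/<ActionMatch> element.
# The caller supplies the MatchId function, the explicit attribute value and
# the bag produced by the designator; a designator that hit an operational
# error is represented by the INDETERMINATE sentinel in place of a bag.
import re
from typing import Callable, Iterable, Union

INDETERMINATE = "Indeterminate"   # XACML's third evaluation result
Result = Union[bool, str]         # True, False or INDETERMINATE


def evaluate_match(match_fn: Callable[[str, str], Result],
                   attribute_value: str,
                   bag: Union[Iterable[str], str]) -> Result:
    """Indeterminate bag -> Indeterminate; empty bag -> False; any True
    application -> True; else any Indeterminate -> Indeterminate; else False."""
    if bag is INDETERMINATE:
        return INDETERMINATE
    values = list(bag)
    if not values:
        return False                 # attribute absent from the context
    saw_indeterminate = False
    for value in values:
        # the explicit value is the first argument, the bag element the second
        result = match_fn(attribute_value, value)
        if result is True:
            return True              # one match decides the whole element
        if result is INDETERMINATE:
            saw_indeterminate = True
    return INDETERMINATE if saw_indeterminate else False


def regexp_string_match(pattern: str, subject: str) -> Result:
    """regexp-string-match with the pattern as first argument (assumption:
    search anywhere). A pattern that does not compile is an operational
    error, so the single application yields Indeterminate."""
    try:
        return re.search(pattern, subject) is not None
    except re.error:
        return INDETERMINATE


def demo() -> dict:
    """Constructed request contexts for the <SubjectMatch> shown above."""
    return {
        "match": evaluate_match(regexp_string_match, "John",
                                ["John Smith", "Jane Roe"]),
        "no_match": evaluate_match(regexp_string_match, "John", ["Jane Roe"]),
        "missing_attr": evaluate_match(regexp_string_match, "John", []),
        "designator_error": evaluate_match(regexp_string_match, "John",
                                           INDETERMINATE),
        "bad_pattern": evaluate_match(regexp_string_match, "(John",
                                      ["Jane Roe"]),
    }
```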
A.13 Arithmetic evaluation

IEEE 754 [IEEE 754] specifies how to evaluate arithmetic functions in a context, which specifies defaults for precision, rounding, etc. XACML SHALL use this specification for the evaluation of all integer and double functions, relying on the Extended Default Context enhanced with double precision:
flags - all set to 0
trap-enablers - all set to 0 (IEEE 854 §7), with the exception of the "division-by-zero" trap enabler, which SHALL be set to 1
precision - is set to the designated double precision
rounding - is set to round-half-even (IEEE 854 §4.1)
A.14 XACML standard functions

XACML specifies the following functions, which are prefixed with the "urn:oasis:names:tc:xacml:1.0:function:" relative name space identifier.

A.14.1 Equality predicates

The following functions are the equality functions for the various primitive types. Each function for a particular data-type follows a specified standard convention for that data-type. If an argument of one of these functions were to evaluate to "Indeterminate", then the function SHALL be set to "Indeterminate".
string-equal
This function SHALL take two arguments of "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". The function SHALL return "True" if and only if the values of both of its arguments are of equal length and each string is determined to be equal byte-by-byte according to the function "integer-equal".
boolean-equal
This function SHALL take two arguments of "http://www.w3.org/2001/XMLSchema#boolean" and SHALL return "True" if and only if both values are equal.
integer-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#integer" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation on integers according to IEEE 754 [IEEE 754].
double-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#double" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation on doubles according to IEEE 754 [IEEE 754].
date-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#date" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation according to the "op:date-equal" function [XF Section 8.3.11].
time-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#time" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation according to the "op:time-equal" function [XF Section 8.3.14].
dateTime-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#dateTime" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation according to the "op:dateTime-equal" function [XF Section 8.3.8].
dayTimeDuration-equal
This function SHALL take two arguments of data-type "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function shall perform its evaluation according to the "op:dayTimeDuration-equal" function [XF Section 8.3.5]. Note that the lexical representation of each argument MUST be converted to a value expressed in fractional seconds [XF Section 8.2.2].
yearMonthDuration-equal
This function SHALL take two arguments of data-type "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function shall perform its evaluation according to the "op:yearMonthDuration-equal" function [XF Section 8.3.2]. Note that the lexical representation of each argument MUST be converted to a value expressed in integer months [XF Section 8.2.1].
anyURI-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#anyURI" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation according to the "op:anyURI-equal" function [XF Section 10.2.1].
x500Name-equal
This function shall take two arguments of "urn:oasis:names:tc:xacml:1.0:data-type:x500Name" and shall return an "http://www.w3.org/2001/XMLSchema#boolean". It shall return "True" if and only if each Relative Distinguished Name (RDN) in the two arguments matches. Two RDNs shall be said to match if and only if the result of the following operations is "True" [3]:
1. Normalize the two arguments according to IETF RFC 2253, "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names".
2. If any RDN contains multiple attributeTypeAndValue pairs, re-order the AttributeValuePairs in that RDN in ascending order when compared as octet strings (described in ITU-T Rec. X.690 (1997 E) Section 11.6, "Set-of components").
3. Compare RDNs using the rules in IETF RFC 3280, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", Section 4.1.2.4, "Issuer".
rfc822Name-equal
This function SHALL take two arguments of data-type "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL determine whether two "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" arguments are equal. An RFC822 name consists of a local-part followed by "@" followed by a domain-part. The local-part is case-sensitive, while the domain-part (which is usually a DNS host name) is not case-sensitive. Perform the following operations:
1. Normalize the domain-part of each argument to lower case.
2. Compare the expressions by applying the function "urn:oasis:names:tc:xacml:1.0:function:string-equal" to the normalized arguments.
[3] ITU-T Rec. X.520 contains rules for matching X.500 names, but these are very complex and require knowledge of the syntax of various AttributeTypes. IETF RFC 3280 contains simplified matching rules that the XACML x500Name-equal function uses.
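The two rfc822Name-equal steps above, as an added Python example that is not part of the specification, with string-equal implemented as the byte-by-byte comparison of Section A.14.1. Splitting at the last "@" and treating a value without a local-part/domain-part pair as an operational error ("Indeterminate") are this example's assumptions; the function names are its own.

```python
# Added example (not from the XACML specification): rfc822Name-equal per
# Section A.14.1, with the rfc822Name data-type carried as a plain str.
# Only the domain-part is case-folded; the local-part is compared exactly,
# so a policy that names "Alice@example.com" does not match a context that
# carries "alice@example.com" under this function.
from typing import Optional, Union

INDETERMINATE = "Indeterminate"
Result = Union[bool, str]


def string_equal(a: str, b: str) -> bool:
    """string-equal: equal length and byte-by-byte equality of the UTF-8
    encodings (integer-equal applied to every byte pair)."""
    ab, bb = a.encode("utf-8"), b.encode("utf-8")
    return len(ab) == len(bb) and all(x == y for x, y in zip(ab, bb))


def normalize_rfc822_name(name: str) -> Optional[str]:
    """Step 1: lower-case the domain-part only. Splits at the last "@" so a
    quoted local-part containing "@" survives (example's assumption).
    Returns None when there is no local-part@domain-part structure."""
    at = name.rfind("@")
    if at <= 0 or at == len(name) - 1:
        return None
    local_part, domain_part = name[:at], name[at + 1:]
    return local_part + "@" + domain_part.lower()


def rfc822name_equal(a: str, b: str) -> Result:
    """Step 2: string-equal over the normalized arguments; a value that
    cannot be normalized is an operational error (example's assumption)."""
    na, nb = normalize_rfc822_name(a), normalize_rfc822_name(b)
    if na is None or nb is None:
        return INDETERMINATE
    return string_equal(na, nb)


def demo() -> dict:
    """Constructed sample values showing where case does and does not matter."""
    return {
        # domain-part case is ignored
        "domain_case": rfc822name_equal("alice@Example.COM", "alice@example.com"),
        # local-part case is significant: these are different names
        "local_case": rfc822name_equal("Alice@example.com", "alice@example.com"),
        # a malformed name cannot be compared
        "malformed": rfc822name_equal("alice", "alice@example.com"),
    }
```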
hexBinary-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#hexBinary" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL return "True" if the octet sequences represented by the value of both arguments have equal length and are equal in a conjunctive, point-wise comparison using the "urn:oasis:names:tc:xacml:1.0:function:integer-equal". The conversion from the string representation to an octet sequence SHALL be as specified in [XS Section 8.2.15].
base64Binary-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#base64Binary" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL return "True" if the octet sequences represented by the value of both arguments have equal length and are equal in a conjunctive, point-wise comparison using the "urn:oasis:names:tc:xacml:1.0:function:integer-equal". The conversion from the string representation to an octet sequence SHALL be as specified in [XS Section 8.2.16].

A.14.2 Arithmetic functions

All of the following functions SHALL take two arguments of the specified data-type, integer or double, and SHALL return an element of integer or double data-type, respectively. However, the "add" functions MAY take more than two arguments. Each function evaluation SHALL proceed as specified by their logical counterparts in IEEE 754 [IEEE 754]. In an expression that contains any of these functions, if any argument is "Indeterminate", then the expression SHALL evaluate to "Indeterminate". In the case of the divide functions, if the divisor is zero, then the function SHALL evaluate to "Indeterminate".
integer-add
This function MAY have two or more arguments.
double-add
This function MAY have two or more arguments.
integer-subtract
double-subtract
integer-multiply
double-multiply
integer-divide
double-divide
integer-mod
The following functions SHALL take a single argument of the specified data-type. The round and floor functions SHALL take a single argument of data-type "http://www.w3.org/2001/XMLSchema#double" and return data-type "http://www.w3.org/2001/XMLSchema#double". In an expression that contains any of these functions, if any argument is "Indeterminate", then the expression SHALL evaluate to "Indeterminate".
integer-abs
double-abs
round
floor

A.14.3 String conversion functions

The following functions convert between values of the XACML "http://www.w3.org/2001/XMLSchema#string" primitive types. In an expression that contains any of these functions, if any argument is "Indeterminate", then the expression SHALL evaluate to "Indeterminate".
string-normalize-space
This function SHALL take one argument of data-type "http://www.w3.org/2001/XMLSchema#string" and SHALL normalize the value by stripping off all leading and trailing whitespace characters.
string-normalize-to-lower-case
This function SHALL take one argument of "http://www.w3.org/2001/XMLSchema#string" and SHALL normalize the value by converting each upper case character to its lower case equivalent.

A.14.4 Numeric data-type conversion functions

The following functions convert between the XACML "http://www.w3.org/2001/XMLSchema#integer" and "http://www.w3.org/2001/XMLSchema#double" primitive types. In any expression in which the functions defined below are applied, if any argument, while being evaluated, results in "Indeterminate", the expression SHALL return "Indeterminate".
double-to-integer
This function SHALL take one argument of data-type "http://www.w3.org/2001/XMLSchema#double" and SHALL truncate its numeric value to a whole number and return an element of data-type "http://www.w3.org/2001/XMLSchema#integer".
integer-to-double
This function SHALL take one argument of data-type "http://www.w3.org/2001/XMLSchema#integer" and SHALL promote its value to an element of data-type "http://www.w3.org/2001/XMLSchema#double" of the same numeric value.

A.14.5 Logical functions

This section contains the specification for logical functions that operate on arguments of the "http://www.w3.org/2001/XMLSchema#boolean" data-type.
or
This function SHALL return "False" if it has no arguments and SHALL return "True" if one of its arguments evaluates to "True". The order of evaluation SHALL be from first argument to last. The evaluation SHALL stop with a result of "True" if any argument evaluates to "True", leaving the rest of the arguments unevaluated. In an expression that contains any of these functions, if ANY argument to this function evaluates to "Indeterminate", then the expression SHALL evaluate to "Indeterminate".
and
This function SHALL return "True" if it has no arguments and SHALL return "False" if one of its arguments evaluates to "False". The order of evaluation SHALL be from first argument to last. The evaluation SHALL stop with a result of "False" if any argument evaluates to "False", leaving the rest of the arguments unevaluated. In an expression that contains any of these functions, if ANY argument to this function evaluates to "Indeterminate", then the expression SHALL evaluate to "Indeterminate".
n-of
The first argument to this function SHALL be of data-type "http://www.w3.org/2001/XMLSchema#integer", specifying the number of the remaining arguments that MUST evaluate to "True" for the expression to be considered "True". If the first argument is 0, the result SHALL be "True". If the number of arguments after the first one is less than the value of the first argument, then the expression SHALL result in "Indeterminate". The order of evaluation SHALL be: first evaluate the integer value, then evaluate each subsequent argument. The evaluation SHALL stop and return "True" if the specified number of arguments evaluate to "True". The evaluation of arguments SHALL stop if it is determined that evaluating the remaining arguments will not satisfy the requirement. In an expression that contains any of these functions, if ANY argument to this function evaluates to "Indeterminate", then the expression SHALL evaluate to "Indeterminate".
not
This function SHALL take one logical argument. If the argument evaluates to "True", then the result of the expression SHALL be "False". If the argument evaluates to "False", then the result of the expression SHALL be "True". In an expression that contains any of these functions, if ANY argument to this function evaluates to "Indeterminate", then the expression SHALL evaluate to "Indeterminate".
Note: For an expression that is an application of AND, OR or N-OF, it MAY NOT be necessary to attempt a full evaluation of each boolean argument to a truth value in order to determine whether the evaluation of the argument would result in "Indeterminate". Analysis of the argument regarding its necessary attributes, or other analysis regarding errors such as divide-by-zero, may render the argument error free. Such arguments, occurring in the expression in a position after the evaluation is stated to stop, need not be processed.
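The "or", "and" and "n-of" functions of this section with their left-to-right, short-circuit evaluation order, as an added Python example that is not part of the specification. Arguments are passed as zero-argument callables so that the evaluator, not the caller, decides which ones get evaluated; the recording helper and all names are the example's own, and an argument that fails to evaluate returns "Indeterminate".

```python
# Added example (not from the XACML specification): the Section A.14.5
# connectives. Each argument is a thunk (zero-argument callable) returning
# True, False or INDETERMINATE. The evaluator follows the stated stop rules
# literally: arguments after the stopping point are never evaluated, and an
# Indeterminate argument that is reached makes the whole result Indeterminate.
from typing import Callable, List, Union

INDETERMINATE = "Indeterminate"
Result = Union[bool, str]
Thunk = Callable[[], Result]     # a not-yet-evaluated boolean expression


def xacml_or(args: List[Thunk]) -> Result:
    """False with no arguments; True as soon as one argument is True."""
    for arg in args:
        r = arg()
        if r is True:
            return True            # remaining arguments stay unevaluated
        if r == INDETERMINATE:
            return INDETERMINATE
    return False


def xacml_and(args: List[Thunk]) -> Result:
    """True with no arguments; False as soon as one argument is False."""
    for arg in args:
        r = arg()
        if r is False:
            return False
        if r == INDETERMINATE:
            return INDETERMINATE
    return True


def xacml_n_of(n: int, args: List[Thunk]) -> Result:
    """True once n arguments have evaluated True; stops with False as soon as
    the arguments still unevaluated cannot bring the count up to n."""
    if n == 0:
        return True
    if len(args) < n:
        return INDETERMINATE       # too few arguments to ever satisfy n
    true_count = 0
    for index, arg in enumerate(args):
        r = arg()
        if r == INDETERMINATE:
            return INDETERMINATE
        if r is True:
            true_count += 1
            if true_count == n:
                return True
        remaining = len(args) - index - 1
        if true_count + remaining < n:
            return False           # requirement can no longer be met
    return False


def trace(log: list, name: str, value: Result) -> Thunk:
    """Constructed argument that records when it is evaluated."""
    def thunk() -> Result:
        log.append(name)
        return value
    return thunk


def demo() -> dict:
    """Constructed inputs showing which arguments are actually evaluated."""
    log: list = []
    r1 = xacml_or([trace(log, "a", False), trace(log, "b", True),
                   trace(log, "c", INDETERMINATE)])
    or_evaluated = list(log)       # "c" is never reached
    log.clear()
    r2 = xacml_n_of(2, [trace(log, "a", False), trace(log, "b", False),
                        trace(log, "c", False), trace(log, "d", True)])
    n_of_evaluated = list(log)     # stops after "c": one argument left, two needed
    return {"or": r1, "or_evaluated": or_evaluated,
            "n_of": r2, "n_of_evaluated": n_of_evaluated}
```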
A.14.6 Arithmetic comparison functions

These functions form a minimal set for comparing two numbers, yielding a boolean result. They SHALL comply with the rules governed by IEEE 754 [IEEE 754]. In an expression that contains any of these functions, if any argument is "Indeterminate", then the expression SHALL evaluate to "Indeterminate".
integer-greater-than
integer-greater-than-or-equal
integer-less-than
integer-less-than-or-equal
double-greater-than
double-greater-than-or-equal
double-less-than
double-less-than-or-equal

A.14.7 Date and time arithmetic functions

These functions perform arithmetic operations with the date and time. In an expression that contains any of these functions, if any argument is "Indeterminate", then the expression SHALL evaluate to "Indeterminate".
dateTime-add-dayTimeDuration
This function SHALL take two arguments: the first is of data-type "http://www.w3.org/2001/XMLSchema#dateTime" and the second is of data-type "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#dateTime". This function SHALL return the value by adding the second argument to the first argument according to the specification of adding durations to date and time [XS Appendix E].
dateTime-add-yearMonthDuration
This function SHALL take two arguments: the first is a "http://www.w3.org/2001/XMLSchema#dateTime" and the second is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#dateTime". This function SHALL return the value by adding the second argument to the first argument according to the specification of adding durations to date and time [XS Appendix E].
dateTime-subtract-dayTimeDuration
This function SHALL take two arguments: the first is a "http://www.w3.org/2001/XMLSchema#dateTime" and the second is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#dateTime". If the second argument is a positive duration, then this function SHALL return the value by adding the corresponding negative duration, as per the specification [XS Appendix E]. If the second argument is a negative duration, then the result SHALL be as if the function "urn:oasis:names:tc:xacml:1.0:function:dateTime-add-dayTimeDuration" had been applied to the corresponding positive duration.
dateTime-subtract-yearMonthDuration
This function SHALL take two arguments: the first is a "http://www.w3.org/2001/XMLSchema#dateTime" and the second is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#dateTime". If the second argument is a positive duration, then this function SHALL return the value by adding the corresponding negative duration, as per the specification [XS Appendix E]. If the second argument is a negative duration, then the result SHALL be as if the function "urn:oasis:names:tc:xacml:1.0:function:dateTime-add-yearMonthDuration" had been applied to the corresponding positive duration.
date-add-yearMonthDuration
This function SHALL take two arguments: the first is a "http://www.w3.org/2001/XMLSchema#date" and the second is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#date". This function SHALL return the value by adding the second argument to the first argument according to the specification of adding durations to date [XS Appendix E].
date-subtract-yearMonthDuration
This function SHALL take two arguments the first is a ldquohttpwwww3org2001XMLSchemadaterdquo and the second is a ldquohttpwwww3orgTR2002WD-xquery-operators-20020816yearMonthDurationrdquo It SHALL return a result of ldquohttpwwww3org2001XMLSchemadaterdquo If the second argument is a positive duration then this function SHALL return the value by adding the corresponding negative duration as per the specification [XS Appendix E] If the second argument is a negative duration then the result SHALL be as if the function ldquournoasisnamestcxacml10functiondate-add-yearMonthDurationrdquo had been applied to the corresponding positive duration
A148Non-numeric comparison functionsThese functions perform comparison operations on two arguments of non-numerical types In an expression that contains any of these functions if any argument is Indeterminate then the expression SHALL evaluate to Indeterminate
string-greater-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if and only if the arguments are compared byte by byte and, after an initial prefix of corresponding bytes from both arguments that are considered equal by "urn:oasis:names:tc:xacml:1.0:function:integer-equal", the next byte-by-byte comparison is such that the byte from the first argument is greater than the byte from the second argument, as determined by the function "urn:oasis:names:tc:xacml:1.0:function:integer-greater-than".
string-greater-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return a result as if evaluated with the logical function "urn:oasis:names:tc:xacml:1.0:function:or" with two arguments containing the functions "urn:oasis:names:tc:xacml:1.0:function:string-greater-than" and "urn:oasis:names:tc:xacml:1.0:function:string-equal" applied to the original arguments.
string-less-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if and only if the arguments are compared byte by byte and, after an initial prefix of corresponding bytes from both arguments that are considered equal by "urn:oasis:names:tc:xacml:1.0:function:integer-equal", the next byte-by-byte comparison is such that the byte from the first argument is less than the byte from the second argument, as determined by the function "urn:oasis:names:tc:xacml:1.0:function:integer-less-than".
string-less-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return a result as if evaluated with the function "urn:oasis:names:tc:xacml:1.0:function:or" with two arguments containing the functions "urn:oasis:names:tc:xacml:1.0:function:string-less-than" and "urn:oasis:names:tc:xacml:1.0:function:string-equal" applied to the original arguments.
time-greater-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#time" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is greater than the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#time" [XS Section 3.2.8].
time-greater-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#time" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is greater than or equal to the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#time" [XS Section 3.2.8].
time-less-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#time" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is less than the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#time" [XS Section 3.2.8].
time-less-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#time" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is less than or equal to the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#time" [XS Section 3.2.8].
dateTime-greater-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#dateTime" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is greater than the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#dateTime" [XS Section 3.2.7].
dateTime-greater-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#dateTime" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is greater than or equal to the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#dateTime" [XS Section 3.2.7].
dateTime-less-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#dateTime" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is less than the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#dateTime" [XS Section 3.2.7].
dateTime-less-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#dateTime" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is less than or equal to the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#dateTime" [XS Section 3.2.7].
date-greater-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#date" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is greater than the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#date" [XS Section 3.2.9].
date-greater-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#date" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is greater than or equal to the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#date" [XS Section 3.2.9].
date-less-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#date" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is less than the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#date" [XS Section 3.2.9].
date-less-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#date" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is less than or equal to the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#date" [XS Section 3.2.9].
A.14.9 Bag functions
These functions operate on a bag of type values, where type is one of the primitive data-types. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate. Some additional conditions, defined for each function below, SHALL also cause the expression to evaluate to Indeterminate.
type-one-and-only
This function SHALL take an argument of a bag of type values and SHALL return a value of data-type type. It SHALL return the only value in the bag. If the bag does not have one and only one value, then the expression SHALL evaluate to Indeterminate.
type-bag-size
This function SHALL take a bag of type values as an argument and SHALL return an "http://www.w3.org/2001/XMLSchema#integer" indicating the number of values in the bag.
type-is-in
This function SHALL take an argument of data-type type as the first argument and a bag of type values as the second argument. The expression SHALL evaluate to True if the first argument matches, as determined by urn:oasis:names:tc:xacml:1.0:function:type-equal, any value in the bag.
type-bag
This function SHALL take any number of arguments of a single data-type and return a bag of type values containing the values of the arguments. An application of this function to zero arguments SHALL produce an empty bag of the specified data-type.
A.14.10 Set functions
These functions operate on bags mimicking sets by eliminating duplicate elements from a bag. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.
type-intersection
This function SHALL take two arguments that are both a bag of type values. The expression SHALL return a bag of type values such that it contains only elements that are common to the two bags, as determined by urn:oasis:names:tc:xacml:1.0:function:type-equal. No duplicates, as determined by urn:oasis:names:tc:xacml:1.0:function:type-equal, SHALL exist in the result.
type-at-least-one-member-of
This function SHALL take two arguments that are both a bag of type values. The expression SHALL evaluate to True if at least one element of the first argument is contained in the second argument, as determined by urn:oasis:names:tc:xacml:1.0:function:type-is-in.
type-union
This function SHALL take two arguments that are both a bag of type values. The expression SHALL return a bag of type values such that it contains all elements of both bags. No duplicates, as determined by urn:oasis:names:tc:xacml:1.0:function:type-equal, SHALL exist in the result.
type-subset
This function SHALL take two arguments that are both a bag of type values. It SHALL return True if the first argument is a subset of the second argument. Each argument is considered to have its duplicates removed, as determined by urn:oasis:names:tc:xacml:1.0:function:type-equal, before the subset calculation.
type-set-equals
This function SHALL take two arguments that are both a bag of type values and SHALL return the result of applying urn:oasis:names:tc:xacml:1.0:function:and to the application of urn:oasis:names:tc:xacml:1.0:function:type-subset to the first and second arguments and the application of urn:oasis:names:tc:xacml:1.0:function:type-subset to the second and first arguments.
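The bag and set functions above, as an added Python model (this is not the specification's own code nor any implementation's). Bags are lists, the caller supplies the type-equal function, and the case-insensitive comparator ci_equal and the sample bags are constructed for this example to show how duplicate elimination and membership depend on the chosen type-equal and how Indeterminate propagates.

```python
# Added example: a small Python model of the XACML 1.1 bag (A.14.9) and set (A.14.10)
# functions. Bags are plain lists (duplicates allowed, order irrelevant); INDETERMINATE
# models the XACML Indeterminate result. Equality uses a caller-supplied type_equal so
# that every "as determined by type-equal" clause is honoured instead of Python's ==.

class _Indeterminate:
    def __repr__(self):
        return "Indeterminate"

INDETERMINATE = _Indeterminate()

def _guard(*args):
    """True if any argument is Indeterminate (the propagation rule of the section)."""
    return any(a is INDETERMINATE for a in args)

def type_one_and_only(bag):
    if _guard(bag):
        return INDETERMINATE
    # Anything other than exactly one value is Indeterminate, not an error.
    return bag[0] if len(bag) == 1 else INDETERMINATE

def type_bag_size(bag):
    if _guard(bag):
        return INDETERMINATE
    return len(bag)

def type_is_in(value, bag, type_equal):
    if _guard(value, bag):
        return INDETERMINATE
    return any(type_equal(value, v) for v in bag)

def type_bag(*values):
    return list(values)

def _dedup(bag, type_equal):
    """Remove duplicates using type_equal, keeping the first occurrence of each value."""
    out = []
    for v in bag:
        if not any(type_equal(v, w) for w in out):
            out.append(v)
    return out

def type_intersection(a, b, type_equal):
    if _guard(a, b):
        return INDETERMINATE
    return _dedup([v for v in a if type_is_in(v, b, type_equal)], type_equal)

def type_at_least_one_member_of(a, b, type_equal):
    if _guard(a, b):
        return INDETERMINATE
    return any(type_is_in(v, b, type_equal) for v in a)

def type_union(a, b, type_equal):
    if _guard(a, b):
        return INDETERMINATE
    return _dedup(list(a) + list(b), type_equal)

def type_subset(a, b, type_equal):
    if _guard(a, b):
        return INDETERMINATE
    # Duplicates are removed from both sides before the subset test.
    b_set = _dedup(b, type_equal)
    return all(type_is_in(v, b_set, type_equal) for v in _dedup(a, type_equal))

def type_set_equals(a, b, type_equal):
    if _guard(a, b):
        return INDETERMINATE
    return type_subset(a, b, type_equal) and type_subset(b, a, type_equal)

# Two constructed type-equal functions: plain string-equal, and a case-insensitive
# equality standing in for a data-type whose equality is not byte-wise.
def string_equal(x, y):
    return x == y

def ci_equal(x, y):
    return x.lower() == y.lower()

if __name__ == "__main__":
    a = type_bag("read", "write", "read")        # constructed sample bags
    b = type_bag("WRITE", "execute")
    print(type_intersection(a, b, string_equal))  # []
    print(type_intersection(a, b, ci_equal))      # ['write']
    print(type_union(a, b, ci_equal))             # ['read', 'write', 'execute']
    print(type_subset(["read", "read"], ["read"], string_equal))  # True
    print(type_one_and_only(a))                   # Indeterminate
```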
A.14.11 Higher-order bag functions
This section describes functions in XACML that perform operations on bags such that functions may be applied to the bags in general.
In this section, a general-purpose functional language called Haskell [Haskell] is used to formally specify the semantics of these functions. Although the English description is adequate, a formal specification of the semantics is helpful.
For a quick summary: in the following Haskell notation, a function definition takes the form of clauses that are applied to patterns of structures, namely lists. The symbol "[]" denotes the empty list, whereas the expression "(x:xs)" matches against an argument of a non-empty list, of which "x" represents the first element of the list and "xs" is the rest of the list, which may be an empty list. We use the Haskell notion of a list, which is an ordered collection of elements, to model the XACML bags of values.
A simple Haskell definition of a familiar function, "urn:oasis:names:tc:xacml:1.0:function:and", that takes a list of booleans is as follows:
    and :: [Bool] -> Bool
    and [] = True
    and (x:xs) = x && (and xs)
The first definition line, denoted by "::", formally describes the data-type of the function, which takes a list of booleans, denoted by "[Bool]", and returns a boolean, denoted by "Bool". The second definition line is a clause that states that the function "and" applied to the empty list is True. The third definition line is a clause that states that, for a non-empty list whose first element is "x" (a value of data-type Bool), the result is x combined, using the logical conjunction function denoted by the infix symbol "&&", with the result of recursively applying the function "and" to the rest of the list. Of course, an application of the "and" function is True if and only if the list to which it is applied is empty or every element of the list is True. For example, the evaluation of the following Haskell expressions
    (and []), (and [True]), (and [True,True]), (and [True,True,False])
evaluate to True, True, True and False, respectively.
In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.
any-of
This function applies a boolean function between a specific primitive value and a bag of values, and SHALL return True if and only if the predicate is True for at least one element of the bag.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a value of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied to the second argument and each element of the third argument (the bag) and the results were combined with "urn:oasis:names:tc:xacml:1.0:function:or".
In Haskell, the semantics of this operation are as follows:
    any_of :: (a -> b -> Bool) -> a -> [b] -> Bool
    any_of f a [] = False
    any_of f a (x:xs) = (f a x) || (any_of f a xs)
In the above notation, "f" is the function name to be applied, "a" is the primitive value, and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression SHALL return True:
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Paul</AttributeValue>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Paul</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">George</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Ringo</AttributeValue>
        </Apply>
    </Apply>
This expression is True because the first argument is equal to at least one of the elements of the bag.
all-of
This function applies a boolean function between a specific primitive value and a bag of values, and returns True if and only if the predicate is True for every element of the bag.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a value of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied to the second argument and each element of the third argument (the bag) and the results were combined using "urn:oasis:names:tc:xacml:1.0:function:and".
In Haskell, the semantics of this operation are as follows:
    all_of :: (a -> b -> Bool) -> a -> [b] -> Bool
    all_of f a [] = True    -- the "and" of no results is True, matching (and [])
    all_of f a (x:xs) = (f a x) && (all_of f a xs)
In the above notation, "f" is the function name to be applied, "a" is the primitive value, and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression SHALL evaluate to True:
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:all-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than"/>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">10</AttributeValue>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">9</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">4</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</AttributeValue>
        </Apply>
    </Apply>
This expression is True because the first argument is greater than all of the elements of the bag.
any-of-any
This function applies a boolean function between each element of a bag of values and each element of another bag of values, and returns True if and only if the predicate is True for at least one comparison.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a bag of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied between every element in the second argument and every element of the third argument (the bag) and the results were combined using "urn:oasis:names:tc:xacml:1.0:function:or". The semantics are that the result of the expression SHALL be True if and only if the applied predicate is True for any comparison of elements from the two bags.
In Haskell, taking advantage of the "any_of" function defined above, the semantics of the "any_of_any" function are as follows:
    any_of_any :: (a -> b -> Bool) -> [a] -> [b] -> Bool
    any_of_any f [] ys = False
    any_of_any f (x:xs) ys = (any_of f x ys) || (any_of_any f xs ys)
In the above notation, "f" is the function name to be applied and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression SHALL evaluate to True:
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Ringo</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Mary</AttributeValue>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Paul</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">George</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Ringo</AttributeValue>
        </Apply>
    </Apply>
This expression is True because at least one of the elements of the first bag, namely "Ringo", is equal to at least one of the string values of the second bag.
all-of-any
This function applies a boolean function between the elements of two bags. The expression is True if and only if, for each element of the first bag, the predicate is True against at least one element of the second bag.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a bag of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied between every element in the second argument and every element of the third argument (the bag), combining the results using "urn:oasis:names:tc:xacml:1.0:function:and". The semantics are that the result of the expression SHALL be True if and only if the applied predicate is True for each element of the first bag and any element of the second bag.
In Haskell, taking advantage of the "any_of" function defined above, the semantics of the "all_of_any" function are as follows:
    all_of_any :: (a -> b -> Bool) -> [a] -> [b] -> Bool
    all_of_any f [] ys = True    -- the "and" of no results is True, matching (and [])
    all_of_any f (x:xs) ys = (any_of f x ys) && (all_of_any f xs ys)
In the above notation, "f" is the function name to be applied and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression SHALL evaluate to True:
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:all-of-any">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">10</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">20</AttributeValue>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">5</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">21</AttributeValue>
        </Apply>
    </Apply>
This expression is True because each of the elements of the first bag, "10" and "20", is greater than at least one of the integer values "1", "3", "5", "21" of the second bag.
any-of-all
This function applies a boolean function between the elements of two bags. The expression SHALL be True if and only if, for at least one element of the first bag, the predicate is True against all the elements of the second bag.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a bag of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied between every element in the second argument and every element of the third argument (the bag) and the results were combined using "urn:oasis:names:tc:xacml:1.0:function:or". The semantics are that the result of the expression SHALL be True if and only if the applied predicate is True for any element of the first bag compared to all the elements of the second bag.
In Haskell, taking advantage of the "all_of" function defined above, the semantics of the "any_of_all" function are as follows:
    any_of_all :: (a -> b -> Bool) -> [a] -> [b] -> Bool
    any_of_all f [] ys = False
    any_of_all f (x:xs) ys = (all_of f x ys) || (any_of_all f xs ys)
In the above notation, "f" is the function name to be applied and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression SHALL evaluate to True:
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-all">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">5</AttributeValue>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">4</AttributeValue>
        </Apply>
    </Apply>
This expression is True because at least one element of the first bag, namely "5", is greater than all of the integer values "1", "2", "3", "4" of the second bag.
all-of-all
This function applies a boolean function between the elements of two bags. The expression SHALL be True if and only if, for each element of the first bag, the predicate is True against all the elements of the second bag.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a bag of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression is evaluated as if the function named in the <Function> element were applied between every element in the second argument and every element of the third argument (the bag) and the results were combined using "urn:oasis:names:tc:xacml:1.0:function:and". The semantics are that the result of the expression is True if and only if the applied predicate is True for all elements of the first bag compared to all the elements of the second bag.
In Haskell, taking advantage of the "all_of" function defined above, the semantics of the "all_of_all" function are as follows:
    all_of_all :: (a -> b -> Bool) -> [a] -> [b] -> Bool
    all_of_all f [] ys = True    -- the "and" of no results is True, matching (and [])
    all_of_all f (x:xs) ys = (all_of f x ys) && (all_of_all f xs ys)
In the above notation, "f" is the function name to be applied and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression SHALL evaluate to True:
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:all-of-all">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">6</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">5</AttributeValue>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">4</AttributeValue>
        </Apply>
    </Apply>
This expression is True because all elements of the first bag, "5" and "6", are each greater than all of the integer values "1", "2", "3", "4" of the second bag.
map
This function converts a bag of values to another bag of values.
This function SHALL take two arguments. The first argument SHALL be a <Function> element naming a function that takes a single argument of a primitive data-type and returns a value of a primitive data-type. The second argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied to each element in the bag, resulting in a bag of the converted values. The result SHALL be a bag of the primitive data-type that is the same data-type as that returned by the function named in the <Function> element.
In Haskell, this function is defined as follows:
    map :: (a -> b) -> [a] -> [b]
    map f [] = []
    map f (x:xs) = (f x) : (map f xs)
In the above notation, "f" is the function name to be applied and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:map">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-normalize-to-lower-case"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Hello</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">World</AttributeValue>
        </Apply>
    </Apply>
evaluates to a bag containing "hello" and "world".
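The higher-order bag functions of this section (any-of through map), re-run in Python as an added example; this is neither the specification's Haskell nor any implementation's code. The page's own example bags are evaluated, an empty bag is passed to all-of to show the "and"-combination result, and Indeterminate is propagated. The predicate names stand in for the FunctionId values and are assumptions of this example.

```python
# Added example: a Python model of the XACML 1.1 higher-order bag functions, written
# to mirror the Haskell clauses of A.14.11. Bags are lists; a predicate is any
# two-argument Python callable standing in for the <Function> element; INDETERMINATE
# propagates through every function as the section requires.

class _Indeterminate:
    def __repr__(self):
        return "Indeterminate"

INDETERMINATE = _Indeterminate()

def _bad(*args):
    return any(a is INDETERMINATE for a in args)

def any_of(f, a, bag):
    """True iff f(a, x) holds for at least one x in bag (results or-combined)."""
    if _bad(a, bag):
        return INDETERMINATE
    return any(f(a, x) for x in bag)

def all_of(f, a, bag):
    """True iff f(a, x) holds for every x in bag. True on the empty bag, because
    the results are combined with 'and' and the 'and' of no values is True."""
    if _bad(a, bag):
        return INDETERMINATE
    return all(f(a, x) for x in bag)

def any_of_any(f, xs, ys):
    if _bad(xs, ys):
        return INDETERMINATE
    return any(any_of(f, x, ys) for x in xs)

def all_of_any(f, xs, ys):
    if _bad(xs, ys):
        return INDETERMINATE
    return all(any_of(f, x, ys) for x in xs)

def any_of_all(f, xs, ys):
    if _bad(xs, ys):
        return INDETERMINATE
    return any(all_of(f, x, ys) for x in xs)

def all_of_all(f, xs, ys):
    if _bad(xs, ys):
        return INDETERMINATE
    return all(all_of(f, x, ys) for x in xs)

def xacml_map(f, bag):
    """Apply a one-argument function to each bag element, yielding a new bag."""
    if _bad(bag):
        return INDETERMINATE
    return [f(x) for x in bag]

# Predicates standing in for the FunctionId values used in the examples above
# (assumed names; argument order is value-from-second-argument, then bag element).
def string_equal(a, b):
    return a == b

def integer_greater_than(a, b):
    return a > b

def string_normalize_to_lower_case(s):
    return s.lower()

def examples():
    """The specification's own examples from this section, evaluated."""
    beatles = ["John", "Paul", "George", "Ringo"]
    return {
        "any-of":     any_of(string_equal, "Paul", beatles),
        "all-of":     all_of(integer_greater_than, 10, [9, 3, 4, 2]),
        "any-of-any": any_of_any(string_equal, ["Ringo", "Mary"], beatles),
        "all-of-any": all_of_any(integer_greater_than, [10, 20], [1, 3, 5, 21]),
        "any-of-all": any_of_all(integer_greater_than, [3, 5], [1, 2, 3, 4]),
        "all-of-all": all_of_all(integer_greater_than, [6, 5], [1, 2, 3, 4]),
        "map":        xacml_map(string_normalize_to_lower_case, ["Hello", "World"]),
    }

if __name__ == "__main__":
    for name, result in examples().items():
        print(f"{name}: {result}")
    # Edge cases a policy author should know about:
    print(all_of(integer_greater_than, 10, []))           # True  (and of nothing)
    print(any_of(string_equal, "Paul", []))               # False (or of nothing)
    print(any_of(string_equal, INDETERMINATE, ["Paul"]))  # Indeterminate
```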
A1412 Special match functionsThese functions operate on various types and evaluate to ldquohttpwwww3org2001XMLSchemabooleanrdquo based on the specified standard matching algorithm In an expression that contains any of these functions if any argument is Indeterminate then the expression SHALL evaluate to Indeterminate
regexp-string-match
This function decides a regular expression match It SHALL take two arguments of ldquohttpwwww3org2001XMLSchemastringrdquo and SHALL return an ldquohttpwwww3org2001XMLSchemabooleanrdquo The first argument SHALL be a regular expression and the second argument SHALL be a general string The function specification SHALL be that of the ldquoxfmatchesrdquo function with the arguments reversed [XF Section 6315]
x500Name-match
This function shall take two arguments of urnoasisnamestcxacml10data-typex500Name and shall return an httpwwww3org2001XMLSchemaboolean It shall return ldquoTruerdquo if and only if the first argument matches some terminal sequence of RDNs from the second argument when compared using x500Name-equal
rfc822Name-match
This function SHALL take two arguments, the first of data-type "http://www.w3.org/2001/XMLSchema#string" and the second of data-type "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name", and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL evaluate to "True" if the first argument matches the second argument according to the following specification.
An RFC822 name consists of a local-part followed by "@" followed by a domain-part. The local-part is case-sensitive, while the domain-part (which is usually a DNS name) is not case-sensitive [4].
The second argument contains a complete rfc822Name. The first argument is a complete or partial rfc822Name used to select appropriate values in the second argument as follows.
In order to match a particular mailbox in the second argument, the first argument must specify the complete mail address to be matched. For example, if the first argument is "Anderson@sun.com", this matches a value in the second argument of "Anderson@sun.com" and "Anderson@SUN.COM", but not "Anne.Anderson@sun.com", "anderson@sun.com" or "Anderson@east.sun.com".
In order to match any mail address at a particular domain in the second argument, the first argument must specify only a domain name (usually a DNS name). For example, if the first argument is "sun.com", this matches a value in the second argument of "Anderson@sun.com" or "Baxter@SUN.COM", but not "Anderson@east.sun.com".
In order to match any mail address in a particular domain in the second argument, the first argument must specify the desired domain-part with a leading ".". For example, if the first argument is ".east.sun.com", this matches a value in the second argument of "Anderson@east.sun.com" and "anne.anderson@ISRG.EAST.SUN.COM", but not "Anderson@sun.com".
[4] According to IETF RFC822 and its successor specifications [RFC2821], case is significant in the local-part. Many mail systems, as well as the IETF PKIX specification, treat the local-part as case-insensitive. This anomaly is considered an error by mail-system designers and is not encouraged. For this reason, rfc822Name-match treats the local-part as case-sensitive.
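As an added example (not code from the specification), the following Python implements rfc822Name-match exactly as specified above, and x500Name-match as described at the start of this section. Because x500Name-equal is not defined on this page, rdn_equal is an assumed, simplified stand-in for it (attribute types compared case-insensitively, values compared exactly after trimming whitespace); all function names are this example's own.

```python
"""rfc822Name-match and x500Name-match from XACML 1.1, Appendix A (added example)."""
from typing import List


def rfc822_name_match(pattern: str, mailbox: str) -> bool:
    """True if the complete mailbox (second argument) matches the pattern (first)."""
    if "@" not in mailbox:
        raise ValueError("second argument must be a complete rfc822Name")
    # rsplit: a quoted local-part may itself contain "@"; the domain-part cannot.
    local_part, domain = mailbox.rsplit("@", 1)
    domain = domain.lower()  # the domain-part is not case-sensitive
    if "@" in pattern:
        # Case 1: a complete mailbox; local-part case-sensitive, domain-part not.
        pattern_local, pattern_domain = pattern.rsplit("@", 1)
        return pattern_local == local_part and pattern_domain.lower() == domain
    if pattern.startswith("."):
        # Case 3: leading ".", any mailbox in that domain or one of its sub-domains.
        suffix = pattern.lower()
        return domain == suffix[1:] or domain.endswith(suffix)
    # Case 2: a bare domain name, any mailbox at exactly that domain.
    return domain == pattern.lower()


def split_rdns(name: str) -> List[str]:
    """Split an RFC 2253 string into RDNs on commas not escaped by a backslash."""
    rdns, current, escaped = [], [], False
    for ch in name:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def rdn_equal(a: str, b: str) -> bool:
    """Assumed simplified x500Name-equal on one RDN: type case-insensitive, value exact."""
    type_a, _, value_a = a.partition("=")
    type_b, _, value_b = b.partition("=")
    return (type_a.strip().lower() == type_b.strip().lower()
            and value_a.strip() == value_b.strip())


def x500_name_match(pattern: str, name: str) -> bool:
    """True iff the pattern equals some terminal sequence of RDNs of the name."""
    wanted, have = split_rdns(pattern), split_rdns(name)
    if len(wanted) > len(have):
        return False
    tail = have[len(have) - len(wanted):]
    return all(rdn_equal(p, n) for p, n in zip(wanted, tail))
```

The three branches of rfc822_name_match are the three cases above. The case-sensitivity split is what a policy author should keep in mind: a rule that names one mailbox is not satisfied by the same local-part written in a different case, while a domain-only or leading-dot pattern is deliberately case-insensitive and therefore matches every mailbox at (or, with the leading dot, beneath) that domain.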
A.14.13 XPath-based functions
This section specifies functions that take XPath expressions for arguments. An XPath expression evaluates to a node-set, which is a set of XML nodes that match the expression. A node or node-set is not in the formal data-type system of XACML. All comparison or other operations on node-sets are performed in the isolation of the particular function specified. The XPath expressions in these functions are restricted to the XACML request context. The <xacml-context:Request> element is the context node for every XPath expression. The following functions are defined:
xpath-node-count
This function SHALL take an "http://www.w3.org/2001/XMLSchema#string" as an argument, which SHALL be interpreted as an XPath expression, and SHALL evaluate to an "http://www.w3.org/2001/XMLSchema#integer". The value returned from the function SHALL be the count of the nodes within the node-set that matches the given XPath expression.
xpath-node-equal
This function SHALL take two "http://www.w3.org/2001/XMLSchema#string" arguments, which SHALL be interpreted as XPath expressions, and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". The function SHALL return "True" if any XML node from the node-set matched by the first argument equals, according to the "op:node-equal" function [XF, Section 13.1.6], any XML node from the node-set matched by the second argument.
xpath-node-match
This function SHALL take two "http://www.w3.org/2001/XMLSchema#string" arguments, which SHALL be interpreted as XPath expressions, and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL evaluate to "True" if either of the following two conditions is satisfied: (1) any XML node from the node-set matched by the first argument is equal, according to op:node-equal [XF, Section 13.1.6], to any XML node from the node-set matched by the second argument; (2) any attribute or element node below any XML node from the node-set matched by the first argument is equal, according to op:node-equal [XF, Section 13.1.6], to any XML node from the node-set matched by the second argument.
NOTE: The first condition is equivalent to xpath-node-equal and guarantees that xpath-node-equal is a special case of xpath-node-match.
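The three functions over a request context, as an added example that is not part of the specification. It uses the ElementPath subset of XPath that Python's xml.etree supports (relative paths from the context node, so expressions begin with "." or ".//" at the <xacml-context:Request> element); op:node-equal is node identity, which the live Element objects returned by findall provide directly. The request context below is constructed for the example, and ElementTree has no attribute nodes, so condition (2) of xpath-node-match is implemented for descendant elements only.

```python
"""XPath-based functions of XACML 1.1, A.14.13, over a request context (added example)."""
import xml.etree.ElementTree as ET

CONTEXT_NS = "urn:oasis:names:tc:xacml:1.0:context"
NAMESPACES = {"xacml-context": CONTEXT_NS}

# Constructed request context; the subject and the record contents are invented.
REQUEST_XML = f"""
<xacml-context:Request xmlns:xacml-context="{CONTEXT_NS}">
  <xacml-context:Subject>
    <xacml-context:Attribute
        AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
        DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
      <xacml-context:AttributeValue>Anderson@sun.com</xacml-context:AttributeValue>
    </xacml-context:Attribute>
  </xacml-context:Subject>
  <xacml-context:Resource>
    <xacml-context:ResourceContent>
      <record>
        <patient><name>Bartholomew Simpson</name></patient>
        <physician>Anderson</physician>
      </record>
    </xacml-context:ResourceContent>
  </xacml-context:Resource>
</xacml-context:Request>
"""

# The <xacml-context:Request> element is the context node for every expression.
REQUEST = ET.fromstring(REQUEST_XML.strip())


def node_set(expression: str) -> list:
    """Evaluate an expression against the request context. findall returns the
    tree's own Element objects, so identity (`is`) stands in for op:node-equal."""
    return REQUEST.findall(expression, NAMESPACES)


def xpath_node_count(expression: str) -> int:
    return len(node_set(expression))


def xpath_node_equal(first: str, second: str) -> bool:
    matched = node_set(second)
    return any(a is b for a in node_set(first) for b in matched)


def xpath_node_match(first: str, second: str) -> bool:
    # Condition (1): the two node-sets share a node (xpath-node-equal).
    if xpath_node_equal(first, second):
        return True
    # Condition (2): a node below some node of the first set is in the second set.
    matched = node_set(second)
    for top in node_set(first):
        for below in top.iter():  # iter() yields top itself first, then descendants
            if below is not top and any(below is b for b in matched):
                return True
    return False
```

Restricting every expression to the request context, as the text requires, is what keeps these functions pure: the result depends only on the request document handed to the PDP, never on a file or external entity the expression could otherwise reach.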
A.14.14 Extension functions and primitive types
Functions and primitive types are specified by string identifiers, allowing for the introduction of functions in addition to those specified by XACML. This approach allows one to extend the XACML module with special functions and special primitive data-types.
In order to preserve some integrity to the XACML evaluation strategy, the result of every function application SHALL depend only on the values of its arguments. Global and hidden parameters SHALL NOT affect the evaluation of an expression. Functions SHALL NOT have side effects, as evaluation order cannot be guaranteed in a standard way.
Appendix B XACML identifiers (normative)
This section defines standard identifiers for commonly used entities. All XACML-defined identifiers have the common base:
urn:oasis:names:tc:xacml:1.0
B.1 XACML namespaces
There are currently two defined XACML namespaces.
Policies are defined using this identifier:
urn:oasis:names:tc:xacml:1.0:policy
Request and response contexts are defined using this identifier:
urn:oasis:names:tc:xacml:1.0:context
B.2 Access subject categories
This identifier indicates the system entity that initiated the access request, that is, the initial entity in a request chain. If subject category is not specified, this is the default value.
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
This identifier indicates the system entity that will receive the results of the request. Used when it is distinct from the access-subject.
urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject
This identifier indicates a system entity through which the access request was passed. There may be more than one. No means is provided to specify the order in which they passed the message.
urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject
This identifier indicates a system entity associated with a local or remote codebase that generated the request. Corresponding subject attributes might include the URL from which it was loaded and/or the identity of the code-signer. There may be more than one. No means is provided to specify the order in which they processed the request.
urn:oasis:names:tc:xacml:1.0:subject-category:codebase
This identifier indicates a system entity associated with the computer that initiated the access request. An example would be an IPsec identity.
urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine
B.3 XACML functions
This identifier is the base for all the identifiers in the table of functions. See Section A.1.
urn:oasis:names:tc:xacml:1.0:function
B.4 Data-types
The following identifiers indicate useful data-types.
X.500 distinguished name
urn:oasis:names:tc:xacml:1.0:data-type:x500Name
An x500Name contains an ITU-T Rec. X.520 Distinguished Name. The valid syntax for such a name is described in IETF RFC 2253 "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names".
RFC822 Name
urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name
An rfc822Name contains an e-mail name. The valid syntax for such a name is described in IETF RFC 2821, Section 4.1.2 "Command Argument Syntax", under the term "Mailbox".
The following data-type identifiers are defined by XML Schema:
http://www.w3.org/2001/XMLSchema#string
http://www.w3.org/2001/XMLSchema#boolean
http://www.w3.org/2001/XMLSchema#integer
http://www.w3.org/2001/XMLSchema#double
http://www.w3.org/2001/XMLSchema#time
http://www.w3.org/2001/XMLSchema#date
http://www.w3.org/2001/XMLSchema#dateTime
http://www.w3.org/2001/XMLSchema#anyURI
http://www.w3.org/2001/XMLSchema#hexBinary
http://www.w3.org/2001/XMLSchema#base64Binary
The following data-type identifiers correspond to the dayTimeDuration and yearMonthDuration data-types defined in [XF, Sections 8.2.2 and 8.2.1 respectively]:
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration
B.5 Subject attributes
These identifiers indicate attributes of a subject. When used, they SHALL appear within a <Subject> element of the request context. They SHALL be accessed via a <SubjectAttributeDesignator> or an <AttributeSelector> element pointing into a <Subject> element of the request context.
At most one of each of these attributes is associated with each subject. Each attribute associated with authentication included within a single <Subject> element relates to the same authentication event.
This identifier indicates the name of the subject. The default format is http://www.w3.org/2001/XMLSchema#string. To indicate other formats, use the DataType attributes listed in B.4.
urn:oasis:names:tc:xacml:1.0:subject:subject-id
This identifier indicates the subject category. "access-subject" is the default.
urn:oasis:names:tc:xacml:1.0:subject-category
This identifier indicates the security domain of the subject. It identifies the administrator and policy that manages the name-space in which the subject id is administered.
urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier
This identifier indicates a public key used to confirm the subject's identity.
urn:oasis:names:tc:xacml:1.0:subject:key-info
This identifier indicates the time at which the subject was authenticated.
urn:oasis:names:tc:xacml:1.0:subject:authentication-time
This identifier indicates the method used to authenticate the subject.
urn:oasis:names:tc:xacml:1.0:subject:authentication-method
This identifier indicates the time at which the subject initiated the access request, according to the PEP.
urn:oasis:names:tc:xacml:1.0:subject:request-time
This identifier indicates the time at which the subject's current session began, according to the PEP.
urn:oasis:names:tc:xacml:1.0:subject:session-start-time
The following identifiers indicate the location where authentication credentials were activated. They are intended to support the corresponding entities from the SAML authentication statement.
This identifier indicates that the location is expressed as an IP address.
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address
This identifier indicates that the location is expressed as a DNS name.
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name
Where a suitable attribute is already defined in LDAP [LDAP-1, LDAP-2], the XACML identifier SHALL be formed by adding the attribute name to the URI of the LDAP specification. For example, the attribute name for the userPassword defined in RFC 2256 SHALL be:
http://www.ietf.org/rfc/rfc2256.txt#userPassword
B.6 Resource attributes
These identifiers indicate attributes of the resource. When used, they SHALL appear within the <Resource> element of the request context. They SHALL be accessed via a <ResourceAttributeDesignator> or an <AttributeSelector> element pointing into the <Resource> element of the request context.
This identifier indicates the entire URI of the resource.
urn:oasis:names:tc:xacml:1.0:resource:resource-id
A resource attribute used to indicate values extracted from the resource.
urn:oasis:names:tc:xacml:1.0:resource:resource-content
This identifier indicates the last (rightmost) component of the file name. For example, if the URI is "file://home/my/status.pointer", the simple-file-name is "status".
urn:oasis:names:tc:xacml:1.0:resource:simple-file-name
This identifier indicates that the resource is specified by an XPath expression.
urn:oasis:names:tc:xacml:1.0:resource:xpath
This identifier indicates a UNIX file-system path.
urn:oasis:names:tc:xacml:1.0:resource:ufs-path
This identifier indicates the scope of the resource, as described in Section 7.8.
urn:oasis:names:tc:xacml:1.0:resource:scope
The allowed value for this attribute is of data-type http://www.w3.org/2001/XMLSchema#string and is either "Immediate", "Children" or "Descendants".
B.7 Action attributes
These identifiers indicate attributes of the action being requested. When used, they SHALL appear within the <Action> element of the request context. They SHALL be accessed via an <ActionAttributeDesignator> or an <AttributeSelector> element pointing into the <Action> element of the request context.
urn:oasis:names:tc:xacml:1.0:action:action-id
Action namespace.
urn:oasis:names:tc:xacml:1.0:action:action-namespace
Implied action. This is the value of the action-id attribute when the action is implied.
urn:oasis:names:tc:xacml:1.0:action:implied-action
B.8 Environment attributes
These identifiers indicate attributes of the environment within which the decision request is to be evaluated. When used in the decision request, they SHALL appear in the <Environment> element of the request context. They SHALL be accessed via an <EnvironmentAttributeDesignator> or an <AttributeSelector> element pointing into the <Environment> element of the request context.
This identifier indicates the current time at the PDP. In practice, it is the time at which the request context was created.
urn:oasis:names:tc:xacml:1.0:environment:current-time
urn:oasis:names:tc:xacml:1.0:environment:current-date
urn:oasis:names:tc:xacml:1.0:environment:current-dateTime
B.9 Status codes
The following status code identifiers are defined.
This identifier indicates success.
urn:oasis:names:tc:xacml:1.0:status:ok
This identifier indicates that attributes necessary to make a policy decision were not available.
urn:oasis:names:tc:xacml:1.0:status:missing-attribute
This identifier indicates that some attribute value contained a syntax error, such as a letter in a numeric field.
urn:oasis:names:tc:xacml:1.0:status:syntax-error
This identifier indicates that an error occurred during policy evaluation. An example would be division by zero.
urn:oasis:names:tc:xacml:1.0:status:processing-error
B.10 Combining algorithms
The deny-overrides rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides
The deny-overrides policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides
The permit-overrides rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides
The permit-overrides policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides
The first-applicable rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable
The first-applicable policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable
The only-one-applicable-policy policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable
The ordered-deny-overrides rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-deny-overrides
The ordered-deny-overrides policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-deny-overrides
The ordered-permit-overrides rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides
The ordered-permit-overrides policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides
Appendix C Combining algorithms (normative)
This section contains a description of the rule-combining and policy-combining algorithms specified by XACML.
C.1 Deny-overrides
The following specification defines the "Deny-overrides" rule-combining algorithm of a policy.
In the entire set of rules in the policy, if any rule evaluates to Deny, then the result of the rule combination SHALL be Deny. If any rule evaluates to Permit and all other rules evaluate to NotApplicable, then the result of the rule combination SHALL be Permit. In other words, Deny takes precedence, regardless of the result of evaluating any of the other rules in the combination. If all rules are found to be NotApplicable to the decision request, then the rule combination SHALL evaluate to NotApplicable.
If an error occurs while evaluating the target or condition of a rule that contains an effect value of Deny, then the evaluation SHALL continue to evaluate subsequent rules, looking for a result of Deny. If no other rule evaluates to Deny, then the combination SHALL evaluate to Indeterminate, with the appropriate error status.
If at least one rule evaluates to Permit, all other rules that do not have evaluation errors evaluate to Permit or NotApplicable, and all rules that do have evaluation errors contain effects of Permit, then the result of the combination SHALL be Permit.
The following pseudo-code represents the evaluation strategy of this rule-combining algorithm:
Decision denyOverridesRuleCombiningAlgorithm(Rule rule[]) {
    Boolean atLeastOneError = false;
    Boolean potentialDeny = false;
    Boolean atLeastOnePermit = false;
    for (i = 0; i < lengthOf(rule); i++) {
        Decision decision = evaluate(rule[i]);
        if (decision == Deny) {
            return Deny;
        }
        if (decision == Permit) {
            atLeastOnePermit = true;
            continue;
        }
        if (decision == NotApplicable) {
            continue;
        }
        if (decision == Indeterminate) {
            atLeastOneError = true;
            if (effect(rule[i]) == Deny) {
                potentialDeny = true;
            }
            continue;
        }
    }
    if (potentialDeny) {
        return Indeterminate;
    }
    if (atLeastOnePermit) {
        return Permit;
    }
    if (atLeastOneError) {
        return Indeterminate;
    }
    return NotApplicable;
}
The following specification defines the "Deny-overrides" policy-combining algorithm of a policy set.
In the entire set of policies in the policy set, if any policy evaluates to Deny, then the result of the policy combination SHALL be Deny. In other words, Deny takes precedence, regardless of the result of evaluating any of the other policies in the policy set. If all policies are found to be NotApplicable to the decision request, then the policy set SHALL evaluate to NotApplicable.
If an error occurs while evaluating the target of a policy, or a reference to a policy is considered invalid, or the policy evaluation results in Indeterminate, then the policy set SHALL evaluate to Deny.
The following pseudo-code represents the evaluation strategy of this policy-combining algorithm:
Decision denyOverridesPolicyCombiningAlgorithm(Policy policy[]) {
    Boolean atLeastOnePermit = false;
    for (i = 0; i < lengthOf(policy); i++) {
        Decision decision = evaluate(policy[i]);
        if (decision == Deny) {
            return Deny;
        }
        if (decision == Permit) {
            atLeastOnePermit = true;
            continue;
        }
        if (decision == NotApplicable) {
            continue;
        }
        if (decision == Indeterminate) {
            return Deny;
        }
    }
    if (atLeastOnePermit) {
        return Permit;
    }
    return NotApplicable;
}
Obligations of the individual policies shall be combined as described in Section 7.11.
C.2 Ordered-deny-overrides (non-normative)
The following specification defines the "Ordered-deny-overrides" rule-combining algorithm of a policy.
The behavior of this algorithm is identical to that of the Deny-overrides rule-combining algorithm, with one exception: the order in which the collection of rules is evaluated SHALL match the order as listed in the policy.
The following specification defines the "Ordered-deny-overrides" policy-combining algorithm of a policy set.
The behavior of this algorithm is identical to that of the Deny-overrides policy-combining algorithm, with one exception: the order in which the collection of policies is evaluated SHALL match the order as listed in the policy set.
C.3 Permit-overrides
The following specification defines the "Permit-overrides" rule-combining algorithm of a policy.
In the entire set of rules in the policy, if any rule evaluates to Permit, then the result of the rule combination SHALL be Permit. If any rule evaluates to Deny and all other rules evaluate to NotApplicable, then the policy SHALL evaluate to Deny. In other words, Permit takes precedence, regardless of the result of evaluating any of the other rules in the policy. If all rules are found to be NotApplicable to the decision request, then the policy SHALL evaluate to NotApplicable.
If an error occurs while evaluating the target or condition of a rule that contains an effect of Permit, then the evaluation SHALL continue, looking for a result of Permit. If no other rule evaluates to Permit, then the policy SHALL evaluate to Indeterminate, with the appropriate error status.
If at least one rule evaluates to Deny, all other rules that do not have evaluation errors evaluate to Deny or NotApplicable, and all rules that do have evaluation errors contain an effect value of Deny, then the policy SHALL evaluate to Deny.
The following pseudo-code represents the evaluation strategy of this rule-combining algorithm:
Decision permitOverridesRuleCombiningAlgorithm(Rule rule[]) {
    Boolean atLeastOneError = false;
    Boolean potentialPermit = false;
    Boolean atLeastOneDeny = false;
    for (i = 0; i < lengthOf(rule); i++) {
        Decision decision = evaluate(rule[i]);
        if (decision == Deny) {
            atLeastOneDeny = true;
            continue;
        }
        if (decision == Permit) {
            return Permit;
        }
        if (decision == NotApplicable) {
            continue;
        }
        if (decision == Indeterminate) {
            atLeastOneError = true;
            if (effect(rule[i]) == Permit) {
                potentialPermit = true;
            }
            continue;
        }
    }
    if (potentialPermit) {
        return Indeterminate;
    }
    if (atLeastOneDeny) {
        return Deny;
    }
    if (atLeastOneError) {
        return Indeterminate;
    }
    return NotApplicable;
}
The following specification defines the "Permit-overrides" policy-combining algorithm of a policy set.
In the entire set of policies in the policy set, if any policy evaluates to Permit, then the result of the policy combination SHALL be Permit. In other words, Permit takes precedence, regardless of the result of evaluating any of the other policies in the policy set. If all policies are found to be NotApplicable to the decision request, then the policy set SHALL evaluate to NotApplicable.
If an error occurs while evaluating the target of a policy, a reference to a policy is considered invalid, or the policy evaluation results in Indeterminate, then the policy set SHALL evaluate to Indeterminate with the appropriate error status, provided no other policies evaluate to Permit or Deny.
The following pseudo-code represents the evaluation strategy of this policy-combining algorithm:
Decision permitOverridesPolicyCombiningAlgorithm(Policy policy[]) {
    Boolean atLeastOneError = false;
    Boolean atLeastOneDeny = false;
    for (i = 0; i < lengthOf(policy); i++) {
        Decision decision = evaluate(policy[i]);
        if (decision == Deny) {
            atLeastOneDeny = true;
            continue;
        }
        if (decision == Permit) {
            return Permit;
        }
        if (decision == NotApplicable) {
            continue;
        }
        if (decision == Indeterminate) {
            atLeastOneError = true;
            continue;
        }
    }
    if (atLeastOneDeny) {
        return Deny;
    }
    if (atLeastOneError) {
        return Indeterminate;
    }
    return NotApplicable;
}
Obligations of the individual policies shall be combined as described in Section 7.11.
C.4 Ordered-permit-overrides (non-normative)
The following specification defines the "Ordered-permit-overrides" rule-combining algorithm of a policy.
The behavior of this algorithm is identical to that of the Permit-overrides rule-combining algorithm, with one exception: the order in which the collection of rules is evaluated SHALL match the order as listed in the policy.
The following specification defines the "Ordered-permit-overrides" policy-combining algorithm of a policy set.
The behavior of this algorithm is identical to that of the Permit-overrides policy-combining algorithm, with one exception: the order in which the collection of policies is evaluated SHALL match the order as listed in the policy set.
C.5 First-applicable
The following specification defines the "First-applicable" rule-combining algorithm of a policy.
Each rule SHALL be evaluated in the order in which it is listed in the policy. For a particular rule, if the target matches and the condition evaluates to True, then the evaluation of the policy SHALL halt and the corresponding effect of the rule SHALL be the result of the evaluation of the policy (i.e. Permit or Deny). For a particular rule selected in the evaluation, if the target evaluates to False or the condition evaluates to False, then the next rule in the order SHALL be evaluated. If no further rule in the order exists, then the policy SHALL evaluate to NotApplicable.
If an error occurs while evaluating the target or condition of a rule, then the evaluation SHALL halt and the policy shall evaluate to Indeterminate, with the appropriate error status.
The following pseudo-code represents the evaluation strategy of this rule-combining algorithm:
Decision firstApplicableEffectRuleCombiningAlgorithm(Rule rule[]) {
    for (i = 0; i < lengthOf(rule); i++) {
        Decision decision = evaluate(rule[i]);
        if (decision == Deny) {
            return Deny;
        }
        if (decision == Permit) {
            return Permit;
        }
        if (decision == NotApplicable) {
            continue;
        }
        if (decision == Indeterminate) {
            return Indeterminate;
        }
    }
    return NotApplicable;
}
The following specification defines the "First-applicable" policy-combining algorithm of a policy set.
Each policy is evaluated in the order in which it appears in the policy set. For a particular policy, if the target evaluates to True and the policy evaluates to a determinate value of Permit or Deny, then the evaluation SHALL halt and the policy set SHALL evaluate to the effect value of that policy. For a particular policy, if the target evaluates to False or the policy evaluates to NotApplicable, then the next policy in the order SHALL be evaluated. If no further policy exists in the order, then the policy set SHALL evaluate to NotApplicable.
If an error were to occur when evaluating the target or when evaluating a specific policy, the reference to the policy is considered invalid, or the policy itself evaluates to Indeterminate, then the evaluation of the policy-combining algorithm shall halt and the policy set shall evaluate to Indeterminate, with an appropriate error status.
The following pseudo-code represents the evaluation strategy of this policy-combining algorithm:
Decision firstApplicableEffectPolicyCombiningAlgorithm(Policy policy[]) {
    for (i = 0; i < lengthOf(policy); i++) {
        Decision decision = evaluate(policy[i]);
        if (decision == Deny) {
            return Deny;
        }
        if (decision == Permit) {
            return Permit;
        }
        if (decision == NotApplicable) {
            continue;
        }
        if (decision == Indeterminate) {
            return Indeterminate;
        }
    }
    return NotApplicable;
}
Obligations of the individual policies shall be combined as described in Section 7.11.
C.6 Only-one-applicable
The following specification defines the "Only-one-applicable" policy-combining algorithm of a policy set.
In the entire set of policies in the policy set, if no policy is considered applicable by virtue of its target, then the result of the policy-combining algorithm SHALL be NotApplicable. If more than one policy is considered applicable by virtue of its target, then the result of the policy-combining algorithm SHALL be Indeterminate.
If only one policy is considered applicable by evaluation of the policy targets, then the result of the policy-combining algorithm SHALL be the result of evaluating the policy.
If an error occurs while evaluating the target of a policy, or a reference to a policy is considered invalid, or the policy evaluation results in Indeterminate, then the policy set SHALL evaluate to Indeterminate with the appropriate error status.
The following pseudo-code represents the evaluation strategy of this policy-combining algorithm:
Decision onlyOneApplicablePolicyPolicyCombiningAlgorithm(Policy policy[]) {
    Boolean atLeastOne = false;
    Policy selectedPolicy = null;
    ApplicableResult appResult;
    for (i = 0; i < lengthOf(policy); i++) {
        appResult = isApplicable(policy[i]);
        if (appResult == Indeterminate) {
            return Indeterminate;
        }
        if (appResult == Applicable) {
            if (atLeastOne) {
                return Indeterminate;
            } else {
                atLeastOne = true;
                selectedPolicy = policy[i];
            }
        }
        if (appResult == NotApplicable) {
            continue;
        }
    }
    if (atLeastOne) {
        return evaluate(selectedPolicy);
    } else {
        return NotApplicable;
    }
}
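The algorithms of Sections C.1 through C.6 in one runnable form, as an added example that is not the specification's pseudo-code. Rule and Policy are constructed stand-ins: a rule is reduced to its effect and whether its target and condition held (None standing for an evaluation error), and a policy to its target outcome, its rules and a rule-combining function; every name is this example's own. The two ordered variants (C.2 and C.4) need no separate code here because a Python list is evaluated in the order its elements are listed.

```python
"""XACML 1.1 Appendix C combining algorithms (added example, not the spec's pseudo-code).
Rule and Policy are constructed stand-ins for the evaluation results the algorithms consume."""
from dataclasses import dataclass
from typing import Callable, List, Optional

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

@dataclass
class Rule:
    effect: str              # Permit or Deny
    applies: Optional[bool]  # True: target and condition hold; False: not; None: error

    def evaluate(self) -> str:
        if self.applies is None:
            return INDETERMINATE
        return self.effect if self.applies else NOT_APPLICABLE

@dataclass
class Policy:
    rules: List[Rule]
    combine: Callable[[List[Rule]], str]
    target_applies: Optional[bool] = True  # None: error while evaluating the target

    def is_applicable(self) -> str:  # isApplicable() of the C.6 pseudo-code
        if self.target_applies is None:
            return INDETERMINATE
        return "Applicable" if self.target_applies else NOT_APPLICABLE

    def evaluate(self) -> str:
        if self.target_applies is None:
            return INDETERMINATE
        return self.combine(self.rules) if self.target_applies else NOT_APPLICABLE

def _overrides_rules(rules: List[Rule], winner: str, loser: str) -> str:
    # Shared body of C.1 and C.3 rule-combining: `winner` is the overriding effect.
    error = potential_winner = saw_loser = False
    for rule in rules:
        decision = rule.evaluate()
        if decision == winner:
            return winner
        if decision == loser:
            saw_loser = True
        elif decision == INDETERMINATE:
            error = True
            if rule.effect == winner:  # the failed rule might have produced `winner`
                potential_winner = True
    if potential_winner:
        return INDETERMINATE
    if saw_loser:
        return loser
    return INDETERMINATE if error else NOT_APPLICABLE

def deny_overrides_rules(rules: List[Rule]) -> str:    # C.1
    return _overrides_rules(rules, DENY, PERMIT)

def permit_overrides_rules(rules: List[Rule]) -> str:  # C.3
    return _overrides_rules(rules, PERMIT, DENY)

def deny_overrides_policies(policies: List[Policy]) -> str:  # C.1, policy-combining
    permit = False
    for policy in policies:
        decision = policy.evaluate()
        if decision in (DENY, INDETERMINATE):  # an Indeterminate policy yields Deny
            return DENY
        if decision == PERMIT:
            permit = True
    return PERMIT if permit else NOT_APPLICABLE

def permit_overrides_policies(policies: List[Policy]) -> str:  # C.3, policy-combining
    error = deny = False
    for policy in policies:
        decision = policy.evaluate()
        if decision == PERMIT:
            return PERMIT
        if decision == DENY:
            deny = True
        elif decision == INDETERMINATE:
            error = True
    if deny:
        return DENY
    return INDETERMINATE if error else NOT_APPLICABLE

def first_applicable(items) -> str:  # C.5, the same loop for rules and for policies
    for item in items:
        decision = item.evaluate()
        if decision != NOT_APPLICABLE:  # Permit, Deny or Indeterminate halts evaluation
            return decision
    return NOT_APPLICABLE

def only_one_applicable(policies: List[Policy]) -> str:  # C.6, policy-combining
    selected = None
    for policy in policies:
        applicable = policy.is_applicable()
        if applicable == INDETERMINATE:
            return INDETERMINATE
        if applicable == "Applicable":
            if selected is not None:  # a second applicable policy: Indeterminate
                return INDETERMINATE
            selected = policy
    return selected.evaluate() if selected is not None else NOT_APPLICABLE
```

One asymmetry worth verifying against a deployed PDP: under deny-overrides an Indeterminate policy in a policy set becomes Deny outright, whereas under permit-overrides it becomes Indeterminate only when no other policy permits or denies, so what the enforcement point does with an Indeterminate response decides whether an evaluation error fails closed.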
Appendix D Acknowledgments
The following individuals contributed to the development of the specification:
Anne Anderson, Bill Parducci, Carlisle Adams, Daniel Engovatov, Don Flinn, Ernesto Damiani, Gerald Brose, Hal Lockhart, James MacLean, John Merrells, Ken Yagen, Konstantin Beznosov, Michiharu Kudo, Pierangela Samarati, Pirasenna Velandai Thiyagarajan, Polar Humenn, Satoshi Hada, Sekhar Vajjhala, Seth Proctor, Simon Godik, Steve Anderson, Steve Crocker, Suresh Damodaran, Tim Moses.
Appendix E Revision history
Rev       Date         By whom                     What
OS V1.0   18 Feb 2003  XACML Technical Committee   OASIS Standard
Appendix F Notices
OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification, can be obtained from the OASIS Executive Director.
OASIS has been notified of intellectual property rights claimed in regard to some or all of the contents of this specification. For more information, consult the online list of claimed rights.
OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director.
Copyright (C) OASIS Open 2003. All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Table of contents
1 Introduction (non-normative) ... 10
1.1 Glossary ... 10
1.1.1 Preferred terms ... 10
1.1.2 Related terms ... 11
1.2 Notation ... 12
1.3 Schema organization and namespaces ... 12
2 Background (non-normative) ... 13
2.1 Requirements ... 13
2.2 Rule and policy combining ... 14
2.3 Combining algorithms ... 14
2.4 Multiple subjects ... 15
2.5 Policies based on subject and resource attributes ... 15
2.6 Multi-valued attributes ... 15
2.7 Policies based on resource contents ... 16
2.8 Operators ... 16
2.9 Policy distribution ... 17
2.10 Policy indexing ... 17
2.11 Abstraction layer ... 17
2.12 Actions performed in conjunction with enforcement ... 18
3 Models (non-normative) ... 18
3.1 Data-flow model ... 18
3.2 XACML context ... 20
3.3 Policy language model ... 20
3.3.1 Rule ... 21
3.3.2 Policy ... 23
3.3.3 Policy set ... 24
4 Examples (non-normative) ... 25
4.1 Example one ... 25
4.1.1 Example policy ... 25
4.1.2 Example request context ... 27
4.1.3 Example response context ... 28
4.2 Example two ... 28
4.2.1 Example medical record instance ... 29
4.2.2 Example request context ... 30
4.2.3 Example plain-language rules ... 32
4.2.4 Example XACML rule instances ... 32
5 Policy syntax (normative, with the exception of the schema fragments) ... 46
5.1 Element <PolicySet> ... 46
5.2 Element <Description> ... 47
5.3 Element <PolicySetDefaults> ... 47
5.4 Element <XPathVersion> ... 48
5.5 Element <Target> ... 48
5.6 Element <Subjects> ... 49
5.7 Element <Subject> ... 49
5.8 Element <AnySubject> ... 49
5.9 Element <SubjectMatch> ... 49
5.10 Element <Resources> ... 50
5.11 Element <Resource> ... 50
5.12 Element <AnyResource> ... 51
5.13 Element <ResourceMatch> ... 51
5.14 Element <Actions> ... 52
5.15 Element <Action> ... 52
5.16 Element <AnyAction> ... 52
5.17 Element <ActionMatch> ... 52
5.18 Element <PolicySetIdReference> ... 53
5.19 Element <PolicyIdReference> ... 53
5.20 Element <Policy> ... 53
5.21 Element <PolicyDefaults> ... 55
5.22 Element <Rule> ... 55
5.23 Simple type EffectType ... 56
5.24 Element <Condition> ... 56
5.25 Element <Apply> ... 56
5.26 Element <Function> ... 57
5.27 Complex type AttributeDesignatorType ... 57
5.28 Element <SubjectAttributeDesignator> ... 58
5.29 Element <ResourceAttributeDesignator> ... 59
5.30 Element <ActionAttributeDesignator> ... 60
5.31 Element <EnvironmentAttributeDesignator> ... 60
5.32 Element <AttributeSelector> ... 61
5.33 Element <AttributeValue> ... 62
5.34 Element <Obligations> ... 63
5.35 Element <Obligation> ... 63
5.36 Element <AttributeAssignment> ... 64
6 Context syntax (normative, with the exception of the schema fragments) ... 64
6.1 Element <Request> ... 64
6.2 Element <Subject> ... 65
6.3 Element <Resource> ... 66
6.4 Element <ResourceContent> ... 66
6.5 Element <Action> ... 67
6.6 Element <Environment> ... 67
6.7 Element <Attribute> ... 67
6.8 Element <AttributeValue> ... 68
6.9 Element <Response> ... 68
6.10 Element <Result> ... 69
6.11 Element <Decision> ... 70
6.12 Element <Status> ... 70
6.13 Element <StatusCode> ... 71
6.14 Element <StatusMessage> ... 71
6.15 Element <StatusDetail> ... 71
7 Functional requirements (normative) ... 72
7.1 Policy enforcement point ... 72
7.2 Base policy ... 72
7.3 Target evaluation ... 73
7.4 Condition evaluation ... 73
7.5 Rule evaluation ... 73
7.6 Policy evaluation ... 73
7.7 Policy Set evaluation ... 74
7.8 Hierarchical resources ... 75
7.9 Attributes ... 76
7.9.1 Attribute Matching ... 76
7.9.2 Attribute Retrieval ... 76
7.9.3 Environment Attributes ... 77
7.10 Authorization decision ... 77
7.11 Obligations ... 77
7.12 Unsupported functionality ... 78
7.13 Syntax and type errors ... 78
8 XACML extensibility points (non-normative) ... 78
8.1 Extensible XML attribute types ... 78
8.2 Structured attributes ... 79
9 Security and privacy considerations (non-normative) ... 79
9.1 Threat model ... 79
9.1.1 Unauthorized disclosure ... 80
9.1.2 Message replay ... 80
9.1.3 Message insertion ... 80
9.1.4 Message deletion ... 80
9.1.5 Message modification ... 80
9.1.6 NotApplicable results ... 81
9.1.7 Negative rules ... 81
9.2 Safeguards ... 82
9.2.1 Authentication ... 82
9.2.2 Policy administration ... 82
9.2.3 Confidentiality ... 82
9.2.4 Policy integrity ... 83
9.2.5 Policy identifiers ... 83
9.2.6 Trust model ... 84
9.2.7 Privacy ... 84
10 Conformance (normative) ... 84
10.1 Introduction ... 84
10.2 Conformance tables ... 84
10.2.1 Schema elements ... 85
10.2.2 Identifier Prefixes ... 86
10.2.3 Algorithms ... 86
10.2.4 Status Codes ... 86
10.2.5 Attributes ... 87
10.2.6 Identifiers ... 87
10.2.7 Data-types ... 87
10.2.8 Functions ... 88
11 References ... 92
Appendix A Standard data-types, functions and their semantics (normative) ... 94
A.1 Introduction ... 94
A.2 Primitive types ... 94
A.3 Structured types ... 95
A.4 Representations ... 95
A.5 Bags ... 96
A.6 Expressions ... 96
A.7 Element <AttributeValue> ... 97
A.8 Elements <AttributeDesignator> and <AttributeSelector> ... 97
A.9 Element <Apply> ... 97
A.10 Element <Condition> ... 97
A.11 Element <Function> ... 98
A.12 Matching elements ... 98
A.13 Arithmetic evaluation ... 99
A.14 XACML standard functions ... 100
A.14.1 Equality predicates ... 100
A.14.2 Arithmetic functions ... 102
A.14.3 String conversion functions ... 103
A.14.4 Numeric data-type conversion functions ... 103
A.14.5 Logical functions ... 103
A.14.6 Arithmetic comparison functions ... 104
A.14.7 Date and time arithmetic functions ... 105
A.14.8 Non-numeric comparison functions ... 106
A.14.9 Bag functions ... 108
A.14.10 Set functions ... 109
A.14.11 Higher-order bag functions ... 110
A.14.12 Special match functions ... 117
A.14.13 XPath-based functions ... 118
A.14.14 Extension functions and primitive types ... 118
Appendix B XACML identifiers (normative) ... 119
B.1 XACML namespaces ... 119
B.2 Access subject categories ... 119
B.3 XACML functions ... 119
B.4 Data-types ... 119
B.5 Subject attributes ... 120
B.6 Resource attributes ... 121
B.7 Action attributes ... 121
B.8 Environment attributes ... 122
B.9 Status codes ... 122
B.10 Combining algorithms ... 122
Appendix C Combining algorithms (normative) ... 124
C.1 Deny-overrides ... 124
C.2 Ordered-deny-overrides (non-normative) ... 126
C.3 Permit-overrides ... 126
C.4 Ordered-permit-overrides (non-normative) ... 128
C.5 First-applicable ... 128
C.6 Only-one-applicable ... 130
Appendix D Acknowledgments ... 132
Appendix E Revision history ... 133
Appendix F Notices ... 134
Errata
Errata can be found at the following location:
http://www.oasis-open.org/committees/xacml/repository/errata-001.pdf
1 Introduction (non-normative)
1.1 Glossary
1.1.1 Preferred terms
Access - Performing an action.
Access control - Controlling access in accordance with a policy.
Action - An operation on a resource.
Applicable policy - The set of policies and policy sets that governs access for a specific decision request.
Attribute - Characteristic of a subject, resource, action or environment that may be referenced in a predicate or target.
Authorization decision - The result of evaluating applicable policy, returned by the PDP to the PEP. A function that evaluates to "Permit", "Deny", "Indeterminate" or "NotApplicable", and (optionally) a set of obligations.
Bag - An unordered collection of values, in which there may be duplicate values.
Condition - An expression of predicates. A function that evaluates to "True", "False" or "Indeterminate".
Conjunctive sequence - A sequence of boolean elements combined using the logical 'AND' operation.
Context - The canonical representation of a decision request and an authorization decision.
Context handler - The system entity that converts decision requests in the native request format to the XACML canonical form and converts authorization decisions in the XACML canonical form to the native response format.
Decision - The result of evaluating a rule, policy or policy set.
Decision request - The request by a PEP to a PDP to render an authorization decision.
Disjunctive sequence - A sequence of boolean elements combined using the logical 'OR' operation.
Effect - The intended consequence of a satisfied rule (either "Permit" or "Deny").
Environment - The set of attributes that are relevant to an authorization decision and are independent of a particular subject, resource or action.
Obligation - An operation specified in a policy or policy set that should be performed in conjunction with the enforcement of an authorization decision.
Policy - A set of rules, an identifier for the rule-combining algorithm and (optionally) a set of obligations. May be a component of a policy set.
Policy administration point (PAP) - The system entity that creates a policy or policy set.
Policy-combining algorithm - The procedure for combining the decision and obligations from multiple policies.
Policy decision point (PDP) - The system entity that evaluates applicable policy and renders an authorization decision.
Policy enforcement point (PEP) - The system entity that performs access control, by making decision requests and enforcing authorization decisions.
Policy information point (PIP) - The system entity that acts as a source of attribute values.
Policy set - A set of policies, other policy sets, a policy-combining algorithm and (optionally) a set of obligations. May be a component of another policy set.
Predicate - A statement about attributes whose truth can be evaluated.
Resource - Data, service or system component.
Rule - A target, an effect and a condition. A component of a policy.
Rule-combining algorithm - The procedure for combining decisions from multiple rules.
Subject - An actor whose attributes may be referenced by a predicate.
Target - The set of decision requests, identified by definitions for resource, subject and action, that a rule, policy or policy set is intended to evaluate.
Type Unification - The method by which two type expressions are "unified". The type expressions are matched along their structure. Where a type variable appears in one expression, it is then "unified" to represent the corresponding structure element of the other expression, be it another variable or subexpression. All variable assignments must remain consistent in both structures. Unification fails if the two expressions cannot be aligned, either by having dissimilar structure, or by having instance conflicts, such as a variable needing to represent both "xs:string" and "xs:integer". For a full explanation of type unification, please see [Hancock].
1.1.2 Related terms
In the field of access control and authorization there are several closely related terms in common use. For purposes of precision and clarity, certain of these terms are not used in this specification.
For instance, the term attribute is used in place of the terms group and role.
In place of the terms privilege, permission, authorization, entitlement and right, we use the term rule.
The term object is also in common use, but we use the term resource in this specification.
Requestors and initiators are covered by the term subject.
1.2 Notation
This specification contains schema conforming to W3C XML Schema and normative text to describe the syntax and semantics of XML-encoded policy statements.
The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY and OPTIONAL in this specification are to be interpreted as described in IETF RFC 2119 [RFC2119]:
"they MUST only be used where it is actually required for interoperation or to limit behavior which has potential for causing harm (e.g., limiting retransmissions)"
These keywords are thus capitalized when used to unambiguously specify requirements over protocol and application features and behavior that affect the interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense.
Listings of XACML schemas appear like this.
Example code listings appear like this.
Conventional XML namespace prefixes are used throughout the listings in this specification to stand for their respective namespaces as follows, whether or not a namespace declaration is present in the example:
The prefix xacml: stands for the XACML policy namespace.
The prefix xacml-context: stands for the XACML context namespace.
The prefix ds: stands for the W3C XML Signature namespace [DS].
The prefix xs: stands for the W3C XML Schema namespace [XS].
The prefix xf: stands for the XQuery 1.0 and XPath 2.0 Function and Operators specification namespace [XF].
This specification uses the following typographical conventions in text: <XACMLElement>, <ns:ForeignElement>, Attribute, Datatype, OtherCode. Terms in italic bold-face are intended to have the meaning defined in the Glossary.
1.3 Schema organization and namespaces
The XACML policy syntax is defined in a schema associated with the following XML namespace:
urn:oasis:names:tc:xacml:1.0:policy
The XACML context syntax is defined in a schema associated with the following XML namespace:
urn:oasis:names:tc:xacml:1.0:context
The XML Signature [DS] is imported into the XACML schema and is associated with the following XML namespace:
http://www.w3.org/2000/09/xmldsig#
2 Background (non-normative)
The economics of scale have driven computing platform vendors to develop products with very generalized functionality, so that they can be used in the widest possible range of situations. Out of the box, these products have the maximum possible privilege for accessing data and executing software, so that they can be used in as many application environments as possible, including those with the most permissive security policies. In the more common case of a relatively restrictive security policy, the platform's inherent privileges must be constrained by configuration.
The security policy of a large enterprise has many elements and many points of enforcement. Elements of policy may be managed by the Information Systems department, by Human Resources, by the Legal department and by the Finance department. And the policy may be enforced by the extranet, mail, WAN and remote-access systems; platforms which inherently implement a permissive security policy. The current practice is to manage the configuration of each point of enforcement independently in order to implement the security policy as accurately as possible. Consequently, it is an expensive and unreliable proposition to modify the security policy. And, it is virtually impossible to obtain a consolidated view of the safeguards in effect throughout the enterprise to enforce the policy. At the same time, there is increasing pressure on corporate and government executives from consumers, shareholders and regulators to demonstrate "best practice" in the protection of the information assets of the enterprise and its customers.
For these reasons, there is a pressing need for a common language for expressing security policy. If implemented throughout an enterprise, a common policy language allows the enterprise to manage the enforcement of all the elements of its security policy in all the components of its information systems. Managing security policy may include some or all of the following steps: writing, reviewing, testing, approving, issuing, combining, analyzing, modifying, withdrawing, retrieving and enforcing policy.
XML is a natural choice as the basis for the common security-policy language, due to the ease with which its syntax and semantics can be extended to accommodate the unique requirements of this application, and the widespread support that it enjoys from all the main platform and tool vendors.
2.1 Requirements
The basic requirements of a policy language for expressing information system security policy are:
- To provide a method for combining individual rules and policies into a single policy set that applies to a particular decision request.
- To provide a method for flexible definition of the procedure by which rules and policies are combined.
- To provide a method for dealing with multiple subjects acting in different capacities.
- To provide a method for basing an authorization decision on attributes of the subject and resource.
- To provide a method for dealing with multi-valued attributes.
- To provide a method for basing an authorization decision on the contents of an information resource.
- To provide a set of logical and mathematical operators on attributes of the subject, resource and environment.
- To provide a method for handling a distributed set of policy components, while abstracting the method for locating, retrieving and authenticating the policy components.
- To provide a method for rapidly identifying the policy that applies to a given action, based upon the values of attributes of the subjects, resource and action.
- To provide an abstraction-layer that insulates the policy-writer from the details of the application environment.
- To provide a method for specifying a set of actions that must be performed in conjunction with policy enforcement.
The motivation behind XACML is to express these well-established ideas in the field of access-control policy using an extension language of XML. The XACML solutions for each of these requirements are discussed in the following sections.
2.2 Rule and policy combining
The complete policy applicable to a particular decision request may be composed of a number of individual rules or policies. For instance, in a personal privacy application, the owner of the personal information may define certain aspects of disclosure policy, whereas the enterprise that is the custodian of the information may define certain other aspects. In order to render an authorization decision, it must be possible to combine the two separate policies to form the single policy applicable to the request.
XACML defines three top-level policy elements: <Rule>, <Policy> and <PolicySet>. The <Rule> element contains a boolean expression that can be evaluated in isolation, but that is not intended to be accessed in isolation by a PDP. So, it is not intended to form the basis of an authorization decision by itself. It is intended to exist in isolation only within an XACML PAP, where it may form the basic unit of management, and be re-used in multiple policies.
The <Policy> element contains a set of <Rule> elements and a specified procedure for combining the results of their evaluation. It is the basic unit of policy used by the PDP, and so it is intended to form the basis of an authorization decision.
The <PolicySet> element contains a set of <Policy> or other <PolicySet> elements and a specified procedure for combining the results of their evaluation. It is the standard means for combining separate policies into a single combined policy.
Hinton et al. [Hinton94] discuss the question of the compatibility of separate policies applicable to the same decision request.
2.3 Combining algorithms
XACML defines a number of combining algorithms that can be identified by a RuleCombiningAlgId or PolicyCombiningAlgId attribute of the <Policy> or <PolicySet> elements, respectively. The rule-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluation of a set of rules. Similarly, the policy-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluation of a set of policies. Standard combining algorithms are defined for:
- Deny-overrides (Ordered and Unordered),
- Permit-overrides (Ordered and Unordered),
- First-applicable and
- Only-one-applicable.
In the first case, if a single <Rule> or <Policy> element is encountered that evaluates to "Deny", then, regardless of the evaluation result of the other <Rule> or <Policy> elements in the applicable policy, the combined result is "Deny". Likewise, in the second case, if a single "Permit" result is encountered, then the combined result is "Permit". In the case of the "First-applicable" combining algorithm, the combined result is the same as the result of evaluating the first <Rule>, <Policy> or <PolicySet> element in the list of rules whose target is applicable to the decision request. The "Only-one-applicable" policy-combining algorithm only applies to policies. The result of this combining algorithm ensures that one and only one policy or policy set is applicable by virtue of their targets. If no policy or policy set applies, then the result is "NotApplicable", but if more than one policy or policy set is applicable, then the result is "Indeterminate". When exactly one policy or policy set is applicable, the result of the combining algorithm is the result of evaluating the single applicable policy or policy set.
Users of this specification may, if necessary, define their own combining algorithms.
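The four standard algorithms above, run side by side over the privacy scenario of Section 2.2, as an added example that is not code from the specification or from any XACML product. The policy identifiers are constructed, and the treatment of "Indeterminate" results (which this section does not spell out) follows my reading of Appendix C and is an assumption here.

```python
"""Added example (not from the XACML specification or any XACML product): the four
standard combining algorithms of section 2.3, applied to a list of policy results."""
from dataclasses import dataclass
from typing import Dict, List, Optional

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"


@dataclass
class PolicyResult:
    """A policy or policy set reduced to what a combining algorithm needs."""
    policy_id: str
    target_matches: Optional[bool]  # None models a target that evaluated to Indeterminate
    decision: str                   # what the policy yields when its target matches


def evaluate(p: PolicyResult) -> str:
    """Target check first (section 2.10): a non-matching target gives NotApplicable."""
    if p.target_matches is None:
        return INDETERMINATE
    return p.decision if p.target_matches else NOT_APPLICABLE


def deny_overrides(policies: List[PolicyResult]) -> str:
    """A single Deny wins. An Indeterminate policy is also taken as Deny, so that an
    evaluation error can never widen access (policy-level behaviour, assumed from Appendix C.1)."""
    at_least_one_permit = False
    for p in policies:
        d = evaluate(p)
        if d in (DENY, INDETERMINATE):
            return DENY
        at_least_one_permit |= d == PERMIT
    return PERMIT if at_least_one_permit else NOT_APPLICABLE


def permit_overrides(policies: List[PolicyResult]) -> str:
    """A single Permit wins; otherwise Deny beats Indeterminate beats NotApplicable."""
    at_least_one_deny = at_least_one_error = False
    for p in policies:
        d = evaluate(p)
        if d == PERMIT:
            return PERMIT
        at_least_one_deny |= d == DENY
        at_least_one_error |= d == INDETERMINATE
    if at_least_one_deny:
        return DENY
    return INDETERMINATE if at_least_one_error else NOT_APPLICABLE


def first_applicable(policies: List[PolicyResult]) -> str:
    """The result of the first policy whose target applies, in list order."""
    for p in policies:
        d = evaluate(p)
        if d != NOT_APPLICABLE:
            return d
    return NOT_APPLICABLE


def only_one_applicable(policies: List[PolicyResult]) -> str:
    """Exactly one target must match: none gives NotApplicable, more than one (or a
    target that cannot be evaluated) gives Indeterminate, as section 2.3 describes."""
    applicable = []
    for p in policies:
        if p.target_matches is None:
            return INDETERMINATE
        if p.target_matches:
            applicable.append(p)
    if len(applicable) == 1:
        return applicable[0].decision
    return NOT_APPLICABLE if not applicable else INDETERMINATE


ALGORITHMS = {
    "deny-overrides": deny_overrides,
    "permit-overrides": permit_overrides,
    "first-applicable": first_applicable,
    "only-one-applicable": only_one_applicable,
}


def combine_all(policies: List[PolicyResult]) -> Dict[str, str]:
    """Run every algorithm over the same policy results, to compare their outcomes."""
    return {name: alg(policies) for name, alg in ALGORITHMS.items()}


if __name__ == "__main__":
    # Constructed scenario from section 2.2: the data owner permits disclosure, the
    # custodian enterprise denies it, and an unrelated policy's target does not match.
    scenario = [
        PolicyResult("owner-privacy-policy", True, PERMIT),
        PolicyResult("custodian-policy", True, DENY),
        PolicyResult("payroll-policy", False, PERMIT),
    ]
    for name, result in combine_all(scenario).items():
        print(f"{name:>20}: {result}")
```

The same three policies give "Deny", "Permit", "Permit" and "Indeterminate" respectively, which is why the choice of algorithm is part of the policy and not left to the PDP.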
2.4 Multiple subjects
Access-control policies often place requirements on the actions of more than one subject. For instance, the policy governing the execution of a high-value financial transaction may require the approval of more than one individual, acting in different capacities. Therefore, XACML recognizes that there may be more than one subject relevant to a decision request. An attribute called "subject-category" is used to differentiate between subjects acting in different capacities. Some standard values for this attribute are specified, and users may define additional ones.
2.5 Policies based on subject and resource attributes
Another common requirement is to base an authorization decision on some characteristic of the subject other than its identity. Perhaps the most common application of this idea is the subject's role [RBAC]. XACML provides facilities to support this approach. Attributes of subjects may be identified by the <SubjectAttributeDesignator> element. This element contains a URN that identifies the attribute. Alternatively, the <AttributeSelector> element may contain an XPath expression over the request context to identify a particular subject attribute value by its location in the context (see Section 2.11 for an explanation of context). XACML provides a standard way to reference the attributes defined in the LDAP series of specifications [LDAP-1, LDAP-2]. This is intended to encourage implementers to use standard attribute identifiers for some common subject attributes.
Another common requirement is to base an authorization decision on some characteristic of the resource other than its identity. XACML provides facilities to support this approach. Attributes of the resource may be identified by the <ResourceAttributeDesignator> element. This element contains a URN that identifies the attribute. Alternatively, the <AttributeSelector> element may contain an XPath expression over the request context to identify a particular resource attribute value by its location in the context.
2.6 Multi-valued attributes
The most common techniques for communicating attributes (LDAP, XPath, SAML, etc.) support multiple values per attribute. Therefore, when an XACML PDP retrieves the value of a named attribute, the result may contain multiple values. A collection of such values is called a bag. A bag differs from a set in that it may contain duplicate values, whereas a set may not. Sometimes this situation represents an error. Sometimes the XACML rule is satisfied if any one of the attribute values meets the criteria expressed in the rule.
XACML provides a set of functions that allow a policy writer to be absolutely clear about how the PDP should handle the case of multiple attribute values. These are the "higher-order" functions.
2.7 Policies based on resource contents
In many applications, it is required to base an authorization decision on data contained in the information resource to which access is requested. For instance, a common component of privacy policy is that a person should be allowed to read records for which he or she is the subject. The corresponding policy must contain a reference to the subject identified in the information resource itself.
XACML provides facilities for doing this when the information resource can be represented as an XML document. The <AttributeSelector> element may contain an XPath expression over the request context to identify data in the information resource to be used in the policy evaluation.
In cases where the information resource is not an XML document, specified attributes of the resource can be referenced, as described in Section 2.4.
2.8 Operators
Information security policies operate upon attributes of subjects, the resource and the action to be performed on the resource in order to arrive at an authorization decision. In the process of arriving at the authorization decision, attributes of many different types may have to be compared or computed. For instance, in a financial application, a person's available credit may have to be calculated by adding their credit limit to their account balance. The result may then have to be compared with the transaction value. This sort of situation gives rise to the need for arithmetic operations on attributes of the subject (account balance and credit limit) and the resource (transaction value).
Even more commonly, a policy may identify the set of roles that are permitted to perform a particular action. The corresponding operation involves checking whether there is a non-empty intersection between the set of roles occupied by the subject and the set of roles identified in the policy. Hence the need for set operations.
XACML includes a number of built-in functions and a method of adding non-standard functions. These functions may be nested to build arbitrarily complex expressions. This is achieved with the <Apply> element. The <Apply> element has an XML attribute called FunctionId that identifies the function to be applied to the contents of the element. Each standard function is defined for specific argument data-type combinations, and its return data-type is also specified. Therefore, data-type consistency of the policy can be checked at the time the policy is written or parsed. And, the types of the data values presented in the request context can be checked against the values expected by the policy to ensure a predictable outcome.
In addition to operators on numerical and set arguments, operators are defined for date, time and duration arguments.
Relationship operators (equality and comparison) are also defined for a number of data-types, including the RFC822 and X.500 name-forms, strings, URIs, etc.
Also noteworthy are the operators over boolean data-types, which permit the logical combination of predicates in a rule. For example, a rule may contain the statement that access may be permitted during business hours AND from a terminal on business premises.
The XACML method of representing functions borrows from MathML [MathML] and from the XQuery 1.0 and XPath 2.0 Functions and Operators specification [XF].
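The credit-limit arithmetic of Section 2.8 and the bag handling of Section 2.6, carried through as an added example that is not code from the specification or from any XACML implementation: a small evaluator that dispatches on FunctionId, checks data-type consistency of the expression tree before any request is seen, and treats a non-singleton bag as an evaluation error. The function and data-type identifiers are the standard XACML 1.0 ones (a small subset only); the attribute identifiers under urn:example: and the request context are constructed for this example.

```python
"""Added example (not from the XACML specification or any XACML product): a small typed
evaluator for <Condition>/<Apply> trees with FunctionId dispatch, a static data-type
check, and bag handling, as described in sections 2.6 and 2.8."""
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:xacml:1.0:policy}"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
XS = "http://www.w3.org/2001/XMLSchema#"
STRING, INTEGER, BOOLEAN = XS + "string", XS + "integer", XS + "boolean"

class Indeterminate(Exception):
    """The expression cannot yield a value, e.g. a bag of the wrong size (section 2.6)."""

def one_and_only(values):
    # Designators return bags; this function makes anything but a singleton an error.
    if len(values) != 1:
        raise Indeterminate("expected exactly one value, got %d" % len(values))
    return values[0]

# FunctionId -> (argument data-types, return data-type, implementation). The "bag:"
# prefix marks a bag of the named type. Standard 1.0 identifiers, small subset only.
FUNCTIONS = {
    FN + "string-equal": ((STRING, STRING), BOOLEAN, lambda a, b: a == b),
    FN + "integer-add": ((INTEGER, INTEGER), INTEGER, lambda a, b: a + b),
    FN + "integer-greater-than-or-equal": ((INTEGER, INTEGER), BOOLEAN, lambda a, b: a >= b),
    FN + "integer-one-and-only": (("bag:" + INTEGER,), INTEGER, one_and_only),
    FN + "and": ((BOOLEAN, BOOLEAN), BOOLEAN, lambda a, b: a and b),
}
ANY_OF = FN + "any-of"  # higher-order function: any-of(function, value, bag) -> boolean
PARSE = {STRING: str, INTEGER: int, BOOLEAN: lambda s: s.strip() == "true"}

def type_of(node):
    """Static data-type check of an expression tree, done before any request is seen."""
    tag = node.tag.replace(NS, "")
    if tag == "AttributeValue":
        return node.get("DataType")
    if tag.endswith("AttributeDesignator"):
        return "bag:" + node.get("DataType")
    if tag not in ("Apply", "Condition"):
        raise TypeError("unsupported element " + tag)
    fid, args = node.get("FunctionId"), list(node)
    if fid == ANY_OF:
        fn_id, elem, bag = args[0].get("FunctionId"), type_of(args[1]), type_of(args[2])
        if not bag.startswith("bag:") or FUNCTIONS[fn_id][0] != (elem, bag[4:]):
            raise TypeError("any-of: %s cannot take (%s, %s)" % (fn_id, elem, bag))
        return BOOLEAN
    arg_types, ret_type, _ = FUNCTIONS[fid]
    actual = tuple(type_of(a) for a in args)
    if actual != arg_types:
        raise TypeError("%s expects %s, got %s" % (fid, arg_types, actual))
    return ret_type

def evaluate(node, context):
    """Evaluate against a request context {"subject"|"resource": {AttributeId: [values]}}."""
    tag = node.tag.replace(NS, "")
    if tag == "AttributeValue":
        return PARSE[node.get("DataType")](node.text)
    if tag.endswith("AttributeDesignator"):
        category = tag[: -len("AttributeDesignator")].lower()  # "subject" or "resource"
        return list(context.get(category, {}).get(node.get("AttributeId"), []))
    fid, args = node.get("FunctionId"), list(node)
    if fid == ANY_OF:
        impl = FUNCTIONS[args[0].get("FunctionId")][2]
        value, values = evaluate(args[1], context), evaluate(args[2], context)
        return any(impl(value, v) for v in values)
    return FUNCTIONS[fid][2](*(evaluate(a, context) for a in args))

# Constructed condition for the credit example of 2.8: the subject holds the "trader" role
# (a multi-valued attribute, hence any-of) and credit-limit + balance >= transaction value.
# The attribute identifiers under urn:example: are made up for this example.
CONDITION = ET.fromstring(f"""<Condition xmlns="urn:oasis:names:tc:xacml:1.0:policy" FunctionId="{FN}and">
  <Apply FunctionId="{FN}any-of">
    <Function FunctionId="{FN}string-equal"/>
    <AttributeValue DataType="{STRING}">trader</AttributeValue>
    <SubjectAttributeDesignator AttributeId="urn:example:role" DataType="{STRING}"/>
  </Apply>
  <Apply FunctionId="{FN}integer-greater-than-or-equal">
    <Apply FunctionId="{FN}integer-add">
      <Apply FunctionId="{FN}integer-one-and-only">
        <SubjectAttributeDesignator AttributeId="urn:example:credit-limit" DataType="{INTEGER}"/>
      </Apply>
      <Apply FunctionId="{FN}integer-one-and-only">
        <SubjectAttributeDesignator AttributeId="urn:example:account-balance" DataType="{INTEGER}"/>
      </Apply>
    </Apply>
    <Apply FunctionId="{FN}integer-one-and-only">
      <ResourceAttributeDesignator AttributeId="urn:example:transaction-value" DataType="{INTEGER}"/>
    </Apply>
  </Apply>
</Condition>""")

def decide(context):
    """True or False for the condition, or "Indeterminate" when evaluation fails."""
    try:
        return evaluate(CONDITION, context)
    except Indeterminate:
        return "Indeterminate"
```

`type_of(CONDITION)` returns the boolean data-type without any request context, which is the "checked at the time the policy is written or parsed" property; a request that carries two credit-limit values makes `decide` return "Indeterminate" rather than silently picking one.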
2.9 Policy distribution
In a distributed system, individual policy statements may be written by several policy writers and enforced at several enforcement points. In addition to facilitating the collection and combination of independent policy components, this approach allows policies to be updated as required. XACML policy statements may be distributed in any one of a number of ways. But, XACML does not describe any normative way to do this. Regardless of the means of distribution, PDPs are expected to confirm, by examining the policy's <Target> element, that the policy is applicable to the decision request that it is processing.
<Policy> elements may be attached to the information resources to which they apply, as described by Perritt [Perritt93]. Alternatively, <Policy> elements may be maintained in one or more locations from which they are retrieved for evaluation. In such cases, the applicable policy may be referenced by an identifier or locator closely associated with the information resource.
2.10 Policy indexing
For efficiency of evaluation and ease of management, the overall security policy in force across an enterprise may be expressed as multiple independent policy components. In this case, it is necessary to identify and retrieve the applicable policy statement and verify that it is the correct one for the requested action before evaluating it. This is the purpose of the <Target> element in XACML.
Two approaches are supported:
1. Policy statements may be stored in a database whose data-model is congruent with that of the <Target> element. The PDP should use the contents of the decision request that it is processing to form the database read command by which applicable policy statements are retrieved. Nevertheless, the PDP should still evaluate the <Target> element of the retrieved policy or policy set statements, as defined by the XACML specification.
2. Alternatively, the PDP may evaluate the <Target> element from each of the policies or policy sets that it has available to it, in the context of a particular decision request, in order to identify the policies and policy sets that are applicable to that request.
The use of constraints limiting the applicability of a policy was described by Sloman [Sloman94].
2.11 Abstraction layer
PEPs come in many forms. For instance, a PEP may be part of a remote-access gateway, part of a Web server or part of an email user-agent, etc. It is unrealistic to expect that all PEPs in an enterprise do currently, or will in the future, issue decision requests to a PDP in a common format. Nevertheless, a particular policy may have to be enforced by multiple PEPs. It would be inefficient to force a policy writer to write the same policy several different ways in order to accommodate the format requirements of each PEP. Similarly, attributes may be contained in various envelope types (e.g. X.509 attribute certificates, SAML attribute assertions, etc.). Therefore, there is a need for a canonical form of the request and response handled by an XACML PDP. This canonical form is called the XACML Context. Its syntax is defined in XML schema.
Naturally, XACML-conformant PEPs may issue requests and receive responses in the form of an XACML context. But, where this situation does not exist, an intermediate step is required to convert between the request/response format understood by the PEP and the XACML context format understood by the PDP.
The benefit of this approach is that policies may be written and analyzed independent of the specific environment in which they are to be enforced
In the case where the native requestresponse format is specified in XML Schema (eg a SAML-conformant PEP) the transformation between the native format and the XACML context may be specified in the form of an Extensible Stylesheet Language Transformation [XSLT]
Similarly in the case where the resource to which access is requested is an XML document the resource itself may be included in or referenced by the request context Then through the use of XPath expressions [XPath] in the policy values in the resource may be included in the policy evaluation
2.12 Actions performed in conjunction with enforcement
In many applications, policies specify actions that MUST be performed, either instead of, or in addition to, actions that MAY be performed. This idea was described by Sloman [Sloman94]. XACML provides facilities to specify actions that MUST be performed in conjunction with policy evaluation in the <Obligations> element. This idea was described as a provisional action by Kudo [Kudo00]. There are no standard definitions for these actions in version 1.0 of XACML. Therefore, bilateral agreement between a PAP and the PEP that will enforce its policies is required for correct interpretation. PEPs that conform with v1.0 of XACML are required to deny access unless they understand all the <Obligations> elements associated with the applicable policy. <Obligations> elements are returned to the PEP for enforcement.
3 Models (non-normative)
The data-flow model and language model of XACML are described in the following sub-sections.
3.1 Data-flow model
The major actors in the XACML domain are shown in the data-flow diagram of Figure 1.
Figure 1 - Data-flow diagram
Note: some of the data-flows shown in the diagram may be facilitated by a repository. For instance, the communications between the context handler and the PIP, or the communications between the PDP and the PAP, may be facilitated by a repository. The XACML specification is not intended to place restrictions on the location of any such repository, or indeed to prescribe a particular communication protocol for any of the data-flows.
The model operates by the following steps.
1. PAPs write policies and policy sets and make them available to the PDP. These policies or policy sets represent the complete policy for a specified target.
2. The access requester sends a request for access to the PEP.
3. The PEP sends the request for access to the context handler in its native request format, optionally including attributes of the subjects, resource and action. The context handler constructs an XACML request context in accordance with steps 4, 5, 6 and 7.
4. Subject, resource and environment attributes may be requested from a PIP.
5. The PIP obtains the requested attributes.
6. The PIP returns the requested attributes to the context handler.
7. Optionally, the context handler includes the resource in the context.
8. The context handler sends a decision request, including the target, to the PDP. The PDP identifies the applicable policy and retrieves the required attributes and (optionally) the resource from the context handler. The PDP evaluates the policy.
9. The PDP returns the response context (including the authorization decision) to the context handler.
10. The context handler translates the response context to the native response format of the PEP. The context handler returns the response to the PEP.
11. The PEP fulfills the obligations.
12. (Not shown) If access is permitted, then the PEP permits access to the resource; otherwise, it denies access.
3.2 XACML context
XACML is intended to be suitable for a variety of application environments. The core language is insulated from the application environment by the XACML context, as shown in Figure 2, in which the scope of the XACML specification is indicated by the shaded area. The XACML context is defined in XML schema, describing a canonical representation for the inputs and outputs of the PDP. Attributes referenced by an instance of XACML policy may be in the form of XPath expressions on the context, or attribute designators that identify the attribute by subject, resource, action or environment and its identifier. Implementations must convert between the attribute representations in the application environment (e.g. SAML, J2SE, CORBA, and so on) and the attribute representations in the XACML context. How this is achieved is outside the scope of the XACML specification. In some cases, such as SAML, this conversion may be accomplished in an automated way through the use of an XSLT transformation.
[Figure 2 (diagram not reproduced): domain-specific inputs -> xacml Context/Request.xml -> PDP (reading xacmlPolicy.xml) -> xacml Context/Response.xml -> domain-specific outputs]
Figure 2 - XACML context
Note: The PDP may be implemented such that it uses a processed form of the XML files.
See Section 7.9 for a more detailed discussion of the request context.
3.3 Policy language model
The policy language model is shown in Figure 3. The main components of the model are:
Rule,
Policy, and
Policy set.
These are described in the following sub-sections.
[Figure 3 (diagram not reproduced): PolicySet, Policy, Rule, Target (Subject, Resource, Action), Condition, Effect, Obligations, PolicyCombiningAlgorithm and RuleCombiningAlgorithm, with the cardinalities between them]
Figure 3 - Policy language model
3.3.1 Rule
A rule is the most elementary unit of policy. It may exist in isolation only within one of the major actors of the XACML domain. In order to exchange rules between major actors, they must be encapsulated in a policy. A rule can be evaluated on the basis of its contents. The main components of a rule are:
a target,
an effect, and
a condition.
These are discussed in the following sub-sections.
3.3.1.1 Rule target
The target defines the set of:
resources,
subjects, and
actions
to which the rule is intended to apply. The <Condition> element may further refine the applicability established by the target. If the rule is intended to apply to all entities of a particular data-type, then an empty element named <AnySubject/>, <AnyResource/> or <AnyAction/> is used. An XACML PDP verifies that the subjects, resource and action identified in the request context are all present in the target of the rules that it uses to evaluate the decision request. Target definitions are discrete, in order that applicable rules may be efficiently identified by the PDP.
The <Target> element may be absent from a <Rule>. In this case, the target of the <Rule> is the same as that of the parent <Policy> element.
Certain subject name-forms, resource name-forms and certain types of resource are internally structured. For instance, the X.500 directory name-form and RFC 822 name-form are structured subject name-forms, whereas an account number commonly has no discernible structure. UNIX file-system path-names and URIs are examples of structured resource name-forms. And an XML document is an example of a structured resource.
Generally, the name of a node (other than a leaf node) in a structured name-form is also a legal instance of the name-form. So, for instance, the RFC822 name "medico.com" is a legal RFC822 name identifying the set of mail addresses hosted by the medico.com mail server. And the XPath/XPointer value "//ctx:ResourceContent/md:record/md:patient" is a legal XPath/XPointer value identifying a node-set in an XML document.
The question arises: how should a name that identifies a set of subjects or resources be interpreted by the PDP, whether it appears in a policy or a request context? Are they intended to represent just the node explicitly identified by the name, or are they intended to represent the entire sub-tree subordinate to that node?
In the case of subjects, there is no real entity that corresponds to such a node. So, names of this type always refer to the set of subjects subordinate in the name structure to the identified node. Consequently, non-leaf subject names should not be used in equality functions, only in match functions, such as "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match", not "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal" (see Appendix A).
On the other hand, in the case of resource names and resources themselves, three options exist. The name could refer to:
1. the contents of the identified node only;
2. the contents of the identified node and the contents of its immediate child nodes; or
3. the contents of the identified node and all its descendant nodes.
All three options are supported in XACML.
3.3.1.2 Effect
The effect of the rule indicates the rule-writer's intended consequence of a "True" evaluation for the rule. Two values are allowed: "Permit" and "Deny".
3.3.1.3 Condition
Condition represents a boolean expression that refines the applicability of the rule beyond the predicates implied by its target. Therefore, it may be absent.
3.3.2 Policy
From the data-flow model, one can see that rules are not exchanged amongst system entities. Therefore, a PAP combines rules in a policy. A policy comprises four main components:
a target,
a rule-combining algorithm-identifier,
a set of rules, and
obligations.
Rules are described above. The remaining components are described in the following sub-sections.
3.3.2.1 Policy target
An XACML <PolicySet>, <Policy> or <Rule> element contains a <Target> element that specifies the set of subjects, resources and actions to which it applies. The <Target> of a <PolicySet> or <Policy> may be declared by the writer of the <PolicySet> or <Policy>, or it may be calculated from the <Target> elements of the <PolicySet>, <Policy> and <Rule> elements that it contains.
A system entity that calculates a <Target> in this way is not defined by XACML, but there are two logical methods that might be used. In one method, the <Target> element of the outer <PolicySet> or <Policy> (the "outer component") is calculated as the union of all the <Target> elements of the referenced <PolicySet>, <Policy> or <Rule> elements (the "inner components"). In another method, the <Target> element of the outer component is calculated as the intersection of all the <Target> elements of the inner components. The results of evaluation in each case will be very different: in the first case, the <Target> element of the outer component makes it applicable to any decision request that matches the <Target> element of at least one inner component; in the second case, the <Target> element of the outer component makes it applicable only to decision requests that match the <Target> elements of every inner component. Note that computing the intersection of a set of <Target> elements is likely only practical if the target data-model is relatively simple.
In cases where the <Target> of a <Policy> is declared by the policy writer, any component <Rule> elements in the <Policy> that have the same <Target> element as the <Policy> element may omit the <Target> element. Such <Rule> elements inherit the <Target> of the <Policy> in which they are contained.
3.3.2.2 Rule-combining algorithm
The rule-combining algorithm specifies the procedure by which the results of evaluating the component rules are combined when evaluating the policy, i.e. the Decision value placed in the response context by the PDP is the value of the policy, as defined by the rule-combining algorithm.
See Appendix C for definitions of the normative rule-combining algorithms.
3.3.2.3 Obligations
The XACML <Rule> syntax does not contain an element suitable for carrying obligations; therefore, if required in a policy, obligations must be added by the writer of the policy.
When a PDP evaluates a policy containing obligations, it returns certain of those obligations to the PEP in the response context. Section 7.11 explains which obligations are to be returned.
3.3.3 Policy set
A policy set comprises four main components:
a target,
a policy-combining algorithm-identifier,
a set of policies, and
obligations.
The target and policy components are described above. The other components are described in the following sub-sections.
3.3.3.1 Policy-combining algorithm
The policy-combining algorithm specifies the procedure by which the results of evaluating the component policies are combined when evaluating the policy set, i.e. the Decision value placed in the response context by the PDP is the result of evaluating the policy set, as defined by the policy-combining algorithm.
See Appendix C for definitions of the normative policy-combining algorithms.
3.3.3.2 Obligations
The writer of a policy set may add obligations to the policy set, in addition to those contained in the component policies and policy sets.
When a PDP evaluates a policy set containing obligations, it returns certain of those obligations to the PEP in its response context. Section 7.11 explains which obligations are to be returned.
4 Examples (non-normative)
This section contains two examples of the use of XACML for illustrative purposes. The first example is a relatively simple one to illustrate the use of target, context, matching functions and subject attributes. The second example additionally illustrates the use of the rule-combining algorithm, conditions and obligations.
4.1 Example one
4.1.1 Example policy
Assume that a corporation named Medi Corp (medico.com) has an access control policy that states, in English:
Any user with an e-mail name in the "medico.com" namespace is allowed to perform any action on any resource.
An XACML policy consists of header information, an optional text description of the policy, a target, one or more rules and an optional set of obligations.
The header for this policy is:
[p01] <?xml version="1.0" encoding="UTF-8"?>
[p02] <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[p03]     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[p04]     xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy
[p05]       http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-policy-01.xsd"
[p06]     PolicyId="identifier:example:SimplePolicy1"
[p07]     RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
[p01] is a standard XML document tag indicating which version of XML is being used and what the character encoding is.
[p02] introduces the XACML Policy itself.
[p03-p05] are XML namespace declarations.
[p05] gives a URL to the schema for XACML policies.
[p06] assigns a name to this policy instance. The name of a policy should be unique for a given PDP, so that there is no ambiguity if one policy is referenced from another policy.
[p07] specifies the algorithm that will be used to resolve the results of the various rules that may be in the policy. The deny-overrides rule-combining algorithm specified here says that, if any rule evaluates to "Deny", then that policy must return "Deny". If all rules evaluate to "Permit", then the policy must return "Permit". The rule-combining algorithm, which is fully described in Appendix C, also says what to do if an error were to occur when evaluating any rule, and what to do with rules that do not apply to a particular decision request.
[p08]   <Description>
[p09]     Medi Corp access control policy
[p10]   </Description>
[p08-p10] provide a text description of the policy. This description is optional.
[p11]   <Target>
[p12]     <Subjects>
[p13]       <AnySubject/>
[p14]     </Subjects>
[p15]     <Resources>
[p16]       <AnyResource/>
[p17]     </Resources>
[p18]     <Actions>
[p19]       <AnyAction/>
[p20]     </Actions>
[p21]   </Target>
[p11-p21] describe the decision requests to which this policy applies. If the subject, resource and action in a decision request do not match the values specified in the target, then the remainder of the policy does not need to be evaluated. This target section is very useful for creating an index to a set of policies. In this simple example, the target section says the policy is applicable to any decision request.
[p22]   <Rule
[p23]     RuleId="urn:oasis:names:tc:xacml:1.0:example:SimpleRule1"
[p24]     Effect="Permit">
[p22] introduces the one and only rule in this simple policy. Just as for a policy, each rule must have a unique identifier (at least unique for any PDP that will be using the policy).
[p23] specifies the identifier for this rule.
[p24] says what effect this rule has if the rule evaluates to "True". Rules can have an effect of either "Permit" or "Deny". In this case, the rule will evaluate to "Permit", meaning that, as far as this one rule is concerned, the requested access should be permitted. If a rule evaluates to "False", then it returns a result of "NotApplicable". If an error occurs when evaluating the rule, the rule returns a result of "Indeterminate". As mentioned above, the rule-combining algorithm for the policy tells how various rule values are combined into a single policy value.
[p25]     <Description>
[p26]       Any subject with an e-mail name in the medico.com domain
[p27]       can perform any action on any resource.
[p28]     </Description>
[p25-p28] provide a text description of this rule. This description is optional.
[p29]     <Target>
[p29] introduces the target of the rule. As described above for the target of a policy, the target of a rule describes the decision requests to which this rule applies. If the subject, resource and action in a decision request do not match the values specified in the rule target, then the remainder of the rule does not need to be evaluated, and a value of "NotApplicable" is returned to the policy evaluation.
[p30]       <Subjects>
[p31]         <Subject>
[p32]           <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
[p33]             <SubjectAttributeDesignator
[p34]               AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
[p35]               DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
[p36]             <AttributeValue
[p37]               DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">medico.com
[p38]             </AttributeValue>
[p39]           </SubjectMatch>
[p40]         </Subject>
[p41]       </Subjects>
[p42]       <Resources>
[p43]         <AnyResource/>
[p44]       </Resources>
[p45]       <Actions>
[p46]         <AnyAction/>
[p47]       </Actions>
[p48]     </Target>
The rule target is similar to the target of the policy itself, but with one important difference: [p32-p41] do not say <AnySubject/>, but instead spell out a specific value that the subject in the decision request must match. The <SubjectMatch> element specifies a matching function in the MatchId attribute, a pointer to a specific subject attribute in the request context by means of the <SubjectAttributeDesignator> element, and a literal value of "medico.com". The matching function will be used to compare the value of the subject attribute with the literal value. Only if the match returns "True" will this rule apply to a particular decision request. If the match returns "False", then this rule will return a value of "NotApplicable".
[p49]   </Rule>
[p50] </Policy>
[p49] closes the rule we have been examining. In this rule, all the work is done in the <Target> element. In more complex rules, the <Target> may have been followed by a <Condition> (which could also be a set of conditions to be ANDed or ORed together).
[p50] closes the policy we have been examining. As mentioned above, this policy has only one rule, but more complex policies may have any number of rules.
4.1.2 Example request context
Let's examine a hypothetical decision request that might be submitted to a PDP using the policy above. In English, the access request that generates the decision request may be stated as follows:
Bart Simpson, with e-mail name "bs@simpsons.com", wants to read his medical record at Medi Corp.
In XACML, the information in the decision request is formatted into a request context statement that looks as follows:
[c01] <?xml version="1.0" encoding="UTF-8"?>
[c02] <Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
[c03]     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[c04]     xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context
[c05]       http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-context-01.xsd">
[c01-c05] are the header for the request context and are used the same way as the header for the policy explained above.
[c06]   <Subject>
[c07]     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
[c08]         DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
[c09]       <AttributeValue>bs@simpsons.com</AttributeValue>
[c10]     </Attribute>
[c11]   </Subject>
The <Subject> element contains one or more attributes of the entity making the access request. There can be multiple subjects, and each subject can have multiple attributes. In this case, in [c06-c11], there is only one subject, and the subject has only one attribute: the subject's identity, expressed as an e-mail name, is "bs@simpsons.com".
[c12]   <Resource>
[c13]     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:ufs-path"
[c14]         DataType="http://www.w3.org/2001/XMLSchema#anyURI">
[c15]       <AttributeValue>/medico/record/patient/BartSimpson</AttributeValue>
[c16]     </Attribute>
[c17]   </Resource>
The <Resource> element contains one or more attributes of the resource to which the subject (or subjects) has requested access. There can be only one <Resource>
per decision request. Lines [c13-c16] contain the one attribute of the resource to which Bart Simpson has requested access: the resource unix file-system path-name, which is "/medico/record/patient/BartSimpson".
[c18]   <Action>
[c19]     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
[c20]         DataType="http://www.w3.org/2001/XMLSchema#string">
[c21]       <AttributeValue>read</AttributeValue>
[c22]     </Attribute>
[c23]   </Action>
The <Action> element contains one or more attributes of the action that the subject (or subjects) wishes to take on the resource. There can be only one action per decision request. [c18-c23] describe the identity of the action Bart Simpson wishes to take, which is "read".
[c24] </Request>
[c24] closes the request context. A more complex request context may have contained some attributes not associated with the subject, the resource or the action. These would have been placed in an optional <Environment> element following the <Action> element.
The PDP processing this request context locates the policy in its policy repository. It compares the subject, resource and action in the request context with the subjects, resources and actions in the policy target. Since the policy target matches the <AnySubject/>, <AnyResource/> and <AnyAction/> elements, the policy matches this context.
The PDP now compares the subject, resource and action in the request context with the target of the one rule in this policy. The requested resource matches the <AnyResource/> element and the requested action matches the <AnyAction/> element, but the requesting subject-id attribute does not match "medico.com".
4.1.3 Example response context
As a result, there is no rule in this policy that returns a "Permit" result for this request. The rule-combining algorithm for the policy specifies that, in this case, a result of "NotApplicable" should be returned. The response context looks as follows:
[r01] <?xml version="1.0" encoding="UTF-8"?>
[r02] <Response xmlns="urn:oasis:names:tc:xacml:1.0:context"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[r03]     xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context
[r04]       http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-context-01.xsd">
[r01-r04] contain the same sort of header information for the response as was described above for a policy.
[r05]   <Result>
[r06]     <Decision>NotApplicable</Decision>
[r07]   </Result>
The <Result> element in lines [r05-r07] contains the result of evaluating the decision request against the policy. In this case, the result is "NotApplicable". A policy can return "Permit", "Deny", "NotApplicable" or "Indeterminate".
[r08] </Response>
[r08] closes the response context.
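As an added illustration that is not part of the specification, the following Python evaluates the 4.1.1 policy against the 4.1.2 request context and returns the 4.1.3 decision; it also implements the rfc822Name-match semantics behind the non-leaf subject name discussion in 3.3.1.1 (a bare domain such as "medico.com" matching any address at that domain). Only the constructs these two documents use are supported; the decide() helper and the two embedded documents are constructed for this example.

```python
# Added example (not the specification's own code): a minimal PDP for the
# Example one policy (4.1.1) and request context (4.1.2). It implements only
# what those documents use: <AnySubject/>, <AnyResource/>, <AnyAction/>,
# <SubjectMatch> with rfc822Name-match, and deny-overrides over Permit and
# NotApplicable rule results (Indeterminate is not modelled).
import xml.etree.ElementTree as ET

POLICY_NS = "urn:oasis:names:tc:xacml:1.0:policy"
CONTEXT_NS = "urn:oasis:names:tc:xacml:1.0:context"
RFC822_MATCH = "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match"
p = lambda tag: "{%s}%s" % (POLICY_NS, tag)    # qualified policy-schema name
c = lambda tag: "{%s}%s" % (CONTEXT_NS, tag)   # qualified context-schema name

def rfc822name_match(pattern, name):
    """rfc822Name-match (Appendix A): local-part is case-sensitive, domain-part
    is not; "x@d" matches one address, "d" any address at d, ".d" d and below."""
    local, _, domain = name.partition("@")
    domain = domain.lower()
    if "@" in pattern:                          # complete address
        plocal, _, pdomain = pattern.partition("@")
        return local == plocal and domain == pdomain.lower()
    pattern = pattern.lower()
    if pattern.startswith("."):                 # domain and all its subdomains
        return domain == pattern[1:] or domain.endswith(pattern)
    return domain == pattern                    # exactly this domain

def subject_attribute_values(request, attribute_id):
    """<AttributeValue> strings of every Subject attribute with attribute_id."""
    return [(v.text or "").strip()
            for subj in request.findall(c("Subject"))
            for attr in subj.findall(c("Attribute"))
            if attr.get("AttributeId") == attribute_id
            for v in attr.findall(c("AttributeValue"))]

def subject_matches(subject, request):
    """A <Subject> matches when every one of its <SubjectMatch> tests is true."""
    for match in subject.findall(p("SubjectMatch")):
        if match.get("MatchId") != RFC822_MATCH:
            raise NotImplementedError(match.get("MatchId"))
        pattern = match.find(p("AttributeValue")).text.strip()
        attr_id = match.find(p("SubjectAttributeDesignator")).get("AttributeId")
        if not any(rfc822name_match(pattern, v)
                   for v in subject_attribute_values(request, attr_id)):
            return False
    return True

def target_matches(target, request):
    """Subjects, Resources and Actions of a <Target> must all match."""
    if target is None:      # absent <Target>: inherits the parent's (3.3.1.1)
        return True
    subjects = target.find(p("Subjects"))
    if subjects.find(p("AnySubject")) is None and not any(
            subject_matches(s, request) for s in subjects.findall(p("Subject"))):
        return False
    for section, any_tag in (("Resources", "AnyResource"), ("Actions", "AnyAction")):
        if target.find(p(section)).find(p(any_tag)) is None:
            raise NotImplementedError("only <%s/> is handled here" % any_tag)
    return True

def evaluate_policy(policy_xml, request_xml):
    """Return the Decision value a PDP would place in the response context."""
    policy, request = ET.fromstring(policy_xml), ET.fromstring(request_xml)
    if not target_matches(policy.find(p("Target")), request):
        return "NotApplicable"
    results = [rule.get("Effect") if target_matches(rule.find(p("Target")), request)
               else "NotApplicable" for rule in policy.findall(p("Rule"))]
    if "Deny" in results:       # deny-overrides (Appendix C), errors not modelled
        return "Deny"
    return "Permit" if "Permit" in results else "NotApplicable"

# The 4.1.1 policy without its xsi:schemaLocation header lines (constructed).
POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
  PolicyId="identifier:example:SimplePolicy1"
  RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
 <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources>
  <Actions><AnyAction/></Actions></Target>
 <Rule RuleId="urn:oasis:names:tc:xacml:1.0:example:SimpleRule1" Effect="Permit">
  <Target><Subjects><Subject>
   <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
    <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
      DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
    <AttributeValue DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">medico.com</AttributeValue>
   </SubjectMatch></Subject></Subjects>
   <Resources><AnyResource/></Resources><Actions><AnyAction/></Actions></Target>
 </Rule></Policy>"""

# The 4.1.2 request context with the subject-id left as a parameter (constructed).
REQUEST = """<Request xmlns="urn:oasis:names:tc:xacml:1.0:context">
 <Subject><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
   DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
   <AttributeValue>%s</AttributeValue></Attribute></Subject>
 <Resource><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:ufs-path"
   DataType="http://www.w3.org/2001/XMLSchema#anyURI">
   <AttributeValue>/medico/record/patient/BartSimpson</AttributeValue></Attribute></Resource>
 <Action><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>read</AttributeValue></Attribute></Action></Request>"""

def decide(subject_email):
    """Decision for the 4.1.2 request with the given subject-id (hypothetical helper)."""
    return evaluate_policy(POLICY, REQUEST % subject_email)
```

decide("bs@simpsons.com") yields "NotApplicable" exactly as in 4.1.3, while an address at medico.com (in any letter case of the domain) yields "Permit".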
4.2 Example two
This section contains an example XML document, an example request context and example XACML rules. The XML document is a medical record. Four separate rules are defined. These illustrate a rule-combining algorithm, conditions and obligations.
4.2.1 Example medical record instance
The following is an instance of a medical record to which the example XACML rules can be applied. The <record> schema is defined in the registered namespace administered by medico.com.
<?xml version="1.0" encoding="UTF-8"?>
<record xmlns="http://www.medico.com/schemas/record.xsd"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <patient>
    <patientName>
      <first>Bartholomew</first>
      <last>Simpson</last>
    </patientName>
    <patientContact>
      <street>27 Shelbyville Road</street>
      <city>Springfield</city>
      <state>MA</state>
      <zip>12345</zip>
      <phone>555.123.4567</phone>
      <fax/>
      <email/>
    </patientContact>
    <patientDoB>1992-03-21</patientDoB>
    <patientGender>male</patientGender>
    <patient-number>555555</patient-number>
  </patient>
  <parentGuardian>
    <parentGuardianId>HS001</parentGuardianId>
    <parentGuardianName>
      <first>Homer</first>
      <last>Simpson</last>
    </parentGuardianName>
    <parentGuardianContact>
      <street>27 Shelbyville Road</street>
      <city>Springfield</city>
      <state>MA</state>
      <zip>12345</zip>
      <phone>555.123.4567</phone>
      <fax/>
      <email>homers@aol.com</email>
    </parentGuardianContact>
  </parentGuardian>
  <primaryCarePhysician>
    <physicianName>
      <first>Julius</first>
      <last>Hibbert</last>
    </physicianName>
    <physicianContact>
      <street>1 First St</street>
      <city>Springfield</city>
      <state>MA</state>
      <zip>12345</zip>
      <phone>555.123.9012</phone>
      <fax>555.123.9013</fax>
      <email/>
    </physicianContact>
    <registrationID>ABC123</registrationID>
  </primaryCarePhysician>
  <insurer>
    <name>Blue Cross</name>
    <street>1234 Main St</street>
    <city>Springfield</city>
    <state>MA</state>
    <zip>12345</zip>
    <phone>555.123.5678</phone>
    <fax>555.123.5679</fax>
    <email/>
  </insurer>
  <medical>
    <treatment>
      <drug>
        <name>methylphenidate hydrochloride</name>
        <dailyDosage>30mgs</dailyDosage>
        <startDate>1999-01-12</startDate>
      </drug>
      <comment>patient exhibits side-effects of skin coloration and carpal degeneration</comment>
    </treatment>
    <result>
      <test>blood pressure</test>
      <value>120/80</value>
      <date>2001-06-09</date>
      <performedBy>Nurse Betty</performedBy>
    </result>
  </medical>
</record>
4.2.2 Example request context
The following example illustrates a request context to which the example rules may be applicable. It represents a request by the physician Julius Hibbert to read the patient date of birth in the record of Bartholomew Simpson.
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
[03]     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
[04]   <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
[05]     <Attribute AttributeId=
[06]         "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
[07]       DataType=
[08]         "urn:oasis:names:tc:xacml:1.0:data-type:x500name"
[09]       Issuer="www.medico.com"
[10]       IssueInstant="2001-12-17T09:30:47-05:00">
[11]       <AttributeValue>CN=Julius Hibbert</AttributeValue>
[12]     </Attribute>
[13]     <Attribute AttributeId=
[14]         "urn:oasis:names:tc:xacml:1.0:example:attribute:role"
[15]       DataType="http://www.w3.org/2001/XMLSchema#string"
[16]       Issuer="www.medico.com"
[17]       IssueInstant="2001-12-17T09:30:47-05:00">
[18]       <AttributeValue>physician</AttributeValue>
[19]     </Attribute>
[20]     <Attribute AttributeId=
[21]         "urn:oasis:names:tc:xacml:1.0:example:attribute:physician-id"
[22]       DataType="http://www.w3.org/2001/XMLSchema#string"
[23]       Issuer="www.medico.com"
[24]       IssueInstant="2001-12-17T09:30:47-05:00">
[25]       <AttributeValue>jh1234</AttributeValue>
[26]     </Attribute>
[27]   </Subject>
[28]   <Resource>
[29]     <ResourceContent>
[30]       <md:record
[31]           xmlns:md="http://www.medico.com/schemas/record.xsd">
[32]         <md:patient>
[33]           <md:patientDoB>1992-03-21</md:patientDoB>
[34]         </md:patient>
[35]         <!-- other fields -->
[36]       </md:record>
[37]     </ResourceContent>
[38]     <Attribute AttributeId=
[39]         "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
[40]       DataType="http://www.w3.org/2001/XMLSchema#string">
[41]       <AttributeValue>
[42]         //medico.com/records/bart-simpson.xml#
[43]         xmlns(md=http://www.medico.com/schemas/record.xsd)
[44]         xpointer(/md:record/md:patient/md:patientDoB)
[45]       </AttributeValue>
[46]     </Attribute>
[47]     <Attribute AttributeId=
[48]         "urn:oasis:names:tc:xacml:1.0:resource:xpath"
[49]       DataType="http://www.w3.org/2001/XMLSchema#string">
[50]       <AttributeValue>
[51]         xmlns(md=http://www.medico.com/schemas/record.xsd)
[52]         xpointer(/md:record/md:patient/md:patientDoB)
[53]       </AttributeValue>
[54]     </Attribute>
[55]     <Attribute AttributeId=
[56]         "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
[57]       DataType="http://www.w3.org/2001/XMLSchema#string">
[58]       <AttributeValue>
[59]         http://www.medico.com/schemas/record.xsd
[60]       </AttributeValue>
[61]     </Attribute>
[62]   </Resource>
[63]   <Action>
[64]     <Attribute AttributeId=
[65]         "urn:oasis:names:tc:xacml:1.0:action:action-id"
[66]       DataType="http://www.w3.org/2001/XMLSchema#string">
[67]       <AttributeValue>read</AttributeValue>
[68]     </Attribute>
[69]   </Action>
[70] </Request>
[02]-[03] Standard namespace declarations.
[04]-[27] Subject attributes are placed in the Subject section of the Request. Each attribute consists of the attribute meta-data and the attribute value.
[04] Each Subject element has a SubjectCategory xml attribute. The value of this attribute describes the role that the subject plays in making the decision request. The value of "access-subject" denotes the identity for which the request was issued.
[05]-[12] Subject subject-id attribute.
[13]-[19] Subject role attribute.
[20]-[26] Subject physician-id attribute.
[28]-[62] Resource attributes are placed in the Resource section of the Request. Each attribute consists of attribute meta-data and an attribute value.
[29]-[36] Resource content. The XML document that is being requested is placed here.
[38]-[46] Resource identifier.
[47]-[61] The Resource is identified with an XPointer expression that names the URI of the file that is accessed, the target namespace of the document and the XPath location path to the specific element.
[47]-[54] The XPath location path in the "resource-id" attribute is extracted and placed in the xpath attribute.
[55]-[61] Resource target-namespace attribute.
[63]-[69] Action attributes are placed in the Action section of the Request.
[64]-[68] Action identifier.
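An added example (not the specification's own code): how a PDP can resolve the xpath attribute [47]-[54] against the <ResourceContent> document [29]-[36], derive that attribute from the resource-id [38]-[46] as the context handler does, and apply the target-namespace string-equal and "/md:record" xpath-node-match tests that Rule 1 in 4.2.4.1 places on the resource. The location-path evaluator handles only absolute child steps, and the embedded request is a constructed, trimmed copy of the 4.2.2 context.

```python
# Added example (not the specification's own code): resolving the xpath
# attribute [47]-[54] against the <ResourceContent> document [29]-[36] and
# applying the two <ResourceMatch> tests Rule 1 (4.2.4.1) places on the
# resource: string-equal on target-namespace [55]-[61] and xpath-node-match
# between the rule's "/md:record" and the requested node. The location-path
# evaluator handles absolute child steps only (/a/b/c).
import re
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:1.0:context"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
XPATH_ID = "urn:oasis:names:tc:xacml:1.0:resource:xpath"
TARGET_NS_ID = "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
RECORD_NS = "http://www.medico.com/schemas/record.xsd"
RULE_NSMAP = {"md": RECORD_NS}          # Rule 1's own xmlns:md declaration [06]

def ctx(tag):
    return "{%s}%s" % (CTX, tag)

def resource_attribute(request, attribute_id):
    """Text of the single <AttributeValue> of a Resource attribute."""
    for attr in request.find(ctx("Resource")).findall(ctx("Attribute")):
        if attr.get("AttributeId") == attribute_id:
            return attr.find(ctx("AttributeValue")).text.strip()
    raise KeyError(attribute_id)

def resource_document(request_xml):
    """The XML document carried inside <ResourceContent>."""
    request = ET.fromstring(request_xml)
    return request.find(ctx("Resource")).find(ctx("ResourceContent"))[0]

def xpath_from_resource_id(resource_id):
    """Context-handler step behind [47]-[54]: the XPointer part of the
    resource-id (after '#') is what goes into the xpath attribute."""
    return resource_id.split("#", 1)[1]

def parse_xpointer(value):
    """'xmlns(p=uri)xpointer(path)' -> (path, {p: uri})."""
    nsmap = dict(re.findall(r"xmlns\((\w+)=([^)]+)\)", value))
    return re.search(r"xpointer\(([^)]+)\)", value).group(1), nsmap

def select(root, path, nsmap):
    """Node-set of an absolute child-step location path. The first step must
    name the document element; each later step selects matching children."""
    def qname(step):
        prefix, _, local = step.rpartition(":")
        return "{%s}%s" % (nsmap[prefix], local) if prefix else local
    steps = path.strip("/").split("/")
    nodes = [root] if root.tag == qname(steps[0]) else []
    for step in steps[1:]:
        nodes = [child for n in nodes for child in n if child.tag == qname(step)]
    return nodes

def xpath_node_match(root, first, second):
    """xpath-node-match (Appendix A): true if a node selected by `first`, or
    any node below it, is a node selected by `second`. Each argument is a
    (path, nsmap) pair resolved in its own namespace context."""
    below = {id(n) for top in select(root, *first) for n in top.iter()}
    return any(id(n) in below for n in select(root, *second))

def rule1_resource_target_matches(request_xml, rule_path="/md:record",
                                  rule_ns=RECORD_NS):
    """Both <ResourceMatch> tests of Rule 1 [20]-[35] must hold."""
    request = ET.fromstring(request_xml)
    namespace_ok = resource_attribute(request, TARGET_NS_ID) == rule_ns
    requested = parse_xpointer(resource_attribute(request, XPATH_ID))
    return namespace_ok and xpath_node_match(
        resource_document(request_xml), (rule_path, RULE_NSMAP), requested)

# Constructed: the 4.2.2 request context trimmed to its <Resource> element.
REQUEST = """<Request xmlns="urn:oasis:names:tc:xacml:1.0:context">
 <Resource>
  <ResourceContent>
   <md:record xmlns:md="http://www.medico.com/schemas/record.xsd">
    <md:patient><md:patientDoB>1992-03-21</md:patientDoB></md:patient>
   </md:record>
  </ResourceContent>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
    DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>//medico.com/records/bart-simpson.xml#xmlns(md=http://www.medico.com/schemas/record.xsd)xpointer(/md:record/md:patient/md:patientDoB)</AttributeValue>
  </Attribute>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:xpath"
    DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>xmlns(md=http://www.medico.com/schemas/record.xsd)xpointer(/md:record/md:patient/md:patientDoB)</AttributeValue>
  </Attribute>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
    DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>http://www.medico.com/schemas/record.xsd</AttributeValue>
  </Attribute>
 </Resource>
</Request>"""
```

rule1_resource_target_matches(REQUEST) is true because the requested patientDoB node lies below /md:record and the target namespace matches; a rule path that selects nothing, or a different target namespace, makes it false.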
4.2.3 Example plain-language rules
The following plain-language rules are to be enforced:
Rule 1: A person, identified by his or her patient number, may read any record for which he or she is the designated patient.
Rule 2: A person may read any record for which he or she is the designated parent or guardian, and for which the patient is under 16 years of age.
Rule 3: A physician may write to any medical element for which he or she is the designated primary care physician, provided an email is sent to the patient.
Rule 4: An administrator shall not be permitted to read or write to medical elements of a patient record.
These rules may be written by different PAPs operating independently, or by a single PAP.
4.2.4 Example XACML rule instances
4.2.4.1 Rule 1
Rule 1 illustrates a simple rule with a single <Condition> element. The following XACML <Rule> instance expresses Rule 1:
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Rule
[03]     xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]     xmlns:ctx="urn:oasis:names:tc:xacml:1.0:context"
[06]     xmlns:md="http://www.medico.com/schemas/record.xsd"
[07]     RuleId="urn:oasis:names:tc:xacml:examples:ruleid:1"
[08]     Effect="Permit">
[09]   <Description>
[10]     A person may read any medical record in the
[11]     http://www.medico.com/schemas/record.xsd namespace
[12]     for which he or she is a designated patient
[13]   </Description>
[14]   <Target>
[15]     <Subjects>
[16]       <AnySubject/>
[17]     </Subjects>
[18]     <Resources>
[20]       <Resource>
[21]         <!-- match document target namespace -->
oasis--xacml-11pdf 32
64
101610171018
10191020
1021
1022
1023
1024
1025
10261027
10281029
10301031
10321033
1034
1035
1036
10371038
10391040104110421043104410451046104710481049105010511052105310541055105610571058
65
[22] ltResourceMatch MatchId=urnoasisnamestcxacml10functionstring-equalgt
[23] ltAttributeValue DataType=rdquohttpwwww3org2001XMLSchemastringrdquogt
[24] httpwwwmedicocomschemasrecordxsd[25] ltAttributeValuegt[26] ltResourceAttributeDesignator AttributeId=[27] urnoasisnamestcxacml10resourcetarget-namespace
DataType=rdquohttpwwww3org2001XMLSchemastringrdquogt[28] ltResourceMatchgt[29] lt-- match requested xml element --gt[30] ltResourceMatch
MatchId=urnoasisnamestcxacml10functionxpath-node-matchgt[31] ltAttributeValue
DataType=rdquohttpwwww3org2001XMLSchemastringrdquogtmdrecordltAttributeValuegt
[32] ltResourceAttributeDesignator AttributeId=[33] urnoasisnamestcxacml10resourcexpath
DataType=rdquohttpwwww3org2001XMLSchemastringrdquogt[34] ltResourceMatchgt[35] ltResourcegt[36] ltResourcesgt[37] ltActionsgt[38] ltActiongt[39] ltActionMatch
MatchId=urnoasisnamestcxacml10functionstring-equalgt[40] ltAttributeValue
DataType=rdquohttpwwww3org2001XMLSchemastringrdquogtreadltAttributeValuegt[41] ltActionAttributeDesignator AttributeId=[42] urnoasisnamestcxacml10actionaction-id
DataType=rdquohttpwwww3org2001XMLSchemastringrdquogt[43] ltActionMatchgt[44] ltActiongt[45] ltActionsgt[46] ltTargetgt[47] lt-- compare policy number in the document with [48] policy-number attribute --gt[49] ltCondition FunctionId=urnoasisnamestcxacml10functionstring-
equalgt[50] ltApply FunctionId=urnoasisnamestcxacml10functionstring-one-
and-onlygt[51] lt-- policy-number attribute --gt[52] ltSubjectAttributeDesignator AttributeId=[53] urnoasisnamestcxacml10examplesattributepolicy-number
DataType=rdquohttpwwww3org2001XMLSchemastringrdquogt[54] ltApplygt[55] ltApply FunctionId=urnoasisnamestcxacml10functionstring-one-
and-onlygt[56] lt-- policy number in the document --gt[57] ltAttributeSelector RequestContextPath=[58] mdrecordmdpatientmdpatient-numbertext()
DataType=rdquohttpwwww3org2001XMLSchemastringrdquogt[59] ltAttributeSelectorgt[60] ltApplygt[61] ltConditiongt[62] ltRulegt
[02]-[06] XML namespace declarations.
[07] Rule identifier.
[08] When a rule evaluates to "True", it emits the value of the Effect attribute. This value is combined with the Effect values of other rules according to the rule-combining algorithm.
[09]-[13] Free-form description of the rule.
[14]-[46] A rule target defines the set of decision requests that are applicable to the rule. A decision request such that the value of the "urn:oasis:names:tc:xacml:1.0:resource:target-namespace" resource attribute is equal to "http://www.medico.com/schemas/record.xsd", the value of the "urn:oasis:names:tc:xacml:1.0:resource:xpath" resource attribute matches the XPath expression "md:record", and the value of the "urn:oasis:names:tc:xacml:1.0:action:action-id" action attribute is equal to "read" matches the target of this rule.
[15]-[17] The Subjects element may contain either a disjunctive sequence of Subject elements or an AnySubject element.
[16] The AnySubject element is a special element that matches any subject in the request context.
[18]-[36] The Resources element may contain either a disjunctive sequence of Resource elements or an AnyResource element.
[20]-[35] The Resource element encloses a conjunctive sequence of ResourceMatch elements.
[22]-[28] The ResourceMatch element compares its first and second child elements according to the matching function. A match is positive if the value of the first argument matches any of the values selected by the second argument. This match compares the target namespace of the requested document with the value "http://www.medico.com/schemas/record.xsd".
[22] The MatchId attribute names the matching function.
[23]-[25] Literal attribute value to match.
[26]-[27] The ResourceAttributeDesignator element selects the resource attribute values from the request context. The attribute name is specified by the AttributeId. The selection result is a bag of values.
[30]-[34] The ResourceMatch. This match compares the results of two XPath expressions. The first XPath expression is "md:record" and the second XPath expression is the location path to the requested XML element. The "xpath-node-match" function evaluates to "True" if the requested XML element is below the md:record element.
[30] The MatchId attribute names the matching function.
[31] The literal XPath expression to match. The md prefix is resolved using a standard namespace declaration.
[32]-[33] The ResourceAttributeDesignator selects the bag of values for the "urn:oasis:names:tc:xacml:1.0:resource:xpath" resource attribute. Here there is just one element in the bag, which is the location path for the requested XML element.
[37]-[45] The Actions element may contain either a disjunctive sequence of Action elements or an AnyAction element.
[38]-[44] The Action element contains a conjunctive sequence of ActionMatch elements.
[39]-[43] The ActionMatch element compares its first and second child elements according to the matching function. A match is positive if the value of the first argument matches any of the values selected by the second argument. In this case, the value of the action-id action attribute in the request context is compared with the value "read".
[39] The MatchId attribute names the matching function.
[40] The attribute value to match. This is an action name.
[41]-[42] The ActionAttributeDesignator selects action attribute values from the request context. The attribute name is specified by the AttributeId. The selection result is a bag of values. "urn:oasis:names:tc:xacml:1.0:action:action-id" is the predefined name for the action identifier.
[49]-[61] The <Condition> element. A condition must evaluate to "True" for the rule to be applicable. This condition evaluates the truth of the statement: the patient-number subject attribute is equal to the patient-number in the XML document.
[49] The FunctionId attribute of the <Condition> element names the function to be used for comparison. In this case, comparison is done with urn:oasis:names:tc:xacml:1.0:function:string-equal; this function takes two arguments of the "http://www.w3.org/2001/XMLSchema#string" data-type.
[50] The first argument to urn:oasis:names:tc:xacml:1.0:function:string-equal in the Condition. Functions can take other functions as arguments. The Apply element encodes the function call, with the FunctionId attribute naming the function. Since urn:oasis:names:tc:xacml:1.0:function:string-equal takes arguments of the "http://www.w3.org/2001/XMLSchema#string" data-type, and SubjectAttributeDesignator selects a bag of "http://www.w3.org/2001/XMLSchema#string" values, "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" is used. This function guarantees that its argument evaluates to a bag containing one and only one "http://www.w3.org/2001/XMLSchema#string" element.
[52]-[53] The SubjectAttributeDesignator selects a bag of values for the policy-number subject attribute in the request context.
[55] The second argument to "urn:oasis:names:tc:xacml:1.0:function:string-equal" in the Condition. Functions can take other functions as arguments. The Apply element encodes the function call, with the FunctionId attribute naming the function. Since "urn:oasis:names:tc:xacml:1.0:function:string-equal" takes arguments of the "http://www.w3.org/2001/XMLSchema#string" data-type, and the AttributeSelector selects a bag of "http://www.w3.org/2001/XMLSchema#string" values, "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" is used. This function guarantees that its argument evaluates to a bag containing one and only one "http://www.w3.org/2001/XMLSchema#string" element.
[57] The AttributeSelector element selects a bag of values from the request context. The AttributeSelector is a free-form XPath pointing device into the request context. The RequestContextPath attribute specifies an XPath expression over the content of the requested XML document, selecting the policy number. Note that the namespace prefixes in the XPath expression are resolved with the standard XML namespace declarations.
4.2.4.2 Rule 2
Rule 2 illustrates the use of a mathematical function, i.e. the <Apply> element with FunctionId urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration, to calculate a date. It also illustrates the use of predicate expressions with FunctionId urn:oasis:names:tc:xacml:1.0:function:and.
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Rule
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   xmlns:ctx="urn:oasis:names:tc:xacml:1.0:context"
[06]   xmlns:md="http://www.medico.com/schemas/record.xsd"
[07]   RuleId="urn:oasis:names:tc:xacml:examples:ruleid:2"
[08]   Effect="Permit">
[09]   <Description>
[10]     A person may read any medical record in the
[11]     http://www.medico.com/records.xsd namespace
[12]     for which he or she is the designated parent or guardian,
[13]     and for which the patient is under 16 years of age
[14]   </Description>
[15]   <Target>
[16]     <Subjects>
[17]       <AnySubject/>
[18]     </Subjects>
[19]     <Resources>
[20]       <Resource>
[21]         <!-- match document target namespace -->
[22]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[23]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[24]             http://www.medico.com/schemas/record.xsd
[25]           </AttributeValue>
[26]           <ResourceAttributeDesignator AttributeId=
[27]             "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[28]         </ResourceMatch>
[29]         <!-- match requested xml element -->
[30]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-node-match">
[31]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">md:record</AttributeValue>
[32]           <ResourceAttributeDesignator AttributeId=
[33]             "urn:oasis:names:tc:xacml:1.0:resource:xpath"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[34]         </ResourceMatch>
[35]       </Resource>
[36]     </Resources>
[37]     <Actions>
[38]       <Action>
[39]         <!-- match read action -->
[40]         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[41]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
[42]           <ActionAttributeDesignator AttributeId=
[43]             "urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[44]         </ActionMatch>
[45]       </Action>
[46]     </Actions>
[47]   </Target>
[48]   <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
[49]     <!-- compare parent-guardian-id subject attribute with
[50]          the value in the document -->
[51]     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[52]       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[53]         <!-- parent-guardian-id subject attribute -->
[54]         <SubjectAttributeDesignator AttributeId=
[55]           "urn:oasis:names:tc:xacml:1.0:examples:attribute:parent-guardian-id"
[56]           DataType="http://www.w3.org/2001/XMLSchema#string"/>
[57]       </Apply>
[58]       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[59]         <!-- parent-guardian-id element in the document -->
[60]         <AttributeSelector RequestContextPath=
[61]           "md:record/md:parentGuardian/md:parentGuardianId/text()"
[62]           DataType="http://www.w3.org/2001/XMLSchema#string">
[63]         </AttributeSelector>
[64]       </Apply>
[65]     </Apply>
[66]     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-less-or-equal">
[67]       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
[68]         <EnvironmentAttributeDesignator AttributeId=
[69]           "urn:oasis:names:tc:xacml:1.0:environment:current-date"
             DataType="http://www.w3.org/2001/XMLSchema#date"/>
[70]       </Apply>
[71]       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration">
[73]         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
[74]           <!-- patient dob recorded in the document -->
[75]           <AttributeSelector RequestContextPath=
[76]             "md:record/md:patient/md:patientDoB/text()"
               DataType="http://www.w3.org/2001/XMLSchema#date">
[77]           </AttributeSelector>
[78]         </Apply>
[79]         <AttributeValue DataType="http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration">
[80]           P16Y
[81]         </AttributeValue>
[82]       </Apply>
[83]     </Apply>
[84]   </Condition>
[85] </Rule>
[02]-[47] Rule declaration and rule target. See Rule 1 in Section 4.2.4.1 for the detailed explanation of these elements.
[48]-[82] The Condition element. The Condition must evaluate to "True" for the rule to be applicable. This condition evaluates the truth of the statement: the requestor is the designated parent or guardian, and the patient is under 16 years of age.
[48] The Condition uses the "urn:oasis:names:tc:xacml:1.0:function:and" function. This is a boolean function that takes one or more boolean arguments (2 in this case) and performs the logical "AND" operation to compute the truth value of the expression.
[51]-[65] The truth of the first part of the condition is evaluated: the requestor is the designated parent or guardian. The Apply element contains a function invocation. The function name is contained in the FunctionId attribute. The comparison is done with "urn:oasis:names:tc:xacml:1.0:function:string-equal", which takes 2 arguments of the "http://www.w3.org/2001/XMLSchema#string" data-type.
[52] Since "urn:oasis:names:tc:xacml:1.0:function:string-equal" takes arguments of the "http://www.w3.org/2001/XMLSchema#string" data-type, "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" is used to ensure that the subject attribute "urn:oasis:names:tc:xacml:1.0:examples:attribute:parent-guardian-id" in the request context contains one and only one value. "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" takes an argument expression that evaluates to a bag of "http://www.w3.org/2001/XMLSchema#string" values.
[54] The value of the subject attribute "urn:oasis:names:tc:xacml:1.0:examples:attribute:parent-guardian-id" is selected from the request context with the <SubjectAttributeDesignator> element. This expression evaluates to a bag of "http://www.w3.org/2001/XMLSchema#string" values.
[58] "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" is used to ensure that the bag of values selected by its argument contains one and only one value of data-type "http://www.w3.org/2001/XMLSchema#string".
[60] The value of the md:parentGuardianId element is selected from the resource content with the AttributeSelector element. The AttributeSelector is a free-form XPath expression pointing into the request context. The RequestContextPath XML attribute contains an XPath expression over the request context. Note that all namespace prefixes in the XPath expression are resolved with standard namespace declarations. The AttributeSelector evaluates to a bag of values of data-type "http://www.w3.org/2001/XMLSchema#string".
[66]-[83] The expression "the patient is under 16 years of age" is evaluated. The patient is under 16 years of age if the current date is less than the date computed by adding 16 years to the patient's date of birth.
[66] "urn:oasis:names:tc:xacml:1.0:function:date-less-or-equal" is used to compare the two dates; it evaluates to "True" when its first argument is less than or equal to its second.
[67] "urn:oasis:names:tc:xacml:1.0:function:date-one-and-only" is used to ensure that the bag of values selected by its argument contains one and only one value of data-type "http://www.w3.org/2001/XMLSchema#date".
[68]-[69] The current date is evaluated by selecting the "urn:oasis:names:tc:xacml:1.0:environment:current-date" environment attribute.
[71] "urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration" is used to compute the date by adding 16 years to the patient's date of birth. The first argument is a "http://www.w3.org/2001/XMLSchema#date" and the second argument is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration".
[73] "urn:oasis:names:tc:xacml:1.0:function:date-one-and-only" is used to ensure that the bag of values selected by its argument contains one and only one value of data-type "http://www.w3.org/2001/XMLSchema#date".
[75]-[76] The <AttributeSelector> element selects the patient's date of birth by evaluating the XPath expression over the document content.
[79]-[81] Year-month duration of 16 years.
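To make the bag semantics and the date arithmetic of this condition concrete, here is an added Python model of the Rule 2 <Condition> (the same string-one-and-only pattern serves Rule 1). It is example code, not part of the specification: the request context it constructs (guardian id, date of birth, current date) and the helper names are assumptions, and it also shows the boundary that date-less-or-equal produces, since on the patient's 16th birthday the condition is still "True".

```python
"""Added example (not part of the XACML specification): a minimal evaluator for the
Rule 2 <Condition>, lines [48]-[84], over a constructed request context."""
import calendar
import re
import xml.etree.ElementTree as ET
from datetime import date

MD_NS = {"md": "http://www.medico.com/schemas/record.xsd"}
PARENT_GUARDIAN_ID = "urn:oasis:names:tc:xacml:1.0:examples:attribute:parent-guardian-id"
CURRENT_DATE = "urn:oasis:names:tc:xacml:1.0:environment:current-date"


class Indeterminate(Exception):
    """A function could not produce a value; the rule then evaluates to Indeterminate."""


def one_and_only(bag):
    """string-one-and-only / date-one-and-only: the bag must hold exactly one value."""
    if len(bag) != 1:
        raise Indeterminate(f"expected exactly one value, bag has {len(bag)}")
    return bag[0]


def xs_date(text):
    """Parse an xs:date lexical value such as 2008-03-15."""
    return date.fromisoformat(text)


def attribute_selector(root, path, ns=MD_NS):
    """Minimal AttributeSelector: evaluates a location path of the form
    md:record/.../md:leaf/text() over the resource content and returns the bag of
    text values (an empty bag when nothing matches)."""
    steps = path.split("/")
    if steps[-1] != "text()":
        raise ValueError("this example only supports location paths ending in text()")
    prefix, local = steps[0].split(":")
    if root.tag != "{%s}%s" % (ns[prefix], local):
        return []
    return [el.text.strip() for el in root.findall("/".join(steps[1:-1]), ns) if el.text]


def parse_year_month_duration(text):
    """Parse a yearMonthDuration such as P16Y or P1Y6M into a signed month count."""
    m = re.fullmatch(r"(-?)P(?:(\d+)Y)?(?:(\d+)M)?", text)
    if not m or (m.group(2) is None and m.group(3) is None):
        raise ValueError(f"not a yearMonthDuration: {text!r}")
    months = int(m.group(2) or 0) * 12 + int(m.group(3) or 0)
    return -months if m.group(1) else months


def date_add_year_month_duration(d, months):
    """date-add-yearMonthDuration: add whole months; a day past the end of the
    resulting month (29 Feb plus P1Y, for instance) is clamped to that month's last day."""
    total = d.year * 12 + (d.month - 1) + months
    year, month0 = divmod(total, 12)
    day = min(d.day, calendar.monthrange(year, month0 + 1)[1])
    return date(year, month0 + 1, day)


def rule2_condition(subject_attrs, record, env_attrs):
    """and(string-equal(...), date-less-or-equal(...)) as Rule 2 nests it."""
    # [51]-[65]: the requestor's parent-guardian-id equals the id recorded in the document
    requestor = one_and_only(subject_attrs.get(PARENT_GUARDIAN_ID, []))
    on_record = one_and_only(
        attribute_selector(record, "md:record/md:parentGuardian/md:parentGuardianId/text()"))
    is_guardian = requestor == on_record
    # [66]-[83]: current-date <= patientDoB + P16Y (still True on the 16th birthday itself)
    today = xs_date(one_and_only(env_attrs.get(CURRENT_DATE, [])))
    dob = xs_date(one_and_only(
        attribute_selector(record, "md:record/md:patient/md:patientDoB/text()")))
    limit = date_add_year_month_duration(dob, parse_year_month_duration("P16Y"))
    return is_guardian and today <= limit


def evaluate_rule2(subject_attrs, record_xml, env_attrs):
    """Rule outcome: Permit when the condition is True, NotApplicable when it is False,
    Indeterminate when a one-and-only bag does not hold exactly one value."""
    record = ET.fromstring(record_xml)
    try:
        return "Permit" if rule2_condition(subject_attrs, record, env_attrs) else "NotApplicable"
    except Indeterminate:
        return "Indeterminate"


# Constructed sample resource content; the values are assumptions, not the
# specification's example record.
SAMPLE_RECORD = """<md:record xmlns:md="http://www.medico.com/schemas/record.xsd">
  <md:patient><md:patientDoB>2008-03-15</md:patientDoB></md:patient>
  <md:parentGuardian><md:parentGuardianId>guardian-42</md:parentGuardianId></md:parentGuardian>
</md:record>"""

if __name__ == "__main__":
    guardian = {PARENT_GUARDIAN_ID: ["guardian-42"]}
    print(evaluate_rule2(guardian, SAMPLE_RECORD, {CURRENT_DATE: ["2024-03-15"]}))  # Permit
    print(evaluate_rule2(guardian, SAMPLE_RECORD, {CURRENT_DATE: ["2024-03-16"]}))  # NotApplicable
```

A missing or multi-valued parent-guardian-id attribute makes string-one-and-only fail, so the rule evaluates to Indeterminate rather than NotApplicable, which matters once the rule-combining algorithm is applied.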
4.2.4.3 Rule 3
Rule 3 illustrates the use of an obligation. The XACML <Rule> element syntax does not include an element suitable for carrying an obligation; therefore, Rule 3 has to be formatted as a <Policy> element.
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Policy
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   xmlns:ctx="urn:oasis:names:tc:xacml:1.0:context"
[06]   xmlns:md="http://www.medico.com/schemas/record.xsd"
[07]   PolicyId="urn:oasis:names:tc:xacml:examples:policyid:3"
[08]   RuleCombiningAlgId=
[09]     "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
[10]   <Description>
[11]     Policy for any medical record in the
[12]     http://www.medico.com/schemas/record.xsd namespace
[13]   </Description>
[14]   <Target>
[15]     <Subjects>
[16]       <AnySubject/>
[17]     </Subjects>
[18]     <Resources>
[19]       <Resource>
[20]         <!-- match document target namespace -->
[21]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[22]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[23]             http://www.medico.com/schemas/record.xsd
[24]           </AttributeValue>
[25]           <ResourceAttributeDesignator AttributeId=
[26]             "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[27]         </ResourceMatch>
[28]       </Resource>
[29]     </Resources>
[30]     <Actions>
[31]       <AnyAction/>
[32]     </Actions>
[33]   </Target>
[34]   <Rule RuleId="urn:oasis:names:tc:xacml:examples:ruleid:3"
[35]     Effect="Permit">
[36]     <Description>
[37]       A physician may write any medical element in a record
[38]       for which he or she is the designated primary care
[39]       physician, provided an email is sent to the patient
[40]     </Description>
[41]     <Target>
[42]       <Subjects>
[43]         <Subject>
[44]           <!-- match subject group attribute -->
[45]           <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[46]             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">physician</AttributeValue>
[47]             <SubjectAttributeDesignator AttributeId=
[48]               "urn:oasis:names:tc:xacml:1.0:example:attribute:role"
                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
[49]           </SubjectMatch>
[50]         </Subject>
[51]       </Subjects>
[52]       <Resources>
[53]         <Resource>
[54]           <!-- match requested xml element -->
[55]           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-node-match">
[56]             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[57]               md:record/md:medical
[58]             </AttributeValue>
[59]             <ResourceAttributeDesignator AttributeId=
[60]               "urn:oasis:names:tc:xacml:1.0:resource:xpath"
                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
[61]           </ResourceMatch>
[62]         </Resource>
[63]       </Resources>
[64]       <Actions>
[65]         <Action>
[66]           <!-- match action -->
[67]           <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[68]             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
[069]            <ActionAttributeDesignator AttributeId=
[070]              "urn:oasis:names:tc:xacml:1.0:action:action-id"
                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
[071]          </ActionMatch>
[072]        </Action>
[073]      </Actions>
[074]    </Target>
[075]    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[076]      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[077]        <!-- physician-id subject attribute -->
[078]        <SubjectAttributeDesignator AttributeId=
[079]          "urn:oasis:names:tc:xacml:1.0:example:attribute:physician-id"
[080]          DataType="http://www.w3.org/2001/XMLSchema#string"/>
[081]      </Apply>
[082]      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[083]        <AttributeSelector RequestContextPath=
[084]          "md:record/md:primaryCarePhysician/md:registrationID/text()"
[085]          DataType="http://www.w3.org/2001/XMLSchema#string"/>
[086]      </Apply>
[087]    </Condition>
[089]  </Rule>
[090]  <Obligations>
[091]    <!-- send e-mail message to the document owner -->
[092]    <Obligation ObligationId=
[093]      "urn:oasis:names:tc:xacml:example:obligation:email"
[094]      FulfillOn="Permit">
[095]      <AttributeAssignment AttributeId=
[096]        "urn:oasis:names:tc:xacml:1.0:example:attribute:mailto"
[097]        DataType="http://www.w3.org/2001/XMLSchema#string">
[098]        <AttributeSelector RequestContextPath=
[099]          "md:record/md:patient/md:patientContact/md:email"
[100]          DataType="http://www.w3.org/2001/XMLSchema#string"/>
[101]      </AttributeAssignment>
[102]      <AttributeAssignment AttributeId=
[103]        "urn:oasis:names:tc:xacml:1.0:example:attribute:text"
[104]        DataType="http://www.w3.org/2001/XMLSchema#string">
[105]        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[106]          Your medical record has been accessed by
[107]        </AttributeValue>
[108]      </AttributeAssignment>
[109]      <AttributeAssignment AttributeId=
[110]        "urn:oasis:names:tc:xacml:example:attribute:text"
[111]        DataType="http://www.w3.org/2001/XMLSchema#string">
[112]        <SubjectAttributeDesignator AttributeId=
[113]          "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
             DataType="http://www.w3.org/2001/XMLSchema#string"/>
[114]      </AttributeAssignment>
[115]    </Obligation>
[116]  </Obligations>
[117] </Policy>
[01]-[09] The Policy element includes standard namespace declarations as well as policy-specific parameters such as PolicyId and RuleCombiningAlgId.
[07] Policy identifier. This parameter is used for the inclusion of the Policy in a PolicySet element.
[08]-[09] Rule-combining algorithm identifier. This parameter is used to compute the combined outcome of the rule effects for the rules that are applicable to the decision request.
[10]-[13] Free-form description of the policy.
[14]-[33] Policy target. The policy target defines the set of applicable decision requests. The structure of the Target element in the Policy is identical to the structure of the Target element in the Rule. In this case, the policy target is the set of all XML documents conforming to the "http://www.medico.com/schemas/record.xsd" target namespace. For a detailed description of the Target element, see Rule 1, Section 4.2.4.1.
[34]-[89] The only Rule element included in this Policy. Two parameters are specified in the rule header: RuleId and Effect. For a detailed description of the Rule structure, see Rule 1, Section 4.2.4.1.
[41]-[74] A rule target narrows down the policy target. Decision requests with the value of the "urn:oasis:names:tc:xacml:1.0:example:attribute:role" subject attribute equal to "physician" [42]-[51], that access elements of the medical record that "xpath-node-match" the "md:record/md:medical" XPath expression [52]-[63], and that have the value of the "urn:oasis:names:tc:xacml:1.0:action:action-id" action attribute equal to "read" [65]-[73] match the target of this rule. For a detailed description of the rule target, see example 1, Section 4.2.4.1.
[75]-[87] The Condition element. For the rule to be applicable to the authorization request, the condition must evaluate to "True". This rule condition compares the value of the "urn:oasis:names:tc:xacml:1.0:examples:attribute:physician-id" subject attribute with the value of the physician id element in the medical record that is being accessed. For a detailed explanation of the rule condition, see Rule 1, Section 4.2.4.1.
[90]-[116] The Obligations element. Obligations are a set of operations that must be performed by the PEP in conjunction with an authorization decision. An obligation may be associated with a positive or a negative authorization decision.
[92]-[115] The Obligation element consists of the ObligationId, the authorization decision value for which it must be fulfilled, and a set of attribute assignments.
[92]-[93] ObligationId identifies an obligation. Obligation names are not interpreted by the PDP.
[94] The FulfillOn attribute defines the authorization decision value for which this obligation must be fulfilled.
[95]-[101] An obligation may have one or more parameters. The obligation parameter "urn:oasis:names:tc:xacml:1.0:examples:attribute:mailto" is assigned a value taken from the content of the XML document.
[95]-[96] AttributeId declares the "urn:oasis:names:tc:xacml:1.0:examples:attribute:mailto" obligation parameter.
[97] The obligation parameter data-type is defined.
[98]-[100] The obligation parameter value is selected from the content of the XML document that is being accessed, with an XPath expression over the request context.
[102]-[108] The obligation parameter "urn:oasis:names:tc:xacml:1.0:examples:attribute:text" of data-type "http://www.w3.org/2001/XMLSchema#string" is assigned the literal value "Your medical record has been accessed by".
[109]-[114] The obligation parameter "urn:oasis:names:tc:xacml:1.0:examples:attribute:text" of the "http://www.w3.org/2001/XMLSchema#string" data-type is assigned the value of the "urn:oasis:names:tc:xacml:1.0:subject:subject-id" subject attribute.
4.2.4.4 Rule 4
Rule 4 illustrates the use of the Deny Effect value and a Rule with no Condition element.
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Rule
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   xmlns:ctx="urn:oasis:names:tc:xacml:1.0:context"
[06]   xmlns:md="http://www.medico.com/schemas/record.xsd"
[07]   RuleId="urn:oasis:names:tc:xacml:example:ruleid:4"
[08]   Effect="Deny">
[09]   <Description>
[10]     An Administrator shall not be permitted to read or write
[11]     medical elements of a patient record in the
[12]     http://www.medico.com/records.xsd namespace
[13]   </Description>
[14]   <Target>
[15]     <Subjects>
[16]       <Subject>
[17]         <!-- match role subject attribute -->
[18]         <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[19]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
[20]           <SubjectAttributeDesignator AttributeId=
[21]             "urn:oasis:names:tc:xacml:1.0:example:attribute:role"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[22]         </SubjectMatch>
[23]       </Subject>
[24]     </Subjects>
[25]     <Resources>
[26]       <Resource>
[27]         <!-- match document target namespace -->
[28]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[29]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[30]             http://www.medico.com/schemas/record.xsd
[31]           </AttributeValue>
[32]           <ResourceAttributeDesignator AttributeId=
[33]             "urn:oasis:names:tc:xacml:1.0:resource:target-namespace" DataType="http://www.w3.org/2001/XMLSchema#string"/>
[34]         </ResourceMatch>
[35]         <!-- match requested xml element -->
[36]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-node-match">
[37]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[38]             md:record/md:medical
[39]           </AttributeValue>
[40]           <ResourceAttributeDesignator AttributeId=
[41]             "urn:oasis:names:tc:xacml:1.0:resource:xpath"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[42]         </ResourceMatch>
[43]       </Resource>
[44]     </Resources>
[45]     <Actions>
[46]       <Action>
[47]         <!-- match read action -->
[48]         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[49]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
[50]           <ActionAttributeDesignator AttributeId=
[51]             "urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[52]         </ActionMatch>
[53]       </Action>
[54]       <Action>
[55]         <!-- match write action -->
[56]         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[57]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
[58]           <ActionAttributeDesignator AttributeId=
[59]             "urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[60]         </ActionMatch>
[61]       </Action>
[62]     </Actions>
[63]   </Target>
[64] </Rule>
[01]-[08] The Rule element declaration. The most important parameter here is Effect. See Rule 1, Section 4.2.4.1, for a detailed explanation of the Rule structure.
[08] Rule Effect. Every rule that evaluates to "True" emits its rule effect as its value, which will later be combined with other rule effects according to the rule-combining algorithm. This rule's Effect is "Deny", meaning that, according to this rule, access must be denied.
[09]-[13] Free-form description of the rule.
[14]-[63] Rule target. The Rule target defines the set of decision requests that are applicable to the rule. This rule is matched by a decision request in which:
the subject attribute "urn:oasis:names:tc:xacml:1.0:examples:attribute:role" is equal to "administrator",
the value of the resource attribute "urn:oasis:names:tc:xacml:1.0:resource:target-namespace" is equal to "http://www.medico.com/schemas/record.xsd",
the value of the requested XML element matches the XPath expression "md:record/md:medical", and
the value of the action attribute "urn:oasis:names:tc:xacml:1.0:action:action-id" is equal to "read".
See Rule 1, Section 4.2.4.1, for a detailed explanation of the Target element.
This rule does not have a Condition element.
4.2.4.5 Example PolicySet
This section uses the examples of the previous sections to illustrate the process of combining policies. The policy governing read access to medical elements of a record is formed from each of the four rules described in Section 4.2.3. In plain language, the combined rule is:
Either the requestor is the patient; or
the requestor is the parent or guardian and the patient is under 16; or
the requestor is the primary care physician and a notification is sent to the patient; and
the requestor is not an administrator.
The following XACML <PolicySet> illustrates the combined policies. Policy 3 is included by reference and policy 2 is explicitly included.
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <PolicySet
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   PolicySetId=
[06]     "urn:oasis:names:tc:xacml:1.0:examples:policysetid:1"
[07]   PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:
         policy-combining-algorithm:deny-overrides">
[08]   <Description>
[09]     Example policy set
[10]   </Description>
[11]   <Target>
[12]     <Subjects>
[13]       <Subject>
[14]         <!-- any subject -->
[15]         <AnySubject/>
[16]       </Subject>
[17]     </Subjects>
[18]     <Resources>
[19]       <Resource>
[20]         <!-- any resource in the target namespace -->
[21]         <ResourceMatch
               MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[22]           <AttributeValue
                 DataType="http://www.w3.org/2001/XMLSchema#string">
[23]             http://www.medico.com/records.xsd
[24]           </AttributeValue>
[25]           <ResourceAttributeDesignator AttributeId=
[26]             "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
[27]         </ResourceMatch>
[28]       </Resource>
[29]     </Resources>
[30]     <Actions>
[31]       <Action>
[32]         <!-- any action -->
[33]         <AnyAction/>
[34]       </Action>
[35]     </Actions>
[36]   </Target>
[37]   <!-- include policy from example 3 by reference -->
[38]   <PolicyIdReference>
[39]     urn:oasis:names:tc:xacml:1.0:examples:policyid:3
[40]   </PolicyIdReference>
[41]   <!-- policy 2 combines rules from examples 1, 2
[42]        and 4; it is included by value -->
[43]   <Policy
[44]     PolicyId="urn:oasis:names:tc:xacml:examples:policyid:2"
[45]     RuleCombiningAlgId=
[46]       "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
[47]     <Description>
[48]       Policy for any medical record in the
[49]       http://www.medico.com/schemas/record.xsd namespace
[50]     </Description>
[51]     <Target> ... </Target>
[52]     <Rule
[53]       RuleId="urn:oasis:names:tc:xacml:examples:ruleid:1"
[54]       Effect="Permit"> ... </Rule>
[55]     <Rule RuleId="urn:oasis:names:tc:xacml:examples:ruleid:2"
[56]       Effect="Permit"> ... </Rule>
[57]     <Rule RuleId="urn:oasis:names:tc:xacml:examples:ruleid:4"
[58]       Effect="Deny"> ... </Rule>
[59]     <Obligations> ... </Obligations>
[60]   </Policy>
[61] </PolicySet>
[02]-[07] PolicySet declaration. Standard XML namespace declarations are included, as well as the PolicySetId and the policy-combining algorithm identifier.
[05]-[06] PolicySetId is used to identify this policy set and for its possible inclusion in another policy set.
[07] Policy-combining algorithm identifier. When the authorization decision is computed, the policies in the policy set are combined according to the algorithm named by this identifier.
[08]-[10] Free-form description of the policy set.
[11]-[36] The PolicySet Target element defines the set of decision requests to which this PolicySet applies.
[38]-[40] PolicyIdReference includes a policy by id.
[43]-[60] Policy 2 is explicitly included in this policy set.
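The combination just described, worked through in Python as an added example (not code from the specification): the three rules of Policy 2 are combined with the deny-overrides rule-combining algorithm, and Policy 3 (a stand-in here) with Policy 2 under the deny-overrides policy-combining algorithm. The rule predicates, the request dictionary keys, and the omission of Policy 2's target and Policy 3's notification obligation are simplifying assumptions of this example.

```python
from enum import Enum


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


# Constructed stand-ins for the rules of Section 4.2.3. Each rule is a
# (RuleId, Effect, applies) triple; `applies` returns True when the rule's
# target and condition hold, False when the rule is not applicable, and raises
# when an attribute it needs is missing (the PDP then reports Indeterminate).
def rule1_applies(req):
    # Rule 1: the requestor is the patient.
    return req["subject-id"] == req["patient-number"]


def rule2_applies(req):
    # Rule 2: the requestor is the parent or guardian and the patient is under 16.
    return req["role"] == "parent-guardian" and req["patient-age"] < 16


def rule4_applies(req):
    # Rule 4: the requestor is an administrator (Effect Deny).
    return req["role"] == "administrator"


POLICY2_RULES = [
    ("urn:oasis:names:tc:xacml:examples:ruleid:1", Decision.PERMIT, rule1_applies),
    ("urn:oasis:names:tc:xacml:examples:ruleid:2", Decision.PERMIT, rule2_applies),
    ("urn:oasis:names:tc:xacml:examples:ruleid:4", Decision.DENY, rule4_applies),
]


def evaluate_rule(rule, req):
    _rule_id, effect, applies = rule
    try:
        return effect if applies(req) else Decision.NOT_APPLICABLE
    except (KeyError, TypeError):
        return Decision.INDETERMINATE


def deny_overrides_rules(rules, req):
    """Deny-overrides rule combining, restated from the spec's Appendix C."""
    at_least_one_error = potential_deny = at_least_one_permit = False
    for rule in rules:
        decision = evaluate_rule(rule, req)
        if decision is Decision.DENY:
            return Decision.DENY
        if decision is Decision.PERMIT:
            at_least_one_permit = True
        elif decision is Decision.INDETERMINATE:
            at_least_one_error = True
            if rule[1] is Decision.DENY:
                potential_deny = True  # a Deny rule that could not be evaluated
    if potential_deny:
        return Decision.DENY
    if at_least_one_permit:
        return Decision.PERMIT
    if at_least_one_error:
        return Decision.INDETERMINATE
    return Decision.NOT_APPLICABLE


def policy2(req):
    return deny_overrides_rules(POLICY2_RULES, req)


def policy3(req):
    # Stand-in for Policy 3 (Rule 3, included by reference): the primary care
    # physician may read; the notification obligation is not modelled here.
    return Decision.PERMIT if req.get("role") == "physician" else Decision.NOT_APPLICABLE


def deny_overrides_policies(policies, req):
    """Deny-overrides policy combining: a Deny or an Indeterminate from any
    policy yields Deny, so an evaluation error never turns into Permit."""
    at_least_one_permit = False
    for policy in policies:
        decision = policy(req)
        if decision in (Decision.DENY, Decision.INDETERMINATE):
            return Decision.DENY
        if decision is Decision.PERMIT:
            at_least_one_permit = True
    return Decision.PERMIT if at_least_one_permit else Decision.NOT_APPLICABLE


def policyset_decision(req):
    return deny_overrides_policies([policy3, policy2], req)


if __name__ == "__main__":
    # Constructed request: an administrator who is also the patient is denied.
    admin = {"subject-id": "p-1", "patient-number": "p-1", "role": "administrator", "patient-age": 40}
    print(policyset_decision(admin).value)
```

A parent or guardian request that lacks the patient's age makes Rule 2 Indeterminate, Policy 2 Indeterminate, and the PolicySet Deny: the combination fails closed.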
5 Policy syntax (normative, with the exception of the schema fragments)
5.1 Element <PolicySet>
The <PolicySet> element is a top-level element in the XACML policy schema. <PolicySet> is an aggregation of other policy sets and policies. Policy sets MAY be included in an enclosing <PolicySet> element either directly, using the <PolicySet> element, or indirectly, using the <PolicySetIdReference> element. Policies MAY be included in an enclosing <PolicySet> element either directly, using the <Policy> element, or indirectly, using the <PolicyIdReference> element.
If a <PolicySet> element contains references to other policy sets or policies in the form of URLs, then these references MAY be resolvable.
Policies included in the <PolicySet> element MUST be combined using the algorithm specified by the PolicyCombiningAlgId attribute. <PolicySet> is treated exactly like a <Policy> in all the policy-combining algorithms.
The <Target> element defines the applicability of the <PolicySet> to a set of decision requests. If the <Target> element within a <PolicySet> matches the request context, then the <PolicySet> element MAY be used by the PDP in making its authorization decision.
The <Obligations> element contains a set of obligations that MUST be fulfilled by the PEP in conjunction with the authorization decision. If the PEP does not understand any of the obligations, then it MUST act as if the PDP had returned a "Deny" authorization decision value.
<xs:element name="PolicySet" type="xacml:PolicySetType"/>
<xs:complexType name="PolicySetType">
  <xs:sequence>
    <xs:element ref="xacml:Description" minOccurs="0"/>
    <xs:element ref="xacml:PolicySetDefaults" minOccurs="0"/>
    <xs:element ref="xacml:Target"/>
    <xs:choice minOccurs="0" maxOccurs="unbounded">
      <xs:element ref="xacml:PolicySet"/>
      <xs:element ref="xacml:Policy"/>
      <xs:element ref="xacml:PolicySetIdReference"/>
      <xs:element ref="xacml:PolicyIdReference"/>
    </xs:choice>
    <xs:element ref="xacml:Obligations" minOccurs="0"/>
  </xs:sequence>
  <xs:attribute name="PolicySetId" type="xs:anyURI" use="required"/>
  <xs:attribute name="PolicyCombiningAlgId" type="xs:anyURI" use="required"/>
</xs:complexType>
The <PolicySet> element is of PolicySetType complex type.
The <PolicySet> element contains the following attributes and elements:
PolicySetId [Required]
Policy set identifier. It is the responsibility of the PAP to ensure that no two policies visible to the PDP have the same identifier. This MAY be achieved by following a predefined URN or URI scheme. If the policy set identifier is in the form of a URL, then it MAY be resolvable.
PolicyCombiningAlgId [Required]
The identifier of the policy-combining algorithm by which the <PolicySet> components MUST be combined. Standard policy-combining algorithms are listed in Appendix C. Standard policy-combining algorithm identifiers are listed in Section B.10.
<Description> [Optional]
A free-form description of the <PolicySet>.
<PolicySetDefaults> [Optional]
A set of default values applicable to the <PolicySet>. The scope of the <PolicySetDefaults> element SHALL be the enclosing policy set.
<Target> [Required]
The <Target> element defines the applicability of a <PolicySet> to a set of decision requests.
The <Target> element MAY be declared by the creator of the <PolicySet>, or it MAY be computed from the <Target> elements of the referenced <Policy> elements, either as an intersection or as a union.
<PolicySet> [Any Number]
A policy set component that is included in this policy set.
<Policy> [Any Number]
A policy component that is included in this policy set.
<PolicySetIdReference> [Any Number]
A reference to a <PolicySet> component that MUST be included in this policy set. If <PolicySetIdReference> is a URL, then it MAY be resolvable.
<PolicyIdReference> [Any Number]
A reference to a <Policy> component that MUST be included in this policy set. If the <PolicyIdReference> is a URL, then it MAY be resolvable.
<Obligations> [Optional]
Contains the set of <Obligation> elements. See Section 7.11 for a description of how the set of obligations to be returned by the PDP shall be determined.
5.2 Element <Description>
The <Description> element is used for a free-form description of the <PolicySet>, <Policy> and <Rule> elements. The <Description> element is of xs:string simple type.
<xs:element name="Description" type="xs:string"/>
5.3 Element <PolicySetDefaults>
The <PolicySetDefaults> element SHALL specify default values that apply to the <PolicySet> element.
<xs:element name="PolicySetDefaults" type="xacml:DefaultsType"/>
<xs:complexType name="DefaultsType">
  <xs:sequence>
    <xs:choice>
      <xs:element ref="xacml:XPathVersion" minOccurs="0"/>
    </xs:choice>
  </xs:sequence>
</xs:complexType>
The <PolicySetDefaults> element is of DefaultsType complex type.
The <PolicySetDefaults> element contains the following elements:
<XPathVersion> [Optional]
Default XPath version.
5.4 Element <XPathVersion>
The <XPathVersion> element SHALL specify the version of the XPath specification to be used by <AttributeSelector> elements.
<xs:element name="XPathVersion" type="xs:anyURI"/>
The URI for the XPath 1.0 specification is "http://www.w3.org/TR/1999/Rec-xpath-19991116". The <XPathVersion> element is REQUIRED if the enclosing XACML policy set or policy contains <AttributeSelector> elements or XPath-based functions.
5.5 Element <Target>
The <Target> element identifies the set of decision requests that the parent element is intended to evaluate. The <Target> element SHALL appear as a child of the <PolicySet>, <Policy> and <Rule> elements. It contains definitions for subjects, resources and actions.
The <Target> element SHALL contain a conjunctive sequence of <Subjects>, <Resources> and <Actions> elements. For the parent of the <Target> element to be applicable to the decision request, there MUST be at least one positive match between each section of the <Target> element and the corresponding section of the <xacml-context:Request> element.
<xs:element name="Target" type="xacml:TargetType"/>
<xs:complexType name="TargetType">
  <xs:sequence>
    <xs:element ref="xacml:Subjects"/>
    <xs:element ref="xacml:Resources"/>
    <xs:element ref="xacml:Actions"/>
  </xs:sequence>
</xs:complexType>
The <Target> element is of TargetType complex type.
The <Target> element contains the following elements:
<Subjects> [Required]
Matching specification for the subject attributes in the context.
<Resources> [Required]
Matching specification for the resource attributes in the context.
<Actions> [Required]
Matching specification for the action attributes in the context.
5.6 Element <Subjects>
The <Subjects> element SHALL contain a disjunctive sequence of <Subject> elements.
<xs:element name="Subjects" type="xacml:SubjectsType"/>
<xs:complexType name="SubjectsType">
  <xs:choice>
    <xs:element ref="xacml:Subject" maxOccurs="unbounded"/>
    <xs:element ref="xacml:AnySubject"/>
  </xs:choice>
</xs:complexType>
The <Subjects> element is of SubjectsType complex type.
The <Subjects> element contains the following elements:
<Subject> [One To Many, Required Choice]
See Section 5.7.
<AnySubject> [Required Choice]
See Section 5.8.
5.7 Element <Subject>
The <Subject> element SHALL contain a conjunctive sequence of <SubjectMatch> elements.
<xs:element name="Subject" type="xacml:SubjectType"/>
<xs:complexType name="SubjectType">
  <xs:sequence>
    <xs:element ref="xacml:SubjectMatch" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <Subject> element is of SubjectType complex type.
The <Subject> element contains the following elements:
<SubjectMatch> [One to Many]
A conjunctive sequence of individual matches of the subject attributes in the context and the embedded attribute values.
5.8 Element <AnySubject>
The <AnySubject> element SHALL match any subject attribute in the context.
<xs:element name="AnySubject"/>
5.9 Element <SubjectMatch>
The <SubjectMatch> element SHALL identify a set of subject-related entities by matching attribute values in a <xacml-context:Subject> element of the context with the embedded attribute value.
<xs:element name="SubjectMatch" type="xacml:SubjectMatchType"/>
<xs:complexType name="SubjectMatchType">
  <xs:sequence>
    <xs:element ref="xacml:AttributeValue"/>
    <xs:choice>
      <xs:element ref="xacml:SubjectAttributeDesignator"/>
      <xs:element ref="xacml:AttributeSelector"/>
    </xs:choice>
  </xs:sequence>
  <xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
</xs:complexType>
The <SubjectMatch> element is of SubjectMatchType complex type.
The <SubjectMatch> element contains the following attributes and elements:
MatchId [Required]
Specifies a matching function. The value of this attribute MUST be of type xs:anyURI, with legal values documented in Section A.12.
<AttributeValue> [Required]
Embedded attribute value.
<SubjectAttributeDesignator> [Required Choice]
Identifies one or more attribute values in a <Subject> element of the context.
<AttributeSelector> [Required Choice]
MAY be used to identify one or more attribute values in the request context. The XPath expression SHOULD resolve to an attribute in a <Subject> element of the context.
5.10 Element <Resources>
The <Resources> element SHALL contain a disjunctive sequence of <Resource> elements.
<xs:element name="Resources" type="xacml:ResourcesType"/>
<xs:complexType name="ResourcesType">
  <xs:choice>
    <xs:element ref="xacml:Resource" maxOccurs="unbounded"/>
    <xs:element ref="xacml:AnyResource"/>
  </xs:choice>
</xs:complexType>
The <Resources> element is of ResourcesType complex type.
The <Resources> element contains the following elements:
<Resource> [One To Many, Required Choice]
See Section 5.11.
<AnyResource> [Required Choice]
See Section 5.12.
5.11 Element <Resource>
The <Resource> element SHALL contain a conjunctive sequence of <ResourceMatch> elements.
<xs:element name="Resource" type="xacml:ResourceType"/>
<xs:complexType name="ResourceType">
  <xs:sequence>
    <xs:element ref="xacml:ResourceMatch" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <Resource> element is of ResourceType complex type.
The <Resource> element contains the following elements:
<ResourceMatch> [One to Many]
A conjunctive sequence of individual matches of the resource attributes in the context and the embedded attribute values.
5.12 Element <AnyResource>
The <AnyResource> element SHALL match any resource attribute in the context.
<xs:element name="AnyResource"/>
5.13 Element <ResourceMatch>
The <ResourceMatch> element SHALL identify a set of resource-related entities by matching attribute values in the <xacml-context:Resource> element of the context with the embedded attribute value.
<xs:element name="ResourceMatch" type="xacml:ResourceMatchType"/>
<xs:complexType name="ResourceMatchType">
  <xs:sequence>
    <xs:element ref="xacml:AttributeValue"/>
    <xs:choice>
      <xs:element ref="xacml:ResourceAttributeDesignator"/>
      <xs:element ref="xacml:AttributeSelector"/>
    </xs:choice>
  </xs:sequence>
  <xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
</xs:complexType>
The <ResourceMatch> element is of ResourceMatchType complex type.
The <ResourceMatch> element contains the following attributes and elements:
MatchId [Required]
Specifies a matching function. Values of this attribute MUST be of type xs:anyURI, with legal values documented in Section A.12.
<AttributeValue> [Required]
Embedded attribute value.
<ResourceAttributeDesignator> [Required Choice]
Identifies one or more attribute values in the <Resource> element of the context.
<AttributeSelector> [Required Choice]
MAY be used to identify one or more attribute values in the request context. The XPath expression SHOULD resolve to an attribute in the <Resource> element of the context.
5.14 Element <Actions>
The <Actions> element SHALL contain a disjunctive sequence of <Action> elements.
<xs:element name="Actions" type="xacml:ActionsType"/>
<xs:complexType name="ActionsType">
  <xs:choice>
    <xs:element ref="xacml:Action" maxOccurs="unbounded"/>
    <xs:element ref="xacml:AnyAction"/>
  </xs:choice>
</xs:complexType>
The <Actions> element is of ActionsType complex type.
The <Actions> element contains the following elements:
<Action> [One To Many, Required Choice]
See Section 5.15.
<AnyAction> [Required Choice]
See Section 5.16.
5.15 Element <Action>
The <Action> element SHALL contain a conjunctive sequence of <ActionMatch> elements.
<xs:element name="Action" type="xacml:ActionType"/>
<xs:complexType name="ActionType">
  <xs:sequence>
    <xs:element ref="xacml:ActionMatch" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <Action> element is of ActionType complex type.
The <Action> element contains the following elements:
<ActionMatch> [One to Many]
A conjunctive sequence of individual matches of the action attributes in the context and the embedded attribute values.
5.16 Element <AnyAction>
The <AnyAction> element SHALL match any action attribute in the context.
<xs:element name="AnyAction"/>
5.17 Element <ActionMatch>
The <ActionMatch> element SHALL identify a set of action-related entities by matching attribute values in the <xacml-context:Action> element of the context with the embedded attribute value.
<xs:element name="ActionMatch" type="xacml:ActionMatchType"/>
<xs:complexType name="ActionMatchType">
  <xs:sequence>
    <xs:element ref="xacml:AttributeValue"/>
    <xs:choice>
      <xs:element ref="xacml:ActionAttributeDesignator"/>
      <xs:element ref="xacml:AttributeSelector"/>
    </xs:choice>
  </xs:sequence>
  <xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
</xs:complexType>
The <ActionMatch> element is of ActionMatchType complex type.
The <ActionMatch> element contains the following attributes and elements:
MatchId [Required]
Specifies a matching function. The value of this attribute MUST be of type xs:anyURI, with legal values documented in Section A.12.
<AttributeValue> [Required]
Embedded attribute value.
<ActionAttributeDesignator> [Required Choice]
Identifies one or more attribute values in the <Action> element of the context.
<AttributeSelector> [Required Choice]
MAY be used to identify one or more attribute values in the request context. The XPath expression SHOULD resolve to an attribute in the <Action> element of the context.
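The match semantics of Sections 5.5 through 5.17 (conjunction across <Subjects>, <Resources> and <Actions>; disjunction among <Subject>, <Resource> and <Action> items; conjunction among the *Match elements within one item; the Any* elements matching unconditionally; and a *Match holding when the MatchId function is true for at least one value in the designated bag), implemented as an added example that is not code from the specification. The <Target> is constructed after the Rule 4 example, the request context is a constructed dictionary rather than an <xacml-context:Request>, only the string-equal function is registered, and <AttributeSelector> is left unsupported.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:1.0:policy"
NS = {"xacml": XACML}
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Matching functions keyed by MatchId; only string-equal is needed for the
# sample below (the other Section A.12 functions would be registered here).
MATCH_FUNCTIONS = {STRING_EQUAL: lambda a, b: a == b}

# Constructed <Target> modelled on the Rule 4 example: administrators,
# any resource, action "read".
TARGET_XML = f"""<Target xmlns="{XACML}">
  <Subjects><Subject>
    <SubjectMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{XS_STRING}">administrator</AttributeValue>
      <SubjectAttributeDesignator DataType="{XS_STRING}"
        AttributeId="urn:oasis:names:tc:xacml:1.0:examples:attribute:role"/>
    </SubjectMatch>
  </Subject></Subjects>
  <Resources><AnyResource/></Resources>
  <Actions><Action>
    <ActionMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{XS_STRING}">read</AttributeValue>
      <ActionAttributeDesignator DataType="{XS_STRING}"
        AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
    </ActionMatch>
  </Action></Actions>
</Target>"""


def designated_values(designator, attrs):
    """Bag of context values whose AttributeId and DataType equal the designator's."""
    return [value for (attr_id, data_type, value) in attrs
            if attr_id == designator.get("AttributeId")
            and data_type == designator.get("DataType")]


def evaluate_match(match, attrs):
    """A *Match element is true when the MatchId function holds between the
    embedded <AttributeValue> and at least one value of the designated bag."""
    function = MATCH_FUNCTIONS[match.get("MatchId")]
    literal = match.find("xacml:AttributeValue", NS).text.strip()
    designator = next((child for child in match
                       if child.tag.endswith("AttributeDesignator")), None)
    if designator is None:
        raise NotImplementedError("AttributeSelector (XPath) is not modelled here")
    return any(function(literal, value)
               for value in designated_values(designator, attrs))


def evaluate_section(section, any_tag, item_tag, match_tag, attrs):
    """<Subjects>/<Resources>/<Actions>: a disjunction of items, each item a
    conjunction of its matches; the Any* element matches unconditionally."""
    if section.find(f"xacml:{any_tag}", NS) is not None:
        return True
    return any(all(evaluate_match(m, attrs)
                   for m in item.findall(f"xacml:{match_tag}", NS))
               for item in section.findall(f"xacml:{item_tag}", NS))


def target_matches(target, request):
    """Section 5.5: every section of the <Target> must match its counterpart
    in the request context."""
    sections = (
        ("Subjects", "AnySubject", "Subject", "SubjectMatch", "subject"),
        ("Resources", "AnyResource", "Resource", "ResourceMatch", "resource"),
        ("Actions", "AnyAction", "Action", "ActionMatch", "action"),
    )
    return all(
        evaluate_section(target.find(f"xacml:{tag}", NS), any_tag, item_tag,
                         match_tag, request[key])
        for tag, any_tag, item_tag, match_tag, key in sections
    )


def applies(request):
    """Evaluate the constructed target against a request context given as
    {"subject"|"resource"|"action": [(AttributeId, DataType, value), ...]}."""
    return target_matches(ET.fromstring(TARGET_XML), request)


if __name__ == "__main__":
    # Constructed request: a subject holding two role values, one of them administrator.
    request = {
        "subject": [("urn:oasis:names:tc:xacml:1.0:examples:attribute:role", XS_STRING, "nurse"),
                    ("urn:oasis:names:tc:xacml:1.0:examples:attribute:role", XS_STRING, "administrator")],
        "resource": [],
        "action": [("urn:oasis:names:tc:xacml:1.0:action:action-id", XS_STRING, "read")],
    }
    print(applies(request))
```

Because a designator yields a bag, a multi-valued role attribute matches as soon as any one value equals the literal, which is why the sample request above matches.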
5.18 Element <PolicySetIdReference>
The <PolicySetIdReference> element SHALL be used to reference a <PolicySet> element by id. If <PolicySetIdReference> is a URL, then it MAY be resolvable to the <PolicySet>. The mechanism for resolving a policy set reference to the corresponding policy set is outside the scope of this specification.
<xs:element name="PolicySetIdReference" type="xs:anyURI"/>
The <PolicySetIdReference> element is of xs:anyURI simple type.
5.19 Element <PolicyIdReference>
The <xacml:PolicyIdReference> element SHALL be used to reference a <Policy> element by id. If <PolicyIdReference> is a URL, then it MAY be resolvable to the <Policy>. The mechanism for resolving a policy reference to the corresponding policy is outside the scope of this specification.
<xs:element name="PolicyIdReference" type="xs:anyURI"/>
The <PolicyIdReference> element is of xs:anyURI simple type.
5.20 Element <Policy>
The <Policy> element is the smallest entity that SHALL be presented to the PDP for evaluation.
The main components of this element are the <Target>, <Rule> and <Obligations> elements and the RuleCombiningAlgId attribute.
The <Target> element SHALL define the applicability of the <Policy> to a set of decision requests.
Rules included in the <Policy> element MUST be combined by the algorithm specified by the RuleCombiningAlgId attribute.
The <Obligations> element SHALL contain a set of obligations that MUST be fulfilled by the PDP in conjunction with the authorization decision.
<xs:element name="Policy" type="xacml:PolicyType"/>
<xs:complexType name="PolicyType">
  <xs:sequence>
    <xs:element ref="xacml:Description" minOccurs="0"/>
    <xs:element ref="xacml:PolicyDefaults" minOccurs="0"/>
    <xs:element ref="xacml:Target"/>
    <xs:element ref="xacml:Rule" minOccurs="0" maxOccurs="unbounded"/>
    <xs:element ref="xacml:Obligations" minOccurs="0"/>
  </xs:sequence>
  <xs:attribute name="PolicyId" type="xs:anyURI" use="required"/>
  <xs:attribute name="RuleCombiningAlgId" type="xs:anyURI" use="required"/>
</xs:complexType>
The <Policy> element is of PolicyType complex type.
The <Policy> element contains the following attributes and elements:
PolicyId [Required]
Policy identifier. It is the responsibility of the PAP to ensure that no two policies visible to the PDP have the same identifier. This MAY be achieved by following a predefined URN or URI scheme. If the policy identifier is in the form of a URL, then it MAY be resolvable.
RuleCombiningAlgId [Required]
The identifier of the rule-combining algorithm by which the <Policy> components MUST be combined. Standard rule-combining algorithms are listed in Appendix C. Standard rule-combining algorithm identifiers are listed in Section B.10.
<Description> [Optional]
A free-form description of the policy. See Section 5.2, Element <Description>.
<PolicyDefaults> [Optional]
Defines a set of default values applicable to the policy. The scope of the <PolicyDefaults> element SHALL be the enclosing policy.
<Target> [Required]
The <Target> element SHALL define the applicability of a <Policy> to a set of decision requests.
The <Target> element MAY be declared by the creator of the <Policy> element, or it MAY be computed from the <Target> elements of the referenced <Rule> elements, either as an intersection or as a union.
<Rule> [Any Number]
A sequence of authorizations (rules) that MUST be combined according to the RuleCombiningAlgId attribute. Rules whose <Target> elements match the decision request MUST be considered. Rules whose <Target> elements do not match the decision request SHALL be ignored.
<Obligations> [Optional]
A conjunctive sequence of obligations that MUST be fulfilled by the PEP in conjunction with the authorization decision. See Section 7.11 for a description of how the set of obligations to be returned by the PDP SHALL be determined.
5.21 Element <PolicyDefaults>
The <PolicyDefaults> element SHALL specify default values that apply to the <Policy> element.
<xs:element name="PolicyDefaults" type="xacml:DefaultsType"/>
<xs:complexType name="DefaultsType">
  <xs:sequence>
    <xs:choice>
      <xs:element ref="xacml:XPathVersion" minOccurs="0"/>
    </xs:choice>
  </xs:sequence>
</xs:complexType>
The <PolicyDefaults> element is of DefaultsType complex type.
The <PolicyDefaults> element contains the following elements:
<XPathVersion> [Optional]
Default XPath version.
5.22 Element <Rule>
The <Rule> element SHALL define the individual rules in the policy. The main components of this element are the <Target> and <Condition> elements and the Effect attribute.
<xs:element name="Rule" type="xacml:RuleType"/>
<xs:complexType name="RuleType">
  <xs:sequence>
    <xs:element ref="xacml:Description" minOccurs="0"/>
    <xs:element ref="xacml:Target" minOccurs="0"/>
    <xs:element ref="xacml:Condition" minOccurs="0"/>
  </xs:sequence>
  <xs:attribute name="RuleId" type="xs:anyURI" use="required"/>
  <xs:attribute name="Effect" type="xacml:EffectType" use="required"/>
</xs:complexType>
The <Rule> element is of RuleType complex type.
The <Rule> element contains the following attributes and elements:
RuleId [Required]
A URN identifying this rule.
Effect [Required]
Rule effect. The values of this attribute are either "Permit" or "Deny".
<Description> [Optional]
A free-form description of the rule.
<Target> [Optional]
Identifies the set of decision requests that the <Rule> element is intended to evaluate. If this element is omitted, then the target for the <Rule> SHALL be defined by the <Target> element of the enclosing <Policy> element. See Section 5.5 for details.
<Condition> [Optional]
A predicate that MUST be satisfied for the rule to be assigned its Effect value. A condition is a boolean function over a combination of subject, resource, action and environment attributes, or other functions.
5.23 Simple type EffectType
The EffectType simple type defines the values allowed for the Effect attribute of the <Rule> element and for the FulfillOn attribute of the <Obligation> element.
<xs:simpleType name="EffectType">
  <xs:restriction base="xs:string">
    <xs:enumeration value="Permit"/>
    <xs:enumeration value="Deny"/>
  </xs:restriction>
</xs:simpleType>
5.24 Element <Condition>
The <Condition> element is a boolean function over subject, resource, action and environment attributes, or functions of attributes. If the <Condition> element evaluates to "True", then the enclosing <Rule> element is assigned its Effect value.
<xs:element name="Condition" type="xacml:ApplyType"/>
The <Condition> element is of ApplyType complex type.
5.25 Element <Apply>
The <Apply> element denotes application of a function to its arguments, thus encoding a function call. The <Apply> element can be applied to any combination of <Apply>, <AttributeValue>, <SubjectAttributeDesignator>, <ResourceAttributeDesignator>, <ActionAttributeDesignator>, <EnvironmentAttributeDesignator> and <AttributeSelector> arguments.
<xs:element name="Apply" type="xacml:ApplyType"/>
<xs:complexType name="ApplyType">
  <xs:choice minOccurs="0" maxOccurs="unbounded">
    <xs:element ref="xacml:Function"/>
    <xs:element ref="xacml:Apply"/>
    <xs:element ref="xacml:AttributeValue"/>
    <xs:element ref="xacml:SubjectAttributeDesignator"/>
    <xs:element ref="xacml:ResourceAttributeDesignator"/>
    <xs:element ref="xacml:ActionAttributeDesignator"/>
    <xs:element ref="xacml:EnvironmentAttributeDesignator"/>
    <xs:element ref="xacml:AttributeSelector"/>
  </xs:choice>
  <xs:attribute name="FunctionId" type="xs:anyURI" use="required"/>
</xs:complexType>
The <Apply> element is of ApplyType complex type.
The <Apply> element contains the following attributes and elements:
FunctionId [Required]
The URN of a function. XACML-defined functions are described in Appendix A.
<Function> [Optional]
The name of a function that is applied to the elements of a bag. See Section A.14.11.
<Apply> [Optional]
A nested function-call argument.
<AttributeValue> [Optional]
A literal value argument.
<SubjectAttributeDesignator> [Optional]
A subject attribute argument.
<ResourceAttributeDesignator> [Optional]
A resource attribute argument.
<ActionAttributeDesignator> [Optional]
An action attribute argument.
<EnvironmentAttributeDesignator> [Optional]
An environment attribute argument.
<AttributeSelector> [Optional]
An attribute selector argument.
5.26 Element <Function>
The <Function> element SHALL be used to name a function that is applied by the higher-order bag functions to every element of a bag. The higher-order bag functions are described in Section A.14.11.
<xs:element name="Function" type="xacml:FunctionType"/>
<xs:complexType name="FunctionType">
  <xs:attribute name="FunctionId" type="xs:anyURI" use="required"/>
</xs:complexType>
The <Function> element is of FunctionType complex type.
The <Function> element contains the following attribute:
FunctionId [Required]
The identifier of the function that is applied to the elements of a bag by the higher-order bag functions.
5.27 Complex type AttributeDesignatorType
The AttributeDesignatorType complex type is the type for elements and extensions that identify attributes. An element of this type contains properties by which it MAY be matched to attributes in the request context.
In addition, elements of this type MAY control behaviour in the event that no matching attribute is present in the context.
Elements of this type SHALL NOT alter the match semantics of named attributes, but MAY narrow the search space.
<xs:complexType name="AttributeDesignatorType">
  <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
  <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
  <xs:attribute name="Issuer" type="xs:string" use="optional"/>
  <xs:attribute name="MustBePresent" type="xs:boolean" use="optional" default="false"/>
</xs:complexType>
A named attribute SHALL match an attribute if the values of their respective AttributeId, DataType and Issuer attributes match. The attribute designator's AttributeId MUST match, by URI equality, the AttributeId of the attribute. The attribute designator's DataType MUST match, by URI equality, the DataType of the same attribute.
If the Issuer attribute is present in the attribute designator, then it MUST match, by string equality, the Issuer of the same attribute. If the Issuer is not present in the attribute designator, then the matching of the attribute to the named attribute SHALL be governed by the AttributeId and DataType attributes alone.
The <AttributeDesignatorType> contains the following attributes:
AttributeId [Required]
This attribute SHALL specify the AttributeId with which to match the attribute.
DataType [Required]
This attribute SHALL specify the data-type with which to match the attribute.
Issuer [Optional]
This attribute, if supplied, SHALL specify the Issuer with which to match the attribute.
MustBePresent [Optional]
This attribute governs whether the element returns "Indeterminate" in the case where the named attribute is absent. If the named attribute is absent and MustBePresent is "True", then this element SHALL result in "Indeterminate". The default value SHALL be "False".
5.28 Element <SubjectAttributeDesignator>
The <SubjectAttributeDesignator> element is of the SubjectAttributeDesignatorType. The SubjectAttributeDesignatorType complex type extends the AttributeDesignatorType complex type. It is the base type for elements and extensions that refer to named categorized subject attributes. A named categorized subject attribute is defined as follows:
- A subject is represented by a <Subject> element in the <xacml-context:Request> element. Each <Subject> element SHALL contain the XML attribute SubjectCategory. This attribute is called the subject category attribute.
- A categorized subject is a subject that is identified by a particular subject category attribute.
- A subject attribute is an attribute of a particular subject, i.e. contained within a <Subject> element.
- A named subject attribute is a named attribute for a subject.
- A named categorized subject attribute is a named subject attribute for a particular categorized subject.
The SubjectAttributeDesignatorType complex type extends the AttributeDesignatorType with a SubjectCategory attribute. The SubjectAttributeDesignatorType extends the match semantics of the AttributeDesignatorType by narrowing the attribute search space to the specific categorized subject, such that the value of this element's SubjectCategory attribute matches, by URI equality, the value of the <Request> element's subject category attribute.
If there are multiple subjects with the same SubjectCategory XML attribute, then they SHALL be treated as if they were one categorized subject.
Elements and extensions of the SubjectAttributeDesignatorType complex type determine the presence of selected attribute values associated with named categorized subject attributes. Elements and extensions of the SubjectAttributeDesignatorType SHALL NOT alter the match semantics of named categorized subject attributes, but MAY narrow the search space.
ltxscomplexType name=SubjectAttributeDesignatorTypegtltxscomplexContentgt
ltxsextension base=xacmlAttributeDesignatorTypegt ltxsattribute name=SubjectCategory type=xsanyURI use=optional default= urnoasisnamestcxacml10subject-categoryaccess-subjectgt ltxsextensiongt ltxscomplexContentgtltxscomplexTypegt
The ltSubjectAttributeDesignatorTypegt complex type contains the following attribute in addition to the attributes of the AttributeDesignatorType complex type
SubjectCategory [Optional]
This attribute SHALL specify the categorized subject from which to match named subject attributes If SubjectCategory is not present then its default value of ldquournoasisnamestcxacml10subject-categoryaccess-subjectrdquo SHALL be used
5.29 Element <ResourceAttributeDesignator>
The <ResourceAttributeDesignator> element retrieves a bag of values for a named resource attribute. A resource attribute is an attribute contained within the <Resource> element of the <xacml-context:Request> element. A named resource attribute is a named attribute that matches a resource attribute. A named resource attribute SHALL be considered present if there is at least one resource attribute that matches the criteria set out below. A resource attribute value is an attribute value that is contained within a resource attribute.
The <ResourceAttributeDesignator> element SHALL return a bag containing all the resource attribute values that are matched by the named resource attribute. The MustBePresent attribute governs whether this element returns an empty bag or "Indeterminate" in the case that the named resource attribute is absent. If the named resource attribute is not present and the MustBePresent attribute is "False" (its default value), then this element SHALL evaluate to an empty bag. If the named resource attribute is not present and the MustBePresent attribute is "True", then this element SHALL evaluate to "Indeterminate". Regardless of the MustBePresent attribute, if it cannot be determined whether the named resource attribute is present or not in the request context, or the value of the named resource attribute is unavailable, then the expression SHALL evaluate to "Indeterminate".
A named resource attribute SHALL match a resource attribute as per the match semantics specified in the AttributeDesignatorType complex type [Section 5.27].
The <ResourceAttributeDesignator> MAY appear in the <ResourceMatch> element and MAY be passed to the <Apply> element as an argument.
    <xs:element name="ResourceAttributeDesignator" type="xacml:AttributeDesignatorType"/>
The <ResourceAttributeDesignator> element is of the AttributeDesignatorType complex type.
5.30 Element <ActionAttributeDesignator>
The <ActionAttributeDesignator> element retrieves a bag of values for a named action attribute. An action attribute is an attribute contained within the <Action> element of the <xacml-context:Request> element. A named action attribute has specific criteria (described below) with which to match an action attribute. A named action attribute SHALL be considered present if there is at least one action attribute that matches the criteria. An action attribute value is an attribute value that is contained within an action attribute.
The <ActionAttributeDesignator> element SHALL return a bag of all the action attribute values that are matched by the named action attribute. The MustBePresent attribute governs whether this element returns an empty bag or "Indeterminate" in the case that the named action attribute is absent. If the named action attribute is not present and the MustBePresent attribute is "False" (its default value), then this element SHALL evaluate to an empty bag. If the named action attribute is not present and the MustBePresent attribute is "True", then this element SHALL evaluate to "Indeterminate". Regardless of the MustBePresent attribute, if it cannot be determined whether the named action attribute is present or not present in the request context, or the value of the named action attribute is unavailable, then the expression SHALL evaluate to "Indeterminate".
A named action attribute SHALL match an action attribute as per the match semantics specified in the AttributeDesignatorType complex type [Section 5.27].
The <ActionAttributeDesignator> MAY appear in the <ActionMatch> element and MAY be passed to the <Apply> element as an argument.
    <xs:element name="ActionAttributeDesignator" type="xacml:AttributeDesignatorType"/>
The <ActionAttributeDesignator> element is of the AttributeDesignatorType complex type.
5.31 Element <EnvironmentAttributeDesignator>
The <EnvironmentAttributeDesignator> element retrieves a bag of values for a named environment attribute. An environment attribute is an attribute contained within the <Environment> element of the <xacml-context:Request> element. A named environment attribute has specific criteria (described below) with which to match an environment attribute. A named environment attribute SHALL be considered present if there is at least one environment attribute that matches the criteria. An environment attribute value is an attribute value that is contained within an environment attribute.
The <EnvironmentAttributeDesignator> element SHALL evaluate to a bag of all the environment attribute values that are matched by the named environment attribute. The MustBePresent attribute governs whether this element returns an empty bag or "Indeterminate" in the case that the named environment attribute is absent. If the named environment attribute is not present and the MustBePresent attribute is "False" (its default value), then this element SHALL evaluate to an empty bag. If the named environment attribute is not present and the MustBePresent attribute is "True", then this element SHALL evaluate to "Indeterminate". Regardless of the MustBePresent attribute, if it cannot be determined whether the named environment attribute is present or not present in the request context, or the value of the named environment attribute is unavailable, then the expression SHALL evaluate to "Indeterminate".
A named environment attribute SHALL match an environment attribute as per the match semantics specified in the AttributeDesignatorType complex type [Section 5.27].
The <EnvironmentAttributeDesignator> MAY be passed to the <Apply> element as an argument.
    <xs:element name="EnvironmentAttributeDesignator" type="xacml:AttributeDesignatorType"/>
The <EnvironmentAttributeDesignator> element is of the AttributeDesignatorType complex type.
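The designator match semantics of Sections 5.27 through 5.31, as an added Python example that is not part of the specification or of any XACML implementation: it parses a constructed request context (in the Section 6 context format) with xml.etree and evaluates a designator by AttributeId, DataType and optional Issuer, pooling same-category <Subject> elements and returning an empty bag or Indeterminate according to MustBePresent. The request content and the identifiers under urn:example: are constructed for the example.

```python
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:1.0:context"
XS = "http://www.w3.org/2001/XMLSchema#"
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CODEBASE = "urn:oasis:names:tc:xacml:1.0:subject-category:codebase"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
INDETERMINATE = "Indeterminate"

# Constructed sample request context (not taken from the specification).
# Two <Subject> elements carry the default access-subject category and are
# therefore pooled; a third describes the code base that issued the request.
SAMPLE_REQUEST = f"""<Request xmlns="{CTX}">
  <Subject>
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{XS}string" Issuer="hr.example">
      <AttributeValue>alice</AttributeValue>
    </Attribute>
  </Subject>
  <Subject>
    <Attribute AttributeId="urn:example:group" DataType="{XS}string">
      <AttributeValue>staff</AttributeValue>
    </Attribute>
  </Subject>
  <Subject SubjectCategory="{CODEBASE}">
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{XS}anyURI">
      <AttributeValue>http://apps.example/viewer</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="{RESOURCE_ID}" DataType="{XS}anyURI">
      <AttributeValue>file:///records/1</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="{XS}string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
</Request>"""


def parse_request(xml_text):
    """Parse an <xacml-context:Request> document and return its root element."""
    return ET.fromstring(xml_text)


def _attributes(request, section, subject_category):
    """<Attribute> elements of one request section (Subject, Resource, Action
    or Environment). For Subject, every <Subject> element whose category
    equals subject_category contributes, so same-category subjects behave
    as one categorized subject (5.28)."""
    found = []
    for elem in request.findall(f"{{{CTX}}}{section}"):
        if section == "Subject":
            if elem.get("SubjectCategory", ACCESS_SUBJECT) != subject_category:
                continue
        found.extend(elem.findall(f"{{{CTX}}}Attribute"))
    return found


def designator(request, section, attribute_id, data_type, issuer=None,
               must_be_present=False, subject_category=ACCESS_SUBJECT):
    """Evaluate an attribute designator against a parsed request context.

    Returns the bag (a list of value strings) of every attribute value whose
    enclosing <Attribute> matches AttributeId and DataType exactly and, when
    the designator names an Issuer, matches that Issuer by string equality.
    An empty bag becomes INDETERMINATE only when must_be_present is set."""
    bag = []
    for attr in _attributes(request, section, subject_category):
        if attr.get("AttributeId") != attribute_id:
            continue
        if attr.get("DataType") != data_type:
            continue
        if issuer is not None and attr.get("Issuer") != issuer:
            continue
        for value in attr.findall(f"{{{CTX}}}AttributeValue"):
            bag.append((value.text or "").strip())
    if not bag and must_be_present:
        return INDETERMINATE
    return bag


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(designator(req, "Subject", SUBJECT_ID, XS + "string"))
    print(designator(req, "Subject", "urn:example:group", XS + "string"))
    print(designator(req, "Subject", SUBJECT_ID, XS + "anyURI",
                     subject_category=CODEBASE))
    print(designator(req, "Environment", "urn:example:time", XS + "string",
                     must_be_present=True))
```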
5.32 Element <AttributeSelector>
The AttributeSelector element's RequestContextPath XML attribute SHALL contain a legal XPath expression whose context node is the <xacml-context:Request> element. The AttributeSelector element SHALL evaluate to a bag of values whose data-type is specified by the element's DataType attribute. If the DataType specified in the AttributeSelector is a primitive data type defined in [XF] or [XS], then the value returned by the XPath expression SHALL be converted to the DataType specified in the AttributeSelector using the constructor function below [XF Section 4] that corresponds to the DataType. If an error results from using the constructor function, then the value of the AttributeSelector SHALL be Indeterminate.
xs:string(), xs:boolean(), xs:integer(), xs:double(), xs:dateTime(), xs:date(), xs:time(), xs:hexBinary(), xs:base64Binary(), xs:anyURI(), xf:yearMonthDuration(), xf:dayTimeDuration()
If the DataType specified in the AttributeSelector is not one of the preceding primitive DataTypes, then the AttributeSelector SHALL return a bag of instances of the specified DataType. If there are errors encountered in converting the values returned by the XPath expression to the specified DataType, then the result of the AttributeSelector SHALL be Indeterminate.
Each node selected by the specified XPath expression MUST be either a text node, an attribute node, a processing instruction node or a comment node. The string representation of the value of each selected node MUST be converted to an attribute value of the specified data type, and the result of the AttributeSelector is the bag of the attribute values generated from all the selected nodes.
If the selected node is different from the node types listed above (a text node, an attribute node, a processing instruction node or a comment node), then the result of that policy SHALL be Indeterminate with a StatusCode value of urn:oasis:names:tc:xacml:1.0:status:syntax-error.
Support for the <AttributeSelector> element is OPTIONAL.
    <xs:element name="AttributeSelector" type="xacml:AttributeSelectorType"/>
    <xs:complexType name="AttributeSelectorType">
        <xs:attribute name="RequestContextPath" type="xs:string" use="required"/>
        <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
        <xs:attribute name="MustBePresent" type="xs:boolean" use="optional" default="false"/>
    </xs:complexType>
The <AttributeSelector> element is of AttributeSelectorType complex type.
The <AttributeSelector> element has the following attributes:
RequestContextPath [Required]
An XPath expression whose context node is the <xacml-context:Request> element. There SHALL be no restriction on the XPath syntax.
DataType [Required]
The bag of values returned by the AttributeSelector SHALL be of this data type.
MustBePresent [Optional]
Whether or not the designated attribute must be present in the context. If the XPath expression selects no node and the MustBePresent attribute is TRUE, then the result SHALL be Indeterminate and the status code SHALL be urn:oasis:names:tc:xacml:1.0:status:missing-attribute. If the XPath expression selects no node and the MustBePresent attribute is missing or FALSE, then the result SHALL be an empty bag. If the XPath expression selects at least one node and the selected node(s) could be successfully converted to a bag of values of the specified data-type, then the result SHALL be the bag, regardless of the value of the MustBePresent attribute. If the XPath expression selects at least one node but there is an error in converting one or more of the nodes to values of the specified data-type, then the result SHALL be Indeterminate and the status code SHALL be urn:oasis:names:tc:xacml:1.0:status:processing-error, regardless of the value of the MustBePresent attribute.
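The result rules of the <AttributeSelector> (node-type check, MustBePresent, constructor conversion and the status code each outcome carries), as an added Python example that is not part of the specification or of any XACML implementation. The XPath evaluation itself is assumed to be done by an external engine, so the function takes the selected nodes as constructed (node kind, string value) pairs; the constructor functions are approximated with Python parsers and the xf:*Duration constructors are left out.

```python
import base64
from datetime import date, datetime, time

XS = "http://www.w3.org/2001/XMLSchema#"
STATUS = "urn:oasis:names:tc:xacml:1.0:status:"
INDETERMINATE = "Indeterminate"
ALLOWED_NODE_KINDS = {"text", "attribute", "processing-instruction", "comment"}


def _boolean(lexical):
    """xs:boolean accepts only the lexical forms true, false, 1 and 0."""
    if lexical in ("true", "1"):
        return True
    if lexical in ("false", "0"):
        return False
    raise ValueError(f"not an xs:boolean: {lexical!r}")


# Stand-ins for the constructor functions the text lists. Each raises
# ValueError on a lexical form it cannot convert; an extension DataType
# would register its own constructor here.
CONSTRUCTORS = {
    XS + "string": str,
    XS + "boolean": _boolean,
    XS + "integer": int,
    XS + "double": float,
    XS + "dateTime": datetime.fromisoformat,
    XS + "date": date.fromisoformat,
    XS + "time": time.fromisoformat,
    XS + "hexBinary": bytes.fromhex,
    XS + "base64Binary": lambda s: base64.b64decode(s, validate=True),
    XS + "anyURI": str,
}


def evaluate_selector(selected_nodes, data_type, must_be_present=False):
    """Apply the <AttributeSelector> result rules to the node set an XPath
    engine returned for RequestContextPath.

    selected_nodes is a list of (node_kind, string_value) pairs, i.e. the
    XPath evaluation is assumed to have happened already. Returns a pair
    (result, status_code) where result is the bag (a list) or INDETERMINATE.
    """
    if not selected_nodes:
        if must_be_present:
            return INDETERMINATE, STATUS + "missing-attribute"
        return [], STATUS + "ok"
    # Only text, attribute, processing-instruction and comment nodes may be
    # selected; anything else (an element node, say) is a policy syntax error.
    for kind, _ in selected_nodes:
        if kind not in ALLOWED_NODE_KINDS:
            return INDETERMINATE, STATUS + "syntax-error"
    constructor = CONSTRUCTORS.get(data_type)
    if constructor is None:
        # No constructor registered for this DataType: this example treats
        # that as a conversion failure (assumption, not a rule of the text).
        return INDETERMINATE, STATUS + "processing-error"
    bag = []
    for _, lexical in selected_nodes:
        try:
            bag.append(constructor(lexical))
        except (ValueError, TypeError):
            # A conversion error wins regardless of MustBePresent.
            return INDETERMINATE, STATUS + "processing-error"
    return bag, STATUS + "ok"


if __name__ == "__main__":
    # Constructed node sets standing in for XPath results over a request.
    print(evaluate_selector([("text", "42")], XS + "integer"))
    print(evaluate_selector([("attribute", "maybe")], XS + "boolean"))
    print(evaluate_selector([], XS + "string", must_be_present=True))
    print(evaluate_selector([("element", "<x/>")], XS + "string"))
```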
5.33 Element <AttributeValue>
The <AttributeValue> element SHALL contain a literal attribute value.
    <xs:element name="AttributeValue" type="xacml:AttributeValueType"/>
    <xs:complexType name="AttributeValueType" mixed="true">
        <xs:sequence>
            <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
        <xs:anyAttribute namespace="##any" processContents="lax"/>
    </xs:complexType>
The <AttributeValue> element is of AttributeValueType complex type.
The <AttributeValue> element has the following attributes:
DataType [Required]
The data-type of the attribute value.
5.34 Element <Obligations>
The <Obligations> element SHALL contain a set of <Obligation> elements.
Support for the <Obligations> element is OPTIONAL.
    <xs:element name="Obligations" type="xacml:ObligationsType"/>
    <xs:complexType name="ObligationsType">
        <xs:sequence>
            <xs:element ref="xacml:Obligation" maxOccurs="unbounded"/>
        </xs:sequence>
    </xs:complexType>
The <Obligations> element is of ObligationsType complexType.
The <Obligations> element contains the following element:
<Obligation> [One to Many]
A sequence of obligations.
5.35 Element <Obligation>
The <Obligation> element SHALL contain an identifier for the obligation and a set of attributes that form arguments of the action defined by the obligation. The FulfillOn attribute SHALL indicate the effect for which this obligation applies.
    <xs:element name="Obligation" type="xacml:ObligationType"/>
    <xs:complexType name="ObligationType">
        <xs:sequence>
            <xs:element ref="xacml:AttributeAssignment" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="ObligationId" type="xs:anyURI" use="required"/>
        <xs:attribute name="FulfillOn" type="xacml:EffectType" use="required"/>
    </xs:complexType>
The <Obligation> element is of ObligationType complexType. See Section 7.11 for a description of how the set of obligations to be returned by the PDP is determined.
The <Obligation> element contains the following elements and attributes:
ObligationId [Required]
Obligation identifier. The value of the obligation identifier SHALL be interpreted by the PEP.
FulfillOn [Required]
The effect for which this obligation applies.
<AttributeAssignment> [One To Many]
Obligation arguments assignment. The values of the obligation arguments SHALL be interpreted by the PEP.
5.36 Element <AttributeAssignment>
The <AttributeAssignment> element SHALL contain an AttributeId and the corresponding attribute value. The AttributeId is part of attribute meta-data and is used when the attribute cannot be referenced by its location in the <xacml-context:Request>. This situation may arise in an <Obligation> element if the obligation includes parameters. The <AttributeAssignment> element MAY be used in any way consistent with the schema syntax, which is a sequence of "any". The value specified SHALL be understood by the PEP, but it is not further specified by XACML. See Section 7.11 "Obligations".
    <xs:element name="AttributeAssignment" type="xacml:AttributeAssignmentType"/>
    <xs:complexType name="AttributeAssignmentType" mixed="true">
        <xs:complexContent>
            <xs:extension base="xacml:AttributeValueType">
                <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
            </xs:extension>
        </xs:complexContent>
    </xs:complexType>
The <AttributeAssignment> element is of AttributeAssignmentType complex type.
The <AttributeAssignment> element contains the following attributes:
AttributeId [Required]
The attribute identifier.
6 Context syntax (normative, with the exception of the schema fragments)
6.1 Element <Request>
The <Request> element is a top-level element in the XACML context schema. The <Request> element is an abstraction layer used by the policy language. Any proprietary system using the XACML specification MUST transform its decision request into the form of an XACML context <Request>.
The <Request> element contains <Subject>, <Resource>, <Action> and <Environment> elements. There may be multiple <Subject> elements. Each child element contains a sequence of <xacml-context:Attribute> elements associated with the subject, resource, action and environment, respectively.
    <xs:element name="Request" type="xacml-context:RequestType"/>
    <xs:complexType name="RequestType">
        <xs:sequence>
            <xs:element ref="xacml-context:Subject" maxOccurs="unbounded"/>
            <xs:element ref="xacml-context:Resource"/>
            <xs:element ref="xacml-context:Action"/>
            <xs:element ref="xacml-context:Environment" minOccurs="0"/>
        </xs:sequence>
    </xs:complexType>
The <Request> element is of RequestType complex type.
The <Request> element contains the following elements:
<Subject> [One to Many]
Specifies information about a subject of the request context by listing a sequence of <Attribute> elements associated with the subject. One or more <Subject> elements are allowed. A subject is an entity associated with the access request. One subject might represent the human user that initiated the application from which the request was issued. Another subject might represent the application's executable code that created the request. Another subject might represent the machine on which the application was executing. Another subject might represent the entity that is to be the recipient of the resource. Attributes of each of these entities MUST be enclosed in a separate <Subject> element.
<Resource> [Required]
Specifies information about the resource for which access is being requested by listing a sequence of <Attribute> elements associated with the resource. It MAY include a <ResourceContent> element.
<Action> [Required]
Specifies the requested action to be performed on the resource by listing a set of <Attribute> elements associated with the action.
<Environment> [Optional]
Contains a set of <Attribute> elements of the environment. These <Attribute> elements MAY form a part of policy evaluation.
6.2 Element <Subject>
The <Subject> element specifies a subject by listing a sequence of <Attribute> elements associated with the subject.
    <xs:element name="Subject" type="xacml-context:SubjectType"/>
    <xs:complexType name="SubjectType">
        <xs:sequence>
            <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="SubjectCategory" type="xs:anyURI" use="optional" default="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"/>
    </xs:complexType>
The <Subject> element is of SubjectType complex type.
The <Subject> element contains the following elements:
SubjectCategory [Optional]
This attribute indicates the role that the parent <Subject> played in the formation of the access request. If this attribute is not present in a given <Subject> element, then the default value of "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" SHALL be used, indicating that the parent <Subject> element represents the entity ultimately responsible for initiating the access request.
If more than one <Subject> element contains a urn:oasis:names:tc:xacml:1.0:subject-category attribute with the same value, then the PDP SHALL treat the contents of those elements as if they were contained in the same <Subject> element.
<Attribute> [Any Number]
A sequence of attributes that apply to the subject.
Typically, a <Subject> element will contain an <Attribute> with an AttributeId of "urn:oasis:names:tc:xacml:1.0:subject:subject-id", containing the identity of the subject.
A <Subject> element MAY contain additional <Attribute> elements.
6.3 Element <Resource>
The <Resource> element specifies information about the resource to which access is requested by listing a sequence of <Attribute> elements associated with the resource. It MAY include the resource content.
    <xs:element name="Resource" type="xacml-context:ResourceType"/>
    <xs:complexType name="ResourceType">
        <xs:sequence>
            <xs:element ref="xacml-context:ResourceContent" minOccurs="0"/>
            <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
    </xs:complexType>
The <Resource> element is of ResourceType complex type.
The <Resource> element contains the following elements:
<ResourceContent> [Optional]
The resource content.
<Attribute> [Any Number]
A sequence of resource attributes. The <Resource> element MUST contain one and only one <Attribute> with an AttributeId of "urn:oasis:names:tc:xacml:1.0:resource:resource-id". This attribute specifies the identity of the resource to which access is requested.
A <Resource> element MAY contain additional <Attribute> elements.
6.4 Element <ResourceContent>
The <ResourceContent> element is a notional placeholder for the resource content. If an XACML policy references the contents of the resource, then the <ResourceContent> element SHALL be used as the reference point.
    <xs:complexType name="ResourceContentType" mixed="true">
        <xs:sequence>
            <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:anyAttribute namespace="##any" processContents="lax"/>
    </xs:complexType>
The <ResourceContent> element is of ResourceContentType complex type.
The <ResourceContent> element allows arbitrary elements and attributes.
6.5 Element <Action>
The <Action> element specifies the requested action on the resource by listing a set of <Attribute> elements associated with the action.
    <xs:element name="Action" type="xacml-context:ActionType"/>
    <xs:complexType name="ActionType">
        <xs:sequence>
            <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
    </xs:complexType>
The <Action> element is of ActionType complex type.
The <Action> element contains the following elements:
<Attribute> [Any Number]
List of attributes of the action to be performed on the resource.
6.6 Element <Environment>
The <Environment> element contains a set of attributes of the environment. These attributes MAY form part of the policy evaluation.
    <xs:element name="Environment" type="xacml-context:EnvironmentType"/>
    <xs:complexType name="EnvironmentType">
        <xs:sequence>
            <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
    </xs:complexType>
The <Environment> element is of EnvironmentType complex type.
The <Environment> element contains the following elements:
<Attribute> [Any Number]
A list of environment attributes. Environment attributes are attributes that are not associated with either the resource, the action or any of the subjects of the access request.
6.7 Element <Attribute>
The <Attribute> element is the central abstraction of the request context. It contains an attribute value and attribute meta-data. The attribute meta-data comprises the attribute identifier, the attribute issuer and the attribute issue instant. Attribute designators and attribute selectors in the policy MAY refer to attributes by means of this meta-data.
    <xs:element name="Attribute" type="xacml-context:AttributeType"/>
    <xs:complexType name="AttributeType">
        <xs:sequence>
            <xs:element ref="xacml-context:AttributeValue"/>
        </xs:sequence>
        <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
        <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
        <xs:attribute name="Issuer" type="xs:string" use="optional"/>
        <xs:attribute name="IssueInstant" type="xs:dateTime" use="optional"/>
    </xs:complexType>
The <Attribute> element is of AttributeType complex type.
The <Attribute> element contains the following attributes and elements:
AttributeId [Required]
Attribute identifier. A number of identifiers are reserved by XACML to denote commonly used attributes.
DataType [Required]
The data-type of the contents of the <AttributeValue> element. This SHALL be either a primitive type defined by the XACML 1.0 specification or a type defined in a namespace declared in the <xacml-context> element.
Issuer [Optional]
Attribute issuer. This attribute value MAY be an x500Name that binds to a public key, or it may be some other identifier exchanged out-of-band by issuing and relying parties.
IssueInstant [Optional]
The date and time at which the attribute was issued.
<AttributeValue> [Required]
Exactly one attribute value. The mandatory attribute value MAY have contents that are empty, occur once or occur multiple times.
6.8 Element <AttributeValue>
The <AttributeValue> element contains the value of an attribute.
    <xs:element name="AttributeValue" type="xacml-context:AttributeValueType"/>
    <xs:complexType name="AttributeValueType" mixed="true">
        <xs:sequence>
            <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:anyAttribute namespace="##any" processContents="lax"/>
    </xs:complexType>
The <AttributeValue> element is of AttributeValueType type.
The data-type of the <AttributeValue> MAY be specified by using the DataType attribute of the parent <Attribute> element.
6.9 Element <Response>
The <Response> element is a top-level element in the XACML context schema. The <Response> element is an abstraction layer used by the policy language. Any proprietary system using the XACML specification MUST transform an XACML context <Response> into the form of its authorization decision.
The <Response> element encapsulates the authorization decision produced by the PDP. It includes a sequence of one or more results, with one <Result> element per requested resource. Multiple results MAY be returned when the value of the "urn:oasis:xacml:1.0:resource:scope" resource attribute in the request context is "Descendants" or "Children". Support for multiple results is OPTIONAL.
    <xs:element name="Response" type="xacml-context:ResponseType"/>
    <xs:complexType name="ResponseType">
        <xs:sequence>
            <xs:element ref="xacml-context:Result" maxOccurs="unbounded"/>
        </xs:sequence>
    </xs:complexType>
The <Response> element is of ResponseType complex type.
The <Response> element contains the following elements:
<Result> [One to Many]
An authorization decision result.
6.10 Element <Result>
The <Result> element represents an authorization decision result for the resource specified by the ResourceId attribute. It MAY include a set of obligations that MUST be fulfilled by the PEP. If the PEP does not understand an obligation, then it MUST act as if the PDP had denied access to the requested resource.
    <xs:element name="Result" type="xacml-context:ResultType"/>
    <xs:complexType name="ResultType">
        <xs:sequence>
            <xs:element ref="xacml-context:Decision"/>
            <xs:element ref="xacml-context:Status"/>
            <xs:element ref="xacml:Obligations" minOccurs="0"/>
        </xs:sequence>
        <xs:attribute name="ResourceId" type="xs:string" use="optional"/>
    </xs:complexType>
The <Result> element is of ResultType complex type.
The <Result> element contains the following attributes and elements:
ResourceId [Optional]
The identifier of the requested resource. If this attribute is omitted, then the resource identity is specified by the "urn:oasis:names:tc:xacml:1.0:resource:resource-id" resource attribute in the corresponding <Request> element.
<Decision> [Required]
The authorization decision: "Permit", "Deny", "Indeterminate" or "NotApplicable".
<Status> [Required]
Indicates whether errors occurred during evaluation of the decision request, and optionally, information about those errors.
<xacml:Obligations> [Optional]
A list of obligations that MUST be fulfilled by the PEP. If the PEP does not understand an obligation, then it MUST act as if the PDP had denied access to the requested resource. See Section 7.11 for a description of how the set of obligations to be returned by the PDP is determined.
6.11 Element <Decision>
The <Decision> element contains the result of policy evaluation.
    <xs:element name="Decision" type="xacml-context:DecisionType"/>
    <xs:simpleType name="DecisionType">
        <xs:restriction base="xs:string">
            <xs:enumeration value="Permit"/>
            <xs:enumeration value="Deny"/>
            <xs:enumeration value="Indeterminate"/>
            <xs:enumeration value="NotApplicable"/>
        </xs:restriction>
    </xs:simpleType>
The <Decision> element is of DecisionType simple type.
The values of the <Decision> element have the following meanings:
"Permit": the requested access is permitted.
"Deny": the requested access is denied.
"Indeterminate": the PDP is unable to evaluate the requested access. Reasons for such inability include: missing attributes, network errors while retrieving policies, division by zero during policy evaluation, syntax errors in the decision request or in the policy, etc.
"NotApplicable": the PDP does not have any policy that applies to this decision request.
6.12 Element <Status>
The <Status> element represents the status of the authorization decision result.
    <xs:element name="Status" type="xacml-context:StatusType"/>
    <xs:complexType name="StatusType">
        <xs:sequence>
            <xs:element ref="xacml-context:StatusCode"/>
            <xs:element ref="xacml-context:StatusMessage" minOccurs="0"/>
            <xs:element ref="xacml-context:StatusDetail" minOccurs="0"/>
        </xs:sequence>
    </xs:complexType>
The <Status> element is of StatusType complex type.
The <Status> element contains the following elements:
<StatusCode> [Required]
Status code.
<StatusMessage> [Optional]
A status message describing the status code.
<StatusDetail> [Optional]
Additional status information.
6.13 Element <StatusCode>
The <StatusCode> element contains a major status code value and an optional sequence of minor status codes.
    <xs:element name="StatusCode" type="xacml-context:StatusCodeType"/>
    <xs:complexType name="StatusCodeType">
        <xs:sequence>
            <xs:element ref="xacml-context:StatusCode" minOccurs="0"/>
        </xs:sequence>
        <xs:attribute name="Value" type="xs:anyURI" use="required"/>
    </xs:complexType>
The <StatusCode> element is of StatusCodeType complex type.
The <StatusCode> element contains the following attributes and elements:
Value [Required]
See Section B.9 for a list of values.
<StatusCode> [Any Number]
Minor status code. This status code qualifies its parent status code.
6.14 Element <StatusMessage>
The <StatusMessage> element is a free-form description of the status code.
    <xs:element name="StatusMessage" type="xs:string"/>
The <StatusMessage> element is of xs:string type.
6.15 Element <StatusDetail>
The <StatusDetail> element qualifies the <Status> element with additional information.
    <xs:element name="StatusDetail" type="xacml-context:StatusDetailType"/>
    <xs:complexType name="StatusDetailType">
        <xs:sequence>
            <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
    </xs:complexType>
The <StatusDetail> element is of StatusDetailType complex type.
The <StatusDetail> element allows arbitrary XML content.
Inclusion of a <StatusDetail> element is optional. However, if a PDP returns one of the following XACML-defined <StatusCode> values and includes a <StatusDetail> element, then the following rules apply:
urn:oasis:names:tc:xacml:1.0:status:ok
A PDP MUST NOT return a <StatusDetail> element in conjunction with the "ok" status value.
urn:oasis:names:tc:xacml:1.0:status:missing-attribute
A PDP MAY choose not to return any <StatusDetail> information, or MAY choose to return a <StatusDetail> element containing one or more <xacml-context:Attribute> elements. If the PDP includes <AttributeValue> elements in the <Attribute> element, then this indicates the acceptable values for that attribute. If no <AttributeValue> elements are included, then this indicates the names of attributes that the PDP failed to resolve during its evaluation. The list of attributes may be partial or complete. There is no guarantee by the PDP that supplying the missing values or attributes will be sufficient to satisfy the policy.
urn:oasis:names:tc:xacml:1.0:status:syntax-error
A PDP MUST NOT return a <StatusDetail> element in conjunction with the "syntax-error" status value. A syntax error may represent either a problem with the policy being used or with the request context. The PDP MAY return a <StatusMessage> describing the problem.
urn:oasis:names:tc:xacml:1.0:status:processing-error
A PDP MUST NOT return a <StatusDetail> element in conjunction with the "processing-error" status value. This status code indicates an internal problem in the PDP. For security reasons, the PDP MAY choose to return no further information to the PEP. In the case of a divide-by-zero error or other computational error, the PDP MAY return a <StatusMessage> describing the nature of the error.
7 Functional requirements (normative)
This section specifies certain functional requirements that are not directly associated with the production or consumption of a particular XACML element.
7.1 Policy enforcement point
This section describes the requirements for the PEP.
An application functions in the role of the PEP if it guards access to a set of resources and asks the PDP for an authorization decision. The PEP MUST abide by the authorization decision in the following way:
A PEP SHALL allow access to the resource only if a valid XACML response of "Permit" is returned by the PDP. The PEP SHALL deny access to the resource in all other cases. An XACML response of "Permit" SHALL be considered valid only if the PEP understands all of the obligations contained in the response.
7.2 Base policy
A PDP SHALL represent one policy or policy set, called its base policy. This base policy MAY be a <Policy> element containing a <Target> element that matches every possible decision request, or (for instance) it MAY be a <Policy> element containing a <Target> element that matches only a specific subject. In such cases, the base policy SHALL form the root node of a tree of policies connected by <PolicyIdReference> and <PolicySetIdReference> elements to all the rules that may be applicable to any decision request that the PDP is capable of evaluating.
In the case of a PDP that retrieves policies according to the decision request that it is processing, the base policy SHALL contain a <Policy> element containing a <Target> element that matches every possible decision request and a PolicyCombiningAlgId attribute with the value "Only-one-applicable". In other words, the PDP SHALL return an error if it retrieves policies that do not form a single tree.
7.3 Target evaluation
The target value SHALL be "Match" if the subject, resource and action specified in the target all match values in the request context. The target value SHALL be "No-match" if one or more of the subject, resource and action specified in the target do not match values in the request context. The value of a <SubjectMatch>, <ResourceMatch> or <ActionMatch> element in which a referenced attribute value cannot be obtained depends on the value of the MustBePresent attribute of the <AttributeDesignator> or <AttributeSelector> element. If the MustBePresent attribute is "True", then the result of the <SubjectMatch>, <ResourceMatch> or <ActionMatch> element SHALL be "Indeterminate" in this case. If the MustBePresent attribute is "False" or missing, then the result of the <SubjectMatch>, <ResourceMatch> or <ActionMatch> element SHALL be "No-match".
7.4 Condition evaluation
The condition value SHALL be "True" if the <Condition> element is absent, or if it evaluates to "True" for the attribute values supplied in the request context. Its value is "False" if the <Condition> element evaluates to "False" for the attribute values supplied in the request context. If any attribute value referenced in the condition cannot be obtained, then the condition SHALL evaluate to "Indeterminate".
7.5 Rule evaluation
A rule has a value that can be calculated by evaluating its contents. Rule evaluation involves separate evaluation of the rule's target and condition. The rule truth table is shown in Table 1.

    Target            Condition         Rule Value
    "Match"           "True"            Effect
    "Match"           "False"           "NotApplicable"
    "Match"           "Indeterminate"   "Indeterminate"
    "No-match"        Don't care        "NotApplicable"
    "Indeterminate"   Don't care        "Indeterminate"

Table 1 - Rule truth table

If the target value is "No-match" or "Indeterminate", then the rule value SHALL be "NotApplicable" or "Indeterminate", respectively, regardless of the value of the condition. For these cases, therefore, the condition need not be evaluated in order to determine the rule value.
If the target value is "Match" and the condition value is "True", then the effect specified in the rule SHALL determine the rule value.
7.6 Policy evaluation
The value of a policy SHALL be determined only by its contents, considered in relation to the contents of the request context. A policy's value SHALL be determined by evaluation of the policy's target and rules, according to the specified rule-combining algorithm.
The policy's target SHALL be evaluated to determine the applicability of the policy. If the target evaluates to "Match", then the value of the policy SHALL be determined by evaluation of the policy's rules, according to the specified rule-combining algorithm. If the target evaluates to "No-match", then the value of the policy SHALL be "NotApplicable". If the target evaluates to "Indeterminate", then the value of the policy SHALL be "Indeterminate".
The policy truth table is shown in Table 2.

    Target            Rule values                                    Policy Value
    "Match"           At least one rule value is its Effect          Specified by the rule-combining algorithm
    "Match"           All rule values are "NotApplicable"            "NotApplicable"
    "Match"           At least one rule value is "Indeterminate"     Specified by the rule-combining algorithm
    "No-match"        Don't care                                     "NotApplicable"
    "Indeterminate"   Don't care                                     "Indeterminate"

Table 2 - Policy truth table

A rules value of "At least one rule value is its Effect" SHALL be used if the <Rule> element is absent, or if one or more of the rules contained in the policy is applicable to the decision request (i.e., returns a value of "Effect"; see Section 7.5). A rules value of "All rule values are 'NotApplicable'" SHALL be used if no rule contained in the policy is applicable to the request and if no rule contained in the policy returns a value of "Indeterminate". If no rule contained in the policy is applicable to the request, but one or more rules return a value of "Indeterminate", then the rules value SHALL evaluate to "At least one rule value is 'Indeterminate'".
If the target value is "No-match" or "Indeterminate", then the policy value SHALL be "NotApplicable" or "Indeterminate", respectively, regardless of the value of the rules. For these cases, therefore, the rules need not be evaluated in order to determine the policy value.
If the target value is "Match" and the rules value is "At least one rule value is its Effect" or "At least one rule value is 'Indeterminate'", then the rule-combining algorithm specified in the policy SHALL determine the policy value.
7.7 Policy set evaluation
The value of a policy set SHALL be determined by its contents, considered in relation to the contents of the request context. A policy set's value SHALL be determined by evaluation of the policy set's target, policies and policy sets, according to the specified policy-combining algorithm.
The policy set's target SHALL be evaluated to determine the applicability of the policy set. If the target evaluates to "Match", then the value of the policy set SHALL be determined by evaluation of the policy set's policies and policy sets, according to the specified policy-combining algorithm. If the target evaluates to "No-match", then the value of the policy set SHALL be "NotApplicable". If the target evaluates to "Indeterminate", then the value of the policy set SHALL be "Indeterminate".
The policy set truth table is shown in Table 3.

    Target            Policy values                                    Policy Set Value
    "Match"           At least one policy value is its Decision        Specified by the policy-combining algorithm
    "Match"           All policy values are "NotApplicable"            "NotApplicable"
    "Match"           At least one policy value is "Indeterminate"     Specified by the policy-combining algorithm
    "No-match"        Don't care                                       "NotApplicable"
    "Indeterminate"   Don't care                                       "Indeterminate"

Table 3 - Policy set truth table
A policies value of "At least one policy value is its Decision" SHALL be used if there are no contained or referenced policies or policy sets, or if one or more of the policies or policy sets contained in or referenced by the policy set is applicable to the decision request (i.e., returns a value determined by its rule-combining algorithm; see Section 7.6). A policies value of "All policy values are 'NotApplicable'" SHALL be used if no policy or policy set contained in or referenced by the policy set is applicable to the request and if no policy or policy set contained in or referenced by the policy set returns a value of "Indeterminate". If no policy or policy set contained in or referenced by the policy set is applicable to the request, but one or more policies or policy sets return a value of "Indeterminate", then the policies value SHALL evaluate to "At least one policy value is 'Indeterminate'".
If the target value is "No-match" or "Indeterminate", then the policy set value SHALL be "NotApplicable" or "Indeterminate", respectively, regardless of the value of the policies. For these cases, therefore, the policies need not be evaluated in order to determine the policy set value.
If the target value is "Match" and the policies value is "At least one policy value is its Decision" or "At least one policy value is 'Indeterminate'", then the policy-combining algorithm specified in the policy set SHALL determine the policy set value.
7.8 Hierarchical resources
It is often the case that a resource is organized as a hierarchy (e.g., file system, XML document). Some access requesters may request access to an entire subtree of a resource, specified by a node. XACML allows the PEP (or context handler) to specify whether the decision request is just for a single resource or for a subtree below the specified resource. The latter is equivalent to repeating a single request for each node in the entire subtree. When a request context contains a resource attribute of type
urn:oasis:names:tc:xacml:1.0:resource:scope
with a value of "Immediate", or if it does not contain that attribute, then the decision request SHALL be interpreted to apply to just the single resource specified by the "urn:oasis:names:tc:xacml:1.0:resource:resource-id" attribute.
When the
urn:oasis:names:tc:xacml:1.0:resource:scope
attribute has the value "Children", the decision request SHALL be interpreted to apply to the specified resource and its immediate children resources.
When the
urn:oasis:names:tc:xacml:1.0:resource:scope
attribute has the value "Descendants", the decision request SHALL be interpreted to apply to both the specified resource and all its descendant resources.
In the case of "Children" and "Descendants", the authorization decision MAY include multiple results for the multiple sub-nodes in the resource sub-tree.
An XACML authorization response MAY contain multiple <Result> elements.
Note that the method by which the PDP discovers whether the resource is hierarchically organized or not is outside the scope of XACML.
In the case where a child or descendant resource cannot be accessed, the <Result> element associated with the parent element SHALL contain a <StatusCode> Value of "urn:oasis:names:tc:xacml:1.0:status:processing-error".
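The following is an added illustration of Section 7.8, not code from the specification or from any XACML implementation. It expands one decision request over a constructed resource tree according to the scope attribute, produces one result per targeted node (the response may carry multiple <Result> elements), and flags a node whose children cannot be enumerated with the processing-error status. The tree, the inaccessible node and the toy policy are all constructed for the example; the URN constants are the ones named in this section.

```python
"""Expansion of a decision request over a resource hierarchy (Section 7.8).
Added illustration only; the tree, the failing node and the policy are
constructed for the example."""

SCOPE_ATTR = "urn:oasis:names:tc:xacml:1.0:resource:scope"
RESOURCE_ID_ATTR = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
STATUS_PROCESSING_ERROR = "urn:oasis:names:tc:xacml:1.0:status:processing-error"

# Constructed hierarchy: parent -> children.  "/docs/private" is deliberately
# absent so that listing it fails, standing in for a node the context handler
# cannot access.
TREE = {
    "/docs": ["/docs/public", "/docs/private"],
    "/docs/public": ["/docs/public/readme"],
    "/docs/public/readme": [],
}


def list_children(resource_id):
    """Context-handler lookup; raises when the resource cannot be accessed."""
    if resource_id not in TREE:
        raise OSError("cannot access " + resource_id)
    return TREE[resource_id]


def targeted_resources(root, scope):
    """Return [(resource-id, status)] for every node the request covers.

    "Immediate" (or no scope attribute) covers only the root, "Children" the
    root and its immediate children, "Descendants" the whole subtree.  When a
    node's children cannot be enumerated, that node's own result is marked
    processing-error (this example's reading of the "parent" result rule)."""
    results = [(root, STATUS_OK)]
    if scope in (None, "Immediate"):
        return results
    frontier = [root]
    while frontier:
        node = frontier.pop(0)
        try:
            children = list_children(node)
        except OSError:
            results = [(rid, STATUS_PROCESSING_ERROR if rid == node else st)
                       for rid, st in results]
            continue
        for child in children:
            results.append((child, STATUS_OK))
            if scope == "Descendants":      # "Children" stops one level down
                frontier.append(child)
    return results


def toy_policy(resource_id):
    """Constructed policy: deny anything under /docs/private, permit the rest."""
    return "Deny" if resource_id.startswith("/docs/private") else "Permit"


def evaluate_request(request):
    """One <Result>-like dict per targeted resource."""
    root = request[RESOURCE_ID_ATTR]
    scope = request.get(SCOPE_ATTR)
    results = []
    for rid, status in targeted_resources(root, scope):
        decision = "Indeterminate" if status == STATUS_PROCESSING_ERROR else toy_policy(rid)
        results.append({"ResourceId": rid, "Decision": decision, "StatusCode": status})
    return results


if __name__ == "__main__":
    for r in evaluate_request({RESOURCE_ID_ATTR: "/docs", SCOPE_ATTR: "Descendants"}):
        print(r)
```

A PEP that receives several results must apply each one to its own node; a single "Permit" for the root says nothing about a descendant whose result is "Indeterminate" with processing-error, which is why the per-node status is carried through rather than collapsed into one decision.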
7.9 Attributes
Attributes are specified in the request context, regardless of whether or not they appeared in the original decision request, and are referred to in the policy by subject, resource, action and environment attribute designators and attribute selectors. A named attribute is the term used for the criteria that the specific subject, resource, action and environment attribute designators and selectors use to refer to attributes in the subject, resource, action and environment elements of the request context, respectively.
7.9.1 Attribute matching
A named attribute has specific criteria with which to match attributes in the context. An attribute specifies AttributeId, DataType and Issuer attributes, and each named attribute also specifies AttributeId, DataType and optional Issuer attributes. A named attribute SHALL match an attribute if the values of their respective AttributeId, DataType and optional Issuer attributes match, within their particular element (e.g., subject, resource, action or environment) of the context. The AttributeId of the named attribute MUST match, by URI equality, the AttributeId of the context attribute. The DataType of the named attribute MUST match, by URI equality, the DataType of the same context attribute. If Issuer is supplied in the named attribute, then it MUST match, by string equality, the Issuer of the same context attribute. If Issuer is not supplied in the named attribute, then the matching of the context attribute to the named attribute SHALL be governed by AttributeId and DataType alone, regardless of the presence, absence or actual value of Issuer. In the case of an attribute selector, the matching of the attribute to the named attribute SHALL be governed by the XPath expression and DataType.
7.9.2 Attribute retrieval
The PDP SHALL request the values of attributes in the request context from the context handler. The PDP SHALL reference the attributes as if they were in a physical request context document, but the context handler is responsible for obtaining and supplying the requested values. The context handler SHALL return the values of attributes that match the attribute designator or attribute selector and form them into a bag of values with the specified data-type. If no attributes from the request context match, then the attribute SHALL be considered missing. If the attribute is missing, then MustBePresent governs whether the attribute designator or attribute selector returns an empty bag or an "Indeterminate" result. If MustBePresent is "False" (default value), then a missing attribute SHALL result in an empty bag. If MustBePresent is "True", then a missing attribute SHALL result in "Indeterminate". This "Indeterminate" result SHALL be handled in accordance with the specification of the encompassing expressions, rules, policies and policy sets. If the result is "Indeterminate", then the AttributeId, DataType and Issuer of the attribute MAY be listed in the authorization decision, as described in Section 7.10. However, a PDP MAY choose not to return such information for security reasons.
7.9.3 Environment attributes
Environment attributes are listed in Section B.8. If a value for one of these attributes is supplied in the decision request, then the context handler SHALL use that value. Otherwise, the context handler SHALL supply a value. For the date and time attributes, the supplied value SHALL have the semantics of date and time that apply to the decision request.
7.10 Authorization decision
Given a valid XACML policy or policy set, a compliant XACML PDP MUST evaluate the policy as specified in Sections 5 and 4.2. The PDP MUST return a response context with one <Decision> element of value "Permit", "Deny", "Indeterminate" or "NotApplicable".
If the PDP cannot make a decision, then an "Indeterminate" <Decision> element contents SHALL be returned. The PDP MAY return a <Decision> element contents of "Indeterminate" with a status code of
urn:oasis:names:tc:xacml:1.0:missing-attribute
signifying that more information is needed. In this case, the <Status> element MAY list the names and data-types of any attributes of the subjects, resource, action or environment that are needed by the PDP to refine its decision. A PEP MAY resubmit a refined request context in response to a <Decision> element contents of "Indeterminate" with a status code of
urn:oasis:names:tc:xacml:1.0:missing-attribute
by adding attribute values for the attribute names that were listed in the previous response. When the PDP returns a <Decision> element contents of "Indeterminate" with a status code of
urn:oasis:names:tc:xacml:1.0:missing-attribute
it MUST NOT list the names and data-types of any attribute of the subject, resource, action or environment for which values were supplied in the original request. Note: this requirement forces the PDP to eventually return an authorization decision of "Permit", "Deny" or "Indeterminate" with some other status code, in response to successively-refined requests.
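The following is an added illustration of the matching rules of Section 7.9.1, the MustBePresent handling of Section 7.9.2 and the missing-attribute listing rule of Section 7.10. It is not code from the specification or from any XACML implementation. The attribute identifiers (`urn:example:attr:*`), the issuers and the values are constructed for the example; the data-type URIs are the XML Schema ones XACML uses.

```python
"""Named-attribute matching, bag retrieval under MustBePresent, and the
missing-attribute listing.  Added illustration; identifiers, issuers and
values are constructed."""
from dataclasses import dataclass, field
from typing import Optional

XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_INTEGER = "http://www.w3.org/2001/XMLSchema#integer"
ROLE = "urn:example:attr:role"            # constructed AttributeId
CLEARANCE = "urn:example:attr:clearance"  # constructed AttributeId
HR = "urn:example:issuer:hr"              # constructed Issuer


@dataclass(frozen=True)
class NamedAttribute:
    """What an <AttributeDesignator> names.  Issuer is optional."""
    attribute_id: str
    data_type: str
    issuer: Optional[str] = None
    must_be_present: bool = False


@dataclass
class ContextAttribute:
    """An <xacml-context:Attribute> together with its bag of values."""
    attribute_id: str
    data_type: str
    issuer: Optional[str]
    values: list = field(default_factory=list)


class MissingAttribute(Exception):
    """The reference evaluates to "Indeterminate" (MustBePresent="True")."""


def matches(named, ctx):
    """Section 7.9.1: URI equality on AttributeId and DataType; string equality
    on Issuer only when the designator supplies one.  A designator without an
    Issuer therefore also matches unattributed (self-asserted) values."""
    if named.attribute_id != ctx.attribute_id or named.data_type != ctx.data_type:
        return False
    return named.issuer is None or named.issuer == ctx.issuer


def retrieve(named, context_attrs):
    """Section 7.9.2: the bag of every matching value.  Nothing matching gives
    an empty bag, unless MustBePresent makes the reference Indeterminate."""
    bag = [v for a in context_attrs if matches(named, a) for v in a.values]
    if not bag and named.must_be_present:
        raise MissingAttribute(named)
    return bag


def missing_attribute_listing(unresolved, context_attrs):
    """Section 7.10: attribute names the PDP may report with the
    missing-attribute status.  Names for which the request already supplied
    values MUST NOT be listed, so each resubmission can only add information."""
    supplied = {a.attribute_id for a in context_attrs}
    return [(n.attribute_id, n.data_type, n.issuer)
            for n in unresolved if n.attribute_id not in supplied]


def resolve_all(designators, context_attrs):
    """Resolve every designator; return (bags, missing-attribute listing)."""
    bags, unresolved = {}, []
    for d in designators:
        try:
            bags[d] = retrieve(d, context_attrs)
        except MissingAttribute:
            unresolved.append(d)
    return bags, missing_attribute_listing(unresolved, context_attrs)


# Constructed subject attributes: one role asserted by HR, one self-asserted.
SUBJECT = [
    ContextAttribute(ROLE, XS_STRING, HR, ["vp"]),
    ContextAttribute(ROLE, XS_STRING, None, ["admin"]),
    ContextAttribute(CLEARANCE, XS_INTEGER, HR, ["3"]),
]
```

The security-relevant consequence is visible in `matches`: a designator that leaves Issuer unset accepts the self-asserted "admin" value alongside the HR-issued "vp", so a policy that trusts a particular source must name that Issuer. The DataType check is equally strict: a designator asking for `clearance` as a string sees an empty bag, not the integer value 3.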
7.11 Obligations
A policy or policy set may contain one or more obligations. When such a policy or policy set is evaluated, an obligation SHALL be passed up to the next level of evaluation (the enclosing or referencing policy set, or authorization decision) only if the effect of the policy or policy set being evaluated matches the value of the xacml:FulfillOn attribute of the obligation.
As a consequence of this procedure, no obligations SHALL be returned to the PEP if the policies or policy sets from which they are drawn are not evaluated, or if their evaluated result is "Indeterminate" or "NotApplicable", or if the decision resulting from evaluating the policy or policy set does not match the decision resulting from evaluating an enclosing policy set.
If the PDP's evaluation is viewed as a tree of policy sets and policies, each of which returns "Permit" or "Deny", then the set of obligations returned by the PDP to the PEP will include only the obligations associated with those paths where the effect at each level of evaluation is the same as the effect being returned by the PDP. A PEP that receives a valid XACML response of "Permit" with obligations SHALL be responsible for fulfilling all of those obligations. A PEP that receives an XACML response of "Deny" with obligations SHALL be responsible for fulfilling all of the obligations that it understands.
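The following is an added illustration, not code from the specification or from any XACML implementation, that carries the truth tables of Sections 7.3 to 7.7 and the obligation propagation of Section 7.11 through a small policy tree. Targets and conditions are plain Python callables over a request dict of attribute bags (an assumption standing in for the <Target> and <Condition> XML), the combining algorithm is first-applicable for both rules and policies, and the policy tree, attribute names and obligation identifiers are constructed for the example.

```python
"""Rule, policy and policy-set evaluation following Tables 1 to 3, with
obligations passed upward as in Section 7.11.  Added illustration; targets
and conditions are callables (an assumption) and the combining algorithm is
first-applicable."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

MATCH, NO_MATCH, INDETERMINATE = "Match", "No-match", "Indeterminate"
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

class MissingAttribute(Exception):
    """A referenced attribute could not be obtained and MustBePresent is True."""

def attribute(request, name, must_be_present=False):
    """Section 7.9.2: absent attribute -> empty bag, or Indeterminate (raised)."""
    if name in request:
        return request[name]
    if must_be_present:
        raise MissingAttribute(name)
    return []

@dataclass
class Obligation:
    obligation_id: str
    fulfill_on: str               # FulfillOn="Permit" or "Deny"

@dataclass
class Rule:
    effect: str                   # Effect="Permit" or "Deny"
    target: Callable
    condition: Optional[Callable] = None

@dataclass
class Policy:
    target: Callable
    rules: List[Rule]
    obligations: List[Obligation] = field(default_factory=list)

@dataclass
class PolicySet:
    target: Callable
    children: list                # Policy or PolicySet instances
    obligations: List[Obligation] = field(default_factory=list)

def evaluate_target(target, request):
    """Section 7.3: Match, No-match, or Indeterminate on a missing attribute."""
    try:
        return MATCH if target(request) else NO_MATCH
    except MissingAttribute:
        return INDETERMINATE

def evaluate_rule(rule, request):
    """Table 1; an absent <Condition> counts as True (Section 7.4)."""
    t = evaluate_target(rule.target, request)
    if t != MATCH:
        return NOT_APPLICABLE if t == NO_MATCH else INDETERMINATE
    try:
        holds = True if rule.condition is None else bool(rule.condition(request))
    except MissingAttribute:
        return INDETERMINATE
    return rule.effect if holds else NOT_APPLICABLE

def first_applicable(values):
    """first-applicable combining: the first Permit, Deny or Indeterminate wins;
    an empty list or all-NotApplicable gives NotApplicable."""
    for v in values:
        if v != NOT_APPLICABLE:
            return v
    return NOT_APPLICABLE

def evaluate(node, request) -> Tuple[str, List[str]]:
    """Tables 2 and 3: returns (decision, obligation ids to hand to the PEP)."""
    t = evaluate_target(node.target, request)
    if t != MATCH:
        return (NOT_APPLICABLE if t == NO_MATCH else INDETERMINATE), []
    if isinstance(node, Policy):
        child_results = [(evaluate_rule(r, request), []) for r in node.rules]
    else:
        child_results = [evaluate(c, request) for c in node.children]
    decision = first_applicable([d for d, _ in child_results])
    # Section 7.11: obligations travel upward only along paths whose decision
    # equals the decision returned from this level, and a level's own
    # obligations join only when their FulfillOn equals that decision.
    passed_up = [o for d, obs in child_results if d == decision for o in obs]
    own = [o.obligation_id for o in node.obligations if o.fulfill_on == decision]
    return decision, passed_up + own

# Constructed policy tree: contractors are denied outright; vice presidents may
# read the financial data, and every permitted read must be logged.  Denials
# anywhere under the base policy set are audited.
FINANCIAL = Policy(
    target=lambda r: "financial-data" in attribute(r, "resource-id"),
    rules=[
        Rule(DENY, target=lambda r: "contractor" in attribute(r, "role", True)),
        Rule(PERMIT, target=lambda r: "vp" in attribute(r, "role"),
             condition=lambda r: "read" in attribute(r, "action-id")),
    ],
    obligations=[Obligation("log-access", PERMIT)],
)
BASE = PolicySet(target=lambda r: True, children=[FINANCIAL],
                 obligations=[Obligation("audit-denial", DENY)])
```

The request that omits `role` is the case worth tracing: the first rule's target references it with MustBePresent set, so the rule is "Indeterminate", first-applicable returns that immediately, and no obligation is attached, exactly as Section 7.11 requires for an "Indeterminate" result.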
7.12 Unsupported functionality
If the PDP attempts to evaluate a policy set or policy that contains an optional element type or feature that the PDP does not support, then the PDP SHALL return a <Decision> value of "Indeterminate". If a <StatusCode> element is also returned, then its value SHALL be "urn:oasis:names:tc:xacml:1.0:status:syntax-error" in the case of an unsupported element type, and "urn:oasis:names:tc:xacml:1.0:status:processing-error" in the case of an unsupported feature.
7.13 Syntax and type errors
If a policy that contains invalid syntax is evaluated by the XACML PDP at the time a decision request is received, then the result of that policy SHALL be "Indeterminate" with a StatusCode value of "urn:oasis:names:tc:xacml:1.0:status:syntax-error".
If a policy that contains invalid static data-types is evaluated by the XACML PDP at the time a decision request is received, then the result of that policy SHALL be "Indeterminate" with a StatusCode value of "urn:oasis:names:tc:xacml:1.0:status:processing-error".
8 XACML extensibility points (non-normative)
This section describes the points within the XACML model and schema where extensions can be added.
8.1 Extensible XML attribute types
The following XML attributes have values that are URIs. These may be extended by the creation of new URIs associated with new semantics for these attributes:
    AttributeId
    AttributeValue
    DataType
    FunctionId
    MatchId
    ObligationId
    PolicyCombiningAlgId
    RuleCombiningAlgId
    StatusCode
    SubjectCategory
See Section 5 for definitions of these attribute types.
8.2 Structured attributes
An XACML <AttributeValue> element MAY contain an instance of a structured XML data-type. Section A.3 describes a number of standard techniques to identify data items within such a structured attribute. Listed here are some additional techniques that require XACML extensions.
1. For a given structured data-type, a community of XACML users MAY define new attribute identifiers for each leaf sub-element of the structured data-type that has a type conformant with one of the XACML-defined primitive data-types. Using these new attribute identifiers, the PEPs or context handlers used by that community of users can flatten instances of the structured data-type into a sequence of individual <Attribute> elements. Each such <Attribute> element can be compared using the XACML-defined functions. Using this method, the structured data-type itself never appears in an <AttributeValue> element.
2. A community of XACML users MAY define a new function that can be used to compare a value of the structured data-type against some other value. This method may only be used by PDPs that support the new function.
9 Security and privacy considerations (non-normative)
This section identifies possible security and privacy compromise scenarios that should be considered when implementing an XACML-based system The section is informative only It is left to the implementer to decide whether these compromise scenarios are practical in their environment and to select appropriate safeguards
9.1 Threat model
We assume here that the adversary has access to the communication channel between the XACML actors and is able to interpret, insert, delete and modify messages or parts of messages.
Additionally, an actor may use information from a former transaction maliciously in subsequent transactions. It is further assumed that rules and policies are only as reliable as the actors that create and use them. Thus, it is incumbent on each actor to establish appropriate trust in the other actors upon which it relies. Mechanisms for trust establishment are outside the scope of this specification.
The messages that are transmitted between the actors in the XACML model are susceptible to attack by malicious third parties. Other points of vulnerability include the PEP, the PDP and the PAP. While some of these entities are not strictly within the scope of this specification, their compromise could lead to the compromise of access control enforced by the PEP.
It should be noted that there are other components of a distributed system that may be compromised, such as an operating system and the domain-name system (DNS), that are outside the scope of this discussion of threat models. Compromise in these components may also lead to a policy violation.
The following sections detail specific compromise scenarios that may be relevant to an XACML system.
9.1.1 Unauthorized disclosure
XACML does not specify any inherent mechanisms for confidentiality of the messages exchanged between actors. Therefore, an adversary could observe the messages in transit. Under certain security policies, disclosure of this information is a violation. Disclosure of attributes or the types of decision requests that a subject submits may be a breach of privacy policy. In the commercial sector, the consequences of unauthorized disclosure of personal data may range from embarrassment to the custodian to imprisonment and large fines in the case of medical or financial data.
Unauthorized disclosure is addressed by confidentiality mechanisms.
9.1.2 Message replay
A message replay attack is one in which the adversary records and replays legitimate messages between XACML actors. This attack may lead to denial of service, the use of out-of-date information or impersonation.
Prevention of replay attacks requires the use of message freshness mechanisms.
Note that encryption of the message does not mitigate a replay attack, since the message is just replayed and does not have to be understood by the adversary.
9.1.3 Message insertion
A message insertion attack is one in which the adversary inserts messages in the sequence of messages between XACML actors.
The solution to a message insertion attack is to use mutual authentication and a message sequence integrity mechanism between the actors. It should be noted that just using SSL mutual authentication is not sufficient. This only proves that the other party is the one identified by the subject of the X.509 certificate. In order to be effective, it is necessary to confirm that the certificate subject is authorized to send the message.
9.1.4 Message deletion
A message deletion attack is one in which the adversary deletes messages in the sequence of messages between XACML actors. Message deletion may lead to denial of service. However, a properly designed XACML system should not render an incorrect authorization decision as a result of a message deletion attack.
The solution to a message deletion attack is to use a message integrity mechanism between the actors.
9.1.5 Message modification
If an adversary can intercept a message and change its contents, then they may be able to alter an authorization decision. Message integrity mechanisms can prevent a successful message modification attack.
9.1.6 NotApplicable results
A result of "NotApplicable" means that the PDP did not have a policy whose target matched the information in the decision request. In general, we highly recommend using a default-deny policy, so that when a PDP would have returned "NotApplicable", a result of "Deny" is returned instead.
In some security models, however, such as is common in many Web Servers, a result of "NotApplicable" is treated as equivalent to "Permit". There are particular security considerations that must be taken into account for this to be safe. These are explained in the following paragraphs.
If "NotApplicable" is to be treated as "Permit", it is vital that the matching algorithms used by the policy to match elements in the decision request are closely aligned with the data syntax used by the applications that will be submitting the decision request. A failure to match will be treated as "Permit", so an unintended failure to match may allow unintended access.
A common example of this is a Web Server. Commercial http responders allow a variety of syntaxes to be treated equivalently. The "%" can be used to represent characters by hex value. The URL path provides multiple ways of specifying the same value. Multiple character sets may be permitted, and in some cases the same printed character can be represented by different binary values. Unless the matching algorithm used by the policy is sophisticated enough to catch these variations, unintended access may be permitted.
It is safe to treat "NotApplicable" as "Permit" only in a closed environment where all applications that formulate a decision request can be guaranteed to use the exact syntax expected by the policies used by the PDP. In a more open environment, where decision requests may be received from applications that may use any legal syntax, it is strongly recommended that "NotApplicable" NOT be treated as "Permit", unless matching rules have been very carefully designed to match all possible applicable inputs, regardless of syntax or type variations.
9.1.7 Negative rules
A negative rule is one that is based on a predicate not being "True". If not used with care, negative rules can lead to policy violation; therefore, some authorities recommend that they not be used. However, negative rules can be extremely efficient in certain cases, so XACML has chosen to include them. Nevertheless, it is recommended that they be used with care and avoided if possible.
A common use for negative rules is to deny access to an individual or subgroup when their membership in a larger group would otherwise permit them access. For example, we might want to write a rule that allows all Vice Presidents to see the unpublished financial data, except for Joe, who is only a Ceremonial Vice President and can be indiscreet in his communications. If we have complete control of the administration of subject attributes, a superior approach would be to define "Vice President" and "Ceremonial Vice President" as distinct groups and then define rules accordingly. However, in some environments this approach may not be feasible. (It is worth noting in passing that, generally speaking, referring to individuals in rules does not scale well. Generally, shared attributes are preferred.)
If not used with care, negative rules can lead to policy violation in two common cases. They are: when attributes are suppressed, and when the base group changes. An example of suppressed attributes would be if we have a policy that access should be permitted unless the subject is a credit risk. If it is possible that the attribute of being a credit risk may be unknown to the PDP for some reason, then unauthorized access may be permitted. In some environments, the subject may be able to suppress the publication of attributes by the application of privacy controls, or the server or repository that contains the information may be unavailable for accidental or intentional reasons.
An example of a changing base group would be if there is a policy that everyone in the engineering department may change software source code, except for secretaries. Suppose now that the department were to merge with another engineering department and the intent is to maintain the same policy. However, the new department also includes individuals identified as administrative assistants, who ought to be treated in the same way as secretaries. Unless the policy is altered, they will unintentionally be permitted to change software source code. Problems of this type are easy to avoid when one individual administers all policies, but when administration is distributed, as XACML allows, this type of situation must be explicitly guarded against.
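The two failure modes of section 9.1.7 (a suppressed attribute and a changing base group), worked through as an added example; this is not code from the specification or from any XACML implementation. The attribute ids (credit-risk, department, role), the role names and the allow-list in source_rule_positive are constructed for the illustration. boolean_is_in and boolean_one_and_only follow the semantics of the XACML functions of the same name, with a bag modelled as a Python list, and the PEP mapping treats only an explicit Permit as access, as section 9.1.6 recommends for open environments.

```python
# Constructed illustration of the negative-rule pitfalls in section 9.1.7.
# Not code from the XACML specification or from any XACML implementation;
# rule and attribute names are made up for the example.

from typing import Dict, List

PERMIT = "Permit"
DENY = "Deny"
NOT_APPLICABLE = "NotApplicable"
INDETERMINATE = "Indeterminate"

Context = Dict[str, List[object]]  # attribute id -> bag of values


class MissingAttribute(Exception):
    """Raised where an XACML *-one-and-only function would yield Indeterminate."""


def boolean_one_and_only(bag: List[object]) -> bool:
    """Mirrors boolean-one-and-only: exactly one value, otherwise an error."""
    if len(bag) != 1:
        raise MissingAttribute("expected a bag of exactly one boolean")
    return bool(bag[0])


def boolean_is_in(value: bool, bag: List[object]) -> bool:
    """Mirrors boolean-is-in: an empty bag simply yields False."""
    return value in bag


# --- Failure mode 1: suppressed attribute ----------------------------------

def credit_rule_loose(ctx: Context) -> str:
    """'Permit unless the subject is a credit risk', written with is-in.
    If credit-risk is absent (privacy control, repository down), the empty bag
    makes the predicate False, 'not' makes it True, and the rule permits:
    exactly the policy violation section 9.1.7 warns about."""
    if not boolean_is_in(True, ctx.get("credit-risk", [])):
        return PERMIT
    return NOT_APPLICABLE  # condition False -> a Permit rule is NotApplicable


def credit_rule_strict(ctx: Context) -> str:
    """Same intent, but one-and-only turns a missing attribute into
    Indeterminate, which the PEP below never treats as access."""
    try:
        if not boolean_one_and_only(ctx.get("credit-risk", [])):
            return PERMIT
        return NOT_APPLICABLE
    except MissingAttribute:
        return INDETERMINATE


# --- Failure mode 2: changing base group -----------------------------------

def source_rule_negative(ctx: Context) -> str:
    """Combined result of 'engineering may change source code' plus a deny
    rule for secretaries under deny-overrides. A role that arrives with a
    merged department ('administrative-assistant') is not named in the deny
    rule, so it is permitted."""
    if "engineering" not in ctx.get("department", []):
        return NOT_APPLICABLE
    if "secretary" in ctx.get("role", []):
        return DENY
    return PERMIT


ALLOWED_SOURCE_ROLES = {"engineer", "team-lead"}  # constructed allow-list


def source_rule_positive(ctx: Context) -> str:
    """Positive formulation (this example's suggestion, not the spec's text):
    permit only roles explicitly known to need source access, so an unknown
    role falls through to NotApplicable instead of Permit."""
    if "engineering" not in ctx.get("department", []):
        return NOT_APPLICABLE
    roles = set(ctx.get("role", []))
    if roles and roles <= ALLOWED_SOURCE_ROLES:
        return PERMIT
    return NOT_APPLICABLE


def pep_grants_access(decision: str) -> bool:
    """PEP mapping: only an explicit Permit grants access; NotApplicable and
    Indeterminate are both refused (section 9.1.6)."""
    return decision == PERMIT


if __name__ == "__main__":
    suppressed: Context = {"subject-id": ["alice"]}  # credit-risk withheld
    print("loose rule, attribute missing :", credit_rule_loose(suppressed))
    print("strict rule, attribute missing:", credit_rule_strict(suppressed))
    merged: Context = {"department": ["engineering"],
                       "role": ["administrative-assistant"]}
    print("negative rule after merge     :", source_rule_negative(merged))
    print("positive rule after merge     :", source_rule_positive(merged))
```

Running the block shows the loose rule permitting a subject whose credit-risk attribute was withheld, while the strict form returns Indeterminate and the PEP refuses access; the merged-department case shows the negative rule permitting the new role and the allow-list form refusing it.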
9.2 Safeguards

9.2.1 Authentication

Authentication provides the means for one party in a transaction to determine the identity of the other party in the transaction. Authentication may be in one direction, or it may be bilateral.

Given the sensitive nature of access control systems, it is important for a PEP to authenticate the identity of the PDP to which it sends decision requests. Otherwise, there is a risk that an adversary could provide false or invalid authorization decisions, leading to a policy violation.

It is equally important for a PDP to authenticate the identity of the PEP and assess the level of trust to determine what, if any, sensitive data should be passed. One should keep in mind that even simple Permit or Deny responses could be exploited if an adversary were allowed to make unlimited requests to a PDP.

Many different techniques may be used to provide authentication, such as co-located code, a private network, a VPN, or digital signatures. Authentication may also be performed as part of the communication protocol used to exchange the contexts. In this case, authentication may be performed at the message level or at the session level.

9.2.2 Policy administration

If the contents of policies are exposed outside of the access control system, potential subjects may use this information to determine how to gain unauthorized access.

To prevent this threat, the repository used for the storage of policies may itself require access control. In addition, the <Status> element should be used to return values of missing attributes only when exposure of the identities of those attributes will not compromise security.

9.2.3 Confidentiality

Confidentiality mechanisms ensure that the contents of a message can be read only by the desired recipients, and not by anyone else who encounters the message while it is in transit. There are two areas in which confidentiality should be considered: one is confidentiality during transmission; the other is confidentiality within a <Policy> element.

9.2.3.1 Communication confidentiality

In some environments, it is deemed good practice to treat all data within an access control system as confidential. In other environments, policies may be made freely available for distribution, inspection, and audit. The idea behind keeping policy information secret is to make it more difficult for an adversary to know what steps might be sufficient to obtain unauthorized access. Regardless of the approach chosen, the security of the access control system should not depend on the secrecy of the policy.
Any security concerns or requirements related to transmitting or exchanging XACML <Policy> elements are outside the scope of the XACML standard. While it is often important to ensure that the integrity and confidentiality of <Policy> elements is maintained when they are exchanged between two parties, it is left to the implementers to determine the appropriate mechanisms for their environment.

Communications confidentiality can be provided by a confidentiality mechanism, such as SSL. Using a point-to-point scheme like SSL may lead to other vulnerabilities when one of the end-points is compromised.

9.2.3.2 Statement level confidentiality

In some cases, an implementation may want to encrypt only parts of an XACML <Policy> element.

The XML Encryption Syntax and Processing Candidate Recommendation from W3C can be used to encrypt all or parts of an XML document. This specification is recommended for use with XACML.

It should go without saying that if a repository is used to facilitate the communication of cleartext (i.e. unencrypted) policy between the PAP and PDP, then a secure repository should be used to store this sensitive data.

9.2.4 Policy integrity

The XACML policy used by the PDP to evaluate the request context is the heart of the system. Therefore, maintaining its integrity is essential. There are two aspects to maintaining the integrity of the policy. One is to ensure that <Policy> elements have not been altered since they were originally created by the PAP. The other is to ensure that <Policy> elements have not been inserted or deleted from the set of policies.

In many cases, both aspects can be achieved by ensuring the integrity of the actors and implementing session-level mechanisms to secure the communication between actors. The selection of the appropriate mechanisms is left to the implementers. However, when policy is distributed between organizations to be acted on at a later time, or when the policy travels with the protected resource, it would be useful to sign the policy. In these cases, the XML Signature Syntax and Processing standard from W3C is recommended to be used with XACML.

Digital signatures should only be used to ensure the integrity of the statements. Digital signatures should not be used as a method of selecting or evaluating policy. That is, the PDP should not request a policy based on who signed it or whether or not it has been signed (as such a basis for selection would itself be a matter of policy). However, the PDP must verify that the key used to sign the policy is one controlled by the purported issuer of the policy. The means to do this are dependent on the specific signature technology chosen and are outside the scope of this document.
9.2.5 Policy identifiers

Since policies can be referenced by their identifiers, it is the responsibility of the PAP to ensure that these are unique. Confusion between identifiers could lead to misidentification of the applicable policy. This specification is silent on whether a PAP must generate a new identifier when a policy is modified, or may use the same identifier in the modified policy. This is a matter of administrative practice. However, care must be taken in either case. If the identifier is reused, there is a danger that other policies or policy sets that reference it may be adversely affected. Conversely, if a new identifier is used, these other policies may continue to use the prior policy unless it is deleted. In either case, the results may not be what the policy administrator intends.
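The loader-side checks that sections 9.2.4 and 9.2.5 call for, as an added example that is not code from the specification or from any XACML product. HMAC-SHA256 over the serialized <Policy> stands in for the XML Signature the specification recommends, and the ISSUER_KEYS table stands in for the issuer-to-key binding that a trust model (section 9.2.6) would establish; the PAP names, keys, PolicyIds and policy bodies are constructed. The tag gates whether a policy is loaded at all; it is never used to choose which policy applies, and a PolicyId that two verified policies share is refused for both, since a PolicyIdReference to it could not be resolved unambiguously.

```python
# Constructed example for sections 9.2.4 and 9.2.5: verify policy integrity
# against the key bound to the purported issuer, then enforce PolicyId
# uniqueness before handing policies to the PDP. HMAC-SHA256 stands in for
# XML Signature; all names and keys below are made up for the illustration.

import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class SignedPolicy:
    policy_id: str   # value of the PolicyId attribute
    issuer: str      # purported issuer: the PAP claiming to have created it
    body: bytes      # serialized <Policy> element exactly as received
    tag: bytes       # integrity tag the issuer computed over body


# Constructed key material: the key each known PAP controls.
ISSUER_KEYS: Dict[str, bytes] = {
    "pap-finance": b"constructed-key-finance",
    "pap-hr": b"constructed-key-hr",
}


def issue(issuer: str, policy_id: str, body: bytes,
          keys: Dict[str, bytes] = ISSUER_KEYS) -> SignedPolicy:
    """What a PAP does: tag the serialized policy with the key it controls."""
    tag = hmac.new(keys[issuer], body, hashlib.sha256).digest()
    return SignedPolicy(policy_id, issuer, body, tag)


def verify_integrity(p: SignedPolicy,
                     keys: Dict[str, bytes] = ISSUER_KEYS) -> bool:
    """9.2.4: the tag must verify under the key the purported issuer controls.
    A tag that is valid under some other party's key is rejected: a signature
    proves integrity only when the key is bound to the claimed issuer."""
    key = keys.get(p.issuer)
    if key is None:
        return False
    expected = hmac.new(key, p.body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, p.tag)


def load_policy_set(policies: Iterable[SignedPolicy],
                    keys: Dict[str, bytes] = ISSUER_KEYS
                    ) -> Tuple[Dict[str, bytes], List[Tuple[str, str]]]:
    """Return (accepted, rejected): accepted maps PolicyId -> body for the PDP,
    rejected lists (PolicyId, reason). The tag only gates loading; afterwards
    the PDP selects policies by PolicyId and target, never by who signed them."""
    verified: List[SignedPolicy] = []
    rejected: List[Tuple[str, str]] = []
    for p in policies:
        if verify_integrity(p, keys):
            verified.append(p)
        else:
            rejected.append((p.policy_id, "integrity or issuer check failed"))
    # 9.2.5: PolicyIds must be unique. If two verified policies share one,
    # a reference to it cannot be resolved unambiguously, so neither loads.
    counts: Dict[str, int] = {}
    for p in verified:
        counts[p.policy_id] = counts.get(p.policy_id, 0) + 1
    accepted: Dict[str, bytes] = {}
    for p in verified:
        if counts[p.policy_id] > 1:
            rejected.append((p.policy_id, "duplicate PolicyId"))
        else:
            accepted[p.policy_id] = p.body
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: a good policy, a tampered copy, a policy tagged
    # under another PAP's key, and two valid policies sharing one PolicyId.
    good = issue("pap-finance", "urn:example:policy:ledger-read",
                 b'<Policy PolicyId="urn:example:policy:ledger-read"/>')
    tampered = SignedPolicy(good.policy_id, good.issuer,
                            good.body.replace(b"read", b"write"), good.tag)
    hr = issue("pap-hr", "urn:example:policy:hr-read",
               b'<Policy PolicyId="urn:example:policy:hr-read"/>')
    wrong_issuer = SignedPolicy(hr.policy_id, "pap-finance", hr.body, hr.tag)
    dup1 = issue("pap-finance", "urn:example:policy:shared", b"<Policy/>")
    dup2 = issue("pap-hr", "urn:example:policy:shared", b"<Policy/>")
    accepted, rejected = load_policy_set([good, tampered, wrong_issuer, dup1, dup2])
    print("accepted:", sorted(accepted))
    for pid, why in rejected:
        print("rejected:", pid, "-", why)
```

The wrong_issuer case is the one section 9.2.4 singles out: its tag is genuine, but under a key that the claimed issuer does not control, so it is refused in the same way as a tampered body.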
9.2.6 Trust model

Discussions of authentication, integrity, and confidentiality mechanisms necessarily assume an underlying trust model: how can one actor come to believe that a given key is uniquely associated with a specific, identified actor, so that the key can be used to encrypt data for that actor or verify signatures (or other integrity structures) from that actor? Many different types of trust model exist, including strict hierarchies, distributed authorities, the Web, the bridge, and so on.

It is worth considering the relationships between the various actors of the access control system in terms of the interdependencies that do and do not exist.

None of the entities of the authorization system are dependent on the PEP. They may collect data from it, for example authentication, but are responsible for verifying it.

The correct operation of the system depends on the ability of the PEP to actually enforce policy decisions.

The PEP depends on the PDP to correctly evaluate policies. This, in turn, implies that the PDP is supplied with the correct inputs. Other than that, the PDP does not depend on the PEP.

The PDP depends on the PAP to supply appropriate policies. The PAP is not dependent on other components.

9.2.7 Privacy

It is important to be aware that any transactions that occur with respect to access control may reveal private information about the actors. For example, if an XACML policy states that certain data may only be read by subjects with "Gold Card Member" status, then any transaction in which a subject is permitted access to that data leaks information to an adversary about the subject's status. Privacy considerations may therefore lead to encryption and/or to access control policies surrounding the enforcement of XACML policy instances themselves, confidentiality-protected channels for the request/response protocol messages, protection of subject attributes in storage and in transit, and so on.

Selection and use of privacy mechanisms appropriate to a given environment are outside the scope of XACML. The decision regarding whether, how, and when to deploy such mechanisms is left to the implementers associated with the environment.

10 Conformance (normative)

10.1 Introduction

The XACML specification addresses the following aspect of conformance.

The XACML specification defines a number of functions, etc., that have somewhat specialist application; therefore, they are not required to be implemented in an implementation that claims to conform with the OASIS standard.

10.2 Conformance tables

This section lists those portions of the specification that MUST be included in an implementation of a PDP that claims to conform with XACML v1.0. A set of test cases has been created to assist in this process. These test cases are hosted by Sun Microsystems and can be located from the
XACML Web page. The site hosting the test cases contains a full description of the test cases and how to execute them.

Note: "M" means mandatory-to-implement; "O" means optional.

10.2.1 Schema elements

The implementation MUST support those schema elements that are marked "M".

Element name                              M/O
xacml-context:Action                      M
xacml-context:Attribute                   M
xacml-context:AttributeValue              M
xacml-context:Decision                    M
xacml-context:Environment                 M
xacml-context:Obligations                 O
xacml-context:Request                     M
xacml-context:Resource                    M
xacml-context:ResourceContent             O
xacml-context:Response                    M
xacml-context:Result                      M
xacml-context:Status                      M
xacml-context:StatusCode                  M
xacml-context:StatusDetail                O
xacml-context:StatusMessage               O
xacml-context:Subject                     M
xacml:Action                              M
xacml:ActionAttributeDesignator           M
xacml:ActionMatch                         M
xacml:Actions                             M
xacml:AnyAction                           M
xacml:AnyResource                         M
xacml:AnySubject                          M
xacml:Apply                               M
xacml:AttributeAssignment                 O
xacml:AttributeSelector                   O
xacml:AttributeValue                      M
xacml:Condition                           M
xacml:Description                         M
xacml:EnvironmentAttributeDesignator      M
xacml:Function                            M
xacml:Obligation                          O
xacml:Obligations                         O
xacml:Policy                              M
xacml:PolicyDefaults                      O
xacml:PolicyIdReference                   M
xacml:PolicySet                           M
xacml:PolicySetDefaults                   O
xacml:PolicySetIdReference                M
xacml:Resource                            M
xacml:ResourceAttributeDesignator         M
xacml:ResourceMatch                       M
xacml:Resources                           M
xacml:Rule                                M
xacml:Subject                             M
xacml:SubjectMatch                        M
xacml:Subjects                            M
xacml:Target                              M
xacml:XPathVersion                        O

10.2.2 Identifier prefixes

The following identifier prefixes are reserved by XACML.

Identifier
urn:oasis:names:tc:xacml:1.0
urn:oasis:names:tc:xacml:1.0:conformance-test
urn:oasis:names:tc:xacml:1.0:context
urn:oasis:names:tc:xacml:1.0:example
urn:oasis:names:tc:xacml:1.0:function
urn:oasis:names:tc:xacml:1.0:policy
urn:oasis:names:tc:xacml:1.0:subject
urn:oasis:names:tc:xacml:1.0:resource
urn:oasis:names:tc:xacml:1.0:action

10.2.3 Algorithms

The implementation MUST include the rule- and policy-combining algorithms associated with the following identifiers that are marked "M".

Algorithm                                                                       M/O
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides            M
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides          M
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides          M
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides        M
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable          M
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable        M
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable     M
urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-deny-overrides
urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-deny-overrides
urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides
urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides

10.2.4 Status codes

Implementation support for the urn:oasis:names:tc:xacml:1.0:context:status element is optional, but if the element is supported, then the following status codes must be supported and must be used in the way XACML has specified.

Identifier                                               M/O
urn:oasis:names:tc:xacml:1.0:status:missing-attribute    M
urn:oasis:names:tc:xacml:1.0:status:ok                   M
urn:oasis:names:tc:xacml:1.0:status:processing-error     M
urn:oasis:names:tc:xacml:1.0:status:syntax-error         M

10.2.5 Attributes

The implementation MUST support the attributes associated with the following attribute identifiers, as specified by XACML. If values for these attributes are not present in the decision request, then their values MUST be supplied by the PDP. So, unlike most other attributes, their semantics are not transparent to the PDP.

Identifier                                                M/O
urn:oasis:names:tc:xacml:1.0:environment:current-time     M
urn:oasis:names:tc:xacml:1.0:environment:current-date     M
urn:oasis:names:tc:xacml:1.0:environment:current-dateTime M

10.2.6 Identifiers

The implementation MUST use the attributes associated with the following identifiers in the way XACML has defined. This requirement pertains primarily to implementations of a PAP or PEP that use XACML, since the semantics of the attributes are transparent to the PDP.

Identifier                                                        M/O
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name      O
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address    O
urn:oasis:names:tc:xacml:1.0:subject:authentication-method        O
urn:oasis:names:tc:xacml:1.0:subject:authentication-time          O
urn:oasis:names:tc:xacml:1.0:subject:key-info                     O
urn:oasis:names:tc:xacml:1.0:subject:request-time                 O
urn:oasis:names:tc:xacml:1.0:subject:session-start-time           O
urn:oasis:names:tc:xacml:1.0:subject:subject-id                   O
urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier         O
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject      M
urn:oasis:names:tc:xacml:1.0:subject-category:codebase            O
urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject O
urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject   O
urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine  O
urn:oasis:names:tc:xacml:1.0:resource:resource-location           O
urn:oasis:names:tc:xacml:1.0:resource:resource-id                 M
urn:oasis:names:tc:xacml:1.0:resource:scope                       O
urn:oasis:names:tc:xacml:1.0:resource:simple-file-name            O
urn:oasis:names:tc:xacml:1.0:action:action-id                     M
urn:oasis:names:tc:xacml:1.0:action:implied-action                M

10.2.7 Data-types

The implementation MUST support the data-types associated with the following identifiers marked "M".

Data-type                                                              M/O
http://www.w3.org/2001/XMLSchema#string                                M
http://www.w3.org/2001/XMLSchema#boolean                               M
http://www.w3.org/2001/XMLSchema#integer                               M
http://www.w3.org/2001/XMLSchema#double                                M
http://www.w3.org/2001/XMLSchema#time                                  M
http://www.w3.org/2001/XMLSchema#date                                  M
http://www.w3.org/2001/XMLSchema#dateTime                              M
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration M
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration M
http://www.w3.org/2001/XMLSchema#anyURI                                M
http://www.w3.org/2001/XMLSchema#hexBinary                             M
http://www.w3.org/2001/XMLSchema#base64Binary                          M
urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name                      M
urn:oasis:names:tc:xacml:1.0:data-type:x500Name                        M

10.2.8 Functions

The implementation MUST properly process those functions associated with the identifiers marked with an "M".

Function                                                                   M/O
urn:oasis:names:tc:xacml:1.0:function:string-equal                         M
urn:oasis:names:tc:xacml:1.0:function:boolean-equal                        M
urn:oasis:names:tc:xacml:1.0:function:integer-equal                        M
urn:oasis:names:tc:xacml:1.0:function:double-equal                         M
urn:oasis:names:tc:xacml:1.0:function:date-equal                           M
urn:oasis:names:tc:xacml:1.0:function:time-equal                           M
urn:oasis:names:tc:xacml:1.0:function:dateTime-equal                       M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-equal                M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-equal              M
urn:oasis:names:tc:xacml:1.0:function:anyURI-equal                         M
urn:oasis:names:tc:xacml:1.0:function:x500Name-equal                       M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal                     M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-equal                      M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-equal                   M
urn:oasis:names:tc:xacml:1.0:function:integer-add                          M
urn:oasis:names:tc:xacml:1.0:function:double-add                           M
urn:oasis:names:tc:xacml:1.0:function:integer-subtract                     M
urn:oasis:names:tc:xacml:1.0:function:double-subtract                      M
urn:oasis:names:tc:xacml:1.0:function:integer-multiply                     M
urn:oasis:names:tc:xacml:1.0:function:double-multiply                      M
urn:oasis:names:tc:xacml:1.0:function:integer-divide                       M
urn:oasis:names:tc:xacml:1.0:function:double-divide                        M
urn:oasis:names:tc:xacml:1.0:function:integer-mod                          M
urn:oasis:names:tc:xacml:1.0:function:integer-abs                          M
urn:oasis:names:tc:xacml:1.0:function:double-abs                           M
urn:oasis:names:tc:xacml:1.0:function:round                                M
urn:oasis:names:tc:xacml:1.0:function:floor                                M
urn:oasis:names:tc:xacml:1.0:function:string-normalize-space               M
urn:oasis:names:tc:xacml:1.0:function:string-normalize-to-lower-case       M
urn:oasis:names:tc:xacml:1.0:function:double-to-integer                    M
urn:oasis:names:tc:xacml:1.0:function:integer-to-double                    M
urn:oasis:names:tc:xacml:1.0:function:or                                   M
urn:oasis:names:tc:xacml:1.0:function:and                                  M
urn:oasis:names:tc:xacml:1.0:function:n-of                                 M
urn:oasis:names:tc:xacml:1.0:function:not                                  M
urn:oasis:names:tc:xacml:1.0:function:present                              M
urn:oasis:names:tc:xacml:1.0:function:integer-greater-than                 M
urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal        M
urn:oasis:names:tc:xacml:1.0:function:integer-less-than                    M
urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal           M
urn:oasis:names:tc:xacml:1.0:function:double-greater-than                  M
urn:oasis:names:tc:xacml:1.0:function:double-greater-than-or-equal         M
urn:oasis:names:tc:xacml:1.0:function:double-less-than                     M
urn:oasis:names:tc:xacml:1.0:function:double-less-than-or-equal            M
urn:oasis:names:tc:xacml:1.0:function:dateTime-add-dayTimeDuration         M
urn:oasis:names:tc:xacml:1.0:function:dateTime-add-yearMonthDuration       M
urn:oasis:names:tc:xacml:1.0:function:dateTime-subtract-dayTimeDuration    M
urn:oasis:names:tc:xacml:1.0:function:dateTime-subtract-yearMonthDuration  M
urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration           M
urn:oasis:names:tc:xacml:1.0:function:date-subtract-yearMonthDuration      M
urn:oasis:names:tc:xacml:1.0:function:string-greater-than                  M
urn:oasis:names:tc:xacml:1.0:function:string-greater-than-or-equal         M
urn:oasis:names:tc:xacml:1.0:function:string-less-than                     M
urn:oasis:names:tc:xacml:1.0:function:string-less-than-or-equal            M
urn:oasis:names:tc:xacml:1.0:function:time-greater-than                    M
urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal           M
urn:oasis:names:tc:xacml:1.0:function:time-less-than                       M
urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal              M
urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than                M
urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal       M
urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than                   M
urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than-or-equal          M
urn:oasis:names:tc:xacml:1.0:function:date-greater-than                    M
urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal           M
urn:oasis:names:tc:xacml:1.0:function:date-less-than                       M
urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal              M
urn:oasis:names:tc:xacml:1.0:function:string-one-and-only                  M
urn:oasis:names:tc:xacml:1.0:function:string-bag-size                      M
urn:oasis:names:tc:xacml:1.0:function:string-is-in                         M
urn:oasis:names:tc:xacml:1.0:function:string-bag                           M
urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only                 M
urn:oasis:names:tc:xacml:1.0:function:boolean-bag-size                     M
urn:oasis:names:tc:xacml:1.0:function:boolean-is-in                        M
urn:oasis:names:tc:xacml:1.0:function:boolean-bag                          M
urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only                 M
urn:oasis:names:tc:xacml:1.0:function:integer-bag-size                     M
urn:oasis:names:tc:xacml:1.0:function:integer-is-in                        M
urn:oasis:names:tc:xacml:1.0:function:integer-bag                          M
urn:oasis:names:tc:xacml:1.0:function:double-one-and-only                  M
urn:oasis:names:tc:xacml:1.0:function:double-bag-size                      M
urn:oasis:names:tc:xacml:1.0:function:double-is-in                         M
urn:oasis:names:tc:xacml:1.0:function:double-bag                           M
urn:oasis:names:tc:xacml:1.0:function:time-one-and-only                    M
urn:oasis:names:tc:xacml:1.0:function:time-bag-size                        M
urn:oasis:names:tc:xacml:1.0:function:time-is-in                           M
urn:oasis:names:tc:xacml:1.0:function:time-bag                             M
urn:oasis:names:tc:xacml:1.0:function:date-one-and-only                    M
urn:oasis:names:tc:xacml:1.0:function:date-bag-size                        M
urn:oasis:names:tc:xacml:1.0:function:date-is-in                           M
urn:oasis:names:tc:xacml:1.0:function:date-bag                             M
urn:oasis:names:tc:xacml:1.0:function:dateTime-one-and-only                M
urn:oasis:names:tc:xacml:1.0:function:dateTime-bag-size                    M
urn:oasis:names:tc:xacml:1.0:function:dateTime-is-in                       M
urn:oasis:names:tc:xacml:1.0:function:dateTime-bag                         M
urn:oasis:names:tc:xacml:1.0:function:anyURI-one-and-only                  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-bag-size                      M
urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in                         M
urn:oasis:names:tc:xacml:1.0:function:anyURI-bag                           M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-one-and-only               M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-bag-size                   M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-is-in                      M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-bag                        M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-one-and-only            M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-bag-size                M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-is-in                   M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-bag                     M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-one-and-only         M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-bag-size             M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-is-in                M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-bag                  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-one-and-only       M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-bag-size           M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-is-in              M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-bag                M
urn:oasis:names:tc:xacml:1.0:function:x500Name-one-and-only                M
urn:oasis:names:tc:xacml:1.0:function:x500Name-bag-size                    M
urn:oasis:names:tc:xacml:1.0:function:x500Name-is-in                       M
urn:oasis:names:tc:xacml:1.0:function:x500Name-bag                         M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-one-and-only              M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-bag-size                  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-is-in                     M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-bag                       M
urn:oasis:names:tc:xacml:1.0:function:any-of                               M
urn:oasis:names:tc:xacml:1.0:function:all-of                               M
urn:oasis:names:tc:xacml:1.0:function:any-of-any                           M
urn:oasis:names:tc:xacml:1.0:function:all-of-any                           M
urn:oasis:names:tc:xacml:1.0:function:any-of-all                           M
urn:oasis:names:tc:xacml:1.0:function:all-of-all                           M
urn:oasis:names:tc:xacml:1.0:function:map                                  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-match                       M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match                     M
urn:oasis:names:tc:xacml:1.0:function:regexp-string-match                  M
urn:oasis:names:tc:xacml:1.0:function:xpath-node-count                     O
urn:oasis:names:tc:xacml:1.0:function:xpath-node-equal                     O
urn:oasis:names:tc:xacml:1.0:function:xpath-node-match                     O
urn:oasis:names:tc:xacml:1.0:function:string-intersection                  M
urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of        M
urn:oasis:names:tc:xacml:1.0:function:string-union                         M
urn:oasis:names:tc:xacml:1.0:function:string-subset                        M
urn:oasis:names:tc:xacml:1.0:function:string-set-equals                    M
urn:oasis:names:tc:xacml:1.0:function:boolean-intersection                 M
urn:oasis:names:tc:xacml:1.0:function:boolean-at-least-one-member-of       M
urn:oasis:names:tc:xacml:1.0:function:boolean-union                        M
urn:oasis:names:tc:xacml:1.0:function:boolean-subset                       M
urn:oasis:names:tc:xacml:1.0:function:boolean-set-equals                   M
urn:oasis:names:tc:xacml:1.0:function:integer-intersection                 M
urn:oasis:names:tc:xacml:1.0:function:integer-at-least-one-member-of       M
urn:oasis:names:tc:xacml:1.0:function:integer-union                        M
urn:oasis:names:tc:xacml:1.0:function:integer-subset                       M
urn:oasis:names:tc:xacml:1.0:function:integer-set-equals                   M
urn:oasis:names:tc:xacml:1.0:function:double-intersection                  M
urn:oasis:names:tc:xacml:1.0:function:double-at-least-one-member-of        M
urn:oasis:names:tc:xacml:1.0:function:double-union                         M
urn:oasis:names:tc:xacml:1.0:function:double-subset                        M
urn:oasis:names:tc:xacml:1.0:function:double-set-equals                    M
urn:oasis:names:tc:xacml:1.0:function:time-intersection                    M
urn:oasis:names:tc:xacml:1.0:function:time-at-least-one-member-of          M
urn:oasis:names:tc:xacml:1.0:function:time-union                           M
urn:oasis:names:tc:xacml:1.0:function:time-subset                          M
urn:oasis:names:tc:xacml:1.0:function:time-set-equals                      M
urn:oasis:names:tc:xacml:1.0:function:date-intersection                    M
urn:oasis:names:tc:xacml:1.0:function:date-at-least-one-member-of          M
urn:oasis:names:tc:xacml:1.0:function:date-union                           M
urn:oasis:names:tc:xacml:1.0:function:date-subset                          M
urn:oasis:names:tc:xacml:1.0:function:date-set-equals                      M
urn:oasis:names:tc:xacml:1.0:function:dateTime-intersection                M
urn:oasis:names:tc:xacml:1.0:function:dateTime-at-least-one-member-of      M
urn:oasis:names:tc:xacml:1.0:function:dateTime-union                       M
urn:oasis:names:tc:xacml:1.0:function:dateTime-subset                      M
urn:oasis:names:tc:xacml:1.0:function:dateTime-set-equals                  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-intersection                  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-at-least-one-member-of        M
urn:oasis:names:tc:xacml:1.0:function:anyURI-union                         M
urn:oasis:names:tc:xacml:1.0:function:anyURI-subset                        M
urn:oasis:names:tc:xacml:1.0:function:anyURI-set-equals                    M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-intersection               M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-at-least-one-member-of     M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-union                      M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-subset                     M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-set-equals                 M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-intersection            M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-union                   M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-subset                  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-set-equals              M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-intersection         M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-at-least-one-member-of M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-union                M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-subset               M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-set-equals           M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-intersection       M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-at-least-one-member-of M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-union              M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-subset             M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-set-equals         M
urn:oasis:names:tc:xacml:1.0:function:x500Name-intersection                M
urn:oasis:names:tc:xacml:1.0:function:x500Name-at-least-one-member-of      M
urn:oasis:names:tc:xacml:1.0:function:x500Name-union                       M
urn:oasis:names:tc:xacml:1.0:function:x500Name-subset                      M
urn:oasis:names:tc:xacml:1.0:function:x500Name-set-equals                  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-intersection              M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-at-least-one-member-of    M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-union                     M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-subset                    M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-set-equals                M
11 References

[DS] D. Eastlake et al., XML-Signature Syntax and Processing, http://www.w3.org/TR/xmldsig-core/, World Wide Web Consortium.
[Hancock] Hancock, Polymorphic Type Checking, in Simon L. Peyton Jones, Implementation of Functional Programming Languages, Section 8, Prentice-Hall International, 1987.
[Haskell] Haskell, a purely functional language. Available at http://www.haskell.org/
[Hinton94] Hinton, H. M., Lee, E. S., The Compatibility of Policies, Proceedings 2nd ACM Conference on Computer and Communications Security, Nov. 1994, Fairfax, Virginia, USA.
[IEEE754] IEEE Standard for Binary Floating-Point Arithmetic 1985, ISBN 1-5593-7653-8, IEEE Product No. SH10116-TBR.
[Kudo00] Kudo, M. and Hada, S., XML document security based on provisional authorization, Proceedings of the Seventh ACM Conference on Computer and Communications Security, Nov. 2000, Athens, Greece, pp. 87-96.
[LDAP-1] RFC2256, A summary of the X.500(96) User Schema for use with LDAPv3, Section 5, M. Wahl, December 1997, http://www.ietf.org/rfc/rfc2798.txt
[LDAP-2] RFC2798, Definition of the inetOrgPerson, M. Smith, April 2000, http://www.ietf.org/rfc/rfc2798.txt
[MathML] Mathematical Markup Language (MathML) Version 2.0, W3C Recommendation, 21 February 2001. Available at http://www.w3.org/TR/MathML2/
[Perritt93] Perritt, H., Knowbots, Permissions Headers and Contract Law, Conference on Technological Strategies for Protecting Intellectual Property in the Networked Multimedia Environment, April 1993. Available at http://www.ifla.org/documents/infopol/copyright/perh2.txt
[RBAC] Role-Based Access Controls, David Ferraiolo and Richard Kuhn, 15th National Computer Security Conference, 1992. Available at http://csrc.nist.gov/rbac/
[RegEx] XML Schema Part 0: Primer, W3C Recommendation, 2 May 2001, Appendix D. Available at http://www.w3.org/TR/xmlschema-0/
[RFC2119] S. Bradner, Key words for use in RFCs to Indicate Requirement Levels, http://www.ietf.org/rfc/rfc2119.txt, IETF RFC 2119, March 1997.
[SAML] Security Assertion Markup Language, available from http://www.oasis-open.org/committees/security/#documents
[Sloman94] Sloman, M., Policy Driven Management for Distributed Systems, Journal of Network and Systems Management, Volume 2, part 4, Plenum Press, 1994.
[XF] XQuery 1.0 and XPath 2.0 Functions and Operators, W3C Working Draft, 16 August 2002. Available at http://www.w3.org/TR/2002/WD-xquery-operators-20020816/
[XS] XML Schema, parts 1 and 2. Available at http://www.w3.org/TR/xmlschema-1/ and http://www.w3.org/TR/xmlschema-2/
[XPath] XML Path Language (XPath), Version 1.0, W3C Recommendation, 16 November 1999. Available at http://www.w3.org/TR/xpath
[XSLT] XSL Transformations (XSLT), Version 1.0, W3C Recommendation, 16 November 1999. Available at http://www.w3.org/TR/xslt
Appendix A. Standard data-types, functions and their semantics (normative)

A.1 Introduction

This section contains a specification of the data-types and functions used in XACML to create predicates for a rule's condition and target matches.

This specification combines the various standards set forth by IEEE and ANSI for string representation of numeric values, as well as the evaluation of arithmetic functions.

This section describes the primitive data-types, bags, and construction of expressions using XACML constructs. Finally, each standard function is named and its operational semantics are described.

A.2 Primitive types

Although XML instances represent all data-types as strings, an XACML PDP must reason about types of data that, while they have string representations, are not just strings. Types such as boolean, integer, and double MUST be converted from their XML string representations to values that can be compared with values in their domain of discourse, such as numbers. The following primitive data-types are specified for use with XACML and have explicit data representations:

http://www.w3.org/2001/XMLSchema#string
http://www.w3.org/2001/XMLSchema#boolean
http://www.w3.org/2001/XMLSchema#integer
http://www.w3.org/2001/XMLSchema#double
http://www.w3.org/2001/XMLSchema#time
http://www.w3.org/2001/XMLSchema#date
http://www.w3.org/2001/XMLSchema#dateTime
http://www.w3.org/2001/XMLSchema#anyURI
http://www.w3.org/2001/XMLSchema#hexBinary
http://www.w3.org/2001/XMLSchema#base64Binary
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration
urn:oasis:names:tc:xacml:1.0:data-type:x500Name
urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name
A3 Structured typesAn XACML ltAttributeValuegt element MAY contain an instance of a structured XML data-type for example ltdsKeyInfogt XACML 10 supports several ways for comparing such ltAttributeValuegt elements
1. In some cases, such an <AttributeValue> element MAY be compared using one of the XACML string functions, such as "regexp-string-match", described below. This requires that the structured data <AttributeValue> be given the DataType="http://www.w3.org/2001/XMLSchema#string". For example, a structured data-type that is actually a ds:KeyInfo/KeyName would appear in the Context as:

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">&lt;ds:KeyName&gt;jhibbert-key&lt;/ds:KeyName&gt;
</AttributeValue>

In general, this method will not be adequate unless the structured data-type is quite simple.

2. An <AttributeSelector> element MAY be used to select the value of a leaf sub-element of the structured data-type by means of an XPath expression. That value MAY then be compared using one of the supported XACML functions appropriate for its primitive data-type. This method requires support by the PDP for the optional XPath expressions feature.

3. An <AttributeSelector> element MAY be used to select the value of any node in the structured data-type by means of an XPath expression. This node MAY then be compared using one of the XPath-based functions described in Section A.14.13. This method requires support by the PDP for the optional XPath expressions and XPath functions features.
A.4. Representations

An XACML PDP SHALL be capable of converting string representations into various primitive data-types. For integers and doubles, XACML SHALL use the conversions described in [IEEE 754]. That specification combines the various standards set forth by IEEE and ANSI for string representation of numeric values.

XACML defines two additional data-types; these are "urn:oasis:names:tc:xacml:1.0:data-type:x500Name" and "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name". These types represent identifiers for subjects and appear in several standard applications, such as TLS/SSL and electronic mail.

The "urn:oasis:names:tc:xacml:1.0:data-type:x500Name" primitive type represents an X.500 Distinguished Name. The string representation of an X.500 distinguished name is specified in IETF RFC 2253, Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names.¹

The "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" primitive type represents electronic mail addresses, and its string representation is specified by RFC 822.

¹ An earlier RFC, RFC 1779, A String Representation of Distinguished Names, is less restrictive, so urn:oasis:names:tc:xacml:1.0:data-type:x500Name uses the syntax in RFC 2253 for better interoperability.
An RFC822 name consists of a local-part followed by "@" followed by a domain-part. The local-part is case-sensitive, while the domain-part (which is usually a DNS host name) is not case-sensitive.²

A.5. Bags

XACML defines implicit collections of its primitive types. XACML refers to a collection of values that are of a single primitive type as a bag. Bags of primitive types are needed because selections of nodes from an XML resource or XACML request context may return more than one value.

The <AttributeSelector> element uses an XPath expression to specify the selection of data from an XML resource. The result of an XPath expression is termed a node-set, which contains all the leaf nodes from the XML resource that match the predicate in the XPath expression. Based on the various indexing functions provided in the XPath specification, it SHALL be implied that a resultant node-set is the collection of the matching nodes. XACML also defines the <AttributeDesignator> element to have the same matching methodology for attributes in the XACML request context.

The values in a bag are not ordered, and some of the values may be duplicates. There SHALL be no notion of a bag containing bags, or a bag containing values of differing types; i.e. a bag in XACML SHALL contain only values that are of the same primitive type.
A.6. Expressions

XACML specifies expressions in terms of the following elements, of which the <Apply> and <Condition> elements recursively compose greater expressions. Valid expressions shall be type correct, which means that the types of each of the elements contained within <Apply> and <Condition> elements shall agree with the respective argument types of the function that is named by the FunctionId attribute. The resultant type of the <Apply> or <Condition> element shall be the resultant type of the function, which may be narrowed to a primitive data-type, or a bag of a primitive data-type, by type-unification. XACML defines an evaluation result of "Indeterminate", which is said to be the result of an invalid expression, or an operational error occurring during the evaluation of the expression.

XACML defines the following elements to be legal XACML expressions:

<AttributeValue>
<SubjectAttributeDesignator>
<SubjectAttributeSelector>
<ResourceAttributeDesignator>
<ActionAttributeDesignator>
<EnvironmentAttributeDesignator>
<AttributeSelector>
<Apply>

² According to IETF RFC822 and its successor specifications [RFC2821], case is significant in the local-part. However, many mail systems, as well as the IETF PKIX specification, treat the local-part as case-insensitive. This is considered an error by mail-system designers and is not encouraged.
<Condition>
<Function>

A.7. Element <AttributeValue>

The <AttributeValue> element SHALL represent an explicit value of a primitive type. For example:

<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">123</AttributeValue>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">123</AttributeValue>
</Apply>
A.8. Elements <AttributeDesignator> and <AttributeSelector>

The <AttributeDesignator> and <AttributeSelector> elements SHALL evaluate to a bag of a specific primitive type. The type SHALL be inferred from the function in which it appears. Each element SHALL contain a URI or XPath expression, respectively, to identify the required attribute values. If an operational error were to occur while finding the values, the value of the element SHALL be set to "Indeterminate". If the required attribute cannot be located, then the value of the element SHALL be set to an empty bag of the inferred primitive type.

A.9. Element <Apply>

XACML function calls are represented by the <Apply> element. The function to be applied is named in the FunctionId attribute of this element. The value of the <Apply> element SHALL be set to either a primitive data-type or a bag of a primitive type, whose data-type SHALL be inferred from the FunctionId. The arguments of a function SHALL be the values of the XACML expressions that are contained as ordered elements in an <Apply> element. The legal number of arguments within an <Apply> element SHALL depend upon the FunctionId.

A.10. Element <Condition>

The <Condition> element MAY appear in the <Rule> element as the premise for emitting the corresponding effect of the rule. The <Condition> element has the same structure as the <Apply> element, with the restriction that its result SHALL be of data-type "http://www.w3.org/2001/XMLSchema#boolean". The evaluation of the <Condition> element SHALL follow the same evaluation semantics as those of the <Apply> element.
A.11. Element <Function>

The <Function> element names a standard XACML function or an extension function in its FunctionId attribute. The <Function> element MAY be used as an argument in functions that take a function as an argument.

A.12. Matching elements

Matching elements appear in the <Target> element of rules, policies and policy sets. They are the following:

<SubjectMatch>
<ResourceMatch>
<ActionMatch>

These elements represent boolean expressions over attributes of the subject, resource and action, respectively. A matching element contains a MatchId attribute that specifies the function to be used in performing the match evaluation, an attribute value, and an <AttributeDesignator> or <AttributeSelector> element that specifies the attribute in the context that is to be matched against the specified value.

The MatchId attribute SHALL specify a function that compares two arguments, returning a result type of "http://www.w3.org/2001/XMLSchema#boolean". The attribute value specified in the matching element SHALL be supplied to the MatchId function as its first argument. An element of the bag returned by the <AttributeDesignator> or <AttributeSelector> element SHALL be supplied to the MatchId function as its second argument. The data-type of the attribute value SHALL match the data-type of the first argument expected by the MatchId function. The data-type of the <AttributeDesignator> or <AttributeSelector> element SHALL match the data-type of the second argument expected by the MatchId function.

The XACML standard functions that meet the requirements for use as a MatchId attribute value are the following, where type stands for the name of a primitive data-type:
urn:oasis:names:tc:xacml:1.0:function:type-equal
urn:oasis:names:tc:xacml:1.0:function:type-greater-than
urn:oasis:names:tc:xacml:1.0:function:type-greater-than-or-equal
urn:oasis:names:tc:xacml:1.0:function:type-less-than
urn:oasis:names:tc:xacml:1.0:function:type-less-than-or-equal
urn:oasis:names:tc:xacml:1.0:function:type-match

In addition, functions that are strictly within an extension to XACML MAY appear as a value for the MatchId attribute, and those functions MAY use data-types that are also extensions, so long as the extension function returns a boolean result and takes an attribute value as its first argument and an <AttributeDesignator> or <AttributeSelector> as its second argument. The function used as the value for the MatchId attribute SHOULD be easily indexable. Use of non-indexable or complex functions may prevent efficient evaluation of decision requests.
The evaluation semantics for a matching element is as follows. If an operational error were to occur while evaluating the <AttributeDesignator> or <AttributeSelector> element, then the result of the entire expression SHALL be "Indeterminate". If the <AttributeDesignator> or <AttributeSelector> element were to evaluate to an empty bag, then the result of the expression SHALL be "False". Otherwise, the MatchId function SHALL be applied between the explicit attribute value and each element of the bag returned from the <AttributeDesignator> or <AttributeSelector> element. If at least one of those function applications were to evaluate to "True", then the result of the entire expression SHALL be "True". Otherwise, if at least one of the function applications results in "Indeterminate", then the result SHALL be "Indeterminate". Finally, only if all function applications evaluate to "False", the result of the entire expression SHALL be "False".
It is possible to express the semantics of a target matching element in a condition. For instance, the target match expression that compares a "subject-name" starting with the name "John" can be expressed as follows:

<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
  <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
</SubjectMatch>

Alternatively, the same match semantics can be expressed as an <Apply> element in a condition by using the "urn:oasis:names:tc:xacml:1.0:function:any-of" function, as follows:

<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match"/>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
  <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>

This expression of the semantics is NOT normative.
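The three-valued evaluation of a matching element described above, as an added Python example that is not part of the specification. The function names, the Indeterminate sentinel and the sample subject-id bags are constructed for this illustration; the point it makes visible is that a missing attribute (empty bag) is a plain False, whereas a lookup error or a failing application is Indeterminate and is only overridden by a True from another element of the bag.

```python
# Added example (not part of the XACML specification): evaluation of a
# <SubjectMatch>/<ResourceMatch>/<ActionMatch> element following the
# semantics in Section A.12. Function names are this example's own.
import re


class Indeterminate:
    """Sentinel for the XACML Indeterminate result."""

    def __repr__(self):
        return "Indeterminate"


INDETERMINATE = Indeterminate()


def regexp_string_match(pattern, value):
    # urn:oasis:names:tc:xacml:1.0:function:regexp-string-match:
    # the explicit pattern is the first argument, the context value the second.
    return re.search(pattern, value) is not None


def string_equal(a, b):
    # urn:oasis:names:tc:xacml:1.0:function:string-equal (byte-by-byte).
    return a.encode("utf-8") == b.encode("utf-8")


def evaluate_match(match_fn, attribute_value, designator_result):
    """Apply a MatchId function between the explicit attribute value and
    each element of the bag returned by an <AttributeDesignator> or
    <AttributeSelector>.

    designator_result is either a list (the bag) or INDETERMINATE, which
    models an operational error while retrieving the attribute."""
    # 1. An error while locating the attribute poisons the whole match.
    if designator_result is INDETERMINATE:
        return INDETERMINATE
    # 2. A missing attribute is an empty bag: the match is simply False
    #    (the target does not apply); it is NOT an error.
    if len(designator_result) == 0:
        return False
    saw_indeterminate = False
    for element in designator_result:
        try:
            result = match_fn(attribute_value, element)
        except (TypeError, re.error):
            # A failing application counts as Indeterminate but does not
            # stop evaluation: a later True still wins.
            saw_indeterminate = True
            continue
        if result is True:
            return True
    # 3. No application was True: Indeterminate outranks False.
    return INDETERMINATE if saw_indeterminate else False


def demo():
    # Constructed request-context bags for the subject-id attribute.
    pattern = "John"
    return {
        "single match": evaluate_match(regexp_string_match, pattern, ["John Smith"]),
        "multi-valued, one hit": evaluate_match(regexp_string_match, pattern, ["Jane Doe", "John Doe"]),
        "no hit": evaluate_match(regexp_string_match, pattern, ["Jane Doe"]),
        "attribute absent": evaluate_match(regexp_string_match, pattern, []),
        "lookup error": evaluate_match(regexp_string_match, pattern, INDETERMINATE),
        "bad element but a hit": evaluate_match(regexp_string_match, pattern, [42, "John"]),
        "bad element, no hit": evaluate_match(regexp_string_match, pattern, [42, "Jane"]),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-24s -> %r" % (case, outcome))
```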
A.13. Arithmetic evaluation

IEEE 754 [IEEE 754] specifies how to evaluate arithmetic functions in a context, which specifies defaults for precision, rounding, etc. XACML SHALL use this specification for the evaluation of all integer and double functions, relying on the Extended Default Context, enhanced with double precision:

flags - all set to 0
trap-enablers - all set to 0 (IEEE 854 §7), with the exception of the "division-by-zero" trap enabler, which SHALL be set to 1
precision - is set to the designated double precision
rounding - is set to round-half-even (IEEE 854 §4.1)
A.14. XACML standard functions

XACML specifies the following functions, which are prefixed with the "urn:oasis:names:tc:xacml:1.0:function:" relative namespace identifier.

A.14.1. Equality predicates

The following functions are the equality functions for the various primitive types. Each function for a particular data-type follows a specified standard convention for that data-type. If an argument of one of these functions were to evaluate to Indeterminate, then the function SHALL be set to Indeterminate.

string-equal
This function SHALL take two arguments of "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". The function SHALL return "True" if and only if the values of both of its arguments are of equal length and each string is determined to be equal byte-by-byte according to the function "integer-equal".

boolean-equal
This function SHALL take two arguments of "http://www.w3.org/2001/XMLSchema#boolean" and SHALL return "True" if and only if both values are equal.

integer-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#integer" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation on integers according to IEEE 754 [IEEE 754].

double-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#double" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation on doubles according to IEEE 754 [IEEE 754].

date-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#date" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation according to the "op:date-equal" function [XF Section 8.3.11].

time-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#time" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation according to the "op:time-equal" function [XF Section 8.3.14].

dateTime-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#dateTime" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation according to the "op:dateTime-equal" function [XF Section 8.3.8].
dayTimeDuration-equal
This function SHALL take two arguments of data-type "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function shall perform its evaluation according to the "op:dayTimeDuration-equal" function [XF Section 8.3.5]. Note that the lexical representation of each argument MUST be converted to a value expressed in fractional seconds [XF Section 8.2.2].

yearMonthDuration-equal
This function SHALL take two arguments of data-type "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function shall perform its evaluation according to the "op:yearMonthDuration-equal" function [XF Section 8.3.2]. Note that the lexical representation of each argument MUST be converted to a value expressed in integer months [XF Section 8.2.1].

anyURI-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#anyURI" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation according to the "op:anyURI-equal" function [XF Section 10.2.1].

x500Name-equal
This function shall take two arguments of "urn:oasis:names:tc:xacml:1.0:data-type:x500Name" and shall return an "http://www.w3.org/2001/XMLSchema#boolean". It shall return "True" if and only if each Relative Distinguished Name (RDN) in the two arguments matches. Two RDNs shall be said to match if and only if the result of the following operations is "True":³

1. Normalize the two arguments according to IETF RFC 2253, Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names.

2. If any RDN contains multiple attributeTypeAndValue pairs, re-order the AttributeValuePairs in that RDN in ascending order when compared as octet strings (described in ITU-T Rec. X.690 (1997 E), Section 11.6, Set-of components).

3. Compare RDNs using the rules in IETF RFC 3280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, Section 4.1.2.4, Issuer.

rfc822Name-equal
This function SHALL take two arguments of data-type "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL determine whether two "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" arguments are equal. An RFC822 name consists of a local-part followed by "@" followed by a domain-part. The local-part is case-sensitive, while the domain-part (which is usually a DNS host name) is not case-sensitive. Perform the following operations:

1. Normalize the domain-part of each argument to lower case.

2. Compare the expressions by applying the function "urn:oasis:names:tc:xacml:1.0:function:string-equal" to the normalized arguments.

³ ITU-T Rec. X.520 contains rules for matching X.500 names, but these are very complex and require knowledge of the syntax of various AttributeTypes. IETF RFC 3280 contains simplified matching rules that the XACML x500Name-equal function uses.
hexBinary-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#hexBinary" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL return "True" if the octet sequences represented by the value of both arguments have equal length and are equal in a conjunctive, point-wise comparison using the "urn:oasis:names:tc:xacml:1.0:function:integer-equal". The conversion from the string representation to an octet sequence SHALL be as specified in [XS Section 8.2.15].

base64Binary-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#base64Binary" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL return "True" if the octet sequences represented by the value of both arguments have equal length and are equal in a conjunctive, point-wise comparison using the "urn:oasis:names:tc:xacml:1.0:function:integer-equal". The conversion from the string representation to an octet sequence SHALL be as specified in [XS Section 8.2.16].
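An added Python illustration, not from the specification, of the rfc822Name-equal, hexBinary-equal and base64Binary-equal predicates defined above, including the conversion from the lexical (string) form to the typed value that each one depends on. Function and helper names and the sample values are this example's own; a malformed lexical value is modelled as Indeterminate, the result Section A.6 assigns to an operational error during evaluation.

```python
# Added example (not part of the XACML specification): equality predicates
# of Section A.14.1 for string, rfc822Name, hexBinary and base64Binary.
# Each predicate first converts the XML lexical form to the typed value.
import base64
import binascii


class Indeterminate:
    def __repr__(self):
        return "Indeterminate"


INDETERMINATE = Indeterminate()


def string_equal(a, b):
    # string-equal: equal length and equal byte-by-byte (UTF-8 octets).
    ab, bb = a.encode("utf-8"), b.encode("utf-8")
    return len(ab) == len(bb) and all(x == y for x, y in zip(ab, bb))


def _parse_rfc822(name):
    # local-part "@" domain-part. A quoted local-part may itself contain
    # "@", so split on the last one. Raises on a value that is not a name.
    local, sep, domain = name.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an rfc822Name: %r" % name)
    return local, domain


def rfc822name_equal(a, b):
    """rfc822Name-equal: the local-part is case-sensitive, the domain-part
    is normalized to lower case, then string-equal is applied."""
    try:
        la, da = _parse_rfc822(a)
        lb, db = _parse_rfc822(b)
    except ValueError:
        return INDETERMINATE  # malformed lexical value: operational error
    return string_equal(la + "@" + da.lower(), lb + "@" + db.lower())


def _hex_octets(text):
    # xs:hexBinary lexical form -> octet sequence (odd length is an error).
    return binascii.unhexlify(text.strip())


def _base64_octets(text):
    # xs:base64Binary lexical form -> octet sequence; validate=True rejects
    # characters outside the base64 alphabet instead of silently skipping.
    return base64.b64decode(text.strip(), validate=True)


def _octets_equal(decode, a, b):
    try:
        oa, ob = decode(a), decode(b)
    except (binascii.Error, ValueError):
        return INDETERMINATE
    # Equal length and conjunctive point-wise equality of the octets.
    return len(oa) == len(ob) and all(x == y for x, y in zip(oa, ob))


def hexbinary_equal(a, b):
    return _octets_equal(_hex_octets, a, b)


def base64binary_equal(a, b):
    return _octets_equal(_base64_octets, a, b)


if __name__ == "__main__":
    # Constructed sample values.
    print(rfc822name_equal("Anne@Example.COM", "Anne@example.com"))  # True
    print(rfc822name_equal("anne@example.com", "Anne@example.com"))  # False
    print(hexbinary_equal("0aFF", "0AFF"))                           # True
    print(base64binary_equal("AAEC", "AAE="))                        # False
    print(hexbinary_equal("0aF", "0aFF"))                            # Indeterminate
```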
A.14.2. Arithmetic functions

All of the following functions SHALL take two arguments of the specified data-type, integer or double, and SHALL return an element of integer or double data-type, respectively. However, the "add" functions MAY take more than two arguments. Each function evaluation SHALL proceed as specified by their logical counterparts in IEEE 754 [IEEE 754]. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate. In the case of the divide functions, if the divisor is zero, then the function SHALL evaluate to "Indeterminate".

integer-add
This function MAY have two or more arguments.

double-add
This function MAY have two or more arguments.

integer-subtract
double-subtract
integer-multiply
double-multiply
integer-divide
double-divide
integer-mod

The following functions SHALL take a single argument of the specified data-type. The round and floor functions SHALL take a single argument of data-type "http://www.w3.org/2001/XMLSchema#double" and return data-type "http://www.w3.org/2001/XMLSchema#double". In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.

integer-abs
double-abs
round
floor

A.14.3. String conversion functions

The following functions convert between values of the XACML "http://www.w3.org/2001/XMLSchema#string" primitive types. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.

string-normalize-space
This function SHALL take one argument of data-type "http://www.w3.org/2001/XMLSchema#string" and SHALL normalize the value by stripping off all leading and trailing whitespace characters.

string-normalize-to-lower-case
This function SHALL take one argument of "http://www.w3.org/2001/XMLSchema#string" and SHALL normalize the value by converting each upper case character to its lower case equivalent.

A.14.4. Numeric data-type conversion functions

The following functions convert between the XACML "http://www.w3.org/2001/XMLSchema#integer" and "http://www.w3.org/2001/XMLSchema#double" primitive types. In any expression in which the functions defined below are applied, if any argument, while being evaluated, results in Indeterminate, the expression SHALL return Indeterminate.

double-to-integer
This function SHALL take one argument of data-type "http://www.w3.org/2001/XMLSchema#double" and SHALL truncate its numeric value to a whole number and return an element of data-type "http://www.w3.org/2001/XMLSchema#integer".

integer-to-double
This function SHALL take one argument of data-type "http://www.w3.org/2001/XMLSchema#integer" and SHALL promote its value to an element of data-type "http://www.w3.org/2001/XMLSchema#double" of the same numeric value.

A.14.5. Logical functions

This section contains the specification for logical functions that operate on arguments of the "http://www.w3.org/2001/XMLSchema#boolean" data-type.

or
This function SHALL return "False" if it has no arguments and SHALL return "True" if one of its arguments evaluates to "True". The order of evaluation SHALL be from first argument to last. The evaluation SHALL stop with a result of "True" if any argument evaluates to "True", leaving the rest of the arguments unevaluated. In an expression that contains any of these functions, if ANY argument to this function evaluates to Indeterminate, then the expression SHALL evaluate to Indeterminate.
and
This function SHALL return "True" if it has no arguments and SHALL return "False" if one of its arguments evaluates to "False". The order of evaluation SHALL be from first argument to last. The evaluation SHALL stop with a result of "False" if any argument evaluates to "False", leaving the rest of the arguments unevaluated. In an expression that contains any of these functions, if ANY argument to this function evaluates to Indeterminate, then the expression SHALL evaluate to Indeterminate.

n-of
The first argument to this function SHALL be of data-type "http://www.w3.org/2001/XMLSchema#integer", specifying the number of the remaining arguments that MUST evaluate to "True" for the expression to be considered "True". If the first argument is 0, the result SHALL be "True". If the number of arguments after the first one is less than the value of the first argument, then the expression SHALL result in Indeterminate. The order of evaluation SHALL be: first evaluate the integer value, then evaluate each subsequent argument. The evaluation SHALL stop and return "True" if the specified number of arguments evaluate to "True". The evaluation of arguments SHALL stop if it is determined that evaluating the remaining arguments will not satisfy the requirement. In an expression that contains any of these functions, if ANY argument to this function evaluates to Indeterminate, then the expression SHALL evaluate to Indeterminate.

not
This function SHALL take one logical argument. If the argument evaluates to "True", then the result of the expression SHALL be "False". If the argument evaluates to "False", then the result of the expression SHALL be "True". In an expression that contains any of these functions, if ANY argument to this function evaluates to Indeterminate, then the expression SHALL evaluate to Indeterminate.

Note: For an expression that is an application of AND, OR or N-OF, it MAY NOT be necessary to attempt a full evaluation of each boolean argument to a truth value in order to determine whether the evaluation of the argument would result in Indeterminate. Analysis of the argument regarding its necessary attributes, or other analysis regarding errors such as divide-by-zero, may render the argument error free. Such arguments, occurring in the expression in a position after the evaluation is stated to stop, need not be processed.

A.14.6. Arithmetic comparison functions

These functions form a minimal set for comparing two numbers, yielding a boolean result. They SHALL comply with the rules governed by IEEE 754 [IEEE 754]. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.

integer-greater-than
integer-greater-than-or-equal
integer-less-than
integer-less-than-or-equal
double-greater-than
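The short-circuit and Indeterminate rules of or, and, n-of and not above, as an added Python example that is not part of the specification. Arguments are passed as zero-argument callables so that, as the Note permits, arguments after the point where evaluation stops are never evaluated; the function names, this thunk convention and the constructed divide-by-zero argument are this example's own.

```python
# Added example (not part of the XACML specification): the four logical
# functions of Section A.14.5 with lazy, left-to-right argument evaluation.


class Indeterminate:
    def __repr__(self):
        return "Indeterminate"


INDETERMINATE = Indeterminate()


def _force(arg):
    """Evaluate one argument; an exception models an operational error
    (e.g. integer-divide by zero), which yields Indeterminate."""
    try:
        value = arg() if callable(arg) else arg
    except Exception:
        return INDETERMINATE
    return value if value is INDETERMINATE else bool(value)


def xacml_or(*args):
    # "False" for zero arguments; stops at the first "True". An argument
    # that comes after that point is never evaluated, so an error there
    # cannot make the result Indeterminate.
    for arg in args:
        value = _force(arg)
        if value is INDETERMINATE:
            return INDETERMINATE
        if value:
            return True
    return False


def xacml_and(*args):
    # "True" for zero arguments; stops at the first "False".
    for arg in args:
        value = _force(arg)
        if value is INDETERMINATE:
            return INDETERMINATE
        if not value:
            return False
    return True


def xacml_n_of(n, *args):
    # n is the xs:integer first argument; n == 0 is trivially "True".
    if n == 0:
        return True
    if len(args) < n:
        return INDETERMINATE  # cannot possibly be satisfied
    trues = 0
    for index, arg in enumerate(args):
        value = _force(arg)
        if value is INDETERMINATE:
            return INDETERMINATE
        if value:
            trues += 1
            if trues == n:
                return True  # requirement met: stop early
        # Remaining arguments cannot make up the shortfall: stop with False.
        if trues + (len(args) - index - 1) < n:
            return False
    return False


def xacml_not(arg):
    value = _force(arg)
    return INDETERMINATE if value is INDETERMINATE else not value


def divide_by_zero():
    # Constructed faulty argument standing in for an integer-divide with a
    # zero divisor (Indeterminate per Section A.14.2).
    return 1 // 0


if __name__ == "__main__":
    print(xacml_or(False, True, divide_by_zero))      # True (stops early)
    print(xacml_or(divide_by_zero, True))             # Indeterminate
    print(xacml_n_of(2, True, False, True, divide_by_zero))  # True
    print(xacml_n_of(2, False, False, divide_by_zero))       # False
```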
double-greater-than-or-equal
double-less-than
double-less-than-or-equal

A.14.7. Date and time arithmetic functions

These functions perform arithmetic operations with the date and time. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.

dateTime-add-dayTimeDuration
This function SHALL take two arguments: the first is of data-type "http://www.w3.org/2001/XMLSchema#dateTime" and the second is of data-type "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#dateTime". This function SHALL return the value by adding the second argument to the first argument according to the specification of adding durations to date and time [XS Appendix E].

dateTime-add-yearMonthDuration
This function SHALL take two arguments: the first is a "http://www.w3.org/2001/XMLSchema#dateTime" and the second is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#dateTime". This function SHALL return the value by adding the second argument to the first argument according to the specification of adding durations to date and time [XS Appendix E].

dateTime-subtract-dayTimeDuration
This function SHALL take two arguments: the first is a "http://www.w3.org/2001/XMLSchema#dateTime" and the second is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#dateTime". If the second argument is a positive duration, then this function SHALL return the value by adding the corresponding negative duration, as per the specification [XS Appendix E]. If the second argument is a negative duration, then the result SHALL be as if the function "urn:oasis:names:tc:xacml:1.0:function:dateTime-add-dayTimeDuration" had been applied to the corresponding positive duration.

dateTime-subtract-yearMonthDuration
This function SHALL take two arguments: the first is a "http://www.w3.org/2001/XMLSchema#dateTime" and the second is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#dateTime". If the second argument is a positive duration, then this function SHALL return the value by adding the corresponding negative duration, as per the specification [XS Appendix E]. If the second argument is a negative duration, then the result SHALL be as if the function "urn:oasis:names:tc:xacml:1.0:function:dateTime-add-yearMonthDuration" had been applied to the corresponding positive duration.

date-add-yearMonthDuration
This function SHALL take two arguments: the first is a "http://www.w3.org/2001/XMLSchema#date" and the second is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#date". This function SHALL return the value by adding the second argument to the first argument according to the specification of adding durations to date [XS Appendix E].
date-subtract-yearMonthDuration
This function SHALL take two arguments: the first is a "http://www.w3.org/2001/XMLSchema#date" and the second is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#date". If the second argument is a positive duration, then this function SHALL return the value by adding the corresponding negative duration, as per the specification [XS Appendix E]. If the second argument is a negative duration, then the result SHALL be as if the function "urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration" had been applied to the corresponding positive duration.

A.14.8. Non-numeric comparison functions

These functions perform comparison operations on two arguments of non-numerical types. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.

string-greater-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return "True" if and only if the arguments are compared byte by byte and, after an initial prefix of corresponding bytes from both arguments that are considered equal by "urn:oasis:names:tc:xacml:1.0:function:integer-equal", the next byte by byte comparison is such that the byte from the first argument is greater than the byte from the second argument by the use of the function "urn:oasis:names:tc:xacml:1.0:function:integer-equal".

string-greater-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return a result as if evaluated with the logical function "urn:oasis:names:tc:xacml:1.0:function:or" with two arguments containing the functions "urn:oasis:names:tc:xacml:1.0:function:string-greater-than" and "urn:oasis:names:tc:xacml:1.0:function:string-equal" containing the original arguments.

string-less-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return "True" if and only if the arguments are compared byte by byte and, after an initial prefix of corresponding bytes from both arguments that are considered equal by "urn:oasis:names:tc:xacml:1.0:function:integer-equal", the next byte by byte comparison is such that the byte from the first argument is less than the byte from the second argument by the use of the function "urn:oasis:names:tc:xacml:1.0:function:integer-less-than".

string-less-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return a result as if evaluated with the function "urn:oasis:names:tc:xacml:1.0:function:or" with two arguments containing the functions "urn:oasis:names:tc:xacml:1.0:function:string-less-than" and "urn:oasis:names:tc:xacml:1.0:function:string-equal" containing the original arguments.
time-greater-than
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#time” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is greater than the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#time” [XS Section 3.2.8].
time-greater-than-or-equal
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#time” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is greater than or equal to the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#time” [XS Section 3.2.8].
time-less-than
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#time” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is less than the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#time” [XS Section 3.2.8].
time-less-than-or-equal
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#time” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is less than or equal to the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#time” [XS Section 3.2.8].
dateTime-greater-than
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#dateTime” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is greater than the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#dateTime” [XS Section 3.2.7].
dateTime-greater-than-or-equal
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#dateTime” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is greater than or equal to the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#dateTime” [XS Section 3.2.7].
dateTime-less-than
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#dateTime” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is less than the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#dateTime” [XS Section 3.2.7].
dateTime-less-than-or-equal
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#dateTime” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is less than or equal to the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#dateTime” [XS Section 3.2.7].
date-greater-than
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#date” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is greater than the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#date” [XS Section 3.2.9].
date-greater-than-or-equal
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#date” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is greater than or equal to the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#date” [XS Section 3.2.9].
date-less-than
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#date” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is less than the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#date” [XS Section 3.2.9].
date-less-than-or-equal
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#date” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is less than or equal to the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#date” [XS Section 3.2.9].
A.14.9 Bag functions
These functions operate on a bag of “type” values, where “type” is one of the primitive data-types. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate. Some additional conditions defined for each function below SHALL cause the expression to evaluate to Indeterminate.
type-one-and-only
This function SHALL take an argument of a bag of “type” values and SHALL return a value of data-type “type”. It SHALL return the only value in the bag. If the bag does not have one and only one value, then the expression SHALL evaluate to Indeterminate.
type-bag-size
This function SHALL take a bag of “type” values as an argument and SHALL return an “http://www.w3.org/2001/XMLSchema#integer” indicating the number of values in the bag.
type-is-in
This function SHALL take an argument of data-type “type” as the first argument and a bag of “type” values as the second argument. The expression SHALL evaluate to True if the first argument matches, by “urn:oasis:names:tc:xacml:1.0:function:type-equal”, any value in the bag.
type-bag
This function SHALL take any number of arguments of a single data-type and return a bag of “type” values containing the values of the arguments. An application of this function to zero arguments SHALL produce an empty bag of the specified data-type.
A.14.10 Set functions
These functions operate on bags mimicking sets by eliminating duplicate elements from a bag. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.
type-intersection
This function SHALL take two arguments that are both a bag of “type” values. The expression SHALL return a bag of “type” values such that it contains only elements that are common between the two bags, which is determined by “urn:oasis:names:tc:xacml:1.0:function:type-equal”. No duplicates, as determined by “urn:oasis:names:tc:xacml:1.0:function:type-equal”, SHALL exist in the result.
type-at-least-one-member-of
This function SHALL take two arguments that are both a bag of “type” values. The expression SHALL evaluate to True if at least one element of the first argument is contained in the second argument, as determined by “urn:oasis:names:tc:xacml:1.0:function:type-is-in”.
type-union
This function SHALL take two arguments that are both a bag of “type” values. The expression SHALL return a bag of “type” values such that it contains all elements of both bags. No duplicates, as determined by “urn:oasis:names:tc:xacml:1.0:function:type-equal”, SHALL exist in the result.
type-subset
This function SHALL take two arguments that are both a bag of “type” values. It SHALL return True if the first argument is a subset of the second argument. Each argument is considered to have its duplicates removed, as determined by “urn:oasis:names:tc:xacml:1.0:function:type-equal”, before the subset calculation.
type-set-equals
This function SHALL take two arguments that are both a bag of “type” values and SHALL return the result of applying “urn:oasis:names:tc:xacml:1.0:function:and” to the application of “urn:oasis:names:tc:xacml:1.0:function:type-subset” to the first and second arguments and the application of “urn:oasis:names:tc:xacml:1.0:function:type-subset” to the second and first arguments.
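The bag and set functions of A.14.9 and A.14.10 as an added worked example in Python (not text or code from the specification). Equality is passed in because each function is defined in terms of the bag's type-equal; the case-insensitive equality and the sample bags in demo() are constructed for illustration and do not correspond to any data-type defined by the specification.

```python
"""Bag and set functions of XACML 1.1 Appendix A.14.9 and A.14.10, as an added
worked example (not text from the specification).  A bag is an unordered
collection that may contain duplicates, modelled here as a Python list.
Equality is a parameter because the spec defines each function in terms of the
"type-equal" function of the bag's data-type; Indeterminate is an exception."""
from typing import Callable, Dict, List, TypeVar

T = TypeVar("T")
Equal = Callable[[T, T], bool]


class Indeterminate(Exception):
    """Raised when an XACML expression evaluates to Indeterminate."""


def default_equal(a: T, b: T) -> bool:
    """Stands in for type-equal of a data-type whose equality is plain value equality."""
    return a == b


def type_bag(*values: T) -> List[T]:
    """type-bag: a bag of the argument values; zero arguments give the empty bag."""
    return list(values)


def one_and_only(bag: List[T]) -> T:
    """type-one-and-only: Indeterminate unless the bag holds exactly one value."""
    if len(bag) != 1:
        raise Indeterminate(f"one-and-only applied to a bag of {len(bag)} values")
    return bag[0]


def bag_size(bag: List[T]) -> int:
    """type-bag-size: the number of values, duplicates included."""
    return len(bag)


def is_in(value: T, bag: List[T], equal: Equal = default_equal) -> bool:
    """type-is-in: True if value is type-equal to at least one element of the bag."""
    return any(equal(value, x) for x in bag)


def dedupe(bag: List[T], equal: Equal = default_equal) -> List[T]:
    """Drop duplicates as determined by type-equal, keeping first occurrences."""
    out: List[T] = []
    for x in bag:
        if not is_in(x, out, equal):
            out.append(x)
    return out


def intersection(a: List[T], b: List[T], equal: Equal = default_equal) -> List[T]:
    """type-intersection: elements common to both bags, without duplicates."""
    return dedupe([x for x in a if is_in(x, b, equal)], equal)


def union(a: List[T], b: List[T], equal: Equal = default_equal) -> List[T]:
    """type-union: all elements of both bags, without duplicates."""
    return dedupe(list(a) + list(b), equal)


def at_least_one_member_of(a: List[T], b: List[T], equal: Equal = default_equal) -> bool:
    """type-at-least-one-member-of: some element of a is-in b."""
    return any(is_in(x, b, equal) for x in a)


def subset(a: List[T], b: List[T], equal: Equal = default_equal) -> bool:
    """type-subset: every (deduplicated) element of a is-in b."""
    return all(is_in(x, b, equal) for x in dedupe(a, equal))


def set_equals(a: List[T], b: List[T], equal: Equal = default_equal) -> bool:
    """type-set-equals: and(subset(a, b), subset(b, a))."""
    return subset(a, b, equal) and subset(b, a, equal)


def demo() -> Dict[str, object]:
    """Constructed sample bags; the results are what a PDP would compute."""
    roles = type_bag("admin", "auditor", "auditor")      # bags may hold duplicates
    allowed = type_bag("auditor", "Admin")

    def ci_equal(x: str, y: str) -> bool:
        # Constructed case-insensitive equality, standing in for a data-type
        # whose type-equal is not plain string equality (not a spec data-type).
        return x.lower() == y.lower()

    results: Dict[str, object] = {
        "size": bag_size(roles),                                  # 3: duplicates count
        "is_in_exact": is_in("Admin", roles),                     # False: case differs
        "is_in_ci": is_in("Admin", roles, ci_equal),              # True
        "intersection": intersection(roles, allowed),             # ["auditor"]
        "union_ci": union(roles, allowed, ci_equal),              # ["admin", "auditor"]
        "subset": subset(type_bag("auditor", "auditor"), roles),  # True
        "set_equals": set_equals(roles, type_bag("auditor", "admin")),  # True
    }
    try:  # one-and-only on a multi-valued attribute is Indeterminate
        one_and_only(roles)
        results["one_and_only_indeterminate"] = False
    except Indeterminate:
        results["one_and_only_indeterminate"] = True
    return results
```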
A.14.11 Higher-order bag functions
This section describes functions in XACML that perform operations on bags such that functions may be applied to the bags in general.
In this section, a general-purpose functional language called Haskell [Haskell] is used to formally specify the semantics of these functions. Although the English description is adequate, a formal specification of the semantics is helpful.
For a quick summary, in the following Haskell notation a function definition takes the form of clauses that are applied to patterns of structures, namely lists. The symbol “[]” denotes the empty list, whereas the expression “(x:xs)” matches against an argument of a non-empty list, of which “x” represents the first element of the list and “xs” is the rest of the list, which may be an empty list. We use the Haskell notion of a list, which is an ordered collection of elements, to model the XACML bags of values.
A simple Haskell definition of a familiar function, “urn:oasis:names:tc:xacml:1.0:function:and”, that takes a list of booleans is defined as follows:
and :: [Bool] -> Bool
and [] = True
and (x:xs) = x && (and xs)
The first definition line, denoted by a “::”, formally describes the data-type of the function, which takes a list of booleans, denoted by “[Bool]”, and returns a boolean, denoted by “Bool”. The second definition line is a clause that states that the function “and” applied to the empty list is True. The third definition line is a clause that states that, for a non-empty list whose first element is “x”, a value of data-type Bool, the value x SHALL be combined, using the logical conjunction function denoted by the infix symbol “&&”, with the result of recursively applying the function “and” to the rest of the list. Of course, an application of the “and” function is True if and only if the list to which it is applied is empty or every element of the list is True. For example, the following Haskell expressions
(and []), (and [True]), (and [True,True]), (and [True,True,False])
evaluate to True, True, True and False, respectively.
In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.
any-of
This function applies a boolean function between a specific primitive value and a bag of values, and SHALL return True if and only if the predicate is True for at least one element of the bag.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a value of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied to the second argument and each element of the third argument (the bag), and the results were combined with “urn:oasis:names:tc:xacml:1.0:function:or”.
In Haskell, the semantics of this operation are as follows:
any_of :: (a -> b -> Bool) -> a -> [b] -> Bool
any_of f a [] = False
any_of f a (x:xs) = (f a x) || (any_of f a xs)
In the above notation, “f” is the function name to be applied, “a” is the primitive value, and “(x:xs)” represents the first element of the list as “x” and the rest of the list as “xs”.
For example, the following expression SHALL return True:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Paul</AttributeValue>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Paul</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">George</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Ringo</AttributeValue>
  </Apply>
</Apply>
This expression is True because the value “Paul” is equal to at least one of the elements of the bag.
all-of
This function applies a boolean function between a specific primitive value and a bag of values, and returns True if and only if the predicate is True for every element of the bag.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a value of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied to the second argument and each element of the third argument (the bag), and the results were combined using “urn:oasis:names:tc:xacml:1.0:function:and”.
In Haskell, the semantics of this operation are as follows:
all_of :: (a -> b -> Bool) -> a -> [b] -> Bool
all_of f a [] = True   -- the "and" of no results is True, as for "and []" above
all_of f a (x:xs) = (f a x) && (all_of f a xs)
In the above notation, “f” is the function name to be applied, “a” is the primitive value, and “(x:xs)” represents the first element of the list as “x” and the rest of the list as “xs”.
For example, the following expression SHALL evaluate to True:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:all-of">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than"/>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">10</AttributeValue>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">9</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">4</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</AttributeValue>
  </Apply>
</Apply>
This expression is True because the value 10 is greater than all of the elements of the bag.
any-of-any
This function applies a boolean function between each element of a bag of values and each element of another bag of values, and returns True if and only if the predicate is True for at least one comparison.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a bag of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied between every element in the second argument and every element of the third argument (the bag), and the results were combined using “urn:oasis:names:tc:xacml:1.0:function:or”. The semantics are that the result of the expression SHALL be True if and only if the applied predicate is True for any comparison of elements from the two bags.
In Haskell, taking advantage of the “any_of” function defined above, the semantics of the “any_of_any” function are as follows:
any_of_any :: (a -> b -> Bool) -> [a] -> [b] -> Bool
any_of_any f [] ys = False
any_of_any f (x:xs) ys = (any_of f x ys) || (any_of_any f xs ys)
In the above notation, “f” is the function name to be applied, and “(x:xs)” represents the first element of the list as “x” and the rest of the list as “xs”.
For example, the following expression SHALL evaluate to True:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Ringo</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Mary</AttributeValue>
  </Apply>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Paul</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">George</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Ringo</AttributeValue>
  </Apply>
</Apply>
This expression is True because at least one of the elements of the first bag, namely “Ringo”, is equal to at least one of the string values of the second bag.
all-of-any
This function applies a boolean function between the elements of two bags. The expression is True if and only if the predicate is True between each and all of the elements of the first bag collectively against at least one element of the second bag.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a bag of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied between every element in the second argument and every element of the third argument (the bag) using “urn:oasis:names:tc:xacml:1.0:function:and”. The semantics are that the result of the expression SHALL be True if and only if the applied predicate is True for each element of the first bag and any element of the second bag.
In Haskell, taking advantage of the “any_of” function defined in Haskell above, the semantics of the “all_of_any” function are as follows:
all_of_any :: (a -> b -> Bool) -> [a] -> [b] -> Bool
all_of_any f [] ys = True   -- combined with "and": no elements of the first bag gives True
all_of_any f (x:xs) ys = (any_of f x ys) && (all_of_any f xs ys)
In the above notation, “f” is the function name to be applied, and “(x:xs)” represents the first element of the list as “x” and the rest of the list as “xs”.
For example, the following expression SHALL evaluate to True:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:all-of-any">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than"/>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">10</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">20</AttributeValue>
  </Apply>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">5</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">21</AttributeValue>
  </Apply>
</Apply>
This expression is True because all of the elements of the first bag, each of “10” and “20”, are greater than at least one of the integer values “1”, “3”, “5”, “21” of the second bag.
any-of-all
This function applies a boolean function between the elements of two bags. The expression SHALL be True if and only if the predicate is True between at least one of the elements of the first bag collectively against all the elements of the second bag.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a bag of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied between every element in the second argument and every element of the third argument (the bag), and the results were combined using “urn:oasis:names:tc:xacml:1.0:function:or”. The semantics are that the result of the expression SHALL be True if and only if the applied predicate is True for any element of the first bag compared to all the elements of the second bag.
In Haskell, taking advantage of the “all_of” function defined in Haskell above, the semantics of the “any_of_all” function are as follows:
any_of_all :: (a -> b -> Bool) -> [a] -> [b] -> Bool
any_of_all f [] ys = False
any_of_all f (x:xs) ys = (all_of f x ys) || (any_of_all f xs ys)
In the above notation, “f” is the function name to be applied, and “(x:xs)” represents the first element of the list as “x” and the rest of the list as “xs”.
For example, the following expression SHALL evaluate to True:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-all">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than"/>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">5</AttributeValue>
  </Apply>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">4</AttributeValue>
  </Apply>
</Apply>
This expression is True because at least one element of the first bag, namely “5”, is greater than all of the integer values “1”, “2”, “3”, “4” of the second bag.
all-of-all
This function applies a boolean function between the elements of two bags. The expression SHALL be True if and only if the predicate is True between each and all of the elements of the first bag collectively against all the elements of the second bag.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a bag of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression is evaluated as if the function named in the <Function> element were applied between every element in the second argument and every element of the third argument (the bag), and the results were combined using “urn:oasis:names:tc:xacml:1.0:function:and”. The semantics are that the result of the expression is True if and only if the applied predicate is True for all elements of the first bag compared to all the elements of the second bag.
In Haskell, taking advantage of the “all_of” function defined in Haskell above, the semantics of the “all_of_all” function are as follows:
all_of_all :: (a -> b -> Bool) -> [a] -> [b] -> Bool
all_of_all f [] ys = True   -- combined with "and": no elements of the first bag gives True
all_of_all f (x:xs) ys = (all_of f x ys) && (all_of_all f xs ys)
In the above notation, “f” is the function name to be applied, and “(x:xs)” represents the first element of the list as “x” and the rest of the list as “xs”.
For example, the following expression SHALL evaluate to True:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:all-of-all">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than"/>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">6</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">5</AttributeValue>
  </Apply>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">4</AttributeValue>
  </Apply>
</Apply>
This expression is True because all elements of the first bag, “5” and “6”, are each greater than all of the integer values “1”, “2”, “3”, “4” of the second bag.
map
This function converts a bag of values to another bag of values.
This function SHALL take two arguments. The first argument SHALL be a <Function> element naming a function that takes a single argument of a primitive data-type and returns a value of a primitive data-type. The second argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied to each element in the bag, resulting in a bag of the converted values. The result SHALL be a bag of the primitive data-type that is the same data-type that is returned by the function named in the <Function> element.
In Haskell, this function is defined as follows:
map :: (a -> b) -> [a] -> [b]
map f [] = []
map f (x:xs) = (f x) : (map f xs)
In the above notation, “f” is the function name to be applied, and “(x:xs)” represents the first element of the list as “x” and the rest of the list as “xs”.
For example, the following expression
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:map">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-normalize-to-lower-case"/>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Hello</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">World</AttributeValue>
  </Apply>
</Apply>
evaluates to a bag containing “hello” and “world”.
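An added example, not the specification's Haskell or any project's code: the higher-order functions of this section in Python, together with a minimal evaluator for <Apply> expressions so that the any-of example above can be evaluated as written. Only the data-types and primitive functions used by this section's examples are wired into the function table, and the Indeterminate-as-exception modelling is an implementation choice.

```python
"""Higher-order bag functions of XACML 1.1 Appendix A.14.11 plus a small
evaluator for <Apply> trees such as this section's examples.  Added example,
not the specification's Haskell.  Bags are Python lists, Indeterminate is an
exception, and only the functions and data-types the examples use are wired in."""
import xml.etree.ElementTree as ET
from typing import Any, Callable, Dict, List

XACML_FN = "urn:oasis:names:tc:xacml:1.0:function:"
XSD = "http://www.w3.org/2001/XMLSchema#"


class Indeterminate(Exception):
    """Raised when an XACML expression cannot be evaluated."""


def any_of(f: Callable, a: Any, bag: List) -> bool:
    """any-of: f(a, x) over the bag, combined with "or"; the empty bag gives False."""
    return any(f(a, x) for x in bag)

def all_of(f: Callable, a: Any, bag: List) -> bool:
    """all-of: f(a, x) over the bag, combined with "and"; the empty bag gives True."""
    return all(f(a, x) for x in bag)

def any_of_any(f: Callable, xs: List, ys: List) -> bool:
    """any-of-any: some x in xs satisfies any_of(f, x, ys)."""
    return any(any_of(f, x, ys) for x in xs)

def all_of_any(f: Callable, xs: List, ys: List) -> bool:
    """all-of-any: every x in xs satisfies any_of(f, x, ys)."""
    return all(any_of(f, x, ys) for x in xs)

def any_of_all(f: Callable, xs: List, ys: List) -> bool:
    """any-of-all: some x in xs satisfies all_of(f, x, ys)."""
    return any(all_of(f, x, ys) for x in xs)

def all_of_all(f: Callable, xs: List, ys: List) -> bool:
    """all-of-all: every x in xs satisfies all_of(f, x, ys)."""
    return all(all_of(f, x, ys) for x in xs)

def xacml_map(f: Callable, bag: List) -> List:
    """map: apply f to each element, giving a bag of the function's result type."""
    return [f(x) for x in bag]


# Function table and data-types needed by this section's examples.
FUNCTIONS: Dict[str, Callable[..., Any]] = {
    XACML_FN + "string-equal": lambda a, b: a == b,
    XACML_FN + "integer-greater-than": lambda a, b: a > b,
    XACML_FN + "string-normalize-to-lower-case": lambda s: s.lower(),
    XACML_FN + "string-bag": lambda *xs: list(xs),
    XACML_FN + "integer-bag": lambda *xs: list(xs),
    XACML_FN + "any-of": any_of, XACML_FN + "all-of": all_of,
    XACML_FN + "any-of-any": any_of_any, XACML_FN + "all-of-any": all_of_any,
    XACML_FN + "any-of-all": any_of_all, XACML_FN + "all-of-all": all_of_all,
    XACML_FN + "map": xacml_map,
}
DATATYPES: Dict[str, Callable[[str], Any]] = {XSD + "string": str, XSD + "integer": int}


def lookup(function_id: str) -> Callable[..., Any]:
    """Resolve a FunctionId; an unknown function makes the expression Indeterminate."""
    try:
        return FUNCTIONS[function_id]
    except KeyError:
        raise Indeterminate(f"unknown function {function_id}") from None


def evaluate(node: ET.Element) -> Any:
    """Evaluate an <Apply>, <Function> or <AttributeValue> element recursively."""
    tag = node.tag.rsplit("}", 1)[-1]          # tolerate a namespace prefix
    if tag == "AttributeValue":
        parse = DATATYPES.get(node.get("DataType", ""))
        if parse is None:
            raise Indeterminate(f"unsupported DataType {node.get('DataType')}")
        return parse((node.text or "").strip())
    if tag == "Function":                      # a function passed as an argument
        return lookup(node.get("FunctionId", ""))
    if tag == "Apply":                         # evaluate children, then apply
        return lookup(node.get("FunctionId", ""))(*[evaluate(c) for c in node])
    raise Indeterminate(f"unexpected element <{tag}>")


def evaluate_xml(text: str) -> Any:
    """Parse and evaluate one expression; Indeterminate propagates as an exception."""
    return evaluate(ET.fromstring(text.strip()))


def is_indeterminate(text: str) -> bool:
    """True if evaluating the expression yields Indeterminate rather than a value."""
    try:
        evaluate_xml(text)
        return False
    except Indeterminate:
        return True


# This section's any-of example, reconstructed here as sample input.
ANY_OF_EXAMPLE = f"""<Apply FunctionId="{XACML_FN}any-of">
  <Function FunctionId="{XACML_FN}string-equal"/>
  <AttributeValue DataType="{XSD}string">Paul</AttributeValue>
  <Apply FunctionId="{XACML_FN}string-bag">
    <AttributeValue DataType="{XSD}string">John</AttributeValue>
    <AttributeValue DataType="{XSD}string">Paul</AttributeValue>
    <AttributeValue DataType="{XSD}string">George</AttributeValue>
    <AttributeValue DataType="{XSD}string">Ringo</AttributeValue>
  </Apply>
</Apply>"""
```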
A.14.12 Special match functions
These functions operate on various types and evaluate to “http://www.w3.org/2001/XMLSchema#boolean” based on the specified standard matching algorithm. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.
regexp-string-match
This function decides a regular expression match. It SHALL take two arguments of “http://www.w3.org/2001/XMLSchema#string” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. The first argument SHALL be a regular expression and the second argument SHALL be a general string. The function specification SHALL be that of the “xf:matches” function with the arguments reversed [XF Section 6.3.15].
x500Name-match
This function SHALL take two arguments of “urn:oasis:names:tc:xacml:1.0:data-type:x500Name” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return “True” if and only if the first argument matches some terminal sequence of RDNs from the second argument when compared using x500Name-equal.
rfc822Name-match
This function SHALL take two arguments, the first is of data-type “http://www.w3.org/2001/XMLSchema#string” and the second is of data-type “urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name”, and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. This function SHALL evaluate to True if the first argument matches the second argument according to the following specification.
An RFC822 name consists of a local-part followed by “@” followed by a domain-part. The local-part is case-sensitive, while the domain-part (which is usually a DNS name) is not case-sensitive (see footnote 4).
The second argument contains a complete rfc822Name. The first argument is a complete or partial rfc822Name used to select appropriate values in the second argument as follows.
In order to match a particular mailbox in the second argument, the first argument must specify the complete mail address to be matched. For example, if the first argument is “Anderson@sun.com”, this matches a value in the second argument of “Anderson@sun.com” and “Anderson@SUN.COM”, but not “Anne.Anderson@sun.com”, “anderson@sun.com” or “Anderson@east.sun.com”.
In order to match any mail address at a particular domain in the second argument, the first argument must specify only a domain name (usually a DNS name). For example, if the first argument is “sun.com”, this matches a value in the second argument of “Anderson@sun.com” or “Baxter@SUN.COM”, but not “Anderson@east.sun.com”.
In order to match any mail address in a particular domain in the second argument, the first argument must specify the desired domain-part with a leading “.”. For example, if the first argument is “.east.sun.com”, this matches a value in the second argument of “Anderson@east.sun.com” and “anne.anderson@ISRG.EAST.SUN.COM”, but not “Anderson@sun.com”.
4 According to IETF RFC822 and its successor specifications [RFC2821], case is significant in the local-part. Many mail systems, as well as the IETF PKIX specification, treat the local-part as case-insensitive. This anomaly is considered an error by mail-system designers and is not encouraged. For this reason, rfc822Name-match treats the local-part as case-sensitive.
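An added example (not the specification's text) implementing rfc822Name-match according to the three cases above, together with x500Name-match. The RDN-level equality used for x500Name-match (trimmed, case-insensitive comparison) and the distinguished names in demo() are assumptions, since the specification delegates RDN comparison to x500Name-equal; the mail addresses in demo() are the ones from the cases above.

```python
"""rfc822Name-match and x500Name-match from XACML 1.1 Appendix A.14.12, as an
added example (not the specification's text).  rfc822Name-match implements the
three cases the appendix lists: local-part case-sensitive, domain-part not.
x500Name-match compares a terminal sequence of RDNs; the RDN-level equality is
an assumption (trimmed, case-insensitive), as the spec delegates it to x500Name-equal."""
from typing import Dict, List, Tuple


class Indeterminate(Exception):
    """Raised when an argument is not a well-formed value of its data-type."""


def split_rfc822(name: str) -> Tuple[str, str]:
    """Split local-part@domain-part; Indeterminate unless there is exactly one
    '@' with a non-empty part on each side."""
    local, sep, domain = name.partition("@")
    if not sep or not local or not domain or "@" in domain:
        raise Indeterminate(f"not an rfc822Name: {name!r}")
    return local, domain


def rfc822name_match(pattern: str, name: str) -> bool:
    """First argument: complete or partial mailbox pattern (xs:string).
    Second argument: a complete rfc822Name."""
    local, domain = split_rfc822(name)
    dom = domain.lower()                         # domain-part is case-insensitive
    if "@" in pattern:
        # Case 1: a complete mailbox; the local-part must match exactly.
        p_local, p_domain = split_rfc822(pattern)
        return p_local == local and p_domain.lower() == dom
    pat = pattern.lower()
    if pat.startswith("."):
        # Case 3: ".east.sun.com" matches mailboxes at that domain or any sub-domain.
        return dom == pat[1:] or dom.endswith(pat)
    # Case 2: a bare domain matches mailboxes at exactly that domain.
    return dom == pat


def split_rdns(dn: str) -> List[str]:
    """Split a string-form distinguished name into RDNs on unescaped commas."""
    rdns: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def rdn_equal(a: str, b: str) -> bool:
    """Assumed stand-in for x500Name-equal at RDN level: trimmed, case-insensitive."""
    return a.strip().lower() == b.strip().lower()


def x500name_match(suffix: str, name: str) -> bool:
    """True iff the RDNs of suffix equal a terminal sequence of the RDNs of name."""
    s, n = split_rdns(suffix), split_rdns(name)
    if not suffix.strip() or len(s) > len(n):
        return False
    return all(rdn_equal(a, b) for a, b in zip(s, n[len(n) - len(s):]))


def demo() -> Dict[str, bool]:
    """The appendix's own rfc822Name examples plus constructed x500Name inputs."""
    return {
        "mailbox_exact": rfc822name_match("Anderson@sun.com", "Anderson@sun.com"),           # True
        "mailbox_domain_case": rfc822name_match("Anderson@sun.com", "Anderson@SUN.COM"),     # True
        "mailbox_local_case": rfc822name_match("Anderson@sun.com", "anderson@sun.com"),      # False
        "mailbox_subdomain": rfc822name_match("Anderson@sun.com", "Anderson@east.sun.com"),  # False
        "domain": rfc822name_match("sun.com", "Baxter@SUN.COM"),                             # True
        "domain_subdomain": rfc822name_match("sun.com", "Anderson@east.sun.com"),            # False
        "dot_domain": rfc822name_match(".east.sun.com", "anne.anderson@ISRG.EAST.SUN.COM"),  # True
        "dot_domain_parent": rfc822name_match(".east.sun.com", "Anderson@sun.com"),          # False
        # Constructed DNs: the suffix must be a terminal sequence of RDNs.
        "x500_terminal": x500name_match("O=Medico Corp,C=US", "CN=John Smith,O=Medico Corp,C=US"),  # True
        "x500_not_terminal": x500name_match("O=Medico Corp", "CN=John Smith,O=Medico Corp,C=US"),   # False
    }
```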
A.14.13 XPath-based functions

This section specifies functions that take XPath expressions for arguments. An XPath expression evaluates to a node-set, which is a set of XML nodes that match the expression. A node or node-set is not in the formal data-type system of XACML. All comparison or other operations on node-sets are performed in the isolation of the particular function specified. The XPath expressions in these functions are restricted to the XACML request context. The <xacml-context:Request> element is the context node for every XPath expression. The following functions are defined:

xpath-node-count

This function SHALL take an “http://www.w3.org/2001/XMLSchema#string” as an argument, which SHALL be interpreted as an XPath expression, and evaluates to an “http://www.w3.org/2001/XMLSchema#integer”. The value returned from the function SHALL be the count of the nodes within the node-set that matches the given XPath expression.

xpath-node-equal

This function SHALL take two “http://www.w3.org/2001/XMLSchema#string” arguments, which SHALL be interpreted as XPath expressions, and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. The function SHALL return “True” if any XML node from the node-set matched by the first argument equals, according to the “op:node-equal” function [XF Section 13.1.6], any XML node from the node-set matched by the second argument.

xpath-node-match

This function SHALL take two “http://www.w3.org/2001/XMLSchema#string” arguments, which SHALL be interpreted as XPath expressions, and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. This function SHALL evaluate to “True” if either of the following two conditions is satisfied: (1) Any XML node from the node-set matched by the first argument is equal, according to “op:node-equal” [XF Section 13.1.6], to any XML node from the node-set matched by the second argument. (2) Any attribute and element node below any XML node from the node-set matched by the first argument is equal, according to “op:node-equal” [XF Section 13.1.6], to any XML node from the node-set matched by the second argument.

NOTE: The first condition is equivalent to xpath-node-equal, and guarantees that xpath-node-equal is a special case of xpath-node-match.
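An added example, not from the specification: the three functions above implemented with Python's xml.etree.ElementTree over a constructed request context. ElementTree supports only a subset of XPath 1.0 and has no attribute nodes, so node equality here is element identity (the role op:node-equal plays in the text) and xpath-node-match considers element descendants only. The XACML namespace prefixes are omitted from the constructed context so the ElementTree path syntax can address the elements directly; the function and variable names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed request context (not an example from the specification).  Namespace
# prefixes are dropped so that ElementTree's XPath subset can address the elements.
REQUEST_XML = """
<Request>
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
      <AttributeValue>alice</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <ResourceContent>
      <record>
        <patient><name>Bob</name></patient>
        <medical><diagnosis>flu</diagnosis></medical>
      </record>
    </ResourceContent>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
      <AttributeValue>urn:example:record:1</AttributeValue>
    </Attribute>
  </Resource>
  <Action/>
</Request>
""".strip()


def parse_request(xml_text: str) -> ET.Element:
    """Return the <Request> element, which is the context node for every expression."""
    return ET.fromstring(xml_text)


def xpath_node_count(request: ET.Element, expr: str) -> int:
    """xpath-node-count: the number of nodes in the node-set selected by expr."""
    return len(request.findall(expr))


def xpath_node_equal(request: ET.Element, expr_a: str, expr_b: str) -> bool:
    """xpath-node-equal: True if some node of set A is the same node as some node
    of set B.  Identity (`is`) stands in for op:node-equal on ElementTree nodes."""
    right = request.findall(expr_b)
    return any(a is b for a in request.findall(expr_a) for b in right)


def xpath_node_match(request: ET.Element, expr_a: str, expr_b: str) -> bool:
    """xpath-node-match: True if a node of set A, or any element node below it,
    is a node of set B.  ElementTree exposes no attribute nodes, so condition (2)
    of the text is applied to element descendants only."""
    right = request.findall(expr_b)
    for a in request.findall(expr_a):
        for node in a.iter():  # `a` itself first, then all of its descendants
            if any(node is b for b in right):
                return True
    return False
```

Evaluating every expression relative to the Request element, rather than the whole document, is what keeps these functions confined to the request context as the section requires; an expression such as `.//diagnosis` can reach into resource content, but nothing outside the Request.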
A.14.14 Extension functions and primitive types

Functions and primitive types are specified by string identifiers, allowing for the introduction of functions in addition to those specified by XACML. This approach allows one to extend the XACML module with special functions and special primitive data-types.

In order to preserve some integrity to the XACML evaluation strategy, the result of all function applications SHALL depend only on the values of its arguments. Global and hidden parameters SHALL NOT affect the evaluation of an expression. Functions SHALL NOT have side effects, as evaluation order cannot be guaranteed in a standard way.
Appendix B. XACML identifiers (normative)

This section defines standard identifiers for commonly used entities. All XACML-defined identifiers have the common base:

urn:oasis:names:tc:xacml:1.0

B.1 XACML namespaces

There are currently two defined XACML namespaces.

Policies are defined using this identifier:
urn:oasis:names:tc:xacml:1.0:policy

Request and response contexts are defined using this identifier:
urn:oasis:names:tc:xacml:1.0:context

B.2 Access subject categories

This identifier indicates the system entity that initiated the access request. That is, the initial entity in a request chain. If subject category is not specified, this is the default value.
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject

This identifier indicates the system entity that will receive the results of the request. Used when it is distinct from the access-subject.
urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject

This identifier indicates a system entity through which the access request was passed. There may be more than one. No means is provided to specify the order in which they passed the message.
urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject

This identifier indicates a system entity associated with a local or remote codebase that generated the request. Corresponding subject attributes might include the URL from which it was loaded and/or the identity of the code-signer. There may be more than one. No means is provided to specify the order they processed the request.
urn:oasis:names:tc:xacml:1.0:subject-category:codebase

This identifier indicates a system entity associated with the computer that initiated the access request. An example would be an IPsec identity.
urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine

B.3 XACML functions

This identifier is the base for all the identifiers in the table of functions. See Section A.1.
urn:oasis:names:tc:xacml:1.0:function

B.4 Data-types

The following identifiers indicate useful data-types.

X.500 distinguished name
urn:oasis:names:tc:xacml:1.0:data-type:x500Name

An x500Name contains an ITU-T Rec. X.520 Distinguished Name. The valid syntax for such a name is described in IETF RFC 2253, “Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names”.

RFC822 Name
urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name

An rfc822Name contains an e-mail name. The valid syntax for such a name is described in IETF RFC 2821, Section 4.1.2, Command Argument Syntax, under the term “Mailbox”.

The following data-type identifiers are defined by XML Schema:
http://www.w3.org/2001/XMLSchema#string
http://www.w3.org/2001/XMLSchema#boolean
http://www.w3.org/2001/XMLSchema#integer
http://www.w3.org/2001/XMLSchema#double
http://www.w3.org/2001/XMLSchema#time
http://www.w3.org/2001/XMLSchema#date
http://www.w3.org/2001/XMLSchema#dateTime
http://www.w3.org/2001/XMLSchema#anyURI
http://www.w3.org/2001/XMLSchema#hexBinary
http://www.w3.org/2001/XMLSchema#base64Binary

The following data-type identifiers correspond to the dayTimeDuration and yearMonthDuration data-types defined in [XF Sections 8.2.2 and 8.2.1, respectively]:
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration

B.5 Subject attributes

These identifiers indicate attributes of a subject. When used, they SHALL appear within a <Subject> element of the request context. They SHALL be accessed via a <SubjectAttributeDesignator> or an <AttributeSelector> element pointing into a <Subject> element of the request context.

At most one of each of these attributes is associated with each subject. Each attribute associated with authentication included within a single <Subject> element relates to the same authentication event.

This identifier indicates the name of the subject. The default format is http://www.w3.org/2001/XMLSchema#string. To indicate other formats, use DataType attributes listed in B.4.
urn:oasis:names:tc:xacml:1.0:subject:subject-id

This identifier indicates the subject category; “access-subject” is the default.
urn:oasis:names:tc:xacml:1.0:subject-category

This identifier indicates the security domain of the subject. It identifies the administrator and policy that manages the name-space in which the subject id is administered.
urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier

This identifier indicates a public key used to confirm the subject’s identity.
urn:oasis:names:tc:xacml:1.0:subject:key-info

This identifier indicates the time at which the subject was authenticated.
urn:oasis:names:tc:xacml:1.0:subject:authentication-time

This identifier indicates the method used to authenticate the subject.
urn:oasis:names:tc:xacml:1.0:subject:authentication-method
This identifier indicates the time at which the subject initiated the access request, according to the PEP.
urn:oasis:names:tc:xacml:1.0:subject:request-time

This identifier indicates the time at which the subject’s current session began, according to the PEP.
urn:oasis:names:tc:xacml:1.0:subject:session-start-time

The following identifiers indicate the location where authentication credentials were activated. They are intended to support the corresponding entities from the SAML authentication statement.

This identifier indicates that the location is expressed as an IP address.
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address

This identifier indicates that the location is expressed as a DNS name.
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name

Where a suitable attribute is already defined in LDAP [LDAP-1, LDAP-2], the XACML identifier SHALL be formed by adding the attribute name to the URI of the LDAP specification. For example, the attribute name for the userPassword defined in the rfc2256 SHALL be:
http://www.ietf.org/rfc/rfc2256.txt#userPassword

B.6 Resource attributes

These identifiers indicate attributes of the resource. When used, they SHALL appear within the <Resource> element of the request context. They SHALL be accessed via a <ResourceAttributeDesignator> or an <AttributeSelector> element pointing into the <Resource> element of the request context.

This identifier indicates the entire URI of the resource.
urn:oasis:names:tc:xacml:1.0:resource:resource-id

A resource attribute used to indicate values extracted from the resource.
urn:oasis:names:tc:xacml:1.0:resource:resource-content

This identifier indicates the last (rightmost) component of the file name. For example, if the URI is “filehomemystatuspointer”, the simple-file-name is “status”.
urn:oasis:names:tc:xacml:1.0:resource:simple-file-name

This identifier indicates that the resource is specified by an XPath expression.
urn:oasis:names:tc:xacml:1.0:resource:xpath

This identifier indicates a UNIX file-system path.
urn:oasis:names:tc:xacml:1.0:resource:ufs-path

This identifier indicates the scope of the resource, as described in Section 7.8.
urn:oasis:names:tc:xacml:1.0:resource:scope

The allowed value for this attribute is of data-type http://www.w3.org/2001/XMLSchema#string and is either “Immediate”, “Children” or “Descendants”.

B.7 Action attributes

These identifiers indicate attributes of the action being requested. When used, they SHALL appear within the <Action> element of the request context. They SHALL be accessed via an <ActionAttributeDesignator> or an <AttributeSelector> element pointing into the <Action> element of the request context.
urn:oasis:names:tc:xacml:1.0:action:action-id

Action namespace.
urn:oasis:names:tc:xacml:1.0:action:action-namespace

Implied action. This is the value for the action-id attribute when the action is implied.
urn:oasis:names:tc:xacml:1.0:action:implied-action

B.8 Environment attributes

These identifiers indicate attributes of the environment within which the decision request is to be evaluated. When used in the decision request, they SHALL appear in the <Environment> element of the request context. They SHALL be accessed via an <EnvironmentAttributeDesignator> or an <AttributeSelector> element pointing into the <Environment> element of the request context.

This identifier indicates the current time at the PDP. In practice, it is the time at which the request context was created.
urn:oasis:names:tc:xacml:1.0:environment:current-time
urn:oasis:names:tc:xacml:1.0:environment:current-date
urn:oasis:names:tc:xacml:1.0:environment:current-dateTime

B.9 Status codes

The following status code identifiers are defined.

This identifier indicates success.
urn:oasis:names:tc:xacml:1.0:status:ok

This identifier indicates that attributes necessary to make a policy decision were not available.
urn:oasis:names:tc:xacml:1.0:status:missing-attribute

This identifier indicates that some attribute value contained a syntax error, such as a letter in a numeric field.
urn:oasis:names:tc:xacml:1.0:status:syntax-error

This identifier indicates that an error occurred during policy evaluation. An example would be division by zero.
urn:oasis:names:tc:xacml:1.0:status:processing-error

B.10 Combining algorithms

The deny-overrides rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides

The deny-overrides policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides

The permit-overrides rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides

The permit-overrides policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides
The first-applicable rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable

The first-applicable policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable

The only-one-applicable-policy policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable

The ordered-deny-overrides rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-deny-overrides

The ordered-deny-overrides policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-deny-overrides

The ordered-permit-overrides rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides

The ordered-permit-overrides policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides
Appendix C. Combining algorithms (normative)

This section contains a description of the rule-combining and policy-combining algorithms specified by XACML.

C.1 Deny-overrides

The following specification defines the “Deny-overrides” rule-combining algorithm of a policy.

In the entire set of rules in the policy, if any rule evaluates to “Deny”, then the result of the rule combination SHALL be “Deny”. If any rule evaluates to “Permit” and all other rules evaluate to “NotApplicable”, then the result of the rule combination SHALL be “Permit”. In other words, “Deny” takes precedence, regardless of the result of evaluating any of the other rules in the combination. If all rules are found to be “NotApplicable” to the decision request, then the rule combination SHALL evaluate to “NotApplicable”.

If an error occurs while evaluating the target or condition of a rule that contains an effect value of “Deny”, then the evaluation SHALL continue to evaluate subsequent rules, looking for a result of “Deny”. If no other rule evaluates to “Deny”, then the combination SHALL evaluate to “Indeterminate”, with the appropriate error status.

If at least one rule evaluates to “Permit”, all other rules that do not have evaluation errors evaluate to “Permit” or “NotApplicable”, and all rules that do have evaluation errors contain effects of “Permit”, then the result of the combination SHALL be “Permit”.

The following pseudo-code represents the evaluation strategy of this rule-combining algorithm (the loop bound is lengthOf(rule), the array the routine is passed):

    Decision denyOverridesRuleCombiningAlgorithm(Rule rule[])
    {
        Boolean atLeastOneError  = false;
        Boolean potentialDeny    = false;
        Boolean atLeastOnePermit = false;
        for( i = 0; i < lengthOf(rule); i++ )
        {
            Decision decision = evaluate(rule[i]);
            if (decision == Deny) { return Deny; }
            if (decision == Permit) { atLeastOnePermit = true; continue; }
            if (decision == NotApplicable) { continue; }
            if (decision == Indeterminate)
            {
                atLeastOneError = true;
                if (effect(rule[i]) == Deny) { potentialDeny = true; }
                continue;
            }
        }
        if (potentialDeny) { return Indeterminate; }
        if (atLeastOnePermit) { return Permit; }
        if (atLeastOneError) { return Indeterminate; }
        return NotApplicable;
    }

The following specification defines the “Deny-overrides” policy-combining algorithm of a policy set.

In the entire set of policies in the policy set, if any policy evaluates to “Deny”, then the result of the policy combination SHALL be “Deny”. In other words, “Deny” takes precedence, regardless of the result of evaluating any of the other policies in the policy set. If all policies are found to be “NotApplicable” to the decision request, then the policy set SHALL evaluate to “NotApplicable”.

If an error occurs while evaluating the target of a policy, or a reference to a policy is considered invalid, or the policy evaluation results in “Indeterminate”, then the policy set SHALL evaluate to “Deny”.

The following pseudo-code represents the evaluation strategy of this policy-combining algorithm:

    Decision denyOverridesPolicyCombiningAlgorithm(Policy policy[])
    {
        Boolean atLeastOnePermit = false;
        for( i = 0; i < lengthOf(policy); i++ )
        {
            Decision decision = evaluate(policy[i]);
            if (decision == Deny) { return Deny; }
            if (decision == Permit) { atLeastOnePermit = true; continue; }
            if (decision == NotApplicable) { continue; }
            if (decision == Indeterminate) { return Deny; }
        }
        if (atLeastOnePermit) { return Permit; }
        return NotApplicable;
    }

Obligations of the individual policies shall be combined as described in Section 7.11.
C.2 Ordered-deny-overrides (non-normative)

The following specification defines the “Ordered-deny-overrides” rule-combining algorithm of a policy.

The behavior of this algorithm is identical to that of the “Deny-overrides” rule-combining algorithm with one exception. The order in which the collection of rules is evaluated SHALL match the order as listed in the policy.

The following specification defines the “Ordered-deny-overrides” policy-combining algorithm of a policy set.

The behavior of this algorithm is identical to that of the “Deny-overrides” policy-combining algorithm with one exception. The order in which the collection of policies is evaluated SHALL match the order as listed in the policy set.

C.3 Permit-overrides

The following specification defines the “Permit-overrides” rule-combining algorithm of a policy.

In the entire set of rules in the policy, if any rule evaluates to “Permit”, then the result of the rule combination SHALL be “Permit”. If any rule evaluates to “Deny” and all other rules evaluate to “NotApplicable”, then the policy SHALL evaluate to “Deny”. In other words, “Permit” takes precedence, regardless of the result of evaluating any of the other rules in the policy. If all rules are found to be “NotApplicable” to the decision request, then the policy SHALL evaluate to “NotApplicable”.

If an error occurs while evaluating the target or condition of a rule that contains an effect of “Permit”, then the evaluation SHALL continue, looking for a result of “Permit”. If no other rule evaluates to “Permit”, then the policy SHALL evaluate to “Indeterminate”, with the appropriate error status.

If at least one rule evaluates to “Deny”, all other rules that do not have evaluation errors evaluate to “Deny” or “NotApplicable”, and all rules that do have evaluation errors contain an effect value of “Deny”, then the policy SHALL evaluate to “Deny”.

The following pseudo-code represents the evaluation strategy of this rule-combining algorithm:

    Decision permitOverridesRuleCombiningAlgorithm(Rule rule[])
    {
        Boolean atLeastOneError = false;
        Boolean potentialPermit = false;
        Boolean atLeastOneDeny  = false;
        for( i = 0; i < lengthOf(rule); i++ )
        {
            Decision decision = evaluate(rule[i]);
            if (decision == Deny) { atLeastOneDeny = true; continue; }
            if (decision == Permit) { return Permit; }
            if (decision == NotApplicable) { continue; }
            if (decision == Indeterminate)
            {
                atLeastOneError = true;
                if (effect(rule[i]) == Permit) { potentialPermit = true; }
                continue;
            }
        }
        if (potentialPermit) { return Indeterminate; }
        if (atLeastOneDeny) { return Deny; }
        if (atLeastOneError) { return Indeterminate; }
        return NotApplicable;
    }

The following specification defines the “Permit-overrides” policy-combining algorithm of a policy set.

In the entire set of policies in the policy set, if any policy evaluates to “Permit”, then the result of the policy combination SHALL be “Permit”. In other words, “Permit” takes precedence, regardless of the result of evaluating any of the other policies in the policy set. If all policies are found to be “NotApplicable” to the decision request, then the policy set SHALL evaluate to “NotApplicable”.

If an error occurs while evaluating the target of a policy, a reference to a policy is considered invalid, or the policy evaluation results in “Indeterminate”, then the policy set SHALL evaluate to “Indeterminate”, with the appropriate error status, provided no other policies evaluate to “Permit” or “Deny”.

The following pseudo-code represents the evaluation strategy of this policy-combining algorithm:

    Decision permitOverridesPolicyCombiningAlgorithm(Policy policy[])
    {
        Boolean atLeastOneError = false;
        Boolean atLeastOneDeny  = false;
        for( i = 0; i < lengthOf(policy); i++ )
        {
            Decision decision = evaluate(policy[i]);
            if (decision == Deny) { atLeastOneDeny = true; continue; }
            if (decision == Permit) { return Permit; }
            if (decision == NotApplicable) { continue; }
            if (decision == Indeterminate) { atLeastOneError = true; continue; }
        }
        if (atLeastOneDeny) { return Deny; }
        if (atLeastOneError) { return Indeterminate; }
        return NotApplicable;
    }

Obligations of the individual policies shall be combined as described in Section 7.11.

C.4 Ordered-permit-overrides (non-normative)

The following specification defines the “Ordered-permit-overrides” rule-combining algorithm of a policy.

The behavior of this algorithm is identical to that of the “Permit-overrides” rule-combining algorithm with one exception. The order in which the collection of rules is evaluated SHALL match the order as listed in the policy.

The following specification defines the “Ordered-permit-overrides” policy-combining algorithm of a policy set.

The behavior of this algorithm is identical to that of the “Permit-overrides” policy-combining algorithm with one exception. The order in which the collection of policies is evaluated SHALL match the order as listed in the policy set.

C.5 First-applicable

The following specification defines the “First-Applicable” rule-combining algorithm of a policy.

Each rule SHALL be evaluated in the order in which it is listed in the policy. For a particular rule, if the target matches and the condition evaluates to “True”, then the evaluation of the policy SHALL halt and the corresponding effect of the rule SHALL be the result of the evaluation of the policy (i.e. “Permit” or “Deny”). For a particular rule selected in the evaluation, if the target evaluates to “False” or the condition evaluates to “False”, then the next rule in the order SHALL be evaluated. If no further rule in the order exists, then the policy SHALL evaluate to “NotApplicable”.

If an error occurs while evaluating the target or condition of a rule, then the evaluation SHALL halt, and the policy shall evaluate to “Indeterminate”, with the appropriate error status.

The following pseudo-code represents the evaluation strategy of this rule-combining algorithm:

    Decision firstApplicableEffectRuleCombiningAlgorithm(Rule rule[])
    {
        for( i = 0; i < lengthOf(rule); i++ )
        {
            Decision decision = evaluate(rule[i]);
            if (decision == Deny) { return Deny; }
            if (decision == Permit) { return Permit; }
            if (decision == NotApplicable) { continue; }
            if (decision == Indeterminate) { return Indeterminate; }
        }
        return NotApplicable;
    }

The following specification defines the “First-applicable” policy-combining algorithm of a policy set.

Each policy is evaluated in the order that it appears in the policy set. For a particular policy, if the target evaluates to “True” and the policy evaluates to a determinate value of “Permit” or “Deny”, then the evaluation SHALL halt and the policy set SHALL evaluate to the effect value of that policy. For a particular policy, if the target evaluates to “False” or the policy evaluates to “NotApplicable”, then the next policy in the order SHALL be evaluated. If no further policy exists in the order, then the policy set SHALL evaluate to “NotApplicable”.

If an error were to occur when evaluating the target or when evaluating a specific policy, the reference to the policy is considered invalid, or the policy itself evaluates to “Indeterminate”, then the evaluation of the policy-combining algorithm shall halt and the policy set shall evaluate to “Indeterminate”, with an appropriate error status.

The following pseudo-code represents the evaluation strategy of this policy-combining algorithm:

    Decision firstApplicableEffectPolicyCombiningAlgorithm(Policy policy[])
    {
        for( i = 0; i < lengthOf(policy); i++ )
        {
            Decision decision = evaluate(policy[i]);
            if (decision == Deny) { return Deny; }
            if (decision == Permit) { return Permit; }
            if (decision == NotApplicable) { continue; }
            if (decision == Indeterminate) { return Indeterminate; }
        }
        return NotApplicable;
    }
Obligations of the individual policies shall be combined as described in Section 7.11.

C.6 Only-one-applicable

The following specification defines the “Only-one-applicable” policy-combining algorithm of a policy set.

In the entire set of policies in the policy set, if no policy is considered applicable by virtue of their targets, then the result of the policy combination algorithm SHALL be “NotApplicable”. If more than one policy is considered applicable by virtue of their targets, then the result of the policy combination algorithm SHALL be “Indeterminate”.

If only one policy is considered applicable by evaluation of the policy targets, then the result of the policy-combining algorithm SHALL be the result of evaluating the policy.

If an error occurs while evaluating the target of a policy, or a reference to a policy is considered invalid, or the policy evaluation results in “Indeterminate”, then the policy set SHALL evaluate to “Indeterminate”, with the appropriate error status.

The following pseudo-code represents the evaluation strategy of this policy-combining algorithm (the loop index is i throughout; the policy selected is the one whose target matched):

    Decision onlyOneApplicablePolicyPolicyCombiningAlgorithm(Policy policy[])
    {
        Boolean atLeastOne = false;
        Policy selectedPolicy = null;
        ApplicableResult appResult;
        for( i = 0; i < lengthOf(policy); i++ )
        {
            appResult = isApplicable(policy[i]);
            if (appResult == Indeterminate) { return Indeterminate; }
            if (appResult == Applicable)
            {
                if (atLeastOne) { return Indeterminate; }
                else { atLeastOne = true; selectedPolicy = policy[i]; }
            }
            if (appResult == NotApplicable) { continue; }
        }
        if (atLeastOne) { return evaluate(selectedPolicy); }
        else { return NotApplicable; }
    }
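The cases that matter most to a PDP are the error paths: an “Indeterminate” rule whose effect would have been the dominant one, an invalid policy reference under deny-overrides versus permit-overrides, and two applicable policies under only-one-applicable. The following is an added Python implementation of C.1, C.3, C.5 and C.6 that exercises exactly those paths; it is illustrative code, not part of the specification or of any XACML implementation. The Rule and Policy classes, whose constructed `outcome` and `applicable` fields stand in for real target and condition evaluation, are this example's own assumption. Deny-overrides and permit-overrides are written once, parameterised by the dominant effect, which generalises the two separate routines the pseudo-code above gives.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Decision values of the XACML evaluation model.
DENY, PERMIT, NOT_APPLICABLE, INDETERMINATE = "Deny", "Permit", "NotApplicable", "Indeterminate"
APPLICABLE = "Applicable"  # target-evaluation result used by only-one-applicable

@dataclass
class Rule:
    effect: str   # the rule's declared Effect: PERMIT or DENY
    outcome: str  # constructed result of evaluating the rule's target and condition

@dataclass
class Policy:
    applicable: str  # constructed target result: APPLICABLE, NOT_APPLICABLE or INDETERMINATE
    outcome: str     # constructed result of evaluating the policy when its target matches

def evaluate_rule(rule: Rule) -> str:
    return rule.outcome

def evaluate_policy(policy: Policy) -> str:
    if policy.applicable == INDETERMINATE:
        return INDETERMINATE
    if policy.applicable == NOT_APPLICABLE:
        return NOT_APPLICABLE
    return policy.outcome

def overrides_rules(rules: List[Rule], dominant: str) -> str:
    """C.1 deny-overrides (dominant=DENY) and C.3 permit-overrides (dominant=PERMIT)
    rule-combining, written once because the two algorithms are mirror images."""
    other = PERMIT if dominant == DENY else DENY
    at_least_one_error = potential_dominant = at_least_one_other = False
    for rule in rules:
        decision = evaluate_rule(rule)
        if decision == dominant:
            return dominant                 # the dominant effect short-circuits
        if decision == other:
            at_least_one_other = True
        elif decision == INDETERMINATE:
            at_least_one_error = True
            if rule.effect == dominant:     # the error may have hidden a dominant result
                potential_dominant = True
    if potential_dominant:
        return INDETERMINATE
    if at_least_one_other:
        return other                        # errors only in rules of the other effect
    if at_least_one_error:
        return INDETERMINATE
    return NOT_APPLICABLE

def deny_overrides_rules(rules: List[Rule]) -> str:
    return overrides_rules(rules, DENY)

def permit_overrides_rules(rules: List[Rule]) -> str:
    return overrides_rules(rules, PERMIT)

def deny_overrides_policies(policies: List[Policy]) -> str:
    """C.1 policy-combining: any error fails closed to Deny."""
    at_least_one_permit = False
    for policy in policies:
        decision = evaluate_policy(policy)
        if decision in (DENY, INDETERMINATE):
            return DENY
        if decision == PERMIT:
            at_least_one_permit = True
    return PERMIT if at_least_one_permit else NOT_APPLICABLE

def permit_overrides_policies(policies: List[Policy]) -> str:
    """C.3 policy-combining: an explicit Deny outranks an error."""
    at_least_one_deny = at_least_one_error = False
    for policy in policies:
        decision = evaluate_policy(policy)
        if decision == PERMIT:
            return PERMIT
        if decision == DENY:
            at_least_one_deny = True
        elif decision == INDETERMINATE:
            at_least_one_error = True
    if at_least_one_deny:
        return DENY
    return INDETERMINATE if at_least_one_error else NOT_APPLICABLE

def first_applicable(items, evaluate: Callable) -> str:
    """C.5 for rules or policies: the first determinate result, or first error, decides."""
    for item in items:
        decision = evaluate(item)
        if decision != NOT_APPLICABLE:
            return decision
    return NOT_APPLICABLE

def only_one_applicable(policies: List[Policy]) -> str:
    """C.6: exactly one target may match; ambiguity or a target error is Indeterminate."""
    selected: Optional[Policy] = None
    for policy in policies:
        if policy.applicable == INDETERMINATE:
            return INDETERMINATE
        if policy.applicable == APPLICABLE:
            if selected is not None:
                return INDETERMINATE
            selected = policy
    return evaluate_policy(selected) if selected is not None else NOT_APPLICABLE
```

The asymmetry between the two policy-combining routines is the point to notice when choosing an algorithm for a policy set: under deny-overrides an invalid policy reference or a failed target evaluation becomes a “Deny”, whereas under permit-overrides the same error becomes “Indeterminate” unless some other policy reached a determinate result.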
Appendix D. Acknowledgments

The following individuals contributed to the development of the specification:

Anne Anderson
Bill Parducci
Carlisle Adams
Daniel Engovatov
Don Flinn
Ernesto Damiani
Gerald Brose
Hal Lockhart
James MacLean
John Merrells
Ken Yagen
Konstantin Beznosov
Michiharu Kudo
Pierangela Samarati
Pirasenna Velandai Thiyagarajan
Polar Humenn
Satoshi Hada
Sekhar Vajjhala
Seth Proctor
Simon Godik
Steve Anderson
Steve Crocker
Suresh Damodaran
Tim Moses
Appendix E. Revision history

Rev       Date          By whom                      What
OS V1.0   18 Feb 2003   XACML Technical Committee    OASIS Standard
Appendix F. Notices

OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification, can be obtained from the OASIS Executive Director.

OASIS has been notified of intellectual property rights claimed in regard to some or all of the contents of this specification. For more information, consult the online list of claimed rights.

OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director.

Copyright (C) OASIS Open 2003. All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.

This document and the information contained herein is provided on an “AS IS” basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
41 Example one25
411 Example policy25
412 Example request context27
413 Example response context28
42 Example two28
421 Example medical record instance29
422 Example request context30
423 Example plain-language rules32
424 Example XACML rule instances32
oasis--xacml-11pdf 3
6
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
7
5 Policy syntax (normative with the exception of the schema fragments)46
51 Element ltPolicySetgt46
52 Element ltDescriptiongt47
53 Element ltPolicySetDefaultsgt47
54 Element ltXPathVersiongt48
55 Element ltTargetgt48
56 Element ltSubjectsgt49
57 Element ltSubjectgt49
58 Element ltAnySubjectgt49
59 Element ltSubjectMatchgt49
510 Element ltResourcesgt50
511 Element ltResourcegt50
512 Element ltAnyResourcegt51
513 Element ltResourceMatchgt51
514 Element ltActionsgt52
515 Element ltActiongt52
516 Element ltAnyActiongt52
517 Element ltActionMatchgt52
518 Element ltPolicySetIdReferencegt53
519 Element ltPolicyIdReferencegt53
520 Element ltPolicygt53
521 Element ltPolicyDefaultsgt55
522 Element ltRulegt55
523 Simple type EffectType56
524 Element ltConditiongt56
525 Element ltApplygt56
526 Element ltFunctiongt57
527 Complex type AttributeDesignatorType57
528 Element ltSubjectAttributeDesignatorgt58
529 Element ltResourceAttributeDesignatorgt59
530 Element ltActionAttributeDesignatorgt60
531 Element ltEnvironmentAttributeDesignatorgt60
532 Element ltAttributeSelectorgt61
533 Element ltAttributeValuegt62
534 Element ltObligationsgt63
535 Element ltObligationgt63
536 Element ltAttributeAssignmentgt64
oasis--xacml-11pdf 4
8
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
9
6 Context syntax (normative with the exception of the schema fragments)64
61 Element ltRequestgt64
62 Element ltSubjectgt65
63 Element ltResourcegt66
64 Element ltResourceContentgt66
65 Element ltActiongt67
66 Element ltEnvironmentgt67
67 Element ltAttributegt67
68 Element ltAttributeValuegt68
69 Element ltResponsegt68
610 Element ltResultgt69
611 Element ltDecisiongt70
612 Element ltStatusgt70
613 Element ltStatusCodegt71
614 Element ltStatusMessagegt71
615 Element ltStatusDetailgt71
7 Functional requirements (normative)72
71 Policy enforcement point72
72 Base policy72
73 Target evaluation73
74 Condition evaluation73
75 Rule evaluation73
76 Policy evaluation73
77 Policy Set evaluation74
78 Hierarchical resources75
79 Attributes76
791 Attribute Matching76
792 Attribute Retrieval76
793 Environment Attributes77
710 Authorization decision77
711 Obligations 77
712 Unsupported functionality78
713 Syntax and type errors78
8 XACML extensibility points (non-normative)78
81 Extensible XML attribute types78
82 Structured attributes79
9 Security and privacy considerations (non-normative)79
oasis--xacml-11pdf 5
10
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
11
91 Threat model 79
911 Unauthorized disclosure80
912 Message replay80
913 Message insertion80
914 Message deletion80
915 Message modification80
916 NotApplicable results81
917 Negative rules81
92 Safeguards82
921 Authentication82
922 Policy administration82
923 Confidentiality82
924 Policy integrity83
925 Policy identifiers83
926 Trust model84
927 Privacy 84
10 Conformance (normative)84
101 Introduction84
102 Conformance tables84
1021 Schema elements85
1022 Identifier Prefixes86
1023 Algorithms86
1024 Status Codes86
1025 Attributes87
1026 Identifiers87
1027 Data-types87
1028 Functions88
11 References 92
Appendix A Standard data-types functions and their semantics (normative)94
A1 Introduction 94
A2 Primitive types 94
A3 Structured types 95
A4 Representations 95
A5 Bags 96
A6 Expressions 96
A7 Element ltAttributeValuegt97
A8 Elements ltAttributeDesignatorgt and ltAttributeSelectorgt97
oasis--xacml-11pdf 6
12
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
13
A9 Element ltApplygt97
A10 Element ltConditiongt97
A11 Element ltFunctiongt98
A12 Matching elements98
A13 Arithmetic evaluation99
A14 XACML standard functions100
A141 Equality predicates100
A142 Arithmetic functions102
A143 String conversion functions103
A144 Numeric data-type conversion functions103
A145 Logical functions103
A146 Arithmetic comparison functions104
A147 Date and time arithmetic functions105
A148 Non-numeric comparison functions106
A149 Bag functions108
A1410 Set functions109
A1411 Higher-order bag functions110
A1412 Special match functions117
A1413 XPath-based functions118
A1414 Extension functions and primitive types118
Appendix B XACML identifiers (normative)119
B1 XACML namespaces119
B2 Access subject categories119
B3 XACML functions119
B4 Data-types 119
B5 Subject attributes120
B6 Resource attributes121
B7 Action attributes 121
B8 Environment attributes122
B9 Status codes 122
B10 Combining algorithms122
Appendix C Combining algorithms (normative)124
C1 Deny-overrides124
C2 Ordered-deny-overrides (non-normative)126
C3 Permit-overrides126
C4 Ordered-permit-overrides (non-normative)128
C5 First-applicable128
oasis--xacml-11pdf 7
14
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
15
C6 Only-one-applicable130
Appendix D Acknowledgments132
Appendix E Revision history133
Appendix F Notices134
oasis--xacml-11pdf 8
16
221
222
223
224225
226
17
Errata
Errata can be found at the following location:
http://www.oasis-open.org/committees/xacml/repository/errata-001.pdf
1 Introduction (non-normative)
1.1 Glossary
1.1.1 Preferred terms
Access - Performing an action.
Access control - Controlling access in accordance with a policy.
Action - An operation on a resource.
Applicable policy - The set of policies and policy sets that governs access for a specific decision request.
Attribute - Characteristic of a subject, resource, action or environment that may be referenced in a predicate or target.
Authorization decision - The result of evaluating applicable policy, returned by the PDP to the PEP. A function that evaluates to "Permit", "Deny", "Indeterminate" or "NotApplicable", and (optionally) a set of obligations.
Bag - An unordered collection of values, in which there may be duplicate values.
Condition - An expression of predicates. A function that evaluates to "True", "False" or "Indeterminate".
Conjunctive sequence - A sequence of boolean elements combined using the logical 'AND' operation.
Context - The canonical representation of a decision request and an authorization decision.
Context handler - The system entity that converts decision requests in the native request format to the XACML canonical form and converts authorization decisions in the XACML canonical form to the native response format.
Decision - The result of evaluating a rule, policy or policy set.
Decision request - The request by a PEP to a PDP to render an authorization decision.
Disjunctive sequence - A sequence of boolean elements combined using the logical 'OR' operation.
Effect - The intended consequence of a satisfied rule (either "Permit" or "Deny").
Environment - The set of attributes that are relevant to an authorization decision and are independent of a particular subject, resource or action.
Obligation - An operation specified in a policy or policy set that should be performed in conjunction with the enforcement of an authorization decision.
Policy - A set of rules, an identifier for the rule-combining algorithm and (optionally) a set of obligations. May be a component of a policy set.
Policy administration point (PAP) - The system entity that creates a policy or policy set.
Policy-combining algorithm - The procedure for combining the decision and obligations from multiple policies.
Policy decision point (PDP) - The system entity that evaluates applicable policy and renders an authorization decision.
Policy enforcement point (PEP) - The system entity that performs access control, by making decision requests and enforcing authorization decisions.
Policy information point (PIP) - The system entity that acts as a source of attribute values.
Policy set - A set of policies, other policy sets, a policy-combining algorithm and (optionally) a set of obligations. May be a component of another policy set.
Predicate - A statement about attributes whose truth can be evaluated.
Resource - Data, service or system component.
Rule - A target, an effect and a condition. A component of a policy.
Rule-combining algorithm - The procedure for combining decisions from multiple rules.
Subject - An actor whose attributes may be referenced by a predicate.
Target - The set of decision requests, identified by definitions for resource, subject and action, that a rule, policy or policy set is intended to evaluate.
Type Unification - The method by which two type expressions are unified. The type expressions are matched along their structure. Where a type variable appears in one expression, it is then unified to represent the corresponding structure element of the other expression, be it another variable or subexpression. All variable assignments must remain consistent in both structures. Unification fails if the two expressions cannot be aligned, either by having dissimilar structure or by having instance conflicts, such as a variable needing to represent both xs:string and xs:integer. For a full explanation of type unification, please see [Hancock].
1.1.2 Related terms
In the field of access control and authorization there are several closely related terms in common use. For purposes of precision and clarity, certain of these terms are not used in this specification.
For instance, the term attribute is used in place of the terms group and role.
In place of the terms privilege, permission, authorization, entitlement and right, we use the term rule.
The term object is also in common use, but we use the term resource in this specification.
Requestors and initiators are covered by the term subject.
1.2 Notation
This specification contains schema conforming to W3C XML Schema and normative text to describe the syntax and semantics of XML-encoded policy statements.
The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY and OPTIONAL in this specification are to be interpreted as described in IETF RFC 2119 [RFC2119]: "they MUST only be used where it is actually required for interoperation or to limit behavior which has potential for causing harm (e.g., limiting retransmissions)".
These keywords are thus capitalized when used to unambiguously specify requirements over protocol and application features and behavior that affect the interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense.
Listings of XACML schemas appear like this.
Example code listings appear like this.
Conventional XML namespace prefixes are used throughout the listings in this specification to stand for their respective namespaces as follows, whether or not a namespace declaration is present in the example:
The prefix xacml: stands for the XACML policy namespace.
The prefix xacml-context: stands for the XACML context namespace.
The prefix ds: stands for the W3C XML Signature namespace [DS].
The prefix xs: stands for the W3C XML Schema namespace [XS].
The prefix xf: stands for the XQuery 1.0 and XPath 2.0 Function and Operators specification namespace [XF].
This specification uses the following typographical conventions in text: <XACMLElement>, <ns:ForeignElement>, Attribute, Datatype, OtherCode. Terms in italic bold-face are intended to have the meaning defined in the Glossary.
1.3 Schema organization and namespaces
The XACML policy syntax is defined in a schema associated with the following XML namespace:
urn:oasis:names:tc:xacml:1.0:policy
The XACML context syntax is defined in a schema associated with the following XML namespace:
urn:oasis:names:tc:xacml:1.0:context
The XML Signature [DS] is imported into the XACML schema and is associated with the following XML namespace:
http://www.w3.org/2000/09/xmldsig#
2 Background (non-normative)
The economics of scale have driven computing platform vendors to develop products with very generalized functionality, so that they can be used in the widest possible range of situations. Out of the box, these products have the maximum possible privilege for accessing data and executing software, so that they can be used in as many application environments as possible, including those with the most permissive security policies. In the more common case of a relatively restrictive security policy, the platform's inherent privileges must be constrained by configuration.
The security policy of a large enterprise has many elements and many points of enforcement. Elements of policy may be managed by the Information Systems department, by Human Resources, by the Legal department and by the Finance department. And the policy may be enforced by the extranet, mail, WAN and remote-access systems; platforms which inherently implement a permissive security policy. The current practice is to manage the configuration of each point of enforcement independently in order to implement the security policy as accurately as possible. Consequently, it is an expensive and unreliable proposition to modify the security policy. And it is virtually impossible to obtain a consolidated view of the safeguards in effect throughout the enterprise to enforce the policy. At the same time, there is increasing pressure on corporate and government executives from consumers, shareholders and regulators to demonstrate best practice in the protection of the information assets of the enterprise and its customers.
For these reasons, there is a pressing need for a common language for expressing security policy. If implemented throughout an enterprise, a common policy language allows the enterprise to manage the enforcement of all the elements of its security policy in all the components of its information systems. Managing security policy may include some or all of the following steps: writing, reviewing, testing, approving, issuing, combining, analyzing, modifying, withdrawing, retrieving and enforcing policy.
XML is a natural choice as the basis for the common security-policy language, due to the ease with which its syntax and semantics can be extended to accommodate the unique requirements of this application, and the widespread support that it enjoys from all the main platform and tool vendors.
2.1 Requirements
The basic requirements of a policy language for expressing information system security policy are:
To provide a method for combining individual rules and policies into a single policy set that applies to a particular decision request.
To provide a method for flexible definition of the procedure by which rules and policies are combined.
To provide a method for dealing with multiple subjects acting in different capacities.
To provide a method for basing an authorization decision on attributes of the subject and resource.
To provide a method for dealing with multi-valued attributes.
To provide a method for basing an authorization decision on the contents of an information resource.
To provide a set of logical and mathematical operators on attributes of the subject, resource and environment.
To provide a method for handling a distributed set of policy components, while abstracting the method for locating, retrieving and authenticating the policy components.
To provide a method for rapidly identifying the policy that applies to a given action, based upon the values of attributes of the subjects, resource and action.
To provide an abstraction-layer that insulates the policy-writer from the details of the application environment.
To provide a method for specifying a set of actions that must be performed in conjunction with policy enforcement.
The motivation behind XACML is to express these well-established ideas in the field of access-control policy using an extension language of XML. The XACML solutions for each of these requirements are discussed in the following sections.
2.2 Rule and policy combining
The complete policy applicable to a particular decision request may be composed of a number of individual rules or policies. For instance, in a personal privacy application, the owner of the personal information may define certain aspects of disclosure policy, whereas the enterprise that is the custodian of the information may define certain other aspects. In order to render an authorization decision, it must be possible to combine the two separate policies to form the single policy applicable to the request.
XACML defines three top-level policy elements: <Rule>, <Policy> and <PolicySet>. The <Rule> element contains a boolean expression that can be evaluated in isolation, but that is not intended to be accessed in isolation by a PDP. So, it is not intended to form the basis of an authorization decision by itself. It is intended to exist in isolation only within an XACML PAP, where it may form the basic unit of management, and be re-used in multiple policies.
The <Policy> element contains a set of <Rule> elements and a specified procedure for combining the results of their evaluation. It is the basic unit of policy used by the PDP, and so it is intended to form the basis of an authorization decision.
The <PolicySet> element contains a set of <Policy> or other <PolicySet> elements and a specified procedure for combining the results of their evaluation. It is the standard means for combining separate policies into a single combined policy.
Hinton et al [Hinton94] discuss the question of the compatibility of separate policies applicable to the same decision request.
2.3 Combining algorithms
XACML defines a number of combining algorithms that can be identified by a RuleCombiningAlgId or PolicyCombiningAlgId attribute of the <Policy> or <PolicySet> elements, respectively. The rule-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluation of a set of rules. Similarly, the policy-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluation of a set of policies. Standard combining algorithms are defined for:
Deny-overrides (Ordered and Unordered),
Permit-overrides (Ordered and Unordered),
First applicable and
Only-one-applicable.
In the first case, if a single <Rule> or <Policy> element is encountered that evaluates to "Deny", then, regardless of the evaluation result of the other <Rule> or <Policy> elements in the applicable policy, the combined result is "Deny". Likewise, in the second case, if a single "Permit" result is encountered, then the combined result is "Permit". In the case of the "First-applicable" combining algorithm, the combined result is the same as the result of evaluating the first <Rule>, <Policy> or <PolicySet> element in the list of rules whose target is applicable to the decision request. The "Only-one-applicable" policy-combining algorithm only applies to policies. The result of this combining algorithm ensures that one and only one policy or policy set is applicable by virtue of their targets. If no policy or policy set applies, then the result is "NotApplicable", but if more than one policy or policy set is applicable, then the result is "Indeterminate". When exactly one policy or policy set is applicable, the result of the combining algorithm is the result of evaluating the single applicable policy or policy set.
Users of this specification may, if necessary, define their own combining algorithms.
2.4 Multiple subjects
Access-control policies often place requirements on the actions of more than one subject. For instance, the policy governing the execution of a high-value financial transaction may require the approval of more than one individual, acting in different capacities. Therefore, XACML recognizes that there may be more than one subject relevant to a decision request. An attribute called "subject-category" is used to differentiate between subjects acting in different capacities. Some standard values for this attribute are specified, and users may define additional ones.
2.5 Policies based on subject and resource attributes
Another common requirement is to base an authorization decision on some characteristic of the subject other than its identity. Perhaps the most common application of this idea is the subject's role [RBAC]. XACML provides facilities to support this approach. Attributes of subjects may be identified by the <SubjectAttributeDesignator> element. This element contains a URN that identifies the attribute. Alternatively, the <AttributeSelector> element may contain an XPath expression over the request context to identify a particular subject attribute value by its location in the context (see Section 2.11 for an explanation of context). XACML provides a standard way to reference the attributes defined in the LDAP series of specifications [LDAP-1, LDAP-2]. This is intended to encourage implementers to use standard attribute identifiers for some common subject attributes.
Another common requirement is to base an authorization decision on some characteristic of the resource other than its identity. XACML provides facilities to support this approach. Attributes of resource may be identified by the <ResourceAttributeDesignator> element. This element contains a URN that identifies the attribute. Alternatively, the <AttributeSelector> element may contain an XPath expression over the request context to identify a particular resource attribute value by its location in the context.
2.6 Multi-valued attributes
The most common techniques for communicating attributes (LDAP, XPath, SAML, etc.) support multiple values per attribute. Therefore, when an XACML PDP retrieves the value of a named attribute, the result may contain multiple values. A collection of such values is called a bag. A bag differs from a set in that it may contain duplicate values, whereas a set may not. Sometimes this situation represents an error. Sometimes the XACML rule is satisfied if any one of the attribute values meets the criteria expressed in the rule.
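The four standard combining algorithms described in this section, as an added example in Python that is not part of the specification. It follows the prose above rather than the normative pseudo-code, represents each rule or policy only by whether its target applied and by its decision, and makes two assumptions of its own: an "Indeterminate" result that nothing overrides is propagated, and an element whose target applied but which evaluated to "NotApplicable" (condition false) is skipped by first-applicable.

```python
"""Added example (not the specification's code): the standard XACML
combining algorithms of Section 2.3, applied to the results of evaluating a
list of rules or policies.  Simplified from the prose of that section; the
normative definitions are in Appendix C."""
from typing import Iterable, List, Tuple

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = (
    "Permit", "Deny", "NotApplicable", "Indeterminate")

# (did the element's target match the decision request?, its decision)
Result = Tuple[bool, str]


def _effective(results: Iterable[Result]) -> List[str]:
    """An element whose target does not apply contributes NotApplicable."""
    return [decision if applicable else NOT_APPLICABLE
            for applicable, decision in results]


def deny_overrides(results: Iterable[Result]) -> str:
    """A single Deny wins regardless of the other results.

    The "ordered" variant only fixes the evaluation order; for an already
    ordered result list the outcome is the same (assumption of this example).
    """
    decisions = _effective(results)
    if DENY in decisions:
        return DENY
    if INDETERMINATE in decisions:      # an error may be hiding a Deny
        return INDETERMINATE
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


def permit_overrides(results: Iterable[Result]) -> str:
    """Mirror image of deny_overrides: a single Permit wins."""
    decisions = _effective(results)
    if PERMIT in decisions:
        return PERMIT
    if INDETERMINATE in decisions:      # an error may be hiding a Permit
        return INDETERMINATE
    if DENY in decisions:
        return DENY
    return NOT_APPLICABLE


def first_applicable(results: Iterable[Result]) -> str:
    """Decision of the first element, in list order, that actually applies.

    An element that matched but evaluated to NotApplicable (e.g. its
    condition was false) is skipped, like one whose target did not match.
    """
    for applicable, decision in results:
        if applicable and decision != NOT_APPLICABLE:
            return decision
    return NOT_APPLICABLE


def only_one_applicable(results: Iterable[Result]) -> str:
    """Policy-combining only: exactly one policy or policy set may apply."""
    applicable = [decision for matched, decision in results if matched]
    if not applicable:
        return NOT_APPLICABLE
    if len(applicable) > 1:
        return INDETERMINATE
    return applicable[0]


if __name__ == "__main__":
    # Constructed sample from the privacy scenario of Section 2.2: the
    # owner's policy permits, the custodian's denies, a third policy's
    # target does not match this request at all.
    combined = [(True, PERMIT), (True, DENY), (False, PERMIT)]
    print("deny-overrides      :", deny_overrides(combined))
    print("permit-overrides    :", permit_overrides(combined))
    print("first-applicable    :", first_applicable(combined))
    print("only-one-applicable :", only_one_applicable(combined))
```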
XACML provides a set of functions that allow a policy writer to be absolutely clear about how the PDP should handle the case of multiple attribute values. These are the "higher-order" functions.
2.7 Policies based on resource contents
In many applications, it is required to base an authorization decision on data contained in the information resource to which access is requested. For instance, a common component of privacy policy is that a person should be allowed to read records for which he or she is the subject. The corresponding policy must contain a reference to the subject identified in the information resource itself.
XACML provides facilities for doing this when the information resource can be represented as an XML document. The <AttributeSelector> element may contain an XPath expression over the request context to identify data in the information resource to be used in the policy evaluation.
In cases where the information resource is not an XML document, specified attributes of the resource can be referenced, as described in Section 2.4.
2.8 Operators
Information security policies operate upon attributes of subjects, the resource and the action to be performed on the resource in order to arrive at an authorization decision. In the process of arriving at the authorization decision, attributes of many different types may have to be compared or computed. For instance, in a financial application, a person's available credit may have to be calculated by adding their credit limit to their account balance. The result may then have to be compared with the transaction value. This sort of situation gives rise to the need for arithmetic operations on attributes of the subject (account balance and credit limit) and the resource (transaction value).
Even more commonly, a policy may identify the set of roles that are permitted to perform a particular action. The corresponding operation involves checking whether there is a non-empty intersection between the set of roles occupied by the subject and the set of roles identified in the policy. Hence the need for set operations.
XACML includes a number of built-in functions and a method of adding non-standard functions. These functions may be nested to build arbitrarily complex expressions. This is achieved with the <Apply> element. The <Apply> element has an XML attribute called FunctionId that identifies the function to be applied to the contents of the element. Each standard function is defined for specific argument data-type combinations, and its return data-type is also specified. Therefore, data-type consistency of the policy can be checked at the time the policy is written or parsed. And the types of the data values presented in the request context can be checked against the values expected by the policy to ensure a predictable outcome.
In addition to operators on numerical and set arguments, operators are defined for date, time and duration arguments.
Relationship operators (equality and comparison) are also defined for a number of data-types, including the RFC822 and X.500 name-forms, strings, URIs, etc.
Also noteworthy are the operators over boolean data-types, which permit the logical combination of predicates in a rule. For example, a rule may contain the statement that access may be permitted during business hours AND from a terminal on business premises.
The XACML method of representing functions borrows from MathML [MathML] and from the XQuery 1.0 and XPath 2.0 Functions and Operators specification [XF].
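An added example, not code from the specification, that serves both the bag handling of Section 2.6 and the nested, type-checked <Apply> functions of Section 2.8: a small evaluator that checks a condition's data-types when it is parsed and then evaluates it over a request context, using the credit-limit comparison and the role check described above. The XACML 1.0 function and data-type identifiers are the standard ones; the tuple encoding of expressions, the attribute identifiers and the context values are constructed for this example.

```python
"""Added example (not the specification's code): a typed evaluator for nested
<Apply>-style function applications over bags of attribute values.  XACML 1.0
function and data-type ids are the standard ones; the rest is constructed."""
from typing import Any, Callable, Dict, List, Tuple

FN = "urn:oasis:names:tc:xacml:1.0:function:"
XS = "http://www.w3.org/2001/XMLSchema#"
INT, STR, BOOL = XS + "integer", XS + "string", XS + "boolean"
ANY_OF = FN + "any-of"          # higher-order function: any-of(f, value, bag)
ONE_INT = FN + "integer-one-and-only"

class PolicyTypeError(Exception):
    """Data-type mismatch detected when the policy is parsed."""

class EvaluationError(Exception):
    """Run-time failure, e.g. a bag that must hold exactly one value."""

def _one_and_only(bag: List[Any]) -> Any:
    if len(bag) != 1:
        raise EvaluationError(f"expected exactly one value, got {len(bag)}")
    return bag[0]

# FunctionId -> (argument data-types, return data-type, implementation);
# a type written ("bag", T) is a bag whose members have data-type T.
FUNCTIONS: Dict[str, Tuple[List[Any], Any, Callable[..., Any]]] = {
    FN + "integer-add": ([INT, INT], INT, lambda a, b: a + b),
    FN + "integer-greater-than": ([INT, INT], BOOL, lambda a, b: a > b),
    ONE_INT: ([("bag", INT)], INT, _one_and_only),
    FN + "string-equal": ([STR, STR], BOOL, lambda a, b: a == b),
    FN + "and": ([BOOL, BOOL], BOOL, lambda a, b: a and b),
}

def type_check(expr: Any) -> Any:
    """Return the data-type of expr, raising PolicyTypeError on a mismatch.
    Forms: ("value", data-type, value) for <AttributeValue>; ("attr",
    attribute-id, data-type) for a designator, which always yields a bag;
    ("apply", FunctionId, arg, ...) for <Apply>."""
    kind = expr[0]
    if kind == "value":
        return expr[1]
    if kind == "attr":
        return ("bag", expr[2])
    if kind == "apply" and expr[1] == ANY_OF:
        # any-of(f, v, bag): f must be boolean with argument types (v, member)
        arg_types, ret, _ = FUNCTIONS[expr[2]]
        actual = [type_check(expr[3]), type_check(expr[4])]
        if ret != BOOL or actual != [arg_types[0], ("bag", arg_types[1])]:
            raise PolicyTypeError(f"any-of({expr[2]}): bad argument types")
        return BOOL
    if kind == "apply":
        arg_types, ret, _ = FUNCTIONS[expr[1]]
        actual = [type_check(a) for a in expr[2:]]
        if actual != arg_types:
            raise PolicyTypeError(f"{expr[1]} expects {arg_types}, got {actual}")
        return ret
    raise PolicyTypeError(f"unknown expression kind {kind!r}")

def is_well_typed(expr: Any) -> bool:
    try:
        type_check(expr)
        return True
    except PolicyTypeError:
        return False

def evaluate(expr: Any, context: Dict[str, List[Any]]) -> Any:
    """Evaluate a well-typed expression; context maps attribute-id to its bag."""
    kind = expr[0]
    if kind == "value":
        return expr[2]
    if kind == "attr":
        return list(context.get(expr[1], []))   # missing attribute: empty bag
    if expr[1] == ANY_OF:
        fn = FUNCTIONS[expr[2]][2]
        value, bag = evaluate(expr[3], context), evaluate(expr[4], context)
        return any(fn(value, member) for member in bag)
    fn = FUNCTIONS[expr[1]][2]
    return fn(*[evaluate(a, context) for a in expr[2:]])

def evaluate_condition(expr: Any, context: Dict[str, List[Any]]) -> str:
    """Condition semantics of the glossary: "True", "False" or "Indeterminate"."""
    type_check(expr)
    try:
        return "True" if evaluate(expr, context) else "False"
    except EvaluationError:          # e.g. a multi-valued or missing attribute
        return "Indeterminate"

# Section 2.8 scenario: credit limit + account balance exceeds the transaction
# value, AND "manager" is among the subject's (possibly many) roles.
CREDIT_RULE_CONDITION = (
    "apply", FN + "and",
    ("apply", FN + "integer-greater-than",
     ("apply", FN + "integer-add",
      ("apply", ONE_INT, ("attr", "urn:example:subject:credit-limit", INT)),
      ("apply", ONE_INT, ("attr", "urn:example:subject:account-balance", INT))),
     ("apply", ONE_INT, ("attr", "urn:example:resource:transaction-value", INT))),
    ("apply", ANY_OF, FN + "string-equal",
     ("value", STR, "manager"),
     ("attr", "urn:example:subject:role", STR)),
)
```

Wrapping each designator in integer-one-and-only is what makes the policy's intent explicit: a missing or multi-valued credit limit yields "Indeterminate" rather than a silent guess, while the role check deliberately accepts any matching member of the role bag.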
2.9 Policy distribution
In a distributed system, individual policy statements may be written by several policy writers and enforced at several enforcement points. In addition to facilitating the collection and combination of independent policy components, this approach allows policies to be updated as required. XACML policy statements may be distributed in any one of a number of ways. But, XACML does not describe any normative way to do this. Regardless of the means of distribution, PDPs are expected to confirm, by examining the policy's <Target> element, that the policy is applicable to the decision request that it is processing.
<Policy> elements may be attached to the information resources to which they apply, as described by Perritt [Perritt93]. Alternatively, <Policy> elements may be maintained in one or more locations from which they are retrieved for evaluation. In such cases, the applicable policy may be referenced by an identifier or locator closely associated with the information resource.
2.10 Policy indexing
For efficiency of evaluation and ease of management, the overall security policy in force across an enterprise may be expressed as multiple independent policy components. In this case, it is necessary to identify and retrieve the applicable policy statement and verify that it is the correct one for the requested action before evaluating it. This is the purpose of the <Target> element in XACML.
Two approaches are supported:
1. Policy statements may be stored in a database whose data-model is congruent with that of the <Target> element. The PDP should use the contents of the decision request that it is processing to form the database read command by which applicable policy statements are retrieved. Nevertheless, the PDP should still evaluate the <Target> element of the retrieved policy or policy set statements as defined by the XACML specification.
2. Alternatively, the PDP may evaluate the <Target> element from each of the policies or policy sets that it has available to it, in the context of a particular decision request, in order to identify the policies and policy sets that are applicable to that request.
The use of constraints limiting the applicability of a policy were described by Sloman [Sloman94].
2.11 Abstraction layer
PEPs come in many forms. For instance, a PEP may be part of a remote-access gateway, part of a Web server or part of an email user-agent, etc. It is unrealistic to expect that all PEPs in an enterprise do currently, or will in the future, issue decision requests to a PDP in a common format. Nevertheless, a particular policy may have to be enforced by multiple PEPs. It would be inefficient to force a policy writer to write the same policy several different ways in order to accommodate the format requirements of each PEP. Similarly, attributes may be contained in various envelope types (e.g. X.509 attribute certificates, SAML attribute assertions, etc.). Therefore, there is a need for a canonical form of the request and response handled by an XACML PDP. This canonical form is called the XACML Context. Its syntax is defined in XML schema.
Naturally, XACML-conformant PEPs may issue requests and receive responses in the form of an XACML context. But, where this situation does not exist, an intermediate step is required to convert between the request/response format understood by the PEP and the XACML context format understood by the PDP.
The benefit of this approach is that policies may be written and analyzed independent of the specific environment in which they are to be enforced.
In the case where the native request/response format is specified in XML Schema (e.g. a SAML-conformant PEP), the transformation between the native format and the XACML context may be specified in the form of an Extensible Stylesheet Language Transformation [XSLT].
Similarly, in the case where the resource to which access is requested is an XML document, the resource itself may be included in, or referenced by, the request context. Then, through the use of XPath expressions [XPath] in the policy, values in the resource may be included in the policy evaluation.
2.12 Actions performed in conjunction with enforcement
In many applications, policies specify actions that MUST be performed, either instead of, or in addition to, actions that MAY be performed. This idea was described by Sloman [Sloman94]. XACML provides facilities to specify actions that MUST be performed in conjunction with policy evaluation in the <Obligations> element. This idea was described as a provisional action by Kudo [Kudo00]. There are no standard definitions for these actions in version 1.0 of XACML. Therefore, bilateral agreement between a PAP and the PEP that will enforce its policies is required for correct interpretation. PEPs that conform with v1.0 of XACML are required to deny access unless they understand all the <Obligations> elements associated with the applicable policy. <Obligations> elements are returned to the PEP for enforcement.
3 Models (non-normative)
The data-flow model and language model of XACML are described in the following sub-sections.
3.1 Data-flow model
The major actors in the XACML domain are shown in the data-flow diagram of Figure 1.
Figure 1 - Data-flow diagram
Note: some of the data-flows shown in the diagram may be facilitated by a repository. For instance, the communications between the context handler and the PIP, or the communications between the PDP and the PAP, may be facilitated by a repository. The XACML specification is not intended to place restrictions on the location of any such repository, or indeed to prescribe a particular communication protocol for any of the data-flows.

The model operates by the following steps.

1. PAPs write policies and policy sets and make them available to the PDP. These policies or policy sets represent the complete policy for a specified target.
2. The access requester sends a request for access to the PEP.
3. The PEP sends the request for access to the context handler in its native request format, optionally including attributes of the subjects, resource and action. The context handler constructs an XACML request context in accordance with steps 4, 5, 6 and 7.
4. Subject, resource and environment attributes may be requested from a PIP.
5. The PIP obtains the requested attributes.
6. The PIP returns the requested attributes to the context handler.
7. Optionally, the context handler includes the resource in the context.
8. The context handler sends a decision request, including the target, to the PDP. The PDP identifies the applicable policy and retrieves the required attributes and (optionally) the resource from the context handler. The PDP evaluates the policy.
9. The PDP returns the response context (including the authorization decision) to the context handler.
10. The context handler translates the response context to the native response format of the PEP. The context handler returns the response to the PEP.
11. The PEP fulfills the obligations.
12. (Not shown) If access is permitted, then the PEP permits access to the resource; otherwise, it denies access.
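The twelve steps above walked through in code, as an added example that is not part of the specification: a toy context handler builds the request context from a native request (here a Python dict), fetches a missing subject attribute from a PIP (here a dict lookup), a stand-in PDP returns a decision together with an obligation, and the PEP fulfils the obligation before granting access. The attribute identifier urn:example:attribute:role, the obligation identifier urn:example:obligation:audit-log, the PIP contents and the rule the stand-in PDP applies are all assumptions made for this illustration; the other attribute identifiers are the standard ones used in the examples of Section 4. The point of the PEP class is the requirement stated in Section 2.12: an obligation the PEP does not understand turns the outcome into a Deny.

```python
"""Added example, not part of the XACML specification: a toy context handler,
stand-in PDP and PEP covering steps 3 to 12 of the data-flow model. The native
request format, the PIP, the PDP's rule and the obligation id are assumptions."""

SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
UFS_PATH = "urn:oasis:names:tc:xacml:1.0:resource:ufs-path"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE = "urn:example:attribute:role"            # assumed attribute identifier
AUDIT = "urn:example:obligation:audit-log"     # assumed obligation identifier

# Constructed PIP directory: attributes the native request does not carry (steps 4-6).
PIP_DIRECTORY = {
    "jh@medico.com": {ROLE: ["physician"]},
    "bs@simpsons.com": {ROLE: ["patient"]},
}

def build_request_context(native_request):
    """Steps 3-7: turn the PEP's native request into a canonical request
    context, asking the PIP for subject attributes the PEP did not supply."""
    subject_id = native_request["user"]
    subject = {SUBJECT_ID: [subject_id]}
    subject.update(PIP_DIRECTORY.get(subject_id, {}))
    return {
        "Subject": subject,
        "Resource": {UFS_PATH: [native_request["path"]]},
        "Action": {ACTION_ID: [native_request["verb"]]},
    }

def pdp_decide(ctx):
    """Steps 8-9 as a stand-in PDP: physicians may read patient records,
    subject to an audit-log obligation; nothing else is applicable."""
    is_physician = "physician" in ctx["Subject"].get(ROLE, [])
    path = ctx["Resource"][UFS_PATH][0]
    if (is_physician and ctx["Action"][ACTION_ID] == ["read"]
            and path.startswith("/medico/record/patient/")):
        return {"Decision": "Permit",
                "Obligations": [{"ObligationId": AUDIT, "FulfillOn": "Permit",
                                 "Attributes": {"path": path}}]}
    return {"Decision": "NotApplicable", "Obligations": []}

class PEP:
    """Steps 10-12: enforce the decision and fulfil obligations. Per Section
    2.12, an obligation the PEP does not understand forces a Deny."""

    def __init__(self, obligation_handlers):
        self.handlers = obligation_handlers    # ObligationId -> callable
        self.audit_trail = []

    def enforce(self, native_request):
        response = pdp_decide(build_request_context(native_request))
        for obligation in response["Obligations"]:
            handler = self.handlers.get(obligation["ObligationId"])
            if handler is None:
                return "Deny"                  # unknown obligation: must deny
            handler(self, obligation["Attributes"])
        # Step 12: only an explicit Permit grants access.
        return "Permit" if response["Decision"] == "Permit" else "Deny"

def audit_log(pep, attributes):
    """Handler for the assumed audit-log obligation."""
    pep.audit_trail.append(attributes["path"])
```

Two things are worth noticing. The PEP denies on NotApplicable as well as on Deny (step 12: only an explicit Permit grants access), and the obligation check runs before access is granted, so a PEP constructed without the audit-log handler never lets the physician through even though the PDP answered Permit.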
3.2 XACML context

XACML is intended to be suitable for a variety of application environments. The core language is insulated from the application environment by the XACML context, as shown in Figure 2, in which the scope of the XACML specification is indicated by the shaded area. The XACML context is defined in XML schema, describing a canonical representation for the inputs and outputs of the PDP. Attributes referenced by an instance of XACML policy may be in the form of XPath expressions on the context, or attribute designators that identify the attribute by subject, resource, action or environment and its identifier. Implementations must convert between the attribute representations in the application environment (e.g. SAML, J2SE, CORBA, and so on) and the attribute representations in the XACML context. How this is achieved is outside the scope of the XACML specification. In some cases, such as SAML, this conversion may be accomplished in an automated way through the use of an XSLT transformation.
[Figure 2 shows: domain-specific inputs -> xacml Context/Request.xml -> PDP (reading xacml Policy.xml) -> xacml Context/Response.xml -> domain-specific outputs]
Figure 2 - XACML context
Note: The PDP may be implemented such that it uses a processed form of the XML files.

See Section 7.9 for a more detailed discussion of the request context.
3.3 Policy language model

The policy language model is shown in Figure 3. The main components of the model are:

Rule,
Policy, and
Policy set.

These are described in the following sub-sections.
[Figure 3 is a class diagram relating PolicySet, Policy and Rule: each has a Target made up of Subject, Resource and Action elements; a Rule has an Effect and an optional Condition; a Policy has a RuleCombiningAlgorithm and Obligations; a PolicySet has a PolicyCombiningAlgorithm and Obligations and contains Policy and PolicySet elements]
Figure 3 - Policy language model
3.3.1 Rule

A rule is the most elementary unit of policy. It may exist in isolation only within one of the major actors of the XACML domain. In order to exchange rules between major actors, they must be encapsulated in a policy. A rule can be evaluated on the basis of its contents. The main components of a rule are:
a target,
an effect, and
a condition.

These are discussed in the following sub-sections.

3.3.1.1 Rule target

The target defines the set of:

resources,
subjects, and
actions

to which the rule is intended to apply. The <Condition> element may further refine the applicability established by the target. If the rule is intended to apply to all entities of a particular data-type, then an empty element named <AnySubject/>, <AnyResource/> or <AnyAction/> is used. An XACML PDP verifies that the subjects, resource and action identified in the request context are all present in the target of the rules that it uses to evaluate the decision request. Target definitions are discrete, in order that applicable rules may be efficiently identified by the PDP.

The <Target> element may be absent from a <Rule>. In this case, the target of the <Rule> is the same as that of the parent <Policy> element.

Certain subject name-forms, resource name-forms and certain types of resource are internally structured. For instance, the X.500 directory name-form and RFC 822 name-form are structured subject name-forms, whereas an account number commonly has no discernible structure. UNIX file-system path-names and URIs are examples of structured resource name-forms. And an XML document is an example of a structured resource.

Generally, the name of a node (other than a leaf node) in a structured name-form is also a legal instance of the name-form. So, for instance, the RFC 822 name "medico.com" is a legal RFC 822 name identifying the set of mail addresses hosted by the medico.com mail server. And the XPath/XPointer value "ctx:ResourceContent/md:record/md:patient" is a legal XPath/XPointer value identifying a node-set in an XML document.

The question arises: how should a name that identifies a set of subjects or resources be interpreted by the PDP, whether it appears in a policy or a request context? Are they intended to represent just the node explicitly identified by the name, or are they intended to represent the entire sub-tree subordinate to that node?

In the case of subjects, there is no real entity that corresponds to such a node. So, names of this type always refer to the set of subjects subordinate in the name structure to the identified node. Consequently, non-leaf subject names should not be used in equality functions, only in match functions, such as "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match", not "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal" (see Appendix A).

On the other hand, in the case of resource names and resources themselves, three options exist. The name could refer to:

1. the contents of the identified node only;
2. the contents of the identified node and the contents of its immediate child nodes; or
3. the contents of the identified node and all its descendant nodes.
All three options are supported in XACML.

3.3.1.2 Effect

The effect of the rule indicates the rule-writer's intended consequence of a "True" evaluation for the rule. Two values are allowed: "Permit" and "Deny".

3.3.1.3 Condition

Condition represents a boolean expression that refines the applicability of the rule beyond the predicates implied by its target. Therefore, it may be absent.

3.3.2 Policy

From the data-flow model, one can see that rules are not exchanged amongst system entities. Therefore, a PAP combines rules in a policy. A policy comprises four main components:

a target,
a rule-combining algorithm-identifier,
a set of rules, and
obligations.

Rules are described above. The remaining components are described in the following sub-sections.

3.3.2.1 Policy target

An XACML <PolicySet>, <Policy> or <Rule> element contains a <Target> element that specifies the set of subjects, resources and actions to which it applies. The <Target> of a <PolicySet> or <Policy> may be declared by the writer of the <PolicySet> or <Policy>, or it may be calculated from the <Target> elements of the <PolicySet>, <Policy> and <Rule> elements that it contains.

A system entity that calculates a <Target> in this way is not defined by XACML, but there are two logical methods that might be used. In one method, the <Target> element of the outer <PolicySet> or <Policy> (the "outer component") is calculated as the union of all the <Target> elements of the referenced <PolicySet>, <Policy> or <Rule> elements (the "inner components"). In another method, the <Target> element of the outer component is calculated as the intersection of all the <Target> elements of the inner components. The results of evaluation in each case will be very different: in the first case, the <Target> element of the outer component makes it applicable to any decision request that matches the <Target> element of at least one inner component; in the second case, the <Target> element of the outer component makes it applicable only to decision requests that match the <Target> elements of every inner component. Note that computing the intersection of a set of <Target> elements is likely only practical if the target data-model is relatively simple.

In cases where the <Target> of a <Policy> is declared by the policy writer, any component <Rule> elements in the <Policy> that have the same <Target> element as the <Policy> element may omit the <Target> element. Such <Rule> elements inherit the <Target> of the <Policy> in which they are contained.
3.3.2.2 Rule-combining algorithm

The rule-combining algorithm specifies the procedure by which the results of evaluating the component rules are combined when evaluating the policy, i.e. the Decision value placed in the response context by the PDP is the value of the policy, as defined by the rule-combining algorithm.

See Appendix C for definitions of the normative rule-combining algorithms.
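The "deny-overrides" rule-combining algorithm, the one the example policy in Section 4.1 names and the one Appendix C defines first, as an added example that is not part of the specification text. It takes the (Effect, result) pairs produced by evaluating a policy's rules and combines them into one decision. The treatment of Indeterminate follows the Appendix C definition: a rule whose Effect is "Deny" but which could not be evaluated counts as a potential Deny, so the policy denies rather than reporting an error, whereas a failed "Permit" rule only produces Indeterminate if nothing else permits. The function name and the representation of results as string pairs are choices made here.

```python
"""Added example, not from the XACML specification text: the deny-overrides
rule-combining algorithm over (effect, result) pairs, following Appendix C."""

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

def deny_overrides(rule_results):
    """rule_results: iterable of (effect, result) pairs, where effect is the
    rule's declared Effect attribute and result is what evaluating the rule
    produced (Permit, Deny, NotApplicable or Indeterminate)."""
    potential_deny = at_least_one_permit = at_least_one_error = False
    for effect, result in rule_results:
        if result == DENY:
            return DENY                   # one Deny settles the policy
        if result == PERMIT:
            at_least_one_permit = True
        elif result == INDETERMINATE:
            at_least_one_error = True
            if effect == DENY:
                potential_deny = True     # the failed rule might have denied
        # NotApplicable contributes nothing
    if potential_deny:
        return DENY
    if at_least_one_permit:
        return PERMIT
    if at_least_one_error:
        return INDETERMINATE
    return NOT_APPLICABLE

# The cases [p07] of Section 4.1.1 describes in prose: any Deny wins, all
# Permit gives Permit, and rules that do not apply are ignored.
POLICY_CASES = {
    "all permit": [("Permit", "Permit"), ("Permit", "Permit")],
    "one deny": [("Permit", "Permit"), ("Deny", "Deny")],
    "failed deny rule": [("Permit", "Permit"), ("Deny", "Indeterminate")],
    "failed permit rule": [("Permit", "Indeterminate"), ("Deny", "NotApplicable")],
    "nothing applies": [("Permit", "NotApplicable"), ("Deny", "NotApplicable")],
}

def combine_all():
    return {name: deny_overrides(results) for name, results in POLICY_CASES.items()}
```

The asymmetry in the Indeterminate handling is the security-relevant part: because the algorithm is deny-biased, an evaluation error in a Deny rule fails closed, while an error in a Permit rule cannot silently grant access.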
3.3.2.3 Obligations

The XACML <Rule> syntax does not contain an element suitable for carrying obligations; therefore, if required in a policy, obligations must be added by the writer of the policy.

When a PDP evaluates a policy containing obligations, it returns certain of those obligations to the PEP in the response context. Section 7.11 explains which obligations are to be returned.

3.3.3 Policy set

A policy set comprises four main components:

a target,
a policy-combining algorithm-identifier,
a set of policies, and
obligations.

The target and policy components are described above. The other components are described in the following sub-sections.

3.3.3.1 Policy-combining algorithm

The policy-combining algorithm specifies the procedure by which the results of evaluating the component policies are combined when evaluating the policy set, i.e. the Decision value placed in the response context by the PDP is the result of evaluating the policy set, as defined by the policy-combining algorithm.

See Appendix C for definitions of the normative policy-combining algorithms.

3.3.3.2 Obligations

The writer of a policy set may add obligations to the policy set, in addition to those contained in the component policies and policy sets.

When a PDP evaluates a policy set containing obligations, it returns certain of those obligations to the PEP in its response context. Section 7.11 explains which obligations are to be returned.
4 Examples (non-normative)

This section contains two examples of the use of XACML for illustrative purposes. The first example is a relatively simple one to illustrate the use of target, context, matching functions and subject attributes. The second example additionally illustrates the use of the rule-combining algorithm, conditions and obligations.

4.1 Example one

4.1.1 Example policy

Assume that a corporation named Medi Corp (medico.com) has an access control policy that states, in English:

Any user with an e-mail name in the "medico.com" namespace is allowed to perform any action on any resource.

An XACML policy consists of header information, an optional text description of the policy, a target, one or more rules and an optional set of obligations.

The header for this policy is:

[p01] <?xml version="1.0" encoding="UTF-8"?>
[p02] <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[p03]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[p04]   xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy
[p05]     http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-policy-01.xsd"
[p06]   PolicyId="identifier:example:SimplePolicy1"
[p07]   RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">

[p01] is a standard XML document tag indicating which version of XML is being used and what the character encoding is.

[p02] introduces the XACML Policy itself.

[p03-p05] are XML namespace declarations.

[p05] gives a URL to the schema for XACML policies.

[p06] assigns a name to this policy instance. The name of a policy should be unique for a given PDP, so that there is no ambiguity if one policy is referenced from another policy.

[p07] specifies the algorithm that will be used to resolve the results of the various rules that may be in the policy. The "deny-overrides" rule-combining algorithm specified here says that, if any rule evaluates to "Deny", then that policy must return "Deny". If all rules evaluate to "Permit", then the policy must return "Permit". The rule-combining algorithm, which is fully described in Appendix C, also says what to do if an error were to occur when evaluating any rule, and what to do with rules that do not apply to a particular decision request.

[p08]   <Description>
[p09]     Medi Corp access control policy
[p10]   </Description>
[p08-p10] provide a text description of the policy. This description is optional.

[p11]   <Target>
[p12]     <Subjects>
[p13]       <AnySubject/>
[p14]     </Subjects>
[p15]     <Resources>
[p16]       <AnyResource/>
[p17]     </Resources>
[p18]     <Actions>
[p19]       <AnyAction/>
[p20]     </Actions>
[p21]   </Target>

[p11-p21] describe the decision requests to which this policy applies. If the subject, resource and action in a decision request do not match the values specified in the target, then the remainder of the policy does not need to be evaluated. This target section is very useful for creating an index to a set of policies. In this simple example, the target section says the policy is applicable to any decision request.

[p22]   <Rule
[p23]     RuleId="urn:oasis:names:tc:xacml:1.0:example:SimpleRule1"
[p24]     Effect="Permit">
[p22] introduces the one and only rule in this simple policy. Just as for a policy, each rule must have a unique identifier (at least unique for any PDP that will be using the policy).

[p23] specifies the identifier for this rule.

[p24] says what effect this rule has if the rule evaluates to "True". Rules can have an effect of either "Permit" or "Deny". In this case, the rule will evaluate to "Permit", meaning that, as far as this one rule is concerned, the requested access should be permitted. If a rule evaluates to "False", then it returns a result of "NotApplicable". If an error occurs when evaluating the rule, the rule returns a result of "Indeterminate". As mentioned above, the rule-combining algorithm for the policy tells how various rule values are combined into a single policy value.

[p25]     <Description>
[p26]       Any subject with an e-mail name in the medico.com domain
[p27]       can perform any action on any resource.
[p28]     </Description>

[p25-p28] provide a text description of this rule. This description is optional.

[p29]     <Target>

[p29] introduces the target of the rule. As described above for the target of a policy, the target of a rule describes the decision requests to which this rule applies. If the subject, resource and action in a decision request do not match the values specified in the rule target, then the remainder of the rule does not need to be evaluated, and a value of "NotApplicable" is returned to the policy evaluation.

[p30]       <Subjects>
[p31]         <Subject>
[p32]           <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
[p33]             <AttributeValue
[p34]               DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">medico.com
[p35]             </AttributeValue>
[p36]             <SubjectAttributeDesignator
[p37]               AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
[p38]               DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
[p39]           </SubjectMatch>
[p40]         </Subject>
[p41]       </Subjects>
[p42]       <Resources>
[p43]         <AnyResource/>
[p44]       </Resources>
[p45]       <Actions>
[p46]         <AnyAction/>
[p47]       </Actions>
[p48]     </Target>
The rule target is similar to the target of the policy itself, but with one important difference: [p32-p41] do not say <AnySubject/> but instead spell out a specific value that the subject in the decision request must match. The <SubjectMatch> element specifies a matching function in the MatchId attribute, a literal value of "medico.com", and a pointer to a specific subject attribute in the request context by means of the <SubjectAttributeDesignator> element. The matching function will be used to compare the value of the subject attribute with the literal value. Only if the match returns "True" will this rule apply to a particular decision request. If the match returns "False", then this rule will return a value of "NotApplicable".

[p49]   </Rule>
[p50] </Policy>

[p49] closes the rule we have been examining. In this rule, all the work is done in the <Target> element. In more complex rules, the <Target> may have been followed by a <Condition> (which could also be a set of conditions to be ANDed or ORed together).

[p50] closes the policy we have been examining. As mentioned above, this policy has only one rule, but more complex policies may have any number of rules.

4.1.2 Example request context

Let's examine a hypothetical decision request that might be submitted to a PDP using the policy above. In English, the access request that generates the decision request may be stated as follows:

Bart Simpson, with e-mail name "bs@simpsons.com", wants to read his medical record at Medi Corp.

In XACML, the information in the decision request is formatted into a request context statement that looks as follows:

[c01] <?xml version="1.0" encoding="UTF-8"?>
[c02] <Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
[c03]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[c04]   xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context
[c05]     http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-context-01.xsd">

[c01-c05] are the header for the request context, and are used the same way as the header for the policy explained above.

[c06]   <Subject>
[c07]     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
[c08]       DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
[c09]       <AttributeValue>bs@simpsons.com</AttributeValue>
[c10]     </Attribute>
[c11]   </Subject>

The <Subject> element contains one or more attributes of the entity making the access request. There can be multiple subjects, and each subject can have multiple attributes. In this case, in [c06-c11], there is only one subject, and the subject has only one attribute: the subject's identity, expressed as an e-mail name, is "bs@simpsons.com".

[c12]   <Resource>
[c13]     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:ufs-path"
[c14]       DataType="http://www.w3.org/2001/XMLSchema#anyURI">
[c15]       <AttributeValue>/medico/record/patient/BartSimpson</AttributeValue>
[c16]     </Attribute>
[c17]   </Resource>

The <Resource> element contains one or more attributes of the resource to which the subject (or subjects) has requested access. There can be only one <Resource>
per decision request. Lines [c13-c16] contain the one attribute of the resource to which Bart Simpson has requested access: the resource UNIX file-system path-name, which is "/medico/record/patient/BartSimpson".

[c18]   <Action>
[c19]     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
[c20]       DataType="http://www.w3.org/2001/XMLSchema#string">
[c21]       <AttributeValue>read</AttributeValue>
[c22]     </Attribute>
[c23]   </Action>

The <Action> element contains one or more attributes of the action that the subject (or subjects) wishes to take on the resource. There can be only one action per decision request. [c18-c23] describe the identity of the action Bart Simpson wishes to take, which is "read".

[c24] </Request>

[c24] closes the request context. A more complex request context may have contained some attributes not associated with the subject, the resource or the action. These would have been placed in an optional <Environment> element following the <Action> element.

The PDP processing this request context locates the policy in its policy repository. It compares the subject, resource and action in the request context with the subjects, resources and actions in the policy target. Since the policy target matches the <AnySubject/>, <AnyResource/> and <AnyAction/> elements, the policy matches this context.

The PDP now compares the subject, resource and action in the request context with the target of the one rule in this policy. The requested resource matches the <AnyResource/> element and the requested action matches the <AnyAction/> element, but the requesting subject-id attribute does not match "medico.com".

4.1.3 Example response context

As a result, there is no rule in this policy that returns a "Permit" result for this request. The rule-combining algorithm for the policy specifies that, in this case, a result of "NotApplicable" should be returned. The response context looks as follows:

[r01] <?xml version="1.0" encoding="UTF-8"?>
[r02] <Response xmlns="urn:oasis:names:tc:xacml:1.0:context"
[r03]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[r04]   xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-context-01.xsd">

[r01-r04] contain the same sort of header information for the response as was described above for a policy.

[r05]   <Result>
[r06]     <Decision>NotApplicable</Decision>
[r07]   </Result>

The <Result> element in lines [r05-r07] contains the result of evaluating the decision request against the policy. In this case, the result is "NotApplicable". A policy can return "Permit", "Deny", "NotApplicable" or "Indeterminate".

[r08] </Response>

[r08] closes the response context.
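The evaluation that Sections 4.1.2 and 4.1.3 carry out by hand, as an added example that is not part of the specification: a minimal PDP, written here with Python's standard-library XML parser, reads the example-one <Policy> and a request context of the same shape as [c01]-[c24], evaluates the policy and rule targets, and returns the decision. It also serves the discussion of non-leaf subject names in Section 3.3.1.1, since rfc822Name-match is the only matching function it implements; the behaviour coded for that function (a bare domain matches addresses at exactly that domain, a leading "." matches any sub-domain, a full address compares its local part case-sensitively and its domain case-insensitively) is the one Appendix A gives. The request_for helper, the dropped xsi:schemaLocation attributes and the reduced deny-overrides (Indeterminate is not modelled, since nothing in this policy can fail to evaluate) are simplifications made for this illustration; the policy text itself is the one listed above.

```python
"""Added example, not part of the XACML specification: a minimal PDP for the
example-one policy, using only the standard library. Only AnySubject/
AnyResource/AnyAction and SubjectMatch with rfc822Name-match are supported."""

import xml.etree.ElementTree as ET

P = "{urn:oasis:names:tc:xacml:1.0:policy}"     # policy namespace
C = "{urn:oasis:names:tc:xacml:1.0:context}"    # context namespace
RFC822_MATCH = "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match"

# The example-one policy of 4.1.1 (listing markers and schemaLocation dropped).
POLICY_X = """<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
  PolicyId="identifier:example:SimplePolicy1"
  RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><AnyResource/></Resources>
    <Actions><AnyAction/></Actions>
  </Target>
  <Rule RuleId="urn:oasis:names:tc:xacml:1.0:example:SimpleRule1" Effect="Permit">
    <Target>
      <Subjects><Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
          <AttributeValue DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">medico.com</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
            DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
        </SubjectMatch>
      </Subject></Subjects>
      <Resources><AnyResource/></Resources>
      <Actions><AnyAction/></Actions>
    </Target>
  </Rule>
</Policy>"""

def request_for(email):
    """Constructed request context with the shape of [c01]-[c24], for one subject."""
    return f"""<Request xmlns="urn:oasis:names:tc:xacml:1.0:context">
  <Subject><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
      DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
    <AttributeValue>{email}</AttributeValue></Attribute></Subject>
  <Resource><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:ufs-path"
      DataType="http://www.w3.org/2001/XMLSchema#anyURI">
    <AttributeValue>/medico/record/patient/BartSimpson</AttributeValue></Attribute></Resource>
  <Action><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
      DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>read</AttributeValue></Attribute></Action>
</Request>"""

def rfc822_name_match(pattern, name):
    """Appendix A semantics: 'medico.com' matches any address at exactly that
    domain, '.medico.com' any sub-domain of it, and a full address must match
    with a case-sensitive local part and a case-insensitive domain."""
    pattern, name = pattern.strip(), name.strip()
    local, _, domain = name.rpartition("@")
    if "@" in pattern:
        plocal, _, pdomain = pattern.rpartition("@")
        return plocal == local and pdomain.lower() == domain.lower()
    if pattern.startswith("."):
        return domain.lower().endswith(pattern.lower())
    return domain.lower() == pattern.lower()

def attribute_bag(request, section, attribute_id):
    """Every value of one attribute in one section (Subject, Resource or Action)."""
    return [v.text.strip()
            for sec in request.findall(C + section)
            for att in sec.findall(C + "Attribute")
            if att.get("AttributeId") == attribute_id
            for v in att.findall(C + "AttributeValue")]

SECTIONS = (  # (container, AnyX element, group element, match element, designator)
    ("Subjects", "AnySubject", "Subject", "SubjectMatch", "SubjectAttributeDesignator"),
    ("Resources", "AnyResource", "Resource", "ResourceMatch", "ResourceAttributeDesignator"),
    ("Actions", "AnyAction", "Action", "ActionMatch", "ActionAttributeDesignator"),
)

def match_holds(match, request, section, designator):
    """One <SubjectMatch> (etc.): true if the function holds for at least one
    value in the designated attribute's bag."""
    if match.get("MatchId") != RFC822_MATCH:
        raise NotImplementedError(match.get("MatchId"))
    literal = match.find(P + "AttributeValue").text
    attr_id = match.find(P + designator).get("AttributeId")
    return any(rfc822_name_match(literal, v)
               for v in attribute_bag(request, section, attr_id))

def target_matches(target, request):
    """<AnyX/> matches everything; <Subjects> is a disjunction of <Subject>
    elements, each a conjunction of its <SubjectMatch> elements (likewise for
    resources and actions). A missing <Target> inherits its parent's and so matches."""
    if target is None:
        return True
    for container, any_tag, group, match_tag, designator in SECTIONS:
        holder = target.find(P + container)
        if holder.find(P + any_tag) is not None:
            continue
        if not any(all(match_holds(m, request, group, designator)
                       for m in g.findall(P + match_tag))
                   for g in holder.findall(P + group)):
            return False
    return True

def decide(policy_xml, request_xml):
    policy, request = ET.fromstring(policy_xml), ET.fromstring(request_xml)
    if not target_matches(policy.find(P + "Target"), request):
        return "NotApplicable"
    effects = [r.get("Effect") for r in policy.findall(P + "Rule")
               if target_matches(r.find(P + "Target"), request)]   # no <Condition> here
    if "Deny" in effects:                  # deny-overrides, Indeterminate not modelled
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"
```

Running decide(POLICY_X, request_for("bs@simpsons.com")) reproduces the "NotApplicable" of [r06]; a subject at medico.com is permitted, and, because a bare domain in the literal matches only that exact domain, a subject at mail.medico.com is not, which is why the "." form exists.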
4.2 Example two

This section contains an example XML document, an example request context and example XACML rules. The XML document is a medical record. Four separate rules are defined. These illustrate a rule-combining algorithm, conditions and obligations.
4.2.1 Example medical record instance

The following is an instance of a medical record to which the example XACML rules can be applied. The <record> schema is defined in the registered namespace administered by medico.com.

<?xml version="1.0" encoding="UTF-8"?>
<record xmlns="http://www.medico.com/schemas/record.xsd"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <patient>
    <patientName>
      <first>Bartholomew</first>
      <last>Simpson</last>
    </patientName>
    <patientContact>
      <street>27 Shelbyville Road</street>
      <city>Springfield</city>
      <state>MA</state>
      <zip>12345</zip>
      <phone>555.123.4567</phone>
      <fax/>
      <email/>
    </patientContact>
    <patientDoB>1992-03-21</patientDoB>
    <patientGender>male</patientGender>
    <patient-number>555555</patient-number>
  </patient>
  <parentGuardian>
    <parentGuardianId>HS001</parentGuardianId>
    <parentGuardianName>
      <first>Homer</first>
      <last>Simpson</last>
    </parentGuardianName>
    <parentGuardianContact>
      <street>27 Shelbyville Road</street>
      <city>Springfield</city>
      <state>MA</state>
      <zip>12345</zip>
      <phone>555.123.4567</phone>
      <fax/>
      <email>homers@aol.com</email>
    </parentGuardianContact>
  </parentGuardian>
  <primaryCarePhysician>
    <physicianName>
      <first>Julius</first>
      <last>Hibbert</last>
    </physicianName>
    <physicianContact>
      <street>1 First St</street>
      <city>Springfield</city>
      <state>MA</state>
      <zip>12345</zip>
      <phone>555.123.9012</phone>
      <fax>555.123.9013</fax>
      <email/>
    </physicianContact>
    <registrationID>ABC123</registrationID>
  </primaryCarePhysician>
  <insurer>
    <name>Blue Cross</name>
    <street>1234 Main St</street>
    <city>Springfield</city>
    <state>MA</state>
    <zip>12345</zip>
    <phone>555.123.5678</phone>
    <fax>555.123.5679</fax>
    <email/>
  </insurer>
  <medical>
    <treatment>
      <drug>
        <name>methylphenidate hydrochloride</name>
        <dailyDosage>30mgs</dailyDosage>
        <startDate>1999-01-12</startDate>
      </drug>
      <comment>patient exhibits side-effects of skin coloration and carpal degeneration</comment>
    </treatment>
    <result>
      <test>blood pressure</test>
      <value>120/80</value>
      <date>2001-06-09</date>
      <performedBy>Nurse Betty</performedBy>
    </result>
  </medical>
</record>
4.2.2 Example request context

The following example illustrates a request context to which the example rules may be applicable. It represents a request by the physician Julius Hibbert to read the patient date of birth in the record of Bartholomew Simpson.

[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
[03]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
[04]   <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
[05]     <Attribute AttributeId=
[06]         "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
[07]       DataType=
[08]         "urn:oasis:names:tc:xacml:1.0:data-type:x500Name"
[09]       Issuer="www.medico.com"
[10]       IssueInstant="2001-12-17T09:30:47-05:00">
[11]       <AttributeValue>CN=Julius Hibbert</AttributeValue>
[12]     </Attribute>
[13]     <Attribute AttributeId=
[14]         "urn:oasis:names:tc:xacml:1.0:example:attribute:role"
[15]       DataType="http://www.w3.org/2001/XMLSchema#string"
[16]       Issuer="www.medico.com"
[17]       IssueInstant="2001-12-17T09:30:47-05:00">
[18]       <AttributeValue>physician</AttributeValue>
[19]     </Attribute>
[20]     <Attribute AttributeId=
[21]         "urn:oasis:names:tc:xacml:1.0:example:attribute:physician-id"
[22]       DataType="http://www.w3.org/2001/XMLSchema#string"
[23]       Issuer="www.medico.com"
[24]       IssueInstant="2001-12-17T09:30:47-05:00">
[25]       <AttributeValue>jh1234</AttributeValue>
[26]     </Attribute>
[27]   </Subject>
[28]   <Resource>
[29]     <ResourceContent>
[30]       <md:record
[31]           xmlns:md="http://www.medico.com/schemas/record.xsd">
[32]         <md:patient>
[33]           <md:patientDoB>1992-03-21</md:patientDoB>
[34]         </md:patient>
[35]         <!-- other fields -->
[36]       </md:record>
[37]     </ResourceContent>
[38]     <Attribute AttributeId=
[39]         "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
[40]       DataType="http://www.w3.org/2001/XMLSchema#string">
[41]       <AttributeValue>
[42]         //medico.com/records/bart-simpson.xml#
[43]         xmlns(md=http://www.medico.com/schemas/record.xsd)
[44]         xpointer(/md:record/md:patient/md:patientDoB)
[45]       </AttributeValue>
[46]     </Attribute>
[47]     <Attribute AttributeId=
[48]         "urn:oasis:names:tc:xacml:1.0:resource:xpath"
[49]       DataType="http://www.w3.org/2001/XMLSchema#string">
[50]       <AttributeValue>
[51]         xmlns(md=http://www.medico.com/schemas/record.xsd)
[52]         xpointer(/md:record/md:patient/md:patientDoB)
[53]       </AttributeValue>
[54]     </Attribute>
[55]     <Attribute AttributeId=
[56]         "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
[57]       DataType="http://www.w3.org/2001/XMLSchema#string">
[58]       <AttributeValue>
[59]         http://www.medico.com/schemas/record.xsd
[60]       </AttributeValue>
[61]     </Attribute>
[62]   </Resource>
[63]   <Action>
[64]     <Attribute AttributeId=
[65]         "urn:oasis:names:tc:xacml:1.0:action:action-id"
[66]       DataType="http://www.w3.org/2001/XMLSchema#string">
[67]       <AttributeValue>read</AttributeValue>
[68]     </Attribute>
[69]   </Action>
[70] </Request>
[02]-[03] Standard namespace declarations.

[04]-[27] Subject attributes are placed in the Subject section of the Request. Each attribute consists of the attribute meta-data and the attribute value.

[04] Each Subject element has a SubjectCategory XML attribute. The value of this attribute describes the role that the subject plays in making the decision request. The value of "access-subject" denotes the identity for which the request was issued.

[05]-[12] Subject subject-id attribute.

[13]-[19] Subject role attribute.

[20]-[26] Subject physician-id attribute.

[28]-[62] Resource attributes are placed in the Resource section of the Request. Each attribute consists of attribute meta-data and an attribute value.

[29]-[36] Resource content. The XML document that is being requested is placed here.

[38]-[46] Resource identifier.
[47]-[61] The Resource is identified with an XPointer expression that names the URI of the file that is accessed, the target namespace of the document and the XPath location path to the specific element.

[47]-[54] The XPath location path in the "resource-id" attribute is extracted and placed in the xpath attribute.

[55]-[61] Resource target-namespace attribute.

[63]-[69] Action attributes are placed in the Action section of the Request.

[64]-[68] Action identifier.

4.2.3 Example plain-language rules

The following plain-language rules are to be enforced:

Rule 1: A person, identified by his or her patient number, may read any record for which he or she is the designated patient.

Rule 2: A person may read any record for which he or she is the designated parent or guardian, and for which the patient is under 16 years of age.

Rule 3: A physician may write to any medical element for which he or she is the designated primary care physician, provided an email is sent to the patient.

Rule 4: An administrator shall not be permitted to read or write to medical elements of a patient record.

These rules may be written by different PAPs operating independently, or by a single PAP.

4.2.4 Example XACML rule instances

4.2.4.1 Rule 1

Rule 1 illustrates a simple rule with a single <Condition> element. The following XACML <Rule> instance expresses Rule 1:

[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Rule
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   xmlns:ctx="urn:oasis:names:tc:xacml:1.0:context"
[06]   xmlns:md="http://www.medico.com/schemas/record.xsd"
[07]   RuleId="urn:oasis:names:tc:xacml:examples:ruleid:1"
[08]   Effect="Permit">
[09]   <Description>
[10]     A person may read any medical record in the
[11]     http://www.medico.com/schemas/record.xsd namespace
[12]     for which he or she is a designated patient
[13]   </Description>
[14]   <Target>
[15]     <Subjects>
[16]       <AnySubject/>
[17]     </Subjects>
[18]     <Resources>
[20]       <Resource>
[21]         <!-- match document target namespace -->
[22]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[23]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[24]             http://www.medico.com/schemas/record.xsd
[25]           </AttributeValue>
[26]           <ResourceAttributeDesignator AttributeId=
[27]               "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[28]         </ResourceMatch>
[29]         <!-- match requested xml element -->
[30]         <ResourceMatch
               MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-node-match">
[31]           <AttributeValue
               DataType="http://www.w3.org/2001/XMLSchema#string">//md:record</AttributeValue>
[32]           <ResourceAttributeDesignator AttributeId=
[33]               "urn:oasis:names:tc:xacml:1.0:resource:xpath"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[34]         </ResourceMatch>
[35]       </Resource>
[36]     </Resources>
[37]     <Actions>
[38]       <Action>
[39]         <ActionMatch
               MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[40]           <AttributeValue
               DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
[41]           <ActionAttributeDesignator AttributeId=
[42]               "urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[43]         </ActionMatch>
[44]       </Action>
[45]     </Actions>
[46]   </Target>
[47]   <!-- compare policy number in the document with
[48]        policy-number attribute -->
[49]   <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[50]     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[51]       <!-- policy-number attribute -->
[52]       <SubjectAttributeDesignator AttributeId=
[53]           "urn:oasis:names:tc:xacml:1.0:examples:attribute:policy-number"
             DataType="http://www.w3.org/2001/XMLSchema#string"/>
[54]     </Apply>
[55]     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[56]       <!-- policy number in the document -->
[57]       <AttributeSelector RequestContextPath=
[58]           "//md:record/md:patient/md:patient-number/text()"
             DataType="http://www.w3.org/2001/XMLSchema#string">
[59]       </AttributeSelector>
[60]     </Apply>
[61]   </Condition>
[62] </Rule>
[02]-[06] XML namespace declarations.
[07] Rule identifier.
[08] When a rule evaluates to "True", it emits the value of its Effect attribute. This value is combined with the Effect values of the other applicable rules according to the rule-combining algorithm of the enclosing policy.
[09]-[13] Free-form description of the rule.
[14]-[46] A rule target defines the set of decision requests to which the rule applies. A decision request matches the target of this rule when the value of the "urn:oasis:names:tc:xacml:1.0:resource:target-namespace" resource attribute is equal to "http://www.medico.com/schemas/record.xsd", the value of the "urn:oasis:names:tc:xacml:1.0:resource:xpath" resource attribute matches the XPath expression "//md:record", and the value of the "urn:oasis:names:tc:xacml:1.0:action:action-id" action attribute is equal to "read".
[15]-[17] The Subjects element may contain either a disjunctive sequence of Subject elements or an AnySubject element.
[16] The AnySubject element is a special element that matches any subject in the request context.
[18]-[36] The Resources element may contain either a disjunctive sequence of Resource elements or an AnyResource element.
[20]-[35] The Resource element encloses a conjunctive sequence of ResourceMatch elements.
[22]-[28] The ResourceMatch element compares its first and second child elements according to the matching function. The match is positive if the value of the first argument matches any of the values selected by the second argument. This match compares the target namespace of the requested document with the value "http://www.medico.com/schemas/record.xsd".
[22] The MatchId attribute names the matching function.
[23]-[25] Literal attribute value to match.
[26]-[27] The ResourceAttributeDesignator element selects resource attribute values from the request context. The attribute name is specified by the AttributeId. The selection result is a bag of values.
[30]-[34] This ResourceMatch compares the results of two XPath expressions. The first XPath expression is "//md:record"; the second is the location path of the requested XML element. The "xpath-node-match" function evaluates to "True" if the requested XML element is the md:record element or lies below it.
[30] The MatchId attribute names the matching function.
[31] The literal XPath expression to match. The md prefix is resolved using the standard namespace declaration on line [06].
[32]-[33] The ResourceAttributeDesignator selects the bag of values for the "urn:oasis:names:tc:xacml:1.0:resource:xpath" resource attribute. Here there is just one element in the bag: the location path of the requested XML element.
[37]-[45] The Actions element may contain either a disjunctive sequence of Action elements or an AnyAction element.
[38]-[44] The Action element contains a conjunctive sequence of ActionMatch elements.
[39]-[43] The ActionMatch element compares its first and second child elements according to the matching function. The match is positive if the value of the first argument matches any of the values selected by the second argument. In this case the value of the action-id action attribute in the request context is compared with the value "read".
[39] The MatchId attribute names the matching function.
[40] The attribute value to match. This is an action name.
[41]-[42] The ActionAttributeDesignator selects action attribute values from the request context. The attribute name is specified by the AttributeId; the selection result is a bag of values. "urn:oasis:names:tc:xacml:1.0:action:action-id" is the predefined name for the action identifier.
[49]-[61] The <Condition> element. A condition must evaluate to "True" for the rule to be applicable. This condition evaluates the truth of the statement: the subject's policy-number attribute is equal to the patient number recorded in the XML document (the attribute named policy-number in the listing plays the role of the person's patient number in the plain-language rule).
[49] The FunctionId attribute of the <Condition> element names the function used for the comparison. In this case the comparison is done with urn:oasis:names:tc:xacml:1.0:function:string-equal; this function takes two arguments of the "http://www.w3.org/2001/XMLSchema#string" data-type.
[50] The first argument to string-equal in the Condition. Functions can take other functions as arguments; the Apply element encodes a function call, with the FunctionId attribute naming the function. Since string-equal takes arguments of the string data-type, while a SubjectAttributeDesignator evaluates to a bag of string values, "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" is used to unwrap the bag. This function requires its argument to evaluate to a bag containing one and only one string element, and returns that element; if the bag is empty or holds more than one value, the function, and with it the rule, evaluates to "Indeterminate" rather than "False".
[52]-[53] The SubjectAttributeDesignator selects the bag of values for the policy-number subject attribute from the request context.
[55] The second argument to string-equal in the Condition. Again an Apply element encodes the function call, and string-one-and-only is used because the AttributeSelector evaluates to a bag of string values, from which exactly one value must be obtained.
[57] The AttributeSelector element selects a bag of values from the request context. The AttributeSelector is a free-form XPath pointing device into the request context. The RequestContextPath attribute specifies an XPath expression over the content of the requested XML document, here selecting the patient number. Note that the namespace prefixes in the XPath expression are resolved with the standard XML namespace declarations.
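As an added illustration, not code from the specification, the following Python models the two XPath-based pieces of Rule 1: the xpath-node-match target function on lines [30]-[34] and the AttributeSelector of the condition on lines [57]-[59], evaluated with xml.etree over a constructed record document. The selector stand-in handles only the location-path shape the examples use (//md:a/md:b, optionally ending in /text()), and the synthetic document node that wraps the parsed record is an assumption of this example, needed so that a path starting with "//" can select the root element itself.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://www.medico.com/schemas/record.xsd"}

# Constructed sample document (not the specification's own example record).
RECORD_XML = """<md:record xmlns:md="http://www.medico.com/schemas/record.xsd">
  <md:patient>
    <md:patientName>Bart Simpson</md:patientName>
    <md:patient-number>555555</md:patient-number>
  </md:patient>
  <md:medical>
    <md:treatment>
      <md:drug>methylphenidate</md:drug>
    </md:treatment>
  </md:medical>
</md:record>"""

def load_record(xml_text):
    """Parse the record and wrap it in a synthetic document node (an assumption of
    this example): ElementTree's './/' searches descendants only, so without the
    wrapper a path such as //md:record could never select the root element."""
    doc = ET.Element("document")
    doc.append(ET.fromstring(xml_text))
    return doc

def select(doc, location_path):
    """AttributeSelector stand-in over the resource content. Handles only the shape
    the examples use, //md:a/md:b[/text()], and returns a bag: element texts when
    the path ends in text(), otherwise the selected elements themselves."""
    want_text = location_path.endswith("/text()")
    path = location_path[: -len("/text()")] if want_text else location_path
    if not path.startswith("//"):
        raise ValueError("only location paths starting with // are supported here")
    nodes = doc.findall("." + path, NS)      # '//x' becomes ElementTree's './/x'
    return [(n.text or "").strip() for n in nodes] if want_text else nodes

def xpath_node_match(doc, policy_path, requested_path):
    """xpath-node-match: True if a node selected by the second path is equal to,
    or a descendant of, a node selected by the first path."""
    requested = select(doc, requested_path)
    return any(req in list(node.iter())          # node.iter() yields node and all descendants
               for node in select(doc, policy_path) for req in requested)

def rule_1_condition(doc, subject_policy_numbers):
    """string-equal(string-one-and-only(subject bag), string-one-and-only(selector bag)).
    Either bag holding anything but exactly one value makes the condition
    Indeterminate, returned here as None rather than False."""
    document_bag = select(doc, "//md:record/md:patient/md:patient-number/text()")
    if len(subject_policy_numbers) != 1 or len(document_bag) != 1:
        return None
    return subject_policy_numbers[0] == document_bag[0]
```

The three-valued result of rule_1_condition is the point to notice: a subject carrying two policy-number values, or a document carrying two patient-number elements, does not fail the comparison, it makes the rule Indeterminate, and what Indeterminate turns into is then decided by the combining algorithm, not by this rule.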
4.2.4.2 Rule 2
Rule 2 illustrates the use of a mathematical function, i.e. an <Apply> element with FunctionId urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration, to calculate a date. It also illustrates the combination of predicate expressions with the FunctionId urn:oasis:names:tc:xacml:1.0:function:and.
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Rule
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   xmlns:ctx="urn:oasis:names:tc:xacml:1.0:context"
[06]   xmlns:md="http://www.medico.com/schemas/record.xsd"
[07]   RuleId="urn:oasis:names:tc:xacml:examples:ruleid:2"
[08]   Effect="Permit">
[09]   <Description>
[10]     A person may read any medical record in the
[11]     http://www.medico.com/schemas/record.xsd namespace
[12]     for which he or she is the designated parent or guardian
[13]     and for which the patient is under 16 years of age
[14]   </Description>
[15]   <Target>
[16]     <Subjects>
[17]       <AnySubject/>
[18]     </Subjects>
[19]     <Resources>
[20]       <Resource>
[21]         <!-- match document target namespace -->
[22]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[23]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[24]             http://www.medico.com/schemas/record.xsd
[25]           </AttributeValue>
[26]           <ResourceAttributeDesignator AttributeId=
[27]             "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[28]         </ResourceMatch>
[29]         <!-- match requested xml element -->
[30]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-node-match">
[31]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">//md:record</AttributeValue>
[32]           <ResourceAttributeDesignator AttributeId=
[33]             "urn:oasis:names:tc:xacml:1.0:resource:xpath"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[34]         </ResourceMatch>
[35]       </Resource>
[36]     </Resources>
[37]     <Actions>
[38]       <Action>
[39]         <!-- match read action -->
[40]         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[41]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
[42]           <ActionAttributeDesignator AttributeId=
[43]             "urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[44]         </ActionMatch>
[45]       </Action>
[46]     </Actions>
[47]   </Target>
[48]   <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
[49]     <!-- compare parent-guardian-id subject attribute with
[50]          the value in the document -->
[51]     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[52]       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[53]         <!-- parent-guardian-id subject attribute -->
[54]         <SubjectAttributeDesignator AttributeId=
[55]           "urn:oasis:names:tc:xacml:1.0:examples:attribute:parent-guardian-id"
[56]           DataType="http://www.w3.org/2001/XMLSchema#string"/>
[57]       </Apply>
[58]       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[59]         <!-- parent-guardian-id element in the document -->
[60]         <AttributeSelector RequestContextPath=
[61]           "//md:record/md:parentGuardian/md:parentGuardianId/text()"
[62]           DataType="http://www.w3.org/2001/XMLSchema#string">
[63]         </AttributeSelector>
[64]       </Apply>
[65]     </Apply>
[66]     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-less-or-equal">
[67]       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
[68]         <EnvironmentAttributeDesignator AttributeId=
[69]           "urn:oasis:names:tc:xacml:1.0:environment:current-date"
             DataType="http://www.w3.org/2001/XMLSchema#date"/>
[70]       </Apply>
[71]       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration">
[73]         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
[74]           <!-- patient dob recorded in the document -->
[75]           <AttributeSelector RequestContextPath=
[76]             "//md:record/md:patient/md:patientDoB/text()"
               DataType="http://www.w3.org/2001/XMLSchema#date">
[77]           </AttributeSelector>
[78]         </Apply>
[79]         <AttributeValue DataType="http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration">
[80]           P16Y
[81]         </AttributeValue>
[82]       </Apply>
[83]     </Apply>
[84]   </Condition>
[85] </Rule>
[02]-[47] Rule declaration and rule target. See Rule 1 in Section 4.2.4.1 for the detailed explanation of these elements.
[48]-[84] The Condition element. The condition must evaluate to "True" for the rule to be applicable. This condition evaluates the truth of the statement: the requestor is the designated parent or guardian, and the patient is under 16 years of age.
[48] The Condition uses the "urn:oasis:names:tc:xacml:1.0:function:and" function. This is a boolean function that takes one or more boolean arguments (2 in this case) and performs the logical "AND" operation to compute the truth value of the expression.
[51]-[65] The first part of the condition is evaluated: the requestor is the designated parent or guardian. The Apply element contains a function invocation; the function name is carried in the FunctionId attribute. The comparison is done with "urn:oasis:names:tc:xacml:1.0:function:string-equal", which takes 2 arguments of the "http://www.w3.org/2001/XMLSchema#string" data-type.
[52] Since string-equal takes arguments of the string data-type, "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" is used to ensure that the subject attribute "urn:oasis:names:tc:xacml:1.0:examples:attribute:parent-guardian-id" in the request context contains one and only one value. string-one-and-only takes an argument expression that evaluates to a bag of string values.
[54] The value of the subject attribute "urn:oasis:names:tc:xacml:1.0:examples:attribute:parent-guardian-id" is selected from the request context with the <SubjectAttributeDesignator> element. This expression evaluates to a bag of string values.
[58] string-one-and-only is used to ensure that the bag of values selected by its argument contains one and only one value of data-type string.
[60] The value of the md:parentGuardianId element is selected from the resource content with the AttributeSelector element. The AttributeSelector is a free-form XPath expression pointing into the request context; the RequestContextPath XML attribute contains the XPath expression over the request context. Note that all namespace prefixes in the XPath expression are resolved with the standard namespace declarations. The AttributeSelector evaluates to a bag of values of data-type string.
[66]-[83] The expression "the patient is under 16 years of age" is evaluated. As written, the patient is treated as under 16 if the current date is less than or equal to the date computed by adding 16 years to the patient's date of birth. Because the comparison is "or equal", the condition still holds on the patient's sixteenth birthday; a strict less-than comparison would be needed to exclude that day.
[66] The date comparison function is used to compare two dates: it returns "True" if its first argument (the current date) is the same as or earlier than its second argument (the computed date). Note that the identifier printed in the listing, "urn:oasis:names:tc:xacml:1.0:function:date-less-or-equal", does not follow the naming pattern of the standard comparison functions, whose identifier for this comparison is "urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal"; a PDP that validates function identifiers against the standard list will reject the rule as written.
[67] "urn:oasis:names:tc:xacml:1.0:function:date-one-and-only" is used to ensure that the bag of values selected by its argument contains one and only one value of data-type "http://www.w3.org/2001/XMLSchema#date".
[68]-[69] The current date is obtained by selecting the "urn:oasis:names:tc:xacml:1.0:environment:current-date" environment attribute.
[71] "urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration" is used to compute the date by adding 16 years to the patient's date of birth. The first argument is a "http://www.w3.org/2001/XMLSchema#date" and the second argument is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration".
[73] "urn:oasis:names:tc:xacml:1.0:function:date-one-and-only" is used to ensure that the bag of values selected by its argument contains one and only one value of data-type "http://www.w3.org/2001/XMLSchema#date".
[75]-[76] The <AttributeSelector> element selects the patient's date of birth by evaluating the XPath expression over the document content.
[79]-[81] A yearMonthDuration of 16 years (P16Y).
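The date arithmetic of lines [66]-[82], worked through in Python as an added example that is not part of the specification. It implements yearMonthDuration parsing and date-add-yearMonthDuration with the month-end clamping that XML Schema date arithmetic specifies, then evaluates the "under 16" test both as the rule writes it (less-or-equal) and as the plain-language rule states it (strictly under), so the boundary day is visible. The sample dates are constructed values.

```python
from datetime import date
from typing import Tuple
import calendar
import re

def parse_year_month_duration(text: str) -> Tuple[int, int]:
    """Parse an xs:yearMonthDuration such as 'P16Y', 'P1Y6M' or '-P2M' into
    (years, months). Day and time components are not part of this type."""
    m = re.fullmatch(r"(-?)P(?:(\d+)Y)?(?:(\d+)M)?", text.strip())
    if not m or (m.group(2) is None and m.group(3) is None):
        raise ValueError("not a yearMonthDuration: %r" % text)
    sign = -1 if m.group(1) else 1
    return sign * int(m.group(2) or 0), sign * int(m.group(3) or 0)

def date_add_year_month_duration(d: date, duration: str) -> date:
    """date-add-yearMonthDuration: add whole years and months to a date. When the
    target month is shorter than the source day-of-month (29 Feb + P1Y, 31 Jan + P1M)
    the day is clamped to the last day of the target month, as XML Schema date
    arithmetic specifies."""
    years, months = parse_year_month_duration(duration)
    total_months = d.year * 12 + (d.month - 1) + years * 12 + months
    year, month_index = divmod(total_months, 12)
    month = month_index + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)

def date_less_or_equal(a: date, b: date) -> bool:
    """The comparison the rule names: True when a is on or before b."""
    return a <= b

def patient_under_16(current_date: date, patient_dob: date) -> bool:
    """Rule 2's second conjunct exactly as written:
    date-less-or-equal(current-date, date-add-yearMonthDuration(patientDoB, P16Y))."""
    return date_less_or_equal(current_date, date_add_year_month_duration(patient_dob, "P16Y"))

def patient_strictly_under_16(current_date: date, patient_dob: date) -> bool:
    """What the plain-language rule says: the sixteenth birthday itself no longer qualifies."""
    return current_date < date_add_year_month_duration(patient_dob, "P16Y")

if __name__ == "__main__":
    dob = date(1990, 3, 15)  # constructed sample value
    for today in (date(2006, 3, 14), date(2006, 3, 15), date(2006, 3, 16)):
        print(today, patient_under_16(today, dob), patient_strictly_under_16(today, dob))
```

The clamping matters for a patient born on 29 February: adding P16Y lands on 29 February again (2008 is a leap year), but adding P1Y lands on 28 February, so the "birthday" the policy computes can differ from the calendar date a human would pick.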
4.2.4.3 Rule 3
Rule 3 illustrates the use of an obligation. The XACML <Rule> element syntax does not include an element suitable for carrying an obligation; therefore Rule 3 has to be expressed as a <Policy> element.
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Policy
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   xmlns:ctx="urn:oasis:names:tc:xacml:1.0:context"
[06]   xmlns:md="http://www.medico.com/schemas/record.xsd"
[07]   PolicyId="urn:oasis:names:tc:xacml:examples:policyid:3"
[08]   RuleCombiningAlgId=
[09]     "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
[10]   <Description>
[11]     Policy for any medical record in the
[12]     http://www.medico.com/schemas/record.xsd namespace
[13]   </Description>
[14]   <Target>
[15]     <Subjects>
[16]       <AnySubject/>
[17]     </Subjects>
[18]     <Resources>
[19]       <Resource>
[20]         <!-- match document target namespace -->
[21]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[22]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[23]             http://www.medico.com/schemas/record.xsd
[24]           </AttributeValue>
[25]           <ResourceAttributeDesignator AttributeId=
[26]             "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[27]         </ResourceMatch>
[28]       </Resource>
[29]     </Resources>
[30]     <Actions>
[31]       <AnyAction/>
[32]     </Actions>
[33]   </Target>
[34]   <Rule RuleId="urn:oasis:names:tc:xacml:examples:ruleid:3"
[35]         Effect="Permit">
[36]     <Description>
[37]       A physician may write any medical element in a record
[38]       for which he or she is the designated primary care
[39]       physician, provided an email is sent to the patient
[40]     </Description>
[41]     <Target>
[42]       <Subjects>
[43]         <Subject>
[44]           <!-- match subject group attribute -->
[45]           <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[46]             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">physician</AttributeValue>
[47]             <SubjectAttributeDesignator AttributeId=
[48]               "urn:oasis:names:tc:xacml:1.0:example:attribute:role"
                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
[49]           </SubjectMatch>
[50]         </Subject>
[51]       </Subjects>
[52]       <Resources>
[53]         <Resource>
[54]           <!-- match requested xml element -->
[55]           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-node-match">
[56]             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[57]               //md:record/md:medical
[58]             </AttributeValue>
[59]             <ResourceAttributeDesignator AttributeId=
[60]               "urn:oasis:names:tc:xacml:1.0:resource:xpath"
                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
[61]           </ResourceMatch>
[62]         </Resource>
[63]       </Resources>
[64]       <Actions>
[65]         <Action>
[66]           <!-- match action -->
[67]           <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[68]             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
[69]             <ActionAttributeDesignator AttributeId=
[70]               "urn:oasis:names:tc:xacml:1.0:action:action-id"
                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
[71]           </ActionMatch>
[72]         </Action>
[73]       </Actions>
[74]     </Target>
[75]     <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[76]       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[77]         <!-- physician-id subject attribute -->
[78]         <SubjectAttributeDesignator AttributeId=
[79]           "urn:oasis:names:tc:xacml:1.0:example:attribute:physician-id"
[80]           DataType="http://www.w3.org/2001/XMLSchema#string"/>
[81]       </Apply>
[82]       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[83]         <AttributeSelector RequestContextPath=
[84]           "//md:record/md:primaryCarePhysician/md:registrationID/text()"
[85]           DataType="http://www.w3.org/2001/XMLSchema#string"/>
[86]       </Apply>
[87]     </Condition>
[89]   </Rule>
[90]   <Obligations>
[91]     <!-- send e-mail message to the document owner -->
[92]     <Obligation ObligationId=
[93]       "urn:oasis:names:tc:xacml:example:obligation:email"
[94]       FulfillOn="Permit">
[95]       <AttributeAssignment AttributeId=
[96]         "urn:oasis:names:tc:xacml:1.0:example:attribute:mailto"
[97]         DataType="http://www.w3.org/2001/XMLSchema#string">
[98]         <AttributeSelector RequestContextPath=
[99]           "//md:record/md:patient/md:patientContact/md:email"
[100]          DataType="http://www.w3.org/2001/XMLSchema#string"/>
[101]      </AttributeAssignment>
[102]      <AttributeAssignment AttributeId=
[103]        "urn:oasis:names:tc:xacml:1.0:example:attribute:text"
[104]        DataType="http://www.w3.org/2001/XMLSchema#string">
[105]        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[106]          Your medical record has been accessed by
[107]        </AttributeValue>
[108]      </AttributeAssignment>
[109]      <AttributeAssignment AttributeId=
[110]        "urn:oasis:names:tc:xacml:1.0:example:attribute:text"
[111]        DataType="http://www.w3.org/2001/XMLSchema#string">
[112]        <SubjectAttributeDesignator AttributeId=
[113]          "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
             DataType="http://www.w3.org/2001/XMLSchema#string"/>
[114]      </AttributeAssignment>
[115]    </Obligation>
[116]  </Obligations>
[117] </Policy>
[01]-[09] The Policy element includes the standard namespace declarations as well as policy-specific parameters such as PolicyId and RuleCombiningAlgId.
[07] Policy identifier. This parameter is used to include the Policy in a PolicySet element by reference; the PolicyIdReference in the policy set must carry exactly this value.
[08]-[09] Rule-combining algorithm identifier. This parameter determines how the effects of the rules applicable to a decision request are combined into the policy's result; with deny-overrides a single Deny outweighs any number of Permits.
[10]-[13] Free-form description of the policy.
[14]-[33] Policy target. The policy target defines the set of decision requests to which the policy applies. The structure of the Target element in the Policy is identical to the structure of the Target element in the Rule. In this case the policy target is the set of all requests, by any subject and for any action, on XML documents conforming to the "http://www.medico.com/schemas/record.xsd" target namespace. For a detailed description of the Target element see Rule 1, Section 4.2.4.1.
[34]-[89] The only Rule element included in this Policy. Two parameters are specified in the rule header: RuleId and Effect. For a detailed description of the Rule structure see Rule 1, Section 4.2.4.1.
[41]-[74] A rule target narrows down the policy target. Decision requests whose "urn:oasis:names:tc:xacml:1.0:example:attribute:role" subject attribute is equal to "physician" [42]-[51], that access elements of the medical record that "xpath-node-match" the "//md:record/md:medical" XPath expression [52]-[63], and whose "urn:oasis:names:tc:xacml:1.0:action:action-id" action attribute is equal to "write" [65]-[73] match the target of this rule. For a detailed description of the rule target see example 1, Section 4.2.4.1.
[75]-[87] The Condition element. For the rule to be applicable to the authorization request, the condition must evaluate to "True". This rule condition compares the value of the "urn:oasis:names:tc:xacml:1.0:example:attribute:physician-id" subject attribute with the value of the primary care physician's registration ID element in the medical record that is being accessed. For a detailed explanation of rule conditions see Rule 1, Section 4.2.4.1.
[90]-[116] The Obligations element. Obligations are a set of operations that must be performed by the PEP in conjunction with an authorization decision. An obligation may be associated with a positive or negative authorization decision. A PEP that does not understand, or cannot discharge, an obligation attached to a "Permit" decision must not grant access; otherwise the e-mail notification on which Rule 3 depends could silently be skipped.
[92]-[115] The Obligation element consists of the ObligationId, the authorization decision value for which it must be fulfilled, and a set of attribute assignments.
[92]-[93] ObligationId identifies the obligation. Obligation names are not interpreted by the PDP.
[94] The FulfillOn attribute defines the authorization decision value for which this obligation must be fulfilled.
[95]-[101] An obligation may have one or more parameters. The obligation parameter "urn:oasis:names:tc:xacml:1.0:example:attribute:mailto" is assigned a value taken from the content of the XML document.
[95]-[96] AttributeId declares the "urn:oasis:names:tc:xacml:1.0:example:attribute:mailto" obligation parameter.
[97] The obligation parameter data-type is defined.
[98]-[100] The obligation parameter value is selected from the content of the XML document that is being accessed, with an XPath expression over the request context.
[102]-[108] The obligation parameter "urn:oasis:names:tc:xacml:1.0:example:attribute:text" of data-type "http://www.w3.org/2001/XMLSchema#string" is assigned the literal value "Your medical record has been accessed by".
[109]-[114] The obligation parameter "urn:oasis:names:tc:xacml:1.0:example:attribute:text" of data-type "http://www.w3.org/2001/XMLSchema#string" is assigned the value of the "urn:oasis:names:tc:xacml:1.0:subject:subject-id" subject attribute.
4.2.4.4 Rule 4
Rule 4 illustrates the use of the Deny Effect value and a Rule with no Condition element.
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Rule
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   xmlns:ctx="urn:oasis:names:tc:xacml:1.0:context"
[06]   xmlns:md="http://www.medico.com/schemas/record.xsd"
[07]   RuleId="urn:oasis:names:tc:xacml:examples:ruleid:4"
[08]   Effect="Deny">
[09]   <Description>
[10]     An Administrator shall not be permitted to read or write
[11]     medical elements of a patient record in the
[12]     http://www.medico.com/schemas/record.xsd namespace
[13]   </Description>
[14]   <Target>
[15]     <Subjects>
[16]       <Subject>
[17]         <!-- match role subject attribute -->
[18]         <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[19]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
[20]           <SubjectAttributeDesignator AttributeId=
[21]             "urn:oasis:names:tc:xacml:1.0:example:attribute:role"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[22]         </SubjectMatch>
[23]       </Subject>
[24]     </Subjects>
[25]     <Resources>
[26]       <Resource>
[27]         <!-- match document target namespace -->
[28]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[29]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[30]             http://www.medico.com/schemas/record.xsd
[31]           </AttributeValue>
[32]           <ResourceAttributeDesignator AttributeId=
[33]             "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[34]         </ResourceMatch>
[35]         <!-- match requested xml element -->
[36]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-node-match">
[37]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[38]             //md:record/md:medical
[39]           </AttributeValue>
[40]           <ResourceAttributeDesignator AttributeId=
[41]             "urn:oasis:names:tc:xacml:1.0:resource:xpath"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[42]         </ResourceMatch>
[43]       </Resource>
[44]     </Resources>
[45]     <Actions>
[46]       <Action>
[47]         <!-- match read action -->
[48]         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[49]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
[50]           <ActionAttributeDesignator AttributeId=
[51]             "urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[52]         </ActionMatch>
[53]       </Action>
[54]       <Action>
[55]         <!-- match write action -->
[56]         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[57]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
[58]           <ActionAttributeDesignator AttributeId=
[59]             "urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[60]         </ActionMatch>
[61]       </Action>
[62]     </Actions>
[63]   </Target>
[64] </Rule>
[01]-[08] The Rule element declaration. The most important parameter here is Effect. See Rule 1, Section 4.2.4.1, for a detailed explanation of the Rule structure.
[08] Rule Effect. Every rule that evaluates to "True" emits its Effect as its value, which is later combined with the effects of the other applicable rules according to the rule-combining algorithm. This rule's Effect is "Deny", meaning that, according to this rule, access must be denied.
[09]-[13] Free-form description of the rule.
[14]-[63] Rule target. The rule target defines the set of decision requests to which the rule applies. This rule is matched by a decision request in which:
- the subject attribute "urn:oasis:names:tc:xacml:1.0:example:attribute:role" is equal to "administrator",
- the resource attribute "urn:oasis:names:tc:xacml:1.0:resource:target-namespace" is equal to "http://www.medico.com/schemas/record.xsd",
- the location path of the requested XML element matches the XPath expression "//md:record/md:medical", and
- the action attribute "urn:oasis:names:tc:xacml:1.0:action:action-id" is equal to "read" or to "write" (the two Action elements on lines [46]-[61] are alternatives).
See Rule 1, Section 4.2.4.1, for a detailed explanation of the Target element.
This rule does not have a Condition element: whenever its target matches, the rule evaluates to "True" and emits "Deny".
4.2.5 Example PolicySet
This section uses the examples of the previous sections to illustrate the process of combining policies. The policy governing access to the medical elements of a record is formed from the four rules described in Section 4.2.3. In plain language, the combined rule is:
- either the requestor is the patient, or
- the requestor is the parent or guardian and the patient is under 16, or
- the requestor is the primary care physician and a notification is sent to the patient; and
- the requestor is not an administrator.
The following XACML <PolicySet> illustrates the combined policies. Policy 3 is included by reference (the PolicyIdReference value must be identical to the PolicyId declared in Section 4.2.4.3) and policy 2 is included explicitly.
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <PolicySet
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   PolicySetId=
[06]     "urn:oasis:names:tc:xacml:1.0:examples:policysetid:1"
[07]   PolicyCombiningAlgId=
       "urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
[08]   <Description>
[09]     Example policy set
[10]   </Description>
[11]   <Target>
[12]     <Subjects>
[14]       <!-- any subject -->
[15]       <AnySubject/>
[17]     </Subjects>
[18]     <Resources>
[19]       <Resource>
[20]         <!-- any resource in the target namespace -->
[21]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[22]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[23]             http://www.medico.com/schemas/record.xsd
[24]           </AttributeValue>
[25]           <ResourceAttributeDesignator AttributeId=
[26]             "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[27]         </ResourceMatch>
[28]       </Resource>
[29]     </Resources>
[30]     <Actions>
[32]       <!-- any action -->
[33]       <AnyAction/>
[35]     </Actions>
[36]   </Target>
[37]   <!-- include the policy from example 3 by reference -->
[38]   <PolicyIdReference>
[39]     urn:oasis:names:tc:xacml:examples:policyid:3
[40]   </PolicyIdReference>
[41]   <!-- policy 2, which combines the rules from examples 1, 2
[42]        and 4, is included by value -->
[43]   <Policy
[44]     PolicyId="urn:oasis:names:tc:xacml:examples:policyid:2"
[45]     RuleCombiningAlgId=
[46]       "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
[47]     <Description>
[48]       Policy for any medical record in the
[49]       http://www.medico.com/schemas/record.xsd namespace
[50]     </Description>
[51]     <Target> … </Target>
[52]     <Rule
[53]       RuleId="urn:oasis:names:tc:xacml:examples:ruleid:1"
[54]       Effect="Permit"> … </Rule>
[55]     <Rule RuleId="urn:oasis:names:tc:xacml:examples:ruleid:2"
[56]       Effect="Permit"> … </Rule>
[57]     <Rule RuleId="urn:oasis:names:tc:xacml:examples:ruleid:4"
[58]       Effect="Deny"> … </Rule>
[59]     <Obligations> … </Obligations>
[60]   </Policy>
[61] </PolicySet>
[02]-[07] PolicySet declaration Standard XML namespace declarations are included as well as PolicySetId and policy combining algorithm identifier
[05]-[06] PolicySetId is used for identifying this policy set and for possible inclusion of this policy set into another policy set
[07] Policy combining algorithm identifier Policies in the policy set are combined according to the specified policy combining algorithm identifier when the authorization decision is computed
[08]-[10] Free form description of the policy set
[11]-[36] PolicySet Target element defines a set of decision requests that are applicable to this PolicySet
[38]-[40] PolicyIdReference includes policy by id
[43]-[60] Policy 2 is explicitly included in this policy set
5 Policy syntax (normative, with the exception of the schema fragments)
5.1 Element <PolicySet>
The <PolicySet> element is a top-level element in the XACML policy schema. <PolicySet> is an aggregation of other policy sets and policies. Policy sets MAY be included in an enclosing <PolicySet> element either directly, using the <PolicySet> element, or indirectly, using the <PolicySetIdReference> element. Policies MAY be included in an enclosing <PolicySet> element either directly, using the <Policy> element, or indirectly, using the <PolicyIdReference> element.
If a <PolicySet> element contains references to other policy sets or policies in the form of URLs, then these references MAY be resolvable.
Policies included in the <PolicySet> element MUST be combined using the algorithm specified by the PolicyCombiningAlgId attribute. A <PolicySet> is treated exactly like a <Policy> in all the policy-combining algorithms.
The <Target> element defines the applicability of the <PolicySet> to a set of decision requests. If the <Target> element within the <PolicySet> matches the request context, then the <PolicySet> element MAY be used by the PDP in making its authorization decision.
The <Obligations> element contains a set of obligations that MUST be fulfilled by the PEP in conjunction with the authorization decision. If the PEP does not understand any of the obligations, then it MUST act as if the PDP had returned a "Deny" authorization decision value.
  <xs:element name="PolicySet" type="xacml:PolicySetType"/>
  <xs:complexType name="PolicySetType">
    <xs:sequence>
      <xs:element ref="xacml:Description" minOccurs="0"/>
      <xs:element ref="xacml:PolicySetDefaults" minOccurs="0"/>
      <xs:element ref="xacml:Target"/>
      <xs:choice minOccurs="0" maxOccurs="unbounded">
        <xs:element ref="xacml:PolicySet"/>
        <xs:element ref="xacml:Policy"/>
        <xs:element ref="xacml:PolicySetIdReference"/>
        <xs:element ref="xacml:PolicyIdReference"/>
      </xs:choice>
      <xs:element ref="xacml:Obligations" minOccurs="0"/>
    </xs:sequence>
    <xs:attribute name="PolicySetId" type="xs:anyURI" use="required"/>
    <xs:attribute name="PolicyCombiningAlgId" type="xs:anyURI" use="required"/>
  </xs:complexType>
The <PolicySet> element is of PolicySetType complex type.
The <PolicySet> element contains the following attributes and elements:
PolicySetId [Required]
Policy set identifier. It is the responsibility of the PAP to ensure that no two policies visible to the PDP have the same identifier. This MAY be achieved by following a predefined URN or URI scheme. If the policy set identifier is in the form of a URL, then it MAY be resolvable.
PolicyCombiningAlgId [Required]
The identifier of the policy-combining algorithm by which the <PolicySet> components MUST be combined. Standard policy-combining algorithms are listed in Appendix C. Standard policy-combining algorithm identifiers are listed in Section B.10.
<Description> [Optional]
A free-form description of the <PolicySet>.
<PolicySetDefaults> [Optional]
A set of default values applicable to the <PolicySet>. The scope of the <PolicySetDefaults> element SHALL be the enclosing policy set.
<Target> [Required]
The <Target> element defines the applicability of a <PolicySet> to a set of decision requests.
The <Target> element MAY be declared by the creator of the <PolicySet>, or it MAY be computed from the <Target> elements of the referenced <Policy> elements, either as an intersection or as a union.
<PolicySet> [Any Number]
A policy set component that is included in this policy set.
<Policy> [Any Number]
A policy component that is included in this policy set.
<PolicySetIdReference> [Any Number]
A reference to a <PolicySet> component that MUST be included in this policy set. If <PolicySetIdReference> is a URL, then it MAY be resolvable.
<PolicyIdReference> [Any Number]
A reference to a <Policy> component that MUST be included in this policy set. If the <PolicyIdReference> is a URL, then it MAY be resolvable.
<Obligations> [Optional]
Contains the set of <Obligation> elements. See Section 7.11 for a description of how the set of obligations to be returned by the PDP SHALL be determined.
5.2 Element <Description>
The <Description> element is used for a free-form description of the <PolicySet> element, <Policy> element and <Rule> element. The <Description> element is of xs:string simple type.
  <xs:element name="Description" type="xs:string"/>
5.3 Element <PolicySetDefaults>
The <PolicySetDefaults> element SHALL specify default values that apply to the <PolicySet> element.
  <xs:element name="PolicySetDefaults" type="xacml:DefaultsType"/>
  <xs:complexType name="DefaultsType">
    <xs:sequence>
      <xs:choice>
        <xs:element ref="xacml:XPathVersion" minOccurs="0"/>
      </xs:choice>
    </xs:sequence>
  </xs:complexType>
The <PolicySetDefaults> element is of DefaultsType complex type.
The <PolicySetDefaults> element contains the following elements:
<XPathVersion> [Optional]
Default XPath version.
5.4 Element <XPathVersion>
The <XPathVersion> element SHALL specify the version of the XPath specification to be used by <AttributeSelector> elements.
  <xs:element name="XPathVersion" type="xs:anyURI"/>
The URI for the XPath 1.0 specification is "http://www.w3.org/TR/1999/Rec-xpath-19991116". The <XPathVersion> element is REQUIRED if the enclosing XACML policy set or policy contains <AttributeSelector> elements or XPath-based functions.
5.5 Element <Target>
The <Target> element identifies the set of decision requests that the parent element is intended to evaluate. The <Target> element SHALL appear as a child of the <PolicySet>, <Policy> and <Rule> elements. It contains definitions for subjects, resources and actions.
The <Target> element SHALL contain a conjunctive sequence of <Subjects>, <Resources> and <Actions> elements. For the parent of the <Target> element to be applicable to the decision request, there MUST be at least one positive match between each section of the <Target> element and the corresponding section of the <xacml-context:Request> element.
  <xs:element name="Target" type="xacml:TargetType"/>
  <xs:complexType name="TargetType">
    <xs:sequence>
      <xs:element ref="xacml:Subjects"/>
      <xs:element ref="xacml:Resources"/>
      <xs:element ref="xacml:Actions"/>
    </xs:sequence>
  </xs:complexType>
The <Target> element is of TargetType complex type.
The <Target> element contains the following elements:
<Subjects> [Required]
Matching specification for the subject attributes in the context.
<Resources> [Required]
Matching specification for the resource attributes in the context.
<Actions> [Required]
Matching specification for the action attributes in the context.
5.6 Element <Subjects>
The <Subjects> element SHALL contain a disjunctive sequence of <Subject> elements.
  <xs:element name="Subjects" type="xacml:SubjectsType"/>
  <xs:complexType name="SubjectsType">
    <xs:choice>
      <xs:element ref="xacml:Subject" maxOccurs="unbounded"/>
      <xs:element ref="xacml:AnySubject"/>
    </xs:choice>
  </xs:complexType>
The <Subjects> element is of SubjectsType complex type.
The <Subjects> element contains the following elements:
<Subject> [One to Many, Required Choice]
See Section 5.7.
<AnySubject> [Required Choice]
See Section 5.8.
5.7 Element <Subject>
The <Subject> element SHALL contain a conjunctive sequence of <SubjectMatch> elements.
  <xs:element name="Subject" type="xacml:SubjectType"/>
  <xs:complexType name="SubjectType">
    <xs:sequence>
      <xs:element ref="xacml:SubjectMatch" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
The <Subject> element is of SubjectType complex type.
The <Subject> element contains the following elements:
<SubjectMatch> [One to Many]
A conjunctive sequence of individual matches of the subject attributes in the context and the embedded attribute values.
5.8 Element <AnySubject>
The <AnySubject> element SHALL match any subject attribute in the context.
  <xs:element name="AnySubject"/>
5.9 Element <SubjectMatch>
The <SubjectMatch> element SHALL identify a set of subject-related entities by matching attribute values in a <xacml-context:Subject> element of the context with the embedded attribute value.
  <xs:element name="SubjectMatch" type="xacml:SubjectMatchType"/>
  <xs:complexType name="SubjectMatchType">
    <xs:sequence>
      <xs:element ref="xacml:AttributeValue"/>
      <xs:choice>
        <xs:element ref="xacml:SubjectAttributeDesignator"/>
        <xs:element ref="xacml:AttributeSelector"/>
      </xs:choice>
    </xs:sequence>
    <xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
  </xs:complexType>
The <SubjectMatch> element is of SubjectMatchType complex type.
The <SubjectMatch> element contains the following attributes and elements:
MatchId [Required]
Specifies a matching function. The value of this attribute MUST be of type xs:anyURI, with legal values documented in Section A.12.
<AttributeValue> [Required]
Embedded attribute value.
<SubjectAttributeDesignator> [Required Choice]
Identifies one or more attribute values in a <Subject> element of the context.
<AttributeSelector> [Required Choice]
MAY be used to identify one or more attribute values in the request context. The XPath expression SHOULD resolve to an attribute in a <Subject> element of the context.
5.10 Element <Resources>
The <Resources> element SHALL contain a disjunctive sequence of <Resource> elements.
  <xs:element name="Resources" type="xacml:ResourcesType"/>
  <xs:complexType name="ResourcesType">
    <xs:choice>
      <xs:element ref="xacml:Resource" maxOccurs="unbounded"/>
      <xs:element ref="xacml:AnyResource"/>
    </xs:choice>
  </xs:complexType>
The <Resources> element is of ResourcesType complex type.
The <Resources> element contains the following elements:
<Resource> [One to Many, Required Choice]
See Section 5.11.
<AnyResource> [Required Choice]
See Section 5.12.
5.11 Element <Resource>
The <Resource> element SHALL contain a conjunctive sequence of <ResourceMatch> elements.
  <xs:element name="Resource" type="xacml:ResourceType"/>
  <xs:complexType name="ResourceType">
    <xs:sequence>
      <xs:element ref="xacml:ResourceMatch" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
The <Resource> element is of ResourceType complex type.
The <Resource> element contains the following elements:
<ResourceMatch> [One to Many]
A conjunctive sequence of individual matches of the resource attributes in the context and the embedded attribute values.
5.12 Element <AnyResource>
The <AnyResource> element SHALL match any resource attribute in the context.
  <xs:element name="AnyResource"/>
5.13 Element <ResourceMatch>
The <ResourceMatch> element SHALL identify a set of resource-related entities by matching attribute values in the <xacml-context:Resource> element of the context with the embedded attribute value.
  <xs:element name="ResourceMatch" type="xacml:ResourceMatchType"/>
  <xs:complexType name="ResourceMatchType">
    <xs:sequence>
      <xs:element ref="xacml:AttributeValue"/>
      <xs:choice>
        <xs:element ref="xacml:ResourceAttributeDesignator"/>
        <xs:element ref="xacml:AttributeSelector"/>
      </xs:choice>
    </xs:sequence>
    <xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
  </xs:complexType>
The <ResourceMatch> element is of ResourceMatchType complex type.
The <ResourceMatch> element contains the following attributes and elements:
MatchId [Required]
Specifies a matching function. The value of this attribute MUST be of type xs:anyURI, with legal values documented in Section A.12.
<AttributeValue> [Required]
Embedded attribute value.
<ResourceAttributeDesignator> [Required Choice]
Identifies one or more attribute values in the <Resource> element of the context.
<AttributeSelector> [Required Choice]
MAY be used to identify one or more attribute values in the request context. The XPath expression SHOULD resolve to an attribute in the <Resource> element of the context.
5.14 Element <Actions>
The <Actions> element SHALL contain a disjunctive sequence of <Action> elements.
  <xs:element name="Actions" type="xacml:ActionsType"/>
  <xs:complexType name="ActionsType">
    <xs:choice>
      <xs:element ref="xacml:Action" maxOccurs="unbounded"/>
      <xs:element ref="xacml:AnyAction"/>
    </xs:choice>
  </xs:complexType>
The <Actions> element is of ActionsType complex type.
The <Actions> element contains the following elements:
<Action> [One to Many, Required Choice]
See Section 5.15.
<AnyAction> [Required Choice]
See Section 5.16.
5.15 Element <Action>
The <Action> element SHALL contain a conjunctive sequence of <ActionMatch> elements.
  <xs:element name="Action" type="xacml:ActionType"/>
  <xs:complexType name="ActionType">
    <xs:sequence>
      <xs:element ref="xacml:ActionMatch" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
The <Action> element is of ActionType complex type.
The <Action> element contains the following elements:
<ActionMatch> [One to Many]
A conjunctive sequence of individual matches of the action attributes in the context and the embedded attribute values.
5.16 Element <AnyAction>
The <AnyAction> element SHALL match any action attribute in the context.
  <xs:element name="AnyAction"/>
5.17 Element <ActionMatch>
The <ActionMatch> element SHALL identify a set of action-related entities by matching attribute values in the <xacml-context:Action> element of the context with the embedded attribute value.
  <xs:element name="ActionMatch" type="xacml:ActionMatchType"/>
  <xs:complexType name="ActionMatchType">
    <xs:sequence>
      <xs:element ref="xacml:AttributeValue"/>
      <xs:choice>
        <xs:element ref="xacml:ActionAttributeDesignator"/>
        <xs:element ref="xacml:AttributeSelector"/>
      </xs:choice>
    </xs:sequence>
    <xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
  </xs:complexType>
The <ActionMatch> element is of ActionMatchType complex type.
The <ActionMatch> element contains the following attributes and elements:
MatchId [Required]
Specifies a matching function. The value of this attribute MUST be of type xs:anyURI, with legal values documented in Section A.12.
<AttributeValue> [Required]
Embedded attribute value.
<ActionAttributeDesignator> [Required Choice]
Identifies one or more attribute values in the <Action> element of the context.
<AttributeSelector> [Required Choice]
MAY be used to identify one or more attribute values in the request context. The XPath expression SHOULD resolve to an attribute in the <Action> element of the context.
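The target-matching rules of Sections 5.5 to 5.17, worked through in code: conjunction across <Subjects>, <Resources> and <Actions>; disjunction across the <Subject>, <Resource> and <Action> alternatives; conjunction across the <SubjectMatch>, <ResourceMatch> and <ActionMatch> elements inside one alternative; and <AnySubject>, <AnyResource> and <AnyAction> matching everything. This is an added example, not code from the specification. It parses a constructed <Target> with the standard library and evaluates it against a request given as a plain mapping of category to AttributeId to set of values, an assumed shape that ignores DataType, Issuer and SubjectCategory; only three standard match functions are implemented, <AttributeSelector> and MustBePresent are not, and the role AttributeId is assumed. An empty bag never matches, so a request that omits an attribute a match needs is simply not applicable.

```python
# Evaluating an XACML 1.x <Target> (Sections 5.5 to 5.17). Added example, not
# code from the OASIS specification. The request is a plain mapping
# category -> AttributeId -> set of values (assumed shape; DataType, Issuer and
# SubjectCategory are ignored); <AttributeSelector> is not supported.
import re
import xml.etree.ElementTree as ET

POLICY_NS = "urn:oasis:names:tc:xacml:1.0:policy"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# The embedded <AttributeValue> is the first argument, each bag member the second.
# regexp-string-match is given search semantics here (an assumption).
MATCH_FUNCTIONS = {
    FN + "string-equal": lambda literal, value: literal == value,
    FN + "anyURI-equal": lambda literal, value: literal == value,
    FN + "regexp-string-match": lambda literal, value: re.search(literal, value) is not None,
}


def q(tag):
    return "{%s}%s" % (POLICY_NS, tag)


def match_element(match, category, request):
    """<SubjectMatch>/<ResourceMatch>/<ActionMatch>: true if the match function
    holds for the embedded value and ANY value of the designated bag."""
    designator = match.find(q(category + "AttributeDesignator"))
    if designator is None:
        raise NotImplementedError("<AttributeSelector> is outside this example")
    literal = match.find(q("AttributeValue")).text.strip()
    bag = request.get(category, {}).get(designator.get("AttributeId"), set())
    return any(MATCH_FUNCTIONS[match.get("MatchId")](literal, v) for v in bag)


def section_matches(section, category, request):
    """<Subjects>/<Resources>/<Actions>: <AnyX> matches everything; otherwise a
    disjunction over <X> elements, each a conjunction over its <XMatch> children."""
    if section.find(q("Any" + category)) is not None:
        return True
    return any(all(match_element(m, category, request)
                   for m in alternative.findall(q(category + "Match")))
               for alternative in section.findall(q(category)))


def target_matches(target_xml, request):
    """Applicability of the parent element: all three sections must match (Section 5.5)."""
    target = ET.fromstring(target_xml)
    return all(section_matches(target.find(q(plural)), singular, request)
               for plural, singular in (("Subjects", "Subject"),
                                        ("Resources", "Resource"),
                                        ("Actions", "Action")))


# Constructed target: a physician with a medico.com address may read or write
# records in the example namespace. The role AttributeId is assumed.
ROLE = "urn:oasis:names:tc:xacml:1.0:example:attribute:role"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
TARGET_NS = "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

EXAMPLE_TARGET = f"""
<Target xmlns="{POLICY_NS}">
  <Subjects>
    <Subject>  <!-- both matches must hold -->
      <SubjectMatch MatchId="{FN}string-equal">
        <AttributeValue DataType="{XS_STRING}">physician</AttributeValue>
        <SubjectAttributeDesignator AttributeId="{ROLE}" DataType="{XS_STRING}"/>
      </SubjectMatch>
      <SubjectMatch MatchId="{FN}regexp-string-match">
        <AttributeValue DataType="{XS_STRING}">@medico\\.com$</AttributeValue>
        <SubjectAttributeDesignator AttributeId="{SUBJECT_ID}" DataType="{XS_STRING}"/>
      </SubjectMatch>
    </Subject>
  </Subjects>
  <Resources>
    <Resource>
      <ResourceMatch MatchId="{FN}string-equal">
        <AttributeValue DataType="{XS_STRING}">http://www.medico.com/schemas/record.xsd</AttributeValue>
        <ResourceAttributeDesignator AttributeId="{TARGET_NS}" DataType="{XS_STRING}"/>
      </ResourceMatch>
    </Resource>
  </Resources>
  <Actions>  <!-- either action suffices -->
    <Action>
      <ActionMatch MatchId="{FN}string-equal">
        <AttributeValue DataType="{XS_STRING}">read</AttributeValue>
        <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS_STRING}"/>
      </ActionMatch>
    </Action>
    <Action>
      <ActionMatch MatchId="{FN}string-equal">
        <AttributeValue DataType="{XS_STRING}">write</AttributeValue>
        <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS_STRING}"/>
      </ActionMatch>
    </Action>
  </Actions>
</Target>
"""


def example_request(role, email, action):
    """Constructed request context in the mapping shape described above."""
    return {"Subject": {ROLE: {role}, SUBJECT_ID: {email}},
            "Resource": {TARGET_NS: {"http://www.medico.com/schemas/record.xsd"}},
            "Action": {ACTION_ID: {action}}}
```

Changing the action to "write" still matches (disjunction across <Action> alternatives), while dropping either the role or the medico.com address fails the subject section (conjunction inside one <Subject>), and a request with no attributes at all matches nothing.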
5.18 Element <PolicySetIdReference>
The <PolicySetIdReference> element SHALL be used to reference a <PolicySet> element by id. If <PolicySetIdReference> is a URL, then it MAY be resolvable to the <PolicySet>. The mechanism for resolving a policy set reference to the corresponding policy set is outside the scope of this specification.
  <xs:element name="PolicySetIdReference" type="xs:anyURI"/>
Element <PolicySetIdReference> is of xs:anyURI simple type.
5.19 Element <PolicyIdReference>
The <PolicyIdReference> element SHALL be used to reference a <Policy> element by id. If <PolicyIdReference> is a URL, then it MAY be resolvable to the <Policy>. The mechanism for resolving a policy reference to the corresponding policy is outside the scope of this specification.
  <xs:element name="PolicyIdReference" type="xs:anyURI"/>
Element <PolicyIdReference> is of xs:anyURI simple type.
5.20 Element <Policy>
The <Policy> element is the smallest entity that SHALL be presented to the PDP for evaluation.
The main components of this element are the <Target>, <Rule> and <Obligations> elements and the RuleCombiningAlgId attribute.
The <Target> element SHALL define the applicability of the <Policy> to a set of decision requests.
Rules included in the <Policy> element MUST be combined by the algorithm specified by the RuleCombiningAlgId attribute.
The <Obligations> element SHALL contain a set of obligations that MUST be fulfilled by the PEP in conjunction with the authorization decision.
  <xs:element name="Policy" type="xacml:PolicyType"/>
  <xs:complexType name="PolicyType">
    <xs:sequence>
      <xs:element ref="xacml:Description" minOccurs="0"/>
      <xs:element ref="xacml:PolicyDefaults" minOccurs="0"/>
      <xs:element ref="xacml:Target"/>
      <xs:element ref="xacml:Rule" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="xacml:Obligations" minOccurs="0"/>
    </xs:sequence>
    <xs:attribute name="PolicyId" type="xs:anyURI" use="required"/>
    <xs:attribute name="RuleCombiningAlgId" type="xs:anyURI" use="required"/>
  </xs:complexType>
The <Policy> element is of PolicyType complex type.
The <Policy> element contains the following attributes and elements:
PolicyId [Required]
Policy identifier. It is the responsibility of the PAP to ensure that no two policies visible to the PDP have the same identifier. This MAY be achieved by following a predefined URN or URI scheme. If the policy identifier is in the form of a URL, then it MAY be resolvable.
RuleCombiningAlgId [Required]
The identifier of the rule-combining algorithm by which the <Policy> components MUST be combined. Standard rule-combining algorithms are listed in Appendix C. Standard rule-combining algorithm identifiers are listed in Section B.10.
<Description> [Optional]
A free-form description of the policy. See Section 5.2, Element <Description>.
<PolicyDefaults> [Optional]
Defines a set of default values applicable to the policy. The scope of the <PolicyDefaults> element SHALL be the enclosing policy.
<Target> [Required]
The <Target> element SHALL define the applicability of a <Policy> to a set of decision requests.
The <Target> element MAY be declared by the creator of the <Policy> element, or it MAY be computed from the <Target> elements of the referenced <Rule> elements, either as an intersection or as a union.
<Rule> [Any Number]
A sequence of authorizations that MUST be combined according to the RuleCombiningAlgId attribute. Rules whose <Target> elements match the decision request MUST be considered. Rules whose <Target> elements do not match the decision request SHALL be ignored.
<Obligations> [Optional]
A conjunctive sequence of obligations that MUST be fulfilled by the PEP in conjunction with the authorization decision. See Section 7.11 for a description of how the set of obligations to be returned by the PDP SHALL be determined.
5.21 Element <PolicyDefaults>
The <PolicyDefaults> element SHALL specify default values that apply to the <Policy> element.
  <xs:element name="PolicyDefaults" type="xacml:DefaultsType"/>
  <xs:complexType name="DefaultsType">
    <xs:sequence>
      <xs:choice>
        <xs:element ref="xacml:XPathVersion" minOccurs="0"/>
      </xs:choice>
    </xs:sequence>
  </xs:complexType>
The <PolicyDefaults> element is of DefaultsType complex type.
The <PolicyDefaults> element contains the following elements:
<XPathVersion> [Optional]
Default XPath version.
5.22 Element <Rule>
The <Rule> element SHALL define the individual rules in the policy. The main components of this element are the <Target> and <Condition> elements and the Effect attribute.
  <xs:element name="Rule" type="xacml:RuleType"/>
  <xs:complexType name="RuleType">
    <xs:sequence>
      <xs:element ref="xacml:Description" minOccurs="0"/>
      <xs:element ref="xacml:Target" minOccurs="0"/>
      <xs:element ref="xacml:Condition" minOccurs="0"/>
    </xs:sequence>
    <xs:attribute name="RuleId" type="xs:anyURI" use="required"/>
    <xs:attribute name="Effect" type="xacml:EffectType" use="required"/>
  </xs:complexType>
The <Rule> element is of RuleType complex type.
The <Rule> element contains the following attributes and elements:
RuleId [Required]
A URN identifying this rule.
Effect [Required]
Rule effect. The values of this attribute are either "Permit" or "Deny".
<Description> [Optional]
A free-form description of the rule.
<Target> [Optional]
Identifies the set of decision requests that the <Rule> element is intended to evaluate. If this element is omitted, then the target for the <Rule> SHALL be defined by the <Target> element of the enclosing <Policy> element. See Section 5.5 for details.
<Condition> [Optional]
A predicate that MUST be satisfied for the rule to be assigned its Effect value. A condition is a boolean function over a combination of subject, resource, action and environment attributes or other functions.
5.23 Simple type EffectType
The EffectType simple type defines the values allowed for the Effect attribute of the <Rule> element and for the FulfillOn attribute of the <Obligation> element.
  <xs:simpleType name="EffectType">
    <xs:restriction base="xs:string">
      <xs:enumeration value="Permit"/>
      <xs:enumeration value="Deny"/>
    </xs:restriction>
  </xs:simpleType>
5.24 Element <Condition>
The <Condition> element is a boolean function over subject, resource, action and environment attributes or functions of attributes. If the <Condition> element evaluates to "True", then the enclosing <Rule> element is assigned its Effect value.
  <xs:element name="Condition" type="xacml:ApplyType"/>
The <Condition> element is of ApplyType complex type.
5.25 Element <Apply>
The <Apply> element denotes application of a function to its arguments, thus encoding a function call. The <Apply> element can be applied to any combination of <Function>, <Apply>, <AttributeValue>, <SubjectAttributeDesignator>, <ResourceAttributeDesignator>, <ActionAttributeDesignator>, <EnvironmentAttributeDesignator> and <AttributeSelector> arguments.
  <xs:element name="Apply" type="xacml:ApplyType"/>
  <xs:complexType name="ApplyType">
    <xs:choice minOccurs="0" maxOccurs="unbounded">
      <xs:element ref="xacml:Function"/>
      <xs:element ref="xacml:Apply"/>
      <xs:element ref="xacml:AttributeValue"/>
      <xs:element ref="xacml:SubjectAttributeDesignator"/>
      <xs:element ref="xacml:ResourceAttributeDesignator"/>
      <xs:element ref="xacml:ActionAttributeDesignator"/>
      <xs:element ref="xacml:EnvironmentAttributeDesignator"/>
      <xs:element ref="xacml:AttributeSelector"/>
    </xs:choice>
    <xs:attribute name="FunctionId" type="xs:anyURI" use="required"/>
  </xs:complexType>
The <Apply> element is of ApplyType complex type.
The <Apply> element contains the following attributes and elements:
FunctionId [Required]
The URN of a function. XACML-defined functions are described in Appendix A.
<Function> [Optional]
The name of a function that is applied to the elements of a bag. See Section A.14.11.
<Apply> [Optional]
A nested function-call argument.
<AttributeValue> [Optional]
A literal value argument.
<SubjectAttributeDesignator> [Optional]
A subject attribute argument.
<ResourceAttributeDesignator> [Optional]
A resource attribute argument.
<ActionAttributeDesignator> [Optional]
An action attribute argument.
<EnvironmentAttributeDesignator> [Optional]
An environment attribute argument.
<AttributeSelector> [Optional]
An attribute selector argument.
5.26 Element <Function>
The <Function> element SHALL be used to name a function that is applied by the higher-order bag functions to every element of a bag. The higher-order bag functions are described in Section A.14.11.
  <xs:element name="Function" type="xacml:FunctionType"/>
  <xs:complexType name="FunctionType">
    <xs:attribute name="FunctionId" type="xs:anyURI" use="required"/>
  </xs:complexType>
The <Function> element is of FunctionType complex type.
The <Function> element contains the following attribute:
FunctionId [Required]
The identifier of the function that is applied to the elements of a bag by the higher-order bag functions.
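An evaluator for the <Condition>, <Apply> and <Function> tree described in Sections 5.24 to 5.26, as an added example that is not code from the specification. It resolves designators against a plain mapping of category to AttributeId to list of values (an assumed shape; DataType and Issuer are not checked), implements a few standard functions including string-one-and-only, which yields Indeterminate when its bag does not hold exactly one value, and a higher-order any-of whose first argument is a <Function> element naming the predicate to apply to each bag member. The first condition is Rule 1 of Section 4.2.4.1 rebuilt from its description; the AttributeIds for patient-number and role are assumptions.

```python
"""Evaluate an XACML 1.x <Condition>/<Apply> tree (Sections 5.24 to 5.26).

Added example; not code from the OASIS specification. Designators are
resolved against a plain mapping category -> AttributeId -> list of values
(assumed shape; DataType and Issuer are not checked), and only a few of the
standard functions are implemented.
"""
import xml.etree.ElementTree as ET

POLICY_NS = "urn:oasis:names:tc:xacml:1.0:policy"
FN = "urn:oasis:names:tc:xacml:1.0:function:"


class Indeterminate(Exception):
    """Raised where the specification says an expression evaluates to Indeterminate."""


def one_and_only(bag):
    # *-one-and-only (Appendix A): exactly one value, otherwise Indeterminate.
    if len(bag) != 1:
        raise Indeterminate("expected one value, got %d" % len(bag))
    return bag[0]


FUNCTIONS = {
    FN + "string-equal": lambda a, b: a == b,
    FN + "integer-equal": lambda a, b: int(a) == int(b),
    FN + "integer-less-than": lambda a, b: int(a) < int(b),
    FN + "string-one-and-only": one_and_only,
    FN + "integer-one-and-only": one_and_only,
    FN + "and": lambda *args: all(args),
    FN + "or": lambda *args: any(args),
    FN + "not": lambda a: not a,
    # Higher-order bag function: the first argument is the named <Function>.
    FN + "any-of": lambda f, value, bag: any(f(value, x) for x in bag),
}

DESIGNATORS = {
    "SubjectAttributeDesignator": "Subject",
    "ResourceAttributeDesignator": "Resource",
    "ActionAttributeDesignator": "Action",
    "EnvironmentAttributeDesignator": "Environment",
}


def evaluate(node, request):
    """Recursively evaluate one argument: literal, designator, <Function> or <Apply>."""
    tag = node.tag.split("}", 1)[1]
    if tag == "AttributeValue":
        return node.text.strip()
    if tag in DESIGNATORS:                    # yields a bag, possibly empty
        bag = request.get(DESIGNATORS[tag], {}).get(node.get("AttributeId"), [])
        if not bag and node.get("MustBePresent", "false") == "true":
            raise Indeterminate("missing " + node.get("AttributeId"))
        return list(bag)
    if tag == "Function":                     # named, not applied (Section 5.26)
        return FUNCTIONS[node.get("FunctionId")]
    if tag in ("Apply", "Condition"):         # both are ApplyType
        fn = FUNCTIONS[node.get("FunctionId")]
        return fn(*(evaluate(child, request) for child in node))
    raise ValueError("unsupported element " + tag)


def condition_holds(condition_xml, request):
    """Outcome of a <Condition>: 'True', 'False' or 'Indeterminate'."""
    try:
        return "True" if evaluate(ET.fromstring(condition_xml), request) else "False"
    except Indeterminate:
        return "Indeterminate"


# Rule 1 of Section 4.2.4.1, rebuilt from its description: the requestor's
# patient-number must equal the record's patient-number. AttributeIds assumed.
PATIENT_NUMBER = "urn:oasis:names:tc:xacml:1.0:example:attribute:patient-number"
ROLE = "urn:oasis:names:tc:xacml:1.0:example:attribute:role"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

RULE1_CONDITION = f"""
<Condition xmlns="{POLICY_NS}" FunctionId="{FN}string-equal">
  <Apply FunctionId="{FN}string-one-and-only">
    <SubjectAttributeDesignator AttributeId="{PATIENT_NUMBER}" DataType="{XS_STRING}"/>
  </Apply>
  <Apply FunctionId="{FN}string-one-and-only">
    <ResourceAttributeDesignator AttributeId="{PATIENT_NUMBER}" DataType="{XS_STRING}"/>
  </Apply>
</Condition>
"""

# Higher-order form: true if any value of a multi-valued role attribute is "physician".
ANY_PHYSICIAN = f"""
<Condition xmlns="{POLICY_NS}" FunctionId="{FN}any-of">
  <Function FunctionId="{FN}string-equal"/>
  <AttributeValue DataType="{XS_STRING}">physician</AttributeValue>
  <SubjectAttributeDesignator AttributeId="{ROLE}" DataType="{XS_STRING}"/>
</Condition>
"""

# Constructed request in the mapping shape described above.
EXAMPLE_REQUEST = {
    "Subject": {PATIENT_NUMBER: ["555555"], ROLE: ["nurse", "physician"]},
    "Resource": {PATIENT_NUMBER: ["555555"]},
}
```

The difference between the two conditions is the point: string-equal over a designator needs one-and-only first, so a missing or multi-valued patient-number makes the rule Indeterminate rather than silently false, whereas any-of over an empty role bag is simply False.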
5.27 Complex type AttributeDesignatorType
The AttributeDesignatorType complex type is the type for elements and extensions that identify attributes. An element of this type contains properties by which it MAY be matched to attributes in the request context.
In addition, elements of this type MAY control behaviour in the event that no matching attribute is present in the context.
Elements of this type SHALL NOT alter the match semantics of named attributes, but MAY narrow the search space.
  <xs:complexType name="AttributeDesignatorType">
    <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
    <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
    <xs:attribute name="Issuer" type="xs:string" use="optional"/>
    <xs:attribute name="MustBePresent" type="xs:boolean" use="optional" default="false"/>
  </xs:complexType>
A named attribute SHALL match an attribute if the values of their respective AttributeId, DataType and Issuer attributes match. The attribute designator's AttributeId MUST match, by URI equality, the AttributeId of the attribute. The attribute designator's DataType MUST match, by URI equality, the DataType of the same attribute.
If the Issuer attribute is present in the attribute designator, then it MUST match, by string equality, the Issuer of the same attribute. If the Issuer is not present in the attribute designator, then the matching of the attribute to the named attribute SHALL be governed by the AttributeId and DataType attributes alone.
The AttributeDesignatorType contains the following attributes:
AttributeId [Required]
This attribute SHALL specify the AttributeId with which to match the attribute.
DataType [Required]
This attribute SHALL specify the data-type with which to match the attribute.
Issuer [Optional]
This attribute, if supplied, SHALL specify the Issuer with which to match the attribute.
MustBePresent [Optional]
This attribute governs whether the element returns "Indeterminate" in the case where the named attribute is absent. If the named attribute is absent and MustBePresent is "True", then this element SHALL result in "Indeterminate". The default value SHALL be "False".
5.28 Element <SubjectAttributeDesignator>
The <SubjectAttributeDesignator> element is of the SubjectAttributeDesignatorType. The SubjectAttributeDesignatorType complex type extends the AttributeDesignatorType complex type. It is the base type for elements and extensions that refer to named, categorized subject attributes. A named, categorized subject attribute is defined as follows:
A subject is represented by a <Subject> element in the <xacml-context:Request> element. Each <Subject> element SHALL contain the XML attribute SubjectCategory. This attribute is called the subject category attribute.
A categorized subject is a subject that is identified by a particular subject category attribute.
A subject attribute is an attribute of a particular subject, i.e. contained within a <Subject> element.
A named subject attribute is a named attribute for a subject.
A named, categorized subject attribute is a named subject attribute for a particular categorized subject.
The SubjectAttributeDesignatorType complex type extends the AttributeDesignatorType with a SubjectCategory attribute. The SubjectAttributeDesignatorType extends the match semantics of the AttributeDesignatorType such that it narrows the attribute search space to the specific categorized subject: the value of this element's SubjectCategory attribute must match, by URI equality, the value of the <Request> element's subject category attribute.
If there are multiple subjects with the same SubjectCategory XML attribute, then they SHALL be treated as if they were one categorized subject.
Elements and extensions of the SubjectAttributeDesignatorType complex type determine the presence of select attribute values associated with named, categorized subject attributes. Elements and extensions of the SubjectAttributeDesignatorType SHALL NOT alter the match semantics of named, categorized subject attributes, but MAY narrow the search space.
  <xs:complexType name="SubjectAttributeDesignatorType">
    <xs:complexContent>
      <xs:extension base="xacml:AttributeDesignatorType">
        <xs:attribute name="SubjectCategory" type="xs:anyURI" use="optional"
          default="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"/>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
The SubjectAttributeDesignatorType complex type contains the following attribute in addition to the attributes of the AttributeDesignatorType complex type:
SubjectCategory [Optional]
This attribute SHALL specify the categorized subject from which to match named subject attributes. If SubjectCategory is not present, then its default value of "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" SHALL be used.
5.29 Element <ResourceAttributeDesignator>
The <ResourceAttributeDesignator> element retrieves a bag of values for a named resource attribute. A resource attribute is an attribute contained within the <Resource> element of the <xacml-context:Request> element. A named resource attribute is a named attribute that matches a resource attribute. A named resource attribute SHALL be considered present if there is at least one resource attribute that matches the criteria set out below. A resource attribute value is an attribute value that is contained within a resource attribute.
The <ResourceAttributeDesignator> element SHALL return a bag containing all the resource attribute values that are matched by the named resource attribute. The MustBePresent attribute governs whether this element returns an empty bag or "Indeterminate" in the case that the named resource attribute is absent. If the named resource attribute is not present and the MustBePresent attribute is "False" (its default value), then this element SHALL evaluate to an empty bag. If the named resource attribute is not present and the MustBePresent attribute is "True", then this element SHALL evaluate to "Indeterminate". Regardless of the MustBePresent attribute, if it cannot be determined whether the named resource attribute is present or not in the request context, or the value of the named resource attribute is unavailable, then the expression SHALL evaluate to "Indeterminate".
A named resource attribute SHALL match a resource attribute as per the match semantics specified in the AttributeDesignatorType complex type [Section 5.27].
The <ResourceAttributeDesignator> MAY appear in the <ResourceMatch> element and MAY be passed to the <Apply> element as an argument.
<xs:element name="ResourceAttributeDesignator" type="xacml:AttributeDesignatorType"/>
The <ResourceAttributeDesignator> element is of the AttributeDesignatorType complex type.
5.30 Element <ActionAttributeDesignator>
The <ActionAttributeDesignator> element retrieves a bag of values for a named action attribute. An action attribute is an attribute contained within the <Action> element of the <xacml-context:Request> element. A named action attribute has specific criteria (described below) with which to match an action attribute. A named action attribute SHALL be considered present if there is at least one action attribute that matches the criteria. An action attribute value is an attribute value that is contained within an action attribute.
The <ActionAttributeDesignator> element SHALL return a bag of all the action attribute values that are matched by the named action attribute. The MustBePresent attribute governs whether this element returns an empty bag or "Indeterminate" in the case that the named action attribute is absent. If the named action attribute is not present and the MustBePresent attribute is "False" (its default value), then this element SHALL evaluate to an empty bag. If the named action attribute is not present and the MustBePresent attribute is "True", then this element SHALL evaluate to "Indeterminate". Regardless of the MustBePresent attribute, if it cannot be determined whether the named action attribute is present or not present in the request context, or the value of the named action attribute is unavailable, then the expression SHALL evaluate to "Indeterminate".
A named action attribute SHALL match an action attribute as per the match semantics specified in the AttributeDesignatorType complex type [Section 5.27].
The <ActionAttributeDesignator> MAY appear in the <ActionMatch> element and MAY be passed to the <Apply> element as an argument.
<xs:element name="ActionAttributeDesignator" type="xacml:AttributeDesignatorType"/>
The <ActionAttributeDesignator> element is of the AttributeDesignatorType complex type.
5.31 Element <EnvironmentAttributeDesignator>
The <EnvironmentAttributeDesignator> element retrieves a bag of values for a named environment attribute. An environment attribute is an attribute contained within the <Environment> element of the <xacml-context:Request> element. A named environment attribute has specific criteria (described below) with which to match an environment attribute. A named environment attribute SHALL be considered present if there is at least one environment attribute that matches the criteria. An environment attribute value is an attribute value that is contained within an environment attribute.
The <EnvironmentAttributeDesignator> element SHALL evaluate to a bag of all the environment attribute values that are matched by the named environment attribute. The MustBePresent attribute governs whether this element returns an empty bag or "Indeterminate" in the case that the named environment attribute is absent. If the named environment attribute is not present and the MustBePresent attribute is "False" (its default value), then this element SHALL evaluate to an empty bag. If the named environment attribute is not present and the MustBePresent attribute is "True", then this element SHALL evaluate to "Indeterminate". Regardless of the MustBePresent attribute, if it cannot be determined whether the named environment attribute is present or not present in the request context, or the value of the named environment attribute is unavailable, then the expression SHALL evaluate to "Indeterminate".
A named environment attribute SHALL match an environment attribute as per the match semantics specified in the AttributeDesignatorType complex type [Section 5.27].
The <EnvironmentAttributeDesignator> MAY be passed to the <Apply> element as an argument.
<xs:element name="EnvironmentAttributeDesignator" type="xacml:AttributeDesignatorType"/>
The <EnvironmentAttributeDesignator> element is of the AttributeDesignatorType complex type.
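As an added example that is not part of the specification, the following Python applies the designator rules of sections 5.27 to 5.31 to a constructed request context: the SubjectCategory narrowing and the merging of same-category subjects from 5.28, and the MustBePresent behaviour shared by 5.29 to 5.31. The context namespace URI and the recipient-subject category URI are assumed to be the XACML 1.0 identifiers; the data-type URIs are the XML Schema ones.

```python
"""Attribute designator evaluation over an XACML request context.

Added example, not code from the specification.  It applies the match
semantics of sections 5.27 to 5.31 with the standard library; the context
namespace and the recipient-subject category URI are assumed XACML 1.0
identifiers, and the request below is constructed.
"""
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:1.0:context"          # assumed namespace
CATEGORY = "urn:oasis:names:tc:xacml:1.0:subject-category:"
ACCESS_SUBJECT = CATEGORY + "access-subject"          # default (5.28)
RECIPIENT_SUBJECT = CATEGORY + "recipient-subject"    # assumed identifier
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_ANYURI = "http://www.w3.org/2001/XMLSchema#anyURI"
INDETERMINATE = "Indeterminate"   # sentinel returned instead of a bag

# Constructed request: two access-subject elements (to be merged), a
# recipient subject, a resource and an action, but no environment.
REQUEST_XML = f"""
<Request xmlns="{CTX}">
  <Subject>
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{XS_STRING}" Issuer="hr-directory">
      <AttributeValue>alice</AttributeValue>
    </Attribute>
  </Subject>
  <Subject>
    <Attribute AttributeId="urn:example:group" DataType="{XS_STRING}">
      <AttributeValue>finance</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:example:group" DataType="{XS_STRING}">
      <AttributeValue>auditors</AttributeValue>
    </Attribute>
  </Subject>
  <Subject SubjectCategory="{RECIPIENT_SUBJECT}">
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{XS_STRING}">
      <AttributeValue>bob</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="{XS_ANYURI}">
      <AttributeValue>file:///payroll/2003-q2.xls</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="{XS_STRING}">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
</Request>
"""
REQUEST = ET.fromstring(REQUEST_XML)


def _matched_values(containers, attribute_id, data_type, issuer):
    """AttributeDesignatorType match semantics (5.27): AttributeId and
    DataType must be equal, Issuer too when the designator names one.
    Returns the bag of matched <AttributeValue> strings."""
    bag = []
    for container in containers:
        for attr in container.findall(f"{{{CTX}}}Attribute"):
            if attr.get("AttributeId") != attribute_id:
                continue
            if attr.get("DataType") != data_type:
                continue
            if issuer is not None and attr.get("Issuer") != issuer:
                continue
            bag.extend((v.text or "") for v in attr.findall(f"{{{CTX}}}AttributeValue"))
    return bag


def _finish(bag, must_be_present):
    """5.29 to 5.31: an absent named attribute yields an empty bag, or
    Indeterminate when MustBePresent is true."""
    return INDETERMINATE if (not bag and must_be_present) else bag


def subject_attribute_designator(request, attribute_id, data_type,
                                 subject_category=ACCESS_SUBJECT,
                                 issuer=None, must_be_present=False):
    """5.28: search only <Subject> elements whose category equals the
    designator's SubjectCategory; several such elements count as one."""
    subjects = [s for s in request.findall(f"{{{CTX}}}Subject")
                if s.get("SubjectCategory", ACCESS_SUBJECT) == subject_category]
    return _finish(_matched_values(subjects, attribute_id, data_type, issuer),
                   must_be_present)


def _section_designator(tag):
    """Build the Resource, Action or Environment designator (5.29 to 5.31)."""
    def designator(request, attribute_id, data_type, issuer=None,
                   must_be_present=False):
        containers = request.findall(f"{{{CTX}}}{tag}")
        return _finish(_matched_values(containers, attribute_id, data_type, issuer),
                       must_be_present)
    return designator


resource_attribute_designator = _section_designator("Resource")
action_attribute_designator = _section_designator("Action")
environment_attribute_designator = _section_designator("Environment")
```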
5.32 Element <AttributeSelector>
The <AttributeSelector> element's RequestContextPath XML attribute SHALL contain a legal XPath expression whose context node is the <xacml-context:Request> element. The <AttributeSelector> element SHALL evaluate to a bag of values whose data-type is specified by the element's DataType attribute. If the DataType specified in the <AttributeSelector> is a primitive data type defined in [XF] or [XS], then the value returned by the XPath expression SHALL be converted to the DataType specified in the <AttributeSelector> using the constructor function below [XF Section 4] that corresponds to the DataType. If an error results from using the constructor function, then the value of the <AttributeSelector> SHALL be Indeterminate.
xs:string() xs:boolean() xs:integer() xs:double() xs:dateTime() xs:date() xs:time() xs:hexBinary() xs:base64Binary() xs:anyURI() xf:yearMonthDuration() xf:dayTimeDuration()
If the DataType specified in the <AttributeSelector> is not one of the preceding primitive DataTypes, then the <AttributeSelector> SHALL return a bag of instances of the specified DataType. If there are errors encountered in converting the values returned by the XPath expression to the specified DataType, then the result of the <AttributeSelector> SHALL be Indeterminate.
Each node selected by the specified XPath expression MUST be either a text node, an attribute node, a processing instruction node or a comment node. The string representation of the value of each selected node MUST be converted to an attribute value of the specified data type, and the result of the <AttributeSelector> is the bag of the attribute values generated from all the selected nodes.
If the selected node is different from the node types listed above (a text node, an attribute node, a processing instruction node or a comment node), then the result of that policy SHALL be Indeterminate with a StatusCode value of urn:oasis:names:tc:xacml:1.0:status:syntax-error.
Support for the <AttributeSelector> element is OPTIONAL.
<xs:element name="AttributeSelector" type="xacml:AttributeSelectorType"/>
<xs:complexType name="AttributeSelectorType">
  <xs:attribute name="RequestContextPath" type="xs:string" use="required"/>
  <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
  <xs:attribute name="MustBePresent" type="xs:boolean" use="optional" default="false"/>
</xs:complexType>
The <AttributeSelector> element is of AttributeSelectorType complex type.
The <AttributeSelector> element has the following attributes:
RequestContextPath [Required]
An XPath expression whose context node is the <xacml-context:Request> element. There SHALL be no restriction on the XPath syntax.
DataType [Required]
The bag of values returned by the <AttributeSelector> SHALL be of this data type.
MustBePresent [Optional]
Whether or not the designated attribute must be present in the context. If the XPath expression selects no node and the MustBePresent attribute is TRUE, then the result SHALL be Indeterminate and the status code SHALL be urn:oasis:names:tc:xacml:1.0:status:missing-attribute. If the XPath expression selects no node and the MustBePresent attribute is missing or FALSE, then the result SHALL be an empty bag. If the XPath expression selects at least one node and the selected node(s) could be successfully converted to a bag of values of the specified data-type, then the result SHALL be the bag, regardless of the value of the MustBePresent attribute. If the XPath expression selects at least one node but there is an error in converting one or more of the nodes to values of the specified data-type, then the result SHALL be Indeterminate and the status code SHALL be urn:oasis:names:tc:xacml:1.0:status:processing-error, regardless of the value of the MustBePresent attribute.
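The rules that apply after node selection, as an added example that is not part of the specification. XPath evaluation itself is left to an XPath engine; the function below takes the nodes that engine selected as (node kind, string value) pairs, constructed here, and applies the constructor functions, the node-type rule and the MustBePresent status codes of section 5.32. The xs and xf namespace URIs are assumed to be the XML Schema and XQuery operators ones given below.

```python
"""Post-selection rules of <AttributeSelector> (section 5.32).

Added example, not the specification's code.  An XPath engine supplies
the selected nodes as (kind, string_value) pairs; this code applies the
constructor functions of [XF section 4], the node-type rule and the
MustBePresent status codes to them.  Namespace URIs are assumed.
"""
import base64
import binascii
import re
from datetime import date, datetime, time

XS = "http://www.w3.org/2001/XMLSchema#"                        # [XS] types
XF = "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#"  # assumed [XF]
STATUS = "urn:oasis:names:tc:xacml:1.0:status:"
OK, MISSING, SYNTAX, PROCESSING = (
    STATUS + s for s in ("ok", "missing-attribute", "syntax-error", "processing-error"))
INDETERMINATE = None  # bag value used when the selector is Indeterminate

# Only these node kinds may be selected (5.32); anything else is a syntax error.
ALLOWED_KINDS = {"text", "attribute", "processing-instruction", "comment"}


def _boolean(s):
    s = s.strip()
    if s in ("true", "1"):
        return True
    if s in ("false", "0"):
        return False
    raise ValueError(f"not an xs:boolean: {s!r}")


def _integer(s):
    if not re.fullmatch(r"[+-]?\d+", s.strip()):
        raise ValueError(f"not an xs:integer: {s!r}")
    return int(s)


def _duration(pattern, name):
    # Lexical check only; the duration is kept as its string form.
    def ctor(s):
        if not re.fullmatch(pattern, s.strip()):
            raise ValueError(f"not an {name}: {s!r}")
        return s.strip()
    return ctor


# Constructor function per primitive DataType URI (the list in 5.32).
CONSTRUCTORS = {
    XS + "string": str,
    XS + "boolean": _boolean,
    XS + "integer": _integer,
    XS + "double": float,
    XS + "dateTime": lambda s: datetime.fromisoformat(s.strip()),
    XS + "date": lambda s: date.fromisoformat(s.strip()),
    XS + "time": lambda s: time.fromisoformat(s.strip()),
    XS + "hexBinary": lambda s: binascii.unhexlify(s.strip()),
    XS + "base64Binary": lambda s: base64.b64decode(s.strip(), validate=True),
    XS + "anyURI": lambda s: s.strip(),
    XF + "yearMonthDuration": _duration(r"-?P(?=\d)(\d+Y)?(\d+M)?", "xf:yearMonthDuration"),
    XF + "dayTimeDuration": _duration(
        r"-?P(?!$)(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+(\.\d+)?S)?)?", "xf:dayTimeDuration"),
}


def evaluate_attribute_selector(selected_nodes, data_type, must_be_present=False):
    """Return (bag, status_code); bag is INDETERMINATE (None) on failure.

    selected_nodes: list of (kind, string_value) as returned by the XPath
    engine for the RequestContextPath expression."""
    if not selected_nodes:
        # No node: empty bag, or missing-attribute when MustBePresent is true.
        return (INDETERMINATE, MISSING) if must_be_present else ([], OK)
    if any(kind not in ALLOWED_KINDS for kind, _ in selected_nodes):
        return INDETERMINATE, SYNTAX          # e.g. an element node was selected
    constructor = CONSTRUCTORS.get(data_type)
    if constructor is None:
        # Non-primitive DataType with no registered constructor: treated here as
        # a conversion error (a real PDP would look up the type's own constructor).
        return INDETERMINATE, PROCESSING
    bag = []
    for _, value in selected_nodes:
        try:
            bag.append(constructor(value))
        except (ValueError, TypeError):
            # A conversion error is processing-error regardless of MustBePresent.
            return INDETERMINATE, PROCESSING
    return bag, OK


# Constructed node lists, as an engine would return for paths such as
# //ResourceContent/record/size/text() and //ResourceContent/record/@class.
SIZE_NODES = [("text", "4096"), ("text", "12288")]
CLASS_NODES = [("attribute", "confidential")]
MIXED_NODES = [("text", "4096"), ("text", "four")]
ELEMENT_NODES = [("element", "<record/>")]
```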
5.33 Element <AttributeValue>
The <AttributeValue> element SHALL contain a literal attribute value.
<xs:element name="AttributeValue" type="xacml:AttributeValueType"/>
<xs:complexType name="AttributeValueType" mixed="true">
  <xs:sequence>
    <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
  <xs:anyAttribute namespace="##any" processContents="lax"/>
</xs:complexType>
The <AttributeValue> element is of AttributeValueType complex type.
The <AttributeValue> element has the following attributes:
DataType [Required]
The data-type of the attribute value.
5.34 Element <Obligations>
The <Obligations> element SHALL contain a set of <Obligation> elements.
Support for the <Obligations> element is OPTIONAL.
<xs:element name="Obligations" type="xacml:ObligationsType"/>
<xs:complexType name="ObligationsType">
  <xs:sequence>
    <xs:element ref="xacml:Obligation" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <Obligations> element is of ObligationsType complexType.
The <Obligations> element contains the following element:
<Obligation> [One to Many]
A sequence of obligations.
5.35 Element <Obligation>
The <Obligation> element SHALL contain an identifier for the obligation and a set of attributes that form arguments of the action defined by the obligation. The FulfillOn attribute SHALL indicate the effect for which this obligation applies.
<xs:element name="Obligation" type="xacml:ObligationType"/>
<xs:complexType name="ObligationType">
  <xs:sequence>
    <xs:element ref="xacml:AttributeAssignment" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:attribute name="ObligationId" type="xs:anyURI" use="required"/>
  <xs:attribute name="FulfillOn" type="xacml:EffectType" use="required"/>
</xs:complexType>
The <Obligation> element is of ObligationType complexType. See Section 7.11 for a description of how the set of obligations to be returned by the PDP is determined.
The <Obligation> element contains the following elements and attributes:
ObligationId [Required]
Obligation identifier. The value of the obligation identifier SHALL be interpreted by the PEP.
FulfillOn [Required]
The effect for which this obligation applies.
<AttributeAssignment> [One To Many]
Obligation arguments assignment. The values of the obligation arguments SHALL be interpreted by the PEP.
5.36 Element <AttributeAssignment>
The <AttributeAssignment> element SHALL contain an AttributeId and the corresponding attribute value. The AttributeId is part of attribute meta-data and is used when the attribute cannot be referenced by its location in the <xacml-context:Request>. This situation may arise in an <Obligation> element if the obligation includes parameters. The <AttributeAssignment> element MAY be used in any way consistent with the schema syntax, which is a sequence of "any". The value specified SHALL be understood by the PEP, but it is not further specified by XACML. See Section 7.11 "Obligations".
<xs:element name="AttributeAssignment" type="xacml:AttributeAssignmentType"/>
<xs:complexType name="AttributeAssignmentType" mixed="true">
  <xs:complexContent>
    <xs:extension base="xacml:AttributeValueType">
      <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
The <AttributeAssignment> element is of AttributeAssignmentType complex type.
The <AttributeAssignment> element contains the following attributes:
AttributeId [Required]
The attribute identifier.
6 Context syntax (normative, with the exception of the schema fragments)
6.1 Element <Request>
The <Request> element is a top-level element in the XACML context schema. The <Request> element is an abstraction layer used by the policy language. Any proprietary system using the XACML specification MUST transform its decision request into the form of an XACML context <Request>.
The <Request> element contains <Subject>, <Resource>, <Action> and <Environment> elements. There may be multiple <Subject> elements. Each child element contains a sequence of <xacml-context:Attribute> elements associated with the subject, resource, action and environment, respectively.
<xs:element name="Request" type="xacml-context:RequestType"/>
<xs:complexType name="RequestType">
  <xs:sequence>
    <xs:element ref="xacml-context:Subject" maxOccurs="unbounded"/>
    <xs:element ref="xacml-context:Resource"/>
    <xs:element ref="xacml-context:Action"/>
    <xs:element ref="xacml-context:Environment" minOccurs="0"/>
  </xs:sequence>
</xs:complexType>
The <Request> element is of RequestType complex type.
The <Request> element contains the following elements:
<Subject> [One to Many]
Specifies information about a subject of the request context by listing a sequence of <Attribute> elements associated with the subject. One or more <Subject> elements are allowed. A subject is an entity associated with the access request. One subject might represent the human user that initiated the application from which the request was issued. Another subject might represent the application's executable code that created the request. Another subject might represent the machine on which the application was executing. Another subject might represent the entity that is to be the recipient of the resource. Attributes of each of these entities MUST be enclosed in a separate <Subject> element.
<Resource> [Required]
Specifies information about the resource for which access is being requested by listing a sequence of <Attribute> elements associated with the resource. It MAY include a <ResourceContent> element.
<Action> [Required]
Specifies the requested action to be performed on the resource by listing a set of <Attribute> elements associated with the action.
<Environment> [Optional]
Contains a set of <Attribute> elements of the environment. These <Attribute> elements MAY form a part of policy evaluation.
6.2 Element <Subject>
The <Subject> element specifies a subject by listing a sequence of <Attribute> elements associated with the subject.
<xs:element name="Subject" type="xacml-context:SubjectType"/>
<xs:complexType name="SubjectType">
  <xs:sequence>
    <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:attribute name="SubjectCategory" type="xs:anyURI" use="optional" default="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"/>
</xs:complexType>
The <Subject> element is of SubjectType complex type.
The <Subject> element contains the following elements:
SubjectCategory [Optional]
This attribute indicates the role that the parent <Subject> played in the formation of the access request. If this attribute is not present in a given <Subject> element, then the default value of "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" SHALL be used, indicating that the parent <Subject> element represents the entity ultimately responsible for initiating the access request.
If more than one <Subject> element contains a urn:oasis:names:tc:xacml:1.0:subject-category attribute with the same value, then the PDP SHALL treat the contents of those elements as if they were contained in the same <Subject> element.
<Attribute> [Any Number]
A sequence of attributes that apply to the subject.
Typically, a <Subject> element will contain an <Attribute> with an AttributeId of "urn:oasis:names:tc:xacml:1.0:subject:subject-id", containing the identity of the subject.
A <Subject> element MAY contain additional <Attribute> elements.
6.3 Element <Resource>
The <Resource> element specifies information about the resource to which access is requested by listing a sequence of <Attribute> elements associated with the resource. It MAY include the resource content.
<xs:element name="Resource" type="xacml-context:ResourceType"/>
<xs:complexType name="ResourceType">
  <xs:sequence>
    <xs:element ref="xacml-context:ResourceContent" minOccurs="0"/>
    <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <Resource> element is of ResourceType complex type.
The <Resource> element contains the following elements:
<ResourceContent> [Optional]
The resource content.
<Attribute> [Any Number]
A sequence of resource attributes. The <Resource> element MUST contain one and only one <Attribute> with an AttributeId of "urn:oasis:names:tc:xacml:1.0:resource:resource-id". This attribute specifies the identity of the resource to which access is requested.
A <Resource> element MAY contain additional <Attribute> elements.
6.4 Element <ResourceContent>
The <ResourceContent> element is a notional placeholder for the resource content. If an XACML policy references the contents of the resource, then the <ResourceContent> element SHALL be used as the reference point.
<xs:complexType name="ResourceContentType" mixed="true">
  <xs:sequence>
    <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:anyAttribute namespace="##any" processContents="lax"/>
</xs:complexType>
The <ResourceContent> element is of ResourceContentType complex type.
The <ResourceContent> element allows arbitrary elements and attributes.
6.5 Element <Action>
The <Action> element specifies the requested action on the resource by listing a set of <Attribute> elements associated with the action.
<xs:element name="Action" type="xacml-context:ActionType"/>
<xs:complexType name="ActionType">
  <xs:sequence>
    <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <Action> element is of ActionType complex type.
The <Action> element contains the following elements:
<Attribute> [Any Number]
List of attributes of the action to be performed on the resource.
6.6 Element <Environment>
The <Environment> element contains a set of attributes of the environment. These attributes MAY form part of the policy evaluation.
<xs:element name="Environment" type="xacml-context:EnvironmentType"/>
<xs:complexType name="EnvironmentType">
  <xs:sequence>
    <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <Environment> element is of EnvironmentType complex type.
The <Environment> element contains the following elements:
<Attribute> [Any Number]
A list of environment attributes. Environment attributes are attributes that are not associated with either the resource, the action or any of the subjects of the access request.
6.7 Element <Attribute>
The <Attribute> element is the central abstraction of the request context. It contains an attribute value and attribute meta-data. The attribute meta-data comprises the attribute identifier, the attribute issuer and the attribute issue instant. Attribute designators and attribute selectors in the policy MAY refer to attributes by means of this meta-data.
<xs:element name="Attribute" type="xacml-context:AttributeType"/>
<xs:complexType name="AttributeType">
  <xs:sequence>
    <xs:element ref="xacml-context:AttributeValue"/>
  </xs:sequence>
  <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
  <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
  <xs:attribute name="Issuer" type="xs:string" use="optional"/>
  <xs:attribute name="IssueInstant" type="xs:dateTime" use="optional"/>
</xs:complexType>
The <Attribute> element is of AttributeType complex type.
The <Attribute> element contains the following attributes and elements:
AttributeId [Required]
Attribute identifier. A number of identifiers are reserved by XACML to denote commonly used attributes.
DataType [Required]
The data-type of the contents of the <AttributeValue> element. This SHALL be either a primitive type defined by the XACML 1.0 specification or a type defined in a namespace declared in the <xacml-context> element.
Issuer [Optional]
Attribute issuer. This attribute value MAY be an x500Name that binds to a public key, or it may be some other identifier exchanged out-of-band by issuing and relying parties.
IssueInstant [Optional]
The date and time at which the attribute was issued.
<AttributeValue> [Required]
Exactly one attribute value. The mandatory attribute value MAY have contents that are empty, occur once or occur multiple times.
6.8 Element <AttributeValue>
The <AttributeValue> element contains the value of an attribute.
<xs:element name="AttributeValue" type="xacml-context:AttributeValueType"/>
<xs:complexType name="AttributeValueType" mixed="true">
  <xs:sequence>
    <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:anyAttribute namespace="##any" processContents="lax"/>
</xs:complexType>
The <AttributeValue> element is of AttributeValueType type.
The data-type of the <AttributeValue> MAY be specified by using the DataType attribute of the parent <Attribute> element.
6.9 Element <Response>
The <Response> element is a top-level element in the XACML context schema. The <Response> element is an abstraction layer used by the policy language. Any proprietary system using the XACML specification MUST transform an XACML context <Response> into the form of its authorization decision.
The <Response> element encapsulates the authorization decision produced by the PDP. It includes a sequence of one or more results, with one <Result> element per requested resource. Multiple results MAY be returned when the value of the "urn:oasis:xacml:1.0:resource:scope" resource attribute in the request context is "Descendants" or "Children". Support for multiple results is OPTIONAL.
<xs:element name="Response" type="xacml-context:ResponseType"/>
<xs:complexType name="ResponseType">
  <xs:sequence>
    <xs:element ref="xacml-context:Result" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <Response> element is of ResponseType complex type.
The <Response> element contains the following elements:
<Result> [One to Many]
An authorization decision result.
6.10 Element <Result>
The <Result> element represents an authorization decision result for the resource specified by the ResourceId attribute. It MAY include a set of obligations that MUST be fulfilled by the PEP. If the PEP does not understand an obligation, then it MUST act as if the PDP had denied access to the requested resource.
<xs:element name="Result" type="xacml-context:ResultType"/>
<xs:complexType name="ResultType">
  <xs:sequence>
    <xs:element ref="xacml-context:Decision"/>
    <xs:element ref="xacml-context:Status"/>
    <xs:element ref="xacml:Obligations" minOccurs="0"/>
  </xs:sequence>
  <xs:attribute name="ResourceId" type="xs:string" use="optional"/>
</xs:complexType>
The <Result> element is of ResultType complex type.
The <Result> element contains the following attributes and elements:
ResourceId [Optional]
The identifier of the requested resource. If this attribute is omitted, then the resource identity is specified by the "urn:oasis:names:tc:xacml:1.0:resource:resource-id" resource attribute in the corresponding <Request> element.
<Decision> [Required]
The authorization decision: "Permit", "Deny", "Indeterminate" or "NotApplicable".
<Status> [Required]
Indicates whether errors occurred during evaluation of the decision request and, optionally, information about those errors.
<xacml:Obligations> [Optional]
A list of obligations that MUST be fulfilled by the PEP. If the PEP does not understand an obligation, then it MUST act as if the PDP had denied access to the requested resource. See Section 7.11 for a description of how the set of obligations to be returned by the PDP is determined.
6.11 Element <Decision>
The <Decision> element contains the result of policy evaluation.
<xs:element name="Decision" type="xacml-context:DecisionType"/>
<xs:simpleType name="DecisionType">
  <xs:restriction base="xs:string">
    <xs:enumeration value="Permit"/>
    <xs:enumeration value="Deny"/>
    <xs:enumeration value="Indeterminate"/>
    <xs:enumeration value="NotApplicable"/>
  </xs:restriction>
</xs:simpleType>
The <Decision> element is of DecisionType simple type.
The values of the <Decision> element have the following meanings:
"Permit": the requested access is permitted.
"Deny": the requested access is denied.
"Indeterminate": the PDP is unable to evaluate the requested access. Reasons for such inability include: missing attributes, network errors while retrieving policies, division by zero during policy evaluation, syntax errors in the decision request or in the policy, etc.
"NotApplicable": the PDP does not have any policy that applies to this decision request.
6.12 Element <Status>
The <Status> element represents the status of the authorization decision result.
<xs:element name="Status" type="xacml-context:StatusType"/>
<xs:complexType name="StatusType">
  <xs:sequence>
    <xs:element ref="xacml-context:StatusCode"/>
    <xs:element ref="xacml-context:StatusMessage" minOccurs="0"/>
    <xs:element ref="xacml-context:StatusDetail" minOccurs="0"/>
  </xs:sequence>
</xs:complexType>
The <Status> element is of StatusType complex type.
The <Status> element contains the following elements:
<StatusCode> [Required]
Status code.
<StatusMessage> [Optional]
A status message describing the status code.
<StatusDetail> [Optional]
Additional status information.
613 Element ltStatusCodegtThe ltStatusCodegt element contains a major status code value and an optional sequence of minor status codes
ltxselement name=StatusCode type=xacml-contextStatusCodeTypegtltxscomplexType name=StatusCodeTypegt
ltxssequencegtltxselement ref=xacml-contextStatusCode minOccurs=0gt
ltxssequencegtltxsattribute name=Value type=xsanyURI use=requiredgt
ltxscomplexTypegt
The ltStatusCodegt element is of StatusCodeType complex type
The ltStatusCodegt element contains the following attributes and elements
Value [Required]
See Section B9 for a list of values
ltStatusCodegt [Any Number]
Minor status code This status code qualifies its parent status code
614 Element ltStatusMessagegtThe ltStatusMessagegt element is a free-form description of the status code
ltxselement name=StatusMessage type=xsstringgt
The ltStatusMessagegt element is of xsstring type
6.1.5 Element <StatusDetail>

The <StatusDetail> element qualifies the <Status> element with additional information.

    <xs:element name="StatusDetail" type="xacml-context:StatusDetailType"/>
    <xs:complexType name="StatusDetailType">
        <xs:sequence>
            <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
    </xs:complexType>

The <StatusDetail> element is of StatusDetailType complex type.

The <StatusDetail> element allows arbitrary XML content.

Inclusion of a <StatusDetail> element is optional. However, if a PDP returns one of the following XACML-defined <StatusCode> values and includes a <StatusDetail> element, then the following rules apply.

urn:oasis:names:tc:xacml:1.0:status:ok
    A PDP MUST NOT return a <StatusDetail> element in conjunction with the "ok" status value.

urn:oasis:names:tc:xacml:1.0:status:missing-attribute
    A PDP MAY choose not to return any <StatusDetail> information, or MAY choose to return a <StatusDetail> element containing one or more <xacml-context:Attribute> elements. If the PDP includes <AttributeValue> elements in the <Attribute> element, then this indicates the acceptable values for that attribute. If no <AttributeValue> elements are included, then this indicates the names of attributes that the PDP failed to resolve during its evaluation. The list of attributes may be partial or complete. There is no guarantee by the PDP that supplying the missing values or attributes will be sufficient to satisfy the policy.

urn:oasis:names:tc:xacml:1.0:status:syntax-error
    A PDP MUST NOT return a <StatusDetail> element in conjunction with the "syntax-error" status value. A syntax error may represent either a problem with the policy being used or with the request context. The PDP MAY return a <StatusMessage> describing the problem.

urn:oasis:names:tc:xacml:1.0:status:processing-error
    A PDP MUST NOT return a <StatusDetail> element in conjunction with the "processing-error" status value. This status code indicates an internal problem in the PDP. For security reasons, the PDP MAY choose to return no further information to the PEP. In the case of a divide-by-zero error or other computational error, the PDP MAY return a <StatusMessage> describing the nature of the error.
7 Functional requirements (normative)

This section specifies certain functional requirements that are not directly associated with the production or consumption of a particular XACML element.

7.1 Policy enforcement point

This section describes the requirements for the PEP.

An application functions in the role of the PEP if it guards access to a set of resources and asks the PDP for an authorization decision. The PEP MUST abide by the authorization decision in the following way:

A PEP SHALL allow access to the resource only if a valid XACML response of "Permit" is returned by the PDP. The PEP SHALL deny access to the resource in all other cases. An XACML response of "Permit" SHALL be considered valid only if the PEP understands all of the obligations contained in the response.

7.2 Base policy

A PDP SHALL represent one policy or policy set, called its base policy. This base policy MAY be a <Policy> element containing a <Target> element that matches every possible decision request, or (for instance) it MAY be a <Policy> element containing a <Target> element that matches only a specific subject. In such cases, the base policy SHALL form the root node of a tree of policies, connected by <PolicyIdReference> and <PolicySetIdReference> elements to all the rules that may be applicable to any decision request that the PDP is capable of evaluating.

In the case of a PDP that retrieves policies according to the decision request that it is processing, the base policy SHALL contain a <Policy> element containing a <Target> element that matches every possible decision request and a PolicyCombiningAlgId attribute with the value "Only-one-applicable". In other words, the PDP SHALL return an error if it retrieves policies that do not form a single tree.
7.3 Target evaluation

The target value SHALL be "Match" if the subject, resource and action specified in the target all match values in the request context. The target value SHALL be "No-match" if one or more of the subject, resource and action specified in the target do not match values in the request context. The value of a <SubjectMatch>, <ResourceMatch> or <ActionMatch> element in which a referenced attribute value cannot be obtained depends on the value of the MustBePresent attribute of the <AttributeDesignator> or <AttributeSelector> element. If the MustBePresent attribute is "True", then the result of the <SubjectMatch>, <ResourceMatch> or <ActionMatch> element SHALL be "Indeterminate" in this case. If the MustBePresent attribute is "False" or missing, then the result of the <SubjectMatch>, <ResourceMatch> or <ActionMatch> element SHALL be "No-match".

7.4 Condition evaluation

The condition value SHALL be "True" if the <Condition> element is absent, or if it evaluates to "True" for the attribute values supplied in the request context. Its value is "False" if the <Condition> element evaluates to "False" for the attribute values supplied in the request context. If any attribute value referenced in the condition cannot be obtained, then the condition SHALL evaluate to "Indeterminate".

7.5 Rule evaluation

A rule has a value that can be calculated by evaluating its contents. Rule evaluation involves separate evaluation of the rule's target and condition. The rule truth table is shown in Table 1.

Target            Condition         Rule Value
"Match"           "True"            Effect
"Match"           "False"           "NotApplicable"
"Match"           "Indeterminate"   "Indeterminate"
"No-match"        Don't care        "NotApplicable"
"Indeterminate"   Don't care        "Indeterminate"

Table 1 - Rule truth table

If the target value is "No-match" or "Indeterminate", then the rule value SHALL be "NotApplicable" or "Indeterminate", respectively, regardless of the value of the condition. For these cases, therefore, the condition need not be evaluated in order to determine the rule value.

If the target value is "Match" and the condition value is "True", then the effect specified in the rule SHALL determine the rule value.

7.6 Policy evaluation

The value of a policy SHALL be determined only by its contents, considered in relation to the contents of the request context. A policy's value SHALL be determined by evaluation of the policy's target and rules, according to the specified rule-combining algorithm.
The policy's target SHALL be evaluated to determine the applicability of the policy. If the target evaluates to "Match", then the value of the policy SHALL be determined by evaluation of the policy's rules, according to the specified rule-combining algorithm. If the target evaluates to "No-match", then the value of the policy SHALL be "NotApplicable". If the target evaluates to "Indeterminate", then the value of the policy SHALL be "Indeterminate".

The policy truth table is shown in Table 2.

Target            Rule values                                   Policy Value
"Match"           At least one rule value is its Effect         Specified by the rule-combining algorithm
"Match"           All rule values are "NotApplicable"           "NotApplicable"
"Match"           At least one rule value is "Indeterminate"    Specified by the rule-combining algorithm
"No-match"        Don't care                                    "NotApplicable"
"Indeterminate"   Don't care                                    "Indeterminate"

Table 2 - Policy truth table

A rules value of "At least one rule value is its Effect" SHALL be used if the <Rule> element is absent, or if one or more of the rules contained in the policy is applicable to the decision request (i.e. returns a value of "Effect", see Section 7.5). A rules value of "All rule values are 'NotApplicable'" SHALL be used if no rule contained in the policy is applicable to the request and if no rule contained in the policy returns a value of "Indeterminate". If no rule contained in the policy is applicable to the request, but one or more rules return a value of "Indeterminate", then the rules value SHALL evaluate to "At least one rule value is 'Indeterminate'".

If the target value is "No-match" or "Indeterminate", then the policy value SHALL be "NotApplicable" or "Indeterminate", respectively, regardless of the value of the rules. For these cases, therefore, the rules need not be evaluated in order to determine the policy value.

If the target value is "Match" and the rules value is "At least one rule value is its Effect" or "At least one rule value is 'Indeterminate'", then the rule-combining algorithm specified in the policy SHALL determine the policy value.
7.7 Policy set evaluation

The value of a policy set SHALL be determined by its contents, considered in relation to the contents of the request context. A policy set's value SHALL be determined by evaluation of the policy set's target, policies and policy sets, according to the specified policy-combining algorithm.

The policy set's target SHALL be evaluated to determine the applicability of the policy set. If the target evaluates to "Match", then the value of the policy set SHALL be determined by evaluation of the policy set's policies and policy sets, according to the specified policy-combining algorithm. If the target evaluates to "No-match", then the value of the policy set SHALL be "NotApplicable". If the target evaluates to "Indeterminate", then the value of the policy set SHALL be "Indeterminate".

The policy set truth table is shown in Table 3.

Target            Policy values                                     Policy Set Value
"Match"           At least one policy value is its Decision         Specified by the policy-combining algorithm
"Match"           All policy values are "NotApplicable"             "NotApplicable"
"Match"           At least one policy value is "Indeterminate"      Specified by the policy-combining algorithm
"No-match"        Don't care                                        "NotApplicable"
"Indeterminate"   Don't care                                        "Indeterminate"

Table 3 - Policy set truth table

A policies value of "At least one policy value is its Decision" SHALL be used if there are no contained or referenced policies or policy sets, or if one or more of the policies or policy sets contained in or referenced by the policy set is applicable to the decision request (i.e. returns a value determined by its rule-combining algorithm, see Section 7.6). A policies value of "All policy values are 'NotApplicable'" SHALL be used if no policy or policy set contained in or referenced by the policy set is applicable to the request and if no policy or policy set contained in or referenced by the policy set returns a value of "Indeterminate". If no policy or policy set contained in or referenced by the policy set is applicable to the request, but one or more policies or policy sets return a value of "Indeterminate", then the policies value SHALL evaluate to "At least one policy value is 'Indeterminate'".

If the target value is "No-match" or "Indeterminate", then the policy set value SHALL be "NotApplicable" or "Indeterminate", respectively, regardless of the value of the policies. For these cases, therefore, the policies need not be evaluated in order to determine the policy set value.

If the target value is "Match" and the policies value is "At least one policy value is its Decision" or "At least one policy value is 'Indeterminate'", then the policy-combining algorithm specified in the policy set SHALL determine the policy set value.
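The following is an added worked example of Sections 7.3 to 7.7 (target, condition, rule, policy and policy set evaluation as laid out in Tables 1 to 3). It is illustration code written for this page, not code from the OASIS specification or from any XACML implementation. The request context is modelled as a plain mapping from attribute id to a bag of values, a missing key standing for an attribute the context handler could not resolve; the combining algorithm is a deliberately simplified deny-overrides, an assumption that stands in for the normative algorithms of the appendix; and the precedence of "No-match" over "Indeterminate" inside a target is likewise an assumption, since the text above does not fix it.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

MATCH, NO_MATCH, INDETERMINATE = "Match", "No-match", "Indeterminate"
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Request context: attribute id -> bag of values. A missing key models an
# attribute the context handler could not resolve.
Context = Dict[str, List[str]]


@dataclass
class Match:
    """One <SubjectMatch>/<ResourceMatch>/<ActionMatch> using an equality test."""
    attribute_id: str
    value: str
    must_be_present: bool = False  # MustBePresent on the designator (7.3)

    def evaluate(self, ctx: Context) -> str:
        bag = ctx.get(self.attribute_id)
        if bag is None:  # attribute cannot be obtained
            return INDETERMINATE if self.must_be_present else NO_MATCH
        return MATCH if self.value in bag else NO_MATCH


def evaluate_target(matches: List[Match], ctx: Context) -> str:
    """7.3: Match only if every match element matches; an empty target matches
    everything. Assumption: an explicit No-match outranks Indeterminate."""
    results = [m.evaluate(ctx) for m in matches]
    if NO_MATCH in results:
        return NO_MATCH
    if INDETERMINATE in results:
        return INDETERMINATE
    return MATCH


def simple_deny_overrides(values: List[str]) -> str:
    """Simplified combining algorithm (assumption, not the normative one):
    Deny wins, then Indeterminate, then Permit; otherwise NotApplicable."""
    for v in (DENY, INDETERMINATE, PERMIT):
        if v in values:
            return v
    return NOT_APPLICABLE


@dataclass
class Rule:
    effect: str
    target: List[Match] = field(default_factory=list)
    # Condition returns True/False; a KeyError models a referenced attribute
    # that cannot be obtained, which 7.4 maps to Indeterminate.
    condition: Optional[Callable[[Context], bool]] = None

    def evaluate(self, ctx: Context) -> str:  # Table 1
        t = evaluate_target(self.target, ctx)
        if t == NO_MATCH:
            return NOT_APPLICABLE  # condition need not be evaluated
        if t == INDETERMINATE:
            return INDETERMINATE
        if self.condition is None:
            return self.effect  # absent <Condition> counts as True (7.4)
        try:
            return self.effect if self.condition(ctx) else NOT_APPLICABLE
        except KeyError:
            return INDETERMINATE


@dataclass
class Policy:
    """A <Policy> over rules, or a <PolicySet> over policies and policy sets:
    Tables 2 and 3 have the same shape, so one class serves both."""
    children: list
    target: List[Match] = field(default_factory=list)

    def evaluate(self, ctx: Context) -> str:
        t = evaluate_target(self.target, ctx)
        if t == NO_MATCH:
            return NOT_APPLICABLE  # row 4: children are not evaluated
        if t == INDETERMINATE:
            return INDETERMINATE  # row 5
        values = [c.evaluate(ctx) for c in self.children]
        if values and all(v == NOT_APPLICABLE for v in values):
            return NOT_APPLICABLE  # row 2
        return simple_deny_overrides(values)  # rows 1 and 3, or no <Rule> at all


PolicySet = Policy


def demo() -> Dict[str, str]:
    """Constructed sample policy set: read access to one document."""
    policy = Policy(
        [Rule(PERMIT, target=[Match("role", "engineer")]),
         Rule(DENY, target=[Match("role", "intern")]),
         Rule(PERMIT, condition=lambda c: c["hour"][0] in {"9", "10", "11"})],
        target=[Match("resource-id", "/doc/plan")])
    pset = PolicySet([policy], target=[Match("action", "read", must_be_present=True)])
    base = {"resource-id": ["/doc/plan"], "action": ["read"], "hour": ["10"]}
    return {
        "engineer": pset.evaluate({**base, "role": ["engineer"]}),
        "intern": pset.evaluate({**base, "role": ["intern"]}),
        "other resource": pset.evaluate({**base, "role": ["engineer"], "resource-id": ["/doc/x"]}),
        "no action attribute": pset.evaluate({"resource-id": ["/doc/plan"], "role": ["engineer"]}),
        "missing hour": pset.evaluate({"resource-id": ["/doc/plan"], "action": ["read"], "role": ["guest"]}),
    }
```

The five sample requests in demo() exercise each row of the tables: a matching rule yields its Effect, a Deny rule wins under the combiner, a non-matching policy target gives "NotApplicable" without the rules being evaluated, a missing attribute behind MustBePresent="True" makes the policy set "Indeterminate", and a condition that references an unobtainable attribute turns an otherwise inapplicable policy into "Indeterminate" (Table 2, row 3).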
7.8 Hierarchical resources

It is often the case that a resource is organized as a hierarchy (e.g. file system, XML document). Some access requesters may request access to an entire subtree of a resource, specified by a node. XACML allows the PEP (or context handler) to specify whether the decision request is just for a single resource or for a subtree below the specified resource. The latter is equivalent to repeating a single request for each node in the entire subtree. When a request context contains a resource attribute of type

urn:oasis:names:tc:xacml:1.0:resource:scope

with a value of "Immediate", or if it does not contain that attribute, then the decision request SHALL be interpreted to apply to just the single resource specified by the "urn:oasis:names:tc:xacml:1.0:resource:resource-id" attribute.

When the

urn:oasis:names:tc:xacml:1.0:resource:scope

attribute has the value "Children", the decision request SHALL be interpreted to apply to the specified resource and its immediate children resources.

When the

urn:oasis:names:tc:xacml:1.0:resource:scope

attribute has the value "Descendants", the decision request SHALL be interpreted to apply to both the specified resource and all its descendant resources.

In the case of "Children" and "Descendants", the authorization decision MAY include multiple results for the multiple sub-nodes in the resource sub-tree.

An XACML authorization response MAY contain multiple <Result> elements.

Note that the method by which the PDP discovers whether the resource is hierarchically organized or not is outside the scope of XACML.

In the case where a child or descendant resource cannot be accessed, the <Result> element associated with the parent element SHALL contain a <StatusCode> Value of "urn:oasis:names:tc:xacml:1.0:status:processing-error".
7.9 Attributes

Attributes are specified in the request context, regardless of whether or not they appeared in the original decision request, and are referred to in the policy by subject, resource, action and environment attribute designators and attribute selectors. A named attribute is the term used for the criteria that the specific subject, resource, action and environment attribute designators and selectors use to refer to attributes in the subject, resource, action and environment elements of the request context, respectively.

7.9.1 Attribute matching

A named attribute has specific criteria with which to match attributes in the context. An attribute specifies AttributeId, DataType and Issuer attributes, and each named attribute also specifies AttributeId, DataType and optional Issuer attributes. A named attribute SHALL match an attribute if the values of their respective AttributeId, DataType and optional Issuer attributes match within their particular element (e.g. subject, resource, action or environment) of the context. The AttributeId of the named attribute MUST match, by URI equality, the AttributeId of the context attribute. The DataType of the named attribute MUST match, by URI equality, the DataType of the same context attribute. If Issuer is supplied in the named attribute, then it MUST match, by string equality, the Issuer of the same context attribute. If Issuer is not supplied in the named attribute, then the matching of the context attribute to the named attribute SHALL be governed by AttributeId and DataType alone, regardless of the presence, absence or actual value of Issuer. In the case of an attribute selector, the matching of the attribute to the named attribute SHALL be governed by the XPath expression and DataType.
7.9.2 Attribute retrieval

The PDP SHALL request the values of attributes in the request context from the context handler. The PDP SHALL reference the attributes as if they were in a physical request context document, but the context handler is responsible for obtaining and supplying the requested values. The context handler SHALL return the values of attributes that match the attribute designator or attribute selector and form them into a bag of values with the specified data-type. If no attributes from the request context match, then the attribute SHALL be considered missing. If the attribute is missing, then MustBePresent governs whether the attribute designator or attribute selector returns an empty bag or an "Indeterminate" result. If MustBePresent is "False" (default value), then a missing attribute SHALL result in an empty bag. If MustBePresent is "True", then a missing attribute SHALL result in "Indeterminate". This "Indeterminate" result SHALL be handled in accordance with the specification of the encompassing expressions, rules, policies and policy sets. If the result is "Indeterminate", then the AttributeId, DataType and Issuer of the attribute MAY be listed in the authorization decision, as described in Section 7.10. However, a PDP MAY choose not to return such information for security reasons.
7.9.3 Environment attributes

Environment attributes are listed in Section B.8. If a value for one of these attributes is supplied in the decision request, then the context handler SHALL use that value. Otherwise, the context handler SHALL supply a value. For the date and time attributes, the supplied value SHALL have the semantics of date and time that apply to the decision request.

7.10 Authorization decision

Given a valid XACML policy or policy set, a compliant XACML PDP MUST evaluate the policy as specified in Sections 5 and 4.2. The PDP MUST return a response context with one <Decision> element of value "Permit", "Deny", "Indeterminate" or "NotApplicable".

If the PDP cannot make a decision, then an "Indeterminate" <Decision> element contents SHALL be returned. The PDP MAY return a <Decision> element contents of "Indeterminate" with a status code of

urn:oasis:names:tc:xacml:1.0:missing-attribute

signifying that more information is needed. In this case, the <Status> element MAY list the names and data-types of any attributes of the subjects, resource, action or environment that are needed by the PDP to refine its decision. A PEP MAY resubmit a refined request context in response to a <Decision> element contents of "Indeterminate" with a status code of

urn:oasis:names:tc:xacml:1.0:missing-attribute

by adding attribute values for the attribute names that were listed in the previous response. When the PDP returns a <Decision> element contents of "Indeterminate" with a status code of

urn:oasis:names:tc:xacml:1.0:missing-attribute

it MUST NOT list the names and data-types of any attribute of the subject, resource, action or environment for which values were supplied in the original request. Note: this requirement forces the PDP to eventually return an authorization decision of "Permit", "Deny" or "Indeterminate" with some other status code in response to successively-refined requests.
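The following is an added worked example covering Sections 7.9.1, 7.9.2 and 7.10 together: matching a named attribute (designator) against request-context attributes, forming the bag of values, applying MustBePresent, and building the list of unresolved attributes a PDP may report with the missing-attribute status while never listing an attribute the request already supplied. It is illustration code written for this page, not code from the OASIS specification or from any implementation. The record types are assumptions; the XML Schema data-type URIs and the subject-id and resource-id attribute identifiers are the standard ones, while the "urn:example:..." identifiers and all values are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

INDETERMINATE = "Indeterminate"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_ANYURI = "http://www.w3.org/2001/XMLSchema#anyURI"


@dataclass(frozen=True)
class ContextAttribute:
    """An <Attribute> inside one element (subject, resource, action or
    environment) of the request context."""
    category: str
    attribute_id: str
    data_type: str
    issuer: Optional[str]
    values: Tuple[str, ...]   # the <AttributeValue> children


@dataclass(frozen=True)
class NamedAttribute:
    """An <AttributeDesignator>: AttributeId, DataType, optional Issuer and
    the MustBePresent flag that decides what a missing attribute becomes."""
    category: str
    attribute_id: str
    data_type: str
    issuer: Optional[str] = None
    must_be_present: bool = False


def matches(named: NamedAttribute, attr: ContextAttribute) -> bool:
    """7.9.1: URI equality on AttributeId and DataType within the same element
    of the context; Issuer is compared by string equality only when the
    designator supplies one, otherwise it is ignored entirely."""
    if named.category != attr.category:
        return False
    if named.attribute_id != attr.attribute_id or named.data_type != attr.data_type:
        return False
    return named.issuer is None or named.issuer == attr.issuer


def retrieve(named: NamedAttribute, context: List[ContextAttribute]) -> Union[List[str], str]:
    """7.9.2: the bag of all matching values. No match at all means the
    attribute is missing: empty bag, or Indeterminate if MustBePresent."""
    bag = [v for a in context if matches(named, a) for v in a.values]
    if not bag:
        return INDETERMINATE if named.must_be_present else []
    return bag


def missing_attribute_report(designators: List[NamedAttribute],
                             context: List[ContextAttribute]) -> List[Tuple[str, str, str]]:
    """7.10: (element, AttributeId, DataType) of designators that resolved to
    Indeterminate, excluding any attribute the request already supplied a
    value for (e.g. it was present but from a different Issuer)."""
    supplied = {(a.category, a.attribute_id, a.data_type) for a in context}
    report = []
    for d in designators:
        key = (d.category, d.attribute_id, d.data_type)
        if retrieve(d, context) == INDETERMINATE and key not in supplied:
            report.append(key)
    return report


def demo() -> dict:
    """Constructed request context and designators."""
    ctx = [
        ContextAttribute("subject", "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
                         XS_STRING, None, ("alice",)),
        ContextAttribute("subject", "urn:example:role", XS_STRING,
                         "contractor-portal", ("engineer",)),   # constructed issuer
        ContextAttribute("resource", "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
                         XS_ANYURI, None, ("/doc/plan",)),
    ]
    role_any = NamedAttribute("subject", "urn:example:role", XS_STRING)
    role_hr = NamedAttribute("subject", "urn:example:role", XS_STRING,
                             issuer="hr", must_be_present=True)
    clearance = NamedAttribute("subject", "urn:example:clearance", XS_STRING,
                               must_be_present=True)
    department = NamedAttribute("subject", "urn:example:department", XS_STRING)
    return {
        "role_any": retrieve(role_any, ctx),       # issuer not specified: matches
        "role_hr": retrieve(role_hr, ctx),         # issuer mismatch: Indeterminate
        "department": retrieve(department, ctx),   # missing, MustBePresent False
        "report": missing_attribute_report([role_any, role_hr, clearance, department], ctx),
    }
```

Note the role_hr case in demo(): the role attribute is in the request, but from an Issuer the designator does not accept, so retrieval is "Indeterminate"; yet because the request did supply that AttributeId and DataType, 7.10 forbids listing it, and only the genuinely absent clearance attribute appears in the report.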
7.11 Obligations

A policy or policy set may contain one or more obligations. When such a policy or policy set is evaluated, an obligation SHALL be passed up to the next level of evaluation (the enclosing or referencing policy set, or the authorization decision) only if the effect of the policy or policy set being evaluated matches the value of the xacml:FulfillOn attribute of the obligation.

As a consequence of this procedure, no obligations SHALL be returned to the PEP if the policies or policy sets from which they are drawn are not evaluated, or if their evaluated result is "Indeterminate" or "NotApplicable", or if the decision resulting from evaluating the policy or policy set does not match the decision resulting from evaluating an enclosing policy set.

If the PDP's evaluation is viewed as a tree of policy sets and policies, each of which returns "Permit" or "Deny", then the set of obligations returned by the PDP to the PEP will include only the obligations associated with those paths where the effect at each level of evaluation is the same as the effect being returned by the PDP.

A PEP that receives a valid XACML response of "Permit" with obligations SHALL be responsible for fulfilling all of those obligations. A PEP that receives an XACML response of "Deny" with obligations SHALL be responsible for fulfilling all of the obligations that it understands.
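The following is an added worked example of the obligation propagation rule in Section 7.11, together with the PEP-side rule from Section 7.1 that a "Permit" is valid only when every obligation is understood. It is illustration code written for this page, not code from the OASIS specification or from any implementation. To isolate the propagation rule, each policy or policy set in the tree carries an already-computed decision rather than being evaluated here (the combining algorithm that produced those decisions is out of scope); the node structure and the obligation identifiers are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Obligation:
    obligation_id: str
    fulfill_on: str  # xacml:FulfillOn, "Permit" or "Deny"


@dataclass
class Node:
    """A <Policy> or <PolicySet> with its evaluated decision, its own
    obligations and the policies/policy sets it contains or references."""
    name: str
    decision: str  # Permit, Deny, Indeterminate or NotApplicable
    obligations: List[Obligation] = field(default_factory=list)
    children: List["Node"] = field(default_factory=list)


def collect_obligations(node: Node, enclosing_decision: Optional[str] = None) -> List[str]:
    """Obligation ids passed up from `node`. A node's own obligation is passed
    up only if the node's decision equals its FulfillOn; a node whose decision
    is Indeterminate/NotApplicable, or differs from the enclosing decision,
    passes up nothing, so only paths with the same effect at every level
    reach the PDP's final response."""
    if node.decision not in ("Permit", "Deny"):
        return []
    if enclosing_decision is not None and node.decision != enclosing_decision:
        return []
    passed_up = [o.obligation_id for o in node.obligations if o.fulfill_on == node.decision]
    for child in node.children:
        passed_up.extend(collect_obligations(child, node.decision))
    return passed_up


def pep_decision(decision: str, obligation_ids: List[str], understood: Set[str]) -> str:
    """7.1 and 7.11 from the PEP's side: a Permit is valid only if every
    obligation is understood, otherwise access is denied; a Deny stands and
    the PEP fulfils the obligations it understands."""
    if decision == "Permit" and all(o in understood for o in obligation_ids):
        return "Permit"
    return "Deny"


def demo() -> List[str]:
    """Constructed evaluation tree whose root (the PDP's decision) is Permit."""
    root = Node("root", "Permit", [Obligation("log-access", "Permit")], children=[
        Node("finance", "Permit", [Obligation("notify-owner", "Permit"),
                                   Obligation("alert-security", "Deny")]),  # wrong FulfillOn
        Node("hr", "Deny", [Obligation("record-denial", "Deny")]),          # decision differs
        Node("legacy", "NotApplicable", [Obligation("audit", "Permit")]),   # not applicable
        Node("shared", "Permit", children=[
            Node("shared-child", "Permit", [Obligation("watermark", "Permit")])]),
    ])
    return collect_obligations(root)
```

Running demo() returns only the obligations on the Permit path from the root: "log-access", "notify-owner" and "watermark". The "hr" subtree returned Deny under a root that returned Permit, so its obligation is dropped even though its FulfillOn matches its own decision, which is exactly the case the second paragraph above describes.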
7.12 Unsupported functionality

If the PDP attempts to evaluate a policy set or policy that contains an optional element type or feature that the PDP does not support, then the PDP SHALL return a <Decision> value of "Indeterminate". If a <StatusCode> element is also returned, then its value SHALL be "urn:oasis:names:tc:xacml:1.0:status:syntax-error" in the case of an unsupported element type, and "urn:oasis:names:tc:xacml:1.0:status:processing-error" in the case of an unsupported feature.

7.13 Syntax and type errors

If a policy that contains invalid syntax is evaluated by the XACML PDP at the time a decision request is received, then the result of that policy SHALL be "Indeterminate" with a StatusCode value of "urn:oasis:names:tc:xacml:1.0:status:syntax-error".

If a policy that contains invalid static data-types is evaluated by the XACML PDP at the time a decision request is received, then the result of that policy SHALL be "Indeterminate" with a StatusCode value of "urn:oasis:names:tc:xacml:1.0:status:processing-error".

8 XACML extensibility points (non-normative)

This section describes the points within the XACML model and schema where extensions can be added.
8.1 Extensible XML attribute types

The following XML attributes have values that are URIs. These may be extended by the creation of new URIs associated with new semantics for these attributes.

AttributeId
AttributeValue
DataType
FunctionId
MatchId
ObligationId
PolicyCombiningAlgId
RuleCombiningAlgId
StatusCode
SubjectCategory

See Section 5 for definitions of these attribute types.
8.2 Structured attributes

An XACML <AttributeValue> element MAY contain an instance of a structured XML data-type. Section A.3 describes a number of standard techniques to identify data items within such a structured attribute. Listed here are some additional techniques that require XACML extensions.

1. For a given structured data-type, a community of XACML users MAY define new attribute identifiers for each leaf sub-element of the structured data-type that has a type conformant with one of the XACML-defined primitive data-types. Using these new attribute identifiers, the PEPs or context handlers used by that community of users can flatten instances of the structured data-type into a sequence of individual <Attribute> elements. Each such <Attribute> element can be compared using the XACML-defined functions. Using this method, the structured data-type itself never appears in an <AttributeValue> element.

2. A community of XACML users MAY define a new function that can be used to compare a value of the structured data-type against some other value. This method may only be used by PDPs that support the new function.

9 Security and privacy considerations (non-normative)

This section identifies possible security and privacy compromise scenarios that should be considered when implementing an XACML-based system. The section is informative only. It is left to the implementer to decide whether these compromise scenarios are practical in their environment and to select appropriate safeguards.
9.1 Threat model

We assume here that the adversary has access to the communication channel between the XACML actors and is able to interpret, insert, delete and modify messages or parts of messages.

Additionally, an actor may use information from a former transaction maliciously in subsequent transactions. It is further assumed that rules and policies are only as reliable as the actors that create and use them. Thus it is incumbent on each actor to establish appropriate trust in the other actors upon which it relies. Mechanisms for trust establishment are outside the scope of this specification.

The messages that are transmitted between the actors in the XACML model are susceptible to attack by malicious third parties. Other points of vulnerability include the PEP, the PDP and the PAP. While some of these entities are not strictly within the scope of this specification, their compromise could lead to the compromise of access control enforced by the PEP.

It should be noted that there are other components of a distributed system that may be compromised, such as an operating system and the domain-name system (DNS), that are outside the scope of this discussion of threat models. Compromise in these components may also lead to a policy violation.

The following sections detail specific compromise scenarios that may be relevant to an XACML system.
9.1.1 Unauthorized disclosure

XACML does not specify any inherent mechanisms for confidentiality of the messages exchanged between actors. Therefore, an adversary could observe the messages in transit. Under certain security policies, disclosure of this information is a violation. Disclosure of attributes or the types of decision requests that a subject submits may be a breach of privacy policy. In the commercial sector, the consequences of unauthorized disclosure of personal data may range from embarrassment to the custodian to imprisonment and large fines in the case of medical or financial data.

Unauthorized disclosure is addressed by confidentiality mechanisms.

9.1.2 Message replay

A message replay attack is one in which the adversary records and replays legitimate messages between XACML actors. This attack may lead to denial of service, the use of out-of-date information or impersonation.

Prevention of replay attacks requires the use of message freshness mechanisms.

Note that encryption of the message does not mitigate a replay attack, since the message is just replayed and does not have to be understood by the adversary.

9.1.3 Message insertion

A message insertion attack is one in which the adversary inserts messages in the sequence of messages between XACML actors.

The solution to a message insertion attack is to use mutual authentication and a message sequence integrity mechanism between the actors. It should be noted that just using SSL mutual authentication is not sufficient. This only proves that the other party is the one identified by the subject of the X.509 certificate. In order to be effective, it is necessary to confirm that the certificate subject is authorized to send the message.

9.1.4 Message deletion

A message deletion attack is one in which the adversary deletes messages in the sequence of messages between XACML actors. Message deletion may lead to denial of service. However, a properly designed XACML system should not render an incorrect authorization decision as a result of a message deletion attack.

The solution to a message deletion attack is to use a message integrity mechanism between the actors.

9.1.5 Message modification

If an adversary can intercept a message and change its contents, then they may be able to alter an authorization decision. Message integrity mechanisms can prevent a successful message modification attack.
9.1.6 NotApplicable results

A result of "NotApplicable" means that the PDP did not have a policy whose target matched the information in the decision request. In general, we highly recommend using a default-deny policy, so that when a PDP would have returned "NotApplicable", a result of "Deny" is returned instead.

In some security models, however, such as is common in many Web servers, a result of "NotApplicable" is treated as equivalent to "Permit". There are particular security considerations that must be taken into account for this to be safe. These are explained in the following paragraphs.

If "NotApplicable" is to be treated as "Permit", it is vital that the matching algorithms used by the policy to match elements in the decision request are closely aligned with the data syntax used by the applications that will be submitting the decision request. A failure to match will be treated as "Permit", so an unintended failure to match may allow unintended access.

A common example of this is a Web server. Commercial HTTP responders allow a variety of syntaxes to be treated equivalently. The % character can be used to represent characters by hex value. The URL path provides multiple ways of specifying the same value. Multiple character sets may be permitted, and in some cases the same printed character can be represented by different binary values. Unless the matching algorithm used by the policy is sophisticated enough to catch these variations, unintended access may be permitted.

It is safe to treat "NotApplicable" as "Permit" only in a closed environment where all applications that formulate a decision request can be guaranteed to use the exact syntax expected by the policies used by the PDP. In a more open environment, where decision requests may be received from applications that may use any legal syntax, it is strongly recommended that "NotApplicable" NOT be treated as "Permit" unless matching rules have been very carefully designed to match all possible applicable inputs, regardless of syntax or type variations.
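The following is an added worked example of the Web-server scenario in Section 9.1.6: a policy with a single Deny rule whose target is written for one spelling of a path, compared first by exact string equality and then after canonicalizing the variants an HTTP responder would treat as the same resource, with the outcome under both a fail-open PEP (NotApplicable as Permit) and a default-deny PEP. It is illustration code written for this page, not code from the OASIS specification or from any implementation. The protected path, the list of variants and the canonicalization steps (percent-decoding, dot-segment and slash collapsing, case folding) are constructed; which steps are correct for a real deployment depends on what the responder in front of the PEP actually does, which is the alignment the text above demands.

```python
import posixpath
from typing import Callable, Dict, List
from urllib.parse import unquote

PROTECTED = "/admin/reports"  # constructed: the one path the policy's Deny rule targets

# Constructed request paths that a typical HTTP responder serves as PROTECTED.
VARIANTS: List[str] = [
    "/admin/reports",
    "/admin/%72eports",    # 'r' written as a percent-encoded hex value
    "/admin//reports",     # repeated slash
    "/admin/./reports",    # '.' segment
    "/admin/reports/",     # trailing slash
    "/ADMIN/reports",      # ASCII case (assumes a case-insensitive responder)
    "/admin/x/../reports", # '..' segment
]


def naive_target_matches(path: str) -> bool:
    """Policy target as written for one canonical spelling: exact string equality."""
    return path == PROTECTED


def canonical(path: str) -> str:
    """Fold the syntactic variants above onto one spelling before matching.
    Assumption: this mirrors the responder's own normalization; decoding is
    done once, so a responder that decodes twice would still need aligning."""
    decoded = unquote(path)
    return posixpath.normpath(decoded).lower()


def normalized_target_matches(path: str) -> bool:
    return canonical(path) == PROTECTED


def decide(path: str, matcher: Callable[[str], bool], not_applicable_as_permit: bool) -> str:
    """PDP with one Deny rule: a target match is Deny, anything else is
    NotApplicable, which a fail-open PEP turns into Permit and a default-deny
    PEP into Deny."""
    if matcher(path):
        return "Deny"
    return "Permit" if not_applicable_as_permit else "Deny"


def fail_open_gaps(variants: List[str] = VARIANTS) -> List[str]:
    """Spellings of the protected resource that a fail-open PEP with the naive
    matcher lets through: the unintended access the section warns about."""
    return [v for v in variants if decide(v, naive_target_matches, True) == "Permit"]


def normalized_results(variants: List[str] = VARIANTS) -> Dict[str, str]:
    """Same fail-open PEP, but with matching aligned to the responder's syntax."""
    return {v: decide(v, normalized_target_matches, True) for v in variants}


def default_deny_results(variants: List[str] = VARIANTS) -> Dict[str, str]:
    """Default-deny PEP: even the naive matcher cannot fail open."""
    return {v: decide(v, naive_target_matches, False) for v in variants}
```

fail_open_gaps() lists six of the seven spellings, every one except the exact string the policy author had in mind; normalized_results() denies all seven, and default_deny_results() denies all seven without needing the canonicalization at all, which is why the section recommends default-deny unless the matching rules have been designed for every syntax the applications may use.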
9.1.7 Negative rules

A negative rule is one that is based on a predicate not being "True". If not used with care, negative rules can lead to policy violation; therefore, some authorities recommend that they not be used. However, negative rules can be extremely efficient in certain cases, so XACML has chosen to include them. Nevertheless, it is recommended that they be used with care and avoided if possible.

A common use for negative rules is to deny access to an individual or subgroup when their membership in a larger group would otherwise permit them access. For example, we might want to write a rule that allows all Vice Presidents to see the unpublished financial data, except for Joe, who is only a Ceremonial Vice President and can be indiscreet in his communications. If we have complete control of the administration of subject attributes, a superior approach would be to define "Vice President" and "Ceremonial Vice President" as distinct groups and then define rules accordingly. However, in some environments this approach may not be feasible. (It is worth noting in passing that, generally speaking, referring to individuals in rules does not scale well. Generally, shared attributes are preferred.)

If not used with care, negative rules can lead to policy violation in two common cases. They are when attributes are suppressed and when the base group changes. An example of suppressed attributes would be if we have a policy that access should be permitted unless the subject is a credit risk. If it is possible that the attribute of being a credit risk may be unknown to the PDP for some reason, then unauthorized access may be permitted. In some environments, the subject may be able to suppress the publication of attributes by the application of privacy controls, or the server or repository that contains the information may be unavailable for accidental or intentional reasons.

An example of a changing base group would be if there is a policy that everyone in the engineering department may change software source code except for secretaries. Suppose now that the department was to merge with another engineering department and the intent is to maintain the same policy. However, the new department also includes individuals identified as administrative assistants, who ought to be treated in the same way as secretaries. Unless the policy is altered, they will unintentionally be permitted to change software source code. Problems of this type are easy to avoid when one individual administers all policies, but when administration is distributed, as XACML allows, this type of situation must be explicitly guarded against.
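The following is an added worked example of the suppressed-attribute case in Section 9.1.7: the negative rule "permit unless the subject is a credit risk" evaluated against a subject whose credit-risk attribute is present, against one marked as a risk, and against one whose attribute has been suppressed or could not be fetched. It shows why the rule fails open with the default MustBePresent="False" (a missing attribute is an empty bag, so "not a credit risk" is trivially true), how MustBePresent="True" turns the same situation into "Indeterminate" (Sections 7.4 and 7.9.2) that the PEP must treat as a denial (Section 7.1), and how the positive formulation avoids the problem. It is illustration code written for this page, not code from the OASIS specification or from any implementation; the attribute names and subjects are constructed.

```python
from typing import Dict, List

# Request context: attribute id -> bag of values; a missing key is an attribute
# the context handler could not resolve (suppressed, or repository unavailable).
Context = Dict[str, List[str]]


def permit_unless_credit_risk(ctx: Context, must_be_present: bool) -> str:
    """Negative rule: Effect="Permit", Condition = not("true" in credit-risk bag).
    With MustBePresent="False" a missing attribute is an empty bag, the 'not in'
    test is True, and the rule permits. With MustBePresent="True" the designator
    is Indeterminate, and so is the rule (7.4, 7.9.2)."""
    if "credit-risk" not in ctx:
        if must_be_present:
            return "Indeterminate"
        bag: List[str] = []
    else:
        bag = ctx["credit-risk"]
    return "Permit" if "true" not in bag else "NotApplicable"


def positive_formulation(ctx: Context) -> str:
    """Same intent as a positive rule: permit only subjects explicitly recorded
    as not being a credit risk. A missing attribute can never permit."""
    return "Permit" if "false" in ctx.get("credit-risk", []) else "NotApplicable"


def pep_outcome(rule_value: str) -> str:
    """7.1: only a valid Permit grants access; NotApplicable and Indeterminate
    both deny."""
    return "allow" if rule_value == "Permit" else "deny"


def demo() -> Dict[str, str]:
    """Constructed subjects: one vetted, one flagged, one with the attribute suppressed."""
    vetted = {"subject-id": ["alice"], "credit-risk": ["false"]}
    flagged = {"subject-id": ["bob"], "credit-risk": ["true"]}
    suppressed = {"subject-id": ["carol"]}  # privacy control or repository outage
    return {
        "negative/vetted": pep_outcome(permit_unless_credit_risk(vetted, False)),
        "negative/flagged": pep_outcome(permit_unless_credit_risk(flagged, False)),
        "negative/suppressed": pep_outcome(permit_unless_credit_risk(suppressed, False)),
        "negative+MustBePresent/suppressed": pep_outcome(permit_unless_credit_risk(suppressed, True)),
        "positive/vetted": pep_outcome(positive_formulation(vetted)),
        "positive/suppressed": pep_outcome(positive_formulation(suppressed)),
    }
```

The "negative/suppressed" entry is the policy violation the section describes: carol is allowed in only because nothing was known about her. Setting MustBePresent="True" on the designator, or writing the rule positively, makes the same request end in a denial.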
9.2 Safeguards
9.2.1 Authentication
Authentication provides the means for one party in a transaction to determine the identity of the other party in the transaction. Authentication may be in one direction, or it may be bilateral.
Given the sensitive nature of access control systems, it is important for a PEP to authenticate the identity of the PDP to which it sends decision requests. Otherwise, there is a risk that an adversary could provide false or invalid authorization decisions, leading to a policy violation.
It is equally important for a PDP to authenticate the identity of the PEP and assess the level of trust to determine what, if any, sensitive data should be passed. One should keep in mind that even simple Permit or Deny responses could be exploited if an adversary were allowed to make unlimited requests to a PDP.
Many different techniques may be used to provide authentication, such as co-located code, a private network, a VPN, or digital signatures. Authentication may also be performed as part of the communication protocol used to exchange the contexts. In this case, authentication may be performed at the message level or at the session level.
9.2.2 Policy administration
If the contents of policies are exposed outside of the access control system, potential subjects may use this information to determine how to gain unauthorized access.
To prevent this threat, the repository used for the storage of policies may itself require access control. In addition, the <Status> element should be used to return values of missing attributes only when exposure of the identities of those attributes will not compromise security.
9.2.3 Confidentiality
Confidentiality mechanisms ensure that the contents of a message can be read only by the desired recipients, and not by anyone else who encounters the message while it is in transit. There are two areas in which confidentiality should be considered: one is confidentiality during transmission; the other is confidentiality within a <Policy> element.
9.2.3.1 Communication confidentiality
In some environments, it is deemed good practice to treat all data within an access control system as confidential. In other environments, policies may be made freely available for distribution, inspection, and audit. The idea behind keeping policy information secret is to make it more difficult for an adversary to know what steps might be sufficient to obtain unauthorized access. Regardless of the approach chosen, the security of the access control system should not depend on the secrecy of the policy.
Any security concerns or requirements related to transmitting or exchanging XACML <Policy> elements are outside the scope of the XACML standard. While it is often important to ensure that the integrity and confidentiality of <Policy> elements is maintained when they are exchanged between two parties, it is left to the implementers to determine the appropriate mechanisms for their environment.
Communications confidentiality can be provided by a confidentiality mechanism, such as SSL. Using a point-to-point scheme like SSL may lead to other vulnerabilities when one of the end-points is compromised.
9.2.3.2 Statement level confidentiality
In some cases, an implementation may want to encrypt only parts of an XACML <Policy> element.
The XML Encryption Syntax and Processing Candidate Recommendation from W3C can be used to encrypt all or parts of an XML document. This specification is recommended for use with XACML.
It should go without saying that if a repository is used to facilitate the communication of cleartext (i.e. unencrypted) policy between the PAP and PDP, then a secure repository should be used to store this sensitive data.
9.2.4 Policy integrity
The XACML policy used by the PDP to evaluate the request context is the heart of the system. Therefore, maintaining its integrity is essential. There are two aspects to maintaining the integrity of the policy. One is to ensure that <Policy> elements have not been altered since they were originally created by the PAP. The other is to ensure that <Policy> elements have not been inserted or deleted from the set of policies.
In many cases, both aspects can be achieved by ensuring the integrity of the actors and implementing session-level mechanisms to secure the communication between actors. The selection of the appropriate mechanisms is left to the implementers. However, when policy is distributed between organizations to be acted on at a later time, or when the policy travels with the protected resource, it would be useful to sign the policy. In these cases, the XML Signature Syntax and Processing standard from W3C is recommended to be used with XACML.
Digital signatures should only be used to ensure the integrity of the statements. Digital signatures should not be used as a method of selecting or evaluating policy. That is, the PDP should not request a policy based on who signed it or whether or not it has been signed (as such a basis for selection would itself be a matter of policy). However, the PDP must verify that the key used to sign the policy is one controlled by the purported issuer of the policy. The means to do this are dependent on the specific signature technology chosen and are outside the scope of this document.
9.2.5 Policy identifiers
Since policies can be referenced by their identifiers, it is the responsibility of the PAP to ensure that these are unique. Confusion between identifiers could lead to misidentification of the applicable policy. This specification is silent on whether a PAP must generate a new identifier when a policy is modified, or may use the same identifier in the modified policy. This is a matter of administrative practice. However, care must be taken in either case. If the identifier is reused, there is a danger that other policies or policy sets that reference it may be adversely affected. Conversely, if a new identifier is used, these other policies may continue to use the prior policy unless it is deleted. In either case, the results may not be what the policy administrator intends.
9.2.6 Trust model
Discussions of authentication, integrity and confidentiality mechanisms necessarily assume an underlying trust model: how can one actor come to believe that a given key is uniquely associated with a specific, identified actor, so that the key can be used to encrypt data for that actor or verify signatures (or other integrity structures) from that actor? Many different types of trust model exist, including strict hierarchies, distributed authorities, the Web, the bridge, and so on.
It is worth considering the relationships between the various actors of the access control system, in terms of the interdependencies that do and do not exist.
None of the entities of the authorization system are dependent on the PEP. They may collect data from it, for example authentication, but are responsible for verifying it.
The correct operation of the system depends on the ability of the PEP to actually enforce policy decisions.
The PEP depends on the PDP to correctly evaluate policies. This, in turn, implies that the PDP is supplied with the correct inputs. Other than that, the PDP does not depend on the PEP.
The PDP depends on the PAP to supply appropriate policies. The PAP is not dependent on other components.
9.2.7 Privacy
It is important to be aware that any transactions that occur with respect to access control may reveal private information about the actors. For example, if an XACML policy states that certain data may only be read by subjects with “Gold Card Member” status, then any transaction in which a subject is permitted access to that data leaks information to an adversary about the subject's status. Privacy considerations may therefore lead to encryption and/or to access control policies surrounding the enforcement of XACML policy instances themselves: confidentiality-protected channels for the request/response protocol messages, protection of subject attributes in storage and in transit, and so on.
Selection and use of privacy mechanisms appropriate to a given environment are outside the scope of XACML. The decision regarding whether, how and when to deploy such mechanisms is left to the implementers associated with the environment.
10 Conformance (normative)
10.1 Introduction
The XACML specification addresses the following aspect of conformance:
The XACML specification defines a number of functions, etc., that have somewhat specialist application; therefore, they are not required to be implemented in an implementation that claims to conform with the OASIS standard.
10.2 Conformance tables
This section lists those portions of the specification that MUST be included in an implementation of a PDP that claims to conform with XACML v1.0. A set of test cases has been created to assist in this process. These test cases are hosted by Sun Microsystems and can be located from the XACML Web page. The site hosting the test cases contains a full description of the test cases and how to execute them.
Note: M means mandatory-to-implement; O means optional.
10.2.1 Schema elements
The implementation MUST support those schema elements that are marked “M”.

Element name                              M/O
xacml-context:Action                      M
xacml-context:Attribute                   M
xacml-context:AttributeValue              M
xacml-context:Decision                    M
xacml-context:Environment                 M
xacml-context:Obligations                 O
xacml-context:Request                     M
xacml-context:Resource                    M
xacml-context:ResourceContent             O
xacml-context:Response                    M
xacml-context:Result                      M
xacml-context:Status                      M
xacml-context:StatusCode                  M
xacml-context:StatusDetail                O
xacml-context:StatusMessage               O
xacml-context:Subject                     M
xacml:Action                              M
xacml:ActionAttributeDesignator           M
xacml:ActionMatch                         M
xacml:Actions                             M
xacml:AnyAction                           M
xacml:AnyResource                         M
xacml:AnySubject                          M
xacml:Apply                               M
xacml:AttributeAssignment                 O
xacml:AttributeSelector                   O
xacml:AttributeValue                      M
xacml:Condition                           M
xacml:Description                         M
xacml:EnvironmentAttributeDesignator      M
xacml:Function                            M
xacml:Obligation                          O
xacml:Obligations                         O
xacml:Policy                              M
xacml:PolicyDefaults                      O
xacml:PolicyIdReference                   M
xacml:PolicySet                           M
xacml:PolicySetDefaults                   O
xacml:PolicySetIdReference                M
xacml:Resource                            M
xacml:ResourceAttributeDesignator         M
xacml:ResourceMatch                       M
xacml:Resources                           M
xacml:Rule                                M
xacml:Subject                             M
xacml:SubjectMatch                        M
xacml:Subjects                            M
xacml:Target                              M
xacml:XPathVersion                        O
10.2.2 Identifier Prefixes
The following identifier prefixes are reserved by XACML:

Identifier
urn:oasis:names:tc:xacml:1.0
urn:oasis:names:tc:xacml:1.0:conformance-test
urn:oasis:names:tc:xacml:1.0:context
urn:oasis:names:tc:xacml:1.0:example
urn:oasis:names:tc:xacml:1.0:function
urn:oasis:names:tc:xacml:1.0:policy
urn:oasis:names:tc:xacml:1.0:subject
urn:oasis:names:tc:xacml:1.0:resource
urn:oasis:names:tc:xacml:1.0:action
10.2.3 Algorithms
The implementation MUST include the rule- and policy-combining algorithms associated with the following identifiers that are marked M.

Algorithm                                                              M/O
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides          M
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides        M
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides        M
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides      M
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable        M
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable      M
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable   M
urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-deny-overrides
urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-deny-overrides
urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides
urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides
10.2.4 Status Codes
Implementation support for the urn:oasis:names:tc:xacml:1.0:context:status element is optional, but if the element is supported, then the following status codes must be supported and must be used in the way XACML has specified.

Identifier                                               M/O
urn:oasis:names:tc:xacml:1.0:status:missing-attribute    M
urn:oasis:names:tc:xacml:1.0:status:ok                   M
urn:oasis:names:tc:xacml:1.0:status:processing-error     M
urn:oasis:names:tc:xacml:1.0:status:syntax-error         M
10.2.5 Attributes
The implementation MUST support the attributes associated with the following attribute identifiers, as specified by XACML. If values for these attributes are not present in the decision request, then their values MUST be supplied by the PDP. So, unlike most other attributes, their semantics are not transparent to the PDP.

Identifier                                                   M/O
urn:oasis:names:tc:xacml:1.0:environment:current-time        M
urn:oasis:names:tc:xacml:1.0:environment:current-date        M
urn:oasis:names:tc:xacml:1.0:environment:current-dateTime    M

10.2.6 Identifiers
The implementation MUST use the attributes associated with the following identifiers in the way XACML has defined. This requirement pertains primarily to implementations of a PAP or PEP that use XACML, since the semantics of the attributes are transparent to the PDP.

Identifier                                                              M/O
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name            O
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address          O
urn:oasis:names:tc:xacml:1.0:subject:authentication-method              O
urn:oasis:names:tc:xacml:1.0:subject:authentication-time                O
urn:oasis:names:tc:xacml:1.0:subject:key-info                           O
urn:oasis:names:tc:xacml:1.0:subject:request-time                       O
urn:oasis:names:tc:xacml:1.0:subject:session-start-time                 O
urn:oasis:names:tc:xacml:1.0:subject:subject-id                         O
urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier               O
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject            M
urn:oasis:names:tc:xacml:1.0:subject-category:codebase                  O
urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject      O
urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject         O
urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine        O
urn:oasis:names:tc:xacml:1.0:resource:resource-location                 O
urn:oasis:names:tc:xacml:1.0:resource:resource-id                       M
urn:oasis:names:tc:xacml:1.0:resource:scope                             O
urn:oasis:names:tc:xacml:1.0:resource:simple-file-name                  O
urn:oasis:names:tc:xacml:1.0:action:action-id                           M
urn:oasis:names:tc:xacml:1.0:action:implied-action                      M
10.2.7 Data-types
The implementation MUST support the data-types associated with the following identifiers marked M.

Data-type                                                                  M/O
http://www.w3.org/2001/XMLSchema#string                                    M
http://www.w3.org/2001/XMLSchema#boolean                                   M
http://www.w3.org/2001/XMLSchema#integer                                   M
http://www.w3.org/2001/XMLSchema#double                                    M
http://www.w3.org/2001/XMLSchema#time                                      M
http://www.w3.org/2001/XMLSchema#date                                      M
http://www.w3.org/2001/XMLSchema#dateTime                                  M
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration     M
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration   M
http://www.w3.org/2001/XMLSchema#anyURI                                    M
http://www.w3.org/2001/XMLSchema#hexBinary                                 M
http://www.w3.org/2001/XMLSchema#base64Binary                              M
urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name                          M
urn:oasis:names:tc:xacml:1.0:data-type:x500Name                            M
10.2.8 Functions
The implementation MUST properly process those functions associated with the identifiers marked with an M.

Function                                                                   M/O
urn:oasis:names:tc:xacml:1.0:function:string-equal                         M
urn:oasis:names:tc:xacml:1.0:function:boolean-equal                        M
urn:oasis:names:tc:xacml:1.0:function:integer-equal                        M
urn:oasis:names:tc:xacml:1.0:function:double-equal                         M
urn:oasis:names:tc:xacml:1.0:function:date-equal                           M
urn:oasis:names:tc:xacml:1.0:function:time-equal                           M
urn:oasis:names:tc:xacml:1.0:function:dateTime-equal                       M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-equal                M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-equal              M
urn:oasis:names:tc:xacml:1.0:function:anyURI-equal                         M
urn:oasis:names:tc:xacml:1.0:function:x500Name-equal                       M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal                     M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-equal                      M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-equal                   M
urn:oasis:names:tc:xacml:1.0:function:integer-add                          M
urn:oasis:names:tc:xacml:1.0:function:double-add                           M
urn:oasis:names:tc:xacml:1.0:function:integer-subtract                     M
urn:oasis:names:tc:xacml:1.0:function:double-subtract                      M
urn:oasis:names:tc:xacml:1.0:function:integer-multiply                     M
urn:oasis:names:tc:xacml:1.0:function:double-multiply                      M
urn:oasis:names:tc:xacml:1.0:function:integer-divide                       M
urn:oasis:names:tc:xacml:1.0:function:double-divide                        M
urn:oasis:names:tc:xacml:1.0:function:integer-mod                          M
urn:oasis:names:tc:xacml:1.0:function:integer-abs                          M
urn:oasis:names:tc:xacml:1.0:function:double-abs                           M
urn:oasis:names:tc:xacml:1.0:function:round                                M
urn:oasis:names:tc:xacml:1.0:function:floor                                M
urn:oasis:names:tc:xacml:1.0:function:string-normalize-space               M
urn:oasis:names:tc:xacml:1.0:function:string-normalize-to-lower-case       M
urn:oasis:names:tc:xacml:1.0:function:double-to-integer                    M
urn:oasis:names:tc:xacml:1.0:function:integer-to-double                    M
urn:oasis:names:tc:xacml:1.0:function:or                                   M
urn:oasis:names:tc:xacml:1.0:function:and                                  M
urn:oasis:names:tc:xacml:1.0:function:n-of                                 M
urn:oasis:names:tc:xacml:1.0:function:not                                  M
urn:oasis:names:tc:xacml:1.0:function:present                              M
urn:oasis:names:tc:xacml:1.0:function:integer-greater-than                 M
urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal        M
urn:oasis:names:tc:xacml:1.0:function:integer-less-than                    M
urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal           M
urn:oasis:names:tc:xacml:1.0:function:double-greater-than                  M
urn:oasis:names:tc:xacml:1.0:function:double-greater-than-or-equal         M
urn:oasis:names:tc:xacml:1.0:function:double-less-than                     M
urn:oasis:names:tc:xacml:1.0:function:double-less-than-or-equal            M
urn:oasis:names:tc:xacml:1.0:function:dateTime-add-dayTimeDuration         M
urn:oasis:names:tc:xacml:1.0:function:dateTime-add-yearMonthDuration       M
urn:oasis:names:tc:xacml:1.0:function:dateTime-subtract-dayTimeDuration    M
urn:oasis:names:tc:xacml:1.0:function:dateTime-subtract-yearMonthDuration  M
urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration           M
urn:oasis:names:tc:xacml:1.0:function:date-subtract-yearMonthDuration      M
urn:oasis:names:tc:xacml:1.0:function:string-greater-than                  M
urn:oasis:names:tc:xacml:1.0:function:string-greater-than-or-equal         M
urn:oasis:names:tc:xacml:1.0:function:string-less-than                     M
urn:oasis:names:tc:xacml:1.0:function:string-less-than-or-equal            M
urn:oasis:names:tc:xacml:1.0:function:time-greater-than                    M
urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal           M
urn:oasis:names:tc:xacml:1.0:function:time-less-than                       M
urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal              M
urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than                M
urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal       M
urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than                   M
urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than-or-equal          M
urn:oasis:names:tc:xacml:1.0:function:date-greater-than                    M
urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal           M
urn:oasis:names:tc:xacml:1.0:function:date-less-than                       M
urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal              M
urn:oasis:names:tc:xacml:1.0:function:string-one-and-only                  M
urn:oasis:names:tc:xacml:1.0:function:string-bag-size                      M
urn:oasis:names:tc:xacml:1.0:function:string-is-in                         M
urn:oasis:names:tc:xacml:1.0:function:string-bag                           M
urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only                 M
urn:oasis:names:tc:xacml:1.0:function:boolean-bag-size                     M
urn:oasis:names:tc:xacml:1.0:function:boolean-is-in                        M
urn:oasis:names:tc:xacml:1.0:function:boolean-bag                          M
urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only                 M
urn:oasis:names:tc:xacml:1.0:function:integer-bag-size                     M
urn:oasis:names:tc:xacml:1.0:function:integer-is-in                        M
urn:oasis:names:tc:xacml:1.0:function:integer-bag                          M
urn:oasis:names:tc:xacml:1.0:function:double-one-and-only                  M
urn:oasis:names:tc:xacml:1.0:function:double-bag-size                      M
urn:oasis:names:tc:xacml:1.0:function:double-is-in                         M
urn:oasis:names:tc:xacml:1.0:function:double-bag                           M
urn:oasis:names:tc:xacml:1.0:function:time-one-and-only                    M
urn:oasis:names:tc:xacml:1.0:function:time-bag-size                        M
urn:oasis:names:tc:xacml:1.0:function:time-is-in                           M
urn:oasis:names:tc:xacml:1.0:function:time-bag                             M
urn:oasis:names:tc:xacml:1.0:function:date-one-and-only                    M
urn:oasis:names:tc:xacml:1.0:function:date-bag-size                        M
urn:oasis:names:tc:xacml:1.0:function:date-is-in                           M
urn:oasis:names:tc:xacml:1.0:function:date-bag                             M
urn:oasis:names:tc:xacml:1.0:function:dateTime-one-and-only                M
urn:oasis:names:tc:xacml:1.0:function:dateTime-bag-size                    M
urn:oasis:names:tc:xacml:1.0:function:dateTime-is-in                       M
urn:oasis:names:tc:xacml:1.0:function:dateTime-bag                         M
urn:oasis:names:tc:xacml:1.0:function:anyURI-one-and-only                  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-bag-size                      M
urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in                         M
urn:oasis:names:tc:xacml:1.0:function:anyURI-bag                           M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-one-and-only               M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-bag-size                   M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-is-in                      M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-bag                        M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-one-and-only            M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-bag-size                M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-is-in                   M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-bag                     M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-one-and-only         M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-bag-size             M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-is-in                M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-bag                  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-one-and-only       M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-bag-size           M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-is-in              M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-bag                M
urn:oasis:names:tc:xacml:1.0:function:x500Name-one-and-only                M
urn:oasis:names:tc:xacml:1.0:function:x500Name-bag-size                    M
urn:oasis:names:tc:xacml:1.0:function:x500Name-is-in                       M
urn:oasis:names:tc:xacml:1.0:function:x500Name-bag                         M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-one-and-only              M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-bag-size                  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-is-in                     M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-bag                       M
urn:oasis:names:tc:xacml:1.0:function:any-of                               M
urn:oasis:names:tc:xacml:1.0:function:all-of                               M
urn:oasis:names:tc:xacml:1.0:function:any-of-any                           M
urn:oasis:names:tc:xacml:1.0:function:all-of-any                           M
urn:oasis:names:tc:xacml:1.0:function:any-of-all                           M
urn:oasis:names:tc:xacml:1.0:function:all-of-all                           M
urn:oasis:names:tc:xacml:1.0:function:map                                  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-match                       M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match                     M
urn:oasis:names:tc:xacml:1.0:function:regexp-string-match                  M
urn:oasis:names:tc:xacml:1.0:function:xpath-node-count                     O
urn:oasis:names:tc:xacml:1.0:function:xpath-node-equal                     O
urn:oasis:names:tc:xacml:1.0:function:xpath-node-match                     O
urn:oasis:names:tc:xacml:1.0:function:string-intersection                  M
urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of        M
urn:oasis:names:tc:xacml:1.0:function:string-union                         M
urn:oasis:names:tc:xacml:1.0:function:string-subset                        M
urn:oasis:names:tc:xacml:1.0:function:string-set-equals                    M
urn:oasis:names:tc:xacml:1.0:function:boolean-intersection                 M
urn:oasis:names:tc:xacml:1.0:function:boolean-at-least-one-member-of       M
urn:oasis:names:tc:xacml:1.0:function:boolean-union                        M
urn:oasis:names:tc:xacml:1.0:function:boolean-subset                       M
urn:oasis:names:tc:xacml:1.0:function:boolean-set-equals                   M
urn:oasis:names:tc:xacml:1.0:function:integer-intersection                 M
urn:oasis:names:tc:xacml:1.0:function:integer-at-least-one-member-of       M
urn:oasis:names:tc:xacml:1.0:function:integer-union                        M
urn:oasis:names:tc:xacml:1.0:function:integer-subset                       M
urn:oasis:names:tc:xacml:1.0:function:integer-set-equals                   M
urn:oasis:names:tc:xacml:1.0:function:double-intersection                  M
urn:oasis:names:tc:xacml:1.0:function:double-at-least-one-member-of        M
urn:oasis:names:tc:xacml:1.0:function:double-union                         M
urn:oasis:names:tc:xacml:1.0:function:double-subset                        M
urn:oasis:names:tc:xacml:1.0:function:double-set-equals                    M
urn:oasis:names:tc:xacml:1.0:function:time-intersection                    M
urn:oasis:names:tc:xacml:1.0:function:time-at-least-one-member-of          M
urn:oasis:names:tc:xacml:1.0:function:time-union                           M
urn:oasis:names:tc:xacml:1.0:function:time-subset                          M
urn:oasis:names:tc:xacml:1.0:function:time-set-equals                      M
urn:oasis:names:tc:xacml:1.0:function:date-intersection                    M
urn:oasis:names:tc:xacml:1.0:function:date-at-least-one-member-of          M
urn:oasis:names:tc:xacml:1.0:function:date-union                           M
urn:oasis:names:tc:xacml:1.0:function:date-subset                          M
urn:oasis:names:tc:xacml:1.0:function:date-set-equals                      M
urn:oasis:names:tc:xacml:1.0:function:dateTime-intersection                M
urn:oasis:names:tc:xacml:1.0:function:dateTime-at-least-one-member-of      M
urn:oasis:names:tc:xacml:1.0:function:dateTime-union                       M
urn:oasis:names:tc:xacml:1.0:function:dateTime-subset                      M
urn:oasis:names:tc:xacml:1.0:function:dateTime-set-equals                  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-intersection                  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-at-least-one-member-of        M
urn:oasis:names:tc:xacml:1.0:function:anyURI-union                         M
urn:oasis:names:tc:xacml:1.0:function:anyURI-subset                        M
urn:oasis:names:tc:xacml:1.0:function:anyURI-set-equals                    M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-intersection               M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-at-least-one-member-of     M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-union                      M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-subset                     M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-set-equals                 M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-intersection            M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-union                   M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-subset                  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-set-equals              M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-intersection         M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-union                M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-subset               M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-set-equals           M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-intersection       M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-union              M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-subset             M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-set-equals         M
urn:oasis:names:tc:xacml:1.0:function:x500Name-intersection                M
urn:oasis:names:tc:xacml:1.0:function:x500Name-at-least-one-member-of      M
urn:oasis:names:tc:xacml:1.0:function:x500Name-union                       M
urn:oasis:names:tc:xacml:1.0:function:x500Name-subset                      M
urn:oasis:names:tc:xacml:1.0:function:x500Name-set-equals                  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-intersection              M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-at-least-one-member-of    M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-union                     M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-subset                    M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-set-equals                M
11 References
[DS] D. Eastlake et al., XML-Signature Syntax and Processing, http://www.w3.org/TR/xmldsig-core/, World Wide Web Consortium.
[Hancock] Hancock, Polymorphic Type Checking, in Simon L. Peyton Jones, Implementation of Functional Programming Languages, Section 8, Prentice-Hall International, 1987.
[Haskell] Haskell, a purely functional language. Available at http://www.haskell.org/
[Hinton94] Hinton, H. M., Lee, E. S., The Compatibility of Policies, Proceedings 2nd ACM Conference on Computer and Communications Security, Nov. 1994, Fairfax, Virginia, USA.
[IEEE754] IEEE Standard for Binary Floating-Point Arithmetic, 1985, ISBN 1-5593-7653-8, IEEE Product No. SH10116-TBR.
[Kudo00] Kudo, M. and Hada, S., XML document security based on provisional authorization, Proceedings of the Seventh ACM Conference on Computer and Communications Security, Nov. 2000, Athens, Greece, pp. 87-96.
[LDAP-1] RFC2256, A summary of the X.500(96) User Schema for use with LDAPv3, Section 5, M. Wahl, December 1997, http://www.ietf.org/rfc/rfc2798.txt
[LDAP-2] RFC2798, Definition of the inetOrgPerson, M. Smith, April 2000, http://www.ietf.org/rfc/rfc2798.txt
[MathML] Mathematical Markup Language (MathML) Version 2.0, W3C Recommendation, 21 February 2001. Available at http://www.w3.org/TR/MathML2/
[Perritt93] Perritt, H., Knowbots, Permissions Headers and Contract Law, Conference on Technological Strategies for Protecting Intellectual Property in the Networked Multimedia Environment, April 1993. Available at http://www.ifla.org/documents/infopol/copyright/perh2.txt
[RBAC] Role-Based Access Controls, David Ferraiolo and Richard Kuhn, 15th National Computer Security Conference, 1992. Available at http://csrc.nist.gov/rbac/
[RegEx] XML Schema Part 0: Primer, W3C Recommendation, 2 May 2001, Appendix D. Available at http://www.w3.org/TR/xmlschema-0/
[RFC2119] S. Bradner, Key words for use in RFCs to Indicate Requirement Levels, http://www.ietf.org/rfc/rfc2119.txt, IETF RFC 2119, March 1997.
[SAML] Security Assertion Markup Language, available from http://www.oasis-open.org/committees/security/#documents
[Sloman94] Sloman, M., Policy Driven Management for Distributed Systems, Journal of Network and Systems Management, Volume 2, part 4, Plenum Press, 1994.
[XF] XQuery 1.0 and XPath 2.0 Functions and Operators, W3C Working Draft, 16 August 2002. Available at http://www.w3.org/TR/2002/WD-xquery-operators-20020816/
[XS] XML Schema, parts 1 and 2. Available at http://www.w3.org/TR/xmlschema-1/ and http://www.w3.org/TR/xmlschema-2/
[XPath] XML Path Language (XPath), Version 1.0, W3C Recommendation, 16 November 1999. Available at http://www.w3.org/TR/xpath
[XSLT] XSL Transformations (XSLT) Version 1.0, W3C Recommendation, 16 November 1999. Available at http://www.w3.org/TR/xslt
Appendix A. Standard data-types, functions and their semantics (normative)
A.1 Introduction
This section contains a specification of the data-types and functions used in XACML to create predicates for a rule's condition and target matches.
This specification combines the various standards set forth by IEEE and ANSI for string representation of numeric values, as well as the evaluation of arithmetic functions.
This section describes the primitive data-types, bags and construction of expressions using XACML constructs. Finally, each standard function is named and its operational semantics are described.
A.2 Primitive types
Although XML instances represent all data-types as strings, an XACML PDP must reason about types of data that, while they have string representations, are not just strings. Types such as boolean, integer and double MUST be converted from their XML string representations to values that can be compared with values in their domain of discourse, such as numbers. The following primitive data-types are specified for use with XACML and have explicit data representations:
http://www.w3.org/2001/XMLSchema#string
http://www.w3.org/2001/XMLSchema#boolean
http://www.w3.org/2001/XMLSchema#integer
http://www.w3.org/2001/XMLSchema#double
http://www.w3.org/2001/XMLSchema#time
http://www.w3.org/2001/XMLSchema#date
http://www.w3.org/2001/XMLSchema#dateTime
http://www.w3.org/2001/XMLSchema#anyURI
http://www.w3.org/2001/XMLSchema#hexBinary
http://www.w3.org/2001/XMLSchema#base64Binary
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration
urn:oasis:names:tc:xacml:1.0:data-type:x500Name
urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name
A3 Structured typesAn XACML ltAttributeValuegt element MAY contain an instance of a structured XML data-type for example ltdsKeyInfogt XACML 10 supports several ways for comparing such ltAttributeValuegt elements
1 In some cases such an ltAttributeValuegt element MAY be compared using one of the XACML string functions such as ldquoregexp-string-matchrdquo described below This requires that the structured data ltAttributeValuegt be given the DataType=httpwwww3org2001XMLSchemastring For example a structured data-type that is actually a dsKeyInfoKeyName would appear in the Context as
ltAttributeValue DataType=httpwwww3org2001XMLSchemastringgtampltdsKeyNameampgtjhibbert-keyampltdsKeyNameampgt
ltAttributeValuegt
In general this method will not be adequate unless the structured data-type is quite simple
2 An ltAttributeSelectorgt element MAY be used to select the value of a leaf sub-element of the structured data-type by means of an XPath expression That value MAY then be compared using one of the supported XACML functions appropriate for its primitive data-type This method requires support by the PDP for the optional XPath expressions feature
3 An ltAttributeSelectorgt element MAY be used to select the value of any node in the structured data-type by means of an XPath expression This node MAY then be compared using one of the XPath-based functions described in Section A1413 This method requires support by the PDP for the optional XPath expressions and XPath functions features
A4 RepresentationsAn XACML PDP SHALL be capable of converting string representations into various primitive data-types For integers and doubles XACML SHALL use the conversions described in [IEEE754]
This document combines the various standards set forth by IEEE and ANSI for string representation of numeric values
XACML defines two additional data-types these are ldquournoasisnamestcxacml10data-typex500Namerdquo and ldquournoasisnamestcxacml10data-typerfc822Namerdquo These types represent identifiers for subjects and appear in several standard applications such as TLSSSL and electronic mail
The "urn:oasis:names:tc:xacml:1.0:data-type:x500Name" primitive type represents an X.500 Distinguished Name. The string representation of an X.500 distinguished name is specified in IETF RFC 2253, "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names" [1].
The "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" primitive type represents electronic mail addresses, and its string representation is specified by RFC 822.
[1] An earlier RFC, RFC 1779, "A String Representation of Distinguished Names", is less restrictive, so urn:oasis:names:tc:xacml:1.0:data-type:x500Name uses the syntax in RFC 2253 for better interoperability.
An RFC 822 name consists of a local-part followed by "@" followed by a domain-part. The local-part is case-sensitive, while the domain-part (which is usually a DNS host name) is not case-sensitive [2].
A.5 Bags

XACML defines implicit collections of its primitive types. XACML refers to a collection of values that are of a single primitive type as a bag. Bags of primitive types are needed because selections of nodes from an XML resource or XACML request context may return more than one value.
The <AttributeSelector> element uses an XPath expression to specify the selection of data from an XML resource. The result of an XPath expression is termed a node-set, which contains all the leaf nodes from the XML resource that match the predicate in the XPath expression. Based on the various indexing functions provided in the XPath specification, it SHALL be implied that a resultant node-set is the collection of the matching nodes. XACML also defines the <AttributeDesignator> element to have the same matching methodology for attributes in the XACML request context.
The values in a bag are not ordered, and some of the values may be duplicates. There SHALL be no notion of a bag containing bags, or a bag containing values of differing types; i.e. a bag in XACML SHALL contain only values that are of the same primitive type.
A.6 Expressions

XACML specifies expressions in terms of the following elements, of which the <Apply> and <Condition> elements recursively compose greater expressions. Valid expressions shall be type correct, which means that the types of each of the elements contained within <Apply> and <Condition> elements shall agree with the respective argument types of the function that is named by the FunctionId attribute. The resultant type of the <Apply> or <Condition> element shall be the resultant type of the function, which may be narrowed to a primitive data-type, or a bag of a primitive data-type, by type-unification. XACML defines an evaluation result of "Indeterminate", which is said to be the result of an invalid expression, or an operational error occurring during the evaluation of the expression.
XACML defines the following elements to be legal XACML expressions:

<AttributeValue>
<SubjectAttributeDesignator>
<SubjectAttributeSelector>
<ResourceAttributeDesignator>
<ActionAttributeDesignator>
<EnvironmentAttributeDesignator>
<AttributeSelector>
<Apply>
<Condition>
<Function>

[2] According to IETF RFC 822 and its successor specifications [RFC2821], case is significant in the local-part. However, many mail systems, as well as the IETF PKIX specification, treat the local-part as case-insensitive. This is considered an error by mail-system designers and is not encouraged.
A.7 Element <AttributeValue>

The <AttributeValue> element SHALL represent an explicit value of a primitive type. For example:

<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">123</AttributeValue>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">123</AttributeValue>
</Apply>
A.8 Elements <AttributeDesignator> and <AttributeSelector>

The <AttributeDesignator> and <AttributeSelector> elements SHALL evaluate to a bag of a specific primitive type. The type SHALL be inferred from the function in which it appears. Each element SHALL contain a URI or XPath expression, respectively, to identify the required attribute values. If an operational error were to occur while finding the values, the value of the element SHALL be set to "Indeterminate". If the required attribute cannot be located, then the value of the element SHALL be set to an empty bag of the inferred primitive type.
A.9 Element <Apply>

XACML function calls are represented by the <Apply> element. The function to be applied is named in the FunctionId attribute of this element. The value of the <Apply> element SHALL be set to either a primitive data-type or a bag of a primitive type, whose data-type SHALL be inferred from the FunctionId. The arguments of a function SHALL be the values of the XACML expressions that are contained as ordered elements in an <Apply> element. The legal number of arguments within an <Apply> element SHALL depend upon the FunctionId.
A.10 Element <Condition>

The <Condition> element MAY appear in the <Rule> element as the premise for emitting the corresponding effect of the rule. The <Condition> element has the same structure as the <Apply> element, with the restriction that its result SHALL be of data-type "http://www.w3.org/2001/XMLSchema#boolean". The evaluation of the <Condition> element SHALL follow the same evaluation semantics as those of the <Apply> element.
A.11 Element <Function>

The <Function> element names a standard XACML function or an extension function in its FunctionId attribute. The <Function> element MAY be used as an argument in functions that take a function as an argument.
A.12 Matching elements

Matching elements appear in the <Target> element of rules, policies and policy sets. They are the following:

<SubjectMatch>
<ResourceMatch>
<ActionMatch>
These elements represent boolean expressions over attributes of the subject, resource and action, respectively. A matching element contains a MatchId attribute that specifies the function to be used in performing the match evaluation, an attribute value, and an <AttributeDesignator> or <AttributeSelector> element that specifies the attribute in the context that is to be matched against the specified value.
The MatchId attribute SHALL specify a function that compares two arguments, returning a result type of "http://www.w3.org/2001/XMLSchema#boolean". The attribute value specified in the matching element SHALL be supplied to the MatchId function as its first argument. An element of the bag returned by the <AttributeDesignator> or <AttributeSelector> element SHALL be supplied to the MatchId function as its second argument. The data-type of the attribute value SHALL match the data-type of the first argument expected by the MatchId function. The data-type of the <AttributeDesignator> or <AttributeSelector> element SHALL match the data-type of the second argument expected by the MatchId function.
The XACML standard functions that meet the requirements for use as a MatchId attribute value are the following, where "type" stands for the name of a primitive data-type:

urn:oasis:names:tc:xacml:1.0:function:type-equal
urn:oasis:names:tc:xacml:1.0:function:type-greater-than
urn:oasis:names:tc:xacml:1.0:function:type-greater-than-or-equal
urn:oasis:names:tc:xacml:1.0:function:type-less-than
urn:oasis:names:tc:xacml:1.0:function:type-less-than-or-equal
urn:oasis:names:tc:xacml:1.0:function:type-match
In addition, functions that are strictly within an extension to XACML MAY appear as a value for the MatchId attribute, and those functions MAY use data-types that are also extensions, so long as the extension function returns a boolean result and takes an attribute value as its first argument and an <AttributeDesignator> or <AttributeSelector> as its second argument. The function used as the value for the MatchId attribute SHOULD be easily indexable. Use of non-indexable or complex functions may prevent efficient evaluation of decision requests.
The evaluation semantics for a matching element is as follows. If an operational error were to occur while evaluating the <AttributeDesignator> or <AttributeSelector> element, then the result of the entire expression SHALL be "Indeterminate". If the <AttributeDesignator> or <AttributeSelector> element were to evaluate to an empty bag, then the result of the expression SHALL be "False". Otherwise, the MatchId function SHALL be applied between the explicit attribute value and each element of the bag returned from the <AttributeDesignator> or <AttributeSelector> element. If at least one of those function applications were to evaluate to "True", then the result of the entire expression SHALL be "True". Otherwise, if at least one of the function applications results in "Indeterminate", then the result SHALL be "Indeterminate". Finally, only if all function applications evaluate to "False", the result of the entire expression SHALL be "False".
It is possible to express the semantics of a target matching element in a condition. For instance, the target match expression that compares a "subject-name" starting with the name "John" can be expressed as follows:
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
  <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
Alternatively, the same match semantics can be expressed as an <Apply> element in a condition by using the "urn:oasis:names:tc:xacml:1.0:function:any-of" function, as follows:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match"/>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
  <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
This expression of the semantics is NOT normative.
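The following is an added example, not code from the XACML specification or from any XACML implementation. It models the empty-bag and Indeterminate rules of A.8 together with the matching-element semantics of A.12, and shows the any-of form used in the non-normative <Apply> rewrite above agreeing with the <SubjectMatch> on the same request context. The context model (a dict from attribute id to a list of values), the convention that an Exception stored in the context simulates an operational error, and the use of Python's re module as a stand-in for the XML Schema regular-expression dialect of regexp-string-match are assumptions made for this example.

```python
# Added example, not from the XACML specification: matching-element
# semantics (A.12) over a constructed request context, plus the any-of
# form of the non-normative <Apply> rewrite. Context model, the
# Exception-as-error convention and the re stand-in are assumptions.
import re

INDETERMINATE = "Indeterminate"  # XACML evaluation result for errors

# AttributeId used in the <SubjectMatch> on the page.
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"


class Bag(list):
    """Unordered collection of values of one primitive type (A.5)."""


def designator(context, attribute_id):
    """Model of <AttributeDesignator> (A.8): the bag of values of the named
    attribute, an empty bag if it is absent, and Indeterminate if an
    operational error occurs while fetching it. A context entry holding an
    Exception is the constructed way of simulating that error here."""
    values = context.get(attribute_id, Bag())
    if isinstance(values, Exception):
        return INDETERMINATE
    return Bag(values)


def regexp_string_match(pattern, value):
    """Stand-in for regexp-string-match: True if the pattern matches the
    second argument. Python's re approximates the XML Schema regular
    expression dialect; an invalid pattern is an invalid expression and
    therefore yields Indeterminate (A.6)."""
    try:
        return re.search(pattern, value) is not None
    except re.error:
        return INDETERMINATE


def integer_equal(a, b):
    """integer-equal; a non-integer argument is an invalid expression."""
    if not (isinstance(a, int) and isinstance(b, int)):
        return INDETERMINATE
    return a == b


def evaluate_match(match_fn, attribute_value, bag):
    """Evaluation semantics of a matching element (A.12), in order:
    designator/selector error -> Indeterminate; empty bag -> False;
    some application True -> True; otherwise some application
    Indeterminate -> Indeterminate; all applications False -> False."""
    if bag is INDETERMINATE:
        return INDETERMINATE
    if len(bag) == 0:
        return False
    results = [match_fn(attribute_value, element) for element in bag]
    if any(r is True for r in results):
        return True
    if any(r is INDETERMINATE for r in results):
        return INDETERMINATE
    return False


def any_of(fn, value, bag):
    """The any-of higher-order function used in the <Apply> rewrite:
    apply fn(value, element) across the bag and stop at the first True.
    Stopping early is the one visible difference from evaluate_match,
    which applies the function to every element before deciding."""
    if bag is INDETERMINATE:
        return INDETERMINATE
    saw_indeterminate = False
    for element in bag:
        result = fn(value, element)
        if result is True:
            return True
        if result is INDETERMINATE:
            saw_indeterminate = True
    return INDETERMINATE if saw_indeterminate else False


def subject_named_john(context):
    """The page's <SubjectMatch>: regexp-string-match of "John" against
    the subject-id attribute of the request context."""
    return evaluate_match(regexp_string_match, "John",
                          designator(context, SUBJECT_ID))
```

A practitioner checking a PDP's target evaluation would expect exactly the four outcomes this models: a subject-id containing "John" matches, a missing subject-id gives "False" (not "Indeterminate"), a failed attribute fetch gives "Indeterminate", and a bag in which one element matches wins over other elements that error out.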
A.13 Arithmetic evaluation

IEEE 754 [IEEE 754] specifies how to evaluate arithmetic functions in a context, which specifies defaults for precision, rounding, etc. XACML SHALL use this specification for the evaluation of all integer and double functions, relying on the Extended Default Context enhanced with double precision:

flags - all set to 0
trap-enablers - all set to 0 (IEEE 854 §7), with the exception of the "division-by-zero" trap enabler, which SHALL be set to 1
precision - is set to the designated double precision
rounding - is set to round-half-even (IEEE 854 §4.1)
A.14 XACML standard functions

XACML specifies the following functions, that are prefixed with the "urn:oasis:names:tc:xacml:1.0:function:" relative name space identifier.
A.14.1 Equality predicates

The following functions are the equality functions for the various primitive types. Each function for a particular data-type follows a specified standard convention for that data-type. If an argument of one of these functions were to evaluate to "Indeterminate", then the function SHALL be set to "Indeterminate".
string-equal
This function SHALL take two arguments of "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". The function SHALL return "True" if and only if the value of both of its arguments are of equal length and each string is determined to be equal byte-by-byte according to the function "integer-equal".
boolean-equal
This function SHALL take two arguments of "http://www.w3.org/2001/XMLSchema#boolean" and SHALL return "True" if and only if both values are equal.
integer-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#integer" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation on integers according to IEEE 754 [IEEE 754].
double-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#double" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation on doubles according to IEEE 754 [IEEE 754].
date-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#date" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation according to the "op:date-equal" function [XF Section 8.3.11].
time-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#time" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation according to the "op:time-equal" function [XF Section 8.3.14].
dateTime-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#dateTime" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation according to the "op:dateTime-equal" function [XF Section 8.3.8].
dayTimeDuration-equal
This function SHALL take two arguments of data-type "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function shall perform its evaluation according to the "op:dayTimeDuration-equal" function [XF Section 8.3.5]. Note that the lexical representation of each argument MUST be converted to a value expressed in fractional seconds [XF Section 8.2.2].
yearMonthDuration-equal
This function SHALL take two arguments of data-type "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function shall perform its evaluation according to the "op:yearMonthDuration-equal" function [XF Section 8.3.2]. Note that the lexical representation of each argument MUST be converted to a value expressed in integer months [XF Section 8.2.1].
anyURI-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#anyURI" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation according to the "op:anyURI-equal" function [XF Section 10.2.1].
x500Name-equal
This function shall take two arguments of "urn:oasis:names:tc:xacml:1.0:data-type:x500Name" and shall return an "http://www.w3.org/2001/XMLSchema#boolean". It shall return "True" if and only if each Relative Distinguished Name (RDN) in the two arguments matches. Two RDNs shall be said to match if and only if the result of the following operations is "True" [3]:
1. Normalize the two arguments according to IETF RFC 2253, "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names".
2. If any RDN contains multiple attributeTypeAndValue pairs, re-order the AttributeValuePairs in that RDN in ascending order when compared as octet strings (described in ITU-T Rec. X.690 (1997 E), Section 11.6, "Set-of components").
3. Compare RDNs using the rules in IETF RFC 3280, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", Section 4.1.2.4, "Issuer".
rfc822Name-equal
This function SHALL take two arguments of data-type "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL determine whether two "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" arguments are equal. An RFC 822 name consists of a local-part followed by "@" followed by a domain-part. The local-part is case-sensitive, while the domain-part (which is usually a DNS host name) is not case-sensitive. Perform the following operations:
1. Normalize the domain-part of each argument to lower case.
2. Compare the expressions by applying the function "urn:oasis:names:tc:xacml:1.0:function:string-equal" to the normalized arguments.
[3] ITU-T Rec. X.520 contains rules for matching X.500 names, but these are very complex and require knowledge of the syntax of various AttributeTypes. IETF RFC 3280 contains simplified matching rules, that the XACML x500Name-equal function uses.
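The following is an added example, not code from the XACML specification or from any XACML implementation. It carries out the two-step rfc822Name-equal procedure and a simplified form of the three-step x500Name-equal procedure above. The distinguished-name parser handles the common RFC 2253 forms (',' or ';' between RDNs, '+' between the values of a multi-valued RDN, backslash escapes), every attribute value is compared with the RFC 3280 rule for PrintableString (case-insensitive, internal whitespace collapsed) because the string form carries no encoding information, and the octet-string ordering of step 2 is applied to the normalized text rather than to a DER encoding. Those simplifications and the function names are assumptions; the full X.520 matching rules are exactly what footnote [3] says are out of scope.

```python
# Added example, not from the XACML specification: rfc822Name-equal and a
# simplified x500Name-equal following the three steps of A.14.1. The
# parser's coverage of RFC 2253, the PrintableString comparison rule for
# all values and the text-based ordering of step 2 are assumptions.

INDETERMINATE = "Indeterminate"


def rfc822_name_equal(a, b):
    """rfc822Name-equal: lower-case the domain-part only, then compare
    with string-equal. The local-part keeps its case (RFC 822)."""
    def normalize(name):
        local, at, domain = name.rpartition("@")
        if not at or not local or not domain:
            return None                      # not an RFC 822 name
        return local + "@" + domain.lower()
    na, nb = normalize(a), normalize(b)
    if na is None or nb is None:
        return INDETERMINATE                 # invalid argument -> Indeterminate
    return na == nb


def _ava(text):
    """Split one 'type=value' token into (TYPE, value)."""
    attr_type, _, value = text.partition("=")
    return attr_type.strip().upper(), value.strip()


def parse_dn(dn):
    """Parse an RFC 2253 string into a list of RDNs, each a list of
    (attributeType, attributeValue) pairs with escapes resolved."""
    rdns, rdn, token = [], [], []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escape: next char is literal
            token.append(dn[i + 1])
            i += 2
            continue
        if ch in ",;":                           # end of this RDN
            rdn.append(_ava("".join(token)))
            rdns.append(rdn)
            rdn, token = [], []
        elif ch == "+":                          # another value in the same RDN
            rdn.append(_ava("".join(token)))
            token = []
        else:
            token.append(ch)
        i += 1
    rdn.append(_ava("".join(token)))
    rdns.append(rdn)
    return rdns


def _canonical_rdn(rdn):
    """Steps 1-3 for one RDN: normalize each value (RFC 3280 PrintableString
    rule), then order a multi-valued RDN by the octet string of its pairs."""
    pairs = [(t, " ".join(v.split()).lower()) for t, v in rdn]
    return sorted(pairs, key=lambda p: ("%s=%s" % p).encode("utf-8"))


def x500_name_equal(a, b):
    """x500Name-equal: True iff the two DNs have the same sequence of RDNs
    and every corresponding RDN matches after canonicalization."""
    try:
        rdns_a = [_canonical_rdn(r) for r in parse_dn(a)]
        rdns_b = [_canonical_rdn(r) for r in parse_dn(b)]
    except (TypeError, AttributeError):          # non-string argument
        return INDETERMINATE
    return rdns_a == rdns_b
```

The rfc822Name cases worth keeping in a test suite are the two the text singles out: a domain-part differing only in case compares equal, while a local-part differing only in case does not. For x500Name-equal the interesting inputs are a multi-valued RDN written in either order and an escaped comma inside a value, both of which a naive string comparison gets wrong.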
hexBinary-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#hexBinary" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL return "True" if the octet sequences represented by the value of both arguments have equal length and are equal in a conjunctive point-wise comparison using the "urn:oasis:names:tc:xacml:1.0:function:integer-equal". The conversion from the string representation to an octet sequence SHALL be as specified in [XS Section 8.2.15].
base64Binary-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#base64Binary" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL return "True" if the octet sequences represented by the value of both arguments have equal length and are equal in a conjunctive point-wise comparison using the "urn:oasis:names:tc:xacml:1.0:function:integer-equal". The conversion from the string representation to an octet sequence SHALL be as specified in [XS Section 8.2.16].
A.14.2 Arithmetic functions

All of the following functions SHALL take two arguments of the specified data-type, integer or double, and SHALL return an element of integer or double data-type, respectively. However, the "add" functions MAY take more than two arguments. Each function evaluation SHALL proceed as specified by their logical counterparts in IEEE 754 [IEEE 754]. In an expression that contains any of these functions, if any argument is "Indeterminate", then the expression SHALL evaluate to "Indeterminate". In the case of the divide functions, if the divisor is zero, then the function SHALL evaluate to "Indeterminate".
integer-add
This function MAY have two or more arguments.
double-add
This function MAY have two or more arguments.
integer-subtract
double-subtract
integer-multiply
double-multiply
integer-divide
double-divide
integer-mod
The following functions SHALL take a single argument of the specified data-type. The round and floor functions SHALL take a single argument of data-type "http://www.w3.org/2001/XMLSchema#double" and return data-type "http://www.w3.org/2001/XMLSchema#double". In an expression that contains any of these functions, if any argument is "Indeterminate", then the expression SHALL evaluate to "Indeterminate".
integer-abs
double-abs
round
floor
A.14.3 String conversion functions

The following functions convert between values of the XACML "http://www.w3.org/2001/XMLSchema#string" primitive types. In an expression that contains any of these functions, if any argument is "Indeterminate", then the expression SHALL evaluate to "Indeterminate".
string-normalize-space
This function SHALL take one argument of data-type "http://www.w3.org/2001/XMLSchema#string" and SHALL normalize the value by stripping off all leading and trailing whitespace characters.
string-normalize-to-lower-case
This function SHALL take one argument of "http://www.w3.org/2001/XMLSchema#string" and SHALL normalize the value by converting each upper case character to its lower case equivalent.
A.14.4 Numeric data-type conversion functions

The following functions convert between the XACML "http://www.w3.org/2001/XMLSchema#integer" and "http://www.w3.org/2001/XMLSchema#double" primitive types. In any expression in which the functions defined below are applied, if any argument, while being evaluated, results in "Indeterminate", the expression SHALL return "Indeterminate".
double-to-integer
This function SHALL take one argument of data-type "http://www.w3.org/2001/XMLSchema#double" and SHALL truncate its numeric value to a whole number and return an element of data-type "http://www.w3.org/2001/XMLSchema#integer".
integer-to-double
This function SHALL take one argument of data-type "http://www.w3.org/2001/XMLSchema#integer" and SHALL promote its value to an element of data-type "http://www.w3.org/2001/XMLSchema#double" of the same numeric value.
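The following is an added example, not code from the XACML specification or from any XACML implementation. It covers the arithmetic functions of A.14.2, the round-half-even rule of A.13 and the numeric conversions of A.14.4 in one place, with "Indeterminate" propagated through every function and the divisor-zero case handled as the text requires. Integers are Python int (XML Schema integer is unbounded) and doubles are Python float (IEEE 754 binary64). The page fixes only the divisor-zero behaviour, so the truncating sign convention chosen here for integer-divide and integer-mod, and all helper names, are assumptions.

```python
# Added example, not from the XACML specification: arithmetic (A.14.2),
# rounding (A.13) and numeric conversion (A.14.4) with Indeterminate
# propagation. Sign convention of integer-divide/-mod and the names are
# assumptions; the page only fixes the divide-by-zero case.
import math

INDETERMINATE = "Indeterminate"


def _guard(fn):
    """Wrap an arithmetic function so that an Indeterminate argument, or an
    arithmetic error raised while evaluating, yields Indeterminate."""
    def wrapper(*args):
        if any(a is INDETERMINATE for a in args):
            return INDETERMINATE
        try:
            return fn(*args)
        except (ZeroDivisionError, OverflowError, ValueError):
            return INDETERMINATE
    return wrapper


@_guard
def integer_add(*args):
    """integer-add MAY take two or more arguments."""
    if len(args) < 2:
        return INDETERMINATE
    return sum(args)


@_guard
def double_add(*args):
    """double-add: left-to-right IEEE 754 additions, two or more arguments."""
    if len(args) < 2:
        return INDETERMINATE
    total = args[0]
    for a in args[1:]:
        total += a
    return total


@_guard
def integer_subtract(a, b): return a - b
@_guard
def integer_multiply(a, b): return a * b
@_guard
def double_subtract(a, b): return a - b
@_guard
def double_multiply(a, b): return a * b
@_guard
def integer_abs(a): return abs(a)
@_guard
def double_abs(a): return abs(a)


@_guard
def integer_divide(a, b):
    """integer-divide, truncating toward zero; b == 0 -> Indeterminate."""
    if b == 0:
        raise ZeroDivisionError("integer-divide by zero")
    q = abs(a) // abs(b)
    return q if (a >= 0) == (b >= 0) else -q


@_guard
def integer_mod(a, b):
    """integer-mod: remainder of the truncating division above, so its sign
    follows the dividend; b == 0 -> Indeterminate."""
    if b == 0:
        raise ZeroDivisionError("integer-mod by zero")
    return a - b * integer_divide(a, b)


@_guard
def double_divide(a, b):
    """double-divide: a zero divisor raises ZeroDivisionError in Python,
    which plays the role of the division-by-zero trap enabled in A.13."""
    return a / b


@_guard
def xacml_round(x):
    """round: nearest whole number, ties to even (A.13), returned as a
    double. Python's round() on a float already uses round-half-even."""
    return float(round(x))


@_guard
def xacml_floor(x):
    return float(math.floor(x))


@_guard
def double_to_integer(x):
    """double-to-integer: truncate toward zero; NaN or infinity is an error."""
    return math.trunc(x)


@_guard
def integer_to_double(n):
    """integer-to-double: promote; an integer too large for a double raises
    OverflowError and so becomes Indeterminate."""
    return float(n)
```

The checks a practitioner usually wants from a PDP's arithmetic are the edge cases rather than the happy path: a zero divisor for both integer and double division, "Indeterminate" flowing through a multi-argument add, a NaN reaching double-to-integer, and the tie-breaking direction of round (2.5 and 3.5 both round to the even neighbour).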
A.14.5 Logical functions

This section contains the specification for logical functions that operate on arguments of the "http://www.w3.org/2001/XMLSchema#boolean" data-type.
or
This function SHALL return "False" if it has no arguments and SHALL return "True" if one of its arguments evaluates to "True". The order of evaluation SHALL be from first argument to last. The evaluation SHALL stop with a result of "True" if any argument evaluates to "True", leaving the rest of the arguments unevaluated. In an expression that contains any of these functions, if ANY argument to this function evaluates to "Indeterminate", then the expression SHALL evaluate to "Indeterminate".
and
This function SHALL return "True" if it has no arguments and SHALL return "False" if one of its arguments evaluates to "False". The order of evaluation SHALL be from first argument to last. The evaluation SHALL stop with a result of "False" if any argument evaluates to "False", leaving the rest of the arguments unevaluated. In an expression that contains any of these functions, if ANY argument to this function evaluates to "Indeterminate", then the expression SHALL evaluate to "Indeterminate".
n-of
The first argument to this function SHALL be of data-type "http://www.w3.org/2001/XMLSchema#integer", specifying the number of the remaining arguments that MUST evaluate to "True" for the expression to be considered "True". If the first argument is 0, the result SHALL be "True". If the number of arguments after the first one is less than the value of the first argument, then the expression SHALL result in "Indeterminate". The order of evaluation SHALL be: first evaluate the integer value, then evaluate each subsequent argument. The evaluation SHALL stop and return "True" if the specified number of arguments evaluate to "True". The evaluation of arguments SHALL stop if it is determined that evaluating the remaining arguments will not satisfy the requirement. In an expression that contains any of these functions, if ANY argument to this function evaluates to "Indeterminate", then the expression SHALL evaluate to "Indeterminate".
not
This function SHALL take one logical argument. If the argument evaluates to "True", then the result of the expression SHALL be "False". If the argument evaluates to "False", then the result of the expression SHALL be "True". In an expression that contains any of these functions, if ANY argument to this function evaluates to "Indeterminate", then the expression SHALL evaluate to "Indeterminate".
Note: For an expression that is an application of AND, OR or N-OF, it MAY NOT be necessary to attempt a full evaluation of each boolean argument to a truth value in order to determine whether the evaluation of the argument would result in "Indeterminate". Analysis of the argument regarding its necessary attributes, or other analysis regarding errors such as divide-by-zero, may render the argument error free. Such arguments, occurring in the expression in a position after the evaluation is stated to stop, need not be processed.
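The following is an added example, not code from the XACML specification or from any XACML implementation. It implements the four logical functions of A.14.5 with the specified left-to-right order, the early stop for or, and and n-of, and "Indeterminate" propagation from any argument that is actually evaluated; arguments after the stopping point are never touched, which is the behaviour the note above permits. Arguments are passed as zero-argument callables so that "leaving the rest of the arguments unevaluated" is observable; that thunk model, the recording helper and the function names are assumptions.

```python
# Added example, not from the XACML specification: or, and, n-of and not
# (A.14.5) with ordered, short-circuit evaluation and Indeterminate
# propagation. The thunk model and the helper names are assumptions.

INDETERMINATE = "Indeterminate"


def const(value, log=None, name=None):
    """Build an argument thunk that records its evaluation in log (a list)
    so that a test can see which arguments were actually evaluated."""
    def thunk():
        if log is not None:
            log.append(name)
        return value
    return thunk


def xacml_or(*args):
    """or: False with no arguments; stops with True at the first True
    argument; an evaluated argument that is Indeterminate makes the
    whole expression Indeterminate."""
    for arg in args:
        value = arg()
        if value is INDETERMINATE:
            return INDETERMINATE
        if value is True:
            return True
    return False


def xacml_and(*args):
    """and: True with no arguments; stops with False at the first False
    argument; Indeterminate propagates as for or."""
    for arg in args:
        value = arg()
        if value is INDETERMINATE:
            return INDETERMINATE
        if value is False:
            return False
    return True


def xacml_n_of(n, *args):
    """n-of: n (an integer) is how many of the remaining arguments must be
    True. n == 0 -> True without evaluating anything; fewer than n
    remaining arguments -> Indeterminate; otherwise evaluate in order and
    stop as soon as n Trues are seen (True) or as soon as the arguments
    still unevaluated can no longer reach n (False)."""
    if n == 0:
        return True
    if len(args) < n:
        return INDETERMINATE
    needed, remaining = n, len(args)
    for arg in args:
        value = arg()
        remaining -= 1
        if value is INDETERMINATE:
            return INDETERMINATE
        if value is True:
            needed -= 1
            if needed == 0:
                return True
        if remaining < needed:
            return False
    return False


def xacml_not(arg):
    """not: inverts its single argument; Indeterminate stays Indeterminate."""
    value = arg()
    if value is INDETERMINATE:
        return INDETERMINATE
    return not value
```

The cases worth checking against a PDP are the ones where the order matters: an "Indeterminate" argument after a "True" does not disturb an or, but an "Indeterminate" argument before it does; and n-of stops early in both directions, once enough "True" values have been seen and once too few arguments remain.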
A.14.6 Arithmetic comparison functions

These functions form a minimal set for comparing two numbers, yielding a boolean result. They SHALL comply with the rules governed by IEEE 754 [IEEE 754]. In an expression that contains any of these functions, if any argument is "Indeterminate", then the expression SHALL evaluate to "Indeterminate".
integer-greater-than
integer-greater-than-or-equal
integer-less-than
integer-less-than-or-equal
double-greater-than
double-greater-than-or-equal
double-less-than
double-less-than-or-equal
A.14.7 Date and time arithmetic functions

These functions perform arithmetic operations with the date and time. In an expression that contains any of these functions, if any argument is "Indeterminate", then the expression SHALL evaluate to "Indeterminate".
dateTime-add-dayTimeDuration
This function SHALL take two arguments: the first is of data-type "http://www.w3.org/2001/XMLSchema#dateTime" and the second is of data-type "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#dateTime". This function SHALL return the value by adding the second argument to the first argument according to the specification of adding durations to date and time [XS Appendix E].
dateTime-add-yearMonthDuration
This function SHALL take two arguments: the first is a "http://www.w3.org/2001/XMLSchema#dateTime" and the second is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#dateTime". This function SHALL return the value by adding the second argument to the first argument according to the specification of adding durations to date and time [XS Appendix E].
dateTime-subtract-dayTimeDuration
This function SHALL take two arguments: the first is a "http://www.w3.org/2001/XMLSchema#dateTime" and the second is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#dateTime". If the second argument is a positive duration, then this function SHALL return the value by adding the corresponding negative duration, as per the specification [XS Appendix E]. If the second argument is a negative duration, then the result SHALL be as if the function "urn:oasis:names:tc:xacml:1.0:function:dateTime-add-dayTimeDuration" had been applied to the corresponding positive duration.
dateTime-subtract-yearMonthDuration
This function SHALL take two arguments: the first is a "http://www.w3.org/2001/XMLSchema#dateTime" and the second is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#dateTime". If the second argument is a positive duration, then this function SHALL return the value by adding the corresponding negative duration, as per the specification [XS Appendix E]. If the second argument is a negative duration, then the result SHALL be as if the function "urn:oasis:names:tc:xacml:1.0:function:dateTime-add-yearMonthDuration" had been applied to the corresponding positive duration.
date-add-yearMonthDuration
This function SHALL take two arguments: the first is a "http://www.w3.org/2001/XMLSchema#date" and the second is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#date". This function SHALL return the value by adding the second argument to the first argument according to the specification of adding durations to date [XS Appendix E].
date-subtract-yearMonthDuration
This function SHALL take two arguments: the first is a "http://www.w3.org/2001/XMLSchema#date" and the second is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#date". If the second argument is a positive duration, then this function SHALL return the value by adding the corresponding negative duration, as per the specification [XS Appendix E]. If the second argument is a negative duration, then the result SHALL be as if the function "urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration" had been applied to the corresponding positive duration.
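The following is an added example, not code from the XACML specification or from any XACML implementation. It carries out the date and dateTime arithmetic functions of A.14.7: yearMonthDuration arithmetic follows the XML Schema Appendix E algorithm (carry months into years, then clamp the day to the length of the resulting month, which is what makes 31 January plus one month land on the last day of February), and dayTimeDuration arithmetic is an exact span on the time line. The subtract variants are written exactly as the text defines them, as the add function applied to the negated duration. Durations are represented as a signed number of months or as a datetime.timedelta, standing in for their lexical forms; that representation, the ISO 8601-only parsing helpers and the function names are assumptions.

```python
# Added example, not from the XACML specification: date/dateTime plus
# yearMonthDuration (XS Appendix E month carry and day clamping) and plus
# dayTimeDuration (exact time-line arithmetic). Duration representation,
# the parsing helpers and the names are assumptions.
import calendar
import datetime

INDETERMINATE = "Indeterminate"


def parse_date(text):
    """String representation -> date (A.4); ISO 8601 form only here."""
    return datetime.date.fromisoformat(text)


def parse_datetime(text):
    """String representation -> dateTime (A.4); ISO 8601 form only here."""
    return datetime.datetime.fromisoformat(text)


def day_time_duration(days=0, hours=0, minutes=0, seconds=0):
    """A dayTimeDuration as an exact span on the time line."""
    return datetime.timedelta(days=days, hours=hours, minutes=minutes,
                              seconds=seconds)


def _add_months(value, months):
    """XS Appendix E for a yearMonthDuration: month arithmetic with carry
    into the year, then day = min(day, maximumDayInMonthFor(year, month))."""
    total = value.year * 12 + (value.month - 1) + months
    year, month = divmod(total, 12)
    month += 1
    day = min(value.day, calendar.monthrange(year, month)[1])
    return value.replace(year=year, month=month, day=day)


def _year_month_add(value, months, sign=1):
    """Shared body of the four yearMonthDuration functions; sign=-1 turns
    an add into the corresponding subtract."""
    if value is INDETERMINATE or months is INDETERMINATE:
        return INDETERMINATE
    try:
        return _add_months(value, sign * months)
    except (ValueError, OverflowError):   # e.g. year outside the supported range
        return INDETERMINATE


def _day_time_add(value, delta, sign=1):
    if value is INDETERMINATE or delta is INDETERMINATE:
        return INDETERMINATE
    try:
        return value + sign * delta
    except OverflowError:
        return INDETERMINATE


def datetime_add_year_month_duration(dt, months):
    return _year_month_add(dt, months)


def datetime_subtract_year_month_duration(dt, months):
    """Subtracting a positive duration adds the corresponding negative one;
    subtracting a negative duration is the same as adding its positive."""
    return _year_month_add(dt, months, sign=-1)


def date_add_year_month_duration(d, months):
    return _year_month_add(d, months)


def date_subtract_year_month_duration(d, months):
    return _year_month_add(d, months, sign=-1)


def datetime_add_day_time_duration(dt, delta):
    return _day_time_add(dt, delta)


def datetime_subtract_day_time_duration(dt, delta):
    return _day_time_add(dt, delta, sign=-1)
```

The day-clamping step is the one most often missed when these functions are hand-written in a policy engine: adding one month to 31 January must give 28 February (29 in a leap year), and subtracting one month from 31 March must give the same end-of-February date, not an error or a roll-over into March.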
A.14.8 Non-numeric comparison functions

These functions perform comparison operations on two arguments of non-numerical types. In an expression that contains any of these functions, if any argument is "Indeterminate", then the expression SHALL evaluate to "Indeterminate".
string-greater-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return "True" if and only if the arguments are compared byte by byte and, after an initial prefix of corresponding bytes from both arguments that are considered equal by "urn:oasis:names:tc:xacml:1.0:function:integer-equal", the next byte by byte comparison is such that the byte from the first argument is greater than the byte from the second argument by the use of the function "urn:oasis:names:tc:xacml:1.0:function:integer-equal".
string-greater-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return a result as if evaluated with the logical function "urn:oasis:names:tc:xacml:1.0:function:or" with two arguments containing the functions "urn:oasis:names:tc:xacml:1.0:function:string-greater-than" and "urn:oasis:names:tc:xacml:1.0:function:string-equal" containing the original arguments.
string-less-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return "True" if and only if the arguments are compared byte by byte and, after an initial prefix of corresponding bytes from both arguments that are considered equal by "urn:oasis:names:tc:xacml:1.0:function:integer-equal", the next byte by byte comparison is such that the byte from the first argument is less than the byte from the second argument by the use of the function "urn:oasis:names:tc:xacml:1.0:function:integer-less-than".
string-less-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return a result as if evaluated with the function "urn:oasis:names:tc:xacml:1.0:function:or" with two arguments containing the functions "urn:oasis:names:tc:xacml:1.0:function:string-less-than" and "urn:oasis:names:tc:xacml:1.0:function:string-equal" containing the original arguments.
time-greater-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#time" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is greater than the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#time" [XS] Section 3.2.8.
time-greater-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#time" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is greater than or equal to the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#time" [XS] Section 3.2.8.
time-less-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#time" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is less than the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#time" [XS] Section 3.2.8.
time-less-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#time" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is less than or equal to the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#time" [XS] Section 3.2.8.
dateTime-greater-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#dateTime" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is greater than the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#dateTime" [XS] Section 3.2.7.
dateTime-greater-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#dateTime" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is greater than or equal to the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#dateTime" [XS] Section 3.2.7.
dateTime-less-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#dateTime" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is less than the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#dateTime" [XS] Section 3.2.7.
dateTime-less-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#dateTime" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is less than or equal to the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#dateTime" [XS] Section 3.2.7.
date-greater-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#date" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is greater than the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#date" [XS] Section 3.2.9.
date-greater-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#date" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is greater than or equal to the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#date" [XS] Section 3.2.9.
date-less-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#date" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is less than the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#date" [XS] Section 3.2.9.
date-less-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#date" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is less than or equal to the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#date" [XS] Section 3.2.9.
A.14.9 Bag functions
These functions operate on a bag of type values, where data-type is one of the primitive types. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate. Some additional conditions defined for each function below SHALL cause the expression to evaluate to Indeterminate.
type-one-and-only
This function SHALL take an argument of a bag of type values and SHALL return a value of data-type type. It SHALL return the only value in the bag. If the bag does not have one and only one value, then the expression SHALL evaluate to Indeterminate.
type-bag-size
This function SHALL take a bag of type values as an argument and SHALL return an "http://www.w3.org/2001/XMLSchema#integer" indicating the number of values in the bag.
type-is-in
This function SHALL take an argument of data-type type as the first argument and a bag of type values as the second argument. The expression SHALL evaluate to True if the first argument matches, by urn:oasis:names:tc:xacml:1.0:function:type-equal, any value in the bag.
type-bag
This function SHALL take any number of arguments of a single data-type and return a bag of type values containing the values of the arguments. An application of this function to zero arguments SHALL produce an empty bag of the specified data-type.
A.14.10 Set functions
These functions operate on bags mimicking sets by eliminating duplicate elements from a bag. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.
type-intersection
This function SHALL take two arguments that are both a bag of type values. The expression SHALL return a bag of type values such that it contains only elements that are common between the two bags, which is determined by urn:oasis:names:tc:xacml:1.0:function:type-equal. No duplicates, as determined by urn:oasis:names:tc:xacml:1.0:function:type-equal, SHALL exist in the result.
type-at-least-one-member-of
This function SHALL take two arguments that are both a bag of type values. The expression SHALL evaluate to True if at least one element of the first argument is contained in the second argument, as determined by urn:oasis:names:tc:xacml:1.0:function:type-is-in.
type-union
This function SHALL take two arguments that are both a bag of type values. The expression SHALL return a bag of type such that it contains all elements of both bags. No duplicates, as determined by urn:oasis:names:tc:xacml:1.0:function:type-equal, SHALL exist in the result.
type-subset
This function SHALL take two arguments that are both a bag of type values. It SHALL return True if the first argument is a subset of the second argument. Each argument is considered to have its duplicates removed, as determined by urn:oasis:names:tc:xacml:1.0:function:type-equal, before subset calculation.
type-set-equals
This function SHALL take two arguments that are both a bag of type values and SHALL return the result of applying urn:oasis:names:tc:xacml:1.0:function:and to the application of urn:oasis:names:tc:xacml:1.0:function:type-subset to the first and second arguments and the application of urn:oasis:names:tc:xacml:1.0:function:type-subset to the second and first arguments.
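The bag functions of A.14.9 and the set functions of A.14.10, implemented in Python as an added example (this is not code from the specification). It represents a bag as a Python list that keeps duplicates, uses Python equality in place of type-equal, and stands in for Indeterminate with a constructed sentinel object; the sentinel and the helper names are this example's own assumptions. The point a practitioner most often trips over is visible in the code: type-bag-size counts duplicates, while the set functions silently remove them, and any Indeterminate element anywhere in an argument bag makes the whole expression Indeterminate.

```python
from typing import Any, List

# Sentinel standing in for the XACML "Indeterminate" result (constructed for this example).
INDETERMINATE = object()


def _indeterminate(*args: Any) -> bool:
    """True if any argument, or any element of a bag argument, is Indeterminate."""
    for arg in args:
        if arg is INDETERMINATE:
            return True
        if isinstance(arg, list) and any(x is INDETERMINATE for x in arg):
            return True
    return False


def _dedupe(bag: List[Any]) -> List[Any]:
    """Drop duplicates as determined by type-equal (Python == here), keeping first occurrences."""
    result: List[Any] = []
    for value in bag:
        if value not in result:
            result.append(value)
    return result


# A.14.9 bag functions

def one_and_only(bag: List[Any]) -> Any:
    """type-one-and-only: the sole element of a one-element bag, otherwise Indeterminate."""
    if _indeterminate(bag) or len(bag) != 1:
        return INDETERMINATE
    return bag[0]


def bag_size(bag: List[Any]) -> Any:
    """type-bag-size: number of values in the bag (duplicates are counted)."""
    return INDETERMINATE if _indeterminate(bag) else len(bag)


def is_in(value: Any, bag: List[Any]) -> Any:
    """type-is-in: True if value is type-equal to some element of the bag."""
    return INDETERMINATE if _indeterminate(value, bag) else any(value == x for x in bag)


def make_bag(*values: Any) -> Any:
    """type-bag: a bag of the arguments; zero arguments give an empty bag."""
    return INDETERMINATE if _indeterminate(*values) else list(values)


# A.14.10 set functions

def intersection(a: List[Any], b: List[Any]) -> Any:
    """type-intersection: elements common to both bags, without duplicates."""
    if _indeterminate(a, b):
        return INDETERMINATE
    return [x for x in _dedupe(a) if x in b]


def at_least_one_member_of(a: List[Any], b: List[Any]) -> Any:
    """type-at-least-one-member-of: some element of a is in b (via type-is-in)."""
    if _indeterminate(a, b):
        return INDETERMINATE
    return any(is_in(x, b) for x in a)


def union(a: List[Any], b: List[Any]) -> Any:
    """type-union: all elements of both bags, without duplicates."""
    return INDETERMINATE if _indeterminate(a, b) else _dedupe(a + b)


def subset(a: List[Any], b: List[Any]) -> Any:
    """type-subset: every de-duplicated element of a is in b; the empty bag is a subset of any bag."""
    if _indeterminate(a, b):
        return INDETERMINATE
    return all(x in b for x in _dedupe(a))


def set_equals(a: List[Any], b: List[Any]) -> Any:
    """type-set-equals: and(type-subset(a, b), type-subset(b, a))."""
    if _indeterminate(a, b):
        return INDETERMINATE
    return subset(a, b) and subset(b, a)
```

The de-duplication helper is quadratic, which is fine for the small bags a request context carries; a production PDP would hash values per data-type instead, but the observable results are the same.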
A.14.11 Higher-order bag functions
This section describes functions in XACML that perform operations on bags such that functions may be applied to the bags in general.
In this section, a general-purpose functional language called Haskell [Haskell] is used to formally specify the semantics of these functions. Although the English description is adequate, a formal specification of the semantics is helpful.
For a quick summary, in the following Haskell notation a function definition takes the form of clauses that are applied to patterns of structures, namely lists. The symbol "[]" denotes the empty list, whereas the expression "(x:xs)" matches against an argument of a non-empty list, of which "x" represents the first element of the list and "xs" is the rest of the list, which may be an empty list. We use the Haskell notion of a list, which is an ordered collection of elements, to model the XACML bags of values.
A simple Haskell definition of a familiar function, "urn:oasis:names:tc:xacml:1.0:function:and", that takes a list of booleans is defined as follows:
and :: [Bool] -> Bool
and [] = True
and (x:xs) = x && (and xs)
The first definition line, denoted by a "::", formally describes the data-type of the function, which takes a list of booleans, denoted by "[Bool]", and returns a boolean, denoted by "Bool". The second definition line is a clause that states that the function "and" applied to the empty list is True. The third definition line is a clause that states that, for a non-empty list whose first element is "x", a value of data-type Bool, the function "and" applied to the list SHALL be x combined, using the logical conjunction function denoted by the infix symbol "&&", with the result of recursively applying the function "and" to the rest of the list. Of course, an application of the "and" function is True if and only if the list to which it is applied is empty or every element of the list is True. For example, the evaluation of the following Haskell expressions
(and []), (and [True]), (and [True,True]), (and [True,True,False])
evaluate to True, True, True and False, respectively.
In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.
any-of
This function applies a boolean function between a specific primitive value and a bag of values, and SHALL return True if and only if the predicate is True for at least one element of the bag.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a value of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element is applied to the second argument and each element of the third argument (the bag), and the results are combined with "urn:oasis:names:tc:xacml:1.0:function:or".
In Haskell, the semantics of this operation are as follows:
any_of :: (a -> b -> Bool) -> a -> [b] -> Bool
any_of f a [] = False
any_of f a (x:xs) = (f a x) || (any_of f a xs)
In the above notation, "f" is the function name to be applied, "a" is the primitive value and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression SHALL return True:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Paul</AttributeValue>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Paul</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">George</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Ringo</AttributeValue>
  </Apply>
</Apply>
This expression is True because the first argument is equal to at least one of the elements of the bag.
all-of
This function applies a boolean function between a specific primitive value and a bag of values, and returns True if and only if the predicate is True for every element of the bag.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a value of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied to the second argument and each element of the third argument (the bag), and the results were combined using "urn:oasis:names:tc:xacml:1.0:function:and".
In Haskell, the semantics of this operation are as follows:
all_of :: (a -> b -> Bool) -> a -> [b] -> Bool
all_of f a [] = True
all_of f a (x:xs) = (f a x) && (all_of f a xs)
In the above notation, "f" is the function name to be applied, "a" is the primitive value and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression SHALL evaluate to True:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:all-of">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater"/>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">10</AttributeValue>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">9</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">4</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</AttributeValue>
  </Apply>
</Apply>
This expression is True because the first argument is greater than all of the elements of the bag.
any-of-any
This function applies a boolean function between each element of a bag of values and each element of another bag of values, and returns True if and only if the predicate is True for at least one comparison.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a bag of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied between every element in the second argument and every element of the third argument (the bag), and the results were combined using "urn:oasis:names:tc:xacml:1.0:function:or". The semantics are that the result of the expression SHALL be True if and only if the applied predicate is True for any comparison of elements from the two bags.
In Haskell, taking advantage of the "any_of" function defined above, the semantics of the "any_of_any" function are as follows:
any_of_any :: (a -> b -> Bool) -> [a] -> [b] -> Bool
any_of_any f [] ys = False
any_of_any f (x:xs) ys = (any_of f x ys) || (any_of_any f xs ys)
In the above notation, "f" is the function name to be applied and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression SHALL evaluate to True:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Ringo</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Mary</AttributeValue>
  </Apply>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Paul</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">George</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Ringo</AttributeValue>
  </Apply>
</Apply>
This expression is True because at least one of the elements of the first bag, namely "Ringo", is equal to at least one of the string values of the second bag.
all-of-any
This function applies a boolean function between the elements of two bags. The expression is True if and only if the predicate is True between each and all of the elements of the first bag collectively against at least one element of the second bag.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a bag of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied between every element in the second argument and every element of the third argument (the bag) using "urn:oasis:names:tc:xacml:1.0:function:and". The semantics are that the result of the expression SHALL be True if and only if the applied predicate is True for each element of the first bag and any element of the second bag.
In Haskell, taking advantage of the "any_of" function defined in Haskell above, the semantics of the "all_of_any" function are as follows:
all_of_any :: (a -> b -> Bool) -> [a] -> [b] -> Bool
all_of_any f [] ys = True
all_of_any f (x:xs) ys = (any_of f x ys) && (all_of_any f xs ys)
In the above notation, "f" is the function name to be applied and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression SHALL evaluate to True:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:all-of-any">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater"/>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">10</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">20</AttributeValue>
  </Apply>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">5</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">21</AttributeValue>
  </Apply>
</Apply>
This expression is True because all of the elements of the first bag, each of "10" and "20", are greater than at least one of the integer values "1", "3", "5", "21" of the second bag.
any-of-all
This function applies a boolean function between the elements of two bags. The expression SHALL be True if and only if the predicate is True between at least one of the elements of the first bag collectively against all the elements of the second bag.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a bag of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied between every element in the second argument and every element of the third argument (the bag), and the results were combined using "urn:oasis:names:tc:xacml:1.0:function:or". The semantics are that the result of the expression SHALL be True if and only if the applied predicate is True for any element of the first bag compared to all the elements of the second bag.
In Haskell, taking advantage of the "all_of" function defined in Haskell above, the semantics of the "any_of_all" function are as follows:
any_of_all :: (a -> b -> Bool) -> [a] -> [b] -> Bool
any_of_all f [] ys = False
any_of_all f (x:xs) ys = (all_of f x ys) || (any_of_all f xs ys)
In the above notation, "f" is the function name to be applied and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression SHALL evaluate to True:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-all">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater"/>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">5</AttributeValue>
  </Apply>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">4</AttributeValue>
  </Apply>
</Apply>
This expression is True because at least one element of the first bag, namely "5", is greater than all of the integer values "1", "2", "3", "4" of the second bag.
all-of-all
This function applies a boolean function between the elements of two bags. The expression SHALL be True if and only if the predicate is True between each and all of the elements of the first bag collectively against all the elements of the second bag.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a bag of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression is evaluated as if the function named in the <Function> element were applied between every element in the second argument and every element of the third argument (the bag), and the results were combined using "urn:oasis:names:tc:xacml:1.0:function:and". The semantics are that the result of the expression is True if and only if the applied predicate is True for all elements of the first bag compared to all the elements of the second bag.
In Haskell, taking advantage of the "all_of" function defined in Haskell above, the semantics of the "all_of_all" function are as follows:
all_of_all :: (a -> b -> Bool) -> [a] -> [b] -> Bool
all_of_all f [] ys = True
all_of_all f (x:xs) ys = (all_of f x ys) && (all_of_all f xs ys)
In the above notation, "f" is the function name to be applied and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression SHALL evaluate to True:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:all-of-all">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater"/>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">6</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">5</AttributeValue>
  </Apply>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">4</AttributeValue>
  </Apply>
</Apply>
This expression is True because all elements of the first bag, "5" and "6", are each greater than all of the integer values "1", "2", "3", "4" of the second bag.
map
This function converts a bag of values to another bag of values.
This function SHALL take two arguments. The first argument SHALL be a <Function> element naming a function that takes a single argument of a primitive data-type and returns a value of a primitive data-type. The second argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied to each element in the bag, resulting in a bag of the converted values. The result SHALL be a bag of the primitive data-type that is the same data-type that is returned by the function named in the <Function> element.
In Haskell, this function is defined as follows:
map :: (a -> b) -> [a] -> [b]
map f [] = []
map f (x:xs) = (f x) : (map f xs)
In the above notation, "f" is the function name to be applied and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:map">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-normalize-to-lower-case"/>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Hello</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">World</AttributeValue>
  </Apply>
</Apply>
evaluates to a bag containing "hello" and "world".
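A small evaluator for the higher-order bag functions of A.14.11 (any-of through map), written in Python as an added example; it is not code from the specification. It parses <Apply> expressions of the shape shown in this section with unqualified element names, supports only the primitive functions the examples above name (with "integer-greater" spelled as these examples spell it), stands in for Indeterminate with a constructed sentinel object, and re-types two of the examples above as constructed input. The all-* forms return True for an empty bag, because combining zero results with "and" gives True (and [] = True), while the any-* forms return False for the same reason with "or".

```python
import xml.etree.ElementTree as ET
from typing import Any, Callable, Dict

XACML_FN = "urn:oasis:names:tc:xacml:1.0:function:"
XS = "http://www.w3.org/2001/XMLSchema#"

# Sentinel standing in for the XACML "Indeterminate" result (constructed for this example).
INDETERMINATE = object()

# Primitive functions named by the examples on this page; "integer-greater" is spelled as the page spells it.
PRIMITIVES: Dict[str, Callable[..., Any]] = {
    "string-equal": lambda a, b: a == b,
    "integer-greater": lambda a, b: a > b,
    "string-normalize-to-lower-case": lambda s: s.lower(),
}


def any_of(f, a, bag):
    """any_of f a xs: True if f a x holds for some x in xs; False for an empty bag (or [] = False)."""
    return any(f(a, x) for x in bag)


def all_of(f, a, bag):
    """all_of f a xs: True if f a x holds for every x in xs; True for an empty bag (and [] = True)."""
    return all(f(a, x) for x in bag)


# The two-bag forms, built from any_of / all_of the way the Haskell definitions on this page build them.
HIGHER_ORDER: Dict[str, Callable[..., Any]] = {
    "any-of": any_of,
    "all-of": all_of,
    "any-of-any": lambda f, xs, ys: any(any_of(f, x, ys) for x in xs),
    "all-of-any": lambda f, xs, ys: all(any_of(f, x, ys) for x in xs),
    "any-of-all": lambda f, xs, ys: any(all_of(f, x, ys) for x in xs),
    "all-of-all": lambda f, xs, ys: all(all_of(f, x, ys) for x in xs),
}


def parse_value(el: ET.Element) -> Any:
    """Convert an <AttributeValue> element to a Python value according to its DataType."""
    data_type, text = el.get("DataType"), (el.text or "").strip()
    if data_type == XS + "integer":
        return int(text)
    if data_type == XS + "string":
        return text
    return INDETERMINATE  # data-type not supported by this toy evaluator


def evaluate(el: ET.Element) -> Any:
    """Evaluate an <Apply> tree; an Indeterminate argument makes the whole expression Indeterminate."""
    if el.tag == "AttributeValue":
        return parse_value(el)
    if el.tag == "Function":  # a <Function> argument denotes the primitive to apply
        return PRIMITIVES.get(el.get("FunctionId", "").replace(XACML_FN, ""), INDETERMINATE)
    if el.tag != "Apply":
        return INDETERMINATE
    name = el.get("FunctionId", "").replace(XACML_FN, "")
    args = [evaluate(child) for child in el]
    if any(a is INDETERMINATE for a in args):
        return INDETERMINATE
    if name.endswith("-bag"):  # string-bag, integer-bag: collect the arguments into a bag
        return list(args)
    if name == "map":  # map f xs = [f x | x <- xs]
        f, bag = args
        return [f(x) for x in bag]
    if name in HIGHER_ORDER:
        return HIGHER_ORDER[name](*args)
    if name in PRIMITIVES:
        return PRIMITIVES[name](*args)
    return INDETERMINATE  # unknown function identifier


def evaluate_xml(xml_text: str) -> Any:
    """Parse one <Apply> expression (unqualified element names) and evaluate it."""
    return evaluate(ET.fromstring(xml_text.strip()))


# The any-of-all example from this page, re-typed as constructed input for this evaluator.
ANY_OF_ALL_EXAMPLE = f"""
<Apply FunctionId="{XACML_FN}any-of-all">
  <Function FunctionId="{XACML_FN}integer-greater"/>
  <Apply FunctionId="{XACML_FN}integer-bag">
    <AttributeValue DataType="{XS}integer">3</AttributeValue>
    <AttributeValue DataType="{XS}integer">5</AttributeValue>
  </Apply>
  <Apply FunctionId="{XACML_FN}integer-bag">
    <AttributeValue DataType="{XS}integer">1</AttributeValue>
    <AttributeValue DataType="{XS}integer">2</AttributeValue>
    <AttributeValue DataType="{XS}integer">3</AttributeValue>
    <AttributeValue DataType="{XS}integer">4</AttributeValue>
  </Apply>
</Apply>"""

# The map example from this page, likewise re-typed as constructed input.
MAP_EXAMPLE = f"""
<Apply FunctionId="{XACML_FN}map">
  <Function FunctionId="{XACML_FN}string-normalize-to-lower-case"/>
  <Apply FunctionId="{XACML_FN}string-bag">
    <AttributeValue DataType="{XS}string">Hello</AttributeValue>
    <AttributeValue DataType="{XS}string">World</AttributeValue>
  </Apply>
</Apply>"""
```

Two properties worth checking against a real PDP are visible here: an unknown FunctionId inside <Function> does not silently evaluate to False but propagates Indeterminate through every enclosing <Apply>, and the all-* forms with an empty bag argument return True, so a policy that uses all-of to gate access must make sure the bag cannot be empty (for instance with type-bag-size) if an empty bag is not meant to grant.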
A.14.12 Special match functions
These functions operate on various types and evaluate to "http://www.w3.org/2001/XMLSchema#boolean" based on the specified standard matching algorithm. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.
regexp-string-match
This function decides a regular expression match. It SHALL take two arguments of "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". The first argument SHALL be a regular expression and the second argument SHALL be a general string. The function specification SHALL be that of the "xf:matches" function with the arguments reversed [XF] Section 6.3.15.
x500Name-match
This function shall take two arguments of "urn:oasis:names:tc:xacml:1.0:data-type:x500Name" and shall return an "http://www.w3.org/2001/XMLSchema#boolean". It shall return "True" if and only if the first argument matches some terminal sequence of RDNs from the second argument when compared using x500Name-equal.
rfc822Name-match
This function SHALL take two arguments, the first of data-type "http://www.w3.org/2001/XMLSchema#string" and the second of data-type "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name", and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL evaluate to True if the first argument matches the second argument according to the following specification.
An RFC822 name consists of a local-part followed by "@" followed by a domain-part. The local-part is case-sensitive, while the domain-part (which is usually a DNS name) is not case-sensitive.[4]
The second argument contains a complete rfc822Name. The first argument is a complete or partial rfc822Name used to select appropriate values in the second argument as follows.
In order to match a particular mailbox in the second argument, the first argument must specify the complete mail address to be matched. For example, if the first argument is "Anderson@sun.com", this matches a value in the second argument of "Anderson@sun.com" and "Anderson@SUN.COM", but not "Anne.Anderson@sun.com", "anderson@sun.com" or "Anderson@east.sun.com".
In order to match any mail address at a particular domain in the second argument, the first argument must specify only a domain name (usually a DNS name). For example, if the first argument is "sun.com", this matches a value in the second argument of "Anderson@sun.com" or "Baxter@SUN.COM", but not "Anderson@east.sun.com".
In order to match any mail address in a particular domain in the second argument, the first argument must specify the desired domain-part with a leading ".". For example, if the first argument is ".east.sun.com", this matches a value in the second argument of "Anderson@east.sun.com" and "anne.anderson@ISRG.EAST.SUN.COM", but not "Anderson@sun.com".
[4] According to IETF RFC822 and its successor specifications [RFC2821], case is significant in the local-part. Many mail systems, as well as the IETF PKIX specification, treat the local-part as case-insensitive. This anomaly is considered an error by mail-system designers and is not encouraged. For this reason, rfc822Name-match treats the local-part as case-sensitive.
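The three matching modes of rfc822Name-match, implemented in Python as an added example (not code from the specification) and checked against exactly the mailbox values listed above. The function name and the decision to reject a second argument that is not of the form local-part@domain-part are this example's own choices; the specification says nothing about malformed input. The third mode is the one to get right: a leading "." matches the named domain itself as well as every sub-domain, whereas a bare domain name matches that domain only.

```python
def rfc822name_match(pattern: str, name: str) -> bool:
    """rfc822Name-match as described on this page (added example, not the specification's code).

    pattern: the first argument, a complete or partial rfc822Name.
    name:    the second argument, a complete rfc822Name "local-part@domain-part".
    The local-part is compared case-sensitively; the domain-part is compared ignoring case.
    """
    if name.count("@") != 1:
        # Choice made in this example: a malformed second argument is rejected rather than matched.
        raise ValueError("second argument must be a complete rfc822Name of the form local-part@domain-part")
    local, domain = name.split("@")
    domain = domain.lower()

    if "@" in pattern:
        # Mode 1: a particular mailbox. The whole address must match, local-part exactly.
        pattern_local, pattern_domain = pattern.split("@", 1)
        return local == pattern_local and domain == pattern_domain.lower()

    if pattern.startswith("."):
        # Mode 3: any mailbox in the named domain or in any of its sub-domains.
        suffix = pattern.lower()
        return domain == suffix[1:] or domain.endswith(suffix)

    # Mode 2: any mailbox at exactly the named domain; sub-domains do not match.
    return domain == pattern.lower()
```

Because the domain comparison lower-cases both sides, the same function covers "Anderson@SUN.COM" and "anne.anderson@ISRG.EAST.SUN.COM" without special cases; only the local-part keeps the case the policy author wrote.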
A.14.13 XPath-based functions
This section specifies functions that take XPath expressions for arguments. An XPath expression evaluates to a node-set, which is a set of XML nodes that match the expression. A node or node-set is not in the formal data-type system of XACML. All comparison or other operations on node-sets are performed in the isolation of the particular function specified. The XPath expressions in these functions are restricted to the XACML request context. The <xacml-context:Request> element is a context node for every XPath expression. The following functions are defined.
xpath-node-count
This function SHALL take an "http://www.w3.org/2001/XMLSchema#string" as an argument, which SHALL be interpreted as an XPath expression, and evaluates to an "http://www.w3.org/2001/XMLSchema#integer". The value returned from the function SHALL be the count of the nodes within the node-set that matches the given XPath expression.
xpath-node-equal
This function SHALL take two "http://www.w3.org/2001/XMLSchema#string" arguments, which SHALL be interpreted as XPath expressions, and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". The function SHALL return True if any XML node from the node-set matched by the first argument equals, according to the "op:node-equal" function [XF] Section 13.1.6, any XML node from the node-set matched by the second argument.
xpath-node-match
This function SHALL take two "http://www.w3.org/2001/XMLSchema#string" arguments, which SHALL be interpreted as XPath expressions, and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL evaluate to True if either of the following two conditions is satisfied: (1) Any XML node from the node-set matched by the first argument is equal, according to op:node-equal [XF] Section 13.1.6, to any XML node from the node-set matched by the second argument; (2) Any attribute and element node below any XML node from the node-set matched by the first argument is equal, according to op:node-equal [XF] Section 13.1.6, to any XML node from the node-set matched by the second argument.
NOTE: The first condition is equivalent to xpath-node-equal, and guarantees that xpath-node-equal is a special case of xpath-node-match.
A.14.14 Extension functions and primitive types
Functions and primitive types are specified by string identifiers, allowing for the introduction of functions in addition to those specified by XACML. This approach allows one to extend the XACML module with special functions and special primitive data-types.
In order to preserve some integrity to the XACML evaluation strategy, the result of all function applications SHALL depend only on the values of its arguments. Global and hidden parameters SHALL NOT affect the evaluation of an expression. Functions SHALL NOT have side effects, as evaluation order cannot be guaranteed in a standard way.
Appendix B. XACML identifiers (normative)
This section defines standard identifiers for commonly used entities. All XACML-defined identifiers have the common base:
urn:oasis:names:tc:xacml:1.0
B.1 XACML namespaces
There are currently two defined XACML namespaces.
Policies are defined using this identifier:
urn:oasis:names:tc:xacml:1.0:policy
Request and response contexts are defined using this identifier:
urn:oasis:names:tc:xacml:1.0:context
B.2 Access subject categories
This identifier indicates the system entity that initiated the access request. That is, the initial entity in a request chain. If subject category is not specified, this is the default value.
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
This identifier indicates the system entity that will receive the results of the request. Used when it is distinct from the access-subject.
urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject
This identifier indicates a system entity through which the access request was passed. There may be more than one. No means is provided to specify the order in which they passed the message.
urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject
This identifier indicates a system entity associated with a local or remote codebase that generated the request. Corresponding subject attributes might include the URL from which it was loaded and/or the identity of the code-signer. There may be more than one. No means is provided to specify the order in which they processed the request.
urn:oasis:names:tc:xacml:1.0:subject-category:codebase
This identifier indicates a system entity associated with the computer that initiated the access request. An example would be an IPsec identity.
urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine
B.3 XACML functions
This identifier is the base for all the identifiers in the table of functions. See Section A.1.
urn:oasis:names:tc:xacml:1.0:function
B.4 Data-types
The following identifiers indicate useful data-types.
X.500 distinguished name:
urn:oasis:names:tc:xacml:1.0:data-type:x500Name
An x500Name contains an ITU-T Rec. X.520 Distinguished Name. The valid syntax for such a name is described in IETF RFC 2253, “Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names”.
RFC822 Name:
urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name
An rfc822Name contains an e-mail name. The valid syntax for such a name is described in IETF RFC 2821, Section 4.1.2, Command Argument Syntax, under the term “Mailbox”.
The following data-type identifiers are defined by XML Schema:
http://www.w3.org/2001/XMLSchema#string
http://www.w3.org/2001/XMLSchema#boolean
http://www.w3.org/2001/XMLSchema#integer
http://www.w3.org/2001/XMLSchema#double
http://www.w3.org/2001/XMLSchema#time
http://www.w3.org/2001/XMLSchema#date
http://www.w3.org/2001/XMLSchema#dateTime
http://www.w3.org/2001/XMLSchema#anyURI
http://www.w3.org/2001/XMLSchema#hexBinary
http://www.w3.org/2001/XMLSchema#base64Binary
The following data-type identifiers correspond to the dayTimeDuration and yearMonthDuration data-types defined in [XF Sections 8.2.2 and 8.2.1, respectively]:
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration
B.5 Subject attributes
These identifiers indicate attributes of a subject. When used, they SHALL appear within a <Subject> element of the request context. They SHALL be accessed via a <SubjectAttributeDesignator> or an <AttributeSelector> element pointing into a <Subject> element of the request context.
At most one of each of these attributes is associated with each subject. Each attribute associated with authentication included within a single <Subject> element relates to the same authentication event.
This identifier indicates the name of the subject. The default format is http://www.w3.org/2001/XMLSchema#string. To indicate other formats, use DataType attributes listed in B.4.
urn:oasis:names:tc:xacml:1.0:subject:subject-id
This identifier indicates the subject category; “access-subject” is the default.
urn:oasis:names:tc:xacml:1.0:subject-category
This identifier indicates the security domain of the subject. It identifies the administrator and policy that manages the name-space in which the subject id is administered.
urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier
This identifier indicates a public key used to confirm the subject’s identity.
urn:oasis:names:tc:xacml:1.0:subject:key-info
This identifier indicates the time at which the subject was authenticated.
urn:oasis:names:tc:xacml:1.0:subject:authentication-time
This identifier indicates the method used to authenticate the subject.
urn:oasis:names:tc:xacml:1.0:subject:authentication-method
This identifier indicates the time at which the subject initiated the access request, according to the PEP.
urn:oasis:names:tc:xacml:1.0:subject:request-time
This identifier indicates the time at which the subject’s current session began, according to the PEP.
urn:oasis:names:tc:xacml:1.0:subject:session-start-time
The following identifiers indicate the location where authentication credentials were activated. They are intended to support the corresponding entities from the SAML authentication statement.
This identifier indicates that the location is expressed as an IP address.
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address
This identifier indicates that the location is expressed as a DNS name.
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name
Where a suitable attribute is already defined in LDAP [LDAP-1, LDAP-2], the XACML identifier SHALL be formed by adding the attribute name to the URI of the LDAP specification. For example, the attribute name for the userPassword defined in RFC 2256 SHALL be:
http://www.ietf.org/rfc/rfc2256.txt#userPassword
B.6 Resource attributes
These identifiers indicate attributes of the resource. When used, they SHALL appear within the <Resource> element of the request context. They SHALL be accessed via a <ResourceAttributeDesignator> or an <AttributeSelector> element pointing into the <Resource> element of the request context.
This identifier indicates the entire URI of the resource.
urn:oasis:names:tc:xacml:1.0:resource:resource-id
A resource attribute used to indicate values extracted from the resource.
urn:oasis:names:tc:xacml:1.0:resource:resource-content
This identifier indicates the last (rightmost) component of the file name. For example, if the URI is “file://home/my/status#pointer”, the simple-file-name is “status”.
urn:oasis:names:tc:xacml:1.0:resource:simple-file-name
This identifier indicates that the resource is specified by an XPath expression.
urn:oasis:names:tc:xacml:1.0:resource:xpath
This identifier indicates a UNIX file-system path.
urn:oasis:names:tc:xacml:1.0:resource:ufs-path
This identifier indicates the scope of the resource, as described in Section 7.8.
urn:oasis:names:tc:xacml:1.0:resource:scope
The allowed value for this attribute is of data-type http://www.w3.org/2001/XMLSchema#string and is either “Immediate”, “Children” or “Descendants”.
B.7 Action attributes
These identifiers indicate attributes of the action being requested. When used, they SHALL appear within the <Action> element of the request context. They SHALL be accessed via an <ActionAttributeDesignator> or an <AttributeSelector> element pointing into the <Action> element of the request context.
urn:oasis:names:tc:xacml:1.0:action:action-id
Action namespace:
urn:oasis:names:tc:xacml:1.0:action:action-namespace
Implied action. This is the value for the action-id attribute when the action is implied:
urn:oasis:names:tc:xacml:1.0:action:implied-action
B.8 Environment attributes
These identifiers indicate attributes of the environment within which the decision request is to be evaluated. When used in the decision request, they SHALL appear in the <Environment> element of the request context. They SHALL be accessed via an <EnvironmentAttributeDesignator> or an <AttributeSelector> element pointing into the <Environment> element of the request context.
This identifier indicates the current time at the PDP. In practice, it is the time at which the request context was created.
urn:oasis:names:tc:xacml:1.0:environment:current-time
urn:oasis:names:tc:xacml:1.0:environment:current-date
urn:oasis:names:tc:xacml:1.0:environment:current-dateTime
B.9 Status codes
The following status code identifiers are defined.
This identifier indicates success:
urn:oasis:names:tc:xacml:1.0:status:ok
This identifier indicates that attributes necessary to make a policy decision were not available:
urn:oasis:names:tc:xacml:1.0:status:missing-attribute
This identifier indicates that some attribute value contained a syntax error, such as a letter in a numeric field:
urn:oasis:names:tc:xacml:1.0:status:syntax-error
This identifier indicates that an error occurred during policy evaluation. An example would be division by zero:
urn:oasis:names:tc:xacml:1.0:status:processing-error
B.10 Combining algorithms
The deny-overrides rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides
The deny-overrides policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides
The permit-overrides rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides
The permit-overrides policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides
The first-applicable rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable
The first-applicable policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable
The only-one-applicable-policy policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable
The ordered-deny-overrides rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-deny-overrides
The ordered-deny-overrides policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-deny-overrides
The ordered-permit-overrides rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides
The ordered-permit-overrides policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides
Appendix C. Combining algorithms (normative)
This section contains a description of the rule-combining and policy-combining algorithms specified by XACML.
C.1 Deny-overrides
The following specification defines the “Deny-overrides” rule-combining algorithm of a policy.
In the entire set of rules in the policy, if any rule evaluates to Deny, then the result of the rule combination SHALL be Deny. If any rule evaluates to Permit and all other rules evaluate to NotApplicable, then the result of the rule combination SHALL be Permit. In other words, Deny takes precedence, regardless of the result of evaluating any of the other rules in the combination. If all rules are found to be NotApplicable to the decision request, then the rule combination SHALL evaluate to NotApplicable.
If an error occurs while evaluating the target or condition of a rule that contains an effect value of Deny, then the evaluation SHALL continue to evaluate subsequent rules, looking for a result of Deny. If no other rule evaluates to Deny, then the combination SHALL evaluate to Indeterminate, with the appropriate error status.
If at least one rule evaluates to Permit, all other rules that do not have evaluation errors evaluate to Permit or NotApplicable, and all rules that do have evaluation errors contain effects of Permit, then the result of the combination SHALL be Permit.
The following pseudo-code represents the evaluation strategy of this rule-combining algorithm:

    Decision denyOverridesRuleCombiningAlgorithm(Rule rule[])
        Boolean atLeastOneError = false
        Boolean potentialDeny = false
        Boolean atLeastOnePermit = false
        for (i = 0; i < lengthOf(rule); i++)
            Decision decision = evaluate(rule[i])
            if (decision == Deny)
                return Deny
            if (decision == Permit)
                atLeastOnePermit = true
                continue
            if (decision == NotApplicable)
                continue
            if (decision == Indeterminate)
                atLeastOneError = true
                if (effect(rule[i]) == Deny)
                    potentialDeny = true   // an errored Deny rule might have denied
                continue
        if (potentialDeny)
            return Indeterminate
        if (atLeastOnePermit)
            return Permit
        if (atLeastOneError)
            return Indeterminate
        return NotApplicable

The following specification defines the “Deny-overrides” policy-combining algorithm of a policy set.
In the entire set of policies in the policy set, if any policy evaluates to Deny, then the result of the policy combination SHALL be Deny. In other words, Deny takes precedence, regardless of the result of evaluating any of the other policies in the policy set. If all policies are found to be NotApplicable to the decision request, then the policy set SHALL evaluate to NotApplicable.
If an error occurs while evaluating the target of a policy, or a reference to a policy is considered invalid, or the policy evaluation results in Indeterminate, then the policy set SHALL evaluate to Deny.
The following pseudo-code represents the evaluation strategy of this policy-combining algorithm:

    Decision denyOverridesPolicyCombiningAlgorithm(Policy policy[])
        Boolean atLeastOnePermit = false
        for (i = 0; i < lengthOf(policy); i++)
            Decision decision = evaluate(policy[i])
            if (decision == Deny)
                return Deny
            if (decision == Permit)
                atLeastOnePermit = true
                continue
            if (decision == NotApplicable)
                continue
            if (decision == Indeterminate)
                return Deny
        if (atLeastOnePermit)
            return Permit
        return NotApplicable

Obligations of the individual policies shall be combined as described in Section 7.11.
C.2 Ordered-deny-overrides (non-normative)
The following specification defines the “Ordered-deny-overrides” rule-combining algorithm of a policy.
The behavior of this algorithm is identical to that of the Deny-overrides rule-combining algorithm, with one exception: the order in which the collection of rules is evaluated SHALL match the order as listed in the policy.
The following specification defines the “Ordered-deny-overrides” policy-combining algorithm of a policy set.
The behavior of this algorithm is identical to that of the Deny-overrides policy-combining algorithm, with one exception: the order in which the collection of policies is evaluated SHALL match the order as listed in the policy set.
C.3 Permit-overrides
The following specification defines the “Permit-overrides” rule-combining algorithm of a policy.
In the entire set of rules in the policy, if any rule evaluates to Permit, then the result of the rule combination SHALL be Permit. If any rule evaluates to Deny and all other rules evaluate to NotApplicable, then the policy SHALL evaluate to Deny. In other words, Permit takes precedence, regardless of the result of evaluating any of the other rules in the policy. If all rules are found to be NotApplicable to the decision request, then the policy SHALL evaluate to NotApplicable.
If an error occurs while evaluating the target or condition of a rule that contains an effect of Permit, then the evaluation SHALL continue, looking for a result of Permit. If no other rule evaluates to Permit, then the policy SHALL evaluate to Indeterminate, with the appropriate error status.
If at least one rule evaluates to Deny, all other rules that do not have evaluation errors evaluate to Deny or NotApplicable, and all rules that do have evaluation errors contain an effect value of Deny, then the policy SHALL evaluate to Deny.
The following pseudo-code represents the evaluation strategy of this rule-combining algorithm:

    Decision permitOverridesRuleCombiningAlgorithm(Rule rule[])
        Boolean atLeastOneError = false
        Boolean potentialPermit = false
        Boolean atLeastOneDeny = false
        for (i = 0; i < lengthOf(rule); i++)
            Decision decision = evaluate(rule[i])
            if (decision == Deny)
                atLeastOneDeny = true
                continue
            if (decision == Permit)
                return Permit
            if (decision == NotApplicable)
                continue
            if (decision == Indeterminate)
                atLeastOneError = true
                if (effect(rule[i]) == Permit)
                    potentialPermit = true   // an errored Permit rule might have permitted
                continue
        if (potentialPermit)
            return Indeterminate
        if (atLeastOneDeny)
            return Deny
        if (atLeastOneError)
            return Indeterminate
        return NotApplicable

The following specification defines the “Permit-overrides” policy-combining algorithm of a policy set.
In the entire set of policies in the policy set, if any policy evaluates to Permit, then the result of the policy combination SHALL be Permit. In other words, Permit takes precedence, regardless of the result of evaluating any of the other policies in the policy set. If all policies are found to be NotApplicable to the decision request, then the policy set SHALL evaluate to NotApplicable.
If an error occurs while evaluating the target of a policy, a reference to a policy is considered invalid, or the policy evaluation results in Indeterminate, then the policy set SHALL evaluate to Indeterminate, with the appropriate error status, provided no other policies evaluate to Permit or Deny.
The following pseudo-code represents the evaluation strategy of this policy-combining algorithm:

    Decision permitOverridesPolicyCombiningAlgorithm(Policy policy[])
        Boolean atLeastOneError = false
        Boolean atLeastOneDeny = false
        for (i = 0; i < lengthOf(policy); i++)
            Decision decision = evaluate(policy[i])
            if (decision == Deny)
                atLeastOneDeny = true
                continue
            if (decision == Permit)
                return Permit
            if (decision == NotApplicable)
                continue
            if (decision == Indeterminate)
                atLeastOneError = true
                continue
        if (atLeastOneDeny)
            return Deny
        if (atLeastOneError)
            return Indeterminate
        return NotApplicable

Obligations of the individual policies shall be combined as described in Section 7.11.
C.4 Ordered-permit-overrides (non-normative)
The following specification defines the “Ordered-permit-overrides” rule-combining algorithm of a policy.
The behavior of this algorithm is identical to that of the Permit-overrides rule-combining algorithm, with one exception: the order in which the collection of rules is evaluated SHALL match the order as listed in the policy.
The following specification defines the “Ordered-permit-overrides” policy-combining algorithm of a policy set.
The behavior of this algorithm is identical to that of the Permit-overrides policy-combining algorithm, with one exception: the order in which the collection of policies is evaluated SHALL match the order as listed in the policy set.
C.5 First-applicable
The following specification defines the “First-applicable” rule-combining algorithm of a policy.
Each rule SHALL be evaluated in the order in which it is listed in the policy. For a particular rule, if the target matches and the condition evaluates to True, then the evaluation of the policy SHALL halt and the corresponding effect of the rule SHALL be the result of the evaluation of the policy (i.e., Permit or Deny). For a particular rule selected in the evaluation, if the target evaluates to False or the condition evaluates to False, then the next rule in the order SHALL be evaluated. If no further rule in the order exists, then the policy SHALL evaluate to NotApplicable.
If an error occurs while evaluating the target or condition of a rule, then the evaluation SHALL halt, and the policy shall evaluate to Indeterminate, with the appropriate error status.
The following pseudo-code represents the evaluation strategy of this rule-combining algorithm:

    Decision firstApplicableEffectRuleCombiningAlgorithm(Rule rule[])
        for (i = 0; i < lengthOf(rule); i++)
            Decision decision = evaluate(rule[i])
            if (decision == Deny)
                return Deny
            if (decision == Permit)
                return Permit
            if (decision == NotApplicable)
                continue
            if (decision == Indeterminate)
                return Indeterminate
        return NotApplicable
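An added worked example (not the specification's own code) that transcribes the three rule-combining algorithms of C.1, C.3 and C.5 into Python and runs them over one constructed policy and request. The `make_rule` helper, the rule identifiers, the request attributes and the treatment of a missing attribute as an evaluation error are assumptions made here; the point it shows is how the same rule set yields Indeterminate, Permit or Permit depending only on the algorithm, because an errored Deny rule is a "potential deny".

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


@dataclass
class Rule:
    rule_id: str
    effect: Decision                                # the rule's Effect: Permit or Deny
    evaluate: Callable[[Dict[str, str]], Decision]  # target + condition against a request


def make_rule(rule_id: str, effect: Decision,
              applies: Callable[[Dict[str, str]], bool]) -> Rule:
    """Helper (assumed here): a Rule whose target/condition is the `applies` predicate.
    A missing request attribute (KeyError) is an evaluation error, i.e. Indeterminate."""
    def evaluate(request: Dict[str, str]) -> Decision:
        try:
            return effect if applies(request) else Decision.NOT_APPLICABLE
        except KeyError:
            return Decision.INDETERMINATE
    return Rule(rule_id, effect, evaluate)


def deny_overrides(rules: List[Rule], request: Dict[str, str]) -> Decision:
    """C.1 Deny-overrides rule-combining algorithm, following the pseudo-code."""
    at_least_one_error = potential_deny = at_least_one_permit = False
    for rule in rules:
        decision = rule.evaluate(request)
        if decision is Decision.DENY:
            return Decision.DENY                    # Deny wins immediately
        if decision is Decision.PERMIT:
            at_least_one_permit = True
        elif decision is Decision.INDETERMINATE:
            at_least_one_error = True
            if rule.effect is Decision.DENY:
                potential_deny = True               # an errored Deny rule might have denied
    if potential_deny:
        return Decision.INDETERMINATE
    if at_least_one_permit:
        return Decision.PERMIT
    return Decision.INDETERMINATE if at_least_one_error else Decision.NOT_APPLICABLE


def permit_overrides(rules: List[Rule], request: Dict[str, str]) -> Decision:
    """C.3 Permit-overrides: the mirror image of deny_overrides."""
    at_least_one_error = potential_permit = at_least_one_deny = False
    for rule in rules:
        decision = rule.evaluate(request)
        if decision is Decision.PERMIT:
            return Decision.PERMIT
        if decision is Decision.DENY:
            at_least_one_deny = True
        elif decision is Decision.INDETERMINATE:
            at_least_one_error = True
            if rule.effect is Decision.PERMIT:
                potential_permit = True
    if potential_permit:
        return Decision.INDETERMINATE
    if at_least_one_deny:
        return Decision.DENY
    return Decision.INDETERMINATE if at_least_one_error else Decision.NOT_APPLICABLE


def first_applicable(rules: List[Rule], request: Dict[str, str]) -> Decision:
    """C.5 First-applicable: the first rule that is not NotApplicable decides;
    an Indeterminate halts evaluation instead of being skipped."""
    for rule in rules:
        decision = rule.evaluate(request)
        if decision is not Decision.NOT_APPLICABLE:
            return decision
    return Decision.NOT_APPLICABLE


# Constructed sample policy: the last rule needs an attribute ("clearance") that the
# constructed request does not carry, so evaluating it is an error.
RULES = [
    make_rule("admins-may-do-anything", Decision.PERMIT, lambda r: r["role"] == "admin"),
    make_rule("anyone-may-read", Decision.PERMIT, lambda r: r["action"] == "read"),
    make_rule("deny-low-clearance", Decision.DENY, lambda r: r["clearance"] == "low"),
]
REQUEST = {"subject": "alice", "role": "auditor", "action": "read"}


def combine_all(rules: List[Rule], request: Dict[str, str]) -> Dict[str, str]:
    """Run the three algorithms over the same rules and request."""
    return {
        "deny-overrides": deny_overrides(rules, request).value,
        "permit-overrides": permit_overrides(rules, request).value,
        "first-applicable": first_applicable(rules, request).value,
    }


if __name__ == "__main__":
    for name, result in combine_all(RULES, REQUEST).items():
        print(f"{name:17s} -> {result}")
```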
The following specification defines the “First-applicable” policy-combining algorithm of a policy set.
Each policy is evaluated in the order that it appears in the policy set. For a particular policy, if the target evaluates to True and the policy evaluates to a determinate value of Permit or Deny, then the evaluation SHALL halt and the policy set SHALL evaluate to the effect value of that policy. For a particular policy, if the target evaluates to False or the policy evaluates to NotApplicable, then the next policy in the order SHALL be evaluated. If no further policy exists in the order, then the policy set SHALL evaluate to NotApplicable.
If an error were to occur when evaluating the target or when evaluating a specific policy, the reference to the policy is considered invalid, or the policy itself evaluates to Indeterminate, then the evaluation of the policy-combining algorithm shall halt, and the policy set shall evaluate to Indeterminate, with an appropriate error status.
The following pseudo-code represents the evaluation strategy of this policy-combining algorithm:

    Decision firstApplicableEffectPolicyCombiningAlgorithm(Policy policy[])
        for (i = 0; i < lengthOf(policy); i++)
            Decision decision = evaluate(policy[i])
            if (decision == Deny)
                return Deny
            if (decision == Permit)
                return Permit
            if (decision == NotApplicable)
                continue
            if (decision == Indeterminate)
                return Indeterminate
        return NotApplicable
Obligations of the individual policies shall be combined as described in Section 7.11.
C.6 Only-one-applicable
The following specification defines the “Only-one-applicable” policy-combining algorithm of a policy set.
In the entire set of policies in the policy set, if no policy is considered applicable by virtue of their targets, then the result of the policy-combining algorithm SHALL be NotApplicable. If more than one policy is considered applicable by virtue of their targets, then the result of the policy-combining algorithm SHALL be Indeterminate.
If only one policy is considered applicable by evaluation of the policy targets, then the result of the policy-combining algorithm SHALL be the result of evaluating the policy.
If an error occurs while evaluating the target of a policy, or a reference to a policy is considered invalid, or the policy evaluation results in Indeterminate, then the policy set SHALL evaluate to Indeterminate, with the appropriate error status.
The following pseudo-code represents the evaluation strategy of this policy-combining algorithm:

    Decision onlyOneApplicablePolicyPolicyCombiningAlgorithm(Policy policy[])
        Boolean atLeastOne = false
        Policy selectedPolicy = null
        ApplicableResult appResult
        for (i = 0; i < lengthOf(policy); i++)
            appResult = isApplicable(policy[i])   // target evaluation only
            if (appResult == Indeterminate)
                return Indeterminate
            if (appResult == Applicable)
                if (atLeastOne)
                    return Indeterminate          // a second applicable policy is an error
                else
                    atLeastOne = true
                    selectedPolicy = policy[i]
            if (appResult == NotApplicable)
                continue
        if (atLeastOne)
            return evaluate(selectedPolicy)
        else
            return NotApplicable
Appendix D. Acknowledgments
The following individuals contributed to the development of the specification:
Anne Anderson
Bill Parducci
Carlisle Adams
Daniel Engovatov
Don Flinn
Ernesto Damiani
Gerald Brose
Hal Lockhart
James MacLean
John Merrells
Ken Yagen
Konstantin Beznosov
Michiharu Kudo
Pierangela Samarati
Pirasenna Velandai Thiyagarajan
Polar Humenn
Satoshi Hada
Sekhar Vajjhala
Seth Proctor
Simon Godik
Steve Anderson
Steve Crocker
Suresh Damodaran
Tim Moses
Appendix E. Revision history

Rev       Date          By whom                      What
OS V1.0   18 Feb 2003   XACML Technical Committee    OASIS Standard
Appendix F. Notices
OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification, can be obtained from the OASIS Executive Director.
OASIS has been notified of intellectual property rights claimed in regard to some or all of the contents of this specification. For more information, consult the online list of claimed rights.
OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director.
Copyright (C) OASIS Open 2003. All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
This document and the information contained herein is provided on an “AS IS” basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
5 Policy syntax (normative, with the exception of the schema fragments)  46
5.1 Element <PolicySet>  46
5.2 Element <Description>  47
5.3 Element <PolicySetDefaults>  47
5.4 Element <XPathVersion>  48
5.5 Element <Target>  48
5.6 Element <Subjects>  49
5.7 Element <Subject>  49
5.8 Element <AnySubject>  49
5.9 Element <SubjectMatch>  49
5.10 Element <Resources>  50
5.11 Element <Resource>  50
5.12 Element <AnyResource>  51
5.13 Element <ResourceMatch>  51
5.14 Element <Actions>  52
5.15 Element <Action>  52
5.16 Element <AnyAction>  52
5.17 Element <ActionMatch>  52
5.18 Element <PolicySetIdReference>  53
5.19 Element <PolicyIdReference>  53
5.20 Element <Policy>  53
5.21 Element <PolicyDefaults>  55
5.22 Element <Rule>  55
5.23 Simple type EffectType  56
5.24 Element <Condition>  56
5.25 Element <Apply>  56
5.26 Element <Function>  57
5.27 Complex type AttributeDesignatorType  57
5.28 Element <SubjectAttributeDesignator>  58
5.29 Element <ResourceAttributeDesignator>  59
5.30 Element <ActionAttributeDesignator>  60
5.31 Element <EnvironmentAttributeDesignator>  60
5.32 Element <AttributeSelector>  61
5.33 Element <AttributeValue>  62
5.34 Element <Obligations>  63
5.35 Element <Obligation>  63
5.36 Element <AttributeAssignment>  64
6 Context syntax (normative, with the exception of the schema fragments)  64
6.1 Element <Request>  64
6.2 Element <Subject>  65
6.3 Element <Resource>  66
6.4 Element <ResourceContent>  66
6.5 Element <Action>  67
6.6 Element <Environment>  67
6.7 Element <Attribute>  67
6.8 Element <AttributeValue>  68
6.9 Element <Response>  68
6.10 Element <Result>  69
6.11 Element <Decision>  70
6.12 Element <Status>  70
6.13 Element <StatusCode>  71
6.14 Element <StatusMessage>  71
6.15 Element <StatusDetail>  71
7 Functional requirements (normative)  72
7.1 Policy enforcement point  72
7.2 Base policy  72
7.3 Target evaluation  73
7.4 Condition evaluation  73
7.5 Rule evaluation  73
7.6 Policy evaluation  73
7.7 Policy Set evaluation  74
7.8 Hierarchical resources  75
7.9 Attributes  76
7.9.1 Attribute Matching  76
7.9.2 Attribute Retrieval  76
7.9.3 Environment Attributes  77
7.10 Authorization decision  77
7.11 Obligations  77
7.12 Unsupported functionality  78
7.13 Syntax and type errors  78
8 XACML extensibility points (non-normative)  78
8.1 Extensible XML attribute types  78
8.2 Structured attributes  79
9 Security and privacy considerations (non-normative)  79
9.1 Threat model 79
9.1.1 Unauthorized disclosure 80
9.1.2 Message replay 80
9.1.3 Message insertion 80
9.1.4 Message deletion 80
9.1.5 Message modification 80
9.1.6 NotApplicable results 81
9.1.7 Negative rules 81
9.2 Safeguards 82
9.2.1 Authentication 82
9.2.2 Policy administration 82
9.2.3 Confidentiality 82
9.2.4 Policy integrity 83
9.2.5 Policy identifiers 83
9.2.6 Trust model 84
9.2.7 Privacy 84
10 Conformance (normative) 84
10.1 Introduction 84
10.2 Conformance tables 84
10.2.1 Schema elements 85
10.2.2 Identifier Prefixes 86
10.2.3 Algorithms 86
10.2.4 Status Codes 86
10.2.5 Attributes 87
10.2.6 Identifiers 87
10.2.7 Data-types 87
10.2.8 Functions 88
11 References 92
Appendix A Standard data-types, functions and their semantics (normative) 94
A.1 Introduction 94
A.2 Primitive types 94
A.3 Structured types 95
A.4 Representations 95
A.5 Bags 96
A.6 Expressions 96
A.7 Element <AttributeValue> 97
A.8 Elements <AttributeDesignator> and <AttributeSelector> 97
A.9 Element <Apply> 97
A.10 Element <Condition> 97
A.11 Element <Function> 98
A.12 Matching elements 98
A.13 Arithmetic evaluation 99
A.14 XACML standard functions 100
A.14.1 Equality predicates 100
A.14.2 Arithmetic functions 102
A.14.3 String conversion functions 103
A.14.4 Numeric data-type conversion functions 103
A.14.5 Logical functions 103
A.14.6 Arithmetic comparison functions 104
A.14.7 Date and time arithmetic functions 105
A.14.8 Non-numeric comparison functions 106
A.14.9 Bag functions 108
A.14.10 Set functions 109
A.14.11 Higher-order bag functions 110
A.14.12 Special match functions 117
A.14.13 XPath-based functions 118
A.14.14 Extension functions and primitive types 118
Appendix B XACML identifiers (normative) 119
B.1 XACML namespaces 119
B.2 Access subject categories 119
B.3 XACML functions 119
B.4 Data-types 119
B.5 Subject attributes 120
B.6 Resource attributes 121
B.7 Action attributes 121
B.8 Environment attributes 122
B.9 Status codes 122
B.10 Combining algorithms 122
Appendix C Combining algorithms (normative) 124
C.1 Deny-overrides 124
C.2 Ordered-deny-overrides (non-normative) 126
C.3 Permit-overrides 126
C.4 Ordered-permit-overrides (non-normative) 128
C.5 First-applicable 128
C.6 Only-one-applicable 130
Appendix D Acknowledgments 132
Appendix E Revision history 133
Appendix F Notices 134
Errata
Errata can be found at the following location:
http://www.oasis-open.org/committees/xacml/repository/errata-001.pdf
1 Introduction (non-normative)
1.1 Glossary
1.1.1 Preferred terms
Access - Performing an action.
Access control - Controlling access in accordance with a policy.
Action - An operation on a resource.
Applicable policy - The set of policies and policy sets that governs access for a specific decision request.
Attribute - Characteristic of a subject, resource, action or environment that may be referenced in a predicate or target.
Authorization decision - The result of evaluating applicable policy, returned by the PDP to the PEP. A function that evaluates to "Permit", "Deny", "Indeterminate" or "NotApplicable", and (optionally) a set of obligations.
Bag - An unordered collection of values, in which there may be duplicate values.
Condition - An expression of predicates. A function that evaluates to "True", "False" or "Indeterminate".
Conjunctive sequence - A sequence of boolean elements combined using the logical 'AND' operation.
Context - The canonical representation of a decision request and an authorization decision.
Context handler - The system entity that converts decision requests in the native request format to the XACML canonical form, and converts authorization decisions in the XACML canonical form to the native response format.
Decision - The result of evaluating a rule, policy or policy set.
Decision request - The request by a PEP to a PDP to render an authorization decision.
Disjunctive sequence - A sequence of boolean elements combined using the logical 'OR' operation.
Effect - The intended consequence of a satisfied rule (either "Permit" or "Deny").
Environment - The set of attributes that are relevant to an authorization decision and are independent of a particular subject, resource or action.
Obligation - An operation specified in a policy or policy set that should be performed in conjunction with the enforcement of an authorization decision.
Policy - A set of rules, an identifier for the rule-combining algorithm and (optionally) a set of obligations. May be a component of a policy set.
Policy administration point (PAP) - The system entity that creates a policy or policy set.
Policy-combining algorithm - The procedure for combining the decision and obligations from multiple policies.
Policy decision point (PDP) - The system entity that evaluates applicable policy and renders an authorization decision.
Policy enforcement point (PEP) - The system entity that performs access control, by making decision requests and enforcing authorization decisions.
Policy information point (PIP) - The system entity that acts as a source of attribute values.
Policy set - A set of policies, other policy sets, a policy-combining algorithm and (optionally) a set of obligations. May be a component of another policy set.
Predicate - A statement about attributes whose truth can be evaluated.
Resource - Data, service or system component.
Rule - A target, an effect and a condition. A component of a policy.
Rule-combining algorithm - The procedure for combining decisions from multiple rules.
Subject - An actor whose attributes may be referenced by a predicate.
Target - The set of decision requests, identified by definitions for resource, subject and action, that a rule, policy or policy set is intended to evaluate.
Type Unification - The method by which two type expressions are "unified". The type expressions are matched along their structure. Where a type variable appears in one expression, it is then "unified" to represent the corresponding structure element of the other expression, be it another variable or subexpression. All variable assignments must remain consistent in both structures. Unification fails if the two expressions cannot be aligned, either by having dissimilar structure, or by having instance conflicts, such as a variable needing to represent both xs:string and xs:integer. For a full explanation of type unification, please see [Hancock].
1.1.2 Related terms
In the field of access control and authorization there are several closely related terms in common use. For purposes of precision and clarity, certain of these terms are not used in this specification.
For instance, the term "attribute" is used in place of the terms "group" and "role".
In place of the terms "privilege", "permission", "authorization", "entitlement" and "right", we use the term "rule".
The term "object" is also in common use, but we use the term "resource" in this specification.
"Requestors" and "initiators" are covered by the term "subject".
1.2 Notation
This specification contains schema conforming to W3C XML Schema and normative text to describe the syntax and semantics of XML-encoded policy statements.
The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY and OPTIONAL in this specification are to be interpreted as described in IETF RFC 2119 [RFC2119]: they MUST only be used where it is actually required for interoperation, or to limit behavior which has potential for causing harm (e.g. limiting retransmissions).
These keywords are thus capitalized when used to unambiguously specify requirements over protocol and application features and behavior that affect the interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense.
Listings of XACML schemas appear like this.
Example code listings appear like this.
Conventional XML namespace prefixes are used throughout the listings in this specification to stand for their respective namespaces, as follows, whether or not a namespace declaration is present in the example:
- The prefix xacml: stands for the XACML policy namespace.
- The prefix xacml-context: stands for the XACML context namespace.
- The prefix ds: stands for the W3C XML Signature namespace [DS].
- The prefix xs: stands for the W3C XML Schema namespace [XS].
- The prefix xf: stands for the XQuery 1.0 and XPath 2.0 Function and Operators specification namespace [XF].
This specification uses the following typographical conventions in text: <XACMLElement>, <ns:ForeignElement>, Attribute, Datatype, OtherCode. Terms in italic bold-face are intended to have the meaning defined in the Glossary.
1.3 Schema organization and namespaces
The XACML policy syntax is defined in a schema associated with the following XML namespace:
urn:oasis:names:tc:xacml:1.0:policy
The XACML context syntax is defined in a schema associated with the following XML namespace:
urn:oasis:names:tc:xacml:1.0:context
The XML Signature [DS] is imported into the XACML schema and is associated with the following XML namespace:
http://www.w3.org/2000/09/xmldsig#
2 Background (non-normative)
The economics of scale have driven computing platform vendors to develop products with very generalized functionality, so that they can be used in the widest possible range of situations. Out of the box, these products have the maximum possible privilege for accessing data and executing software, so that they can be used in as many application environments as possible, including those with the most permissive security policies. In the more common case of a relatively restrictive security policy, the platform's inherent privileges must be constrained by configuration.
The security policy of a large enterprise has many elements and many points of enforcement. Elements of policy may be managed by the Information Systems department, by Human Resources, by the Legal department and by the Finance department. And the policy may be enforced by the extranet, mail, WAN and remote-access systems: platforms which inherently implement a permissive security policy. The current practice is to manage the configuration of each point of enforcement independently in order to implement the security policy as accurately as possible. Consequently, it is an expensive and unreliable proposition to modify the security policy. And it is virtually impossible to obtain a consolidated view of the safeguards in effect throughout the enterprise to enforce the policy. At the same time, there is increasing pressure on corporate and government executives from consumers, shareholders and regulators to demonstrate best practice in the protection of the information assets of the enterprise and its customers.
For these reasons, there is a pressing need for a common language for expressing security policy. If implemented throughout an enterprise, a common policy language allows the enterprise to manage the enforcement of all the elements of its security policy in all the components of its information systems. Managing security policy may include some or all of the following steps: writing, reviewing, testing, approving, issuing, combining, analyzing, modifying, withdrawing, retrieving and enforcing policy.
XML is a natural choice as the basis for the common security-policy language, due to the ease with which its syntax and semantics can be extended to accommodate the unique requirements of this application, and the widespread support that it enjoys from all the main platform and tool vendors.
2.1 Requirements
The basic requirements of a policy language for expressing information system security policy are:
- To provide a method for combining individual rules and policies into a single policy set that applies to a particular decision request.
- To provide a method for flexible definition of the procedure by which rules and policies are combined.
- To provide a method for dealing with multiple subjects acting in different capacities.
- To provide a method for basing an authorization decision on attributes of the subject and resource.
- To provide a method for dealing with multi-valued attributes.
- To provide a method for basing an authorization decision on the contents of an information resource.
- To provide a set of logical and mathematical operators on attributes of the subject, resource and environment.
- To provide a method for handling a distributed set of policy components, while abstracting the method for locating, retrieving and authenticating the policy components.
- To provide a method for rapidly identifying the policy that applies to a given action, based upon the values of attributes of the subjects, resource and action.
- To provide an abstraction-layer that insulates the policy-writer from the details of the application environment.
- To provide a method for specifying a set of actions that must be performed in conjunction with policy enforcement.
The motivation behind XACML is to express these well-established ideas in the field of access-control policy using an extension language of XML. The XACML solutions for each of these requirements are discussed in the following sections.
2.2 Rule and policy combining
The complete policy applicable to a particular decision request may be composed of a number of individual rules or policies. For instance, in a personal privacy application, the owner of the personal information may define certain aspects of disclosure policy, whereas the enterprise that is the custodian of the information may define certain other aspects. In order to render an authorization decision, it must be possible to combine the two separate policies to form the single policy applicable to the request.
XACML defines three top-level policy elements: <Rule>, <Policy> and <PolicySet>. The <Rule> element contains a boolean expression that can be evaluated in isolation, but that is not intended to be accessed in isolation by a PDP. So, it is not intended to form the basis of an authorization decision by itself. It is intended to exist in isolation only within an XACML PAP, where it may form the basic unit of management, and be re-used in multiple policies.
The <Policy> element contains a set of <Rule> elements and a specified procedure for combining the results of their evaluation. It is the basic unit of policy used by the PDP, and so it is intended to form the basis of an authorization decision.
The <PolicySet> element contains a set of <Policy> or other <PolicySet> elements and a specified procedure for combining the results of their evaluation. It is the standard means for combining separate policies into a single combined policy.
Hinton et al. [Hinton94] discuss the question of the compatibility of separate policies applicable to the same decision request.
2.3 Combining algorithms
XACML defines a number of combining algorithms that can be identified by a RuleCombiningAlgId or PolicyCombiningAlgId attribute of the <Policy> or <PolicySet> elements, respectively. The rule-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluation of a set of rules. Similarly, the policy-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluation of a set of policies. Standard combining algorithms are defined for:
- Deny-overrides (Ordered and Unordered),
- Permit-overrides (Ordered and Unordered),
- First-applicable and
- Only-one-applicable.
In the first case, if a single <Rule> or <Policy> element is encountered that evaluates to "Deny", then, regardless of the evaluation result of the other <Rule> or <Policy> elements in the applicable policy, the combined result is "Deny". Likewise, in the second case, if a single "Permit" result is encountered, then the combined result is "Permit". In the case of the "First-applicable" combining algorithm, the combined result is the same as the result of evaluating the first <Rule>, <Policy> or <PolicySet> element in the list of rules whose target is applicable to the decision request. The "Only-one-applicable" policy-combining algorithm only applies to policies. The result of this combining algorithm ensures that one and only one policy or policy set is applicable by virtue of their targets. If no policy or policy set applies, then the result is "NotApplicable", but if more than one policy or policy set is applicable, then the result is "Indeterminate". When exactly one policy or policy set is applicable, the result of the combining algorithm is the result of evaluating the single applicable policy or policy set.
Users of this specification may, if necessary, define their own combining algorithms.
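The following Python is an added illustration, not code from the specification: it models rule evaluation and the four combining algorithms of this section over a small constructed policy, including a rule whose condition cannot be evaluated, to show that under deny-overrides an Indeterminate from a Deny rule becomes Deny while under permit-overrides an Indeterminate from a Permit rule becomes Indeterminate (that treatment follows Appendix C's rule-combining algorithms as I read them; Appendix C is the normative text). The request layout, the attribute ids and values, and the policies are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

# Request context (constructed layout): (category, attribute-id) -> bag of values; a bag may hold several values.
Request = Dict[Tuple[str, str], list]
# A target is a conjunction of (category, attribute-id, required value) matches; an empty target matches any request.
Target = List[Tuple[str, str, str]]

def request(**attrs) -> Request:
    """Helper for this example: subject_id=["alice"] becomes ("subject", "id") -> ["alice"]."""
    return {tuple(name.split("_", 1)): list(values) for name, values in attrs.items()}

def target_applies(target: Target, req: Request) -> bool:
    return all(value in req.get((category, attr_id), []) for category, attr_id, value in target)

@dataclass
class Rule:
    rule_id: str
    effect: str                                    # PERMIT or DENY
    target: Target = field(default_factory=list)
    condition: Callable[[Request], bool] = lambda req: True

def evaluate_rule(rule: Rule, req: Request) -> str:
    if not target_applies(rule.target, req):
        return NOT_APPLICABLE
    try:
        return rule.effect if rule.condition(req) else NOT_APPLICABLE
    except (KeyError, IndexError, TypeError):      # condition cannot be evaluated, e.g. a missing attribute
        return INDETERMINATE

def deny_overrides(results: List[Tuple[str, str]]) -> str:
    # results are (rule effect, rule decision) pairs in document order.  One Deny wins outright; an
    # Indeterminate from a rule whose effect is Deny also becomes Deny, since that rule might have denied.
    potential_deny = seen_permit = seen_error = False
    for effect, decision in results:
        if decision == DENY:
            return DENY
        if decision == PERMIT:
            seen_permit = True
        elif decision == INDETERMINATE:
            seen_error, potential_deny = True, potential_deny or effect == DENY
    if potential_deny:
        return DENY
    return PERMIT if seen_permit else INDETERMINATE if seen_error else NOT_APPLICABLE

def permit_overrides(results: List[Tuple[str, str]]) -> str:
    # One Permit wins outright, but an Indeterminate from a Permit rule must not turn into a Permit:
    # the combined result is Indeterminate instead.
    potential_permit = seen_deny = seen_error = False
    for effect, decision in results:
        if decision == PERMIT:
            return PERMIT
        if decision == DENY:
            seen_deny = True
        elif decision == INDETERMINATE:
            seen_error, potential_permit = True, potential_permit or effect == PERMIT
    if potential_permit:
        return INDETERMINATE
    return DENY if seen_deny else INDETERMINATE if seen_error else NOT_APPLICABLE

def first_applicable(results: List[Tuple[str, str]]) -> str:
    # The decision of the first rule that is not NotApplicable.
    return next((d for _, d in results if d != NOT_APPLICABLE), NOT_APPLICABLE)

COMBINERS = {"deny-overrides": deny_overrides, "permit-overrides": permit_overrides,
             "first-applicable": first_applicable}

@dataclass
class Policy:
    policy_id: str
    rules: List[Rule]
    target: Target = field(default_factory=list)
    rule_combining_alg: str = "deny-overrides"

def rule_results(policy: Policy, req: Request) -> List[Tuple[str, str]]:
    return [(rule.effect, evaluate_rule(rule, req)) for rule in policy.rules]

def evaluate_policy(policy: Policy, req: Request) -> str:
    if not target_applies(policy.target, req):
        return NOT_APPLICABLE
    return COMBINERS[policy.rule_combining_alg](rule_results(policy, req))

def only_one_applicable(policies: List[Policy], req: Request) -> str:
    # Policy-combining by target: none -> NotApplicable, several -> Indeterminate, exactly one -> its decision.
    applicable = [p for p in policies if target_applies(p.target, req)]
    if len(applicable) != 1:
        return INDETERMINATE if applicable else NOT_APPLICABLE
    return evaluate_policy(applicable[0], req)

# Constructed sample policy: a patient reads their own record, a physician reads any record,
# and nothing is read after 18:00.  All attribute ids and values are made up for this example.
RECORDS_POLICY = Policy("records", target=[("resource", "type", "medical-record")], rules=[
    Rule("owner-may-read", PERMIT, [("action", "id", "read")],
         condition=lambda r: r[("subject", "id")][0] in r[("resource", "patient")]),
    Rule("physician-may-read", PERMIT, [("subject", "role", "physician"), ("action", "id", "read")]),
    Rule("no-after-hours", DENY, condition=lambda r: r[("environment", "hour")][0] >= 18)])
```

A request that omits the environment hour makes "no-after-hours" Indeterminate, so deny-overrides yields Deny while permit-overrides yields Permit for the same rule results.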
2.4 Multiple subjects
Access-control policies often place requirements on the actions of more than one subject. For instance, the policy governing the execution of a high-value financial transaction may require the approval of more than one individual, acting in different capacities. Therefore, XACML recognizes that there may be more than one subject relevant to a decision request. An attribute called "subject-category" is used to differentiate between subjects acting in different capacities. Some standard values for this attribute are specified, and users may define additional ones.
2.5 Policies based on subject and resource attributes
Another common requirement is to base an authorization decision on some characteristic of the subject other than its identity. Perhaps the most common application of this idea is the subject's role [RBAC]. XACML provides facilities to support this approach. Attributes of subjects may be identified by the <SubjectAttributeDesignator> element. This element contains a URN that identifies the attribute. Alternatively, the <AttributeSelector> element may contain an XPath expression over the request context to identify a particular subject attribute value by its location in the context (see Section 2.11 for an explanation of context). XACML provides a standard way to reference the attributes defined in the LDAP series of specifications [LDAP-1, LDAP-2]. This is intended to encourage implementers to use standard attribute identifiers for some common subject attributes.
Another common requirement is to base an authorization decision on some characteristic of the resource other than its identity. XACML provides facilities to support this approach. Attributes of the resource may be identified by the <ResourceAttributeDesignator> element. This element contains a URN that identifies the attribute. Alternatively, the <AttributeSelector> element may contain an XPath expression over the request context to identify a particular resource attribute value by its location in the context.
2.6 Multi-valued attributes
The most common techniques for communicating attributes (LDAP, XPath, SAML, etc.) support multiple values per attribute. Therefore, when an XACML PDP retrieves the value of a named attribute, the result may contain multiple values. A collection of such values is called a bag. A bag differs from a set in that it may contain duplicate values, whereas a set may not. Sometimes this situation represents an error. Sometimes the XACML rule is satisfied if any one of the attribute values meets the criteria expressed in the rule.
XACML provides a set of functions that allow a policy writer to be absolutely clear about how the PDP should handle the case of multiple attribute values. These are the "higher-order" functions.
2.7 Policies based on resource contents
In many applications, it is required to base an authorization decision on data contained in the information resource to which access is requested. For instance, a common component of privacy policy is that a person should be allowed to read records for which he or she is the subject. The corresponding policy must contain a reference to the subject identified in the information resource itself.
XACML provides facilities for doing this when the information resource can be represented as an XML document. The <AttributeSelector> element may contain an XPath expression over the request context to identify data in the information resource to be used in the policy evaluation.
In cases where the information resource is not an XML document, specified attributes of the resource can be referenced, as described in Section 2.4.
2.8 Operators
Information security policies operate upon attributes of subjects, the resource and the action to be performed on the resource in order to arrive at an authorization decision. In the process of arriving at the authorization decision, attributes of many different types may have to be compared or computed. For instance, in a financial application, a person's available credit may have to be calculated by adding their credit limit to their account balance. The result may then have to be compared with the transaction value. This sort of situation gives rise to the need for arithmetic operations on attributes of the subject (account balance and credit limit) and the resource (transaction value).
Even more commonly, a policy may identify the set of roles that are permitted to perform a particular action. The corresponding operation involves checking whether there is a non-empty intersection between the set of roles occupied by the subject and the set of roles identified in the policy. Hence the need for set operations.
XACML includes a number of built-in functions and a method of adding non-standard functions. These functions may be nested to build arbitrarily complex expressions. This is achieved with the <Apply> element. The <Apply> element has an XML attribute called FunctionId that identifies the function to be applied to the contents of the element. Each standard function is defined for specific argument data-type combinations, and its return data-type is also specified. Therefore, data-type consistency of the policy can be checked at the time the policy is written or parsed. And the types of the data values presented in the request context can be checked against the values expected by the policy to ensure a predictable outcome.
In addition to operators on numerical and set arguments, operators are defined for date, time and duration arguments.
Relationship operators (equality and comparison) are also defined for a number of data-types, including the RFC822 and X.500 name-forms, strings, URIs, etc.
Also noteworthy are the operators over boolean data-types, which permit the logical combination of predicates in a rule. For example, a rule may contain the statement that access may be perm\itted during business hours AND from a terminal on business premises.
The XACML method of representing functions borrows from MathML [MathML] and from the XQuery 1.0 and XPath 2.0 Functions and Operators specification [XF].
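As an added example (not code from the specification), the following Python type-checks and evaluates nested <Apply> expressions in the way this section and Section 2.6 describe: every FunctionId is registered with its argument and return data-types, so a mistyped policy is rejected when parsed, designators yield bags, and the higher-order any-of function handles a multi-valued role attribute. The function identifiers are the XACML 1.0 ones; the attribute ids (urn:example:...), the request-context layout and the helper functions are assumptions made for this example, which encodes the credit check described above.

```python
import xml.etree.ElementTree as ET
from typing import Any, Callable, Dict, List, Tuple

XS = "http://www.w3.org/2001/XMLSchema#"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
BAG = "bag:"   # prefix marking a bag data-type in this checker; a bag is represented as a Python list

class PolicyTypeError(Exception): """Argument data-types do not fit the function: caught when the policy is parsed."""
class Indeterminate(Exception): """The expression cannot be evaluated against this request context."""

def one_and_only(bag: list) -> Any:
    if len(bag) != 1:
        raise Indeterminate(f"expected a bag holding exactly one value, got {len(bag)}")
    return bag[0]

# FunctionId -> (argument data-types, return data-type, implementation).  A trailing "*" lets the last
# argument type repeat; "any" accepts any primitive type, "bag:any" any bag.  any-of is the higher-order
# function of section 2.6: true if f(value, member) holds for any member of the bag.
FUNCTIONS: Dict[str, Tuple[Tuple[str, ...], str, Callable[..., Any]]] = {
    FN + "string-equal": ((XS + "string", XS + "string"), XS + "boolean", lambda a, b: a == b),
    FN + "integer-add": ((XS + "integer", XS + "integer"), XS + "integer", lambda a, b: a + b),
    FN + "integer-greater-than-or-equal": ((XS + "integer", XS + "integer"), XS + "boolean", lambda a, b: a >= b),
    FN + "integer-one-and-only": ((BAG + XS + "integer",), XS + "integer", one_and_only),
    FN + "and": ((XS + "boolean*",), XS + "boolean", lambda *args: all(args)),
    FN + "any-of": (("function", "any", BAG + "any"), XS + "boolean",
                    lambda f, value, bag: any(f(value, member) for member in bag)),
}

def expand_arg_types(arg_types: Tuple[str, ...], n_args: int) -> List[str]:
    if arg_types and arg_types[-1].endswith("*"):
        fixed, repeated = list(arg_types[:-1]), arg_types[-1][:-1]
        return fixed + [repeated] * max(n_args - len(fixed), 0)
    return list(arg_types)

def type_ok(actual: str, wanted: str) -> bool:
    if wanted == "any":
        return actual != "function" and not actual.startswith(BAG)
    return actual.startswith(BAG) if wanted == BAG + "any" else actual == wanted

def compile_expr(el: ET.Element) -> Tuple[str, Callable[[dict], Any]]:
    """Type-check one expression element and return (its data-type, an evaluator over a request)."""
    tag = el.tag.split("}")[-1]                     # drop the namespace
    if tag == "AttributeValue":
        data_type = el.get("DataType")
        value = int(el.text.strip()) if data_type == XS + "integer" else el.text
        return data_type, lambda request: value
    if tag.endswith("AttributeDesignator"):         # Subject-, Resource-, Action- or Environment-; yields a bag
        key = (tag[:-len("AttributeDesignator")].lower(), el.get("AttributeId"))
        return BAG + el.get("DataType"), lambda request: list(request.get(key, []))  # absent -> empty bag
    if tag not in ("Function", "Apply", "Condition"):
        raise PolicyTypeError(f"unsupported element <{tag}>")
    fid = el.get("FunctionId")
    if fid not in FUNCTIONS:
        raise PolicyTypeError(f"unknown function {fid}")
    arg_types, ret_type, impl = FUNCTIONS[fid]
    if tag == "Function":                           # a function passed as argument to a higher-order one
        return "function", lambda request: impl
    args = [compile_expr(child) for child in el]
    wanted = expand_arg_types(arg_types, len(args))
    if len(wanted) != len(args):
        raise PolicyTypeError(f"{fid}: expected {len(wanted)} arguments, got {len(args)}")
    for (actual, _), want in zip(args, wanted):
        if not type_ok(actual, want):
            raise PolicyTypeError(f"{fid}: argument of type {actual}, expected {want}")
    evaluators = [evaluate for _, evaluate in args]
    return ret_type, lambda request: impl(*[evaluate(request) for evaluate in evaluators])

def is_well_typed(condition_xml: str) -> bool:
    try:
        return compile_expr(ET.fromstring(condition_xml))[0] == XS + "boolean"
    except PolicyTypeError:
        return False

def evaluate_condition(condition_xml: str, request: dict) -> str:
    # Returns "True", "False" or "Indeterminate", the three results a <Condition> can have.
    ret_type, evaluate = compile_expr(ET.fromstring(condition_xml))
    if ret_type != XS + "boolean":
        raise PolicyTypeError("a Condition must evaluate to boolean")
    try:
        return "True" if evaluate(request) else "False"
    except Indeterminate:
        return "Indeterminate"

# Constructed <Condition> for the credit example of section 2.8: credit-limit plus account-balance must
# cover the transaction-value, and the subject must hold the "approver" role (multi-valued, so any-of).
ONE = FN + "integer-one-and-only"
CONDITION = f"""<Condition xmlns="urn:oasis:names:tc:xacml:1.0:policy" FunctionId="{FN}and">
  <Apply FunctionId="{FN}integer-greater-than-or-equal">
    <Apply FunctionId="{FN}integer-add">
      <Apply FunctionId="{ONE}"><SubjectAttributeDesignator AttributeId="urn:example:credit-limit" DataType="{XS}integer"/></Apply>
      <Apply FunctionId="{ONE}"><SubjectAttributeDesignator AttributeId="urn:example:account-balance" DataType="{XS}integer"/></Apply>
    </Apply>
    <Apply FunctionId="{ONE}"><ResourceAttributeDesignator AttributeId="urn:example:transaction-value" DataType="{XS}integer"/></Apply>
  </Apply>
  <Apply FunctionId="{FN}any-of">
    <Function FunctionId="{FN}string-equal"/>
    <AttributeValue DataType="{XS}string">approver</AttributeValue>
    <SubjectAttributeDesignator AttributeId="urn:example:role" DataType="{XS}string"/>
  </Apply>
</Condition>"""
```

A request context for evaluate_condition is a dict from (category, attribute-id) to a bag of values; a credit-limit bag with two values makes integer-one-and-only raise, so the condition is "Indeterminate" rather than silently picking one value.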
2.9 Policy distribution
In a distributed system, individual policy statements may be written by several policy writers and enforced at several enforcement points. In addition to facilitating the collection and combination of independent policy components, this approach allows policies to be updated as required. XACML policy statements may be distributed in any one of a number of ways, but XACML does not describe any normative way to do this. Regardless of the means of distribution, PDPs are expected to confirm, by examining the policy's <Target> element, that the policy is applicable to the decision request that it is processing.
<Policy> elements may be attached to the information resources to which they apply, as described by Perritt [Perritt93]. Alternatively, <Policy> elements may be maintained in one or more locations from which they are retrieved for evaluation. In such cases, the applicable policy may be referenced by an identifier or locator closely associated with the information resource.
2.10 Policy indexing
For efficiency of evaluation and ease of management, the overall security policy in force across an enterprise may be expressed as multiple independent policy components. In this case, it is necessary to identify and retrieve the applicable policy statement and verify that it is the correct one for the requested action before evaluating it. This is the purpose of the <Target> element in XACML.
Two approaches are supported:
1. Policy statements may be stored in a database whose data-model is congruent with that of the <Target> element. The PDP should use the contents of the decision request that it is processing to form the database read command by which applicable policy statements are retrieved. Nevertheless, the PDP should still evaluate the <Target> element of the retrieved policy or policy set statements, as defined by the XACML specification.
2. Alternatively, the PDP may evaluate the <Target> element from each of the policies or policy sets that it has available to it, in the context of a particular decision request, in order to identify the policies and policy sets that are applicable to that request.
The use of constraints limiting the applicability of a policy was described by Sloman [Sloman94].
2.11 Abstraction layer
PEPs come in many forms. For instance, a PEP may be part of a remote-access gateway, part of a Web server or part of an email user-agent, etc. It is unrealistic to expect that all PEPs in an enterprise do currently, or will in the future, issue decision requests to a PDP in a common format. Nevertheless, a particular policy may have to be enforced by multiple PEPs. It would be inefficient to force a policy writer to write the same policy several different ways in order to accommodate the format requirements of each PEP. Similarly, attributes may be contained in various envelope types (e.g. X.509 attribute certificates, SAML attribute assertions, etc.). Therefore, there is a need for a canonical form of the request and response handled by an XACML PDP. This canonical form is called the XACML Context. Its syntax is defined in XML schema.
Naturally, XACML-conformant PEPs may issue requests and receive responses in the form of an XACML context. But where this situation does not exist, an intermediate step is required to convert between the request/response format understood by the PEP and the XACML context format understood by the PDP.
The benefit of this approach is that policies may be written and analyzed independent of the specific environment in which they are to be enforced.
In the case where the native request/response format is specified in XML Schema (e.g. a SAML-conformant PEP), the transformation between the native format and the XACML context may be specified in the form of an Extensible Stylesheet Language Transformation [XSLT].
Similarly, in the case where the resource to which access is requested is an XML document, the resource itself may be included in, or referenced by, the request context. Then, through the use of XPath expressions [XPath] in the policy, values in the resource may be included in the policy evaluation.
2.12 Actions performed in conjunction with enforcement
In many applications, policies specify actions that MUST be performed, either instead of, or in addition to, actions that MAY be performed. This idea was described by Sloman [Sloman94]. XACML provides facilities to specify actions that MUST be performed in conjunction with policy evaluation in the <Obligations> element. This idea was described as a provisional action by Kudo [Kudo00]. There are no standard definitions for these actions in version 1.0 of XACML. Therefore, bilateral agreement between a PAP and the PEP that will enforce its policies is required for correct interpretation. PEPs that conform with v1.0 of XACML are required to deny access unless they understand all the <Obligations> elements associated with the applicable policy. <Obligations> elements are returned to the PEP for enforcement.
3 Models (non-normative)
The data-flow model and language model of XACML are described in the following sub-sections.
3.1 Data-flow model
The major actors in the XACML domain are shown in the data-flow diagram of Figure 1.
Figure 1 - Data-flow diagram
Note: some of the data-flows shown in the diagram may be facilitated by a repository. For instance, the communications between the context handler and the PIP, or the communications between the PDP and the PAP, may be facilitated by a repository. The XACML specification is not intended to place restrictions on the location of any such repository, or indeed to prescribe a particular communication protocol for any of the data-flows.
The model operates by the following steps:
1. PAPs write policies and policy sets and make them available to the PDP. These policies or policy sets represent the complete policy for a specified target.
2. The access requester sends a request for access to the PEP.
3. The PEP sends the request for access to the context handler in its native request format, optionally including attributes of the subjects, resource and action. The context handler constructs an XACML request context in accordance with steps 4, 5, 6 and 7.
4. Subject, resource and environment attributes may be requested from a PIP.
5. The PIP obtains the requested attributes.
6. The PIP returns the requested attributes to the context handler.
7. Optionally, the context handler includes the resource in the context.
8. The context handler sends a decision request, including the target, to the PDP. The PDP identifies the applicable policy and retrieves the required attributes and (optionally) the resource from the context handler. The PDP evaluates the policy.
9. The PDP returns the response context (including the authorization decision) to the context handler.
10. The context handler translates the response context to the native response format of the PEP. The context handler returns the response to the PEP.
11. The PEP fulfills the obligations.
12. (Not shown) If access is permitted, then the PEP permits access to the resource; otherwise, it denies access.
3.2 XACML context
XACML is intended to be suitable for a variety of application environments. The core language is insulated from the application environment by the XACML context, as shown in Figure 2, in which the scope of the XACML specification is indicated by the shaded area. The XACML context is defined in XML schema, describing a canonical representation for the inputs and outputs of the PDP. Attributes referenced by an instance of XACML policy may be in the form of XPath expressions on the context, or attribute designators that identify the attribute by subject, resource, action or environment and its identifier. Implementations must convert between the attribute representations in the application environment (e.g. SAML, J2SE, CORBA, and so on) and the attribute representations in the XACML context. How this is achieved is outside the scope of the XACML specification. In some cases, such as SAML, this conversion may be accomplished in an automated way through the use of an XSLT transformation.
[Figure 2 diagram labels: domain-specific inputs, domain-specific outputs, xacmlContext/Request.xml, xacmlContext/Response.xml, PDP, xacmlPolicy.xml]
Figure 2 - XACML context
Note: The PDP may be implemented such that it uses a processed form of the XML files.
See Section 7.9 for a more detailed discussion of the request context.
3.3 Policy language model
The policy language model is shown in Figure 3. The main components of the model are:
Rule,
Policy, and
Policy set.
These are described in the following sub-sections.
[Figure 3 diagram: class model showing PolicySet, PolicyCombiningAlgorithm, Policy, RuleCombiningAlgorithm, Rule, Target, Subject, Resource, Action, Condition, Effect and Obligations, with their multiplicities]
Figure 3 - Policy language model
3.3.1 Rule
A rule is the most elementary unit of policy. It may exist in isolation only within one of the major actors of the XACML domain. In order to exchange rules between major actors, they must be encapsulated in a policy. A rule can be evaluated on the basis of its contents. The main components of a rule are:
a target,
an effect, and
a condition.
These are discussed in the following sub-sections.
3.3.1.1 Rule target
The target defines the set of
resources,
subjects, and
actions
to which the rule is intended to apply. The <Condition> element may further refine the applicability established by the target. If the rule is intended to apply to all entities of a particular data-type, then an empty element named <AnySubject>, <AnyResource> or <AnyAction> is used. An XACML PDP verifies that the subjects, resource and action identified in the request context are all present in the target of the rules that it uses to evaluate the decision request. Target definitions are discrete, in order that applicable rules may be efficiently identified by the PDP.
The <Target> element may be absent from a <Rule>. In this case, the target of the <Rule> is the same as that of the parent <Policy> element.
Certain subject name-forms, resource name-forms and certain types of resource are internally structured. For instance, the X.500 directory name-form and RFC 822 name-form are structured subject name-forms, whereas an account number commonly has no discernible structure. UNIX file-system path-names and URIs are examples of structured resource name-forms. And an XML document is an example of a structured resource.
Generally, the name of a node (other than a leaf node) in a structured name-form is also a legal instance of the name-form. So, for instance, the RFC822 name "medico.com" is a legal RFC822 name identifying the set of mail addresses hosted by the medico.com mail server. And the XPath/XPointer value "ctx:ResourceContent/md:record/md:patient" is a legal XPath/XPointer value identifying a node-set in an XML document.
The question arises: how should a name that identifies a set of subjects or resources be interpreted by the PDP, whether it appears in a policy or a request context? Are they intended to represent just the node explicitly identified by the name, or are they intended to represent the entire sub-tree subordinate to that node?
In the case of subjects, there is no real entity that corresponds to such a node. So, names of this type always refer to the set of subjects subordinate in the name structure to the identified node. Consequently, non-leaf subject names should not be used in equality functions, only in match functions, such as "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match", not "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal" (see Appendix A).
On the other hand, in the case of resource names and resources themselves, three options exist. The name could refer to:
1. the contents of the identified node only;
2. the contents of the identified node and the contents of its immediate child nodes; or
3. the contents of the identified node and all its descendant nodes.
All three options are supported in XACML.
3.3.1.2 Effect
The effect of the rule indicates the rule-writer's intended consequence of a "True" evaluation for the rule. Two values are allowed: "Permit" and "Deny".
3.3.1.3 Condition
Condition represents a boolean expression that refines the applicability of the rule beyond the predicates implied by its target. Therefore, it may be absent.
3.3.2 Policy
From the data-flow model, one can see that rules are not exchanged amongst system entities. Therefore, a PAP combines rules in a policy. A policy comprises four main components:
a target,
a rule-combining algorithm-identifier,
a set of rules, and
obligations.
Rules are described above. The remaining components are described in the following sub-sections.
3.3.2.1 Policy target
An XACML <PolicySet>, <Policy> or <Rule> element contains a <Target> element that specifies the set of subjects, resources and actions to which it applies. The <Target> of a <PolicySet> or <Policy> may be declared by the writer of the <PolicySet> or <Policy>, or it may be calculated from the <Target> elements of the <PolicySet>, <Policy> and <Rule> elements that it contains.
A system entity that calculates a <Target> in this way is not defined by XACML, but there are two logical methods that might be used. In one method, the <Target> element of the outer <PolicySet> or <Policy> (the outer component) is calculated as the union of all the <Target> elements of the referenced <PolicySet>, <Policy> or <Rule> elements (the inner components). In another method, the <Target> element of the outer component is calculated as the intersection of all the <Target> elements of the inner components. The results of evaluation in each case will be very different: in the first case, the <Target> element of the outer component makes it applicable to any decision request that matches the <Target> element of at least one inner component; in the second case, the <Target> element of the outer component makes it applicable only to decision requests that match the <Target> elements of every inner component. Note that computing the intersection of a set of <Target> elements is likely only practical if the target data-model is relatively simple.
In cases where the <Target> of a <Policy> is declared by the policy writer, any component <Rule> elements in the <Policy> that have the same <Target> element as the <Policy> element may omit the <Target> element. Such <Rule> elements inherit the <Target> of the <Policy> in which they are contained.
3.3.2.2 Rule-combining algorithm
The rule-combining algorithm specifies the procedure by which the results of evaluating the component rules are combined when evaluating the policy, i.e. the Decision value placed in the response context by the PDP is the value of the policy, as defined by the rule-combining algorithm.
See Appendix C for definitions of the normative rule-combining algorithms.
3.3.2.3 Obligations
The XACML <Rule> syntax does not contain an element suitable for carrying obligations; therefore, if required in a policy, obligations must be added by the writer of the policy.
When a PDP evaluates a policy containing obligations, it returns certain of those obligations to the PEP in the response context. Section 7.11 explains which obligations are to be returned.
3.3.3 Policy set
A policy set comprises four main components:
a target,
a policy-combining algorithm-identifier,
a set of policies, and
obligations.
The target and policy components are described above. The other components are described in the following sub-sections.
3.3.3.1 Policy-combining algorithm
The policy-combining algorithm specifies the procedure by which the results of evaluating the component policies are combined when evaluating the policy set, i.e. the Decision value placed in the response context by the PDP is the result of evaluating the policy set, as defined by the policy-combining algorithm.
See Appendix C for definitions of the normative policy-combining algorithms.
3.3.3.2 Obligations
The writer of a policy set may add obligations to the policy set, in addition to those contained in the component policies and policy sets.
When a PDP evaluates a policy set containing obligations, it returns certain of those obligations to the PEP in its response context. Section 7.11 explains which obligations are to be returned.
4 Examples (non-normative)
This section contains two examples of the use of XACML for illustrative purposes. The first example is a relatively simple one, to illustrate the use of target, context, matching functions and subject attributes. The second example additionally illustrates the use of the rule-combining algorithm, conditions and obligations.
4.1 Example one
4.1.1 Example policy
Assume that a corporation named Medi Corp (medico.com) has an access control policy that states, in English:
Any user with an e-mail name in the "medico.com" namespace is allowed to perform any action on any resource.
An XACML policy consists of header information, an optional text description of the policy, a target, one or more rules and an optional set of obligations.
The header for this policy is:
[p01] <?xml version="1.0" encoding="UTF-8"?>
[p02] <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[p03]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[p04]   xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy
[p05]     http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-policy-01.xsd"
[p06]   PolicyId="identifier:example:SimplePolicy1"
[p07]   RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
[p01] is a standard XML document tag indicating which version of XML is being used and what the character encoding is.
[p02] introduces the XACML Policy itself.
[p03-p05] are XML namespace declarations.
[p05] gives a URL to the schema for XACML policies.
[p06] assigns a name to this policy instance. The name of a policy should be unique for a given PDP, so that there is no ambiguity if one policy is referenced from another policy.
[p07] specifies the algorithm that will be used to resolve the results of the various rules that may be in the policy. The deny-overrides rule-combining algorithm specified here says that, if any rule evaluates to "Deny", then that policy must return "Deny". If all rules evaluate to "Permit", then the policy must return "Permit". The rule-combining algorithm, which is fully described in Appendix C, also says what to do if an error were to occur when evaluating any rule, and what to do with rules that do not apply to a particular decision request.
[p08] <Description>
[p09]   Medi Corp access control policy
[p10] </Description>
[p08-p10] provide a text description of the policy. This description is optional.
[p11] <Target>
[p12]   <Subjects>
[p13]     <AnySubject/>
[p14]   </Subjects>
[p15]   <Resources>
[p16]     <AnyResource/>
[p17]   </Resources>
[p18]   <Actions>
[p19]     <AnyAction/>
[p20]   </Actions>
[p21] </Target>
[p11-p21] describe the decision requests to which this policy applies. If the subject, resource and action in a decision request do not match the values specified in the target, then the remainder of the policy does not need to be evaluated. This target section is very useful for creating an index to a set of policies. In this simple example, the target section says the policy is applicable to any decision request.
[p22] <Rule
[p23]   RuleId="urn:oasis:names:tc:xacml:1.0:example:SimpleRule1"
[p24]   Effect="Permit">
[p22] introduces the one and only rule in this simple policy. Just as for a policy, each rule must have a unique identifier (at least unique for any PDP that will be using the policy).
[p23] specifies the identifier for this rule.
[p24] says what effect this rule has if the rule evaluates to "True". Rules can have an effect of either "Permit" or "Deny". In this case, the rule will evaluate to "Permit", meaning that, as far as this one rule is concerned, the requested access should be permitted. If a rule evaluates to "False", then it returns a result of "NotApplicable". If an error occurs when evaluating the rule, the rule returns a result of "Indeterminate". As mentioned above, the rule-combining algorithm for the policy tells how various rule values are combined into a single policy value.
[p25] <Description>
[p26]   Any subject with an e-mail name in the medico.com domain
[p27]   can perform any action on any resource.
[p28] </Description>
[p25-p28] provide a text description of this rule. This description is optional.
[p29] <Target>
[p29] introduces the target of the rule. As described above for the target of a policy, the target of a rule describes the decision requests to which this rule applies. If the subject, resource and action in a decision request do not match the values specified in the rule target, then the remainder of the rule does not need to be evaluated, and a value of "NotApplicable" is returned to the policy evaluation.
[p30]   <Subjects>
[p31]     <Subject>
[p32]       <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
[p33]         <SubjectAttributeDesignator
[p34]           AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
[p35]           DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
[p36]         <AttributeValue
[p37]           DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">medico.com
[p38]         </AttributeValue>
[p39]       </SubjectMatch>
[p40]     </Subject>
[p41]   </Subjects>
[p42]   <Resources>
[p43]     <AnyResource/>
[p44]   </Resources>
[p45]   <Actions>
[p46]     <AnyAction/>
[p47]   </Actions>
[p48] </Target>
The rule target is similar to the target of the policy itself, but with one important difference: [p32-p41] do not say <AnySubject>, but instead spell out a specific value that the subject in the decision request must match. The <SubjectMatch> element specifies a matching function in the MatchId attribute, a pointer to a specific subject attribute in the request context by means of the <SubjectAttributeDesignator> element, and a literal value of "medico.com". The matching function will be used to compare the value of the subject attribute with the literal value. Only if the match returns "True" will this rule apply to a particular decision request. If the match returns "False", then this rule will return a value of "NotApplicable".
[p49] </Rule>
[p50] </Policy>
[p49] closes the rule we have been examining. In this rule, all the work is done in the <Target> element. In more complex rules, the <Target> may have been followed by a <Condition> (which could also be a set of conditions to be ANDed or ORed together).
[p50] closes the policy we have been examining. As mentioned above, this policy has only one rule, but more complex policies may have any number of rules.
4.1.2 Example request context
Let's examine a hypothetical decision request that might be submitted to a PDP using the policy above. In English, the access request that generates the decision request may be stated as follows:
Bart Simpson, with e-mail name "bs@simpsons.com", wants to read his medical record at Medi Corp.
In XACML, the information in the decision request is formatted into a request context statement that looks as follows:
[c01] <?xml version="1.0" encoding="UTF-8"?>
[c02] <Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
[c03]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[c04]   xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context
[c05]     http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-context-01.xsd">
[c01-c05] are the header for the request context and are used the same way as the header for the policy explained above.
[c06] <Subject>
[c07]   <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
[c08]     DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
[c09]     <AttributeValue>bs@simpsons.com</AttributeValue>
[c10]   </Attribute>
[c11] </Subject>
The <Subject> element contains one or more attributes of the entity making the access request. There can be multiple subjects, and each subject can have multiple attributes. In this case, in [c06-c11], there is only one subject, and the subject has only one attribute: the subject's identity, expressed as an e-mail name, is "bs@simpsons.com".
[c12] <Resource>
[c13]   <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:ufs-path"
[c14]     DataType="http://www.w3.org/2001/XMLSchema#anyURI">
[c15]     <AttributeValue>/medico/record/patient/BartSimpson</AttributeValue>
[c16]   </Attribute>
[c17] </Resource>
The <Resource> element contains one or more attributes of the resource to which the subject (or subjects) has requested access. There can be only one <Resource> per decision request. Lines [c13-c16] contain the one attribute of the resource to which Bart Simpson has requested access: the resource unix file-system path-name, which is "/medico/record/patient/BartSimpson".
[c18] <Action>
[c19]   <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
[c20]     DataType="http://www.w3.org/2001/XMLSchema#string">
[c21]     <AttributeValue>read</AttributeValue>
[c22]   </Attribute>
[c23] </Action>
The <Action> element contains one or more attributes of the action that the subject (or subjects) wishes to take on the resource. There can be only one action per decision request. [c18-c23] describe the identity of the action Bart Simpson wishes to take, which is "read".
[c24] </Request>
[c24] closes the request context. A more complex request context may have contained some attributes not associated with the subject, the resource or the action. These would have been placed in an optional <Environment> element following the <Action> element.
The PDP processing this request context locates the policy in its policy repository. It compares the subject, resource and action in the request context with the subjects, resources and actions in the policy target. Since the policy target matches the <AnySubject>, <AnyResource> and <AnyAction> elements, the policy matches this context.
The PDP now compares the subject, resource and action in the request context with the target of the one rule in this policy. The requested resource matches the <AnyResource> element and the requested action matches the <AnyAction> element, but the requesting subject-id attribute does not match "medico.com".
4.1.3 Example response context
As a result, there is no rule in this policy that returns a "Permit" result for this request. The rule-combining algorithm for the policy specifies that, in this case, a result of "NotApplicable" should be returned. The response context looks as follows:
[r01] <?xml version="1.0" encoding="UTF-8"?>
[r02] <Response xmlns="urn:oasis:names:tc:xacml:1.0:context"
[r03]   xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context
[r04]     http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-context-01.xsd">
[r01-r04] contain the same sort of header information for the response as was described above for a policy.
[r05] <Result>
[r06]   <Decision>NotApplicable</Decision>
[r07] </Result>
The <Result> element in lines [r05-r07] contains the result of evaluating the decision request against the policy. In this case, the result is "NotApplicable". A policy can return "Permit", "Deny", "NotApplicable" or "Indeterminate".
[r08] </Response>
[r08] closes the response context.
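The evaluation walked through in 4.1.2 and 4.1.3, carried out in code. This is an added Python example, not part of the specification or of any XACML implementation: it parses the example policy and request context listed above (reproduced inline, with xsi:schemaLocation dropped), applies rfc822Name-match and the deny-overrides algorithm, and reaches the "NotApplicable" decision of 4.1.3; it also shows the match/equal distinction of 3.3.1.1. Function names, the second requester bs@medico.com and the omission of Appendix A's sub-domain form and of Indeterminate handling are assumptions of this example.

```python
"""Minimal evaluator for the Section 4.1 example (added illustration, not XACML
reference code): it handles only the constructs that example uses and ignores
<Condition>, Indeterminate results and obligations."""
import xml.etree.ElementTree as ET

P = "{urn:oasis:names:tc:xacml:1.0:policy}"   # policy namespace (Clark notation)
C = "{urn:oasis:names:tc:xacml:1.0:context}"  # request-context namespace

# The policy of 4.1.1, as listed there (xsi:schemaLocation omitted).
POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
  PolicyId="identifier:example:SimplePolicy1"
  RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
  <Description>Medi Corp access control policy</Description>
  <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources>
    <Actions><AnyAction/></Actions></Target>
  <Rule RuleId="urn:oasis:names:tc:xacml:1.0:example:SimpleRule1" Effect="Permit">
    <Target><Subjects><Subject>
      <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
          DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
        <AttributeValue DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">medico.com</AttributeValue>
      </SubjectMatch></Subject></Subjects>
    <Resources><AnyResource/></Resources><Actions><AnyAction/></Actions></Target>
  </Rule></Policy>"""

# The request context of 4.1.2; %s stands in for the subject-id so it can be replayed.
REQUEST = """<Request xmlns="urn:oasis:names:tc:xacml:1.0:context">
  <Subject><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
      DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
    <AttributeValue>%s</AttributeValue></Attribute></Subject>
  <Resource><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:ufs-path"
      DataType="http://www.w3.org/2001/XMLSchema#anyURI">
    <AttributeValue>/medico/record/patient/BartSimpson</AttributeValue></Attribute></Resource>
  <Action><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
      DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>read</AttributeValue></Attribute></Action></Request>"""

def rfc822name_match(pattern, name):
    """rfc822Name-match as used at [p32]: a pattern without '@' names a mail domain
    and matches every address in it (domain compared case-insensitively); a full
    address must match exactly. Appendix A's leading-'.' sub-domain form is omitted."""
    if "@" not in name:
        return False
    local, domain = name.rsplit("@", 1)
    if "@" in pattern:
        plocal, pdomain = pattern.rsplit("@", 1)
        return plocal == local and pdomain.lower() == domain.lower()
    return pattern.lower() == domain.lower()

def rfc822name_equal(a, b):
    """Equality needs two complete addresses: per 3.3.1.1 a domain-only name
    such as medico.com belongs in a match function, not an equal function."""
    if "@" not in a or "@" not in b:
        return False
    (al, ad), (bl, bd) = a.rsplit("@", 1), b.rsplit("@", 1)
    return al == bl and ad.lower() == bd.lower()

FUNCTIONS = {"urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match": rfc822name_match}

def attribute_bag(request, category, attribute_id):  # one attribute's values in a section
    return [v.text.strip()
            for sec in request.findall(C + category)
            for a in sec.findall(C + "Attribute") if a.get("AttributeId") == attribute_id
            for v in a.findall(C + "AttributeValue")]

def section_matches(target, request, category):
    """<Subjects> is a disjunction of <Subject>, each a conjunction of <SubjectMatch>
    (Resource, Action likewise); a match holds if its literal matches any bag value."""
    section = target.find(P + category + "s")
    if section.find(P + "Any" + category) is not None:
        return True
    def one_match(m):
        fn = FUNCTIONS[m.get("MatchId")]
        literal = m.find(P + "AttributeValue").text.strip()
        attr_id = m.find(P + category + "AttributeDesignator").get("AttributeId")
        return any(fn(literal, v) for v in attribute_bag(request, category, attr_id))
    return any(all(one_match(m) for m in entry.findall(P + category + "Match"))
               for entry in section.findall(P + category))

def target_matches(target, request):
    return all(section_matches(target, request, c) for c in ("Subject", "Resource", "Action"))

def evaluate_rule(rule, request):
    """NotApplicable if the rule target fails, else its Effect (no <Condition> here)."""
    target = rule.find(P + "Target")  # an absent target inherits the policy's
    if target is not None and not target_matches(target, request):
        return "NotApplicable"
    return rule.get("Effect")

def deny_overrides(decisions):  # Appendix C deny-overrides, Indeterminate cases left out
    return ("Deny" if "Deny" in decisions else
            "Permit" if "Permit" in decisions else "NotApplicable")

def evaluate(policy_xml, request_xml):
    """Step 8 of the 3.1 data flow: policy target, each rule, combining algorithm."""
    policy, request = ET.fromstring(policy_xml), ET.fromstring(request_xml)
    if not target_matches(policy.find(P + "Target"), request):
        return "NotApplicable"
    return deny_overrides([evaluate_rule(r, request) for r in policy.findall(P + "Rule")])
```

Calling evaluate(POLICY, REQUEST % "bs@simpsons.com") gives "NotApplicable", as in 4.1.3, while the constructed requester "bs@medico.com" gives "Permit".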
4.2 Example two
This section contains an example XML document, an example request context and example XACML rules. The XML document is a medical record. Four separate rules are defined. These illustrate a rule-combining algorithm, conditions and obligations.
4.2.1 Example medical record instance
The following is an instance of a medical record to which the example XACML rules can be applied. The <record> schema is defined in the registered namespace administered by medico.com.
<?xml version="1.0" encoding="UTF-8"?>
<record xmlns="http://www.medico.com/schemas/record.xsd"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <patient>
    <patientName>
      <first>Bartholomew</first>
      <last>Simpson</last>
    </patientName>
    <patientContact>
      <street>27 Shelbyville Road</street>
      <city>Springfield</city>
      <state>MA</state>
      <zip>12345</zip>
      <phone>555.123.4567</phone>
      <fax/>
      <email/>
    </patientContact>
    <patientDoB>1992-03-21</patientDoB>
    <patientGender>male</patientGender>
    <patient-number>555555</patient-number>
  </patient>
  <parentGuardian>
    <parentGuardianId>HS001</parentGuardianId>
    <parentGuardianName>
      <first>Homer</first>
      <last>Simpson</last>
    </parentGuardianName>
    <parentGuardianContact>
      <street>27 Shelbyville Road</street>
      <city>Springfield</city>
      <state>MA</state>
      <zip>12345</zip>
      <phone>555.123.4567</phone>
      <fax/>
      <email>homers@aol.com</email>
    </parentGuardianContact>
  </parentGuardian>
  <primaryCarePhysician>
    <physicianName>
      <first>Julius</first>
      <last>Hibbert</last>
    </physicianName>
    <physicianContact>
      <street>1 First St</street>
      <city>Springfield</city>
      <state>MA</state>
      <zip>12345</zip>
      <phone>555.123.9012</phone>
      <fax>555.123.9013</fax>
      <email/>
    </physicianContact>
    <registrationID>ABC123</registrationID>
  </primaryCarePhysician>
  <insurer>
    <name>Blue Cross</name>
    <street>1234 Main St</street>
    <city>Springfield</city>
    <state>MA</state>
    <zip>12345</zip>
    <phone>555.123.5678</phone>
    <fax>555.123.5679</fax>
    <email/>
  </insurer>
  <medical>
    <treatment>
      <drug>
        <name>methylphenidate hydrochloride</name>
        <dailyDosage>30mgs</dailyDosage>
        <startDate>1999-01-12</startDate>
      </drug>
      <comment>patient exhibits side-effects of skin coloration and carpal degeneration</comment>
    </treatment>
    <result>
      <test>blood pressure</test>
      <value>120/80</value>
      <date>2001-06-09</date>
      <performedBy>Nurse Betty</performedBy>
    </result>
  </medical>
</record>
4.2.2 Example request context
The following example illustrates a request context to which the example rules may be applicable. It represents a request by the physician Julius Hibbert to read the patient date of birth in the record of Bartholomew Simpson.
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
[03]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
[04]   <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
[05]     <Attribute AttributeId=
[06]         "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
[07]       DataType=
[08]         "urn:oasis:names:tc:xacml:1.0:data-type:x500Name"
[09]       Issuer="www.medico.com"
[10]       IssueInstant="2001-12-17T09:30:47-05:00">
[11]       <AttributeValue>CN=Julius Hibbert</AttributeValue>
[12]     </Attribute>
[13]     <Attribute AttributeId=
[14]         "urn:oasis:names:tc:xacml:1.0:example:attribute:role"
[15]       DataType="http://www.w3.org/2001/XMLSchema#string"
[16]       Issuer="www.medico.com"
[17]       IssueInstant="2001-12-17T09:30:47-05:00">
[18]       <AttributeValue>physician</AttributeValue>
[19]     </Attribute>
[20]     <Attribute AttributeId=
[21]         "urn:oasis:names:tc:xacml:1.0:example:attribute:physician-id"
[22]       DataType="http://www.w3.org/2001/XMLSchema#string"
[23]       Issuer="www.medico.com"
[24]       IssueInstant="2001-12-17T09:30:47-05:00">
[25]       <AttributeValue>jh1234</AttributeValue>
[26]     </Attribute>
[27]   </Subject>
[28]   <Resource>
[29]     <ResourceContent>
[30]       <md:record
[31]         xmlns:md="http://www.medico.com/schemas/record.xsd">
[32]         <md:patient>
[33]           <md:patientDoB>1992-03-21</md:patientDoB>
[34]         </md:patient>
[35]         <!-- other fields -->
[36]       </md:record>
[37]     </ResourceContent>
[38]     <Attribute AttributeId=
[39]         "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
[40]       DataType="http://www.w3.org/2001/XMLSchema#string">
[41]       <AttributeValue>
[42]         //medico.com/records/bart-simpson.xml#
[43]         xmlns(md=http://www.medico.com/schemas/record.xsd)
[44]         xpointer(/md:record/md:patient/md:patientDoB)
[45]       </AttributeValue>
[46]     </Attribute>
[47]     <Attribute AttributeId=
[48]         "urn:oasis:names:tc:xacml:1.0:resource:xpath"
[49]       DataType="http://www.w3.org/2001/XMLSchema#string">
[50]       <AttributeValue>
[51]         xmlns(md=http://www.medico.com/schemas/record.xsd)
[52]         xpointer(/md:record/md:patient/md:patientDoB)
[53]       </AttributeValue>
[54]     </Attribute>
[55]     <Attribute AttributeId=
[56]         "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
[57]       DataType="http://www.w3.org/2001/XMLSchema#string">
[58]       <AttributeValue>
[59]         http://www.medico.com/schemas/record.xsd
[60]       </AttributeValue>
[61]     </Attribute>
[62]   </Resource>
[63]   <Action>
[64]     <Attribute AttributeId=
[65]         "urn:oasis:names:tc:xacml:1.0:action:action-id"
[66]       DataType="http://www.w3.org/2001/XMLSchema#string">
[67]       <AttributeValue>read</AttributeValue>
[68]     </Attribute>
[69]   </Action>
[70] </Request>
[02]-[03] Standard namespace declarations.
[04]-[27] Subject attributes are placed in the Subject section of the Request. Each attribute consists of the attribute meta-data and the attribute value.
[04] Each Subject element has a SubjectCategory xml attribute. The value of this attribute describes the role that the subject plays in making the decision request. The value of "access-subject" denotes the identity for which the request was issued.
[05]-[12] Subject subject-id attribute.
[13]-[19] Subject role attribute.
[20]-[26] Subject physician-id attribute.
[28]-[62] Resource attributes are placed in the Resource section of the Request. Each attribute consists of attribute meta-data and an attribute value.
[29]-[36] Resource content. The XML document that is being requested is placed here.
[38]-[46] Resource identifier.
[47]-[61] The Resource is identified with an XPointer expression that names the URI of the file that is accessed, the target namespace of the document and the XPath location path to the specific element.
[47]-[54] The XPath location path in the "resource-id" attribute is extracted and placed in the xpath attribute.
[55]-[61] Resource target-namespace attribute.
[63]-[69] Action attributes are placed in the Action section of the Request.
[64]-[68] Action identifier.
4.2.3 Example plain-language rules
The following plain-language rules are to be enforced:
Rule 1: A person, identified by his or her patient number, may read any record for which he or she is the designated patient.
Rule 2: A person may read any record for which he or she is the designated parent or guardian, and for which the patient is under 16 years of age.
Rule 3: A physician may write to any medical element for which he or she is the designated primary care physician, provided an email is sent to the patient.
Rule 4: An administrator shall not be permitted to read or write to medical elements of a patient record.
These rules may be written by different PAPs operating independently, or by a single PAP.
4.2.4 Example XACML rule instances
4.2.4.1 Rule 1
Rule 1 illustrates a simple rule with a single <Condition> element. The following XACML <Rule> instance expresses Rule 1:
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Rule
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   xmlns:ctx="urn:oasis:names:tc:xacml:1.0:context"
[06]   xmlns:md="http://www.medico.com/schemas/record.xsd"
[07]   RuleId="urn:oasis:names:tc:xacml:examples:ruleid:1"
[08]   Effect="Permit">
[09]   <Description>
[10]     A person may read any medical record in the
[11]     http://www.medico.com/schemas/record.xsd namespace
[12]     for which he or she is a designated patient
[13]   </Description>
[14]   <Target>
[15]     <Subjects>
[16]       <AnySubject/>
[17]     </Subjects>
[18]     <Resources>
[20]       <Resource>
[21]         <!-- match document target namespace -->
[22]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[23]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[24]             http://www.medico.com/schemas/record.xsd
[25]           </AttributeValue>
[26]           <ResourceAttributeDesignator AttributeId=
[27]               "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[28]         </ResourceMatch>
[29]         <!-- match requested xml element -->
[30]         <ResourceMatch
               MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-node-match">
[31]           <AttributeValue
               DataType="http://www.w3.org/2001/XMLSchema#string">/md:record</AttributeValue>
[32]           <ResourceAttributeDesignator AttributeId=
[33]               "urn:oasis:names:tc:xacml:1.0:resource:xpath"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[34]         </ResourceMatch>
[35]       </Resource>
[36]     </Resources>
[37]     <Actions>
[38]       <Action>
[39]         <ActionMatch
               MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[40]           <AttributeValue
               DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
[41]           <ActionAttributeDesignator AttributeId=
[42]               "urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[43]         </ActionMatch>
[44]       </Action>
[45]     </Actions>
[46]   </Target>
[47]   <!-- compare policy number in the document with
[48]        policy-number attribute -->
[49]   <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[50]     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[51]       <!-- policy-number attribute -->
[52]       <SubjectAttributeDesignator AttributeId=
[53]           "urn:oasis:names:tc:xacml:1.0:examples:attribute:policy-number"
           DataType="http://www.w3.org/2001/XMLSchema#string"/>
[54]     </Apply>
[55]     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[56]       <!-- policy number in the document -->
[57]       <AttributeSelector RequestContextPath=
[58]           "//md:record/md:patient/md:patient-number/text()"
           DataType="http://www.w3.org/2001/XMLSchema#string">
[59]       </AttributeSelector>
[60]     </Apply>
[61]   </Condition>
[62] </Rule>
[02]-[06] XML namespace declarations.
[07] Rule identifier.
[08] When a rule evaluates to 'True', it emits the value of the Effect attribute. This value is combined with the Effect values of other rules according to the rule-combining algorithm.
[09]-[13] Free-form description of the rule.
[14]-[46] A rule target defines the set of decision requests to which the rule applies. A decision request matches the target of this rule when the value of the "urn:oasis:names:tc:xacml:1.0:resource:target-namespace" resource attribute is equal to "http://www.medico.com/schemas/record.xsd", the value of the "urn:oasis:names:tc:xacml:1.0:resource:xpath" resource attribute matches the XPath expression "md:record", and the value of the "urn:oasis:names:tc:xacml:1.0:action:action-id" action attribute is equal to "read".
[15]-[17] The Subjects element contains either a disjunctive sequence of Subject elements or an AnySubject element.
[16] The AnySubject element is a special element that matches any subject in the request context.
[18]-[36] The Resources element contains either a disjunctive sequence of Resource elements or an AnyResource element.
[20]-[35] The Resource element encloses a conjunctive sequence of ResourceMatch elements; every one of them must match.
[22]-[28] The ResourceMatch element compares its first and second child elements using the matching function. A match is positive if the value of the first argument matches any of the values selected by the second argument. This match compares the target namespace of the requested document with the literal "http://www.medico.com/schemas/record.xsd".
[22] The MatchId attribute names the matching function.
[23]-[25] Literal attribute value to match.
[26]-[27] The ResourceAttributeDesignator element selects the resource attribute values from the request context. The attribute name is given by the AttributeId. The selection result is a bag of values.
[30]-[34] The second ResourceMatch compares the results of two XPath expressions. The first is the literal "md:record"; the second is the location path of the requested XML element. The "xpath-node-match" function evaluates to "True" if the requested XML element is the md:record element itself or lies below it.
[30] The MatchId attribute names the matching function.
[31] The literal XPath expression to match. The md prefix is resolved using the standard namespace declaration on the Rule element.
[32]-[33] The ResourceAttributeDesignator selects the bag of values for the "urn:oasis:names:tc:xacml:1.0:resource:xpath" resource attribute. Here the bag holds a single value: the location path of the requested XML element.
[37]-[45] The Actions element contains either a disjunctive sequence of Action elements or an AnyAction element.
[38]-[44] The Action element contains a conjunctive sequence of ActionMatch elements.
[39]-[43] The ActionMatch element compares its first and second child elements using the matching function. A match is positive if the value of the first argument matches any of the values selected by the second argument. Here the value of the action-id action attribute in the request context is compared with the literal "read".
[39] The MatchId attribute names the matching function.
[40] The attribute value to match; this is an action name.
[41]-[42] The ActionAttributeDesignator selects action attribute values from the request context. The attribute name is given by the AttributeId. The selection result is a bag of values. "urn:oasis:names:tc:xacml:1.0:action:action-id" is the predefined name for the action identifier.
[49]-[61] The <Condition> element. A condition must evaluate to "True" for the rule to apply. This condition evaluates the truth of the statement: the policy-number subject attribute is equal to the patient number recorded in the XML document.
[49] The FunctionId attribute of the <Condition> element names the function used for the comparison. Here the comparison is done with "urn:oasis:names:tc:xacml:1.0:function:string-equal"; this function takes two arguments of the "http://www.w3.org/2001/XMLSchema#string" data-type.
[50] The first argument to "urn:oasis:names:tc:xacml:1.0:function:string-equal" in the Condition. Functions can take other functions as arguments; the Apply element encodes a function call, with the FunctionId attribute naming the function. Since "urn:oasis:names:tc:xacml:1.0:function:string-equal" takes arguments of the "http://www.w3.org/2001/XMLSchema#string" data-type while the SubjectAttributeDesignator selects a bag of such values, "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" is applied first. This function returns the single element of its argument bag; if the bag is empty or holds more than one value it produces an error, and the rule evaluates to "Indeterminate" rather than to "True" or "False".
[52]-[53] The SubjectAttributeDesignator selects the bag of values of the policy-number subject attribute from the request context.
[55] The second argument to "urn:oasis:names:tc:xacml:1.0:function:string-equal" in the Condition. As for the first argument, the AttributeSelector yields a bag of "http://www.w3.org/2001/XMLSchema#string" values, so "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" is applied to reduce it to exactly one value.
[57] The AttributeSelector element selects a bag of values from the request context. The AttributeSelector is a free-form XPath pointing device into the request context. The RequestContextPath attribute specifies an XPath expression over the content of the requested XML document, here selecting the patient number. Note that the namespace prefixes in the XPath expression are resolved with the standard XML namespace declarations.
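The target matching and condition evaluation just described for Rule 1, carried out in Python against a request context. This is an added example, not part of the specification or of any XACML implementation: it models the bag semantics of string-one-and-only, the xpath-node-match test and the AttributeSelector with the standard library's ElementTree, resolving location paths relative to the md:record document element (a simplification of full XPath), and it uses a constructed medical record and the attribute identifiers taken from the rule. The interesting cases are the ones the prose only hints at: a request carrying no policy-number, or two of them, does not simply fail the comparison but yields "Indeterminate".

```python
import xml.etree.ElementTree as ET

# Namespace of the medical record schema used by the spec's examples.
MEDICO = "http://www.medico.com/schemas/record.xsd"
NS = {"md": MEDICO}
POLICY_NUMBER = "urn:oasis:names:tc:xacml:1.0:examples:attribute:policy-number"

# Constructed sample record (not from the spec); the AttributeSelector reads it.
RECORD = f"""<md:record xmlns:md="{MEDICO}">
  <md:patient>
    <md:patient-number>555555</md:patient-number>
  </md:patient>
  <md:medical><md:treatment>flu shot</md:treatment></md:medical>
</md:record>"""


class Indeterminate(Exception):
    """Raised when a function cannot be applied, e.g. string-one-and-only on 0 or 2 values."""


def string_one_and_only(bag):
    """urn:...:function:string-one-and-only: the bag must hold exactly one value."""
    if len(bag) != 1:
        raise Indeterminate(f"expected exactly one value, bag has {len(bag)}")
    return bag[0]


def resolve(doc, path):
    """Resolve a location path such as //md:record/md:patient against the parsed
    record; the leading md:record step must name the document element."""
    steps = path.lstrip("/").split("/")
    if steps[0] != "md:record":
        return None
    return doc if len(steps) == 1 else doc.find("/".join(steps[1:]), NS)


def xpath_node_match(doc, policy_path, requested_path):
    """urn:...:function:xpath-node-match: True if the requested node equals, or lies
    below, a node selected by the policy's XPath."""
    pol, req = resolve(doc, policy_path), resolve(doc, requested_path)
    return pol is not None and req is not None and any(n is req for n in pol.iter())


def attribute_selector(doc, path):
    """AttributeSelector over .../text(): the element's text as a bag (empty if absent)."""
    el = resolve(doc, path.removesuffix("/text()"))
    return [] if el is None or el.text is None else [el.text.strip()]


def rule1(request):
    """Evaluate Rule 1 for one request context: Permit, NotApplicable or Indeterminate."""
    doc = ET.fromstring(request["content"])
    res, act, subj = request["resource"], request["action"], request["subject"]
    # Target: namespace equals, requested element at or below md:record, action "read".
    if not (MEDICO in res["target-namespace"]
            and any(xpath_node_match(doc, "md:record", p) for p in res["xpath"])
            and "read" in act["action-id"]):
        return "NotApplicable"
    try:
        # Condition: string-equal(one-and-only(policy-number), one-and-only(patient-number)).
        matches = string_one_and_only(subj.get(POLICY_NUMBER, [])) == string_one_and_only(
            attribute_selector(doc, "//md:record/md:patient/md:patient-number/text()"))
    except Indeterminate:
        return "Indeterminate"
    return "Permit" if matches else "NotApplicable"


def make_request(policy_numbers, xpath="md:record/md:medical/md:treatment", action="read"):
    """Build a request context; every attribute value is a bag (a list)."""
    return {"subject": {POLICY_NUMBER: policy_numbers},
            "resource": {"target-namespace": [MEDICO], "xpath": [xpath]},
            "action": {"action-id": [action]},
            "content": RECORD}
```

A PDP that treated the empty or two-valued bag as "not equal" would quietly turn an attribute-injection or duplicate-attribute problem into NotApplicable; reporting Indeterminate keeps it visible to the combining algorithm.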
4.2.4.2 Rule 2
Rule 2 illustrates the use of a mathematical function, i.e. the <Apply> element with FunctionId "urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration", to calculate a date. It also illustrates the use of predicate expressions with the FunctionId "urn:oasis:names:tc:xacml:1.0:function:and".
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Rule
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   xmlns:ctx="urn:oasis:names:tc:xacml:1.0:context"
[06]   xmlns:md="http://www.medico.com/schemas/record.xsd"
[07]   RuleId="urn:oasis:names:tc:xacml:examples:ruleid:2"
[08]   Effect="Permit">
[09] <Description>
[10]   A person may read any medical record in the
[11]   http://www.medico.com/records.xsd namespace
[12]   for which he or she is the designated parent or guardian,
[13]   and for which the patient is under 16 years of age
[14] </Description>
[15] <Target>
[16]   <Subjects>
[17]     <AnySubject/>
[18]   </Subjects>
[19]   <Resources>
[20]     <Resource>
[21]       <!-- match document target namespace -->
[22]       <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[23]         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[24]           http://www.medico.com/schemas/record.xsd
[25]         </AttributeValue>
[26]         <ResourceAttributeDesignator AttributeId=
[27]           "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[28]       </ResourceMatch>
[29]       <!-- match requested xml element -->
[30]       <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-node-match">
[31]         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">md:record</AttributeValue>
[32]         <ResourceAttributeDesignator AttributeId=
[33]           "urn:oasis:names:tc:xacml:1.0:resource:xpath"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[34]       </ResourceMatch>
[35]     </Resource>
[36]   </Resources>
[37]   <Actions>
[38]     <Action>
[39]       <!-- match read action -->
[40]       <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[41]         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
[42]         <ActionAttributeDesignator AttributeId=
[43]           "urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[44]       </ActionMatch>
[45]     </Action>
[46]   </Actions>
[47] </Target>
[48] <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
[49]   <!-- compare parent-guardian-id subject attribute with
[50]        the value in the document -->
[51]   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[52]     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[53]       <!-- parent-guardian-id subject attribute -->
[54]       <SubjectAttributeDesignator AttributeId=
[55]         "urn:oasis:names:tc:xacml:1.0:examples:attribute:parent-guardian-id"
[56]         DataType="http://www.w3.org/2001/XMLSchema#string"/>
[57]     </Apply>
[58]     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[59]       <!-- parent-guardian-id element in the document -->
[60]       <AttributeSelector RequestContextPath=
[61]         "//md:record/md:parentGuardian/md:parentGuardianId/text()"
[62]         DataType="http://www.w3.org/2001/XMLSchema#string">
[63]       </AttributeSelector>
[64]     </Apply>
[65]   </Apply>
[66]   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-less-or-equal">
[67]     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
[68]       <EnvironmentAttributeDesignator AttributeId=
[69]         "urn:oasis:names:tc:xacml:1.0:environment:current-date"
             DataType="http://www.w3.org/2001/XMLSchema#date"/>
[70]     </Apply>
[71]     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration">
[73]       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
[74]         <!-- patient dob recorded in the document -->
[75]         <AttributeSelector RequestContextPath=
[76]           "//md:record/md:patient/md:patientDoB/text()"
               DataType="http://www.w3.org/2001/XMLSchema#date">
[77]         </AttributeSelector>
[78]       </Apply>
[79]       <AttributeValue DataType="http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration">
[80]         P16Y
[81]       </AttributeValue>
[82]     </Apply>
[83]   </Apply>
[84] </Condition>
[85] </Rule>
[02]-[47] Rule declaration and rule target. See Rule 1 in Section 4.2.4.1 for the detailed explanation of these elements.
[48]-[84] The Condition element. The condition must evaluate to "True" for the rule to apply. This condition evaluates the truth of the statement: the requestor is the designated parent or guardian, and the patient is under 16 years of age.
[48] The Condition uses the "urn:oasis:names:tc:xacml:1.0:function:and" function. This is a boolean function that takes one or more boolean arguments (two in this case) and performs the logical "AND" operation to compute the truth value of the expression.
[51]-[65] The first part of the condition is evaluated: the requestor is the designated parent or guardian. The Apply element contains a function invocation; the function name is carried in the FunctionId attribute. The comparison is done with "urn:oasis:names:tc:xacml:1.0:function:string-equal", which takes two arguments of the "http://www.w3.org/2001/XMLSchema#string" data-type.
[52] Since "urn:oasis:names:tc:xacml:1.0:function:string-equal" takes arguments of the "http://www.w3.org/2001/XMLSchema#string" data-type, "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" is used to ensure that the subject attribute "urn:oasis:names:tc:xacml:1.0:examples:attribute:parent-guardian-id" in the request context contains one and only one value. "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" takes an argument expression that evaluates to a bag of "http://www.w3.org/2001/XMLSchema#string" values.
[54] The value of the subject attribute "urn:oasis:names:tc:xacml:1.0:examples:attribute:parent-guardian-id" is selected from the request context with the <SubjectAttributeDesignator> element. This expression evaluates to a bag of "http://www.w3.org/2001/XMLSchema#string" values.
[58] "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" is used to ensure that the bag of values selected by its argument contains one and only one value of data-type "http://www.w3.org/2001/XMLSchema#string".
[60] The value of the md:parentGuardianId element is selected from the resource content with the AttributeSelector element. The AttributeSelector is a free-form XPath expression pointing into the request context; the RequestContextPath XML attribute contains an XPath expression over the request context. Note that all namespace prefixes in the XPath expression are resolved with the standard namespace declarations. The AttributeSelector evaluates to a bag of values of data-type "http://www.w3.org/2001/XMLSchema#string".
[66]-[83] The expression "the patient is under 16 years of age" is evaluated. The patient is treated as under 16 if the current date is less than or equal to the date obtained by adding 16 years to the patient's date of birth. Because the comparison is "date-less-or-equal", the rule still applies on the sixteenth birthday itself; a strict "under 16" test would use "urn:oasis:names:tc:xacml:1.0:function:date-less-than".
[66] "urn:oasis:names:tc:xacml:1.0:function:date-less-or-equal" compares its two "http://www.w3.org/2001/XMLSchema#date" arguments and evaluates to "True" if the first is on or before the second.
[67] "urn:oasis:names:tc:xacml:1.0:function:date-one-and-only" is used to ensure that the bag of values selected by its argument contains one and only one value of data-type "http://www.w3.org/2001/XMLSchema#date".
[68]-[69] The current date is obtained by selecting the "urn:oasis:names:tc:xacml:1.0:environment:current-date" environment attribute.
[71] "urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration" is used to compute the date obtained by adding 16 years to the patient's date of birth. The first argument is a "http://www.w3.org/2001/XMLSchema#date" and the second argument is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration".
[73] "urn:oasis:names:tc:xacml:1.0:function:date-one-and-only" is used to ensure that the bag of values selected by its argument contains one and only one value of data-type "http://www.w3.org/2001/XMLSchema#date".
[75]-[76] The <AttributeSelector> element selects the patient's date of birth by evaluating the XPath expression over the document content.
[79]-[81] A yearMonthDuration of 16 years.
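The date arithmetic behind the second conjunct of Rule 2, as an added example in Python (not code from the specification or from any XACML implementation). It parses the yearMonthDuration lexical form, adds years and months with the XML Schema rules the function relies on (months carry into the year, the day is clamped to the length of the target month, so a 29 February birthday plus one year lands on 28 February) and applies date-less-or-equal. It goes a little beyond the rule's P16Y by accepting any positive year-month duration; negative durations are deliberately rejected, an assumption of this example rather than a restriction in the specification.

```python
import re
from calendar import monthrange
from datetime import date

# Lexical form of a non-negative xs:yearMonthDuration, e.g. P16Y, P6M, P1Y6M.
DURATION = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?$")


def parse_year_month_duration(text):
    """Return (years, months) for a positive yearMonthDuration such as 'P16Y'."""
    m = DURATION.match(text.strip())
    if not m or not (m.group(1) or m.group(2)):
        raise ValueError(f"not a supported yearMonthDuration: {text!r}")
    return int(m.group(1) or 0), int(m.group(2) or 0)


def date_add_year_month_duration(d, duration):
    """urn:...:function:date-add-yearMonthDuration with XML Schema semantics:
    add the months, carry into the year, then clamp the day to the target month."""
    years, months = parse_year_month_duration(duration)
    total_months = d.year * 12 + (d.month - 1) + years * 12 + months
    year, month_index = divmod(total_months, 12)
    month = month_index + 1
    day = min(d.day, monthrange(year, month)[1])   # 29 Feb -> 28 Feb in a common year
    return date(year, month, day)


def date_less_or_equal(a, b):
    """urn:...:function:date-less-or-equal."""
    return a <= b


def rule2_age_clause(current_date, dob_text, limit="P16Y"):
    """Second conjunct of Rule 2's condition: current-date <= DoB + limit.
    dob_text is the xs:date lexical value selected from md:patientDoB/text()."""
    dob = date.fromisoformat(dob_text)
    return date_less_or_equal(current_date, date_add_year_month_duration(dob, limit))
```

Run against a 10 March 2009 date of birth, the clause is still true on 10 March 2025, the sixteenth birthday, and only becomes false the day after; that is the boundary a policy author has to decide on, and it is invisible in the XML unless one reads the function name carefully.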
4.2.4.3 Rule 3
Rule 3 illustrates the use of an obligation. The XACML <Rule> element syntax does not include an element suitable for carrying an obligation; therefore Rule 3 has to be formatted as a <Policy> element.
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Policy
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   xmlns:ctx="urn:oasis:names:tc:xacml:1.0:context"
[06]   xmlns:md="http://www.medico.com/schemas/record.xsd"
[07]   PolicyId="urn:oasis:names:tc:xacml:examples:policyid:3"
[08]   RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:
[09]                       rule-combining-algorithm:deny-overrides">
[10] <Description>
[11]   Policy for any medical record in the
[12]   http://www.medico.com/schemas/record.xsd namespace
[13] </Description>
[14] <Target>
[15]   <Subjects>
[16]     <AnySubject/>
[17]   </Subjects>
[18]   <Resources>
[19]     <Resource>
[20]       <!-- match document target namespace -->
[21]       <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[22]         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[23]           http://www.medico.com/schemas/record.xsd
[24]         </AttributeValue>
[25]         <ResourceAttributeDesignator AttributeId=
[26]           "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[27]       </ResourceMatch>
[28]     </Resource>
[29]   </Resources>
[30]   <Actions>
[31]     <AnyAction/>
[32]   </Actions>
[33] </Target>
[34] <Rule RuleId="urn:oasis:names:tc:xacml:examples:ruleid:3"
[35]       Effect="Permit">
[36]   <Description>
[37]     A physician may write any medical element in a record
[38]     for which he or she is the designated primary care
[39]     physician, provided an email is sent to the patient
[40]   </Description>
[41]   <Target>
[42]     <Subjects>
[43]       <Subject>
[44]         <!-- match subject group attribute -->
[45]         <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[46]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">physician</AttributeValue>
[47]           <SubjectAttributeDesignator AttributeId=
[48]             "urn:oasis:names:tc:xacml:1.0:example:attribute:role"
                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
[49]         </SubjectMatch>
[50]       </Subject>
[51]     </Subjects>
[52]     <Resources>
[53]       <Resource>
[54]         <!-- match requested xml element -->
[55]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-node-match">
[56]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[57]             md:record/md:medical
[58]           </AttributeValue>
[59]           <ResourceAttributeDesignator AttributeId=
[60]             "urn:oasis:names:tc:xacml:1.0:resource:xpath"
                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
[61]         </ResourceMatch>
[62]       </Resource>
[63]     </Resources>
[64]     <Actions>
[65]       <Action>
[66]         <!-- match action -->
[67]         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[68]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
[69]           <ActionAttributeDesignator AttributeId=
[70]             "urn:oasis:names:tc:xacml:1.0:action:action-id"
                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
[71]         </ActionMatch>
[72]       </Action>
[73]     </Actions>
[74]   </Target>
[75]   <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[76]     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[77]       <!-- physician-id subject attribute -->
[78]       <SubjectAttributeDesignator AttributeId=
[79]         "urn:oasis:names:tc:xacml:1.0:example:attribute:physician-id"
[80]         DataType="http://www.w3.org/2001/XMLSchema#string"/>
[81]     </Apply>
[82]     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[83]       <AttributeSelector RequestContextPath=
[84]         "//md:record/md:primaryCarePhysician/md:registrationID/text()"
[85]         DataType="http://www.w3.org/2001/XMLSchema#string"/>
[86]     </Apply>
[87]   </Condition>
[89] </Rule>
[90] <Obligations>
[91]   <!-- send e-mail message to the document owner -->
[92]   <Obligation ObligationId=
[93]       "urn:oasis:names:tc:xacml:example:obligation:email"
[94]       FulfillOn="Permit">
[95]     <AttributeAssignment AttributeId=
[96]         "urn:oasis:names:tc:xacml:1.0:example:attribute:mailto"
[97]         DataType="http://www.w3.org/2001/XMLSchema#string">
[98]       <AttributeSelector RequestContextPath=
[99]         "//md:record/md:patient/md:patientContact/md:email"
[100]        DataType="http://www.w3.org/2001/XMLSchema#string"/>
[101]    </AttributeAssignment>
[102]    <AttributeAssignment AttributeId=
[103]        "urn:oasis:names:tc:xacml:1.0:example:attribute:text"
[104]        DataType="http://www.w3.org/2001/XMLSchema#string">
[105]      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[106]        Your medical record has been accessed by
[107]      </AttributeValue>
[108]    </AttributeAssignment>
[109]    <AttributeAssignment AttributeId=
[110]        "urn:oasis:names:tc:xacml:example:attribute:text"
[111]        DataType="http://www.w3.org/2001/XMLSchema#string">
[112]      <SubjectAttributeDesignator AttributeId=
[113]        "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
             DataType="http://www.w3.org/2001/XMLSchema#string"/>
[114]    </AttributeAssignment>
[115]  </Obligation>
[116] </Obligations>
[117] </Policy>
[01]-[09] The Policy element includes standard namespace declarations as well as policy-specific parameters such as PolicyId and RuleCombiningAlgId.
[07] Policy identifier. This parameter is used to include the Policy in a PolicySet element, by reference or by value.
[08]-[09] Rule combining algorithm identifier. This parameter determines how the effects of the rules applicable to a decision request are combined into the outcome of the policy.
[10]-[13] Free-form description of the policy.
[14]-[33] Policy target. The policy target defines the set of decision requests to which the policy applies. The structure of the Target element in a Policy is identical to the structure of the Target element in a Rule. In this case the policy target is the set of all XML documents conforming to the "http://www.medico.com/schemas/record.xsd" target namespace. For the detailed description of the Target element see Rule 1, Section 4.2.4.1.
[34]-[89] The only Rule element included in this Policy. Two parameters are specified in the rule header: RuleId and Effect. For the detailed description of the Rule structure see Rule 1, Section 4.2.4.1.
[41]-[74] A rule target narrows down the policy target. Decision requests whose "urn:oasis:names:tc:xacml:1.0:example:attribute:role" subject attribute is equal to "physician" [42]-[51], that access elements of the medical record which "xpath-node-match" the "md:record/md:medical" XPath expression [52]-[63], and whose "urn:oasis:names:tc:xacml:1.0:action:action-id" action attribute is equal to "write" [64]-[73] match the target of this rule. For a detailed description of the rule target see example 1, Section 4.2.4.1.
[75]-[87] The Condition element. For the rule to apply to the authorization request the condition must evaluate to "True". This rule condition compares the value of the "urn:oasis:names:tc:xacml:1.0:example:attribute:physician-id" subject attribute with the registration ID of the primary care physician recorded in the medical record being accessed. For a detailed explanation of rule conditions see Rule 1, Section 4.2.4.1.
[90]-[116] The Obligations element. Obligations are a set of operations that must be performed by the PEP in conjunction with an authorization decision. An obligation may be associated with a positive or negative authorization decision. A PEP that does not understand, or cannot discharge, an obligation attached to a "Permit" decision must not grant access; the obligation is part of the decision, not advice.
[92]-[115] The Obligation element consists of the ObligationId, the authorization decision value for which it must be fulfilled, and a set of attribute assignments.
[92]-[93] ObligationId identifies an obligation. Obligation names are not interpreted by the PDP; they are meaningful only to the PEP.
[94] The FulfillOn attribute defines the authorization decision value for which this obligation must be fulfilled.
[95]-[101] An obligation may have one or more parameters. The obligation parameter "urn:oasis:names:tc:xacml:1.0:example:attribute:mailto" is assigned a value taken from the content of the XML document.
[95]-[96] AttributeId declares the "urn:oasis:names:tc:xacml:1.0:example:attribute:mailto" obligation parameter.
[97] The data-type of the obligation parameter.
[98]-[100] The obligation parameter value is selected from the content of the XML document being accessed, with an XPath expression over the request context.
[102]-[108] The obligation parameter "urn:oasis:names:tc:xacml:1.0:example:attribute:text" of data-type "http://www.w3.org/2001/XMLSchema#string" is assigned the literal value "Your medical record has been accessed by".
[109]-[114] The obligation parameter "urn:oasis:names:tc:xacml:example:attribute:text" of the "http://www.w3.org/2001/XMLSchema#string" data-type is assigned the value of the "urn:oasis:names:tc:xacml:1.0:subject:subject-id" subject attribute, so that the notification names the requestor.
4.2.4.4 Rule 4
Rule 4 illustrates the use of the Deny Effect value and a Rule with no Condition element.
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Rule
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   xmlns:ctx="urn:oasis:names:tc:xacml:1.0:context"
[06]   xmlns:md="http://www.medico.com/schemas/record.xsd"
[07]   RuleId="urn:oasis:names:tc:xacml:example:ruleid:4"
[08]   Effect="Deny">
[09] <Description>
[10]   An Administrator shall not be permitted to read or write
[11]   medical elements of a patient record in the
[12]   http://www.medico.com/records.xsd namespace
[13] </Description>
[14] <Target>
[15]   <Subjects>
[16]     <Subject>
[17]       <!-- match role subject attribute -->
[18]       <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[19]         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
[20]         <SubjectAttributeDesignator AttributeId=
[21]           "urn:oasis:names:tc:xacml:1.0:example:attribute:role"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[22]       </SubjectMatch>
[23]     </Subject>
[24]   </Subjects>
[25]   <Resources>
[26]     <Resource>
[27]       <!-- match document target namespace -->
[28]       <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[29]         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[30]           http://www.medico.com/schemas/record.xsd
[31]         </AttributeValue>
[32]         <ResourceAttributeDesignator AttributeId=
[33]           "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[34]       </ResourceMatch>
[35]       <!-- match requested xml element -->
[36]       <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-node-match">
[37]         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[38]           md:record/md:medical
[39]         </AttributeValue>
[40]         <ResourceAttributeDesignator AttributeId=
[41]           "urn:oasis:names:tc:xacml:1.0:resource:xpath"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[42]       </ResourceMatch>
[43]     </Resource>
[44]   </Resources>
[45]   <Actions>
[46]     <Action>
[47]       <!-- match read action -->
[48]       <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[49]         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
[50]         <ActionAttributeDesignator AttributeId=
[51]           "urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[52]       </ActionMatch>
[53]     </Action>
[54]     <Action>
[55]       <!-- match write action -->
[56]       <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[57]         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
[58]         <ActionAttributeDesignator AttributeId=
[59]           "urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[60]       </ActionMatch>
[61]     </Action>
[62]   </Actions>
[63] </Target>
[64] </Rule>
[01]-[08] The Rule element declaration. The most important parameter here is Effect. See Rule 1, Section 4.2.4.1, for a detailed explanation of the Rule structure.
[08] Rule Effect. Every rule that evaluates to "True" emits its Effect as its value, which is combined later with the effects of the other rules according to the rule combining algorithm. This rule's Effect is "Deny", meaning that according to this rule access must be denied.
[09]-[13] Free-form description of the rule.
[14]-[63] Rule target. The rule target defines the set of decision requests to which the rule applies. This rule is matched by a decision request in which
the subject attribute "urn:oasis:names:tc:xacml:1.0:example:attribute:role" is equal to "administrator",
the value of the resource attribute "urn:oasis:names:tc:xacml:1.0:resource:target-namespace" is equal to "http://www.medico.com/schemas/record.xsd",
the location path of the requested XML element matches the XPath expression "md:record/md:medical", and
the value of the action attribute "urn:oasis:names:tc:xacml:1.0:action:action-id" is equal to either "read" or "write" (the two Action elements at [46]-[53] and [54]-[61] are alternatives).
See Rule 1, Section 4.2.4.1, for the detailed explanation of the Target element.
This rule has no Condition element, so it evaluates to "Deny" whenever its target matches.
4.2.4.5 Example PolicySet
This section uses the examples of the previous sections to illustrate the process of combining policies. The policy governing read access to medical elements of a record is formed from each of the four rules described in Section 4.2.4. In plain language the combined rule is:
Either the requestor is the patient, or
the requestor is the parent or guardian and the patient is under 16, or
the requestor is the primary care physician and a notification is sent to the patient; and
the requestor is not an administrator.
The following XACML <PolicySet> illustrates the combined policies. Policy 3 is included by reference and Policy 2 is included by value.
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <PolicySet
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   PolicySetId=
[06]     "urn:oasis:names:tc:xacml:1.0:examples:policysetid:1"
[07]   PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:
[071]                        policy-combining-algorithm:deny-overrides">
[08] <Description>
[09]   Example policy set
[10] </Description>
[11] <Target>
[12]   <Subjects>
[13]     <Subject>
[14]       <!-- any subject -->
[15]       <AnySubject/>
[16]     </Subject>
[17]   </Subjects>
[18]   <Resources>
[19]     <Resource>
[20]       <!-- any resource in the target namespace -->
[21]       <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[22]         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[23]           http://www.medico.com/schemas/record.xsd
[24]         </AttributeValue>
[25]         <ResourceAttributeDesignator AttributeId=
[26]           "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[27]       </ResourceMatch>
[28]     </Resource>
[29]   </Resources>
[30]   <Actions>
[31]     <Action>
[32]       <!-- any action -->
[33]       <AnyAction/>
[34]     </Action>
[35]   </Actions>
[36] </Target>
[37] <!-- include policy from example 3 by reference -->
[38] <PolicyIdReference>
[39]   urn:oasis:names:tc:xacml:examples:policyid:3
[40] </PolicyIdReference>
[41] <!-- policy 2, which combines the rules from examples 1, 2
[42]      and 4, is included by value -->
[43] <Policy
[44]   PolicyId="urn:oasis:names:tc:xacml:examples:policyid:2"
[45]   RuleCombiningAlgId=
[46]     "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
[47]   <Description>
[48]     Policy for any medical record in the
[49]     http://www.medico.com/schemas/record.xsd namespace
[50]   </Description>
[51]   <Target>...</Target>
[52]   <Rule
[53]     RuleId="urn:oasis:names:tc:xacml:examples:ruleid:1"
[54]     Effect="Permit">...</Rule>
[55]   <Rule RuleId="urn:oasis:names:tc:xacml:examples:ruleid:2"
[56]     Effect="Permit">...</Rule>
[57]   <Rule RuleId="urn:oasis:names:tc:xacml:example:ruleid:4"
[58]     Effect="Deny">...</Rule>
[59]   <Obligations>...</Obligations>
[60] </Policy>
[61] </PolicySet>
[02]-[07] PolicySet declaration. Standard XML namespace declarations are included, as well as the PolicySetId and the policy-combining algorithm identifier.

[05]-[06] PolicySetId is used for identifying this policy set and for possible inclusion of this policy set into another policy set.

[07] Policy-combining algorithm identifier. Policies in the policy set are combined according to the specified policy-combining algorithm when the authorization decision is computed.

[08]-[10] Free-form description of the policy set.

[11]-[36] The PolicySet <Target> element defines the set of decision requests that are applicable to this PolicySet.

[38]-[40] PolicyIdReference includes a policy by id.

[43]-[60] Policy 2 is explicitly included in this policy set.
5 Policy syntax (normative, with the exception of the schema fragments)

5.1 Element <PolicySet>

The <PolicySet> element is a top-level element in the XACML policy schema. <PolicySet> is an aggregation of other policy sets and policies. Policy sets MAY be included in an enclosing <PolicySet> element either directly, using the <PolicySet> element, or indirectly, using the <PolicySetIdReference> element. Policies MAY be included in an enclosing <PolicySet> element either directly, using the <Policy> element, or indirectly, using the <PolicyIdReference> element.

If a <PolicySet> element contains references to other policy sets or policies in the form of URLs, then these references MAY be resolvable.

Policies included in the <PolicySet> element MUST be combined using the algorithm specified by the PolicyCombiningAlgId attribute. <PolicySet> is treated exactly like a <Policy> in all the policy-combining algorithms.

The <Target> element defines the applicability of the <PolicySet> to a set of decision requests. If the <Target> element within <PolicySet> matches the request context, then the <PolicySet> element MAY be used by the PDP in making its authorization decision.

The <Obligations> element contains a set of obligations that MUST be fulfilled by the PEP in conjunction with the authorization decision. If the PEP does not understand any of the obligations, then it MUST act as if the PDP had returned a "Deny" authorization decision value.
<xs:element name="PolicySet" type="xacml:PolicySetType"/>
<xs:complexType name="PolicySetType">
  <xs:sequence>
    <xs:element ref="xacml:Description" minOccurs="0"/>
    <xs:element ref="xacml:PolicySetDefaults" minOccurs="0"/>
    <xs:element ref="xacml:Target"/>
    <xs:choice minOccurs="0" maxOccurs="unbounded">
      <xs:element ref="xacml:PolicySet"/>
      <xs:element ref="xacml:Policy"/>
      <xs:element ref="xacml:PolicySetIdReference"/>
      <xs:element ref="xacml:PolicyIdReference"/>
    </xs:choice>
    <xs:element ref="xacml:Obligations" minOccurs="0"/>
  </xs:sequence>
  <xs:attribute name="PolicySetId" type="xs:anyURI" use="required"/>
  <xs:attribute name="PolicyCombiningAlgId" type="xs:anyURI" use="required"/>
</xs:complexType>
The <PolicySet> element is of PolicySetType complex type.

The <PolicySet> element contains the following attributes and elements:

PolicySetId [Required]
Policy set identifier. It is the responsibility of the PAP to ensure that no two policies visible to the PDP have the same identifier. This MAY be achieved by following a predefined URN or URI scheme. If the policy set identifier is in the form of a URL, then it MAY be resolvable.
PolicyCombiningAlgId [Required]
The identifier of the policy-combining algorithm by which the <PolicySet> components MUST be combined. Standard policy-combining algorithms are listed in Appendix C. Standard policy-combining algorithm identifiers are listed in Section B.10.

<Description> [Optional]
A free-form description of the <PolicySet>.

<PolicySetDefaults> [Optional]
A set of default values applicable to the <PolicySet>. The scope of the <PolicySetDefaults> element SHALL be the enclosing policy set.

<Target> [Required]
The <Target> element defines the applicability of a <PolicySet> to a set of decision requests.
The <Target> element MAY be declared by the creator of the <PolicySet>, or it MAY be computed from the <Target> elements of the referenced <Policy> elements, either as an intersection or as a union.

<PolicySet> [Any Number]
A policy set component that is included in this policy set.

<Policy> [Any Number]
A policy component that is included in this policy set.

<PolicySetIdReference> [Any Number]
A reference to a <PolicySet> component that MUST be included in this policy set. If <PolicySetIdReference> is a URL, then it MAY be resolvable.

<PolicyIdReference> [Any Number]
A reference to a <Policy> component that MUST be included in this policy set. If the <PolicyIdReference> is a URL, then it MAY be resolvable.

<Obligations> [Optional]
Contains the set of <Obligation> elements. See Section 7.11 for a description of how the set of obligations to be returned by the PDP shall be determined.

5.2 Element <Description>

The <Description> element is used for a free-form description of the <PolicySet> element, <Policy> element and <Rule> element. The <Description> element is of xs:string simple type.

<xs:element name="Description" type="xs:string"/>

5.3 Element <PolicySetDefaults>

The <PolicySetDefaults> element SHALL specify default values that apply to the <PolicySet> element.
<xs:element name="PolicySetDefaults" type="xacml:DefaultsType"/>
<xs:complexType name="DefaultsType">
  <xs:sequence>
    <xs:choice>
      <xs:element ref="xacml:XPathVersion" minOccurs="0"/>
    </xs:choice>
  </xs:sequence>
</xs:complexType>

The <PolicySetDefaults> element is of DefaultsType complex type.

The <PolicySetDefaults> element contains the following elements:

<XPathVersion> [Optional]
Default XPath version.

5.4 Element <XPathVersion>

The <XPathVersion> element SHALL specify the version of the XPath specification to be used by <AttributeSelector> elements.

<xs:element name="XPathVersion" type="xs:anyURI"/>

The URI for the XPath 1.0 specification is "http://www.w3.org/TR/1999/Rec-xpath-19991116". The <XPathVersion> element is REQUIRED if the enclosing XACML policy set or policy contains <AttributeSelector> elements or XPath-based functions.

5.5 Element <Target>

The <Target> element identifies the set of decision requests that the parent element is intended to evaluate. The <Target> element SHALL appear as a child of <PolicySet>, <Policy> and <Rule> elements. It contains definitions for subjects, resources and actions.

The <Target> element SHALL contain a conjunctive sequence of <Subjects>, <Resources> and <Actions> elements. For the parent of the <Target> element to be applicable to the decision request, there MUST be at least one positive match between each section of the <Target> element and the corresponding section of the <xacml-context:Request> element.

<xs:element name="Target" type="xacml:TargetType"/>
<xs:complexType name="TargetType">
  <xs:sequence>
    <xs:element ref="xacml:Subjects"/>
    <xs:element ref="xacml:Resources"/>
    <xs:element ref="xacml:Actions"/>
  </xs:sequence>
</xs:complexType>

The <Target> element is of TargetType complex type.

The <Target> element contains the following elements:

<Subjects> [Required]
Matching specification for the subject attributes in the context.

<Resources> [Required]
Matching specification for the resource attributes in the context.
<Actions> [Required]
Matching specification for the action attributes in the context.

5.6 Element <Subjects>

The <Subjects> element SHALL contain a disjunctive sequence of <Subject> elements.

<xs:element name="Subjects" type="xacml:SubjectsType"/>
<xs:complexType name="SubjectsType">
  <xs:choice>
    <xs:element ref="xacml:Subject" maxOccurs="unbounded"/>
    <xs:element ref="xacml:AnySubject"/>
  </xs:choice>
</xs:complexType>

The <Subjects> element is of SubjectsType complex type.

The <Subjects> element contains the following elements:

<Subject> [One to Many, Required Choice]
See Section 5.7.

<AnySubject> [Required Choice]
See Section 5.8.

5.7 Element <Subject>

The <Subject> element SHALL contain a conjunctive sequence of <SubjectMatch> elements.

<xs:element name="Subject" type="xacml:SubjectType"/>
<xs:complexType name="SubjectType">
  <xs:sequence>
    <xs:element ref="xacml:SubjectMatch" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>

The <Subject> element is of SubjectType complex type.

The <Subject> element contains the following elements:

<SubjectMatch> [One to Many]
A conjunctive sequence of individual matches of the subject attributes in the context and the embedded attribute values.

5.8 Element <AnySubject>

The <AnySubject> element SHALL match any subject attribute in the context.

<xs:element name="AnySubject"/>

5.9 Element <SubjectMatch>

The <SubjectMatch> element SHALL identify a set of subject-related entities by matching attribute values in a <xacml-context:Subject> element of the context with the embedded attribute value.
<xs:element name="SubjectMatch" type="xacml:SubjectMatchType"/>
<xs:complexType name="SubjectMatchType">
  <xs:sequence>
    <xs:element ref="xacml:AttributeValue"/>
    <xs:choice>
      <xs:element ref="xacml:SubjectAttributeDesignator"/>
      <xs:element ref="xacml:AttributeSelector"/>
    </xs:choice>
  </xs:sequence>
  <xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
</xs:complexType>

The <SubjectMatch> element is of SubjectMatchType complex type.

The <SubjectMatch> element contains the following attributes and elements:

MatchId [Required]
Specifies a matching function. The value of this attribute MUST be of type xs:anyURI, with legal values documented in Section A.12.

<AttributeValue> [Required]
Embedded attribute value.

<SubjectAttributeDesignator> [Required Choice]
Identifies one or more attribute values in a <Subject> element of the context.

<AttributeSelector> [Required Choice]
MAY be used to identify one or more attribute values in the request context. The XPath expression SHOULD resolve to an attribute in a <Subject> element of the context.

5.10 Element <Resources>

The <Resources> element SHALL contain a disjunctive sequence of <Resource> elements.

<xs:element name="Resources" type="xacml:ResourcesType"/>
<xs:complexType name="ResourcesType">
  <xs:choice>
    <xs:element ref="xacml:Resource" maxOccurs="unbounded"/>
    <xs:element ref="xacml:AnyResource"/>
  </xs:choice>
</xs:complexType>

The <Resources> element is of ResourcesType complex type.

The <Resources> element contains the following elements:

<Resource> [One to Many, Required Choice]
See Section 5.11.

<AnyResource> [Required Choice]
See Section 5.12.

5.11 Element <Resource>

The <Resource> element SHALL contain a conjunctive sequence of <ResourceMatch> elements.
<xs:element name="Resource" type="xacml:ResourceType"/>
<xs:complexType name="ResourceType">
  <xs:sequence>
    <xs:element ref="xacml:ResourceMatch" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>

The <Resource> element is of ResourceType complex type.

The <Resource> element contains the following elements:

<ResourceMatch> [One to Many]
A conjunctive sequence of individual matches of the resource attributes in the context and the embedded attribute values.

5.12 Element <AnyResource>

The <AnyResource> element SHALL match any resource attribute in the context.

<xs:element name="AnyResource"/>

5.13 Element <ResourceMatch>

The <ResourceMatch> element SHALL identify a set of resource-related entities by matching attribute values in the <xacml-context:Resource> element of the context with the embedded attribute value.

<xs:element name="ResourceMatch" type="xacml:ResourceMatchType"/>
<xs:complexType name="ResourceMatchType">
  <xs:sequence>
    <xs:element ref="xacml:AttributeValue"/>
    <xs:choice>
      <xs:element ref="xacml:ResourceAttributeDesignator"/>
      <xs:element ref="xacml:AttributeSelector"/>
    </xs:choice>
  </xs:sequence>
  <xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
</xs:complexType>

The <ResourceMatch> element is of ResourceMatchType complex type.

The <ResourceMatch> element contains the following attributes and elements:

MatchId [Required]
Specifies a matching function. Values of this attribute MUST be of type xs:anyURI, with legal values documented in Section A.12.

<AttributeValue> [Required]
Embedded attribute value.

<ResourceAttributeDesignator> [Required Choice]
Identifies one or more attribute values in the <Resource> element of the context.

<AttributeSelector> [Required Choice]
MAY be used to identify one or more attribute values in the request context. The XPath expression SHOULD resolve to an attribute in the <Resource> element of the context.
5.14 Element <Actions>

The <Actions> element SHALL contain a disjunctive sequence of <Action> elements.

<xs:element name="Actions" type="xacml:ActionsType"/>
<xs:complexType name="ActionsType">
  <xs:choice>
    <xs:element ref="xacml:Action" maxOccurs="unbounded"/>
    <xs:element ref="xacml:AnyAction"/>
  </xs:choice>
</xs:complexType>

The <Actions> element is of ActionsType complex type.

The <Actions> element contains the following elements:

<Action> [One to Many, Required Choice]
See Section 5.15.

<AnyAction> [Required Choice]
See Section 5.16.

5.15 Element <Action>

The <Action> element SHALL contain a conjunctive sequence of <ActionMatch> elements.

<xs:element name="Action" type="xacml:ActionType"/>
<xs:complexType name="ActionType">
  <xs:sequence>
    <xs:element ref="xacml:ActionMatch" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>

The <Action> element is of ActionType complex type.

The <Action> element contains the following elements:

<ActionMatch> [One to Many]
A conjunctive sequence of individual matches of the action attributes in the context and the embedded attribute values.

5.16 Element <AnyAction>

The <AnyAction> element SHALL match any action attribute in the context.

<xs:element name="AnyAction"/>

5.17 Element <ActionMatch>

The <ActionMatch> element SHALL identify a set of action-related entities by matching attribute values in the <xacml-context:Action> element of the context with the embedded attribute value.

<xs:element name="ActionMatch" type="xacml:ActionMatchType"/>
<xs:complexType name="ActionMatchType">
  <xs:sequence>
    <xs:element ref="xacml:AttributeValue"/>
    <xs:choice>
      <xs:element ref="xacml:ActionAttributeDesignator"/>
      <xs:element ref="xacml:AttributeSelector"/>
    </xs:choice>
  </xs:sequence>
  <xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
</xs:complexType>
The <ActionMatch> element is of ActionMatchType complex type.

The <ActionMatch> element contains the following attributes and elements:

MatchId [Required]
Specifies a matching function. The value of this attribute MUST be of type xs:anyURI, with legal values documented in Section A.12.

<AttributeValue> [Required]
Embedded attribute value.

<ActionAttributeDesignator> [Required Choice]
Identifies one or more attribute values in the <Action> element of the context.

<AttributeSelector> [Required Choice]
MAY be used to identify one or more attribute values in the request context. The XPath expression SHOULD resolve to an attribute in the <Action> element of the context.

5.18 Element <PolicySetIdReference>

The <PolicySetIdReference> element SHALL be used to reference a <PolicySet> element by id. If <PolicySetIdReference> is a URL, then it MAY be resolvable to the <PolicySet>. The mechanism for resolving a policy set reference to the corresponding policy set is outside the scope of this specification.

<xs:element name="PolicySetIdReference" type="xs:anyURI"/>

Element <PolicySetIdReference> is of xs:anyURI simple type.

5.19 Element <PolicyIdReference>

The <xacml:PolicyIdReference> element SHALL be used to reference a <Policy> element by id. If <PolicyIdReference> is a URL, then it MAY be resolvable to the <Policy>. The mechanism for resolving a policy reference to the corresponding policy is outside the scope of this specification.

<xs:element name="PolicyIdReference" type="xs:anyURI"/>

Element <PolicyIdReference> is of xs:anyURI simple type.

5.20 Element <Policy>

The <Policy> element is the smallest entity that SHALL be presented to the PDP for evaluation.

The main components of this element are the <Target>, <Rule> and <Obligations> elements and the RuleCombiningAlgId attribute.
The <Target> element SHALL define the applicability of the <Policy> to a set of decision requests.

Rules included in the <Policy> element MUST be combined by the algorithm specified by the RuleCombiningAlgId attribute.

The <Obligations> element SHALL contain a set of obligations that MUST be fulfilled by the PDP in conjunction with the authorization decision.

<xs:element name="Policy" type="xacml:PolicyType"/>
<xs:complexType name="PolicyType">
  <xs:sequence>
    <xs:element ref="xacml:Description" minOccurs="0"/>
    <xs:element ref="xacml:PolicyDefaults" minOccurs="0"/>
    <xs:element ref="xacml:Target"/>
    <xs:element ref="xacml:Rule" minOccurs="0" maxOccurs="unbounded"/>
    <xs:element ref="xacml:Obligations" minOccurs="0"/>
  </xs:sequence>
  <xs:attribute name="PolicyId" type="xs:anyURI" use="required"/>
  <xs:attribute name="RuleCombiningAlgId" type="xs:anyURI" use="required"/>
</xs:complexType>

The <Policy> element is of PolicyType complex type.

The <Policy> element contains the following attributes and elements:

PolicyId [Required]
Policy identifier. It is the responsibility of the PAP to ensure that no two policies visible to the PDP have the same identifier. This MAY be achieved by following a predefined URN or URI scheme. If the policy identifier is in the form of a URL, then it MAY be resolvable.

RuleCombiningAlgId [Required]
The identifier of the rule-combining algorithm by which the <Policy> components MUST be combined. Standard rule-combining algorithms are listed in Appendix C. Standard rule-combining algorithm identifiers are listed in Section B.10.

<Description> [Optional]
A free-form description of the policy. See Section 5.2, Element <Description>.

<PolicyDefaults> [Optional]
Defines a set of default values applicable to the policy. The scope of the <PolicyDefaults> element SHALL be the enclosing policy.

<Target> [Required]
The <Target> element SHALL define the applicability of a <Policy> to a set of decision requests.
The <Target> element MAY be declared by the creator of the <Policy> element, or it MAY be computed from the <Target> elements of the referenced <Rule> elements, either as an intersection or as a union.

<Rule> [Any Number]
A sequence of authorizations that MUST be combined according to the RuleCombiningAlgId attribute. Rules whose <Target> elements match the decision request MUST be considered. Rules whose <Target> elements do not match the decision request SHALL be ignored.
<Obligations> [Optional]
A conjunctive sequence of obligations that MUST be fulfilled by the PEP in conjunction with the authorization decision. See Section 7.11 for a description of how the set of obligations to be returned by the PDP SHALL be determined.

5.21 Element <PolicyDefaults>

The <PolicyDefaults> element SHALL specify default values that apply to the <Policy> element.

<xs:element name="PolicyDefaults" type="xacml:DefaultsType"/>
<xs:complexType name="DefaultsType">
  <xs:sequence>
    <xs:choice>
      <xs:element ref="xacml:XPathVersion" minOccurs="0"/>
    </xs:choice>
  </xs:sequence>
</xs:complexType>

The <PolicyDefaults> element is of DefaultsType complex type.

The <PolicyDefaults> element contains the following elements:

<XPathVersion> [Optional]
Default XPath version.

5.22 Element <Rule>

The <Rule> element SHALL define the individual rules in the policy. The main components of this element are the <Target> and <Condition> elements and the Effect attribute.

<xs:element name="Rule" type="xacml:RuleType"/>
<xs:complexType name="RuleType">
  <xs:sequence>
    <xs:element ref="xacml:Description" minOccurs="0"/>
    <xs:element ref="xacml:Target" minOccurs="0"/>
    <xs:element ref="xacml:Condition" minOccurs="0"/>
  </xs:sequence>
  <xs:attribute name="RuleId" type="xs:anyURI" use="required"/>
  <xs:attribute name="Effect" type="xacml:EffectType" use="required"/>
</xs:complexType>

The <Rule> element is of RuleType complex type.

The <Rule> element contains the following attributes and elements:

RuleId [Required]
A URN identifying this rule.

Effect [Required]
Rule effect. Values of this attribute are either "Permit" or "Deny".

<Description> [Optional]
A free-form description of the rule.
<Target> [Optional]
Identifies the set of decision requests that the <Rule> element is intended to evaluate. If this element is omitted, then the target for the <Rule> SHALL be defined by the <Target> element of the enclosing <Policy> element. See Section 5.5 for details.

<Condition> [Optional]
A predicate that MUST be satisfied for the rule to be assigned its Effect value. A condition is a boolean function over a combination of subject, resource, action and environment attributes, or other functions.
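The target semantics of Sections 5.5 through 5.17 (a conjunction of the Subjects, Resources and Actions sections, each a disjunction of <Subject>, <Resource> or <Action> alternatives or an Any* element, each alternative a conjunction of *Match elements) and the rule-applicability rules of Sections 5.20 through 5.22 (rules whose <Target> does not match are ignored; a <Rule> without a <Target> inherits the enclosing <Policy> target), worked as an added Python example. This code is not part of the OASIS specification or of any XACML implementation. The `Match`, `Target` and `Rule` classes, the dictionary model of the request context and the sample attribute values are constructions of this example; the MatchId, AttributeId and DataType identifiers are the standard XACML 1.0 ones. One assumption is labelled in the code: when the named context attribute has several values, the match is taken to hold if the MatchId function is true for any of them (the bag semantics are specified in Section 7, not on this page). `MEDICO_TARGET` mirrors the <Target> of the example policy set listed earlier on this page.

```python
"""Evaluator for the <Target> structure of Sections 5.5-5.17 and the rule
applicability of Sections 5.20-5.22 (added example, not OASIS code).
  Target   = Subjects AND Resources AND Actions       (conjunctive, 5.5)
  Subjects = Subject OR Subject ... | <AnySubject/>   (disjunctive, 5.6 and 5.8)
  Subject  = SubjectMatch AND SubjectMatch ...        (conjunctive, 5.7)
Resources/Resource/ResourceMatch and Actions/Action/ActionMatch have the same shape.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
TARGET_NAMESPACE = "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Matching functions keyed by MatchId (legal identifiers are listed in Section A.12).
FUNCTIONS: Dict[str, Callable[[str, str], bool]] = {STRING_EQUAL: lambda a, b: a == b}

ANY = None  # stands for <AnySubject/>, <AnyResource/> or <AnyAction/>

# Constructed model of the request context: one dict per section ("subject",
# "resource", "action") mapping (AttributeId, DataType) to the attribute's values.
Section = Dict[Tuple[str, str], List[str]]
Context = Dict[str, Section]


@dataclass(frozen=True)
class Match:
    """A <SubjectMatch>/<ResourceMatch>/<ActionMatch>: MatchId, the embedded
    <AttributeValue>, and the AttributeId/DataType of its attribute designator."""
    match_id: str
    value: str
    attribute_id: str
    data_type: str = XS_STRING


@dataclass(frozen=True)
class Target:
    """Each section is ANY or a list of alternatives (disjunction); each
    alternative is a list of Match elements (conjunction)."""
    subjects: Optional[List[List[Match]]]
    resources: Optional[List[List[Match]]]
    actions: Optional[List[List[Match]]]


@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str                      # EffectType: "Permit" or "Deny" (Section 5.23)
    target: Optional[Target] = None  # None: inherit the enclosing <Policy> target (5.22)


def eval_match(m: Match, section: Section) -> bool:
    """Apply the MatchId function to the embedded value and the named attribute.
    Assumption of this example: the match holds if the function is true for any
    value of that attribute, so an absent attribute never matches."""
    fn = FUNCTIONS[m.match_id]
    return any(fn(m.value, v) for v in section.get((m.attribute_id, m.data_type), []))


def eval_section(alternatives: Optional[List[List[Match]]], section: Section) -> bool:
    if alternatives is ANY:
        return True  # <Any...> matches any attribute in the context
    return any(all(eval_match(m, section) for m in conj) for conj in alternatives)


def target_applies(t: Target, ctx: Context) -> bool:
    """Section 5.5: at least one positive match in each of the three sections."""
    return (eval_section(t.subjects, ctx.get("subject", {}))
            and eval_section(t.resources, ctx.get("resource", {}))
            and eval_section(t.actions, ctx.get("action", {})))


def applicable_rules(policy_target: Target, rules: List[Rule], ctx: Context) -> List[str]:
    """Section 5.20: rules whose <Target> matches are considered, the rest ignored;
    a <Rule> without its own <Target> uses the <Policy> target (Section 5.22).
    Returns the RuleIds that the rule-combining algorithm (Appendix C) would see."""
    if not target_applies(policy_target, ctx):
        return []
    return [r.rule_id for r in rules
            if target_applies(r.target if r.target is not None else policy_target, ctx)]


# The <Target> of the example policy set listed earlier on this page: any subject,
# any action, and a resource whose target-namespace string-equals the records schema.
MEDICO_TARGET = Target(
    subjects=ANY,
    resources=[[Match(STRING_EQUAL, "http://www.medico.com/records.xsd", TARGET_NAMESPACE)]],
    actions=ANY,
)


def make_context(subject_id: str, target_namespace: str, action: str) -> Context:
    """Constructed request context with one attribute per section."""
    return {"subject": {(SUBJECT_ID, XS_STRING): [subject_id]},
            "resource": {(TARGET_NAMESPACE, XS_STRING): [target_namespace]},
            "action": {(ACTION_ID, XS_STRING): [action]}}


if __name__ == "__main__":
    ctx = make_context("alice", "http://www.medico.com/records.xsd", "read")
    print(target_applies(MEDICO_TARGET, ctx))  # True
```

`applicable_rules` stops at selecting the rules; what the rule-combining algorithm named in RuleCombiningAlgId (deny-overrides in the example policy set) does with their effects is defined in Appendix C and is not modelled here. Note that a <Condition> (Section 5.22) is a further predicate evaluated on the selected rules and is also outside this example.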
5.23 Simple type EffectType

The EffectType simple type defines the values allowed for the Effect attribute of the <Rule> element and for the FulfillOn attribute of the <Obligation> element.

<xs:simpleType name="EffectType">
  <xs:restriction base="xs:string">
    <xs:enumeration value="Permit"/>
    <xs:enumeration value="Deny"/>
  </xs:restriction>
</xs:simpleType>

5.24 Element <Condition>

The <Condition> element is a boolean function over subject, resource, action and environment attributes or functions of attributes. If the <Condition> element evaluates to "True", then the enclosing <Rule> element is assigned its Effect value.

<xs:element name="Condition" type="xacml:ApplyType"/>

The <Condition> element is of ApplyType complex type.

5.25 Element <Apply>

The <Apply> element denotes application of a function to its arguments, thus encoding a function call. The <Apply> element can be applied to any combination of <Apply>, <AttributeValue>, <SubjectAttributeDesignator>, <ResourceAttributeDesignator>, <ActionAttributeDesignator>, <EnvironmentAttributeDesignator> and <AttributeSelector> arguments.

<xs:element name="Apply" type="xacml:ApplyType"/>
<xs:complexType name="ApplyType">
  <xs:choice minOccurs="0" maxOccurs="unbounded">
    <xs:element ref="xacml:Function"/>
    <xs:element ref="xacml:Apply"/>
    <xs:element ref="xacml:AttributeValue"/>
    <xs:element ref="xacml:SubjectAttributeDesignator"/>
    <xs:element ref="xacml:ResourceAttributeDesignator"/>
    <xs:element ref="xacml:ActionAttributeDesignator"/>
    <xs:element ref="xacml:EnvironmentAttributeDesignator"/>
    <xs:element ref="xacml:AttributeSelector"/>
  </xs:choice>
  <xs:attribute name="FunctionId" type="xs:anyURI" use="required"/>
</xs:complexType>

The <Apply> element is of ApplyType complex type.

The <Apply> element contains the following attributes and elements:
FunctionId [Required]
The URN of a function. XACML-defined functions are described in Appendix A.

<Function> [Optional]
The name of a function that is applied to the elements of a bag. See Section A.14.11.

<Apply> [Optional]
A nested function-call argument.

<AttributeValue> [Optional]
A literal value argument.

<SubjectAttributeDesignator> [Optional]
A subject attribute argument.

<ResourceAttributeDesignator> [Optional]
A resource attribute argument.

<ActionAttributeDesignator> [Optional]
An action attribute argument.

<EnvironmentAttributeDesignator> [Optional]
An environment attribute argument.

<AttributeSelector> [Optional]
An attribute selector argument.

5.26 Element <Function>

The <Function> element SHALL be used to name a function that is applied by the higher-order bag functions to every element of a bag. The higher-order bag functions are described in Section A.14.11.

<xs:element name="Function" type="xacml:FunctionType"/>
<xs:complexType name="FunctionType">
  <xs:attribute name="FunctionId" type="xs:anyURI" use="required"/>
</xs:complexType>

The <Function> element is of FunctionType complex type.

The <Function> element contains the following attributes:

FunctionId [Required]
The identifier for the function that is applied to the elements of a bag by the higher-order bag functions.

5.27 Complex type AttributeDesignatorType

The AttributeDesignatorType complex type is the type for elements and extensions that identify attributes. An element of this type contains properties by which it MAY be matched to attributes in the request context.
In addition, elements of this type MAY control behaviour in the event that no matching attribute is present in the context.

Elements of this type SHALL NOT alter the match semantics of named attributes, but MAY narrow the search space.

<xs:complexType name="AttributeDesignatorType">
  <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
  <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
  <xs:attribute name="Issuer" type="xs:string" use="optional"/>
  <xs:attribute name="MustBePresent" type="xs:boolean" use="optional" default="false"/>
</xs:complexType>

A named attribute SHALL match an attribute if the values of their respective AttributeId, DataType and Issuer attributes match. The attribute designator's AttributeId MUST match, by URI equality, the AttributeId of the attribute. The attribute designator's DataType MUST match, by URI equality, the DataType of the same attribute.

If the Issuer attribute is present in the attribute designator, then it MUST match, by string equality, the Issuer of the same attribute. If the Issuer is not present in the attribute designator, then the matching of the attribute to the named attribute SHALL be governed by the AttributeId and DataType attributes alone.

The AttributeDesignatorType complex type contains the following attributes:

AttributeId [Required]
This attribute SHALL specify the AttributeId with which to match the attribute.

DataType [Required]
This attribute SHALL specify the data-type with which to match the attribute.

Issuer [Optional]
This attribute, if supplied, SHALL specify the Issuer with which to match the attribute.

MustBePresent [Optional]
This attribute governs whether the element returns "Indeterminate" in the case where the named attribute is absent. If the named attribute is absent and MustBePresent is "True", then this element SHALL result in "Indeterminate". The default value SHALL be "False".

5.28 Element <SubjectAttributeDesignator>

The <SubjectAttributeDesignator> element is of the SubjectAttributeDesignatorType. The SubjectAttributeDesignatorType complex type extends the AttributeDesignatorType complex type. It is the base type for elements and extensions that refer to named categorized subject attributes. A named categorized subject attribute is defined as follows:

A subject is represented by a <Subject> element in the <xacml-context:Request> element. Each <Subject> element SHALL contain the XML attribute SubjectCategory. This attribute is called the subject category attribute.

A categorized subject is a subject that is identified by a particular subject category attribute.

A subject attribute is an attribute of a particular subject, i.e. contained within a <Subject> element.
A named subject attribute is a named attribute for a subject.

A named categorized subject attribute is a named subject attribute for a particular categorized subject.

The SubjectAttributeDesignatorType complex type extends the AttributeDesignatorType with a SubjectCategory attribute. The SubjectAttributeDesignatorType extends the match semantics of the AttributeDesignatorType by narrowing the attribute search space to the specific categorized subject whose subject category attribute, in the <Request> element, matches by URI equality the value of this element's SubjectCategory attribute.

If there are multiple subjects with the same SubjectCategory XML attribute, then they SHALL be treated as if they were one categorized subject.

Elements and extensions of the SubjectAttributeDesignatorType complex type determine the presence of select attribute values associated with named categorized subject attributes. Elements and extensions of the SubjectAttributeDesignatorType SHALL NOT alter the match semantics of named categorized subject attributes, but MAY narrow the search space.

<xs:complexType name="SubjectAttributeDesignatorType">
  <xs:complexContent>
    <xs:extension base="xacml:AttributeDesignatorType">
      <xs:attribute name="SubjectCategory" type="xs:anyURI" use="optional"
        default="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"/>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>

The SubjectAttributeDesignatorType complex type contains the following attribute, in addition to the attributes of the AttributeDesignatorType complex type:

SubjectCategory [Optional]
This attribute SHALL specify the categorized subject from which to match named subject attributes. If SubjectCategory is not present, then its default value of "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" SHALL be used.

5.29 Element <ResourceAttributeDesignator>

The <ResourceAttributeDesignator> element retrieves a bag of values for a named resource attribute. A resource attribute is an attribute contained within the <Resource> element of the <xacml-context:Request> element. A named resource attribute is a named attribute that matches a resource attribute. A named resource attribute SHALL be considered present if there is at least one resource attribute that matches the criteria set out below. A resource attribute value is an attribute value that is contained within a resource attribute.

The <ResourceAttributeDesignator> element SHALL return a bag containing all the resource attribute values that are matched by the named resource attribute. The MustBePresent attribute governs whether this element returns an empty bag or "Indeterminate" in the case that the named resource attribute is absent. If the named resource attribute is not present and the MustBePresent attribute is "False" (its default value), then this element SHALL evaluate to an empty bag. If the named resource attribute is not present and the MustBePresent attribute is "True", then this element SHALL evaluate to "Indeterminate". Regardless of the MustBePresent attribute, if it cannot be determined whether the named resource attribute is present or not in the request context, or the value of the named resource attribute is unavailable, then the expression SHALL evaluate to "Indeterminate".
A named resource attribute SHALL match a resource attribute as per the match semantics specified in the AttributeDesignatorType complex type [Section 5.27].
The <ResourceAttributeDesignator> MAY appear in the <ResourceMatch> element and MAY be passed to the <Apply> element as an argument.
<xs:element name="ResourceAttributeDesignator" type="xacml:AttributeDesignatorType"/>
The <ResourceAttributeDesignator> element is of the AttributeDesignatorType complex type.
5.30 Element <ActionAttributeDesignator>
The <ActionAttributeDesignator> element retrieves a bag of values for a named action attribute. An action attribute is an attribute contained within the <Action> element of the <xacml-context:Request> element. A named action attribute has specific criteria (described below) with which to match an action attribute. A named action attribute SHALL be considered present if there is at least one action attribute that matches the criteria. An action attribute value is an attribute value that is contained within an action attribute.
The <ActionAttributeDesignator> element SHALL return a bag of all the action attribute values that are matched by the named action attribute. The MustBePresent attribute governs whether this element returns an empty bag or "Indeterminate" in the case that the named action attribute is absent. If the named action attribute is not present and the MustBePresent attribute is "False" (its default value), then this element SHALL evaluate to an empty bag. If the named action attribute is not present and the MustBePresent attribute is "True", then this element SHALL evaluate to "Indeterminate". Regardless of the MustBePresent attribute, if it cannot be determined whether the named action attribute is present or not present in the request context, or the value of the named action attribute is unavailable, then the expression SHALL evaluate to "Indeterminate".
A named action attribute SHALL match an action attribute as per the match semantics specified in the AttributeDesignatorType complex type [Section 5.27].
The <ActionAttributeDesignator> MAY appear in the <ActionMatch> element and MAY be passed to the <Apply> element as an argument.
<xs:element name="ActionAttributeDesignator" type="xacml:AttributeDesignatorType"/>
The <ActionAttributeDesignator> element is of the AttributeDesignatorType complex type.
5.31 Element <EnvironmentAttributeDesignator>
The <EnvironmentAttributeDesignator> element retrieves a bag of values for a named environment attribute. An environment attribute is an attribute contained within the <Environment> element of the <xacml-context:Request> element. A named environment attribute has specific criteria (described below) with which to match an environment attribute. A named environment attribute SHALL be considered present if there is at least one environment attribute that matches the criteria. An environment attribute value is an attribute value that is contained within an environment attribute.
The <EnvironmentAttributeDesignator> element SHALL evaluate to a bag of all the environment attribute values that are matched by the named environment attribute. The MustBePresent attribute governs whether this element returns an empty bag or "Indeterminate" in the case that the named environment attribute is absent. If the named environment attribute is not present and the MustBePresent attribute is "False" (its default value), then this element SHALL evaluate to an empty bag. If the named environment attribute is not present and the MustBePresent attribute is "True", then this element SHALL evaluate to "Indeterminate". Regardless of the MustBePresent attribute, if it cannot be determined whether the named environment attribute is present or not present in the request context, or the value of the named environment attribute is unavailable, then the expression SHALL evaluate to "Indeterminate".
A named environment attribute SHALL match an environment attribute as per the match semantics specified in the AttributeDesignatorType complex type [Section 5.27].
The <EnvironmentAttributeDesignator> MAY be passed to the <Apply> element as an argument.
<xs:element name="EnvironmentAttributeDesignator" type="xacml:AttributeDesignatorType"/>
The <EnvironmentAttributeDesignator> element is of the AttributeDesignatorType complex type.
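As an added illustration (this is not specification text or reference code), the following Python function applies the designator semantics of Sections 5.29 to 5.31 to a constructed <xacml-context:Request>: it collects every request attribute whose AttributeId and DataType equal the designator's (and whose Issuer equals the designator's, when one is named), and returns either the bag of values or "Indeterminate" according to MustBePresent. The sample request, the urn:example:* identifiers, the function names and the string sentinel for "Indeterminate" are assumptions of this example.

```python
"""Added example: resolving Resource-, Action- and EnvironmentAttributeDesignator
references against a constructed <xacml-context:Request> (not spec code)."""
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:1.0:context"
NS = {"ctx": CTX}
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_ANYURI = "http://www.w3.org/2001/XMLSchema#anyURI"
INDETERMINATE = "Indeterminate"   # sentinel returned instead of a bag

# Constructed sample request context; the urn:example:* identifier, the
# issuer name and the attribute values are illustrative only.
REQUEST_XML = f"""
<Request xmlns="{CTX}">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="{XS_STRING}">
      <AttributeValue>alice</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="{XS_ANYURI}">
      <AttributeValue>file:///records/patient/42</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:example:resource:owner" Issuer="records-db"
               DataType="{XS_STRING}">
      <AttributeValue>alice</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:example:resource:owner" DataType="{XS_STRING}">
      <AttributeValue>bob</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="{XS_STRING}">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
</Request>
"""


def load_request(xml_text=REQUEST_XML):
    """Parse a request context into an Element rooted at <Request>."""
    return ET.fromstring(xml_text)


def evaluate_designator(request, category, attribute_id, data_type,
                        issuer=None, must_be_present=False):
    """Evaluate a designator for one category over the request context.

    category is "Resource", "Action" or "Environment" (the child of <Request>
    that holds the attributes).  A request attribute matches when its
    AttributeId and DataType equal the designator's and, only if the
    designator names an Issuer, its Issuer equals that too.  The bag of all
    matched <AttributeValue> texts is returned; an empty bag becomes
    INDETERMINATE when MustBePresent is true.
    """
    holder = request.find(f"ctx:{category}", NS)
    # A missing <Environment> element simply means no environment attributes.
    attributes = [] if holder is None else holder.findall("ctx:Attribute", NS)
    bag = []
    for attr in attributes:
        if attr.get("AttributeId") != attribute_id:
            continue
        if attr.get("DataType") != data_type:
            continue
        if issuer is not None and attr.get("Issuer") != issuer:
            continue
        bag.append(attr.findtext("ctx:AttributeValue", default="", namespaces=NS))
    if not bag and must_be_present:
        return INDETERMINATE
    return bag


if __name__ == "__main__":
    req = load_request()
    print(evaluate_designator(req, "Resource", "urn:example:resource:owner", XS_STRING))
    print(evaluate_designator(req, "Environment", "urn:example:env:zone", XS_STRING,
                              must_be_present=True))
```

Note that a designator with the right AttributeId but a different DataType yields an empty bag, exactly as an absent attribute does; only MustBePresent distinguishes "absent, carry on" from "absent, Indeterminate".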
5.32 Element <AttributeSelector>
The <AttributeSelector> element's RequestContextPath XML attribute SHALL contain a legal XPath expression whose context node is the <xacml-context:Request> element. The <AttributeSelector> element SHALL evaluate to a bag of values whose data-type is specified by the element's DataType attribute. If the DataType specified in the <AttributeSelector> is a primitive data type defined in [XF] or [XS], then the value returned by the XPath expression SHALL be converted to the DataType specified in the <AttributeSelector> using the constructor function below [XF Section 4] that corresponds to the DataType. If an error results from using the constructor function, then the value of the <AttributeSelector> SHALL be "Indeterminate".
xs:string(), xs:boolean(), xs:integer(), xs:double(), xs:dateTime(), xs:date(), xs:time(), xs:hexBinary(), xs:base64Binary(), xs:anyURI(), xf:yearMonthDuration(), xf:dayTimeDuration()
If the DataType specified in the <AttributeSelector> is not one of the preceding primitive DataTypes, then the <AttributeSelector> SHALL return a bag of instances of the specified DataType. If there are errors encountered in converting the values returned by the XPath expression to the specified DataType, then the result of the <AttributeSelector> SHALL be "Indeterminate".
Each node selected by the specified XPath expression MUST be either a text node, an attribute node, a processing instruction node or a comment node. The string representation of the value of each selected node MUST be converted to an attribute value of the specified data type, and the result of the <AttributeSelector> is the bag of the attribute values generated from all the selected nodes.
If the selected node is different from the node types listed above (a text node, an attribute node, a processing instruction node or a comment node), then the result of that policy SHALL be "Indeterminate" with a StatusCode value of "urn:oasis:names:tc:xacml:1.0:status:syntax-error".
Support for the <AttributeSelector> element is OPTIONAL.
<xs:element name="AttributeSelector" type="xacml:AttributeSelectorType"/>
<xs:complexType name="AttributeSelectorType">
  <xs:attribute name="RequestContextPath" type="xs:string" use="required"/>
  <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
  <xs:attribute name="MustBePresent" type="xs:boolean" use="optional" default="false"/>
</xs:complexType>
The <AttributeSelector> element is of AttributeSelectorType complex type.
The <AttributeSelector> element has the following attributes:
RequestContextPath [Required]
An XPath expression whose context node is the <xacml-context:Request> element. There SHALL be no restriction on the XPath syntax.
DataType [Required]
The bag of values returned by the <AttributeSelector> SHALL be of this data type.
MustBePresent [Optional]
Whether or not the designated attribute must be present in the context. If the XPath expression selects no node and the MustBePresent attribute is TRUE, then the result SHALL be "Indeterminate" and the status code SHALL be "urn:oasis:names:tc:xacml:1.0:status:missing-attribute". If the XPath expression selects no node and the MustBePresent attribute is missing or FALSE, then the result SHALL be an empty bag. If the XPath expression selects at least one node and the selected node(s) could be successfully converted to a bag of values of the specified data-type, then the result SHALL be the bag, regardless of the value of the MustBePresent attribute. If the XPath expression selects at least one node but there is an error in converting one or more of the nodes to values of the specified data-type, then the result SHALL be "Indeterminate" and the status code SHALL be "urn:oasis:names:tc:xacml:1.0:status:processing-error", regardless of the value of the MustBePresent attribute.
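The four outcomes listed for MustBePresent, the node-type restriction and the data-type conversion step can be put together in one evaluator. The Python below is an added example, not specification text or any implementation's code: it evaluates a RequestContextPath over a constructed request whose <ResourceContent> carries a small medical record (the urn:example:medical namespace and its contents are made up). Because it uses ElementTree's restricted path syntax rather than a full XPath engine (an assumption of this example), it emulates just two XPath node tests, a trailing /text() and a trailing /@name, and treats any other path as one that selects element nodes. The status code and DataType URIs are the XACML 1.0 and XML Schema identifiers; SelectorResult and the converter table are this example's own.

```python
"""Added example: an AttributeSelector evaluator (Section 5.32) over a
constructed request context, built on ElementTree's limited path syntax
rather than a full XPath engine (an assumption of this example)."""
import re
import xml.etree.ElementTree as ET
from typing import NamedTuple, Optional

CTX = "urn:oasis:names:tc:xacml:1.0:context"
MED = "urn:example:medical"            # constructed namespace for sample content
NS = {"ctx": CTX, "md": MED}

STATUS = "urn:oasis:names:tc:xacml:1.0:status:"
OK, MISSING_ATTRIBUTE = STATUS + "ok", STATUS + "missing-attribute"
SYNTAX_ERROR, PROCESSING_ERROR = STATUS + "syntax-error", STATUS + "processing-error"
XSD = "http://www.w3.org/2001/XMLSchema#"


class SelectorResult(NamedTuple):
    bag: Optional[list]   # None stands for "Indeterminate"
    status: str


def _to_bool(text):
    t = text.strip()
    if t in ("true", "1"):
        return True
    if t in ("false", "0"):
        return False
    raise ValueError(text)


def _to_int(text):
    # int() alone would also accept forms such as "1_0" that xs:integer rejects.
    if not re.fullmatch(r"[+-]?\d+", text.strip()):
        raise ValueError(text)
    return int(text)


# Constructor functions for the primitive DataTypes this example handles.
CONVERTERS = {
    XSD + "string": str,
    XSD + "anyURI": str,
    XSD + "boolean": _to_bool,
    XSD + "integer": _to_int,
    XSD + "double": float,
}

# Constructed sample request; the record content is illustrative only.
REQUEST_XML = f"""
<Request xmlns="{CTX}" xmlns:md="{MED}">
  <Subject/>
  <Resource>
    <ResourceContent>
      <md:record patient="42">
        <md:diagnosis code="A01">typhoid fever</md:diagnosis>
        <md:age>34</md:age>
      </md:record>
    </ResourceContent>
  </Resource>
  <Action/>
</Request>
"""


def load_request(xml_text=REQUEST_XML):
    """Parse a request context into an Element rooted at <Request>."""
    return ET.fromstring(xml_text)


def evaluate_selector(request, path, data_type, must_be_present=False):
    """Evaluate RequestContextPath=path, DataType=data_type over the request.

    The path is ElementTree path syntax relative to <Request>; a trailing
    "/text()" selects the text node of each matched element and a trailing
    "/@name" selects that attribute node.  Any other path would select
    element nodes, which Section 5.32 answers with a syntax-error.
    """
    if path.endswith("/text()"):
        raw = [e.text or "" for e in request.findall(path[:-len("/text()")], NS)]
    else:
        head, _, tail = path.rpartition("/")
        if tail.startswith("@"):
            elems = request.findall(head, NS) if head else [request]
            raw = [e.get(tail[1:]) for e in elems if e.get(tail[1:]) is not None]
        elif request.findall(path, NS):
            return SelectorResult(None, SYNTAX_ERROR)   # element nodes selected
        else:
            raw = []
    if not raw:                       # nothing selected: MustBePresent decides
        if must_be_present:
            return SelectorResult(None, MISSING_ATTRIBUTE)
        return SelectorResult([], OK)
    convert = CONVERTERS.get(data_type)
    if convert is None:               # DataType this example does not handle
        return SelectorResult(None, PROCESSING_ERROR)
    try:
        return SelectorResult([convert(v) for v in raw], OK)
    except ValueError:                # constructor function failed
        return SelectorResult(None, PROCESSING_ERROR)
```

A conversion failure is reported as processing-error even when MustBePresent is false, whereas an empty selection with MustBePresent false is an ordinary empty bag; keeping the two apart matters because a policy that treats "no value" as harmless should not also swallow "a value the PDP could not parse".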
5.33 Element <AttributeValue>
The <AttributeValue> element SHALL contain a literal attribute value.
<xs:element name="AttributeValue" type="xacml:AttributeValueType"/>
<xs:complexType name="AttributeValueType" mixed="true">
  <xs:sequence>
    <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
  <xs:anyAttribute namespace="##any" processContents="lax"/>
</xs:complexType>
The <AttributeValue> element is of AttributeValueType complex type.
The <AttributeValue> element has the following attributes:
DataType [Required]
The data-type of the attribute value.
5.34 Element <Obligations>
The <Obligations> element SHALL contain a set of <Obligation> elements.
Support for the <Obligations> element is OPTIONAL.
<xs:element name="Obligations" type="xacml:ObligationsType"/>
<xs:complexType name="ObligationsType">
  <xs:sequence>
    <xs:element ref="xacml:Obligation" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <Obligations> element is of ObligationsType complex type.
The <Obligations> element contains the following element:
<Obligation> [One to Many]
A sequence of obligations.
5.35 Element <Obligation>
The <Obligation> element SHALL contain an identifier for the obligation and a set of attributes that form arguments of the action defined by the obligation. The FulfillOn attribute SHALL indicate the effect for which this obligation applies.
<xs:element name="Obligation" type="xacml:ObligationType"/>
<xs:complexType name="ObligationType">
  <xs:sequence>
    <xs:element ref="xacml:AttributeAssignment" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:attribute name="ObligationId" type="xs:anyURI" use="required"/>
  <xs:attribute name="FulfillOn" type="xacml:EffectType" use="required"/>
</xs:complexType>
The <Obligation> element is of ObligationType complex type. See Section 7.11 for a description of how the set of obligations to be returned by the PDP is determined.
The <Obligation> element contains the following elements and attributes:
ObligationId [Required]
Obligation identifier. The value of the obligation identifier SHALL be interpreted by the PEP.
FulfillOn [Required]
The effect for which this obligation applies.
<AttributeAssignment> [One To Many]
Obligation arguments assignment. The values of the obligation arguments SHALL be interpreted by the PEP.
5.36 Element <AttributeAssignment>
The <AttributeAssignment> element SHALL contain an AttributeId and the corresponding attribute value. The AttributeId is part of attribute meta-data and is used when the attribute cannot be referenced by its location in the <xacml-context:Request>. This situation may arise in an <Obligation> element if the obligation includes parameters. The <AttributeAssignment> element MAY be used in any way consistent with the schema syntax, which is a sequence of "any". The value specified SHALL be understood by the PEP, but it is not further specified by XACML. See Section 7.11, "Obligations".
<xs:element name="AttributeAssignment" type="xacml:AttributeAssignmentType"/>
<xs:complexType name="AttributeAssignmentType" mixed="true">
  <xs:complexContent>
    <xs:extension base="xacml:AttributeValueType">
      <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
The <AttributeAssignment> element is of AttributeAssignmentType complex type.
The <AttributeAssignment> element contains the following attributes:
AttributeId [Required]
The attribute identifier.
6 Context syntax (normative, with the exception of the schema fragments)
6.1 Element <Request>
The <Request> element is a top-level element in the XACML context schema. The <Request> element is an abstraction layer used by the policy language. Any proprietary system using the XACML specification MUST transform its decision request into the form of an XACML context <Request>.
The <Request> element contains <Subject>, <Resource>, <Action> and <Environment> elements. There may be multiple <Subject> elements. Each child element contains a sequence of <xacml-context:Attribute> elements associated with the subject, resource, action and environment, respectively.
<xs:element name="Request" type="xacml-context:RequestType"/>
<xs:complexType name="RequestType">
  <xs:sequence>
    <xs:element ref="xacml-context:Subject" maxOccurs="unbounded"/>
    <xs:element ref="xacml-context:Resource"/>
    <xs:element ref="xacml-context:Action"/>
    <xs:element ref="xacml-context:Environment" minOccurs="0"/>
  </xs:sequence>
</xs:complexType>
The <Request> element is of RequestType complex type.
The <Request> element contains the following elements:
<Subject> [One to Many]
Specifies information about a subject of the request context by listing a sequence of <Attribute> elements associated with the subject. One or more <Subject> elements are allowed. A subject is an entity associated with the access request. One subject might represent the human user that initiated the application from which the request was issued. Another subject might represent the application's executable code that created the request. Another subject might represent the machine on which the application was executing. Another subject might represent the entity that is to be the recipient of the resource. Attributes of each of these entities MUST be enclosed in a separate <Subject> element.
<Resource> [Required]
Specifies information about the resource for which access is being requested by listing a sequence of <Attribute> elements associated with the resource. It MAY include a <ResourceContent> element.
<Action> [Required]
Specifies the requested action to be performed on the resource by listing a set of <Attribute> elements associated with the action.
<Environment> [Optional]
Contains a set of <Attribute> elements of the environment. These <Attribute> elements MAY form a part of policy evaluation.
6.2 Element <Subject>
The <Subject> element specifies a subject by listing a sequence of <Attribute> elements associated with the subject.
<xs:element name="Subject" type="xacml-context:SubjectType"/>
<xs:complexType name="SubjectType">
  <xs:sequence>
    <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:attribute name="SubjectCategory" type="xs:anyURI" use="optional"
    default="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"/>
</xs:complexType>
The <Subject> element is of SubjectType complex type.
The <Subject> element contains the following attributes and elements:
SubjectCategory [Optional]
This attribute indicates the role that the parent <Subject> played in the formation of the access request. If this attribute is not present in a given <Subject> element, then the default value of "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" SHALL be used, indicating that the parent <Subject> element represents the entity ultimately responsible for initiating the access request.
If more than one <Subject> element contains a "urn:oasis:names:tc:xacml:1.0:subject-category" attribute with the same value, then the PDP SHALL treat the contents of those elements as if they were contained in the same <Subject> element.
<Attribute> [Any Number]
A sequence of attributes that apply to the subject.
Typically, a <Subject> element will contain an <Attribute> with an AttributeId of "urn:oasis:names:tc:xacml:1.0:subject:subject-id", containing the identity of the subject.
A <Subject> element MAY contain additional <Attribute> elements.
6.3 Element <Resource>
The <Resource> element specifies information about the resource to which access is requested by listing a sequence of <Attribute> elements associated with the resource. It MAY include the resource content.
<xs:element name="Resource" type="xacml-context:ResourceType"/>
<xs:complexType name="ResourceType">
  <xs:sequence>
    <xs:element ref="xacml-context:ResourceContent" minOccurs="0"/>
    <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <Resource> element is of ResourceType complex type.
The <Resource> element contains the following elements:
<ResourceContent> [Optional]
The resource content.
<Attribute> [Any Number]
A sequence of resource attributes. The <Resource> element MUST contain one and only one <Attribute> with an AttributeId of "urn:oasis:names:tc:xacml:1.0:resource:resource-id". This attribute specifies the identity of the resource to which access is requested.
A <Resource> element MAY contain additional <Attribute> elements.
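Sections 6.1 to 6.3 together describe how an application's decision request is shaped into a context <Request>. The Python below is an added example (not specification text or reference code) that builds such a request with ElementTree, merges <Subject> elements that share a SubjectCategory as Section 6.2 requires, and checks the structural rules stated above (at least one <Subject>, a <Resource> with exactly one resource-id attribute, an <Action>). The sample values, the urn:example:subject:role identifier and the function names are assumptions of this example; the subject-category, subject-id, resource-id and action-id identifiers are the XACML 1.0 ones.

```python
"""Added example: constructing an <xacml-context:Request> (Sections 6.1 to 6.3)
and applying two of its rules: <Subject> elements sharing a SubjectCategory
are read as one subject, and <Resource> carries exactly one resource-id."""
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:1.0:context"
NS = {"ctx": CTX}
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_ANYURI = "http://www.w3.org/2001/XMLSchema#anyURI"
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CODEBASE = "urn:oasis:names:tc:xacml:1.0:subject-category:codebase"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"


def _tag(name):
    return f"{{{CTX}}}{name}"


def _add_attribute(parent, attribute_id, data_type, value, issuer=None):
    """Append one <Attribute> with its single mandatory <AttributeValue>."""
    attr = ET.SubElement(parent, _tag("Attribute"),
                         AttributeId=attribute_id, DataType=data_type)
    if issuer is not None:
        attr.set("Issuer", issuer)
    ET.SubElement(attr, _tag("AttributeValue")).text = value
    return attr


def build_request(subjects, resource, action, environment=()):
    """Build a <Request>.

    subjects: list of (SubjectCategory or None, [(id, type, value), ...]);
    resource, action, environment: lists of (id, type, value) triples.
    None leaves SubjectCategory out, so the access-subject default applies.
    """
    req = ET.Element(_tag("Request"))
    for category, attrs in subjects:
        subj = ET.SubElement(req, _tag("Subject"))
        if category is not None:
            subj.set("SubjectCategory", category)
        for triple in attrs:
            _add_attribute(subj, *triple)
    for name, attrs in (("Resource", resource), ("Action", action)):
        holder = ET.SubElement(req, _tag(name))
        for triple in attrs:
            _add_attribute(holder, *triple)
    if environment:                   # <Environment> is optional (minOccurs="0")
        env = ET.SubElement(req, _tag("Environment"))
        for triple in environment:
            _add_attribute(env, *triple)
    return req


def serialize(request):
    return ET.tostring(request, encoding="unicode")


def subjects_by_category(request):
    """Section 6.2: <Subject> elements with the same SubjectCategory are read
    as one subject.  Returns {category: [(AttributeId, value), ...]}."""
    merged = {}
    for subj in request.findall("ctx:Subject", NS):
        category = subj.get("SubjectCategory", ACCESS_SUBJECT)
        for attr in subj.findall("ctx:Attribute", NS):
            merged.setdefault(category, []).append(
                (attr.get("AttributeId"),
                 attr.findtext("ctx:AttributeValue", default="", namespaces=NS)))
    return merged


def validate_request(request):
    """Return the structural rules from Sections 6.1 and 6.3 that the request
    violates (an empty list when it is acceptable)."""
    problems = []
    if not request.findall("ctx:Subject", NS):
        problems.append("at least one <Subject> is required")
    resource = request.find("ctx:Resource", NS)
    if resource is None:
        problems.append("<Resource> is required")
    else:
        ids = [a for a in resource.findall("ctx:Attribute", NS)
               if a.get("AttributeId") == RESOURCE_ID]
        if len(ids) != 1:
            problems.append(f"<Resource> must contain exactly one resource-id "
                            f"attribute, found {len(ids)}")
    if request.find("ctx:Action", NS) is None:
        problems.append("<Action> is required")
    return problems


def sample_request():
    """Constructed decision request: a user, her role supplied by a second
    <Subject> in the same (default) category, and the calling code base."""
    return build_request(
        subjects=[
            (None, [(SUBJECT_ID, XS_STRING, "alice")]),
            (ACCESS_SUBJECT, [("urn:example:subject:role", XS_STRING, "nurse")]),
            (CODEBASE, [(SUBJECT_ID, XS_ANYURI, "https://app.example/ward")]),
        ],
        resource=[(RESOURCE_ID, XS_ANYURI, "file:///records/patient/42")],
        action=[(ACTION_ID, XS_STRING, "read")],
    )
```

The merge step is what lets a policy written against the access-subject category see both the identity and the role even though the PEP emitted them as two <Subject> elements; the code-base subject stays separate because its category differs.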
6.4 Element <ResourceContent>
The <ResourceContent> element is a notional placeholder for the resource content. If an XACML policy references the contents of the resource, then the <ResourceContent> element SHALL be used as the reference point.
<xs:complexType name="ResourceContentType" mixed="true">
  <xs:sequence>
    <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:anyAttribute namespace="##any" processContents="lax"/>
</xs:complexType>
The <ResourceContent> element is of ResourceContentType complex type.
The <ResourceContent> element allows arbitrary elements and attributes.
6.5 Element <Action>
The <Action> element specifies the requested action on the resource by listing a set of <Attribute> elements associated with the action.
<xs:element name="Action" type="xacml-context:ActionType"/>
<xs:complexType name="ActionType">
  <xs:sequence>
    <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <Action> element is of ActionType complex type.
The <Action> element contains the following elements:
<Attribute> [Any Number]
List of attributes of the action to be performed on the resource.
6.6 Element <Environment>
The <Environment> element contains a set of attributes of the environment. These attributes MAY form part of the policy evaluation.
<xs:element name="Environment" type="xacml-context:EnvironmentType"/>
<xs:complexType name="EnvironmentType">
  <xs:sequence>
    <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <Environment> element is of EnvironmentType complex type.
The <Environment> element contains the following elements:
<Attribute> [Any Number]
A list of environment attributes. Environment attributes are attributes that are not associated with either the resource, the action or any of the subjects of the access request.
6.7 Element <Attribute>
The <Attribute> element is the central abstraction of the request context. It contains an attribute value and attribute meta-data. The attribute meta-data comprises the attribute identifier, the attribute issuer and the attribute issue instant. Attribute designators and attribute selectors in the policy MAY refer to attributes by means of this meta-data.
<xs:element name="Attribute" type="xacml-context:AttributeType"/>
<xs:complexType name="AttributeType">
  <xs:sequence>
    <xs:element ref="xacml-context:AttributeValue"/>
  </xs:sequence>
  <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
  <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
  <xs:attribute name="Issuer" type="xs:string" use="optional"/>
  <xs:attribute name="IssueInstant" type="xs:dateTime" use="optional"/>
</xs:complexType>
The <Attribute> element is of AttributeType complex type.
The <Attribute> element contains the following attributes and elements:
AttributeId [Required]
Attribute identifier. A number of identifiers are reserved by XACML to denote commonly used attributes.
DataType [Required]
The data-type of the contents of the <AttributeValue> element. This SHALL be either a primitive type defined by the XACML 1.0 specification or a type defined in a namespace declared in the <xacml-context> element.
Issuer [Optional]
Attribute issuer. This attribute value MAY be an x500Name that binds to a public key, or it may be some other identifier exchanged out-of-band by issuing and relying parties.
IssueInstant [Optional]
The date and time at which the attribute was issued.
<AttributeValue> [Required]
Exactly one attribute value. The mandatory attribute value MAY have contents that are empty, occur once or occur multiple times.
6.8 Element <AttributeValue>
The <AttributeValue> element contains the value of an attribute.
<xs:element name="AttributeValue" type="xacml-context:AttributeValueType"/>
<xs:complexType name="AttributeValueType" mixed="true">
  <xs:sequence>
    <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:anyAttribute namespace="##any" processContents="lax"/>
</xs:complexType>
The <AttributeValue> element is of AttributeValueType type.
The data-type of the <AttributeValue> MAY be specified by using the DataType attribute of the parent <Attribute> element.
6.9 Element <Response>
The <Response> element is a top-level element in the XACML context schema. The <Response> element is an abstraction layer used by the policy language. Any proprietary system using the XACML specification MUST transform an XACML context <Response> into the form of its authorization decision.
The <Response> element encapsulates the authorization decision produced by the PDP. It includes a sequence of one or more results, with one <Result> element per requested resource. Multiple results MAY be returned when the value of the "urn:oasis:xacml:1.0:resource:scope" resource attribute in the request context is "Descendants" or "Children". Support for multiple results is OPTIONAL.
<xs:element name="Response" type="xacml-context:ResponseType"/>
<xs:complexType name="ResponseType">
  <xs:sequence>
    <xs:element ref="xacml-context:Result" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <Response> element is of ResponseType complex type.
The <Response> element contains the following elements:
<Result> [One to Many]
An authorization decision result.
6.10 Element <Result>
The <Result> element represents an authorization decision result for the resource specified by the ResourceId attribute. It MAY include a set of obligations that MUST be fulfilled by the PEP. If the PEP does not understand an obligation, then it MUST act as if the PDP had denied access to the requested resource.
<xs:element name="Result" type="xacml-context:ResultType"/>
<xs:complexType name="ResultType">
  <xs:sequence>
    <xs:element ref="xacml-context:Decision"/>
    <xs:element ref="xacml-context:Status"/>
    <xs:element ref="xacml:Obligations" minOccurs="0"/>
  </xs:sequence>
  <xs:attribute name="ResourceId" type="xs:string" use="optional"/>
</xs:complexType>
The <Result> element is of ResultType complex type.
The <Result> element contains the following attributes and elements:
ResourceId [Optional]
The identifier of the requested resource. If this attribute is omitted, then the resource identity is specified by the "urn:oasis:names:tc:xacml:1.0:resource:resource-id" resource attribute in the corresponding <Request> element.
<Decision> [Required]
The authorization decision: "Permit", "Deny", "Indeterminate" or "NotApplicable".
<Status> [Required]
Indicates whether errors occurred during evaluation of the decision request, and optionally, information about those errors.
<xacml:Obligations> [Optional]
A list of obligations that MUST be fulfilled by the PEP. If the PEP does not understand an obligation, then it MUST act as if the PDP had denied access to the requested resource. See Section 7.11 for a description of how the set of obligations to be returned by the PDP is determined.
6.11 Element <Decision>
The <Decision> element contains the result of policy evaluation.
<xs:element name="Decision" type="xacml-context:DecisionType"/>
<xs:simpleType name="DecisionType">
  <xs:restriction base="xs:string">
    <xs:enumeration value="Permit"/>
    <xs:enumeration value="Deny"/>
    <xs:enumeration value="Indeterminate"/>
    <xs:enumeration value="NotApplicable"/>
  </xs:restriction>
</xs:simpleType>
The <Decision> element is of DecisionType simple type.
The values of the <Decision> element have the following meanings:
"Permit": the requested access is permitted.
"Deny": the requested access is denied.
"Indeterminate": the PDP is unable to evaluate the requested access. Reasons for such inability include: missing attributes, network errors while retrieving policies, division by zero during policy evaluation, syntax errors in the decision request or in the policy, etc.
"NotApplicable": the PDP does not have any policy that applies to this decision request.
6.12 Element <Status>
The <Status> element represents the status of the authorization decision result.
<xs:element name="Status" type="xacml-context:StatusType"/>
<xs:complexType name="StatusType">
  <xs:sequence>
    <xs:element ref="xacml-context:StatusCode"/>
    <xs:element ref="xacml-context:StatusMessage" minOccurs="0"/>
    <xs:element ref="xacml-context:StatusDetail" minOccurs="0"/>
  </xs:sequence>
</xs:complexType>
The <Status> element is of StatusType complex type.
The <Status> element contains the following elements:
<StatusCode> [Required]
Status code.
<StatusMessage> [Optional]
A status message describing the status code.
<StatusDetail> [Optional]
Additional status information.
6.13 Element <StatusCode>
The <StatusCode> element contains a major status code value and an optional sequence of minor status codes.
<xs:element name="StatusCode" type="xacml-context:StatusCodeType"/>
<xs:complexType name="StatusCodeType">
  <xs:sequence>
    <xs:element ref="xacml-context:StatusCode" minOccurs="0"/>
  </xs:sequence>
  <xs:attribute name="Value" type="xs:anyURI" use="required"/>
</xs:complexType>
The <StatusCode> element is of StatusCodeType complex type.
The <StatusCode> element contains the following attributes and elements:
Value [Required]
See Section B.9 for a list of values.
<StatusCode> [Any Number]
Minor status code. This status code qualifies its parent status code.
6.14 Element <StatusMessage>
The <StatusMessage> element is a free-form description of the status code.
<xs:element name="StatusMessage" type="xs:string"/>
The <StatusMessage> element is of xs:string type.
6.15 Element <StatusDetail>
The <StatusDetail> element qualifies the <Status> element with additional information.
<xs:element name="StatusDetail" type="xacml-context:StatusDetailType"/>
<xs:complexType name="StatusDetailType">
  <xs:sequence>
    <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <StatusDetail> element is of StatusDetailType complex type.
The <StatusDetail> element allows arbitrary XML content.
Inclusion of a <StatusDetail> element is optional. However, if a PDP returns one of the following XACML-defined <StatusCode> values and includes a <StatusDetail> element, then the following rules apply:
urn:oasis:names:tc:xacml:1.0:status:ok
A PDP MUST NOT return a <StatusDetail> element in conjunction with the "ok" status value.
urn:oasis:names:tc:xacml:1.0:status:missing-attribute
A PDP MAY choose not to return any <StatusDetail> information, or MAY choose to return a <StatusDetail> element containing one or more <xacml-context:Attribute> elements. If the PDP includes <AttributeValue> elements in the <Attribute> element, then this indicates the acceptable values for that attribute. If no <AttributeValue> elements are included, then this indicates the names of attributes that the PDP failed to resolve during its evaluation. The list of attributes may be partial or complete. There is no guarantee by the PDP that supplying the missing values or attributes will be sufficient to satisfy the policy.
urn:oasis:names:tc:xacml:1.0:status:syntax-error
A PDP MUST NOT return a <StatusDetail> element in conjunction with the "syntax-error" status value. A syntax error may represent either a problem with the policy being used or with the request context. The PDP MAY return a <StatusMessage> describing the problem.
urn:oasis:names:tc:xacml:1.0:status:processing-error
A PDP MUST NOT return a <StatusDetail> element in conjunction with the "processing-error" status value. This status code indicates an internal problem in the PDP. For security reasons, the PDP MAY choose to return no further information to the PEP. In the case of a divide-by-zero error or other computational error, the PDP MAY return a <StatusMessage> describing the nature of the error.
7 Functional requirements (normative)
This section specifies certain functional requirements that are not directly associated with the production or consumption of a particular XACML element.
7.1 Policy enforcement point
This section describes the requirements for the PEP.
An application functions in the role of the PEP if it guards access to a set of resources and asks the PDP for an authorization decision. The PEP MUST abide by the authorization decision in the following way:
A PEP SHALL allow access to the resource only if a valid XACML response of "Permit" is returned by the PDP. The PEP SHALL deny access to the resource in all other cases. An XACML response of "Permit" SHALL be considered valid only if the PEP understands all of the obligations contained in the response.
72 Base policyA PDP SHALL represent one policy or policy set called its base policy This base policy MAY be a ltPolicygt element containing a ltTargetgt element that matches every possible decision request or (for instance) it MAY be a ltPolicygt element containing a ltTargetgt element that matches only a specific subject In such cases the base policy SHALL form the root-node of a tree of policies connected by ltPolicyIdReferencegt and ltPolicySetIdReferencegt elements to all the rules that may be applicable to any decision request that the PDP is capable of evaluating
In the case of a PDP that retrieves policies according to the decision request that it is processing the base policy SHALL contain a ltPolicygt element containing a ltTargetgt element that matches every possible decision request and a PolicyCombiningAlgId attribute with the value ldquoOnly-one-applicable In other words the PDP SHALL return an error if it retrieves policies that do not form a single tree
7.3 Target evaluation
The target value SHALL be "Match" if the subject, resource and action specified in the target all match values in the request context. The target value SHALL be "No-match" if one or more of the subject, resource and action specified in the target do not match values in the request context. The value of a <SubjectMatch>, <ResourceMatch> or <ActionMatch> element in which a referenced attribute value cannot be obtained depends on the value of the MustBePresent attribute of the <AttributeDesignator> or <AttributeSelector> element. If the MustBePresent attribute is "True", then the result of the <SubjectMatch>, <ResourceMatch> or <ActionMatch> element SHALL be "Indeterminate" in this case. If the MustBePresent attribute is "False" or missing, then the result of the <SubjectMatch>, <ResourceMatch> or <ActionMatch> element SHALL be "No-match".

7.4 Condition evaluation
The condition value SHALL be "True" if the <Condition> element is absent, or if it evaluates to "True" for the attribute values supplied in the request context. Its value is "False" if the <Condition> element evaluates to "False" for the attribute values supplied in the request context. If any attribute value referenced in the condition cannot be obtained, then the condition SHALL evaluate to "Indeterminate".

7.5 Rule evaluation
A rule has a value that can be calculated by evaluating its contents. Rule evaluation involves separate evaluation of the rule's target and condition. The rule truth table is shown in Table 1.

Target            Condition         Rule Value
"Match"           "True"            Effect
"Match"           "False"           "NotApplicable"
"Match"           "Indeterminate"   "Indeterminate"
"No-match"        Don't care        "NotApplicable"
"Indeterminate"   Don't care        "Indeterminate"
Table 1 - Rule truth table

If the target value is "No-match" or "Indeterminate", then the rule value SHALL be "NotApplicable" or "Indeterminate", respectively, regardless of the value of the condition. For these cases, therefore, the condition need not be evaluated in order to determine the rule value.
If the target value is "Match" and the condition value is "True", then the effect specified in the rule SHALL determine the rule value.

7.6 Policy evaluation
The value of a policy SHALL be determined only by its contents, considered in relation to the contents of the request context. A policy's value SHALL be determined by evaluation of the policy's target and rules, according to the specified rule-combining algorithm.
The policy's target SHALL be evaluated to determine the applicability of the policy. If the target evaluates to "Match", then the value of the policy SHALL be determined by evaluation of the policy's rules, according to the specified rule-combining algorithm. If the target evaluates to "No-match", then the value of the policy SHALL be "NotApplicable". If the target evaluates to "Indeterminate", then the value of the policy SHALL be "Indeterminate".
The policy truth table is shown in Table 2.

Target            Rule values                                    Policy Value
"Match"           At least one rule value is its Effect          Specified by the rule-combining algorithm
"Match"           All rule values are "NotApplicable"            "NotApplicable"
"Match"           At least one rule value is "Indeterminate"     Specified by the rule-combining algorithm
"No-match"        Don't care                                     "NotApplicable"
"Indeterminate"   Don't care                                     "Indeterminate"
Table 2 - Policy truth table

The rules value "At least one rule value is its Effect" SHALL be used if the <Rule> element is absent, or if one or more of the rules contained in the policy is applicable to the decision request (i.e. returns a value of "Effect", see Section 7.5). The rules value "All rule values are 'NotApplicable'" SHALL be used if no rule contained in the policy is applicable to the request and if no rule contained in the policy returns a value of "Indeterminate". If no rule contained in the policy is applicable to the request, but one or more rule returns a value of "Indeterminate", then the rules value SHALL be "At least one rule value is 'Indeterminate'".
If the target value is "No-match" or "Indeterminate", then the policy value SHALL be "NotApplicable" or "Indeterminate", respectively, regardless of the value of the rules. For these cases, therefore, the rules need not be evaluated in order to determine the policy value.
If the target value is "Match" and the rules value is "At least one rule value is its Effect" or "At least one rule value is 'Indeterminate'", then the rule-combining algorithm specified in the policy SHALL determine the policy value.

7.7 Policy set evaluation
The value of a policy set SHALL be determined by its contents, considered in relation to the contents of the request context. A policy set's value SHALL be determined by evaluation of the policy set's target, policies and policy sets, according to the specified policy-combining algorithm.
The policy set's target SHALL be evaluated to determine the applicability of the policy set. If the target evaluates to "Match", then the value of the policy set SHALL be determined by evaluation of the policy set's policies and policy sets, according to the specified policy-combining algorithm. If the target evaluates to "No-match", then the value of the policy set SHALL be "NotApplicable". If the target evaluates to "Indeterminate", then the value of the policy set SHALL be "Indeterminate".
The policy set truth table is shown in Table 3.
Target            Policy values                                      Policy Set Value
"Match"           At least one policy value is its Decision          Specified by the policy-combining algorithm
"Match"           All policy values are "NotApplicable"              "NotApplicable"
"Match"           At least one policy value is "Indeterminate"       Specified by the policy-combining algorithm
"No-match"        Don't care                                         "NotApplicable"
"Indeterminate"   Don't care                                         "Indeterminate"
Table 3 - Policy set truth table
The policies value "At least one policy value is its Decision" SHALL be used if there are no contained or referenced policies or policy sets, or if one or more of the policies or policy sets contained in or referenced by the policy set is applicable to the decision request (i.e. returns a value determined by its rule-combining algorithm, see Section 7.6). The policies value "All policy values are 'NotApplicable'" SHALL be used if no policy or policy set contained in or referenced by the policy set is applicable to the request and if no policy or policy set contained in or referenced by the policy set returns a value of "Indeterminate". If no policy or policy set contained in or referenced by the policy set is applicable to the request, but one or more policy or policy set returns a value of "Indeterminate", then the policies value SHALL be "At least one policy value is 'Indeterminate'".
If the target value is "No-match" or "Indeterminate", then the policy set value SHALL be "NotApplicable" or "Indeterminate", respectively, regardless of the value of the policies. For these cases, therefore, the policies need not be evaluated in order to determine the policy set value.
If the target value is "Match" and the policies value is "At least one policy value is its Decision" or "At least one policy value is 'Indeterminate'", then the policy-combining algorithm specified in the policy set SHALL determine the policy set value.
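As an added illustration (not code from the specification), the following Python models the three-valued target evaluation of Section 7.3 and the truth tables of Sections 7.5 to 7.7 with a pluggable combining algorithm. The attribute identifiers, the sample policy tree and the choice of a first-applicable combining algorithm are assumptions made for this example.

```python
"""Three-valued evaluation of targets, rules, policies and policy sets following
Sections 7.3 to 7.7. A request context is a dict mapping an AttributeId to the
bag (list) of its values; the policy tree is made of plain dicts. Constructed
example, not code from the specification."""
from typing import Callable, Dict, List

MATCH, NO_MATCH, INDETERMINATE = "Match", "No-match", "Indeterminate"
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
Context = Dict[str, List[str]]
MatchElement = Callable[[Context], str]  # a <SubjectMatch>, <ResourceMatch> or <ActionMatch>


def attribute_match(attribute_id: str, expected: str, must_be_present: bool = False) -> MatchElement:
    """Match element over one AttributeDesignator. Per Section 7.3, a designator whose
    attribute cannot be obtained yields Indeterminate if MustBePresent is True, else No-match."""
    def match(context: Context) -> str:
        if attribute_id not in context:
            return INDETERMINATE if must_be_present else NO_MATCH
        return MATCH if expected in context[attribute_id] else NO_MATCH
    return match


def evaluate_target(matches: List[MatchElement], context: Context) -> str:
    """Section 7.3: Match only when every element matches. Any non-matching element
    makes the target No-match; failing that, any Indeterminate element makes it
    Indeterminate. An empty target matches every request."""
    values = [match(context) for match in matches]
    if NO_MATCH in values:
        return NO_MATCH
    if INDETERMINATE in values:
        return INDETERMINATE
    return MATCH


def evaluate_rule(rule: dict, context: Context) -> str:
    """Table 1, the rule truth table. The condition (a callable returning True, False
    or INDETERMINATE) is evaluated only when the target matches, as Section 7.5 allows."""
    target = evaluate_target(rule["target"], context)
    if target != MATCH:
        return NOT_APPLICABLE if target == NO_MATCH else INDETERMINATE
    condition = rule.get("condition")
    value = True if condition is None else condition(context)   # Section 7.4
    if value is True:
        return rule["effect"]
    return NOT_APPLICABLE if value is False else INDETERMINATE


def first_applicable(values: List[str]) -> str:
    """Combining algorithm used by the sample tree: the first value that is not
    NotApplicable (Permit, Deny or Indeterminate) decides."""
    for value in values:
        if value != NOT_APPLICABLE:
            return value
    return NOT_APPLICABLE


def evaluate(node: dict, context: Context) -> str:
    """Tables 2 and 3. A node with "rules" is a <Policy> and combines its rule values;
    otherwise it is a <PolicySet> and combines the values of its child policies and
    policy sets. Target handling is identical for both."""
    target = evaluate_target(node["target"], context)
    if target != MATCH:
        return NOT_APPLICABLE if target == NO_MATCH else INDETERMINATE
    if "rules" in node:
        values = [evaluate_rule(rule, context) for rule in node["rules"]]
    else:
        values = [evaluate(child, context) for child in node["children"]]
    if values and all(value == NOT_APPLICABLE for value in values):
        return NOT_APPLICABLE   # "All rule (or policy) values are NotApplicable"
    # No children at all, at least one Effect/Decision, or at least one
    # Indeterminate: the combining algorithm decides.
    return node["combine"](values)


# Constructed sample tree: reading patient records is permitted to physicians and
# denied to everyone else; the base policy set applies to "read" actions only and
# requires the action attribute to be present.
RECORDS_POLICY = {
    "target": [attribute_match("resource-id", "patient-record")],
    "rules": [
        {"target": [attribute_match("role", "physician")], "effect": PERMIT},
        {"target": [], "effect": DENY},   # catch-all deny rule
    ],
    "combine": first_applicable,
}
BASE_POLICY_SET = {
    "target": [attribute_match("action-id", "read", must_be_present=True)],
    "children": [RECORDS_POLICY],
    "combine": first_applicable,
}


def decide(context: Context) -> str:
    """Authorization decision for one request context against the sample tree."""
    return evaluate(BASE_POLICY_SET, context)


if __name__ == "__main__":
    print(decide({"action-id": ["read"], "resource-id": ["patient-record"], "role": ["physician"]}))  # Permit
    print(decide({"action-id": ["read"], "resource-id": ["patient-record"], "role": ["nurse"]}))      # Deny
    print(decide({"resource-id": ["patient-record"], "role": ["physician"]}))                        # Indeterminate
    print(decide({"action-id": ["read"], "resource-id": ["lab-result"]}))                            # NotApplicable
```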
7.8 Hierarchical resources
It is often the case that a resource is organized as a hierarchy (e.g. file system, XML document). Some access requesters may request access to an entire subtree of a resource, specified by a node. XACML allows the PEP (or context handler) to specify whether the decision request is just for a single resource or for a subtree below the specified resource. The latter is equivalent to repeating a single request for each node in the entire subtree.
When a request context contains a resource attribute of type urn:oasis:names:tc:xacml:1.0:resource:scope with a value of "Immediate", or if it does not contain that attribute, then the decision request SHALL be interpreted to apply to just the single resource specified by the "urn:oasis:names:tc:xacml:1.0:resource:resource-id" attribute.
When the urn:oasis:names:tc:xacml:1.0:resource:scope attribute has the value "Children", the decision request SHALL be interpreted to apply to the specified resource and its immediate children resources.
When the urn:oasis:names:tc:xacml:1.0:resource:scope attribute has the value "Descendants", the decision request SHALL be interpreted to apply to both the specified resource and all its descendant resources.
In the case of "Children" and "Descendants", the authorization decision MAY include multiple results for the multiple sub-nodes in the resource sub-tree.
An XACML authorization response MAY contain multiple <Result> elements.
Note that the method by which the PDP discovers whether the resource is hierarchically organized or not is outside the scope of XACML.
In the case where a child or descendant resource cannot be accessed, the <Result> element associated with the parent element SHALL contain a <StatusCode> Value of "urn:oasis:names:tc:xacml:1.0:status:processing-error".
7.9 Attributes
Attributes are specified in the request context, regardless of whether or not they appeared in the original decision request, and are referred to in the policy by subject, resource, action and environment attribute designators and attribute selectors. A named attribute is the term used for the criteria that the specific subject, resource, action and environment attribute designators and selectors use to refer to attributes in the subject, resource, action and environment elements of the request context, respectively.

7.9.1 Attribute matching
A named attribute has specific criteria with which to match attributes in the context. An attribute specifies AttributeId, DataType and Issuer attributes, and each named attribute also specifies AttributeId, DataType and optional Issuer attributes. A named attribute SHALL match an attribute if the values of their respective AttributeId, DataType and optional Issuer attributes match within their particular element (e.g. subject, resource, action or environment) of the context. The AttributeId of the named attribute MUST match, by URI equality, the AttributeId of the context attribute. The DataType of the named attribute MUST match, by URI equality, the DataType of the same context attribute. If Issuer is supplied in the named attribute, then it MUST match, by string equality, the Issuer of the same context attribute. If Issuer is not supplied in the named attribute, then the matching of the context attribute to the named attribute SHALL be governed by AttributeId and DataType alone, regardless of the presence, absence or actual value of Issuer. In the case of an attribute selector, the matching of the attribute to the named attribute SHALL be governed by the XPath expression and DataType.
7.9.2 Attribute retrieval
The PDP SHALL request the values of attributes in the request context from the context handler. The PDP SHALL reference the attributes as if they were in a physical request context document, but the context handler is responsible for obtaining and supplying the requested values. The context handler SHALL return the values of attributes that match the attribute designator or attribute selector and form them into a bag of values with the specified data-type. If no attributes from the request context match, then the attribute SHALL be considered missing. If the attribute is missing, then MustBePresent governs whether the attribute designator or attribute selector returns an empty bag or an "Indeterminate" result. If MustBePresent is "False" (default value), then a missing attribute SHALL result in an empty bag. If MustBePresent is "True", then a missing attribute SHALL result in "Indeterminate". This "Indeterminate" result SHALL be handled in accordance with the specification of the encompassing expressions, rules, policies and policy sets. If the result is "Indeterminate", then the AttributeId, DataType and Issuer of the attribute MAY be listed in the authorization decision, as described in Section 7.10. However, a PDP MAY choose not to return such information for security reasons.
7.9.3 Environment attributes
Environment attributes are listed in Section B.8. If a value for one of these attributes is supplied in the decision request, then the context handler SHALL use that value. Otherwise, the context handler SHALL supply a value. For the date and time attributes, the supplied value SHALL have the semantics of date and time that apply to the decision request.

7.10 Authorization decision
Given a valid XACML policy or policy set, a compliant XACML PDP MUST evaluate the policy as specified in Sections 5 and 4.2. The PDP MUST return a response context with one <Decision> element of value "Permit", "Deny", "Indeterminate" or "NotApplicable".
If the PDP cannot make a decision, then an "Indeterminate" <Decision> element contents SHALL be returned. The PDP MAY return a <Decision> element contents of "Indeterminate" with a status code of urn:oasis:names:tc:xacml:1.0:missing-attribute, signifying that more information is needed. In this case, the <Status> element MAY list the names and data-types of any attributes of the subjects, resource, action or environment that are needed by the PDP to refine its decision. A PEP MAY resubmit a refined request context in response to a <Decision> element contents of "Indeterminate" with a status code of urn:oasis:names:tc:xacml:1.0:missing-attribute by adding attribute values for the attribute names that were listed in the previous response. When the PDP returns a <Decision> element contents of "Indeterminate" with a status code of urn:oasis:names:tc:xacml:1.0:missing-attribute, it MUST NOT list the names and data-types of any attribute of the subject, resource, action or environment for which values were supplied in the original request. Note: this requirement forces the PDP to eventually return an authorization decision of "Permit", "Deny" or "Indeterminate" with some other status code, in response to successively-refined requests.
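The matching rule of Section 7.9.1, the bag retrieval of Section 7.9.2 and the missing-attribute listing constraint of Section 7.10, worked through in Python as an added example (not the specification's code). The AttributeIds, issuers and the subject element below are constructed for the example.

```python
"""Named-attribute matching (Section 7.9.1), bag retrieval under MustBePresent
(Section 7.9.2) and the missing-attribute listing rule of Section 7.10.
Constructed example, not code from the specification; the AttributeIds and
issuers used below are made up."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple, Union

INDETERMINATE = "Indeterminate"
STRING = "http://www.w3.org/2001/XMLSchema#string"
ROLE = "urn:example:attributes:role"            # constructed AttributeId
CLEARANCE = "urn:example:attributes:clearance"  # constructed AttributeId


@dataclass(frozen=True)
class Attribute:
    """One <Attribute> within a request context element (subject, resource, ...)."""
    attribute_id: str
    data_type: str
    value: str
    issuer: Optional[str] = None


@dataclass(frozen=True)
class NamedAttribute:
    """The criteria carried by an AttributeDesignator."""
    attribute_id: str
    data_type: str
    issuer: Optional[str] = None
    must_be_present: bool = False


def matches(named: NamedAttribute, attr: Attribute) -> bool:
    """Section 7.9.1: AttributeId and DataType are compared by URI equality. Issuer
    is compared by string equality only when the designator supplies one; a
    designator without Issuer matches regardless of the context attribute's Issuer."""
    if named.attribute_id != attr.attribute_id or named.data_type != attr.data_type:
        return False
    return named.issuer is None or named.issuer == attr.issuer


def retrieve_bag(named: NamedAttribute, element: List[Attribute]) -> Union[List[str], str]:
    """Section 7.9.2: the context handler forms the matching values into a bag. With
    no match the attribute is missing: an empty bag, or Indeterminate if MustBePresent."""
    bag = [attr.value for attr in element if matches(named, attr)]
    if not bag and named.must_be_present:
        return INDETERMINATE
    return bag


def missing_attribute_listing(needed: List[NamedAttribute],
                              element: List[Attribute]) -> List[Tuple[str, str]]:
    """Section 7.10: the (AttributeId, DataType) pairs a PDP may list with a
    missing-attribute status. Attributes for which the request already supplied a
    value MUST NOT be listed; that exclusion is what makes successive refinement
    terminate, and a PDP may still withhold the list for security reasons."""
    supplied: Set[Tuple[str, str]] = {(attr.attribute_id, attr.data_type) for attr in element}
    return [(named.attribute_id, named.data_type) for named in needed
            if (named.attribute_id, named.data_type) not in supplied]


# Constructed subject element: the role is asserted by two issuers, clearance is absent.
SUBJECT = [
    Attribute(ROLE, STRING, "physician", issuer="hr.example.com"),
    Attribute(ROLE, STRING, "auditor", issuer="contractor.example.net"),
]


def demo() -> dict:
    """Run the three operations over the constructed subject element."""
    any_issuer = NamedAttribute(ROLE, STRING)
    hr_only = NamedAttribute(ROLE, STRING, issuer="hr.example.com")
    clearance = NamedAttribute(CLEARANCE, STRING, must_be_present=True)
    return {
        "any_issuer": retrieve_bag(any_issuer, SUBJECT),   # ['physician', 'auditor']
        "hr_only": retrieve_bag(hr_only, SUBJECT),         # ['physician']
        "clearance": retrieve_bag(clearance, SUBJECT),     # 'Indeterminate'
        "listing": missing_attribute_listing([hr_only, clearance], SUBJECT),  # [(CLEARANCE, STRING)]
    }
```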
7.11 Obligations
A policy or policy set may contain one or more obligations. When such a policy or policy set is evaluated, an obligation SHALL be passed up to the next level of evaluation (the enclosing or referencing policy set, or authorization decision) only if the effect of the policy or policy set being evaluated matches the value of the xacml:FulfillOn attribute of the obligation.
As a consequence of this procedure, no obligations SHALL be returned to the PEP if the policies or policy sets from which they are drawn are not evaluated, or if their evaluated result is "Indeterminate" or "NotApplicable", or if the decision resulting from evaluating the policy or policy set does not match the decision resulting from evaluating an enclosing policy set.
If the PDP's evaluation is viewed as a tree of policy sets and policies, each of which returns "Permit" or "Deny", then the set of obligations returned by the PDP to the PEP will include only the obligations associated with those paths where the effect at each level of evaluation is the same as the effect being returned by the PDP.
A PEP that receives a valid XACML response of "Permit" with obligations SHALL be responsible for fulfilling all of those obligations. A PEP that receives an XACML response of "Deny" with obligations SHALL be responsible for fulfilling all of the obligations that it understands.
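An added example (not from the specification) of the propagation rule above applied to a tree whose nodes have already been evaluated, together with the PEP's handling of obligations from Sections 7.1 and 7.11. The ObligationIds and the tree are constructed for the example.

```python
"""Obligation propagation as described in Section 7.11, over a tree of policy sets
and policies that have already been evaluated, plus the PEP behaviour required by
Sections 7.1 and 7.11. Constructed example, not code from the specification; the
ObligationIds are made up."""
from dataclasses import dataclass, field
from typing import List, Set

PERMIT, DENY = "Permit", "Deny"


@dataclass
class Obligation:
    obligation_id: str
    fulfill_on: str      # the xacml:FulfillOn value, "Permit" or "Deny"


@dataclass
class Node:
    """An evaluated <PolicySet> or <Policy> with the decision it produced."""
    decision: str        # Permit, Deny, Indeterminate or NotApplicable
    obligations: List[Obligation] = field(default_factory=list)
    children: List["Node"] = field(default_factory=list)


def collect_obligations(node: Node) -> List[Obligation]:
    """Obligations this node passes up to the next level of evaluation.

    A node's own obligation is passed up only if its FulfillOn equals the node's
    decision; a child's obligations travel further only if the child's decision
    equals this node's. Indeterminate and NotApplicable nodes contribute nothing."""
    if node.decision not in (PERMIT, DENY):
        return []
    passed = [o for o in node.obligations if o.fulfill_on == node.decision]
    for child in node.children:
        if child.decision == node.decision:
            passed.extend(collect_obligations(child))
    return passed


def pep_enforce(decision: str, obligations: List[Obligation], understood: Set[str]) -> dict:
    """PEP side. A "Permit" is valid only if the PEP understands every obligation,
    and the PEP then fulfils all of them; any other response denies access. On a
    "Deny" the PEP fulfils the obligations it understands (Sections 7.1 and 7.11)."""
    ids = [o.obligation_id for o in obligations]
    if decision == PERMIT:
        if all(i in understood for i in ids):
            return {"access": True, "fulfil": ids}
        return {"access": False, "fulfil": []}     # response not valid: deny access
    if decision == DENY:
        return {"access": False, "fulfil": [i for i in ids if i in understood]}
    return {"access": False, "fulfil": []}


# Constructed evaluated tree: the root policy set decided Permit; its first child
# agreed, its second child decided Deny, its third was NotApplicable.
TREE = Node(PERMIT, [Obligation("urn:example:obligation:audit-root", PERMIT)], [
    Node(PERMIT, [Obligation("urn:example:obligation:log-access", PERMIT),
                  Obligation("urn:example:obligation:alert-denied", DENY)]),
    Node(DENY, [Obligation("urn:example:obligation:notify-owner", DENY)]),
    Node("NotApplicable", [Obligation("urn:example:obligation:never", PERMIT)]),
])


def returned_obligation_ids() -> List[str]:
    """What the PDP hands to the PEP for the constructed tree:
    ['urn:example:obligation:audit-root', 'urn:example:obligation:log-access']."""
    return [o.obligation_id for o in collect_obligations(TREE)]
```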
7.12 Unsupported functionality
If the PDP attempts to evaluate a policy set or policy that contains an optional element type or feature that the PDP does not support, then the PDP SHALL return a <Decision> value of "Indeterminate". If a <StatusCode> element is also returned, then its value SHALL be urn:oasis:names:tc:xacml:1.0:status:syntax-error in the case of an unsupported element type, and urn:oasis:names:tc:xacml:1.0:status:processing-error in the case of an unsupported feature.

7.13 Syntax and type errors
If a policy that contains invalid syntax is evaluated by the XACML PDP at the time a decision request is received, then the result of that policy SHALL be "Indeterminate" with a StatusCode value of urn:oasis:names:tc:xacml:1.0:status:syntax-error.
If a policy that contains invalid static data-types is evaluated by the XACML PDP at the time a decision request is received, then the result of that policy SHALL be "Indeterminate" with a StatusCode value of urn:oasis:names:tc:xacml:1.0:status:processing-error.
8 XACML extensibility points (non-normative)
This section describes the points within the XACML model and schema where extensions can be added.

8.1 Extensible XML attribute types
The following XML attributes have values that are URIs. These may be extended by the creation of new URIs associated with new semantics for these attributes.
AttributeId
AttributeValue
DataType
FunctionId
MatchId
ObligationId
PolicyCombiningAlgId
RuleCombiningAlgId
StatusCode
SubjectCategory
See Section 5 for definitions of these attribute types.
8.2 Structured attributes
An XACML <AttributeValue> element MAY contain an instance of a structured XML data-type. Section A.3 describes a number of standard techniques to identify data items within such a structured attribute. Listed here are some additional techniques that require XACML extensions.
1. For a given structured data-type, a community of XACML users MAY define new attribute identifiers for each leaf sub-element of the structured data-type that has a type conformant with one of the XACML-defined primitive data-types. Using these new attribute identifiers, the PEPs or context handlers used by that community of users can flatten instances of the structured data-type into a sequence of individual <Attribute> elements. Each such <Attribute> element can be compared using the XACML-defined functions. Using this method, the structured data-type itself never appears in an <AttributeValue> element.
2. A community of XACML users MAY define a new function that can be used to compare a value of the structured data-type against some other value. This method may only be used by PDPs that support the new function.

9 Security and privacy considerations (non-normative)
This section identifies possible security and privacy compromise scenarios that should be considered when implementing an XACML-based system. The section is informative only. It is left to the implementer to decide whether these compromise scenarios are practical in their environment and to select appropriate safeguards.

9.1 Threat model
We assume here that the adversary has access to the communication channel between the XACML actors and is able to interpret, insert, delete and modify messages or parts of messages.
Additionally, an actor may use information from a former transaction maliciously in subsequent transactions. It is further assumed that rules and policies are only as reliable as the actors that create and use them. Thus, it is incumbent on each actor to establish appropriate trust in the other actors upon which it relies. Mechanisms for trust establishment are outside the scope of this specification.
The messages that are transmitted between the actors in the XACML model are susceptible to attack by malicious third parties. Other points of vulnerability include the PEP, the PDP and the PAP. While some of these entities are not strictly within the scope of this specification, their compromise could lead to the compromise of access control enforced by the PEP.
It should be noted that there are other components of a distributed system that may be compromised, such as an operating system and the domain-name system (DNS), that are outside the scope of this discussion of threat models. Compromise in these components may also lead to a policy violation.
The following sections detail specific compromise scenarios that may be relevant to an XACML system.

9.1.1 Unauthorized disclosure
XACML does not specify any inherent mechanisms for confidentiality of the messages exchanged between actors. Therefore, an adversary could observe the messages in transit. Under certain security policies, disclosure of this information is a violation. Disclosure of attributes or the types of decision requests that a subject submits may be a breach of privacy policy. In the commercial sector, the consequences of unauthorized disclosure of personal data may range from embarrassment to the custodian to imprisonment and large fines in the case of medical or financial data.
Unauthorized disclosure is addressed by confidentiality mechanisms.

9.1.2 Message replay
A message replay attack is one in which the adversary records and replays legitimate messages between XACML actors. This attack may lead to denial of service, the use of out-of-date information or impersonation.
Prevention of replay attacks requires the use of message freshness mechanisms.
Note that encryption of the message does not mitigate a replay attack, since the message is just replayed and does not have to be understood by the adversary.

9.1.3 Message insertion
A message insertion attack is one in which the adversary inserts messages in the sequence of messages between XACML actors.
The solution to a message insertion attack is to use mutual authentication and a message sequence integrity mechanism between the actors. It should be noted that just using SSL mutual authentication is not sufficient. This only proves that the other party is the one identified by the subject of the X.509 certificate. In order to be effective, it is necessary to confirm that the certificate subject is authorized to send the message.

9.1.4 Message deletion
A message deletion attack is one in which the adversary deletes messages in the sequence of messages between XACML actors. Message deletion may lead to denial of service. However, a properly designed XACML system should not render an incorrect authorization decision as a result of a message deletion attack.
The solution to a message deletion attack is to use a message integrity mechanism between the actors.

9.1.5 Message modification
If an adversary can intercept a message and change its contents, then they may be able to alter an authorization decision. Message integrity mechanisms can prevent a successful message modification attack.
9.1.6 NotApplicable results
A result of "NotApplicable" means that the PDP did not have a policy whose target matched the information in the decision request. In general, we highly recommend using a default-deny policy, so that when a PDP would have returned "NotApplicable", a result of "Deny" is returned instead.
In some security models, however, such as is common in many Web servers, a result of "NotApplicable" is treated as equivalent to "Permit". There are particular security considerations that must be taken into account for this to be safe. These are explained in the following paragraphs.
If "NotApplicable" is to be treated as "Permit", it is vital that the matching algorithms used by the policy to match elements in the decision request are closely aligned with the data syntax used by the applications that will be submitting the decision request. A failure to match will be treated as "Permit", so an unintended failure to match may allow unintended access.
A common example of this is a Web server. Commercial HTTP responders allow a variety of syntaxes to be treated equivalently. The "%" escape can be used to represent characters by hex value. The URL path provides multiple ways of specifying the same value. Multiple character sets may be permitted, and in some cases the same printed character can be represented by different binary values. Unless the matching algorithm used by the policy is sophisticated enough to catch these variations, unintended access may be permitted.
It is safe to treat "NotApplicable" as "Permit" only in a closed environment where all applications that formulate a decision request can be guaranteed to use the exact syntax expected by the policies used by the PDP. In a more open environment, where decision requests may be received from applications that may use any legal syntax, it is strongly recommended that "NotApplicable" NOT be treated as "Permit" unless matching rules have been very carefully designed to match all possible applicable inputs, regardless of syntax or type variations.
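An added example, not from the specification, of the canonicalisation a PDP or context handler needs before matching a Web server's resource-id when "NotApplicable" is treated as "Permit". The protected path, the variant URLs and the single-Deny-rule toy PDP are constructed for the example.

```python
"""Why a deployment that treats NotApplicable as Permit (Section 9.1.6) must
canonicalise the resource identifier before target matching. Constructed example,
not code from the specification: a single Deny rule protects the path
"/admin/config" of a Web server; a naive string match lets equivalent spellings
fall through to NotApplicable, which this model turns into Permit."""
import posixpath
import unicodedata
from typing import Callable, Dict, Tuple
from urllib.parse import unquote, urlsplit, urlunsplit

PROTECTED_PATH = "/admin/config"   # constructed policy target value


def canonical_url(url: str) -> str:
    """Normalise the variations Section 9.1.6 lists: "%" hex escapes (decoded until
    stable, so double encoding cannot hide a character), dot segments and repeated
    slashes in the path, differing byte sequences for one printed character (Unicode
    NFC) and letter case in scheme and host."""
    parts = urlsplit(url)
    path = parts.path
    while True:
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = posixpath.normpath(path) if path else "/"
    if path.startswith("//"):            # normpath keeps a leading "//" on POSIX
        path = "/" + path.lstrip("/")
    path = unicodedata.normalize("NFC", path)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


def naive_match(resource_id: str) -> bool:
    """Target matching by plain string equality on the path as submitted."""
    return urlsplit(resource_id).path == PROTECTED_PATH


def canonical_match(resource_id: str) -> bool:
    """Target matching after canonicalisation."""
    return urlsplit(canonical_url(resource_id)).path == PROTECTED_PATH


def web_server_decision(resource_id: str, match: Callable[[str], bool]) -> str:
    """Toy PDP for the Web-server model: the only rule denies the protected path, and
    the PEP treats NotApplicable as Permit, so a failed match grants access."""
    return "Deny" if match(resource_id) else "Permit"


# Constructed request resource-ids that all name the protected path.
VARIANTS = [
    "http://www.example.com/admin/config",
    "http://www.example.com/admin/%63onfig",          # %63 is "c"
    "http://www.example.com/admin/%2563onfig",        # double-encoded "c"
    "http://www.example.com/admin/./config",
    "http://www.example.com/admin//config",
    "http://www.example.com/public/../admin/config",
]


def compare() -> Dict[str, Tuple[str, str]]:
    """(naive decision, canonical decision) for every variant: the naive matcher
    denies only the first spelling, the canonical matcher denies all six."""
    return {u: (web_server_decision(u, naive_match), web_server_decision(u, canonical_match))
            for u in VARIANTS}
```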
9.1.7 Negative rules
A negative rule is one that is based on a predicate not being "True". If not used with care, negative rules can lead to policy violation; therefore, some authorities recommend that they not be used. However, negative rules can be extremely efficient in certain cases, so XACML has chosen to include them. Nevertheless, it is recommended that they be used with care and avoided if possible.
A common use for negative rules is to deny access to an individual or subgroup when their membership in a larger group would otherwise permit them access. For example, we might want to write a rule that allows all Vice Presidents to see the unpublished financial data, except for Joe, who is only a Ceremonial Vice President and can be indiscreet in his communications. If we have complete control of the administration of subject attributes, a superior approach would be to define "Vice President" and "Ceremonial Vice President" as distinct groups and then define rules accordingly. However, in some environments, this approach may not be feasible. (It is worth noting in passing that, generally speaking, referring to individuals in rules does not scale well. Generally, shared attributes are preferred.)
If not used with care, negative rules can lead to policy violation in two common cases. They are when attributes are suppressed and when the base group changes. An example of suppressed attributes would be if we have a policy that access should be permitted unless the subject is a credit risk. If it is possible that the attribute of being a credit risk may be unknown to the PDP for some reason, then unauthorized access may be permitted. In some environments, the subject may be able to suppress the publication of attributes by the application of privacy controls, or the server or repository that contains the information may be unavailable for accidental or intentional reasons.
An example of a changing base group would be if there is a policy that everyone in the engineering department may change software source code, except for secretaries. Suppose now that the department was to merge with another engineering department, and the intent is to maintain the same policy. However, the new department also includes individuals identified as administrative assistants, who ought to be treated in the same way as secretaries. Unless the policy is altered, they will unintentionally be permitted to change software source code. Problems of this type are easy to avoid when one individual administers all policies, but when administration is distributed, as XACML allows, this type of situation must be explicitly guarded against.
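The suppressed-attribute case above, as an added example (not the specification's code) that contrasts the negative "permit unless credit risk" rule, the same rule with MustBePresent set, and the positive formulation when the attribute is missing. The AttributeId and the request contexts are constructed; the designator and bag-membership helpers follow Section 7.9.2.

```python
"""The suppressed-attribute failure of Section 9.1.7: "permit unless the subject is
a credit risk" written as a negative rule over an optional attribute fails open
when the attribute is withheld or unavailable. Constructed example, not code from
the specification; the AttributeId and the request contexts are made up."""
from typing import Dict, List, Union

INDETERMINATE = "Indeterminate"
Bag = List[str]
Context = Dict[str, Bag]          # AttributeId -> bag of values present in the context
CREDIT_RISK = "urn:example:attributes:credit-risk"   # constructed AttributeId


def designator(context: Context, attribute_id: str, must_be_present: bool) -> Union[Bag, str]:
    """AttributeDesignator with the Section 7.9.2 behaviour for a missing attribute:
    an empty bag, or Indeterminate when MustBePresent is True."""
    bag = context.get(attribute_id, [])
    if not bag and must_be_present:
        return INDETERMINATE
    return bag


def string_is_in(value: str, bag: Union[Bag, str]) -> Union[bool, str]:
    """Bag membership; an Indeterminate argument propagates to the result."""
    if bag == INDETERMINATE:
        return INDETERMINATE
    return value in bag


def negative_rule(context: Context, must_be_present: bool = False) -> str:
    """Permit unless credit-risk contains "true": condition not(string-is-in(...)).
    On an empty bag the negation is True, so a missing attribute yields Permit."""
    member = string_is_in("true", designator(context, CREDIT_RISK, must_be_present))
    if member == INDETERMINATE:
        return INDETERMINATE
    return "Permit" if not member else "NotApplicable"


def positive_rule(context: Context) -> str:
    """Permit only if credit-risk contains "false": the positive formulation, which
    yields NotApplicable (and so, under default-deny, no access) when the
    attribute is missing."""
    member = string_is_in("false", designator(context, CREDIT_RISK, False))
    return "Permit" if member is True else "NotApplicable"


def outcomes() -> Dict[str, Dict[str, str]]:
    """Rule values for three constructed subjects under each formulation. For the
    "suppressed" subject the plain negative rule returns Permit, the MustBePresent
    variant Indeterminate and the positive rule NotApplicable."""
    contexts = {
        "known_good": {CREDIT_RISK: ["false"]},
        "known_risk": {CREDIT_RISK: ["true"]},
        "suppressed": {},   # privacy control applied or attribute repository unavailable
    }
    return {
        name: {
            "negative": negative_rule(ctx),
            "negative_must_be_present": negative_rule(ctx, must_be_present=True),
            "positive": positive_rule(ctx),
        }
        for name, ctx in contexts.items()
    }
```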
9.2 Safeguards

9.2.1 Authentication
Authentication provides the means for one party in a transaction to determine the identity of the other party in the transaction. Authentication may be in one direction, or it may be bilateral.
Given the sensitive nature of access control systems, it is important for a PEP to authenticate the identity of the PDP to which it sends decision requests. Otherwise, there is a risk that an adversary could provide false or invalid authorization decisions, leading to a policy violation.
It is equally important for a PDP to authenticate the identity of the PEP and assess the level of trust to determine what, if any, sensitive data should be passed. One should keep in mind that even simple "Permit" or "Deny" responses could be exploited if an adversary were allowed to make unlimited requests to a PDP.
Many different techniques may be used to provide authentication, such as co-located code, a private network, a VPN or digital signatures. Authentication may also be performed as part of the communication protocol used to exchange the contexts. In this case, authentication may be performed at the message level or at the session level.

9.2.2 Policy administration
If the contents of policies are exposed outside of the access control system, potential subjects may use this information to determine how to gain unauthorized access.
To prevent this threat, the repository used for the storage of policies may itself require access control. In addition, the <Status> element should be used to return values of missing attributes only when exposure of the identities of those attributes will not compromise security.

9.2.3 Confidentiality
Confidentiality mechanisms ensure that the contents of a message can be read only by the desired recipients and not by anyone else who encounters the message while it is in transit. There are two areas in which confidentiality should be considered: one is confidentiality during transmission; the other is confidentiality within a <Policy> element.

9.2.3.1 Communication confidentiality
In some environments, it is deemed good practice to treat all data within an access control system as confidential. In other environments, policies may be made freely available for distribution, inspection and audit. The idea behind keeping policy information secret is to make it more difficult for an adversary to know what steps might be sufficient to obtain unauthorized access. Regardless of the approach chosen, the security of the access control system should not depend on the secrecy of the policy.
Any security concerns or requirements related to transmitting or exchanging XACML <Policy> elements are outside the scope of the XACML standard. While it is often important to ensure that the integrity and confidentiality of <Policy> elements is maintained when they are exchanged between two parties, it is left to the implementers to determine the appropriate mechanisms for their environment.

Communications confidentiality can be provided by a confidentiality mechanism such as SSL. Using a point-to-point scheme like SSL may lead to other vulnerabilities when one of the end-points is compromised: SSL protects the policy only while it is on the wire between the two end-points, so a compromised end-point, or an intermediary that terminates the session, sees the policy in cleartext.
9.2.3.2 Statement level confidentiality

In some cases, an implementation may want to encrypt only parts of an XACML <Policy> element.

The XML Encryption Syntax and Processing Candidate Recommendation from W3C can be used to encrypt all or parts of an XML document. This specification is recommended for use with XACML.

It should go without saying that if a repository is used to facilitate the communication of cleartext (i.e. unencrypted) policy between the PAP and PDP, then a secure repository should be used to store this sensitive data.
9.2.4 Policy integrity

The XACML policy used by the PDP to evaluate the request context is the heart of the system. Therefore, maintaining its integrity is essential. There are two aspects to maintaining the integrity of the policy. One is to ensure that <Policy> elements have not been altered since they were originally created by the PAP. The other is to ensure that <Policy> elements have not been inserted into or deleted from the set of policies. A signature on an individual <Policy> element addresses only the first aspect; detecting insertion or deletion requires integrity protection over the set as a whole, for example a signed list of the policies the PDP is expected to hold.

In many cases, both aspects can be achieved by ensuring the integrity of the actors and implementing session-level mechanisms to secure the communication between actors. The selection of the appropriate mechanisms is left to the implementers. However, when policy is distributed between organizations to be acted on at a later time, or when the policy travels with the protected resource, it would be useful to sign the policy. In these cases, the XML Signature Syntax and Processing standard from W3C [DS] is recommended to be used with XACML.

Digital signatures should only be used to ensure the integrity of the statements. Digital signatures should not be used as a method of selecting or evaluating policy. That is, the PDP should not request a policy based on who signed it or whether or not it has been signed (as such a basis for selection would itself be a matter of policy). However, the PDP must verify that the key used to sign the policy is one controlled by the purported issuer of the policy. The means to do this are dependent on the specific signature technology chosen and are outside the scope of this document.
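As an added illustration (not code from this specification), the following Python checks a signed policy the way this section asks a PDP to: it verifies the signature over the canonical form of the <Policy> element, and only under the key of the PAP recorded as the issuer of that PolicyId, so a signature that is valid under some other party's key is rejected. The issuer-to-key registry, the PolicyId-to-issuer registry and the sample policy are assumptions constructed for the example. HMAC-SHA256 from the Python standard library stands in for XML Signature so that the example runs offline; the binding check is the same one an XML Signature verifier has to perform once it has located the signing key.

```python
"""Policy integrity check for a PDP: the signature must verify under the key
of the PAP registered as the issuer of that PolicyId, over the canonical
form of the <Policy> element."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed assumptions for this example (not part of XACML): a registry
# binding each PAP to the key it controls, and a registry recording which PAP
# is allowed to issue each PolicyId. HMAC-SHA256 from the standard library
# stands in for XML Signature; the issuer/key binding check is the same.
ISSUER_KEYS = {
    "pap-hr": b"hr-pap-signing-key-0001",
    "pap-finance": b"finance-pap-signing-key-0002",
}
POLICY_ISSUER = {
    "urn:example:policy:hr-records-read": "pap-hr",
}

# Constructed sample policy in the XACML 1.x policy namespace.
POLICY_XML = """<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
    PolicyId="urn:example:policy:hr-records-read"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><AnyResource/></Resources>
    <Actions><AnyAction/></Actions>
  </Target>
  <Rule RuleId="allow-hr-read" Effect="Permit"/>
</Policy>"""


def canonical_bytes(policy_xml: str) -> bytes:
    """C14N 2.0 serialisation: whitespace between elements and attribute
    order do not change the bytes that are signed, but any change to an
    element, attribute or text value does."""
    return ET.canonicalize(policy_xml, strip_text=True).encode("utf-8")


def sign_policy(policy_xml: str, issuer: str) -> dict:
    """Detached signature over the canonical policy under the issuer's key."""
    mac = hmac.new(ISSUER_KEYS[issuer], canonical_bytes(policy_xml), hashlib.sha256)
    return {"issuer": issuer, "value": mac.hexdigest()}


def verify_policy(policy_xml: str, signature: dict) -> bool:
    """Accept the policy only if its signature verifies under the key of the
    PAP registered for this PolicyId. A signature that is valid under some
    other PAP's key is rejected: the key has to be one controlled by the
    purported issuer, which is the check the PDP is required to make."""
    try:
        policy_id = ET.fromstring(policy_xml).get("PolicyId")
        signed_bytes = canonical_bytes(policy_xml)
    except ET.ParseError:
        return False
    issuer = POLICY_ISSUER.get(policy_id)
    if issuer is None or signature.get("issuer") != issuer:
        return False
    key = ISSUER_KEYS.get(issuer)
    if key is None:
        return False
    expected = hmac.new(key, signed_bytes, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(signature.get("value", "")))


if __name__ == "__main__":
    good = sign_policy(POLICY_XML, "pap-hr")
    print("genuine policy:", verify_policy(POLICY_XML, good))
    tampered = POLICY_XML.replace('Effect="Permit"', 'Effect="Deny"')
    print("effect flipped:", verify_policy(tampered, good))
    print("signed by the wrong PAP:",
          verify_policy(POLICY_XML, sign_policy(POLICY_XML, "pap-finance")))
```

Two design points carry over to a real deployment: the signature is computed over a canonical form, so re-indenting or re-serialising the policy in transit does not break verification while flipping a Rule's Effect does; and the verifier never lets the signature itself choose the key (a KeyInfo naming some other trusted key would still fail here), because which PAP may issue a given policy is itself an administrative decision.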
9.2.5 Policy identifiers

Since policies can be referenced by their identifiers, it is the responsibility of the PAP to ensure that these are unique. Confusion between identifiers could lead to misidentification of the applicable policy. This specification is silent on whether a PAP must generate a new identifier when a policy is modified, or may use the same identifier in the modified policy. This is a matter of administrative practice. However, care must be taken in either case. If the identifier is reused, there is a danger that other policies or policy sets that reference it may be adversely affected. Conversely, if a new identifier is used, these other policies may continue to use the prior policy unless it is deleted. In either case, the results may not be what the policy administrator intends.
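As an added example (not code from this specification), a small PAP-side repository that enforces PolicyId uniqueness and makes both outcomes described above visible: modifying a policy under the same identifier reports the policy sets whose behaviour just changed, while modifying it under a new identifier reports the policy sets still bound to the old version, which become dangling references once the old policy is deleted. The identifiers, the sample policy and the sample policy set are constructed for the example.

```python
"""PolicyId bookkeeping for a PAP: keep identifiers unique and show what
modifying a policy does to the policy sets that reference it."""
import xml.etree.ElementTree as ET

P = "{urn:oasis:names:tc:xacml:1.0:policy}"

# Constructed sample policy and policy set (assumed identifiers, not from the spec).
HR_READ_V1 = """<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
    PolicyId="urn:example:policy:hr-read"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources>
          <Actions><AnyAction/></Actions></Target>
  <Rule RuleId="r1" Effect="Permit"/>
</Policy>"""
HR_READ_V2_SAME_ID = HR_READ_V1.replace('Effect="Permit"', 'Effect="Deny"')
HR_READ_V2_NEW_ID = HR_READ_V2_SAME_ID.replace("urn:example:policy:hr-read",
                                              "urn:example:policy:hr-read-v2")
HR_POLICY_SET = """<PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy"
    PolicySetId="urn:example:policyset:hr"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
  <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources>
          <Actions><AnyAction/></Actions></Target>
  <PolicyIdReference>urn:example:policy:hr-read</PolicyIdReference>
</PolicySet>"""


class PolicyRepository:
    def __init__(self):
        self.policies = {}      # PolicyId -> parsed <Policy>
        self.policy_sets = {}   # PolicySetId -> parsed <PolicySet>

    def add_policy(self, xml: str) -> str:
        policy = ET.fromstring(xml)
        policy_id = policy.get("PolicyId")
        if policy_id in self.policies:          # uniqueness is the PAP's responsibility
            raise ValueError(f"PolicyId already in use: {policy_id}")
        self.policies[policy_id] = policy
        return policy_id

    def add_policy_set(self, xml: str) -> str:
        policy_set = ET.fromstring(xml)
        self.policy_sets[policy_set.get("PolicySetId")] = policy_set
        return policy_set.get("PolicySetId")

    def delete_policy(self, policy_id: str) -> None:
        del self.policies[policy_id]

    @staticmethod
    def _references(policy_set) -> set:
        return {ref.text.strip() for ref in policy_set.iter(P + "PolicyIdReference") if ref.text}

    def referrers(self, policy_id: str) -> list:
        """Ids of the policy sets whose <PolicyIdReference> names policy_id."""
        return sorted(ps_id for ps_id, ps in self.policy_sets.items()
                      if policy_id in self._references(ps))

    def dangling_references(self) -> list:
        """Referenced PolicyIds that no stored policy carries."""
        referenced = set().union(*(self._references(ps) for ps in self.policy_sets.values()))
        return sorted(referenced - set(self.policies))

    def modify_policy(self, old_id: str, new_xml: str) -> dict:
        """Store a modified policy. Reusing the id changes every referring
        policy set at once; a new id leaves them on the old version until they
        are updated or the old policy is deleted. Either way, the policy sets
        that need review are returned so the administrator can act on them."""
        new_id = ET.fromstring(new_xml).get("PolicyId")
        affected = self.referrers(old_id)
        if new_id == old_id:
            self.policies[old_id] = ET.fromstring(new_xml)
            return {"mode": "reused-id", "now-on-new-version": affected}
        self.add_policy(new_xml)
        return {"mode": "new-id", "still-on-old-version": affected}


def build_sample_repository() -> PolicyRepository:
    """One policy and one policy set that references it."""
    repo = PolicyRepository()
    repo.add_policy(HR_READ_V1)
    repo.add_policy_set(HR_POLICY_SET)
    return repo
```

In a deployment the report returned by modify_policy is what the administrator reviews before the change is pushed to the PDP; dangling_references is the check to run after any deletion, because a <PolicyIdReference> that no longer resolves is evaluated by the PDP as an error rather than silently ignored.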
9.2.6 Trust model

Discussions of authentication, integrity and confidentiality mechanisms necessarily assume an underlying trust model: how can one actor come to believe that a given key is uniquely associated with a specific, identified actor, so that the key can be used to encrypt data for that actor or verify signatures (or other integrity structures) from that actor? Many different types of trust model exist, including strict hierarchies, distributed authorities, the Web, the bridge and so on.

It is worth considering the relationships between the various actors of the access control system in terms of the interdependencies that do and do not exist.

None of the entities of the authorization system are dependent on the PEP. They may collect data from it, for example authentication, but are responsible for verifying it.

The correct operation of the system depends on the ability of the PEP to actually enforce policy decisions.

The PEP depends on the PDP to correctly evaluate policies. This in turn implies that the PDP is supplied with the correct inputs. Other than that, the PDP does not depend on the PEP.

The PDP depends on the PAP to supply appropriate policies. The PAP is not dependent on other components.
9.2.7 Privacy

It is important to be aware that any transactions that occur with respect to access control may reveal private information about the actors. For example, if an XACML policy states that certain data may only be read by subjects with "Gold Card Member" status, then any transaction in which a subject is permitted access to that data leaks information to an adversary about the subject's status. Privacy considerations may therefore lead to encryption and/or to access control policies surrounding the enforcement of XACML policy instances themselves, confidentiality-protected channels for the request/response protocol messages, protection of subject attributes in storage and in transit, and so on.

Selection and use of privacy mechanisms appropriate to a given environment are outside the scope of XACML. The decision regarding whether, how and when to deploy such mechanisms is left to the implementers associated with the environment.
10 Conformance (normative)

10.1 Introduction

The XACML specification addresses the following aspect of conformance:

The XACML specification defines a number of functions, etc., that have somewhat specialist application; therefore, they are not required to be implemented in an implementation that claims to conform with the OASIS standard.

10.2 Conformance tables

This section lists those portions of the specification that MUST be included in an implementation of a PDP that claims to conform with XACML v1.0. A set of test cases has been created to assist in this process. These test cases are hosted by Sun Microsystems and can be located from the XACML Web page. The site hosting the test cases contains a full description of the test cases and how to execute them.
Note: M means mandatory-to-implement; O means optional.
10.2.1 Schema elements

The implementation MUST support those schema elements that are marked "M".

Element name  M/O
xacml-context:Action  M
xacml-context:Attribute  M
xacml-context:AttributeValue  M
xacml-context:Decision  M
xacml-context:Environment  M
xacml-context:Obligations  O
xacml-context:Request  M
xacml-context:Resource  M
xacml-context:ResourceContent  O
xacml-context:Response  M
xacml-context:Result  M
xacml-context:Status  M
xacml-context:StatusCode  M
xacml-context:StatusDetail  O
xacml-context:StatusMessage  O
xacml-context:Subject  M
xacml:Action  M
xacml:ActionAttributeDesignator  M
xacml:ActionMatch  M
xacml:Actions  M
xacml:AnyAction  M
xacml:AnyResource  M
xacml:AnySubject  M
xacml:Apply  M
xacml:AttributeAssignment  O
xacml:AttributeSelector  O
xacml:AttributeValue  M
xacml:Condition  M
xacml:Description  M
xacml:EnvironmentAttributeDesignator  M
xacml:Function  M
xacml:Obligation  O
xacml:Obligations  O
xacml:Policy  M
xacml:PolicyDefaults  O
xacml:PolicyIdReference  M
xacml:PolicySet  M
xacml:PolicySetDefaults  O
xacml:PolicySetIdReference  M
xacml:Resource  M
xacml:ResourceAttributeDesignator  M
xacml:ResourceMatch  M
xacml:Resources  M
xacml:Rule  M
xacml:Subject  M
xacml:SubjectMatch  M
xacml:Subjects  M
xacml:Target  M
xacml:XPathVersion  O
10.2.2 Identifier prefixes

The following identifier prefixes are reserved by XACML:

urn:oasis:names:tc:xacml:1.0
urn:oasis:names:tc:xacml:1.0:conformance-test
urn:oasis:names:tc:xacml:1.0:context
urn:oasis:names:tc:xacml:1.0:example
urn:oasis:names:tc:xacml:1.0:function
urn:oasis:names:tc:xacml:1.0:policy
urn:oasis:names:tc:xacml:1.0:subject
urn:oasis:names:tc:xacml:1.0:resource
urn:oasis:names:tc:xacml:1.0:action
10.2.3 Algorithms

The implementation MUST include the rule- and policy-combining algorithms associated with the following identifiers that are marked M.

Algorithm  M/O
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides  M
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides  M
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides  M
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides  M
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable  M
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable  M
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable  M
urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-deny-overrides
urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-deny-overrides
urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides
urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides
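The table only names the algorithms; their semantics are given in the specification's normative appendix on combining algorithms, which this page does not reproduce. As an added example (not code from the specification), the following Python implements the policy-combining algorithms listed above from those definitions. What is worth seeing in code is the treatment of an Indeterminate child: deny-overrides turns an evaluation error into Deny (the policy set fails closed), permit-overrides lets a Deny outrank it, and first-applicable returns it as soon as it is reached instead of skipping to the next policy. The rule-combining variants additionally take into account the Effect of the rule that failed and are not shown; the 1.1 "ordered" variants add only the guarantee that children are taken in the order listed.

```python
"""Policy-combining algorithms named in the XACML 1.0/1.1 conformance table,
applied to the decisions of the policies inside a <PolicySet>."""
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
DECISIONS = {PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE}


def _checked(decisions):
    bad = [d for d in decisions if d not in DECISIONS]
    if bad:
        raise ValueError(f"not a decision: {bad}")
    return list(decisions)


def policy_deny_overrides(decisions):
    """Deny if any policy denies or cannot be evaluated: an Indeterminate
    child is treated as a potential Deny, so the set fails closed."""
    at_least_one_permit = False
    for d in _checked(decisions):
        if d in (DENY, INDETERMINATE):
            return DENY
        if d == PERMIT:
            at_least_one_permit = True
    return PERMIT if at_least_one_permit else NOT_APPLICABLE


def policy_permit_overrides(decisions):
    """Any Permit wins; otherwise a Deny outranks an Indeterminate."""
    at_least_one_deny = at_least_one_error = False
    for d in _checked(decisions):
        if d == PERMIT:
            return PERMIT
        if d == DENY:
            at_least_one_deny = True
        elif d == INDETERMINATE:
            at_least_one_error = True
    if at_least_one_deny:
        return DENY
    return INDETERMINATE if at_least_one_error else NOT_APPLICABLE


def first_applicable(decisions):
    """The first child that is not NotApplicable decides; an error in an
    earlier child is returned as Indeterminate rather than skipped."""
    for d in _checked(decisions):
        if d != NOT_APPLICABLE:
            return d
    return NOT_APPLICABLE


def only_one_applicable(policies):
    """policies: (target_result, decision) pairs, target_result being
    'Match', 'NoMatch' or 'Indeterminate'. Exactly one target may match; two
    matches, or a target that cannot be evaluated, give Indeterminate."""
    selected = None
    for target, decision in policies:
        if target == "Indeterminate":
            return INDETERMINATE
        if target == "Match":
            if selected is not None:
                return INDETERMINATE
            selected = decision
        elif target != "NoMatch":
            raise ValueError(f"not a target result: {target}")
    return NOT_APPLICABLE if selected is None else selected


ALG10 = "urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:"
ALG11 = "urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:"
# The 1.1 "ordered" variants add only the guarantee that children are taken
# in the order listed in the policy set, which the loops above already do.
COMBINERS = {
    ALG10 + "deny-overrides": policy_deny_overrides,
    ALG11 + "ordered-deny-overrides": policy_deny_overrides,
    ALG10 + "permit-overrides": policy_permit_overrides,
    ALG11 + "ordered-permit-overrides": policy_permit_overrides,
    ALG10 + "first-applicable": first_applicable,
    ALG10 + "only-one-applicable": only_one_applicable,
}


def combine(algorithm_id, children):
    """Dispatch on PolicyCombiningAlgId; an unknown algorithm is Indeterminate."""
    combiner = COMBINERS.get(algorithm_id)
    return INDETERMINATE if combiner is None else combiner(children)
```

The same two inputs, Permit and Indeterminate, combine to Deny under deny-overrides and to Permit under permit-overrides; which of those a policy set should do when one of its policies cannot be evaluated (a missing attribute, an unreachable attribute source) is a decision the policy author makes by choosing the algorithm, and it is worth checking explicitly in review.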
10.2.4 Status codes

Implementation support for the urn:oasis:names:tc:xacml:1.0:context:status element is optional, but if the element is supported, then the following status codes MUST be supported and MUST be used in the way XACML has specified.

Identifier  M/O
urn:oasis:names:tc:xacml:1.0:status:missing-attribute  M
urn:oasis:names:tc:xacml:1.0:status:ok  M
urn:oasis:names:tc:xacml:1.0:status:processing-error  M
urn:oasis:names:tc:xacml:1.0:status:syntax-error  M
10.2.5 Attributes

The implementation MUST support the attributes associated with the following attribute identifiers as specified by XACML. If values for these attributes are not present in the decision request, then their values MUST be supplied by the PDP. So, unlike most other attributes, their semantics are not transparent to the PDP.

Identifier  M/O
urn:oasis:names:tc:xacml:1.0:environment:current-time  M
urn:oasis:names:tc:xacml:1.0:environment:current-date  M
urn:oasis:names:tc:xacml:1.0:environment:current-dateTime  M
10.2.6 Identifiers

The implementation MUST use the attributes associated with the following identifiers in the way XACML has defined. This requirement pertains primarily to implementations of a PAP or PEP that use XACML, since the semantics of the attributes are transparent to the PDP.

Identifier  M/O
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name  O
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address  O
urn:oasis:names:tc:xacml:1.0:subject:authentication-method  O
urn:oasis:names:tc:xacml:1.0:subject:authentication-time  O
urn:oasis:names:tc:xacml:1.0:subject:key-info  O
urn:oasis:names:tc:xacml:1.0:subject:request-time  O
urn:oasis:names:tc:xacml:1.0:subject:session-start-time  O
urn:oasis:names:tc:xacml:1.0:subject:subject-id  O
urn:oasis:names:tc:xacml:1.0:subject:subject-id-q
ualifier  O
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject  M
urn:oasis:names:tc:xacml:1.0:subject-category:codebase  O
urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject  O
urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject  O
urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine  O
urn:oasis:names:tc:xacml:1.0:resource:resource-location  O
urn:oasis:names:tc:xacml:1.0:resource:resource-id  M
urn:oasis:names:tc:xacml:1.0:resource:scope  O
urn:oasis:names:tc:xacml:1.0:resource:simple-file-name  O
urn:oasis:names:tc:xacml:1.0:action:action-id  M
urn:oasis:names:tc:xacml:1.0:action:implied-action  M
10.2.7 Data-types

The implementation MUST support the data-types associated with the following identifiers marked M.

Data-type  M/O
http://www.w3.org/2001/XMLSchema#string  M
http://www.w3.org/2001/XMLSchema#boolean  M
http://www.w3.org/2001/XMLSchema#integer  M
http://www.w3.org/2001/XMLSchema#double  M
http://www.w3.org/2001/XMLSchema#time  M
http://www.w3.org/2001/XMLSchema#date  M
http://www.w3.org/2001/XMLSchema#dateTime  M
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration  M
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration  M
http://www.w3.org/2001/XMLSchema#anyURI  M
http://www.w3.org/2001/XMLSchema#hexBinary  M
http://www.w3.org/2001/XMLSchema#base64Binary  M
urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name  M
urn:oasis:names:tc:xacml:1.0:data-type:x500Name  M
10.2.8 Functions

The implementation MUST properly process those functions associated with the identifiers marked with an M.
Function  M/O
urn:oasis:names:tc:xacml:1.0:function:string-equal  M
urn:oasis:names:tc:xacml:1.0:function:boolean-equal  M
urn:oasis:names:tc:xacml:1.0:function:integer-equal  M
urn:oasis:names:tc:xacml:1.0:function:double-equal  M
urn:oasis:names:tc:xacml:1.0:function:date-equal  M
urn:oasis:names:tc:xacml:1.0:function:time-equal  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-equal  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-equal  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-equal  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-equal  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-equal  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-equal  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-equal  M
urn:oasis:names:tc:xacml:1.0:function:integer-add  M
urn:oasis:names:tc:xacml:1.0:function:double-add  M
urn:oasis:names:tc:xacml:1.0:function:integer-subtract  M
urn:oasis:names:tc:xacml:1.0:function:double-subtract  M
urn:oasis:names:tc:xacml:1.0:function:integer-multiply  M
urn:oasis:names:tc:xacml:1.0:function:double-multiply  M
urn:oasis:names:tc:xacml:1.0:function:integer-divide  M
urn:oasis:names:tc:xacml:1.0:function:double-divide  M
urn:oasis:names:tc:xacml:1.0:function:integer-mod  M
urn:oasis:names:tc:xacml:1.0:function:integer-abs  M
urn:oasis:names:tc:xacml:1.0:function:double-abs  M
urn:oasis:names:tc:xacml:1.0:function:round  M
urn:oasis:names:tc:xacml:1.0:function:floor  M
urn:oasis:names:tc:xacml:1.0:function:string-normalize-space  M
urn:oasis:names:tc:xacml:1.0:function:string-normalize-to-lower-case  M
urn:oasis:names:tc:xacml:1.0:function:double-to-integer  M
urn:oasis:names:tc:xacml:1.0:function:integer-to-double  M
urn:oasis:names:tc:xacml:1.0:function:or  M
urn:oasis:names:tc:xacml:1.0:function:and  M
urn:oasis:names:tc:xacml:1.0:function:n-of  M
urn:oasis:names:tc:xacml:1.0:function:not  M
urn:oasis:names:tc:xacml:1.0:function:present  M
urn:oasis:names:tc:xacml:1.0:function:integer-greater-than  M
urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:integer-less-than  M
urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:double-greater-than  M
urn:oasis:names:tc:xacml:1.0:function:double-greater-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:double-less-than  M
urn:oasis:names:tc:xacml:1.0:function:double-less-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-add-dayTimeDuration  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-add-yearMonthDuration  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-subtract-dayTimeDuration  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-subtract-yearMonthDuration  M
urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration  M
urn:oasis:names:tc:xacml:1.0:function:date-subtract-yearMonthDuration  M
urn:oasis:names:tc:xacml:1.0:function:string-greater-than  M
urn:oasis:names:tc:xacml:1.0:function:string-greater-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:string-less-than  M
urn:oasis:names:tc:xacml:1.0:function:string-less-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:time-greater-than  M
urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:time-less-than  M
urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:date-greater-than  M
urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:date-less-than  M
urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:string-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:string-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:string-is-in  M
urn:oasis:names:tc:xacml:1.0:function:string-bag  M
urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:boolean-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:boolean-is-in  M
urn:oasis:names:tc:xacml:1.0:function:boolean-bag  M
urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:integer-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:integer-is-in  M
urn:oasis:names:tc:xacml:1.0:function:integer-bag  M
urn:oasis:names:tc:xacml:1.0:function:double-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:double-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:double-is-in  M
urn:oasis:names:tc:xacml:1.0:function:double-bag  M
urn:oasis:names:tc:xacml:1.0:function:time-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:time-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:time-is-in  M
urn:oasis:names:tc:xacml:1.0:function:time-bag  M
urn:oasis:names:tc:xacml:1.0:function:date-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:date-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:date-is-in  M
urn:oasis:names:tc:xacml:1.0:function:date-bag  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-is-in  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-bag  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-bag  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-is-in  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-bag  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-is-in  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-bag  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-is-in  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-bag  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-is-in  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-bag  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-is-in  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-bag  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-is-in  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-bag  M
urn:oasis:names:tc:xacml:1.0:function:any-of  M
urn:oasis:names:tc:xacml:1.0:function:all-of  M
urn:oasis:names:tc:xacml:1.0:function:any-of-any  M
urn:oasis:names:tc:xacml:1.0:function:all-of-any  M
urn:oasis:names:tc:xacml:1.0:function:any-of-all  M
urn:oasis:names:tc:xacml:1.0:function:all-of-all  M
urn:oasis:names:tc:xacml:1.0:function:map  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-match  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match  M
urn:oasis:names:tc:xacml:1.0:function:regexp-string-match  M
urn:oasis:names:tc:xacml:1.0:function:xpath-node-count  O
urn:oasis:names:tc:xacml:1.0:function:xpath-node-equal  O
urn:oasis:names:tc:xacml:1.0:function:xpath-node-match  O
urn:oasis:names:tc:xacml:1.0:function:string-intersection  M
urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:string-union  M
urn:oasis:names:tc:xacml:1.0:function:string-subset  M
urn:oasis:names:tc:xacml:1.0:function:string-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:boolean-intersection  M
urn:oasis:names:tc:xacml:1.0:function:boolean-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:boolean-union  M
urn:oasis:names:tc:xacml:1.0:function:boolean-subset  M
urn:oasis:names:tc:xacml:1.0:function:boolean-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:integer-intersection  M
urn:oasis:names:tc:xacml:1.0:function:integer-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:integer-union  M
urn:oasis:names:tc:xacml:1.0:function:integer-subset  M
urn:oasis:names:tc:xacml:1.0:function:integer-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:double-intersection  M
urn:oasis:names:tc:xacml:1.0:function:double-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:double-union  M
urn:oasis:names:tc:xacml:1.0:function:double-subset  M
urn:oasis:names:tc:xacml:1.0:function:double-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:time-intersection  M
urn:oasis:names:tc:xacml:1.0:function:time-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:time-union  M
urn:oasis:names:tc:xacml:1.0:function:time-subset  M
urn:oasis:names:tc:xacml:1.0:function:time-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:date-intersection  M
urn:oasis:names:tc:xacml:1.0:function:date-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:date-union  M
urn:oasis:names:tc:xacml:1.0:function:date-subset  M
urn:oasis:names:tc:xacml:1.0:function:date-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-intersection  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-union  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-subset  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-intersection  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-union  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-subset  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-intersection  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-union  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-subset  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-intersection  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-union  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-subset  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-intersection  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-union  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-subset  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-intersection  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-union  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-subset  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-intersection  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-union  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-subset  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-intersection  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-union  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-subset  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-set-equals  M
11 References

[DS] D. Eastlake et al., XML-Signature Syntax and Processing, http://www.w3.org/TR/xmldsig-core/, World Wide Web Consortium.
[Hancock] Hancock, Polymorphic Type Checking, in Simon L. Peyton Jones, Implementation of Functional Programming Languages, Section 8, Prentice-Hall International, 1987.
[Haskell] Haskell, a purely functional language. Available at http://www.haskell.org/
[Hinton94] Hinton, H. M., Lee, E. S., The Compatibility of Policies, Proceedings 2nd ACM Conference on Computer and Communications Security, Nov. 1994, Fairfax, Virginia, USA.
[IEEE754] IEEE Standard for Binary Floating-Point Arithmetic, 1985, ISBN 1-5593-7653-8, IEEE Product No. SH10116-TBR.
[Kudo00] Kudo, M. and Hada, S., XML document security based on provisional authorization, Proceedings of the Seventh ACM Conference on Computer and Communications Security, Nov. 2000, Athens, Greece, pp. 87-96.
[LDAP-1] RFC 2256, A Summary of the X.500(96) User Schema for use with LDAPv3, Section 5, M. Wahl, December 1997, http://www.ietf.org/rfc/rfc2256.txt
[LDAP-2] RFC 2798, Definition of the inetOrgPerson LDAP Object Class, M. Smith, April 2000, http://www.ietf.org/rfc/rfc2798.txt
[MathML] Mathematical Markup Language (MathML) Version 2.0, W3C Recommendation, 21 February 2001. Available at http://www.w3.org/TR/MathML2/
[Perritt93] Perritt, H., Knowbots, Permissions Headers and Contract Law, Conference on Technological Strategies for Protecting Intellectual Property in the Networked Multimedia Environment, April 1993. Available at http://www.ifla.org/documents/infopol/copyright/perh2.txt
[RBAC] Role-Based Access Controls, David Ferraiolo and Richard Kuhn, 15th National Computer Security Conference, 1992. Available at http://csrc.nist.gov/rbac/
[RegEx] XML Schema Part 0: Primer, W3C Recommendation, 2 May 2001, Appendix D. Available at http://www.w3.org/TR/xmlschema-0/
[RFC2119] S. Bradner, Key words for use in RFCs to Indicate Requirement Levels, http://www.ietf.org/rfc/rfc2119.txt, IETF RFC 2119, March 1997.
[SAML] Security Assertion Markup Language, available from http://www.oasis-open.org/committees/security/#documents
[Sloman94] Sloman, M., Policy Driven Management for Distributed Systems, Journal of Network and Systems Management, Volume 2, part 4, Plenum Press, 1994.
[XF] XQuery 1.0 and XPath 2.0 Functions and Operators, W3C Working Draft, 16 August 2002. Available at http://www.w3.org/TR/2002/WD-xquery-operators-20020816/
[XS] XML Schema, parts 1 and 2. Available at http://www.w3.org/TR/xmlschema-1/ and http://www.w3.org/TR/xmlschema-2/
[XPath] XML Path Language (XPath), Version 1.0, W3C Recommendation, 16 November 1999. Available at http://www.w3.org/TR/xpath
[XSLT] XSL Transformations (XSLT), Version 1.0, W3C Recommendation, 16 November 1999. Available at http://www.w3.org/TR/xslt
Appendix A. Standard data-types, functions and their semantics (normative)

A.1 Introduction

This section contains a specification of the data-types and functions used in XACML to create predicates for a rule's condition and target matches.

This specification combines the various standards set forth by IEEE and ANSI for string representation of numeric values, as well as the evaluation of arithmetic functions.

This section describes the primitive data-types, bags and construction of expressions using XACML constructs. Finally, each standard function is named and its operational semantics are described.

A.2 Primitive types

Although XML instances represent all data-types as strings, an XACML PDP must reason about types of data that, while they have string representations, are not just strings. Types such as boolean, integer and double MUST be converted from their XML string representations to values that can be compared with values in their domain of discourse, such as numbers. The following primitive data-types are specified for use with XACML and have explicit data representations:

http://www.w3.org/2001/XMLSchema#string
http://www.w3.org/2001/XMLSchema#boolean
http://www.w3.org/2001/XMLSchema#integer
http://www.w3.org/2001/XMLSchema#double
http://www.w3.org/2001/XMLSchema#time
http://www.w3.org/2001/XMLSchema#date
http://www.w3.org/2001/XMLSchema#dateTime
http://www.w3.org/2001/XMLSchema#anyURI
http://www.w3.org/2001/XMLSchema#hexBinary
http://www.w3.org/2001/XMLSchema#base64Binary
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration
urn:oasis:names:tc:xacml:1.0:data-type:x500Name
urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name
A.3 Structured types

An XACML <AttributeValue> element MAY contain an instance of a structured XML data-type, for example <ds:KeyInfo>. XACML 1.0 supports several ways for comparing such <AttributeValue> elements.

1. In some cases, such an <AttributeValue> element MAY be compared using one of the XACML string functions, such as "regexp-string-match", described below. This requires that the structured data <AttributeValue> be given the DataType="http://www.w3.org/2001/XMLSchema#string". For example, a structured data-type that is actually a ds:KeyInfo/KeyName would appear in the Context as:

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">&lt;ds:KeyName&gt;jhibbert-key&lt;/ds:KeyName&gt;
</AttributeValue>

In general, this method will not be adequate unless the structured data-type is quite simple.

2. An <AttributeSelector> element MAY be used to select the value of a leaf sub-element of the structured data-type by means of an XPath expression. That value MAY then be compared using one of the supported XACML functions appropriate for its primitive data-type. This method requires support by the PDP for the optional XPath expressions feature.

3. An <AttributeSelector> element MAY be used to select the value of any node in the structured data-type by means of an XPath expression. This node MAY then be compared using one of the XPath-based functions described in Section A.14.13. This method requires support by the PDP for the optional XPath expressions and XPath functions features.

A.4 Representations

An XACML PDP SHALL be capable of converting string representations into various primitive data-types. For integers and doubles, XACML SHALL use the conversions described in [IEEE754].

This document combines the various standards set forth by IEEE and ANSI for string representation of numeric values.

XACML defines two additional data-types; these are "urn:oasis:names:tc:xacml:1.0:data-type:x500Name" and "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name". These types represent identifiers for subjects and appear in several standard applications, such as TLS/SSL and electronic mail.

The "urn:oasis:names:tc:xacml:1.0:data-type:x500Name" primitive type represents an X.500 Distinguished Name. The string representation of an X.500 distinguished name is specified in IETF RFC 2253, Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names [1].

The "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" primitive type represents electronic mail addresses, and its string representation is specified by RFC 822.

[1] An earlier RFC, RFC 1779, A String Representation of Distinguished Names, is less restrictive, so urn:oasis:names:tc:xacml:1.0:data-type:x500Name uses the syntax in RFC 2253 for better interoperability.
An RFC822 name consists of a local-part followed by followed by a domain-part The local-part is case-sensitive while the domain-part (which is usually a DNS host name) is not case-sensitive2
A5 BagsXACML defines implicit collections of its primitive types XACML refers to a collection of values that are of a single primitive type as a bag Bags of primitive types are needed because selections of nodes from an XML resource or XACML request context may return more than one value
The ltAttributeSelectorgt element uses an XPath expression to specify the selection of data from an XML resource The result of an XPath expression is termed a node-set which contains all the leaf nodes from the XML resource that match the predicate in the XPath expression Based on the various indexing functions provided in the XPath specification it SHALL be implied that a resultant node-set is the collection of the matching nodes XACML also defines the ltAttributeDesignatorgt element to have the same matching methodology for attributes in the XACML request context
The values in a bag are not ordered and some of the values may be duplicates There SHALL be no notion of a bag containing bags or a bag containing values of differing types Ie a bag in XACML SHALL contain only values that are of the same primitive type
A6 ExpressionsXACML specifies expressions in terms of the following elements of which the ltApplygt and ltConditiongt elements recursively compose greater expressions Valid expressions shall be type correct which means that the types of each of the elements contained within ltApplygt and ltConditiongt elements shall agree with the respective argument types of the function that is named by the FunctionId attribute The resultant type of the ltApplygt or ltConditiongt element shall be the resultant type of the function which may be narrowed to a primitive data-type or a bag of a primitive data-type by type-unification XACML defines an evaluation result of Indeterminate which is said to be the result of an invalid expression or an operational error occurring during the evaluation of the expression
XACML defines the following elements to be legal XACML expressions:
<AttributeValue>
<SubjectAttributeDesignator>
<SubjectAttributeSelector>
<ResourceAttributeDesignator>
<ActionAttributeDesignator>
<EnvironmentAttributeDesignator>
<AttributeSelector>
<Apply>
<Condition>
<Function>
[2] According to IETF RFC822 and its successor specifications [RFC2821], case is significant in the local-part. However, many mail systems, as well as the IETF PKIX specification, treat the local-part as case-insensitive. This is considered an error by mail-system designers and is not encouraged.
A.7 Element <AttributeValue>
The <AttributeValue> element SHALL represent an explicit value of a primitive type. For example:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">123</AttributeValue>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">123</AttributeValue>
</Apply>
A.8 Elements <AttributeDesignator> and <AttributeSelector>
The <AttributeDesignator> and <AttributeSelector> elements SHALL evaluate to a bag of a specific primitive type. The type SHALL be inferred from the function in which it appears. Each element SHALL contain a URI or XPath expression, respectively, to identify the required attribute values. If an operational error were to occur while finding the values, the value of the element SHALL be set to "Indeterminate". If the required attribute cannot be located, then the value of the element SHALL be set to an empty bag of the inferred primitive type.
A.9 Element <Apply>
XACML function calls are represented by the <Apply> element. The function to be applied is named in the FunctionId attribute of this element. The value of the <Apply> element SHALL be set to either a primitive data-type or a bag of a primitive type, whose data-type SHALL be inferred from the FunctionId. The arguments of a function SHALL be the values of the XACML expressions that are contained as ordered elements in an <Apply> element. The legal number of arguments within an <Apply> element SHALL depend upon the FunctionId.
A.10 Element <Condition>
The <Condition> element MAY appear in the <Rule> element as the premise for emitting the corresponding effect of the rule. The <Condition> element has the same structure as the <Apply> element, with the restriction that its result SHALL be of data-type "http://www.w3.org/2001/XMLSchema#boolean". The evaluation of the <Condition> element SHALL follow the same evaluation semantics as those of the <Apply> element.
A.11 Element <Function>
The <Function> element names a standard XACML function or an extension function in its FunctionId attribute. The <Function> element MAY be used as an argument in functions that take a function as an argument.
A.12 Matching elements
Matching elements appear in the <Target> element of rules, policies and policy sets. They are the following:
<SubjectMatch>
<ResourceMatch>
<ActionMatch>
These elements represent boolean expressions over attributes of the subject, resource and action, respectively. A matching element contains a MatchId attribute that specifies the function to be used in performing the match evaluation, an attribute value, and an <AttributeDesignator> or <AttributeSelector> element that specifies the attribute in the context that is to be matched against the specified value.
The MatchId attribute SHALL specify a function that compares two arguments, returning a result type of "http://www.w3.org/2001/XMLSchema#boolean". The attribute value specified in the matching element SHALL be supplied to the MatchId function as its first argument. An element of the bag returned by the <AttributeDesignator> or <AttributeSelector> element SHALL be supplied to the MatchId function as its second argument. The data-type of the attribute value SHALL match the data-type of the first argument expected by the MatchId function. The data-type of the <AttributeDesignator> or <AttributeSelector> element SHALL match the data-type of the second argument expected by the MatchId function.
The XACML standard functions that meet the requirements for use as a MatchId attribute value are (where type stands for one of the primitive data-types):
urn:oasis:names:tc:xacml:1.0:function:type-equal
urn:oasis:names:tc:xacml:1.0:function:type-greater-than
urn:oasis:names:tc:xacml:1.0:function:type-greater-than-or-equal
urn:oasis:names:tc:xacml:1.0:function:type-less-than
urn:oasis:names:tc:xacml:1.0:function:type-less-than-or-equal
urn:oasis:names:tc:xacml:1.0:function:type-match
In addition, functions that are strictly within an extension to XACML MAY appear as a value for the MatchId attribute, and those functions MAY use data-types that are also extensions, so long as the extension function returns a boolean result and takes an attribute value as its first argument and an <AttributeDesignator> or <AttributeSelector> as its second argument. The function used as the value for the MatchId attribute SHOULD be easily indexable. Use of non-indexable or complex functions may prevent efficient evaluation of decision requests.
The evaluation semantics for a matching element is as follows. If an operational error were to occur while evaluating the <AttributeDesignator> or <AttributeSelector> element, then the result of the entire expression SHALL be "Indeterminate". If the <AttributeDesignator> or <AttributeSelector> element were to evaluate to an empty bag, then the result of the expression SHALL be "False". Otherwise, the MatchId function SHALL be applied between the explicit attribute value and each element of the bag returned from the <AttributeDesignator> or <AttributeSelector> element. If at least one of those function applications were to evaluate to "True", then the result of the entire expression SHALL be "True". Otherwise, if at least one of the function applications results in "Indeterminate", then the result SHALL be "Indeterminate". Finally, only if all function applications evaluate to "False", the result of the entire expression SHALL be "False".
It is possible to express the semantics of a target matching element in a condition. For instance, the target match expression that compares a "subject-name" starting with the name "John" can be expressed as follows:
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
  <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
</SubjectMatch>
Alternatively, the same match semantics can be expressed as an <Apply> element in a condition by using the "urn:oasis:names:tc:xacml:1.0:function:any-of" function, as follows:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match"/>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
  <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
This expression of the semantics is NOT normative.
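The matching-element evaluation rules of A.12 and their any-of equivalent, as an added Python example that is not part of the specification. It assumes an unanchored regular-expression search for regexp-string-match, models the designator/selector as a callable that returns the bag or raises a constructed AttributeLookupError, and uses constructed subject-id values as placeholders for a real request context.

```python
import re
from typing import Callable, Iterable, Union

# Three-valued outcome: True, False, or the XACML "Indeterminate" result.
INDETERMINATE = "Indeterminate"
Result = Union[bool, str]


class AttributeLookupError(Exception):
    """Constructed stand-in for an operational error raised while an
    <AttributeDesignator>/<AttributeSelector> is being evaluated."""


def regexp_string_match(pattern: str, subject: str) -> Result:
    """urn:oasis:names:tc:xacml:1.0:function:regexp-string-match.

    Assumption: an unanchored search, so the pattern "John" from the
    example matches any subject-id containing "John". A malformed
    pattern is treated as an operational error (Indeterminate)."""
    try:
        return re.search(pattern, subject) is not None
    except re.error:
        return INDETERMINATE


def any_of(fn: Callable[[str, str], Result], value: str,
           bag: Iterable[str]) -> Result:
    """urn:oasis:names:tc:xacml:1.0:function:any-of over an already
    evaluated bag: fn(value, element) is applied to every element."""
    saw_indeterminate = False
    for element in bag:
        r = fn(value, element)
        if r is True:
            return True            # one True application is enough
        if r == INDETERMINATE:
            saw_indeterminate = True
    # No application was True: Indeterminate outranks False.
    return INDETERMINATE if saw_indeterminate else False


def evaluate_match(match_fn: Callable[[str, str], Result], value: str,
                   lookup: Callable[[], Iterable[str]]) -> Result:
    """Evaluate a <SubjectMatch>/<ResourceMatch>/<ActionMatch> element.

    match_fn is the MatchId function, value the explicit <AttributeValue>
    (always the first argument), and lookup evaluates the designator or
    selector to a bag of attribute values taken from the context."""
    try:
        bag = list(lookup())
    except AttributeLookupError:
        return INDETERMINATE       # error in the designator/selector
    if not bag:
        return False               # attribute absent from the context
    # Otherwise the element behaves exactly like any-of over the bag.
    return any_of(match_fn, value, bag)


def subject_id_lookup(values: Iterable[str]) -> Callable[[], list]:
    """Lookup for a constructed request context holding the given
    subject-id values (placeholder for a real PDP context)."""
    values = list(values)
    return lambda: list(values)


def failing_lookup() -> list:
    """Constructed lookup that fails, e.g. the attribute source could
    not be reached; this must surface as Indeterminate, not as False."""
    raise AttributeLookupError("attribute retrieval failed")


if __name__ == "__main__":
    print(evaluate_match(regexp_string_match, "John",
                         subject_id_lookup(["John Smith"])))   # True
    print(evaluate_match(regexp_string_match, "John",
                         subject_id_lookup([])))               # False
    print(evaluate_match(regexp_string_match, "John",
                         failing_lookup))                      # Indeterminate
```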
A.13 Arithmetic evaluation
IEEE 754 [IEEE 754] specifies how to evaluate arithmetic functions in a context, which specifies defaults for precision, rounding, etc. XACML SHALL use this specification for the evaluation of all integer and double functions, relying on the Extended Default Context, enhanced with double precision:
flags - all set to 0
trap-enablers - all set to 0 (IEEE 854 §7), with the exception of the "division-by-zero" trap enabler, which SHALL be set to 1
precision - is set to the designated double precision
rounding - is set to round-half-even (IEEE 854 §4.1)
A.14 XACML standard functions
XACML specifies the following functions, which are prefixed with the "urn:oasis:names:tc:xacml:1.0:function:" relative name space identifier.
A.14.1 Equality predicates
The following functions are the equality functions for the various primitive types. Each function for a particular data-type follows a specified standard convention for that data-type. If an argument of one of these functions were to evaluate to "Indeterminate", then the function SHALL be set to "Indeterminate".
string-equal
This function SHALL take two arguments of "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". The function SHALL return "True" if and only if the value of both of its arguments are of equal length and each string is determined to be equal byte-by-byte according to the function "integer-equal".
boolean-equal
This function SHALL take two arguments of "http://www.w3.org/2001/XMLSchema#boolean" and SHALL return "True" if and only if both values are equal.
integer-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#integer" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation on integers according to IEEE 754 [IEEE 754].
double-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#double" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation on doubles according to IEEE 754 [IEEE 754].
date-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#date" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation according to the "op:date-equal" function [XF Section 8.3.11].
time-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#time" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation according to the "op:time-equal" function [XF Section 8.3.14].
dateTime-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#dateTime" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation according to the "op:dateTime-equal" function [XF Section 8.3.8].
dayTimeDuration-equal
This function SHALL take two arguments of data-type "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function shall perform its evaluation according to the "op:dayTimeDuration-equal" function [XF Section 8.3.5]. Note that the lexical representation of each argument MUST be converted to a value expressed in fractional seconds [XF Section 8.2.2].
yearMonthDuration-equal
This function SHALL take two arguments of data-type "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function shall perform its evaluation according to the "op:yearMonthDuration-equal" function [XF Section 8.3.2]. Note that the lexical representation of each argument MUST be converted to a value expressed in integer months [XF Section 8.2.1].
anyURI-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#anyURI" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation according to the "op:anyURI-equal" function [XF Section 10.2.1].
x500Name-equal
This function shall take two arguments of "urn:oasis:names:tc:xacml:1.0:data-type:x500Name" and shall return an "http://www.w3.org/2001/XMLSchema#boolean". It shall return "True" if and only if each Relative Distinguished Name (RDN) in the two arguments matches. Two RDNs shall be said to match if and only if the result of the following operations is "True":[3]
1. Normalize the two arguments according to IETF RFC 2253, "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names".
2. If any RDN contains multiple attributeTypeAndValue pairs, re-order the AttributeValuePairs in that RDN in ascending order when compared as octet strings (described in ITU-T Rec. X.690 (1997 E), Section 11.6, Set-of components).
3. Compare RDNs using the rules in IETF RFC 3280, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", Section 4.1.2.4, Issuer.
rfc822Name-equal
This function SHALL take two arguments of data-type "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL determine whether two "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" arguments are equal. An RFC822 name consists of a local-part, followed by "@", followed by a domain-part. The local-part is case-sensitive, while the domain-part (which is usually a DNS host name) is not case-sensitive. Perform the following operations:
1. Normalize the domain-part of each argument to lower case.
2. Compare the expressions by applying the function "urn:oasis:names:tc:xacml:1.0:function:string-equal" to the normalized arguments.
[3] ITU-T Rec. X.520 contains rules for matching X.500 names, but these are very complex and require knowledge of the syntax of various AttributeTypes. IETF RFC 3280 contains simplified matching rules that the XACML x500Name-equal function uses.
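The two rfc822Name-equal steps above, as an added Python example that is not part of the specification. Splitting on "@" and treating a value without exactly one "@" (or with an empty part) as an operational error yielding Indeterminate are assumptions; the names used are constructed.

```python
from typing import Optional, Tuple, Union

INDETERMINATE = "Indeterminate"
Result = Union[bool, str]


def split_rfc822_name(name: str) -> Optional[Tuple[str, str]]:
    """Split an rfc822Name into (local-part, domain-part).

    Assumption (not stated in the spec): a value without exactly one
    "@", or with an empty part, is not a well-formed rfc822Name."""
    local, sep, domain = name.partition("@")
    if not sep or not local or not domain or "@" in domain:
        return None
    return local, domain


def string_equal(a: str, b: str) -> bool:
    """urn:oasis:names:tc:xacml:1.0:function:string-equal: equal length
    and byte-by-byte equality of the UTF-8 encoded strings."""
    return a.encode("utf-8") == b.encode("utf-8")


def rfc822name_equal(a: str, b: str) -> Result:
    """urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal."""
    pa, pb = split_rfc822_name(a), split_rfc822_name(b)
    if pa is None or pb is None:
        return INDETERMINATE       # malformed input: operational error
    # Step 1: normalize only the domain-part to lower case. The local-part
    # is case-sensitive (footnote 2) and is left exactly as given, so
    # "Alice@..." and "alice@..." remain distinct identities.
    normalized_a = pa[0] + "@" + pa[1].lower()
    normalized_b = pb[0] + "@" + pb[1].lower()
    # Step 2: compare the normalized arguments with string-equal.
    return string_equal(normalized_a, normalized_b)
```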
hexBinary-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#hexBinary" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL return "True" if the octet sequences represented by the value of both arguments have equal length and are equal in a conjunctive, point-wise comparison using the "urn:oasis:names:tc:xacml:1.0:function:integer-equal". The conversion from the string representation to an octet sequence SHALL be as specified in [XS Section 8.2.15].
base64Binary-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#base64Binary" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL return "True" if the octet sequences represented by the value of both arguments have equal length and are equal in a conjunctive, point-wise comparison using the "urn:oasis:names:tc:xacml:1.0:function:integer-equal". The conversion from the string representation to an octet sequence SHALL be as specified in [XS Section 8.2.16].
A.14.2 Arithmetic functions
All of the following functions SHALL take two arguments of the specified data-type, integer or double, and SHALL return an element of integer or double data-type, respectively. However, the "add" functions MAY take more than two arguments. Each function evaluation SHALL proceed as specified by their logical counterparts in IEEE 754 [IEEE 754]. In an expression that contains any of these functions, if any argument is "Indeterminate", then the expression SHALL evaluate to "Indeterminate". In the case of the divide functions, if the divisor is zero, then the function SHALL evaluate to "Indeterminate".
integer-add
This function MAY have two or more arguments.
double-add
This function MAY have two or more arguments.
integer-subtract
double-subtract
integer-multiply
double-multiply
integer-divide
double-divide
integer-mod
The following functions SHALL take a single argument of the specified data-type. The round and floor functions SHALL take a single argument of data-type "http://www.w3.org/2001/XMLSchema#double" and return data-type "http://www.w3.org/2001/XMLSchema#double". In an expression that contains any of these functions, if any argument is "Indeterminate", then the expression SHALL evaluate to "Indeterminate".
integer-abs
double-abs
round
floor
A.14.3 String conversion functions
The following functions convert between values of the XACML "http://www.w3.org/2001/XMLSchema#string" primitive types. In an expression that contains any of these functions, if any argument is "Indeterminate", then the expression SHALL evaluate to "Indeterminate".
string-normalize-space
This function SHALL take one argument of data-type "http://www.w3.org/2001/XMLSchema#string" and SHALL normalize the value by stripping off all leading and trailing whitespace characters.
string-normalize-to-lower-case
This function SHALL take one argument of "http://www.w3.org/2001/XMLSchema#string" and SHALL normalize the value by converting each upper case character to its lower case equivalent.
A.14.4 Numeric data-type conversion functions
The following functions convert between the XACML "http://www.w3.org/2001/XMLSchema#integer" and "http://www.w3.org/2001/XMLSchema#double" primitive types. In any expression in which the functions defined below are applied, if any argument, while being evaluated, results in "Indeterminate", the expression SHALL return "Indeterminate".
double-to-integer
This function SHALL take one argument of data-type "http://www.w3.org/2001/XMLSchema#double" and SHALL truncate its numeric value to a whole number and return an element of data-type "http://www.w3.org/2001/XMLSchema#integer".
integer-to-double
This function SHALL take one argument of data-type "http://www.w3.org/2001/XMLSchema#integer" and SHALL promote its value to an element of data-type "http://www.w3.org/2001/XMLSchema#double" of the same numeric value.
A.14.5 Logical functions
This section contains the specification for logical functions that operate on arguments of the "http://www.w3.org/2001/XMLSchema#boolean" data-type.
or
This function SHALL return "False" if it has no arguments and SHALL return "True" if one of its arguments evaluates to "True". The order of evaluation SHALL be from first argument to last. The evaluation SHALL stop with a result of "True" if any argument evaluates to "True", leaving the rest of the arguments unevaluated. In an expression that contains any of these functions, if ANY argument to this function evaluates to "Indeterminate", then the expression SHALL evaluate to "Indeterminate".
and
This function SHALL return "True" if it has no arguments and SHALL return "False" if one of its arguments evaluates to "False". The order of evaluation SHALL be from first argument to last. The evaluation SHALL stop with a result of "False" if any argument evaluates to "False", leaving the rest of the arguments unevaluated. In an expression that contains any of these functions, if ANY argument to this function evaluates to "Indeterminate", then the expression SHALL evaluate to "Indeterminate".
n-of
The first argument to this function SHALL be of data-type "http://www.w3.org/2001/XMLSchema#integer", specifying the number of the remaining arguments that MUST evaluate to "True" for the expression to be considered "True". If the first argument is 0, the result SHALL be "True". If the number of arguments after the first one is less than the value of the first argument, then the expression SHALL result in "Indeterminate". The order of evaluation SHALL be: first evaluate the integer value, then evaluate each subsequent argument. The evaluation SHALL stop and return "True" if the specified number of arguments evaluate to "True". The evaluation of arguments SHALL stop if it is determined that evaluating the remaining arguments will not satisfy the requirement. In an expression that contains any of these functions, if ANY argument to this function evaluates to "Indeterminate", then the expression SHALL evaluate to "Indeterminate".
not
This function SHALL take one logical argument. If the argument evaluates to "True", then the result of the expression SHALL be "False". If the argument evaluates to "False", then the result of the expression SHALL be "True". In an expression that contains any of these functions, if ANY argument to this function evaluates to "Indeterminate", then the expression SHALL evaluate to "Indeterminate".
Note: For an expression that is an application of AND, OR or N-OF, it MAY NOT be necessary to attempt a full evaluation of each boolean argument to a truth value in order to determine whether the evaluation of the argument would result in "Indeterminate". Analysis of the argument regarding its necessary attributes, or other analysis regarding errors such as divide-by-zero, may render the argument error free. Such arguments, occurring in the expression in a position after the evaluation is stated to stop, need not be processed.
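The evaluation order, short-circuit and Indeterminate rules of or, and, n-of and not from A.14.5, as an added Python example that is not part of the specification. Arguments are passed as zero-argument callables (a constructed device) so that arguments after the stopping point are genuinely left unevaluated; Probe records whether it was called, and the sample argument values are constructed.

```python
from typing import Callable, Union

INDETERMINATE = "Indeterminate"
Result = Union[bool, str]
# An argument is an unevaluated boolean expression; calling it evaluates it.
Arg = Callable[[], Result]


class Probe:
    """Argument thunk that records whether it was evaluated."""

    def __init__(self, result: Result) -> None:
        self.result = result
        self.evaluated = False

    def __call__(self) -> Result:
        self.evaluated = True
        return self.result


def xacml_or(*args: Arg) -> Result:
    """urn:oasis:names:tc:xacml:1.0:function:or"""
    for arg in args:                 # first argument to last
        r = arg()
        if r == INDETERMINATE:
            return INDETERMINATE     # an evaluated argument was Indeterminate
        if r is True:
            return True              # stop; later arguments stay unevaluated
    return False                     # also the result with no arguments


def xacml_and(*args: Arg) -> Result:
    """urn:oasis:names:tc:xacml:1.0:function:and"""
    for arg in args:
        r = arg()
        if r == INDETERMINATE:
            return INDETERMINATE
        if r is False:
            return False             # stop; later arguments stay unevaluated
    return True                      # also the result with no arguments


def xacml_n_of(n: int, *args: Arg) -> Result:
    """urn:oasis:names:tc:xacml:1.0:function:n-of"""
    if n == 0:
        return True
    if len(args) < n:
        return INDETERMINATE         # too few arguments to ever satisfy n
    needed = n                       # Trues still required
    remaining = len(args)            # arguments not yet evaluated
    for arg in args:
        r = arg()
        if r == INDETERMINATE:
            return INDETERMINATE
        remaining -= 1
        if r is True:
            needed -= 1
            if needed == 0:
                return True          # enough Trues seen; stop here
        if remaining < needed:
            return False             # the rest cannot satisfy the requirement
    return False


def xacml_not(arg: Arg) -> Result:
    """urn:oasis:names:tc:xacml:1.0:function:not"""
    r = arg()
    if r == INDETERMINATE:
        return INDETERMINATE
    return not r
```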
A.14.6 Arithmetic comparison functions
These functions form a minimal set for comparing two numbers, yielding a boolean result. They SHALL comply with the rules governed by IEEE 754 [IEEE 754]. In an expression that contains any of these functions, if any argument is "Indeterminate", then the expression SHALL evaluate to "Indeterminate".
integer-greater-than
integer-greater-than-or-equal
integer-less-than
integer-less-than-or-equal
double-greater-than
double-greater-than-or-equal
double-less-than
double-less-than-or-equal
A.14.7 Date and time arithmetic functions
These functions perform arithmetic operations with the date and time. In an expression that contains any of these functions, if any argument is "Indeterminate", then the expression SHALL evaluate to "Indeterminate".
dateTime-add-dayTimeDuration
This function SHALL take two arguments, the first is of data-type "http://www.w3.org/2001/XMLSchema#dateTime" and the second is of data-type "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#dateTime". This function SHALL return the value by adding the second argument to the first argument according to the specification of adding durations to date and time [XS Appendix E].
dateTime-add-yearMonthDuration
This function SHALL take two arguments, the first is a "http://www.w3.org/2001/XMLSchema#dateTime" and the second is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#dateTime". This function SHALL return the value by adding the second argument to the first argument according to the specification of adding durations to date and time [XS Appendix E].
dateTime-subtract-dayTimeDuration
This function SHALL take two arguments, the first is a "http://www.w3.org/2001/XMLSchema#dateTime" and the second is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#dateTime". If the second argument is a positive duration, then this function SHALL return the value by adding the corresponding negative duration, as per the specification [XS Appendix E]. If the second argument is a negative duration, then the result SHALL be as if the function "urn:oasis:names:tc:xacml:1.0:function:dateTime-add-dayTimeDuration" had been applied to the corresponding positive duration.
dateTime-subtract-yearMonthDuration
This function SHALL take two arguments, the first is a "http://www.w3.org/2001/XMLSchema#dateTime" and the second is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#dateTime". If the second argument is a positive duration, then this function SHALL return the value by adding the corresponding negative duration, as per the specification [XS Appendix E]. If the second argument is a negative duration, then the result SHALL be as if the function "urn:oasis:names:tc:xacml:1.0:function:dateTime-add-yearMonthDuration" had been applied to the corresponding positive duration.
date-add-yearMonthDuration
This function SHALL take two arguments, the first is a "http://www.w3.org/2001/XMLSchema#date" and the second is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#date". This function SHALL return the value by adding the second argument to the first argument according to the specification of adding durations to date [XS Appendix E].
date-subtract-yearMonthDuration
This function SHALL take two arguments, the first is a "http://www.w3.org/2001/XMLSchema#date" and the second is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#date". If the second argument is a positive duration, then this function SHALL return the value by adding the corresponding negative duration, as per the specification [XS Appendix E]. If the second argument is a negative duration, then the result SHALL be as if the function "urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration" had been applied to the corresponding positive duration.
A.14.8 Non-numeric comparison functions
These functions perform comparison operations on two arguments of non-numerical types. In an expression that contains any of these functions, if any argument is "Indeterminate", then the expression SHALL evaluate to "Indeterminate".
string-greater-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return "True" if and only if the arguments are compared byte by byte and, after an initial prefix of corresponding bytes from both arguments that are considered equal by "urn:oasis:names:tc:xacml:1.0:function:integer-equal", the next byte by byte comparison is such that the byte from the first argument is greater than the byte from the second argument by the use of the function "urn:oasis:names:tc:xacml:1.0:function:integer-equal".
string-greater-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return a result as if evaluated with the logical function "urn:oasis:names:tc:xacml:1.0:function:or" with two arguments containing the functions "urn:oasis:names:tc:xacml:1.0:function:string-greater-than" and "urn:oasis:names:tc:xacml:1.0:function:string-equal" containing the original arguments.
string-less-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return "True" if and only if the arguments are compared byte by byte and, after an initial prefix of corresponding bytes from both arguments that are considered equal by "urn:oasis:names:tc:xacml:1.0:function:integer-equal", the next byte by byte comparison is such that the byte from the first argument is less than the byte from the second argument by the use of the function "urn:oasis:names:tc:xacml:1.0:function:integer-less-than".
string-less-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return a result as if evaluated with the function "urn:oasis:names:tc:xacml:1.0:function:or" with two arguments containing the functions "urn:oasis:names:tc:xacml:1.0:function:string-less-than" and "urn:oasis:names:tc:xacml:1.0:function:string-equal" containing the original arguments.
time-greater-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#time" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return "True" if the first argument is greater than the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#time" [XS Section 3.2.8].
time-greater-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#time" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return "True" if the first argument is greater than or equal to the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#time" [XS Section 3.2.8].
time-less-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#time" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return "True" if the first argument is less than the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#time" [XS Section 3.2.8].
time-less-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#time" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return "True" if the first argument is less than or equal to the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#time" [XS Section 3.2.8].
dateTime-greater-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#dateTime" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return "True" if the first argument is greater than the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#dateTime" [XS Section 3.2.7].
dateTime-greater-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#dateTime" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return "True" if the first argument is greater than or equal to the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#dateTime" [XS Section 3.2.7].
dateTime-less-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#dateTime" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return "True" if the first argument is less than the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#dateTime" [XS Section 3.2.7].
dateTime-less-than-or-equal
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#dateTime” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is less than or equal to the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#dateTime” [XS Section 3.2.7].

date-greater-than
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#date” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is greater than the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#date” [XS Section 3.2.9].

date-greater-than-or-equal
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#date” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is greater than or equal to the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#date” [XS Section 3.2.9].

date-less-than
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#date” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is less than the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#date” [XS Section 3.2.9].

date-less-than-or-equal
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#date” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is less than or equal to the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#date” [XS Section 3.2.9].

A.14.9 Bag functions
These functions operate on a bag of “type” values, where “type” is one of the primitive data-types. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate. Some additional conditions, defined for each function below, SHALL also cause the expression to evaluate to Indeterminate.

type-one-and-only
This function SHALL take an argument of a bag of “type” values and SHALL return a value of data-type “type”. It SHALL return the only value in the bag. If the bag does not have one and only one value, then the expression SHALL evaluate to Indeterminate.

type-bag-size
This function SHALL take a bag of “type” values as an argument and SHALL return an “http://www.w3.org/2001/XMLSchema#integer” indicating the number of values in the bag.
type-is-in
This function SHALL take an argument of data-type “type” as the first argument and a bag of “type” values as the second argument. The expression SHALL evaluate to True if the first argument matches, according to “urn:oasis:names:tc:xacml:1.0:function:type-equal”, any value in the bag.

type-bag
This function SHALL take any number of arguments of a single data-type and SHALL return a bag of “type” values containing the values of the arguments. An application of this function to zero arguments SHALL produce an empty bag of the specified data-type.

A.14.10 Set functions
These functions operate on bags mimicking sets by eliminating duplicate elements from a bag. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.

type-intersection
This function SHALL take two arguments that are both a bag of “type” values. The expression SHALL return a bag of “type” values that contains only the elements common to the two bags, as determined by “urn:oasis:names:tc:xacml:1.0:function:type-equal”. No duplicates, as determined by “urn:oasis:names:tc:xacml:1.0:function:type-equal”, SHALL exist in the result.

type-at-least-one-member-of
This function SHALL take two arguments that are both a bag of “type” values. The expression SHALL evaluate to True if at least one element of the first argument is contained in the second argument, as determined by “urn:oasis:names:tc:xacml:1.0:function:type-is-in”.

type-union
This function SHALL take two arguments that are both a bag of “type” values. The expression SHALL return a bag of “type” values that contains all elements of both bags. No duplicates, as determined by “urn:oasis:names:tc:xacml:1.0:function:type-equal”, SHALL exist in the result.

type-subset
This function SHALL take two arguments that are both a bag of “type” values. It SHALL return True if the first argument is a subset of the second argument. Each argument is considered to have its duplicates removed, as determined by “urn:oasis:names:tc:xacml:1.0:function:type-equal”, before the subset calculation.

type-set-equals
This function SHALL take two arguments that are both a bag of “type” values and SHALL return the result of applying “urn:oasis:names:tc:xacml:1.0:function:and” to the application of “urn:oasis:names:tc:xacml:1.0:function:type-subset” to the first and second arguments and the application of “urn:oasis:names:tc:xacml:1.0:function:type-subset” to the second and first arguments.
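The following is an added example, not text or code from the specification: a small Python model of the bag functions of A.14.9 and the set functions of A.14.10. Bags are modelled as Python lists (ordered, duplicates allowed, so bag-size counts repeated values), the host language's == stands in for “urn:oasis:names:tc:xacml:1.0:function:type-equal”, and Indeterminate is modelled as an exception, so an argument expression that is Indeterminate propagates before the function body runs. The subject_is helper and its use of one-and-only are illustrative assumptions about how a condition would consume a multi-valued attribute.

```python
# Added example (not part of the XACML specification). Bags are lists;
# Indeterminate is an exception that propagates through every function.

class Indeterminate(Exception):
    """Raised when an expression evaluates to Indeterminate."""


def one_and_only(bag):
    # type-one-and-only: exactly one value, otherwise Indeterminate
    if len(bag) != 1:
        raise Indeterminate("bag holds %d values, expected exactly 1" % len(bag))
    return bag[0]


def bag_size(bag):
    # type-bag-size: duplicates count, a bag is not a set
    return len(bag)


def is_in(value, bag):
    # type-is-in: True if any bag element is type-equal to value
    return any(value == x for x in bag)


def make_bag(*values):
    # type-bag: zero arguments give an empty bag
    return list(values)


def _dedupe(bag):
    # remove duplicates as determined by type-equal, keeping first occurrences
    out = []
    for x in bag:
        if not is_in(x, out):
            out.append(x)
    return out


def intersection(a, b):
    # type-intersection: common elements, no duplicates in the result
    return [x for x in _dedupe(a) if is_in(x, b)]


def at_least_one_member_of(a, b):
    # type-at-least-one-member-of
    return any(is_in(x, b) for x in a)


def union(a, b):
    # type-union: all elements of both bags, no duplicates in the result
    return _dedupe(list(a) + list(b))


def subset(a, b):
    # type-subset: duplicates removed before the subset test
    return all(is_in(x, b) for x in _dedupe(a))


def set_equals(a, b):
    # type-set-equals: and(subset(a, b), subset(b, a))
    return subset(a, b) and subset(b, a)


def subject_is(designator_values, expected):
    # Hypothetical condition helper (an assumption, not from the spec): a
    # subject attribute may arrive multi-valued or absent; a condition that
    # needs a scalar uses one-and-only and so fails closed to Indeterminate
    # rather than silently picking a value.
    try:
        return one_and_only(designator_values) == expected
    except Indeterminate:
        return "Indeterminate"
```

The important behaviour for a policy author is the last helper: comparing a multi-valued or empty attribute through one-and-only yields Indeterminate instead of a permit or deny, which is what the "additional conditions" sentence in A.14.9 requires.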
A.14.11 Higher-order bag functions
This section describes functions in XACML that perform operations on bags such that functions may be applied to the bags in general.

In this section, a general-purpose functional language called Haskell [Haskell] is used to formally specify the semantics of these functions. Although the English description is adequate, a formal specification of the semantics is helpful.

For a quick summary: in the following Haskell notation, a function definition takes the form of clauses that are applied to patterns of structures, namely lists. The symbol “[]” denotes the empty list, whereas the expression “(x:xs)” matches against an argument of a non-empty list, of which “x” represents the first element of the list and “xs” is the rest of the list, which may be an empty list. We use the Haskell notion of a list, which is an ordered collection of elements, to model the XACML bags of values.

A simple Haskell definition of a familiar function, “urn:oasis:names:tc:xacml:1.0:function:and”, that takes a list of booleans is defined as follows:

    and :: [Bool] -> Bool
    and [] = True
    and (x:xs) = x && (and xs)

The first definition line, denoted by a “::”, formally describes the data-type of the function, which takes a list of booleans, denoted by “[Bool]”, and returns a boolean, denoted by “Bool”. The second definition line is a clause that states that the function “and” applied to the empty list is True. The third definition line is a clause that states that, for a non-empty list whose first element is “x”, a value of data-type Bool, the result is “x” combined, using the logical conjunction function denoted by the infix symbol “&&”, with the result of recursively applying the function “and” to the rest of the list. Of course, an application of the “and” function is True if and only if the list to which it is applied is empty or every element of the list is True. For example, the evaluation of the following Haskell expressions

    (and []), (and [True]), (and [True,True]), (and [True,True,False])

evaluate to True, True, True and False, respectively.

In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.

any-of
This function applies a boolean function between a specific primitive value and a bag of values, and SHALL return True if and only if the predicate is True for at least one element of the bag.

This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a value of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied to the second argument and each element of the third argument (the bag) and the results were combined with “urn:oasis:names:tc:xacml:1.0:function:or”.

In Haskell, the semantics of this operation are as follows:
    any_of :: ( a -> b -> Bool ) -> a -> [b] -> Bool
    any_of f a [] = False
    any_of f a (x:xs) = (f a x) || (any_of f a xs)

In the above notation, “f” is the function name to be applied, “a” is the primitive value and “(x:xs)” represents the first element of the list as “x” and the rest of the list as “xs”.

For example, the following expression SHALL return True:

    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
      <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Paul</AttributeValue>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Paul</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">George</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Ringo</AttributeValue>
      </Apply>
    </Apply>

This expression is True because the first argument is equal to at least one of the elements of the bag.
all-of
This function applies a boolean function between a specific primitive value and a bag of values, and returns True if and only if the predicate is True for every element of the bag.

This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a value of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied to the second argument and each element of the third argument (the bag) and the results were combined using “urn:oasis:names:tc:xacml:1.0:function:and”.

Note that the Haskell definition below returns False for an empty bag, whereas “urn:oasis:names:tc:xacml:1.0:function:and” applied to zero arguments is True (see the definition of “and” above). The two readings differ only when the bag is empty; an implementation should choose one deliberately, since a policy that applies all-of to an attribute that may be absent will permit or deny differently under each.

In Haskell, the semantics of this operation are as follows:

    all_of :: ( a -> b -> Bool ) -> a -> [b] -> Bool
    all_of f a [] = False
    all_of f a (x:xs) = (f a x) && (all_of f a xs)

In the above notation, “f” is the function name to be applied, “a” is the primitive value and “(x:xs)” represents the first element of the list as “x” and the rest of the list as “xs”.

For example, the following expression SHALL evaluate to True:
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:all-of">
      <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than"/>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">10</AttributeValue>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">9</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">4</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</AttributeValue>
      </Apply>
    </Apply>

This expression is True because the first argument is greater than all of the elements of the bag.
any-of-any
This function applies a boolean function between each element of a bag of values and each element of another bag of values, and returns True if and only if the predicate is True for at least one comparison.

This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a bag of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied between every element in the second argument and every element of the third argument (the bag) and the results were combined using “urn:oasis:names:tc:xacml:1.0:function:or”. The semantics are that the result of the expression SHALL be True if and only if the applied predicate is True for any comparison of elements from the two bags.

In Haskell, taking advantage of the “any_of” function defined above, the semantics of the “any_of_any” function are as follows:

    any_of_any :: ( a -> b -> Bool ) -> [a] -> [b] -> Bool
    any_of_any f [] ys = False
    any_of_any f (x:xs) ys = (any_of f x ys) || (any_of_any f xs ys)

In the above notation, “f” is the function name to be applied and “(x:xs)” represents the first element of the list as “x” and the rest of the list as “xs”.

For example, the following expression SHALL evaluate to True:
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
      <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Ringo</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Mary</AttributeValue>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Paul</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">George</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Ringo</AttributeValue>
      </Apply>
    </Apply>

This expression is True because at least one of the elements of the first bag, namely “Ringo”, is equal to at least one of the string values of the second bag.
all-of-any
This function applies a boolean function between the elements of two bags. The expression SHALL be True if and only if, for each element of the first bag, the predicate is True against at least one element of the second bag.

This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a bag of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied between every element in the second argument and every element of the third argument (the bag), with the per-element results combined using “urn:oasis:names:tc:xacml:1.0:function:and”. The semantics are that the result of the expression SHALL be True if and only if the applied predicate is True for each element of the first bag against any element of the second bag.

In Haskell, taking advantage of the “any_of” function defined above, the semantics of the “all_of_any” function are as follows:

    all_of_any :: ( a -> b -> Bool ) -> [a] -> [b] -> Bool
    all_of_any f [] ys = False
    all_of_any f (x:xs) ys = (any_of f x ys) && (all_of_any f xs ys)

In the above notation, “f” is the function name to be applied and “(x:xs)” represents the first element of the list as “x” and the rest of the list as “xs”.

For example, the following expression SHALL evaluate to True:
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:all-of-any">
      <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than"/>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">10</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">20</AttributeValue>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">5</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">21</AttributeValue>
      </Apply>
    </Apply>

This expression is True because all of the elements of the first bag, “10” and “20”, are each greater than at least one of the integer values “1”, “3”, “5”, “21” of the second bag.
any-of-all
This function applies a boolean function between the elements of two bags. The expression SHALL be True if and only if, for at least one element of the first bag, the predicate is True against all the elements of the second bag.

This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a bag of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied between every element in the second argument and every element of the third argument (the bag), with the per-element results combined using “urn:oasis:names:tc:xacml:1.0:function:or”. The semantics are that the result of the expression SHALL be True if and only if the applied predicate is True for any element of the first bag compared to all the elements of the second bag.

In Haskell, taking advantage of the “all_of” function defined above, the semantics of the “any_of_all” function are as follows:

    any_of_all :: ( a -> b -> Bool ) -> [a] -> [b] -> Bool
    any_of_all f [] ys = False
    any_of_all f (x:xs) ys = (all_of f x ys) || (any_of_all f xs ys)

In the above notation, “f” is the function name to be applied and “(x:xs)” represents the first element of the list as “x” and the rest of the list as “xs”.

For example, the following expression SHALL evaluate to True:
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-all">
      <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than"/>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">5</AttributeValue>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">4</AttributeValue>
      </Apply>
    </Apply>

This expression is True because at least one element of the first bag, namely “5”, is greater than all of the integer values “1”, “2”, “3”, “4” of the second bag.
all-of-all
This function applies a boolean function between the elements of two bags. The expression SHALL be True if and only if the predicate is True for every element of the first bag against every element of the second bag.

This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a bag of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied between every element in the second argument and every element of the third argument (the bag) and the results were combined using “urn:oasis:names:tc:xacml:1.0:function:and”. The semantics are that the result of the expression SHALL be True if and only if the applied predicate is True for all elements of the first bag compared to all the elements of the second bag.

In Haskell, taking advantage of the “all_of” function defined above, the semantics of the “all_of_all” function are as follows:

    all_of_all :: ( a -> b -> Bool ) -> [a] -> [b] -> Bool
    all_of_all f [] ys = False
    all_of_all f (x:xs) ys = (all_of f x ys) && (all_of_all f xs ys)

In the above notation, “f” is the function name to be applied and “(x:xs)” represents the first element of the list as “x” and the rest of the list as “xs”.

For example, the following expression SHALL evaluate to True:
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:all-of-all">
      <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than"/>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">6</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">5</AttributeValue>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">4</AttributeValue>
      </Apply>
    </Apply>

This expression is True because all elements of the first bag, “6” and “5”, are each greater than all of the integer values “1”, “2”, “3”, “4” of the second bag.

map
This function converts a bag of values to another bag of values.

This function SHALL take two arguments. The first argument SHALL be a <Function> element naming a function that takes a single argument of a primitive data-type and returns a value of a primitive data-type. The second argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied to each element in the bag, resulting in a bag of the converted values. The result SHALL be a bag of the primitive data-type that is returned by the function named in the <Function> element.

In Haskell, this function is defined as follows:

    map :: (a -> b) -> [a] -> [b]
    map f [] = []
    map f (x:xs) = (f x) : (map f xs)

In the above notation, “f” is the function name to be applied and “(x:xs)” represents the first element of the list as “x” and the rest of the list as “xs”.

For example, the following expression

    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:map">
      <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-normalize-to-lower-case"/>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Hello</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">World</AttributeValue>
      </Apply>
    </Apply>

evaluates to a bag containing “hello” and “world”.
A.14.12 Special match functions
These functions operate on various types and evaluate to “http://www.w3.org/2001/XMLSchema#boolean” based on the specified standard matching algorithm. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.

regexp-string-match
This function decides a regular expression match. It SHALL take two arguments of “http://www.w3.org/2001/XMLSchema#string” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. The first argument SHALL be a regular expression and the second argument SHALL be a general string. The function specification SHALL be that of the “xf:matches” function with the arguments reversed [XF Section 6.3.15].

x500Name-match
This function SHALL take two arguments of “urn:oasis:names:tc:xacml:1.0:data-type:x500Name” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if and only if the first argument matches some terminal sequence of RDNs from the second argument when compared using x500Name-equal.

rfc822Name-match
This function SHALL take two arguments, the first of data-type “http://www.w3.org/2001/XMLSchema#string” and the second of data-type “urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name”, and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. This function SHALL evaluate to True if the first argument matches the second argument according to the following specification.

An RFC822 name consists of a local-part followed by “@” followed by a domain-part. The local-part is case-sensitive, while the domain-part (which is usually a DNS name) is not case-sensitive.[4]

The second argument contains a complete rfc822Name. The first argument is a complete or partial rfc822Name used to select appropriate values in the second argument as follows.

In order to match a particular mailbox in the second argument, the first argument must specify the complete mail address to be matched. For example, if the first argument is “Anderson@sun.com”, this matches a value in the second argument of “Anderson@sun.com” and “Anderson@SUN.COM”, but not “Anne.Anderson@sun.com”, “anderson@sun.com” or “Anderson@east.sun.com”.

In order to match any mail address at a particular domain in the second argument, the first argument must specify only a domain name (usually a DNS name). For example, if the first argument is “sun.com”, this matches a value in the second argument of “Anderson@sun.com” or “Baxter@SUN.COM”, but not “Anderson@east.sun.com”.

In order to match any mail address in a particular domain, or in any sub-domain of it, in the second argument, the first argument must specify the desired domain-part with a leading “.”. For example, if the first argument is “.east.sun.com”, this matches a value in the second argument of “Anderson@east.sun.com” and “anne.anderson@ISRG.EAST.SUN.COM”, but not “Anderson@sun.com”.

[4] According to IETF RFC822 and its successor specifications [RFC2821], case is significant in the local-part. Many mail systems, as well as the IETF PKIX specification, treat the local-part as case-insensitive. This anomaly is considered an error by mail-system designers and is not encouraged. For this reason, rfc822Name-match treats the local-part as case-sensitive.
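The following is an added example, not code from the specification: Python implementations of the three A.14.12 match functions. regexp-string-match uses the host regular-expression engine (re.search, unanchored like xf:matches) rather than the XF dialect, which is an assumption; x500Name-match assumes RDNs are separated by unescaped commas and compares attribute types case-insensitively and attribute values verbatim, a simplification of x500Name-equal and of RFC 2253 escaping; rfc822Name-match follows the three forms in the text above, including the case rule from footnote 4.

```python
# Added example (not part of the XACML specification).
import re


def regexp_string_match(regexp, string):
    # First argument is the pattern, second the string: xf:matches reversed.
    # re.search is unanchored, as xf:matches is (host-engine assumption).
    return re.search(regexp, string) is not None


def _rdns(x500name):
    # Split "CN=Alice,OU=Eng,O=Example" into [("CN","Alice"), ...].
    # Assumption: no escaped commas; attribute types compared case-insensitively,
    # attribute values compared as written.
    parts = []
    for rdn in x500name.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def x500name_match(suffix, name):
    # True iff the RDNs of `suffix` are a terminal sequence of those of `name`
    s, n = _rdns(suffix), _rdns(name)
    return len(s) <= len(n) and n[len(n) - len(s):] == s


def rfc822name_match(pattern, mailbox):
    local, at, domain = mailbox.rpartition("@")
    if not at:
        return False  # second argument must be a complete rfc822Name
    domain = domain.lower()  # domain-part is case-insensitive
    if "@" in pattern:
        # form 1: complete mailbox; local-part compared case-sensitively
        plocal, _, pdomain = pattern.rpartition("@")
        return plocal == local and pdomain.lower() == domain
    if pattern.startswith("."):
        # form 3: the named domain or any sub-domain of it
        p = pattern.lower()
        return domain == p[1:] or domain.endswith(p)
    # form 2: exactly this domain, no sub-domains
    return domain == pattern.lower()
```

The two checks that tend to go wrong in hand-written versions are both in rfc822name_match: “sun.com” must not match “Anderson@east.sun.com” (form 2 is an exact domain match), and “anderson@sun.com” must not match “Anderson@sun.com” (the local-part keeps its case).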
A.14.13 XPath-based functions
This section specifies functions that take XPath expressions for arguments. An XPath expression evaluates to a node-set, which is a set of XML nodes that match the expression. A node or node-set is not in the formal data-type system of XACML. All comparison or other operations on node-sets are performed in the isolation of the particular function specified. The XPath expressions in these functions are restricted to the XACML request context. The <xacml-context:Request> element is the context node for every XPath expression. The following functions are defined:

xpath-node-count
This function SHALL take an “http://www.w3.org/2001/XMLSchema#string” as an argument, which SHALL be interpreted as an XPath expression, and SHALL evaluate to an “http://www.w3.org/2001/XMLSchema#integer”. The value returned from the function SHALL be the count of the nodes within the node-set that matches the given XPath expression.

xpath-node-equal
This function SHALL take two “http://www.w3.org/2001/XMLSchema#string” arguments, which SHALL be interpreted as XPath expressions, and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. The function SHALL return True if any XML node from the node-set matched by the first argument equals, according to the “op:node-equal” function [XF Section 13.1.6], any XML node from the node-set matched by the second argument.

xpath-node-match
This function SHALL take two “http://www.w3.org/2001/XMLSchema#string” arguments, which SHALL be interpreted as XPath expressions, and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. This function SHALL evaluate to True if either of the following two conditions is satisfied: (1) any XML node from the node-set matched by the first argument is equal, according to “op:node-equal” [XF Section 13.1.6], to any XML node from the node-set matched by the second argument; (2) any attribute or element node below any XML node from the node-set matched by the first argument is equal, according to “op:node-equal” [XF Section 13.1.6], to any XML node from the node-set matched by the second argument.

NOTE: The first condition is equivalent to xpath-node-equal and guarantees that xpath-node-equal is a special case of xpath-node-match.

A.14.14 Extension functions and primitive types
Functions and primitive types are specified by string identifiers, allowing for the introduction of functions in addition to those specified by XACML. This approach allows one to extend the XACML module with special functions and special primitive data-types.

In order to preserve some integrity to the XACML evaluation strategy, the result of all function applications SHALL depend only on the values of its arguments. Global and hidden parameters SHALL NOT affect the evaluation of an expression. Functions SHALL NOT have side effects, as evaluation order cannot be guaranteed in a standard way.
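The following is an added example, not code from the specification: the three A.14.13 functions evaluated over a constructed request context with Python's xml.etree, whose findall supports only a subset of XPath. Two simplifications are assumptions made here for readability: the constructed context omits the xacml-context namespace, and only element nodes are considered, because ElementTree does not expose attribute nodes as objects, so object identity of Element instances stands in for op:node-equal. The <Request> element is the context node, so every expression is written relative to it.

```python
# Added example (not part of the XACML specification).
import xml.etree.ElementTree as ET

# Constructed sample request context (not from the specification; namespace
# omitted as an assumption for readability).
REQUEST_XML = """<Request>
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
      <AttributeValue>alice</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <ResourceContent>
      <record>
        <patient><name>alice</name></patient>
        <medical><entry>rx-1</entry><entry>rx-2</entry></medical>
      </record>
    </ResourceContent>
  </Resource>
  <Action/>
</Request>"""


def load_context():
    # The <Request> element is the context node for every XPath expression.
    return ET.fromstring(REQUEST_XML)


def _nodes(context, xpath):
    # ElementTree evaluates paths relative to the context node ("./..." or ".//...").
    return context.findall(xpath)


def xpath_node_count(context, xpath):
    # xpath-node-count: size of the matched node-set
    return len(_nodes(context, xpath))


def xpath_node_equal(context, xpath1, xpath2):
    # xpath-node-equal: some node of set 1 is the same node as one of set 2.
    # Element identity (id) stands in for op:node-equal.
    second = {id(n) for n in _nodes(context, xpath2)}
    return any(id(n) in second for n in _nodes(context, xpath1))


def xpath_node_match(context, xpath1, xpath2):
    # xpath-node-match: a node of set 1, or any element below it, is the same
    # node as one of set 2. iter() yields the node itself first, so condition
    # (1) of the text is covered before its descendants are examined.
    second = {id(n) for n in _nodes(context, xpath2)}
    for n in _nodes(context, xpath1):
        for d in n.iter():
            if id(d) in second:
                return True
    return False


def demo():
    ctx = load_context()
    return {
        "entries": xpath_node_count(ctx, ".//medical/entry"),
        "equal": xpath_node_equal(ctx, "./Resource/ResourceContent/record/patient",
                                  ".//patient"),
        "match": xpath_node_match(ctx, "./Resource/ResourceContent/record", ".//entry"),
        "no_match": xpath_node_match(ctx, ".//patient", ".//entry"),
    }
```

The last two rows of demo show the difference between the two predicates: the <record> element does not equal any <entry>, but xpath-node-match is True because the entries sit below it, while <patient> has no <entry> beneath it and so fails both tests.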
Appendix B. XACML identifiers (normative)
This section defines standard identifiers for commonly used entities. All XACML-defined identifiers have the common base:

    urn:oasis:names:tc:xacml:1.0

B.1 XACML namespaces
There are currently two defined XACML namespaces.

Policies are defined using this identifier:

    urn:oasis:names:tc:xacml:1.0:policy

Request and response contexts are defined using this identifier:

    urn:oasis:names:tc:xacml:1.0:context

B.2 Access subject categories
This identifier indicates the system entity that initiated the access request, that is, the initial entity in a request chain. If subject category is not specified, this is the default value.

    urn:oasis:names:tc:xacml:1.0:subject-category:access-subject

This identifier indicates the system entity that will receive the results of the request. Used when it is distinct from the access-subject.

    urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject

This identifier indicates a system entity through which the access request was passed. There may be more than one. No means is provided to specify the order in which they passed the message.

    urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject

This identifier indicates a system entity associated with a local or remote codebase that generated the request. Corresponding subject attributes might include the URL from which it was loaded and/or the identity of the code-signer. There may be more than one. No means is provided to specify the order in which they processed the request.

    urn:oasis:names:tc:xacml:1.0:subject-category:codebase

This identifier indicates a system entity associated with the computer that initiated the access request. An example would be an IPsec identity.

    urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine

B.3 XACML functions
This identifier is the base for all the identifiers in the table of functions. See Section A.1.

    urn:oasis:names:tc:xacml:1.0:function

B.4 Data-types
The following identifiers indicate useful data-types.

X.500 distinguished name:
urn:oasis:names:tc:xacml:1.0:data-type:x500Name
An x500Name contains an ITU-T Rec. X.520 Distinguished Name. The valid syntax for such a name is described in IETF RFC 2253, "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names".
RFC822 Name
urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name
An rfc822Name contains an e-mail name. The valid syntax for such a name is described in IETF RFC 2821, Section 4.1.2, Command Argument Syntax, under the term "Mailbox".
The following data-type identifiers are defined by XML Schema:
http://www.w3.org/2001/XMLSchema#string
http://www.w3.org/2001/XMLSchema#boolean
http://www.w3.org/2001/XMLSchema#integer
http://www.w3.org/2001/XMLSchema#double
http://www.w3.org/2001/XMLSchema#time
http://www.w3.org/2001/XMLSchema#date
http://www.w3.org/2001/XMLSchema#dateTime
http://www.w3.org/2001/XMLSchema#anyURI
http://www.w3.org/2001/XMLSchema#hexBinary
http://www.w3.org/2001/XMLSchema#base64Binary
The following data-type identifiers correspond to the dayTimeDuration and yearMonthDuration data-types defined in [XF Sections 8.2.2 and 8.2.1, respectively]:
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration
B.5 Subject attributes
These identifiers indicate attributes of a subject. When used, they SHALL appear within a <Subject> element of the request context. They SHALL be accessed via a <SubjectAttributeDesignator> or an <AttributeSelector> element pointing into a <Subject> element of the request context.
At most one of each of these attributes is associated with each subject. Each attribute associated with authentication that is included within a single <Subject> element relates to the same authentication event.
This identifier indicates the name of the subject. The default format is http://www.w3.org/2001/XMLSchema#string. To indicate other formats, use the DataType attributes listed in B.4.
urn:oasis:names:tc:xacml:1.0:subject:subject-id
This identifier indicates the subject category; "access-subject" is the default.
urn:oasis:names:tc:xacml:1.0:subject-category
This identifier indicates the security domain of the subject. It identifies the administrator and policy that manages the name-space in which the subject id is administered.
urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier
This identifier indicates a public key used to confirm the subject's identity.
urn:oasis:names:tc:xacml:1.0:subject:key-info
This identifier indicates the time at which the subject was authenticated.
urn:oasis:names:tc:xacml:1.0:subject:authentication-time
This identifier indicates the method used to authenticate the subject.
urn:oasis:names:tc:xacml:1.0:subject:authentication-method
This identifier indicates the time at which the subject initiated the access request, according to the PEP.
urn:oasis:names:tc:xacml:1.0:subject:request-time
This identifier indicates the time at which the subject's current session began, according to the PEP.
urn:oasis:names:tc:xacml:1.0:subject:session-start-time
The following identifiers indicate the location where authentication credentials were activated. They are intended to support the corresponding entities from the SAML authentication statement.
This identifier indicates that the location is expressed as an IP address.
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address
This identifier indicates that the location is expressed as a DNS name.
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name
Where a suitable attribute is already defined in LDAP [LDAP-1, LDAP-2], the XACML identifier SHALL be formed by adding the attribute name to the URI of the LDAP specification. For example, the attribute name for the userPassword defined in RFC 2256 SHALL be:
http://www.ietf.org/rfc/rfc2256.txt#userPassword
B.6 Resource attributes
These identifiers indicate attributes of the resource. When used, they SHALL appear within the <Resource> element of the request context. They SHALL be accessed via a <ResourceAttributeDesignator> or an <AttributeSelector> element pointing into the <Resource> element of the request context.
This identifier indicates the entire URI of the resource.
urn:oasis:names:tc:xacml:1.0:resource:resource-id
A resource attribute used to indicate values extracted from the resource.
urn:oasis:names:tc:xacml:1.0:resource:resource-content
This identifier indicates the last (rightmost) component of the file name. For example, if the URI is "file://home/my/status.pointer", the simple-file-name is "status".
urn:oasis:names:tc:xacml:1.0:resource:simple-file-name
This identifier indicates that the resource is specified by an XPath expression.
urn:oasis:names:tc:xacml:1.0:resource:xpath
This identifier indicates a UNIX file-system path.
urn:oasis:names:tc:xacml:1.0:resource:ufs-path
This identifier indicates the scope of the resource, as described in Section 7.8.
urn:oasis:names:tc:xacml:1.0:resource:scope
The allowed value for this attribute is of data-type http://www.w3.org/2001/XMLSchema#string and is either "Immediate", "Children" or "Descendants".
B.7 Action attributes
These identifiers indicate attributes of the action being requested. When used, they SHALL appear within the <Action> element of the request context. They SHALL be accessed via an <ActionAttributeDesignator> or an <AttributeSelector> element pointing into the <Action> element of the request context.
urn:oasis:names:tc:xacml:1.0:action:action-id
Action namespace.
urn:oasis:names:tc:xacml:1.0:action:action-namespace
Implied action. This is the value of the action-id attribute when the action is implied.
urn:oasis:names:tc:xacml:1.0:action:implied-action
B.8 Environment attributes
These identifiers indicate attributes of the environment within which the decision request is to be evaluated. When used in the decision request, they SHALL appear in the <Environment> element of the request context. They SHALL be accessed via an <EnvironmentAttributeDesignator> or an <AttributeSelector> element pointing into the <Environment> element of the request context.
This identifier indicates the current time at the PDP. In practice, it is the time at which the request context was created.
urn:oasis:names:tc:xacml:1.0:environment:current-time
urn:oasis:names:tc:xacml:1.0:environment:current-date
urn:oasis:names:tc:xacml:1.0:environment:current-dateTime
B.9 Status codes
The following status code identifiers are defined.
This identifier indicates success.
urn:oasis:names:tc:xacml:1.0:status:ok
This identifier indicates that attributes necessary to make a policy decision were not available.
urn:oasis:names:tc:xacml:1.0:status:missing-attribute
This identifier indicates that some attribute value contained a syntax error, such as a letter in a numeric field.
urn:oasis:names:tc:xacml:1.0:status:syntax-error
This identifier indicates that an error occurred during policy evaluation. An example would be division by zero.
urn:oasis:names:tc:xacml:1.0:status:processing-error
B.10 Combining algorithms
The deny-overrides rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides
The deny-overrides policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides
The permit-overrides rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides
The permit-overrides policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides
The first-applicable rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable
The first-applicable policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable
The only-one-applicable-policy policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable
The ordered-deny-overrides rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-deny-overrides
The ordered-deny-overrides policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-deny-overrides
The ordered-permit-overrides rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides
The ordered-permit-overrides policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides
Appendix C. Combining algorithms (normative)
This section contains a description of the rule-combining and policy-combining algorithms specified by XACML.
C.1 Deny-overrides
The following specification defines the "Deny-overrides" rule-combining algorithm of a policy.
In the entire set of rules in the policy, if any rule evaluates to "Deny", then the result of the rule combination SHALL be "Deny". If any rule evaluates to "Permit" and all other rules evaluate to "NotApplicable", then the result of the rule combination SHALL be "Permit". In other words, "Deny" takes precedence, regardless of the result of evaluating any of the other rules in the combination. If all rules are found to be "NotApplicable" to the decision request, then the rule combination SHALL evaluate to "NotApplicable".
If an error occurs while evaluating the target or condition of a rule that contains an effect value of "Deny", then the evaluation SHALL continue to evaluate subsequent rules, looking for a result of "Deny". If no other rule evaluates to "Deny", then the combination SHALL evaluate to "Indeterminate", with the appropriate error status.
If at least one rule evaluates to "Permit", all other rules that do not have evaluation errors evaluate to "Permit" or "NotApplicable", and all rules that do have evaluation errors contain effects of "Permit", then the result of the combination SHALL be "Permit".
The following pseudo-code represents the evaluation strategy of this rule-combining algorithm:

Decision denyOverridesRuleCombiningAlgorithm(Rule rule[])
{
    Boolean atLeastOneError = false;
    Boolean potentialDeny = false;
    Boolean atLeastOnePermit = false;
    for( i=0 ; i < lengthOf(rule) ; i++ ) {
        Decision decision = evaluate(rule[i]);
        if (decision == Deny) {
            return Deny;
        }
        if (decision == Permit) {
            atLeastOnePermit = true;
            continue;
        }
        if (decision == NotApplicable) {
            continue;
        }
        if (decision == Indeterminate) {
            atLeastOneError = true;
            if (effect(rule[i]) == Deny) {
                potentialDeny = true;
            }
            continue;
        }
    }
    if (potentialDeny) {
        return Indeterminate;
    }
    if (atLeastOnePermit) {
        return Permit;
    }
    if (atLeastOneError) {
        return Indeterminate;
    }
    return NotApplicable;
}

The following specification defines the "Deny-overrides" policy-combining algorithm of a policy set.
In the entire set of policies in the policy set, if any policy evaluates to "Deny", then the result of the policy combination SHALL be "Deny". In other words, "Deny" takes precedence, regardless of the result of evaluating any of the other policies in the policy set. If all policies are found to be "NotApplicable" to the decision request, then the policy set SHALL evaluate to "NotApplicable".
If an error occurs while evaluating the target of a policy, or a reference to a policy is considered invalid, or the policy evaluation results in "Indeterminate", then the policy set SHALL evaluate to "Deny".
The following pseudo-code represents the evaluation strategy of this policy-combining algorithm:

Decision denyOverridesPolicyCombiningAlgorithm(Policy policy[])
{
    Boolean atLeastOnePermit = false;
    for( i=0 ; i < lengthOf(policy) ; i++ ) {
        Decision decision = evaluate(policy[i]);
        if (decision == Deny) {
            return Deny;
        }
        if (decision == Permit) {
            atLeastOnePermit = true;
            continue;
        }
        if (decision == NotApplicable) {
            continue;
        }
        if (decision == Indeterminate) {
            return Deny;
        }
    }
    if (atLeastOnePermit) {
        return Permit;
    }
    return NotApplicable;
}

Obligations of the individual policies shall be combined as described in Section 7.11.
C.2 Ordered-deny-overrides (non-normative)
The following specification defines the "Ordered-deny-overrides" rule-combining algorithm of a policy.
The behavior of this algorithm is identical to that of the "Deny-overrides" rule-combining algorithm, with one exception: the order in which the collection of rules is evaluated SHALL match the order as listed in the policy.
The following specification defines the "Ordered-deny-overrides" policy-combining algorithm of a policy set.
The behavior of this algorithm is identical to that of the "Deny-overrides" policy-combining algorithm, with one exception: the order in which the collection of policies is evaluated SHALL match the order as listed in the policy set.
C.3 Permit-overrides
The following specification defines the "Permit-overrides" rule-combining algorithm of a policy.
In the entire set of rules in the policy, if any rule evaluates to "Permit", then the result of the rule combination SHALL be "Permit". If any rule evaluates to "Deny" and all other rules evaluate to "NotApplicable", then the policy SHALL evaluate to "Deny". In other words, "Permit" takes precedence, regardless of the result of evaluating any of the other rules in the policy. If all rules are found to be "NotApplicable" to the decision request, then the policy SHALL evaluate to "NotApplicable".
If an error occurs while evaluating the target or condition of a rule that contains an effect of "Permit", then the evaluation SHALL continue, looking for a result of "Permit". If no other rule evaluates to "Permit", then the policy SHALL evaluate to "Indeterminate", with the appropriate error status.
If at least one rule evaluates to "Deny", all other rules that do not have evaluation errors evaluate to "Deny" or "NotApplicable", and all rules that do have evaluation errors contain an effect value of "Deny", then the policy SHALL evaluate to "Deny".
The following pseudo-code represents the evaluation strategy of this rule-combining algorithm:

Decision permitOverridesRuleCombiningAlgorithm(Rule rule[])
{
    Boolean atLeastOneError = false;
    Boolean potentialPermit = false;
    Boolean atLeastOneDeny = false;
    for( i=0 ; i < lengthOf(rule) ; i++ ) {
        Decision decision = evaluate(rule[i]);
        if (decision == Deny) {
            atLeastOneDeny = true;
            continue;
        }
        if (decision == Permit) {
            return Permit;
        }
        if (decision == NotApplicable) {
            continue;
        }
        if (decision == Indeterminate) {
            atLeastOneError = true;
            if (effect(rule[i]) == Permit) {
                potentialPermit = true;
            }
            continue;
        }
    }
    if (potentialPermit) {
        return Indeterminate;
    }
    if (atLeastOneDeny) {
        return Deny;
    }
    if (atLeastOneError) {
        return Indeterminate;
    }
    return NotApplicable;
}

The following specification defines the "Permit-overrides" policy-combining algorithm of a policy set.
In the entire set of policies in the policy set, if any policy evaluates to "Permit", then the result of the policy combination SHALL be "Permit". In other words, "Permit" takes precedence, regardless of the result of evaluating any of the other policies in the policy set. If all policies are found to be "NotApplicable" to the decision request, then the policy set SHALL evaluate to "NotApplicable".
If an error occurs while evaluating the target of a policy, a reference to a policy is considered invalid, or the policy evaluation results in "Indeterminate", then the policy set SHALL evaluate to "Indeterminate", with the appropriate error status, provided no other policies evaluate to "Permit" or "Deny".
The following pseudo-code represents the evaluation strategy of this policy-combining algorithm:

Decision permitOverridesPolicyCombiningAlgorithm(Policy policy[])
{
    Boolean atLeastOneError = false;
    Boolean atLeastOneDeny = false;
    for( i=0 ; i < lengthOf(policy) ; i++ ) {
        Decision decision = evaluate(policy[i]);
        if (decision == Deny) {
            atLeastOneDeny = true;
            continue;
        }
        if (decision == Permit) {
            return Permit;
        }
        if (decision == NotApplicable) {
            continue;
        }
        if (decision == Indeterminate) {
            atLeastOneError = true;
            continue;
        }
    }
    if (atLeastOneDeny) {
        return Deny;
    }
    if (atLeastOneError) {
        return Indeterminate;
    }
    return NotApplicable;
}

Obligations of the individual policies shall be combined as described in Section 7.11.
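The C.1 and C.3 combiners, as an added Python example that is not the specification's own code: the rule-combining logic is written once with the overriding effect as a parameter (deny-overrides and permit-overrides are mirror images), while the two policy-combining variants are kept separate because they treat "Indeterminate" differently (deny-overrides converts it to "Deny"; permit-overrides reports it only when no policy produced "Permit" or "Deny"). The Rule records and every evaluation result they carry are constructed inputs, standing in for evaluate() and effect().

```python
"""Deny-overrides and permit-overrides combining (XACML 1.1, Appendix C.1 and C.3).

Added example, not the specification's code. evaluate(rule) is replaced by a
constructed 'decision' field on each record so the combiners can be exercised
without a policy engine.
"""
from dataclasses import dataclass
from typing import List

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"


@dataclass
class Rule:
    effect: str     # the rule's declared Effect: Permit or Deny
    decision: str   # constructed result of evaluate(rule)


def overrides_rule_combine(rules: List[Rule], overriding: str) -> str:
    """Rule-combining with one overriding effect.

    overriding == DENY gives deny-overrides (C.1);
    overriding == PERMIT gives permit-overrides (C.3).
    """
    weak = PERMIT if overriding == DENY else DENY
    at_least_one_error = False
    potential_override = False   # an erroring rule whose effect is the overriding one
    at_least_one_weak = False
    for rule in rules:
        d = rule.decision
        if d == overriding:
            return overriding             # the overriding effect wins immediately
        if d == weak:
            at_least_one_weak = True
        elif d == INDETERMINATE:
            at_least_one_error = True
            if rule.effect == overriding:
                potential_override = True
        # NotApplicable contributes nothing
    if potential_override:
        return INDETERMINATE   # the failed rule might have produced the overriding effect
    if at_least_one_weak:
        return weak
    if at_least_one_error:
        return INDETERMINATE
    return NOT_APPLICABLE


def deny_overrides_policy_combine(decisions: List[str]) -> str:
    """C.1 policy-combining: any policy error is folded into Deny."""
    at_least_one_permit = False
    for d in decisions:
        if d in (DENY, INDETERMINATE):
            return DENY
        if d == PERMIT:
            at_least_one_permit = True
    return PERMIT if at_least_one_permit else NOT_APPLICABLE


def permit_overrides_policy_combine(decisions: List[str]) -> str:
    """C.3 policy-combining: errors surface only when nothing else decided."""
    at_least_one_error = False
    at_least_one_deny = False
    for d in decisions:
        if d == PERMIT:
            return PERMIT
        if d == DENY:
            at_least_one_deny = True
        elif d == INDETERMINATE:
            at_least_one_error = True
    if at_least_one_deny:
        return DENY
    if at_least_one_error:
        return INDETERMINATE
    return NOT_APPLICABLE


if __name__ == "__main__":
    # Constructed policy: one Permit rule that matched and one Deny rule whose
    # condition failed to evaluate (for example, a missing attribute).
    rules = [Rule(PERMIT, PERMIT), Rule(DENY, INDETERMINATE)]
    print("deny-overrides:  ", overrides_rule_combine(rules, DENY))    # Indeterminate
    print("permit-overrides:", overrides_rule_combine(rules, PERMIT))  # Permit
```

The same two constructed rules give "Indeterminate" under deny-overrides but "Permit" under permit-overrides, which is why the choice of combining algorithm, not only the rules, decides whether an attribute-retrieval failure can open access.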
C.4 Ordered-permit-overrides (non-normative)
The following specification defines the "Ordered-permit-overrides" rule-combining algorithm of a policy.
The behavior of this algorithm is identical to that of the "Permit-overrides" rule-combining algorithm, with one exception: the order in which the collection of rules is evaluated SHALL match the order as listed in the policy.
The following specification defines the "Ordered-permit-overrides" policy-combining algorithm of a policy set.
The behavior of this algorithm is identical to that of the "Permit-overrides" policy-combining algorithm, with one exception: the order in which the collection of policies is evaluated SHALL match the order as listed in the policy set.
C.5 First-applicable
The following specification defines the "First-applicable" rule-combining algorithm of a policy.
Each rule SHALL be evaluated in the order in which it is listed in the policy. For a particular rule, if the target matches and the condition evaluates to "True", then the evaluation of the policy SHALL halt and the corresponding effect of the rule SHALL be the result of the evaluation of the policy (i.e. "Permit" or "Deny"). For a particular rule selected in the evaluation, if the target evaluates to "False" or the condition evaluates to "False", then the next rule in the order SHALL be evaluated. If no further rule in the order exists, then the policy SHALL evaluate to "NotApplicable".
If an error occurs while evaluating the target or condition of a rule, then the evaluation SHALL halt, and the policy shall evaluate to "Indeterminate", with the appropriate error status.
The following pseudo-code represents the evaluation strategy of this rule-combining algorithm:

Decision firstApplicableEffectRuleCombiningAlgorithm(Rule rule[])
{
    for( i = 0 ; i < lengthOf(rule) ; i++ ) {
        Decision decision = evaluate(rule[i]);
        if (decision == Deny) {
            return Deny;
        }
        if (decision == Permit) {
            return Permit;
        }
        if (decision == NotApplicable) {
            continue;
        }
        if (decision == Indeterminate) {
            return Indeterminate;
        }
    }
    return NotApplicable;
}

The following specification defines the "First-applicable" policy-combining algorithm of a policy set.
Each policy is evaluated in the order in which it appears in the policy set. For a particular policy, if the target evaluates to "True" and the policy evaluates to a determinate value of "Permit" or "Deny", then the evaluation SHALL halt and the policy set SHALL evaluate to the effect value of that policy. For a particular policy, if the target evaluates to "False" or the policy evaluates to "NotApplicable", then the next policy in the order SHALL be evaluated. If no further policy exists in the order, then the policy set SHALL evaluate to "NotApplicable".
If an error were to occur when evaluating the target or when evaluating a specific policy, the reference to the policy is considered invalid, or the policy itself evaluates to "Indeterminate", then the evaluation of the policy-combining algorithm shall halt, and the policy set shall evaluate to "Indeterminate", with an appropriate error status.
The following pseudo-code represents the evaluation strategy of this policy-combining algorithm:

Decision firstApplicableEffectPolicyCombiningAlgorithm(Policy policy[])
{
    for( i = 0 ; i < lengthOf(policy) ; i++ ) {
        Decision decision = evaluate(policy[i]);
        if (decision == Deny) {
            return Deny;
        }
        if (decision == Permit) {
            return Permit;
        }
        if (decision == NotApplicable) {
            continue;
        }
        if (decision == Indeterminate) {
            return Indeterminate;
        }
    }
    return NotApplicable;
}

Obligations of the individual policies shall be combined as described in Section 7.11.
C.6 Only-one-applicable
The following specification defines the "Only-one-applicable" policy-combining algorithm of a policy set.
In the entire set of policies in the policy set, if no policy is considered applicable by virtue of its target, then the result of the policy-combining algorithm SHALL be "NotApplicable". If more than one policy is considered applicable by virtue of its target, then the result of the policy-combining algorithm SHALL be "Indeterminate".
If only one policy is considered applicable by evaluation of the policy targets, then the result of the policy-combining algorithm SHALL be the result of evaluating that policy.
If an error occurs while evaluating the target of a policy, or a reference to a policy is considered invalid, or the policy evaluation results in "Indeterminate", then the policy set SHALL evaluate to "Indeterminate", with the appropriate error status.
The following pseudo-code represents the evaluation strategy of this policy-combining algorithm:

Decision onlyOneApplicablePolicyPolicyCombiningAlgorithm(Policy policy[])
{
    Boolean atLeastOne = false;
    Policy selectedPolicy = null;
    ApplicableResult appResult;
    for ( i=0 ; i < lengthOf(policy) ; i++ ) {
        appResult = isApplicable(policy[i]);
        if ( appResult == Indeterminate ) {
            return Indeterminate;
        }
        if ( appResult == Applicable ) {
            if ( atLeastOne ) {
                return Indeterminate;
            }
            else {
                atLeastOne = true;
                selectedPolicy = policy[i];
            }
        }
        if ( appResult == NotApplicable ) {
            continue;
        }
    }
    if ( atLeastOne ) {
        return evaluate(selectedPolicy);
    }
    else {
        return NotApplicable;
    }
}

Appendix D. Acknowledgments
The following individuals contributed to the development of the specification:
Anne Anderson
Bill Parducci
Carlisle Adams
Daniel Engovatov
Don Flinn
Ernesto Damiani
Gerald Brose
Hal Lockhart
James MacLean
John Merrells
Ken Yagen
Konstantin Beznosov
Michiharu Kudo
Pierangela Samarati
Pirasenna Velandai Thiyagarajan
Polar Humenn
Satoshi Hada
Sekhar Vajjhala
Seth Proctor
Simon Godik
Steve Anderson
Steve Crocker
Suresh Damodaran
Tim Moses
Appendix E. Revision history
Rev       Date          By whom                      What
OS V1.0   18 Feb 2003   XACML Technical Committee    OASIS Standard
Appendix F. Notices
OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification, can be obtained from the OASIS Executive Director.
OASIS has been notified of intellectual property rights claimed in regard to some or all of the contents of this specification. For more information, consult the online list of claimed rights.
OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director.
Copyright (C) OASIS Open 2003. All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
6 Context syntax (normative, with the exception of the schema fragments)  64
6.1 Element <Request>  64
6.2 Element <Subject>  65
6.3 Element <Resource>  66
6.4 Element <ResourceContent>  66
6.5 Element <Action>  67
6.6 Element <Environment>  67
6.7 Element <Attribute>  67
6.8 Element <AttributeValue>  68
6.9 Element <Response>  68
6.10 Element <Result>  69
6.11 Element <Decision>  70
6.12 Element <Status>  70
6.13 Element <StatusCode>  71
6.14 Element <StatusMessage>  71
6.15 Element <StatusDetail>  71
7 Functional requirements (normative)  72
7.1 Policy enforcement point  72
7.2 Base policy  72
7.3 Target evaluation  73
7.4 Condition evaluation  73
7.5 Rule evaluation  73
7.6 Policy evaluation  73
7.7 Policy Set evaluation  74
7.8 Hierarchical resources  75
7.9 Attributes  76
7.9.1 Attribute Matching  76
7.9.2 Attribute Retrieval  76
7.9.3 Environment Attributes  77
7.10 Authorization decision  77
7.11 Obligations  77
7.12 Unsupported functionality  78
7.13 Syntax and type errors  78
8 XACML extensibility points (non-normative)  78
8.1 Extensible XML attribute types  78
8.2 Structured attributes  79
9 Security and privacy considerations (non-normative)  79
9.1 Threat model  79
9.1.1 Unauthorized disclosure  80
9.1.2 Message replay  80
9.1.3 Message insertion  80
9.1.4 Message deletion  80
9.1.5 Message modification  80
9.1.6 NotApplicable results  81
9.1.7 Negative rules  81
9.2 Safeguards  82
9.2.1 Authentication  82
9.2.2 Policy administration  82
9.2.3 Confidentiality  82
9.2.4 Policy integrity  83
9.2.5 Policy identifiers  83
9.2.6 Trust model  84
9.2.7 Privacy  84
10 Conformance (normative)  84
10.1 Introduction  84
10.2 Conformance tables  84
10.2.1 Schema elements  85
10.2.2 Identifier Prefixes  86
10.2.3 Algorithms  86
10.2.4 Status Codes  86
10.2.5 Attributes  87
10.2.6 Identifiers  87
10.2.7 Data-types  87
10.2.8 Functions  88
11 References  92
Appendix A. Standard data-types, functions and their semantics (normative)  94
A.1 Introduction  94
A.2 Primitive types  94
A.3 Structured types  95
A.4 Representations  95
A.5 Bags  96
A.6 Expressions  96
A.7 Element <AttributeValue>  97
A.8 Elements <AttributeDesignator> and <AttributeSelector>  97
A.9 Element <Apply>  97
A.10 Element <Condition>  97
A.11 Element <Function>  98
A.12 Matching elements  98
A.13 Arithmetic evaluation  99
A.14 XACML standard functions  100
A.14.1 Equality predicates  100
A.14.2 Arithmetic functions  102
A.14.3 String conversion functions  103
A.14.4 Numeric data-type conversion functions  103
A.14.5 Logical functions  103
A.14.6 Arithmetic comparison functions  104
A.14.7 Date and time arithmetic functions  105
A.14.8 Non-numeric comparison functions  106
A.14.9 Bag functions  108
A.14.10 Set functions  109
A.14.11 Higher-order bag functions  110
A.14.12 Special match functions  117
A.14.13 XPath-based functions  118
A.14.14 Extension functions and primitive types  118
Appendix B. XACML identifiers (normative)  119
B.1 XACML namespaces  119
B.2 Access subject categories  119
B.3 XACML functions  119
B.4 Data-types  119
B.5 Subject attributes  120
B.6 Resource attributes  121
B.7 Action attributes  121
B.8 Environment attributes  122
B.9 Status codes  122
B.10 Combining algorithms  122
Appendix C. Combining algorithms (normative)  124
C.1 Deny-overrides  124
C.2 Ordered-deny-overrides (non-normative)  126
C.3 Permit-overrides  126
C.4 Ordered-permit-overrides (non-normative)  128
C.5 First-applicable  128
C.6 Only-one-applicable  130
Appendix D. Acknowledgments  132
Appendix E. Revision history  133
Appendix F. Notices  134
Errata
Errata can be found at the following location:
http://www.oasis-open.org/committees/xacml/repository/errata-001.pdf
1 Introduction (non-normative)
1.1 Glossary
1.1.1 Preferred terms
Access - Performing an action.
Access control - Controlling access in accordance with a policy.
Action - An operation on a resource.
Applicable policy - The set of policies and policy sets that governs access for a specific decision request.
Attribute - Characteristic of a subject, resource, action or environment that may be referenced in a predicate or target.
Authorization decision - The result of evaluating applicable policy, returned by the PDP to the PEP. A function that evaluates to "Permit", "Deny", "Indeterminate" or "NotApplicable", and (optionally) a set of obligations.
Bag - An unordered collection of values, in which there may be duplicate values.
Condition - An expression of predicates. A function that evaluates to "True", "False" or "Indeterminate".
Conjunctive sequence - A sequence of boolean elements combined using the logical 'AND' operation.
Context - The canonical representation of a decision request and an authorization decision.
Context handler - The system entity that converts decision requests in the native request format to the XACML canonical form, and converts authorization decisions in the XACML canonical form to the native response format.
Decision - The result of evaluating a rule, policy or policy set.
Decision request - The request by a PEP to a PDP to render an authorization decision.
Disjunctive sequence - A sequence of boolean elements combined using the logical 'OR' operation.
Effect - The intended consequence of a satisfied rule (either "Permit" or "Deny").
Environment - The set of attributes that are relevant to an authorization decision and are independent of a particular subject, resource or action.
Obligation - An operation specified in a policy or policy set that should be performed in conjunction with the enforcement of an authorization decision.
Policy - A set of rules, an identifier for the rule-combining algorithm and (optionally) a set of obligations. May be a component of a policy set.
Policy administration point (PAP) - The system entity that creates a policy or policy set.
Policy-combining algorithm - The procedure for combining the decision and obligations from multiple policies.
Policy decision point (PDP) - The system entity that evaluates applicable policy and renders an authorization decision.
Policy enforcement point (PEP) - The system entity that performs access control, by making decision requests and enforcing authorization decisions.
Policy information point (PIP) - The system entity that acts as a source of attribute values.
Policy set - A set of policies, other policy sets, a policy-combining algorithm and (optionally) a set of obligations. May be a component of another policy set.
Predicate - A statement about attributes whose truth can be evaluated.
Resource - Data, service or system component.
Rule - A target, an effect and a condition. A component of a policy.
Rule-combining algorithm - The procedure for combining decisions from multiple rules.
Subject - An actor whose attributes may be referenced by a predicate.
Target - The set of decision requests, identified by definitions for resource, subject and action, that a rule, policy or policy set is intended to evaluate.
Type unification - The method by which two type expressions are "unified". The type expressions are matched along their structure. Where a type variable appears in one expression, it is then "unified" to represent the corresponding structure element of the other expression, be it another variable or subexpression. All variable assignments must remain consistent in both structures. Unification fails if the two expressions cannot be aligned, either by having dissimilar structure, or by having instance conflicts, such as a variable needing to represent both xs:string and xs:integer. For a full explanation of type unification, please see [Hancock].
1.1.2 Related terms
In the field of access control and authorization there are several closely related terms in common use. For purposes of precision and clarity, certain of these terms are not used in this specification.
For instance, the term attribute is used in place of the terms: group and role.
In place of the terms: privilege, permission, authorization, entitlement and right, we use the term rule.
The term object is also in common use, but we use the term resource in this specification.
Requestors and initiators are covered by the term subject.
1.2 Notation
This specification contains schema conforming to W3C XML Schema and normative text to describe the syntax and semantics of XML-encoded policy statements.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY" and "OPTIONAL" in this specification are to be interpreted as described in IETF RFC 2119 [RFC2119]:
"they MUST only be used where it is actually required for interoperation or to limit behavior which has potential for causing harm (e.g., limiting retransmissions)"
These keywords are thus capitalized when used to unambiguously specify requirements over protocol and application features and behavior that affect the interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense.
Listings of XACML schemas appear like this.
Example code listings appear like this.
Conventional XML namespace prefixes are used throughout the listings in this specification to stand for their respective namespaces as follows, whether or not a namespace declaration is present in the example:
The prefix xacml: stands for the XACML policy namespace.
The prefix xacml-context: stands for the XACML context namespace.
The prefix ds: stands for the W3C XML Signature namespace [DS].
The prefix xs: stands for the W3C XML Schema namespace [XS].
The prefix xf: stands for the XQuery 1.0 and XPath 2.0 Function and Operators specification namespace [XF].
This specification uses the following typographical conventions in text: <XACMLElement>, <ns:ForeignElement>, Attribute, Datatype, OtherCode. Terms in italic bold-face are intended to have the meaning defined in the Glossary.
1.3 Schema organization and namespaces
The XACML policy syntax is defined in a schema associated with the following XML namespace:
urn:oasis:names:tc:xacml:1.0:policy
The XACML context syntax is defined in a schema associated with the following XML namespace:
urn:oasis:names:tc:xacml:1.0:context
The XML Signature [DS] is imported into the XACML schema and is associated with the following XML namespace:
http://www.w3.org/2000/09/xmldsig#
2 Background (non-normative)
The economics of scale have driven computing platform vendors to develop products with very generalized functionality, so that they can be used in the widest possible range of situations. Out of the box, these products have the maximum possible privilege for accessing data and executing software, so that they can be used in as many application environments as possible, including those with the most permissive security policies. In the more common case of a relatively restrictive security policy, the platform's inherent privileges must be constrained by configuration.
The security policy of a large enterprise has many elements and many points of enforcement. Elements of policy may be managed by the Information Systems department, by Human Resources, by the Legal department and by the Finance department. And the policy may be enforced by the extranet, mail, WAN and remote-access systems; platforms which inherently implement a permissive security policy. The current practice is to manage the configuration of each point of enforcement independently in order to implement the security policy as accurately as possible. Consequently, it is an expensive and unreliable proposition to modify the security policy. And it is virtually impossible to obtain a consolidated view of the safeguards in effect throughout the enterprise to enforce the policy. At the same time, there is increasing pressure on corporate and government executives from consumers, shareholders and regulators to demonstrate "best practice" in the protection of the information assets of the enterprise and its customers.
For these reasons, there is a pressing need for a common language for expressing security policy. If implemented throughout an enterprise, a common policy language allows the enterprise to manage the enforcement of all the elements of its security policy in all the components of its information systems. Managing security policy may include some or all of the following steps: writing, reviewing, testing, approving, issuing, combining, analyzing, modifying, withdrawing, retrieving and enforcing policy.
XML is a natural choice as the basis for the common security-policy language, due to the ease with which its syntax and semantics can be extended to accommodate the unique requirements of this application, and the widespread support that it enjoys from all the main platform and tool vendors.
2.1 Requirements
The basic requirements of a policy language for expressing information system security policy are:
- To provide a method for combining individual rules and policies into a single policy set that applies to a particular decision request.
- To provide a method for flexible definition of the procedure by which rules and policies are combined.
- To provide a method for dealing with multiple subjects acting in different capacities.
- To provide a method for basing an authorization decision on attributes of the subject and resource.
- To provide a method for dealing with multi-valued attributes.
- To provide a method for basing an authorization decision on the contents of an information resource.
- To provide a set of logical and mathematical operators on attributes of the subject, resource and environment.
- To provide a method for handling a distributed set of policy components, while abstracting the method for locating, retrieving and authenticating the policy components.
- To provide a method for rapidly identifying the policy that applies to a given action, based upon the values of attributes of the subjects, resource and action.
- To provide an abstraction-layer that insulates the policy-writer from the details of the application environment.
- To provide a method for specifying a set of actions that must be performed in conjunction with policy enforcement.
The motivation behind XACML is to express these well-established ideas in the field of access-control policy using an extension language of XML. The XACML solutions for each of these requirements are discussed in the following sections.
2.2 Rule and policy combining
The complete policy applicable to a particular decision request may be composed of a number of individual rules or policies. For instance, in a personal privacy application, the owner of the personal information may define certain aspects of disclosure policy, whereas the enterprise that is the custodian of the information may define certain other aspects. In order to render an authorization decision, it must be possible to combine the two separate policies to form the single policy applicable to the request.
XACML defines three top-level policy elements: <Rule>, <Policy> and <PolicySet>. The <Rule> element contains a boolean expression that can be evaluated in isolation, but that is not intended to be accessed in isolation by a PDP. So, it is not intended to form the basis of an authorization decision by itself. It is intended to exist in isolation only within an XACML PAP, where it may form the basic unit of management, and be re-used in multiple policies.
The <Policy> element contains a set of <Rule> elements and a specified procedure for combining the results of their evaluation. It is the basic unit of policy used by the PDP, and so it is intended to form the basis of an authorization decision.
The <PolicySet> element contains a set of <Policy> or other <PolicySet> elements and a specified procedure for combining the results of their evaluation. It is the standard means for combining separate policies into a single combined policy.
Hinton et al. [Hinton94] discuss the question of the compatibility of separate policies applicable to the same decision request.
2.3 Combining algorithms
XACML defines a number of combining algorithms that can be identified by a RuleCombiningAlgId or PolicyCombiningAlgId attribute of the <Policy> or <PolicySet> elements, respectively. The rule-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluation of a set of rules. Similarly, the policy-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluation of a set of policies. Standard combining algorithms are defined for:
- Deny-overrides (Ordered and Unordered),
- Permit-overrides (Ordered and Unordered),
- First applicable, and
- Only-one-applicable.
In the first case, if a single <Rule> or <Policy> element is encountered that evaluates to "Deny", then, regardless of the evaluation result of the other <Rule> or <Policy> elements in the applicable policy, the combined result is "Deny". Likewise, in the second case, if a single "Permit" result is encountered, then the combined result is "Permit". In the case of the "First-applicable" combining algorithm, the combined result is the same as the result of evaluating the first <Rule>, <Policy> or <PolicySet> element in the list of rules whose target is applicable to the decision request. The "Only-one-applicable" policy-combining algorithm only applies to policies. The result of this combining algorithm ensures that one and only one policy or policy set is applicable by virtue of their targets. If no policy or policy set applies, then the result is "NotApplicable", but if more than one policy or policy set is applicable, then the result is "Indeterminate". When exactly one policy or policy set is applicable, the result of the combining algorithm is the result of evaluating the single applicable policy or policy set.
Users of this specification may, if necessary, define their own combining algorithms.
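The four standard algorithms just described, written out as an added example in Python. This code is not part of the specification and is not the normative pseudo-code of Appendix C. Each <Rule>, <Policy> or <PolicySet> is reduced to a target predicate and an evaluation function (a modelling shortcut, not the schema's structure); the two policies, the attribute names and the request context are constructed for illustration. The treatment of "Indeterminate" in deny-overrides and permit-overrides follows the policy-combining forms of Appendix C as the example's author understands them; Appendix C is the normative reference.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List

class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    INDETERMINATE = "Indeterminate"
    NOT_APPLICABLE = "NotApplicable"

Context = Dict[str, object]

@dataclass
class Component:
    """A <Rule>, <Policy> or <PolicySet> reduced to what a combiner needs
    (hypothetical model): a target predicate over the request context and
    an evaluation function returning a Decision."""
    name: str
    target: Callable[[Context], bool]
    evaluate: Callable[[Context], Decision]

def _evaluate_all(components: List[Component], ctx: Context) -> List[Decision]:
    # A component whose <Target> does not match the request is NotApplicable.
    return [c.evaluate(ctx) if c.target(ctx) else Decision.NOT_APPLICABLE
            for c in components]

def deny_overrides(components: List[Component], ctx: Context) -> Decision:
    """A single Deny wins. An Indeterminate is treated as Deny, following the
    policy-combining form of this algorithm in Appendix C (assumption)."""
    results = _evaluate_all(components, ctx)
    if Decision.DENY in results or Decision.INDETERMINATE in results:
        return Decision.DENY
    if Decision.PERMIT in results:
        return Decision.PERMIT
    return Decision.NOT_APPLICABLE

def permit_overrides(components: List[Component], ctx: Context) -> Decision:
    """A single Permit wins; otherwise Deny beats Indeterminate beats NotApplicable."""
    results = _evaluate_all(components, ctx)
    for winner in (Decision.PERMIT, Decision.DENY, Decision.INDETERMINATE):
        if winner in results:
            return winner
    return Decision.NOT_APPLICABLE

def first_applicable(components: List[Component], ctx: Context) -> Decision:
    """Result of the first component, in document order, whose target matches
    and whose evaluation is not NotApplicable (an Indeterminate is returned as is)."""
    for c in components:
        if c.target(ctx):
            result = c.evaluate(ctx)
            if result is not Decision.NOT_APPLICABLE:
                return result
    return Decision.NOT_APPLICABLE

def only_one_applicable(components: List[Component], ctx: Context) -> Decision:
    """Exactly one target must match: none -> NotApplicable, several -> Indeterminate."""
    applicable = [c for c in components if c.target(ctx)]
    if not applicable:
        return Decision.NOT_APPLICABLE
    if len(applicable) > 1:
        return Decision.INDETERMINATE
    return applicable[0].evaluate(ctx)

def demo() -> Dict[str, Decision]:
    """Constructed request context and two constructed policies whose targets
    both match it, so that the four algorithms give different answers."""
    ctx: Context = {"subject-id": "alice", "owner": "alice",
                    "resource-id": "record-7", "action-id": "read", "hour": 22}
    owner_may_read = Component(
        "owner-may-read",
        target=lambda c: c["action-id"] == "read",
        evaluate=lambda c: (Decision.PERMIT if c["subject-id"] == c["owner"]
                            else Decision.NOT_APPLICABLE))
    business_hours = Component(
        "deny-outside-business-hours",
        target=lambda c: str(c["resource-id"]).startswith("record"),
        evaluate=lambda c: (Decision.NOT_APPLICABLE if 9 <= c["hour"] < 17
                            else Decision.DENY))
    policies = [owner_may_read, business_hours]
    return {
        "deny-overrides": deny_overrides(policies, ctx),            # Deny
        "permit-overrides": permit_overrides(policies, ctx),        # Permit
        "first-applicable": first_applicable(policies, ctx),        # Permit
        "only-one-applicable": only_one_applicable(policies, ctx),  # Indeterminate
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {result.value}")
```

The same pair of policies yields "Deny", "Permit", "Permit" and "Indeterminate" depending only on the algorithm chosen, which is why the RuleCombiningAlgId or PolicyCombiningAlgId attribute is as much a part of a policy's meaning as its rules.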
2.4 Multiple subjects
Access-control policies often place requirements on the actions of more than one subject. For instance, the policy governing the execution of a high-value financial transaction may require the approval of more than one individual, acting in different capacities. Therefore, XACML recognizes that there may be more than one subject relevant to a decision request. An attribute called "subject-category" is used to differentiate between subjects acting in different capacities. Some standard values for this attribute are specified, and users may define additional ones.
2.5 Policies based on subject and resource attributes
Another common requirement is to base an authorization decision on some characteristic of the subject other than its identity. Perhaps the most common application of this idea is the subject's role [RBAC]. XACML provides facilities to support this approach. Attributes of subjects may be identified by the <SubjectAttributeDesignator> element. This element contains a URN that identifies the attribute. Alternatively, the <AttributeSelector> element may contain an XPath expression over the request context to identify a particular subject attribute value by its location in the context (see Section 2.11 for an explanation of context). XACML provides a standard way to reference the attributes defined in the LDAP series of specifications [LDAP-1, LDAP-2]. This is intended to encourage implementers to use standard attribute identifiers for some common subject attributes.
Another common requirement is to base an authorization decision on some characteristic of the resource other than its identity. XACML provides facilities to support this approach. Attributes of the resource may be identified by the <ResourceAttributeDesignator> element. This element contains a URN that identifies the attribute. Alternatively, the <AttributeSelector> element may contain an XPath expression over the request context to identify a particular resource attribute value by its location in the context.
2.6 Multi-valued attributes
The most common techniques for communicating attributes (LDAP, XPath, SAML, etc.) support multiple values per attribute. Therefore, when an XACML PDP retrieves the value of a named attribute, the result may contain multiple values. A collection of such values is called a bag. A bag differs from a set in that it may contain duplicate values, whereas a set may not. Sometimes this situation represents an error. Sometimes the XACML rule is satisfied if any one of the attribute values meets the criteria expressed in the rule.
XACML provides a set of functions that allow a policy writer to be absolutely clear about how the PDP should handle the case of multiple attribute values. These are the "higher-order" functions.
2.7 Policies based on resource contents
In many applications, it is required to base an authorization decision on data contained in the information resource to which access is requested. For instance, a common component of privacy policy is that a person should be allowed to read records for which he or she is the subject. The corresponding policy must contain a reference to the subject identified in the information resource itself.
XACML provides facilities for doing this when the information resource can be represented as an XML document. The <AttributeSelector> element may contain an XPath expression over the request context to identify data in the information resource to be used in the policy evaluation.
In cases where the information resource is not an XML document, specified attributes of the resource can be referenced, as described in Section 2.4.
2.8 Operators
Information security policies operate upon attributes of subjects, the resource and the action to be performed on the resource in order to arrive at an authorization decision. In the process of arriving at the authorization decision, attributes of many different types may have to be compared or computed. For instance, in a financial application, a person's available credit may have to be calculated by adding their credit limit to their account balance. The result may then have to be compared with the transaction value. This sort of situation gives rise to the need for arithmetic operations on attributes of the subject (account balance and credit limit) and the resource (transaction value).
Even more commonly, a policy may identify the set of roles that are permitted to perform a particular action. The corresponding operation involves checking whether there is a non-empty intersection between the set of roles occupied by the subject and the set of roles identified in the policy. Hence the need for set operations.
XACML includes a number of built-in functions and a method of adding non-standard functions. These functions may be nested to build arbitrarily complex expressions. This is achieved with the <Apply> element. The <Apply> element has an XML attribute called FunctionId that identifies the function to be applied to the contents of the element. Each standard function is defined for specific argument data-type combinations, and its return data-type is also specified. Therefore, data-type consistency of the policy can be checked at the time the policy is written or parsed. And the types of the data values presented in the request context can be checked against the values expected by the policy to ensure a predictable outcome.
In addition to operators on numerical and set arguments, operators are defined for date, time and duration arguments.
Relationship operators (equality and comparison) are also defined for a number of data-types, including the RFC822 and X.500 name-forms, strings, URIs, etc.
Also noteworthy are the operators over boolean data-types, which permit the logical combination of predicates in a rule. For example, a rule may contain the statement that access may be permitted during "business hours" AND from a "terminal on business premises".
The XACML method of representing functions borrows from MathML [MathML] and from the XQuery 1.0 and XPath 2.0 Functions and Operators specification [XF].
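An added example, not from this specification, covering the points of Sections 2.6 and 2.8 together: nested <Apply> expressions, each function with fixed argument and return data-types so that a policy can be type-checked when it is parsed rather than when it is evaluated, a bag holding a multi-valued attribute, and the higher-order "any-of" function stating how multiple values are to be handled. The function identifiers are the standard ones from this specification's function namespace; the Python class names, the restriction of integer-add to two arguments, and the sample amounts and roles are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple, Union

XS = "http://www.w3.org/2001/XMLSchema#"
FN = "urn:oasis:names:tc:xacml:1.0:function:"

def bag_of(datatype: str) -> str:
    return f"bag({datatype})"

@dataclass
class Value:             # <AttributeValue DataType="...">
    datatype: str
    value: Any

@dataclass
class Bag:               # what an attribute designator or selector yields: zero or more values
    datatype: str
    values: List[Any]

@dataclass
class FunctionRef:       # <Function FunctionId="..."/>, the argument of a higher-order function
    function_id: str

@dataclass
class Apply:             # <Apply FunctionId="...">child expressions</Apply>
    function_id: str
    args: List["Expr"]

Expr = Union[Value, Bag, FunctionRef, Apply]

@dataclass
class Fn:
    params: Tuple[str, ...]   # argument data-types, in order
    returns: str              # result data-type
    impl: Callable[..., Any]

# Standard function identifiers; the signatures are this example's reading of
# Appendix A (integer-add is limited to exactly two arguments here).
FUNCTIONS: Dict[str, Fn] = {
    FN + "integer-add": Fn((XS + "integer", XS + "integer"), XS + "integer", lambda a, b: a + b),
    FN + "integer-greater-than-or-equal": Fn((XS + "integer", XS + "integer"), XS + "boolean",
                                             lambda a, b: a >= b),
    FN + "string-equal": Fn((XS + "string", XS + "string"), XS + "boolean", lambda a, b: a == b),
    FN + "string-at-least-one-member-of": Fn((bag_of(XS + "string"), bag_of(XS + "string")),
                                             XS + "boolean", lambda a, b: bool(set(a) & set(b))),
}
ANY_OF = FN + "any-of"   # higher-order: (<Function>, primitive, bag of that primitive) -> boolean

def type_of(expr: Expr) -> str:
    """Static data-type check, run when the policy is parsed; raises TypeError on mismatch."""
    if isinstance(expr, Value):
        return expr.datatype
    if isinstance(expr, Bag):
        return bag_of(expr.datatype)
    if isinstance(expr, FunctionRef):
        return "function"
    if expr.function_id == ANY_OF:
        if len(expr.args) != 3 or not isinstance(expr.args[0], FunctionRef):
            raise TypeError("any-of expects (<Function>, primitive, bag)")
        inner = FUNCTIONS[expr.args[0].function_id]
        actual = (type_of(expr.args[1]), type_of(expr.args[2]))
        expected = (inner.params[0], bag_of(inner.params[1]))
        if actual != expected or inner.returns != XS + "boolean":
            raise TypeError(f"any-of: {expr.args[0].function_id} cannot be applied to {actual}")
        return XS + "boolean"
    fn = FUNCTIONS[expr.function_id]
    actual = tuple(type_of(a) for a in expr.args)
    if actual != fn.params:
        raise TypeError(f"{expr.function_id}: expected {fn.params}, got {actual}")
    return fn.returns

def evaluate(expr: Expr) -> Any:
    """Evaluate an expression that has already passed type_of."""
    if isinstance(expr, Value):
        return expr.value
    if isinstance(expr, Bag):
        return list(expr.values)
    if isinstance(expr, FunctionRef):
        return FUNCTIONS[expr.function_id].impl
    if expr.function_id == ANY_OF:
        func, item, bag = (evaluate(a) for a in expr.args)
        return any(func(item, v) for v in bag)
    return FUNCTIONS[expr.function_id].impl(*(evaluate(a) for a in expr.args))

def check_and_evaluate(expr: Expr) -> Any:
    type_of(expr)
    return evaluate(expr)

def credit_covers_transaction() -> bool:
    """Section 2.8: credit limit + account balance >= transaction value (constructed amounts)."""
    expr = Apply(FN + "integer-greater-than-or-equal", [
        Apply(FN + "integer-add", [Value(XS + "integer", 5000), Value(XS + "integer", -1200)]),
        Value(XS + "integer", 3500)])
    return check_and_evaluate(expr)

def subject_holds_permitted_role() -> bool:
    """Section 2.8: non-empty intersection of the subject's roles and the policy's roles."""
    expr = Apply(FN + "string-at-least-one-member-of",
                 [Bag(XS + "string", ["clerk", "auditor"]), Bag(XS + "string", ["manager", "auditor"])])
    return check_and_evaluate(expr)

def any_value_matches() -> bool:
    """Section 2.6: the rule is satisfied if any one value of a multi-valued attribute matches."""
    expr = Apply(ANY_OF, [FunctionRef(FN + "string-equal"), Value(XS + "string", "alice"),
                          Bag(XS + "string", ["bob", "alice"])])
    return check_and_evaluate(expr)

def ill_typed_policy_rejected() -> bool:
    """A bag where a single string is expected is refused before any evaluation."""
    expr = Apply(FN + "string-equal", [Value(XS + "string", "alice"), Bag(XS + "string", ["bob", "alice"])])
    try:
        type_of(expr)
        return False
    except TypeError:
        return True
```

The last function is the practical point of typed signatures: a policy that compares a bag with a single value is a mistake in the policy, and a PDP that refuses it at load time gives the policy writer a definite error instead of an outcome that depends on how many values happen to arrive in a request.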
2.9 Policy distribution
In a distributed system, individual policy statements may be written by several policy writers and enforced at several enforcement points. In addition to facilitating the collection and combination of independent policy components, this approach allows policies to be updated as required. XACML policy statements may be distributed in any one of a number of ways. But XACML does not describe any normative way to do this. Regardless of the means of distribution, PDPs are expected to confirm, by examining the policy's <Target> element, that the policy is applicable to the decision request that it is processing.
<Policy> elements may be attached to the information resources to which they apply, as described by Perritt [Perritt93]. Alternatively, <Policy> elements may be maintained in one or more locations from which they are retrieved for evaluation. In such cases, the applicable policy may be referenced by an identifier or locator closely associated with the information resource.
2.10 Policy indexing
For efficiency of evaluation and ease of management, the overall security policy in force across an enterprise may be expressed as multiple independent policy components. In this case, it is necessary to identify and retrieve the applicable policy statement and verify that it is the correct one for the requested action before evaluating it. This is the purpose of the <Target> element in XACML.
Two approaches are supported:
1. Policy statements may be stored in a database whose data-model is congruent with that of the <Target> element. The PDP should use the contents of the decision request that it is processing to form the database read command by which applicable policy statements are retrieved. Nevertheless, the PDP should still evaluate the <Target> element of the retrieved policy or policy set statements as defined by the XACML specification.
2. Alternatively, the PDP may evaluate the <Target> element from each of the policies or policy sets that it has available to it, in the context of a particular decision request, in order to identify the policies and policy sets that are applicable to that request.
The use of constraints limiting the applicability of a policy was described by Sloman [Sloman94].
2.11 Abstraction layer
PEPs come in many forms. For instance, a PEP may be part of a remote-access gateway, part of a Web server or part of an email user-agent, etc. It is unrealistic to expect that all PEPs in an enterprise do currently, or will in the future, issue decision requests to a PDP in a common format. Nevertheless, a particular policy may have to be enforced by multiple PEPs. It would be inefficient to force a policy writer to write the same policy several different ways in order to accommodate the format requirements of each PEP. Similarly, attributes may be contained in various envelope types (e.g., X.509 attribute certificates, SAML attribute assertions, etc.). Therefore, there is a need for a canonical form of the request and response handled by an XACML PDP. This canonical form is called the XACML Context. Its syntax is defined in XML schema.
Naturally, XACML-conformant PEPs may issue requests and receive responses in the form of an XACML context. But, where this situation does not exist, an intermediate step is required to convert between the request/response format understood by the PEP and the XACML context format understood by the PDP.
The benefit of this approach is that policies may be written and analyzed independent of the specific environment in which they are to be enforced.
In the case where the native request/response format is specified in XML Schema (e.g., a SAML-conformant PEP), the transformation between the native format and the XACML context may be specified in the form of an Extensible Stylesheet Language Transformation [XSLT].
Similarly, in the case where the resource to which access is requested is an XML document, the resource itself may be included in, or referenced by, the request context. Then, through the use of XPath expressions [XPath] in the policy, values in the resource may be included in the policy evaluation.
2.12 Actions performed in conjunction with enforcement
In many applications, policies specify actions that MUST be performed, either instead of, or in addition to, actions that MAY be performed. This idea was described by Sloman [Sloman94]. XACML provides facilities to specify actions that MUST be performed in conjunction with policy evaluation in the <Obligations> element. This idea was described as a provisional action by Kudo [Kudo00]. There are no standard definitions for these actions in version 1.0 of XACML. Therefore, bilateral agreement between a PAP and the PEP that will enforce its policies is required for correct interpretation. PEPs that conform with v1.0 of XACML are required to deny access unless they understand all the <Obligations> elements associated with the applicable policy. <Obligations> elements are returned to the PEP for enforcement.
3 Models (non-normative)
The data-flow model and language model of XACML are described in the following sub-sections.
3.1 Data-flow model
The major actors in the XACML domain are shown in the data-flow diagram of Figure 1.
Figure 1 - Data-flow diagram
Note: some of the data-flows shown in the diagram may be facilitated by a repository. For instance, the communications between the context handler and the PIP, or the communications between the PDP and the PAP, may be facilitated by a repository. The XACML specification is not intended to place restrictions on the location of any such repository, or indeed to prescribe a particular communication protocol for any of the data-flows.
The model operates by the following steps:
1. PAPs write policies and policy sets and make them available to the PDP. These policies or policy sets represent the complete policy for a specified target.
2. The access requester sends a request for access to the PEP.
3. The PEP sends the request for access to the context handler in its native request format, optionally including attributes of the subjects, resource and action. The context handler constructs an XACML request context in accordance with steps 4, 5, 6 and 7.
4. Subject, resource and environment attributes may be requested from a PIP.
5. The PIP obtains the requested attributes.
6. The PIP returns the requested attributes to the context handler.
7. Optionally, the context handler includes the resource in the context.
8. The context handler sends a decision request, including the target, to the PDP. The PDP identifies the applicable policy and retrieves the required attributes and (optionally) the resource from the context handler. The PDP evaluates the policy.
9. The PDP returns the response context (including the authorization decision) to the context handler.
10. The context handler translates the response context to the native response format of the PEP. The context handler returns the response to the PEP.
11. The PEP fulfills the obligations.
12. (Not shown) If access is permitted, then the PEP permits access to the resource; otherwise, it denies access.
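The twelve steps above, together with the rule of Section 2.12 that a PEP must deny access unless it understands every obligation it is handed, modelled as an added example in Python; this is not code from the specification. The native request format, the attribute identifiers, the PIP directory, the physician policy and the "log-access" obligation are all constructed for illustration, and the attachment of each obligation to the decision it accompanies is the example's own modelling choice.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

@dataclass
class Obligation:                  # one <Obligation> carried inside <Obligations>
    obligation_id: str
    applies_to: str                # decision it accompanies: "Permit" or "Deny" (modelling choice)
    attributes: Dict[str, str] = field(default_factory=dict)

@dataclass
class ResponseContext:             # step 9: what the PDP hands back
    decision: str                  # Permit / Deny / Indeterminate / NotApplicable
    obligations: List[Obligation] = field(default_factory=list)

class PIP:
    """Steps 4-6: the source of attribute values (constructed directory)."""
    def __init__(self, directory: Dict[str, Dict[str, List[str]]]):
        self.directory = directory
    def lookup(self, subject_id: str, attribute_id: str) -> List[str]:
        return self.directory.get(subject_id, {}).get(attribute_id, [])   # a bag, possibly empty

class PDP:
    """Step 8: evaluate the policy against the XACML request context."""
    def __init__(self, policy: Callable[[dict], ResponseContext]):
        self.policy = policy
    def evaluate(self, request_ctx: dict) -> ResponseContext:
        return self.policy(request_ctx)

class ContextHandler:
    """Steps 3-10: native request -> XACML request context (attributes fetched from the
    PIP), call the PDP, hand the response context back to the PEP."""
    def __init__(self, pdp: PDP, pip: PIP):
        self.pdp, self.pip = pdp, pip
    def decide(self, native: dict) -> ResponseContext:
        subject = native["user"]
        request_ctx = {                                  # canonical form; hypothetical attribute ids
            "subject-id": subject,
            "role": self.pip.lookup(subject, "role"),    # multi-valued attribute from the PIP
            "resource-id": native["file"],
            "action-id": native["op"],
        }
        return self.pdp.evaluate(request_ctx)

class PEP:
    """Steps 2, 11 and 12. Access is denied unless every obligation attached to the
    decision is one this PEP knows how to fulfil."""
    def __init__(self, handler: ContextHandler, obligation_handlers: Dict[str, Callable[[Obligation], None]]):
        self.handler, self.obligation_handlers = handler, obligation_handlers
    def request_access(self, user: str, file: str, op: str) -> bool:
        response = self.handler.decide({"user": user, "file": file, "op": op})  # native format
        pending = [o for o in response.obligations if o.applies_to == response.decision]
        if any(o.obligation_id not in self.obligation_handlers for o in pending):
            return False                                 # not understood -> deny, whatever the decision
        for o in pending:
            self.obligation_handlers[o.obligation_id](o)  # step 11
        return response.decision == "Permit"             # step 12

def physician_policy(ctx: dict) -> ResponseContext:
    """Constructed policy: physicians may read records, and every permitted read must be logged."""
    if ctx["action-id"] == "read" and "physician" in ctx["role"]:
        log_it = Obligation("log-access", "Permit",
                            {"subject": ctx["subject-id"], "resource": ctx["resource-id"]})
        return ResponseContext("Permit", [log_it])
    return ResponseContext("Deny")

def demo() -> Tuple[bool, bool, bool, List[str]]:
    pip = PIP({"dr-smith": {"role": ["physician"]}, "mallory": {"role": ["clerk"]}})
    handler = ContextHandler(PDP(physician_policy), pip)
    audit_log: List[str] = []
    aware_pep = PEP(handler, {"log-access": lambda o: audit_log.append(
        f"{o.attributes['subject']} read {o.attributes['resource']}")})
    unaware_pep = PEP(handler, {})                       # understands no obligation at all
    return (aware_pep.request_access("dr-smith", "record-7", "read"),    # True, and logged
            unaware_pep.request_access("dr-smith", "record-7", "read"),  # False: cannot fulfil log-access
            aware_pep.request_access("mallory", "record-7", "read"),     # False: not a physician
            audit_log)
```

The second result is the one worth noticing: the PDP permitted the access, yet the PEP that could not fulfil the attached obligation must still deny it, so an obligation a PEP does not recognise fails closed rather than being silently dropped.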
3.2 XACML context
XACML is intended to be suitable for a variety of application environments. The core language is insulated from the application environment by the XACML context, as shown in Figure 2, in which the scope of the XACML specification is indicated by the shaded area. The XACML context is defined in XML schema, describing a canonical representation for the inputs and outputs of the PDP. Attributes referenced by an instance of XACML policy may be in the form of XPath expressions on the context, or attribute designators that identify the attribute by subject, resource, action or environment and its identifier. Implementations must convert between the attribute representations in the application environment (e.g., SAML, J2SE, CORBA, and so on) and the attribute representations in the XACML context. How this is achieved is outside the scope of the XACML specification. In some cases, such as SAML, this conversion may be accomplished in an automated way through the use of an XSLT transformation.
Figure 2 - XACML context. [Figure: domain-specific inputs -> xacml Context/Request.xml -> PDP (with xacml Policy.xml) -> xacml Context/Response.xml -> domain-specific outputs]
Note: The PDP may be implemented such that it uses a processed form of the XML files.
See Section 7.9 for a more detailed discussion of the request context.
3.3 Policy language model
The policy language model is shown in Figure 3. The main components of the model are:
- Rule,
- Policy and
- Policy set.
These are described in the following sub-sections.
Figure 3 - Policy language model. [Figure: class diagram of PolicySet, Policy, Rule, Target (Subject, Resource, Action), Condition, Effect, Obligations, PolicyCombiningAlgorithm and RuleCombiningAlgorithm, with their multiplicities]
3.3.1 Rule
A rule is the most elementary unit of policy. It may exist in isolation only within one of the major actors of the XACML domain. In order to exchange rules between major actors, they must be encapsulated in a policy. A rule can be evaluated on the basis of its contents. The main components of a rule are:
- a target,
- an effect and
- a condition.
These are discussed in the following sub-sections.
3.3.1.1 Rule target
The target defines the set of:
- resources,
- subjects and
- actions
to which the rule is intended to apply. The <Condition> element may further refine the applicability established by the target. If the rule is intended to apply to all entities of a particular data-type, then an empty element named <AnySubject>, <AnyResource> or <AnyAction> is used. An XACML PDP verifies that the subjects, resource and action identified in the request context are all present in the target of the rules that it uses to evaluate the decision request. Target definitions are discrete, in order that applicable rules may be efficiently identified by the PDP.
The <Target> element may be absent from a <Rule>. In this case, the target of the <Rule> is the same as that of the parent <Policy> element.
Certain subject name-forms, resource name-forms and certain types of resource are internally structured. For instance, the X.500 directory name-form and RFC 822 name-form are structured subject name-forms, whereas an account number commonly has no discernible structure. UNIX file-system path-names and URIs are examples of structured resource name-forms. And an XML document is an example of a structured resource.
Generally, the name of a node (other than a leaf node) in a structured name-form is also a legal instance of the name-form. So, for instance, the RFC822 name "medico.com" is a legal RFC822 name identifying the set of mail addresses hosted by the medico.com mail server. And the XPath/XPointer value "ctx:ResourceContent/md:record/md:patient" is a legal XPath/XPointer value identifying a node-set in an XML document.
The question arises: how should a name that identifies a set of subjects or resources be interpreted by the PDP, whether it appears in a policy or a request context? Are they intended to represent just the node explicitly identified by the name, or are they intended to represent the entire sub-tree subordinate to that node?
In the case of subjects, there is no real entity that corresponds to such a node. So, names of this type always refer to the set of subjects subordinate in the name structure to the identified node. Consequently, non-leaf subject names should not be used in equality functions, only in match functions, such as "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match", not "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal" (see Appendix A).
On the other hand, in the case of resource names and resources themselves, three options exist. The name could refer to:
1. the contents of the identified node only;
2. the contents of the identified node and the contents of its immediate child nodes; or
3. the contents of the identified node and all its descendant nodes.
oasis--xacml-11pdf 22
44
624
625
626
627
628
629
630
631
632
633634
635636637638639
640641
642643644645646
647648649
650651
652653654655
656657658659660
661662
663
664
665
45
All three options are supported in XACML.

3.3.1.2 Effect

The effect of the rule indicates the rule-writer's intended consequence of a "True" evaluation for the rule. Two values are allowed: "Permit" and "Deny".

3.3.1.3 Condition

Condition represents a boolean expression that refines the applicability of the rule beyond the predicates implied by its target. Therefore, it may be absent.

3.3.2 Policy

From the data-flow model, one can see that rules are not exchanged amongst system entities. Therefore, a PAP combines rules in a policy. A policy comprises four main components:

- a target,
- a rule-combining algorithm-identifier,
- a set of rules and
- obligations.

Rules are described above. The remaining components are described in the following sub-sections.

3.3.2.1 Policy target

An XACML <PolicySet>, <Policy> or <Rule> element contains a <Target> element that specifies the set of subjects, resources and actions to which it applies. The <Target> of a <PolicySet> or <Policy> may be declared by the writer of the <PolicySet> or <Policy>, or it may be calculated from the <Target> elements of the <PolicySet>, <Policy> and <Rule> elements that it contains.

A system entity that calculates a <Target> in this way is not defined by XACML, but there are two logical methods that might be used. In one method, the <Target> element of the outer <PolicySet> or <Policy> (the "outer component") is calculated as the union of all the <Target> elements of the referenced <PolicySet>, <Policy> or <Rule> elements (the "inner components"). In another method, the <Target> element of the outer component is calculated as the intersection of all the <Target> elements of the inner components. The results of evaluation in each case will be very different: in the first case, the <Target> element of the outer component makes it applicable to any decision request that matches the <Target> element of at least one inner component; in the second case, the <Target> element of the outer component makes it applicable only to decision requests that match the <Target> elements of every inner component. Note that computing the intersection of a set of <Target> elements is likely only practical if the target data-model is relatively simple.

In cases where the <Target> of a <Policy> is declared by the policy writer, any component <Rule> elements in the <Policy> that have the same <Target> element as the <Policy> element may omit the <Target> element. Such <Rule> elements inherit the <Target> of the <Policy> in which they are contained.

3.3.2.2 Rule-combining algorithm

The rule-combining algorithm specifies the procedure by which the results of evaluating the component rules are combined when evaluating the policy, i.e. the Decision value placed in the response context by the PDP is the value of the policy, as defined by the rule-combining algorithm.

See Appendix C for definitions of the normative rule-combining algorithms.

3.3.2.3 Obligations

The XACML <Rule> syntax does not contain an element suitable for carrying obligations; therefore, if required in a policy, obligations must be added by the writer of the policy.

When a PDP evaluates a policy containing obligations, it returns certain of those obligations to the PEP in the response context. Section 7.11 explains which obligations are to be returned.

3.3.3 Policy set

A policy set comprises four main components:

- a target,
- a policy-combining algorithm-identifier,
- a set of policies and
- obligations.

The target and policy components are described above. The other components are described in the following sub-sections.

3.3.3.1 Policy-combining algorithm

The policy-combining algorithm specifies the procedure by which the results of evaluating the component policies are combined when evaluating the policy set, i.e. the Decision value placed in the response context by the PDP is the result of evaluating the policy set, as defined by the policy-combining algorithm.

See Appendix C for definitions of the normative policy-combining algorithms.

3.3.3.2 Obligations

The writer of a policy set may add obligations to the policy set, in addition to those contained in the component policies and policy sets.

When a PDP evaluates a policy set containing obligations, it returns certain of those obligations to the PEP in its response context. Section 7.11 explains which obligations are to be returned.
4 Examples (non-normative)

This section contains two examples of the use of XACML for illustrative purposes. The first example is a relatively simple one to illustrate the use of target, context, matching functions and subject attributes. The second example additionally illustrates the use of the rule-combining algorithm, conditions and obligations.

4.1 Example one

4.1.1 Example policy

Assume that a corporation named Medi Corp (medico.com) has an access control policy that states, in English:

Any user with an e-mail name in the "medico.com" namespace is allowed to perform any action on any resource.

An XACML policy consists of header information, an optional text description of the policy, a target, one or more rules and an optional set of obligations.

The header for this policy is:

[p01] <?xml version="1.0" encoding="UTF-8"?>
[p02] <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[p03]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[p04]   xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy
[p05]   http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-policy-01.xsd"
[p06]   PolicyId="identifier:example:SimplePolicy1"
[p07]   RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">

[p01] is a standard XML document tag indicating which version of XML is being used and what the character encoding is.

[p02] introduces the XACML Policy itself.

[p03-p05] are XML namespace declarations.

[p05] gives a URL to the schema for XACML policies.

[p06] assigns a name to this policy instance. The name of a policy should be unique for a given PDP, so that there is no ambiguity if one policy is referenced from another policy.

[p07] specifies the algorithm that will be used to resolve the results of the various rules that may be in the policy. The deny-overrides rule-combining algorithm specified here says that, if any rule evaluates to "Deny", then that policy must return "Deny". If all rules evaluate to "Permit", then the policy must return "Permit". The rule-combining algorithm, which is fully described in Appendix C, also says what to do if an error were to occur when evaluating any rule, and what to do with rules that do not apply to a particular decision request.

[p08]   <Description>
[p09]     Medi Corp access control policy
[p10]   </Description>

[p08-p10] provide a text description of the policy. This description is optional.

[p11]   <Target>
[p12]     <Subjects>
[p13]       <AnySubject/>
[p14]     </Subjects>
[p15]     <Resources>
[p16]       <AnyResource/>
[p17]     </Resources>
[p18]     <Actions>
[p19]       <AnyAction/>
[p20]     </Actions>
[p21]   </Target>

[p11-p21] describe the decision requests to which this policy applies. If the subject, resource and action in a decision request do not match the values specified in the target, then the remainder of the policy does not need to be evaluated. This target section is very useful for creating an index to a set of policies. In this simple example, the target section says the policy is applicable to any decision request.

[p22]   <Rule
[p23]     RuleId="urn:oasis:names:tc:xacml:1.0:example:SimpleRule1"
[p24]     Effect="Permit">

[p22] introduces the one and only rule in this simple policy. Just as for a policy, each rule must have a unique identifier (at least unique for any PDP that will be using the policy).

[p23] specifies the identifier for this rule.

[p24] says what effect this rule has if the rule evaluates to "True". Rules can have an effect of either "Permit" or "Deny". In this case, the rule will evaluate to "Permit", meaning that, as far as this one rule is concerned, the requested access should be permitted. If a rule evaluates to "False", then it returns a result of "NotApplicable". If an error occurs when evaluating the rule, the rule returns a result of "Indeterminate". As mentioned above, the rule-combining algorithm for the policy tells how various rule values are combined into a single policy value.

[p25]     <Description>
[p26]       Any subject with an e-mail name in the medico.com domain
[p27]       can perform any action on any resource.
[p28]     </Description>

[p25-p28] provide a text description of this rule. This description is optional.

[p29]     <Target>

[p29] introduces the target of the rule. As described above for the target of a policy, the target of a rule describes the decision requests to which this rule applies. If the subject, resource and action in a decision request do not match the values specified in the rule target, then the remainder of the rule does not need to be evaluated, and a value of "NotApplicable" is returned to the policy evaluation.

[p30]       <Subjects>
[p31]         <Subject>
[p32]           <SubjectMatch MatchId=
                  "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
[p33]             <SubjectAttributeDesignator
[p34]               AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
[p35]               DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
[p36]             <AttributeValue
[p37]               DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">medico.com
[p38]             </AttributeValue>
[p39]           </SubjectMatch>
[p40]         </Subject>
[p41]       </Subjects>
[p42]       <Resources>
[p43]         <AnyResource/>
[p44]       </Resources>
[p45]       <Actions>
[p46]         <AnyAction/>
[p47]       </Actions>
[p48]     </Target>
The rule target is similar to the target of the policy itself, but with one important difference: [p32-p41] do not say <AnySubject/>, but instead spell out a specific value that the subject in the decision request must match. The <SubjectMatch> element specifies a matching function in the MatchId attribute, a pointer to a specific subject attribute in the request context by means of the <SubjectAttributeDesignator> element, and a literal value of "medico.com". The matching function will be used to compare the value of the subject attribute with the literal value. Only if the match returns "True" will this rule apply to a particular decision request. If the match returns "False", then this rule will return a value of "NotApplicable".

[p49]   </Rule>
[p50] </Policy>

[p49] closes the rule we have been examining. In this rule, all the work is done in the <Target> element. In more complex rules, the <Target> may have been followed by a <Condition> (which could also be a set of conditions to be ANDed or ORed together).

[p50] closes the policy we have been examining. As mentioned above, this policy has only one rule, but more complex policies may have any number of rules.

4.1.2 Example request context

Let's examine a hypothetical decision request that might be submitted to a PDP using the policy above. In English, the access request that generates the decision request may be stated as follows:

Bart Simpson, with e-mail name bs@simpsons.com, wants to read his medical record at Medi Corp.

In XACML, the information in the decision request is formatted into a request context statement that looks as follows:

[c01] <?xml version="1.0" encoding="UTF-8"?>
[c02] <Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
[c03]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[c04]   xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context
[c05]   http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-context-01.xsd">

[c01-c05] are the header for the request context, and are used the same way as the header for the policy explained above.

[c06]   <Subject>
[c07]     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
[c08]       DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
[c09]       <AttributeValue>bs@simpsons.com</AttributeValue>
[c10]     </Attribute>
[c11]   </Subject>

The <Subject> element contains one or more attributes of the entity making the access request. There can be multiple subjects, and each subject can have multiple attributes. In this case, in [c06-c11], there is only one subject, and the subject has only one attribute: the subject's identity, expressed as an e-mail name, is "bs@simpsons.com".

[c12]   <Resource>
[c13]     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:ufs-path"
[c14]       DataType="http://www.w3.org/2001/XMLSchema#anyURI">
[c15]       <AttributeValue>/medico/record/patient/BartSimpson</AttributeValue>
[c16]     </Attribute>
[c17]   </Resource>

The <Resource> element contains one or more attributes of the resource to which the subject (or subjects) has requested access. There can be only one <Resource> per decision request. Lines [c13-c16] contain the one attribute of the resource to which Bart Simpson has requested access: the resource UNIX file-system path-name, which is "/medico/record/patient/BartSimpson".

[c18]   <Action>
[c19]     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
[c20]       DataType="http://www.w3.org/2001/XMLSchema#string">
[c21]       <AttributeValue>read</AttributeValue>
[c22]     </Attribute>
[c23]   </Action>

The <Action> element contains one or more attributes of the action that the subject (or subjects) wishes to take on the resource. There can be only one action per decision request. [c18-c23] describe the identity of the action Bart Simpson wishes to take, which is "read".

[c24] </Request>

[c24] closes the request context. A more complex request context may have contained some attributes not associated with the subject, the resource or the action. These would have been placed in an optional <Environment> element following the <Action> element.

The PDP processing this request context locates the policy in its policy repository. It compares the subject, resource and action in the request context with the subjects, resources and actions in the policy target. Since the policy target matches the <AnySubject/>, <AnyResource/> and <AnyAction/> elements, the policy matches this context.

The PDP now compares the subject, resource and action in the request context with the target of the one rule in this policy. The requested resource matches the <AnyResource/> element and the requested action matches the <AnyAction/> element, but the requesting subject-id attribute does not match "medico.com".

4.1.3 Example response context

As a result, there is no rule in this policy that returns a "Permit" result for this request. The rule-combining algorithm for the policy specifies that, in this case, a result of "NotApplicable" should be returned. The response context looks as follows:

[r01] <?xml version="1.0" encoding="UTF-8"?>
[r02] <Response xmlns="urn:oasis:names:tc:xacml:1.0:context"
[r03]   xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context
[r04]   http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-context-01.xsd">

[r01-r04] contain the same sort of header information for the response as was described above for a policy.

[r05]   <Result>
[r06]     <Decision>NotApplicable</Decision>
[r07]   </Result>

The <Result> element in lines [r05-r07] contains the result of evaluating the decision request against the policy. In this case, the result is "NotApplicable". A policy can return "Permit", "Deny", "NotApplicable" or "Indeterminate".

[r08] </Response>

[r08] closes the response context.
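The evaluation just walked through in 4.1.1 to 4.1.3, together with the deny-overrides combining step that 3.3.2.2 defers to Appendix C and the match-versus-equal point about non-leaf subject names made in 3.3.1.1, as an added, self-contained Python illustration. This is not code from the specification or from any XACML implementation: the class names, the dictionary form of the request context (category, then AttributeId, then a bag of values), the paraphrase of the rfc822Name-match semantics and the constructed e-mail addresses in the comments are all assumptions made here for illustration. What it shows is the shape of the PDP's work: a <Target> is a conjunction of matches, each match is a MatchId function applied to a designated attribute bag and a literal, an absent attribute is an empty bag (no match), an evaluation error becomes "Indeterminate", and the rule-combining algorithm turns the rule decisions into the policy decision.

```python
"""Added mini PDP (not the spec's code): runs example one's policy end to end."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
# Request context reduced to what target matching needs (an assumption of this
# illustration): category ("subject" | "resource" | "action") -> AttributeId -> bag.
RequestContext = Dict[str, Dict[str, List[str]]]


def rfc822name_match(pattern: str, address: str) -> bool:
    """urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match, paraphrasing
    Appendix A: a pattern without '@' names a whole domain (case-insensitive), a
    pattern starting with '.' names sub-domains, and a full address must match
    with a case-sensitive local-part. A malformed address is an evaluation error."""
    local, at, domain = address.rpartition("@")
    if not (at and local and domain):
        raise ValueError(f"not an rfc822Name: {address!r}")
    domain = domain.lower()
    if "@" in pattern:
        p_local, _, p_domain = pattern.rpartition("@")
        return p_local == local and p_domain.lower() == domain
    if pattern.startswith("."):
        return domain.endswith(pattern.lower())
    return domain == pattern.lower()


@dataclass
class Match:
    """One <SubjectMatch>/<ResourceMatch>/<ActionMatch>: the MatchId function,
    the designated attribute (category + AttributeId) and the literal value."""
    category: str
    attribute_id: str
    function: Callable[[str, str], bool]
    literal: str

    def holds(self, request: RequestContext) -> bool:
        bag = request.get(self.category, {}).get(self.attribute_id, [])
        # Positive if the literal matches any value in the bag; an absent
        # attribute gives an empty bag and therefore no match.
        return any(self.function(self.literal, v) for v in bag)


@dataclass
class Target:
    """An empty match list models <AnySubject/>, <AnyResource/> and <AnyAction/>."""
    matches: List[Match]

    def applies(self, request: RequestContext) -> bool:
        return all(m.holds(request) for m in self.matches)


@dataclass
class Rule:
    rule_id: str
    effect: str
    target: Target

    def evaluate(self, request: RequestContext) -> str:
        try:
            return self.effect if self.target.applies(request) else NOT_APPLICABLE
        except ValueError:
            return INDETERMINATE  # error during evaluation, as [p24] describes


def combine_deny_overrides(results: Sequence[Tuple[str, str]]) -> str:
    """Deny-overrides over (decision, effect) pairs, following Appendix C: any
    Deny wins; an Indeterminate rule whose effect is Deny might have denied, so
    the policy is Indeterminate; otherwise any Permit wins."""
    potential_deny = any_permit = any_error = False
    for decision, effect in results:
        if decision == DENY:
            return DENY
        if decision == PERMIT:
            any_permit = True
        elif decision == INDETERMINATE:
            any_error, potential_deny = True, potential_deny or effect == DENY
    if potential_deny:
        return INDETERMINATE
    if any_permit:
        return PERMIT
    return INDETERMINATE if any_error else NOT_APPLICABLE


@dataclass
class Policy:
    policy_id: str
    target: Target
    rules: List[Rule]

    def evaluate(self, request: RequestContext) -> str:
        try:
            if not self.target.applies(request):
                return NOT_APPLICABLE
        except ValueError:
            return INDETERMINATE
        return combine_deny_overrides([(r.evaluate(request), r.effect) for r in self.rules])


# SimplePolicy1 of 4.1.1: AnySubject/AnyResource/AnyAction at policy level; one
# Permit rule whose target wants a subject-id e-mail name in medico.com.
SIMPLE_POLICY_1 = Policy("identifier:example:SimplePolicy1", Target([]), [
    Rule("urn:oasis:names:tc:xacml:1.0:example:SimpleRule1", PERMIT,
         Target([Match("subject", SUBJECT_ID, rfc822name_match, "medico.com")]))])

# The request context of 4.1.2: Bart Simpson (bs@simpsons.com) reads his record.
BART_REQUEST: RequestContext = {
    "subject": {SUBJECT_ID: ["bs@simpsons.com"]},
    "resource": {"urn:oasis:names:tc:xacml:1.0:resource:ufs-path": ["/medico/record/patient/BartSimpson"]},
    "action": {"urn:oasis:names:tc:xacml:1.0:action:action-id": ["read"]},
}
```

`SIMPLE_POLICY_1.evaluate(BART_REQUEST)` yields "NotApplicable", the decision shown in 4.1.3. Substituting a constructed address such as "nurse.betty@MEDICO.com" for the subject-id yields "Permit", because the domain-part is compared case-insensitively; a value that is not an e-mail address at all yields "Indeterminate" rather than a silent non-match. The separate `combine_deny_overrides` function is what makes the Appendix C behaviour visible: a "Permit" alongside an "Indeterminate" from a Deny-effect rule is reported as "Indeterminate", since that rule might have denied, whereas the same "Indeterminate" from a Permit-effect rule does not override a "Permit".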
4.2 Example two

This section contains an example XML document, an example request context and example XACML rules. The XML document is a medical record. Four separate rules are defined. These illustrate a rule-combining algorithm, conditions and obligations.
4.2.1 Example medical record instance

The following is an instance of a medical record to which the example XACML rules can be applied. The <record> schema is defined in the registered namespace administered by medico.com.

<?xml version="1.0" encoding="UTF-8"?>
<record xmlns="http://www.medico.com/schemas/record.xsd"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <patient>
    <patientName>
      <first>Bartholomew</first>
      <last>Simpson</last>
    </patientName>
    <patientContact>
      <street>27 Shelbyville Road</street>
      <city>Springfield</city>
      <state>MA</state>
      <zip>12345</zip>
      <phone>555.123.4567</phone>
      <fax/>
      <email/>
    </patientContact>
    <patientDoB>1992-03-21</patientDoB>
    <patientGender>male</patientGender>
    <patient-number>555555</patient-number>
  </patient>
  <parentGuardian>
    <parentGuardianId>HS001</parentGuardianId>
    <parentGuardianName>
      <first>Homer</first>
      <last>Simpson</last>
    </parentGuardianName>
    <parentGuardianContact>
      <street>27 Shelbyville Road</street>
      <city>Springfield</city>
      <state>MA</state>
      <zip>12345</zip>
      <phone>555.123.4567</phone>
      <fax/>
      <email>homers@aol.com</email>
    </parentGuardianContact>
  </parentGuardian>
  <primaryCarePhysician>
    <physicianName>
      <first>Julius</first>
      <last>Hibbert</last>
    </physicianName>
    <physicianContact>
      <street>1 First St</street>
      <city>Springfield</city>
      <state>MA</state>
      <zip>12345</zip>
      <phone>555.123.9012</phone>
      <fax>555.123.9013</fax>
      <email/>
    </physicianContact>
    <registrationID>ABC123</registrationID>
  </primaryCarePhysician>
  <insurer>
    <name>Blue Cross</name>
    <street>1234 Main St</street>
    <city>Springfield</city>
    <state>MA</state>
    <zip>12345</zip>
    <phone>555.123.5678</phone>
    <fax>555.123.5679</fax>
    <email/>
  </insurer>
  <medical>
    <treatment>
      <drug>
        <name>methylphenidate hydrochloride</name>
        <dailyDosage>30mgs</dailyDosage>
        <startDate>1999-01-12</startDate>
      </drug>
      <comment>patient exhibits side-effects of skin coloration and carpal degeneration</comment>
    </treatment>
    <result>
      <test>blood pressure</test>
      <value>120/80</value>
      <date>2001-06-09</date>
      <performedBy>Nurse Betty</performedBy>
    </result>
  </medical>
</record>
4.2.2 Example request context

The following example illustrates a request context to which the example rules may be applicable. It represents a request by the physician Julius Hibbert to read the patient date of birth in the record of Bartholomew Simpson.

[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
[03]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
[04]   <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
[05]     <Attribute AttributeId=
[06]         "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
[07]       DataType=
[08]         "urn:oasis:names:tc:xacml:1.0:data-type:x500Name"
[09]       Issuer="www.medico.com"
[10]       IssueInstant="2001-12-17T09:30:47-05:00">
[11]       <AttributeValue>CN=Julius Hibbert</AttributeValue>
[12]     </Attribute>
[13]     <Attribute AttributeId=
[14]         "urn:oasis:names:tc:xacml:1.0:example:attribute:role"
[15]       DataType="http://www.w3.org/2001/XMLSchema#string"
[16]       Issuer="www.medico.com"
[17]       IssueInstant="2001-12-17T09:30:47-05:00">
[18]       <AttributeValue>physician</AttributeValue>
[19]     </Attribute>
[20]     <Attribute AttributeId=
[21]         "urn:oasis:names:tc:xacml:1.0:example:attribute:physician-id"
[22]       DataType="http://www.w3.org/2001/XMLSchema#string"
[23]       Issuer="www.medico.com"
[24]       IssueInstant="2001-12-17T09:30:47-05:00">
[25]       <AttributeValue>jh1234</AttributeValue>
[26]     </Attribute>
[27]   </Subject>
[28]   <Resource>
[29]     <ResourceContent>
[30]       <md:record
[31]         xmlns:md="http://www.medico.com/schemas/record.xsd">
[32]         <md:patient>
[33]           <md:patientDoB>1992-03-21</md:patientDoB>
[34]         </md:patient>
[35]         <!-- other fields -->
[36]       </md:record>
[37]     </ResourceContent>
[38]     <Attribute AttributeId=
[39]         "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
[40]       DataType="http://www.w3.org/2001/XMLSchema#string">
[41]       <AttributeValue>
[42]         //medico.com/records/bart-simpson.xml#
[43]         xmlns(md=http://www.medico.com/schemas/record.xsd)
[44]         xpointer(/md:record/md:patient/md:patientDoB)
[45]       </AttributeValue>
[46]     </Attribute>
[47]     <Attribute AttributeId=
[48]         "urn:oasis:names:tc:xacml:1.0:resource:xpath"
[49]       DataType="http://www.w3.org/2001/XMLSchema#string">
[50]       <AttributeValue>
[51]         xmlns(md=http://www.medico.com/schemas/record.xsd)
[52]         xpointer(/md:record/md:patient/md:patientDoB)
[53]       </AttributeValue>
[54]     </Attribute>
[55]     <Attribute AttributeId=
[56]         "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
[57]       DataType="http://www.w3.org/2001/XMLSchema#string">
[58]       <AttributeValue>
[59]         http://www.medico.com/schemas/record.xsd
[60]       </AttributeValue>
[61]     </Attribute>
[62]   </Resource>
[63]   <Action>
[64]     <Attribute AttributeId=
[65]         "urn:oasis:names:tc:xacml:1.0:action:action-id"
[66]       DataType="http://www.w3.org/2001/XMLSchema#string">
[67]       <AttributeValue>read</AttributeValue>
[68]     </Attribute>
[69]   </Action>
[70] </Request>

[02]-[03] Standard namespace declarations.

[04]-[27] Subject attributes are placed in the Subject section of the Request. Each attribute consists of the attribute meta-data and the attribute value.

[04] Each Subject element has a SubjectCategory XML attribute. The value of this attribute describes the role that the subject plays in making the decision request. The value of "access-subject" denotes the identity for which the request was issued.

[05]-[12] Subject subject-id attribute.

[13]-[19] Subject role attribute.

[20]-[26] Subject physician-id attribute.

[28]-[62] Resource attributes are placed in the Resource section of the Request. Each attribute consists of attribute meta-data and an attribute value.

[29]-[36] Resource content. The XML document that is being requested is placed here.

[38]-[46] Resource identifier.
[47]-[61] The Resource is identified with an XPointer expression that names the URI of the file that is accessed, the target namespace of the document and the XPath location path to the specific element.

[47]-[54] The XPath location path in the "resource-id" attribute is extracted and placed in the xpath attribute.

[55]-[61] Resource target-namespace attribute.

[63]-[69] Action attributes are placed in the Action section of the Request.

[64]-[68] Action identifier.

4.2.3 Example plain-language rules

The following plain-language rules are to be enforced:

Rule 1: A person, identified by his or her patient number, may read any record for which he or she is the designated patient.

Rule 2: A person may read any record for which he or she is the designated parent or guardian, and for which the patient is under 16 years of age.

Rule 3: A physician may write to any medical element for which he or she is the designated primary care physician, provided an email is sent to the patient.

Rule 4: An administrator shall not be permitted to read or write to medical elements of a patient record.

These rules may be written by different PAPs operating independently, or by a single PAP.

4.2.4 Example XACML rule instances

4.2.4.1 Rule 1

Rule 1 illustrates a simple rule with a single <Condition> element. The following XACML <Rule> instance expresses Rule 1:

[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Rule
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   xmlns:ctx="urn:oasis:names:tc:xacml:1.0:context"
[06]   xmlns:md="http://www.medico.com/schemas/record.xsd"
[07]   RuleId="urn:oasis:names:tc:xacml:examples:ruleid:1"
[08]   Effect="Permit">
[09]   <Description>
[10]     A person may read any medical record in the
[11]     http://www.medico.com/schemas/record.xsd namespace
[12]     for which he or she is a designated patient
[13]   </Description>
[14]   <Target>
[15]     <Subjects>
[16]       <AnySubject/>
[17]     </Subjects>
[18]     <Resources>
[20]       <Resource>
[21]         <!-- match document target namespace -->
[22]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[23]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[24]             http://www.medico.com/schemas/record.xsd
[25]           </AttributeValue>
[26]           <ResourceAttributeDesignator AttributeId=
[27]             "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[28]         </ResourceMatch>
[29]         <!-- match requested xml element -->
[30]         <ResourceMatch
               MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-node-match">
[31]           <AttributeValue
               DataType="http://www.w3.org/2001/XMLSchema#string">md:record</AttributeValue>
[32]           <ResourceAttributeDesignator AttributeId=
[33]             "urn:oasis:names:tc:xacml:1.0:resource:xpath"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[34]         </ResourceMatch>
[35]       </Resource>
[36]     </Resources>
[37]     <Actions>
[38]       <Action>
[39]         <ActionMatch
               MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[40]           <AttributeValue
               DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
[41]           <ActionAttributeDesignator AttributeId=
[42]             "urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[43]         </ActionMatch>
[44]       </Action>
[45]     </Actions>
[46]   </Target>
[47]   <!-- compare policy number in the document with
[48]        policy-number attribute -->
[49]   <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[50]     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[51]       <!-- policy-number attribute -->
[52]       <SubjectAttributeDesignator AttributeId=
[53]         "urn:oasis:names:tc:xacml:1.0:examples:attribute:policy-number"
           DataType="http://www.w3.org/2001/XMLSchema#string"/>
[54]     </Apply>
[55]     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[56]       <!-- policy number in the document -->
[57]       <AttributeSelector RequestContextPath=
[58]         "//md:record/md:patient/md:patient-number/text()"
           DataType="http://www.w3.org/2001/XMLSchema#string">
[59]       </AttributeSelector>
[60]     </Apply>
[61]   </Condition>
[62] </Rule>

[02]-[06] XML namespace declarations.

[07] Rule identifier.

[08] When a rule evaluates to 'True', it emits the value of the Effect attribute. This value is combined with the Effect values of other rules according to the rule-combining algorithm.
[09]-[13] Free-form description of the rule.

[14]-[46] A rule target defines a set of decision requests that are applicable to the rule. A decision request such that the value of the "urn:oasis:names:tc:xacml:1.0:resource:target-namespace" resource attribute is equal to "http://www.medico.com/schemas/record.xsd", and the value of the "urn:oasis:names:tc:xacml:1.0:resource:xpath" resource attribute matches the XPath expression "md:record", and the value of the "urn:oasis:names:tc:xacml:1.0:action:action-id" action attribute is equal to "read", matches the target of this rule.

[15]-[17] The Subjects element may contain either a disjunctive sequence of Subject elements or an AnySubject element.

[16] The AnySubject element is a special element that matches any subject in the request context.

[18]-[36] The Resources element may contain either a disjunctive sequence of Resource elements or an AnyResource element.

[20]-[35] The Resource element encloses the conjunctive sequence of ResourceMatch elements.

[22]-[28] The ResourceMatch element compares its first and second child elements according to the matching function. A match is positive if the value of the first argument matches any of the values selected by the second argument. This match compares the target namespace of the requested document with the value "http://www.medico.com/schemas/record.xsd".

[22] The MatchId attribute names the matching function.

[23]-[25] Literal attribute value to match.

[26]-[27] The ResourceAttributeDesignator element selects the resource attribute values from the request context. The attribute name is specified by the AttributeId. The selection result is a bag of values.

[30]-[34] The ResourceMatch. This match compares the results of two XPath expressions. The first XPath expression is md:record and the second XPath expression is the location path to the requested XML element. The "xpath-node-match" function evaluates to "True" if the requested XML element is below the md:record element.

[30] The MatchId attribute names the matching function.

[31] The literal XPath expression to match. The md prefix is resolved using a standard namespace declaration.

[32]-[33] The ResourceAttributeDesignator selects the bag of values for the "urn:oasis:names:tc:xacml:1.0:resource:xpath" resource attribute. Here there is just one element in the bag, which is the location path for the requested XML element.

[37]-[45] The Actions element may contain either a disjunctive sequence of Action elements or an AnyAction element.

[38]-[44] The Action element contains a conjunctive sequence of ActionMatch elements.

[39]-[43] The ActionMatch element compares its first and second child elements according to the matching function. A match is positive if the value of the first argument matches any of the values selected by the second argument. In this case, the value of the action-id action attribute in the request context is compared with the value "read".
[39] The MatchId attribute names the matching function.
[40] The attribute value to match. This is an action name.
[41]-[42] The ActionAttributeDesignator selects action attribute values from the request context. The attribute name is specified by the AttributeId. The selection result is a bag of values. "urn:oasis:names:tc:xacml:1.0:action:action-id" is the predefined name for the action identifier.
[49]-[61] The <Condition> element. A condition must evaluate to "True" for the rule to be applicable. This condition evaluates the truth of the statement: the patient-number subject attribute is equal to the patient-number in the XML document.
[49] The FunctionId attribute of the <Condition> element names the function to be used for comparison. In this case the comparison is done with urn:oasis:names:tc:xacml:1.0:function:string-equal; this function takes two arguments of the "http://www.w3.org/2001/XMLSchema#string" data-type.
[50] The first argument to urn:oasis:names:tc:xacml:1.0:function:string-equal in the Condition. Functions can take other functions as arguments. The Apply element encodes the function call, with the FunctionId attribute naming the function. Since urn:oasis:names:tc:xacml:1.0:function:string-equal takes arguments of the "http://www.w3.org/2001/XMLSchema#string" data-type and the SubjectAttributeDesignator selects a bag of "http://www.w3.org/2001/XMLSchema#string" values, "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" is used. This function guarantees that its argument evaluates to a bag containing one and only one "http://www.w3.org/2001/XMLSchema#string" element.
[52]-[53] The SubjectAttributeDesignator selects a bag of values for the policy-number subject attribute in the request context.
[55] The second argument to "urn:oasis:names:tc:xacml:1.0:function:string-equal" in the Condition. Functions can take other functions as arguments. The Apply element encodes the function call, with the FunctionId attribute naming the function. Since "urn:oasis:names:tc:xacml:1.0:function:string-equal" takes arguments of the "http://www.w3.org/2001/XMLSchema#string" data-type and the AttributeSelector selects a bag of "http://www.w3.org/2001/XMLSchema#string" values, "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" is used. This function guarantees that its argument evaluates to a bag containing one and only one "http://www.w3.org/2001/XMLSchema#string" element.
[57] The AttributeSelector element selects a bag of values from the request context. The AttributeSelector is a free-form XPath pointing device into the request context. The RequestContextPath attribute specifies an XPath expression over the content of the requested XML document, selecting the policy number. Note that the namespace prefixes in the XPath expression are resolved with the standard XML namespace declarations.
4.2.4.2 Rule 2
Rule 2 illustrates the use of a mathematical function, i.e. the <Apply> element with FunctionId urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration, to calculate a date. It also illustrates the use of predicate expressions with the FunctionId urn:oasis:names:tc:xacml:1.0:function:and.
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Rule
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   xmlns:ctx="urn:oasis:names:tc:xacml:1.0:context"
[06]   xmlns:md="http://www.medico.com/schemas/record.xsd"
[07]   RuleId="urn:oasis:names:tc:xacml:examples:ruleid:2"
[08]   Effect="Permit">
[09]   <Description>
[10]     A person may read any medical record in the
[11]     http://www.medico.com/records.xsd namespace
[12]     for which he or she is the designated parent or guardian,
[13]     and for which the patient is under 16 years of age
[14]   </Description>
[15]   <Target>
[16]     <Subjects>
[17]       <AnySubject/>
[18]     </Subjects>
[19]     <Resources>
[20]       <Resource>
[21]         <!-- match document target namespace -->
[22]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[23]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[24]             http://www.medico.com/schemas/record.xsd
[25]           </AttributeValue>
[26]           <ResourceAttributeDesignator AttributeId=
[27]             "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[28]         </ResourceMatch>
[29]         <!-- match requested xml element -->
[30]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-node-match">
[31]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">//md:record</AttributeValue>
[32]           <ResourceAttributeDesignator AttributeId=
[33]             "urn:oasis:names:tc:xacml:1.0:resource:xpath"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[34]         </ResourceMatch>
[35]       </Resource>
[36]     </Resources>
[37]     <Actions>
[38]       <Action>
[39]         <!-- match read action -->
[40]         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[41]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
[42]           <ActionAttributeDesignator AttributeId=
[43]             "urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[44]         </ActionMatch>
[45]       </Action>
[46]     </Actions>
[47]   </Target>
[48]   <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
[49]     <!-- compare parent-guardian-id subject attribute with
[50]          the value in the document -->
[51]     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[52]       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[53]         <!-- parent-guardian-id subject attribute -->
[54]         <SubjectAttributeDesignator AttributeId=
[55]           "urn:oasis:names:tc:xacml:1.0:examples:attribute:
[56]            parent-guardian-id"
             DataType="http://www.w3.org/2001/XMLSchema#string"/>
[57]       </Apply>
[58]       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[59]         <!-- parent-guardian-id element in the document -->
[60]         <AttributeSelector RequestContextPath=
[61]           "//md:record/md:parentGuardian/md:parentGuardianId/text()"
[62]           DataType="http://www.w3.org/2001/XMLSchema#string">
[63]         </AttributeSelector>
[64]       </Apply>
[65]     </Apply>
[66]     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-less-or-equal">
[67]       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
[68]         <EnvironmentAttributeDesignator AttributeId=
[69]           "urn:oasis:names:tc:xacml:1.0:environment:current-date"
             DataType="http://www.w3.org/2001/XMLSchema#date"/>
[70]       </Apply>
[71]       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration">
[73]         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
[74]           <!-- patient dob recorded in the document -->
[75]           <AttributeSelector RequestContextPath=
[76]             "//md:record/md:patient/md:patientDoB/text()"
               DataType="http://www.w3.org/2001/XMLSchema#date">
[77]           </AttributeSelector>
[78]         </Apply>
[79]         <AttributeValue DataType="http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration">
[80]           P16Y
[81]         </AttributeValue>
[82]       </Apply>
[83]     </Apply>
[84]   </Condition>
[85] </Rule>
[02]-[47] Rule declaration and rule target. See Rule 1 in Section 4.2.4.1 for the detailed explanation of these elements.
[48]-[82] The Condition element. The Condition must evaluate to "True" for the rule to be applicable. This condition evaluates the truth of the statement: the requestor is the designated parent or guardian and the patient is under 16 years of age.
[48] The Condition uses the "urn:oasis:names:tc:xacml:1.0:function:and" function. This is a boolean function that takes one or more boolean arguments (2 in this case) and performs the logical "AND" operation to compute the truth value of the expression.
[51]-[65] The truth of the first part of the condition is evaluated: the requestor is the designated parent or guardian. The Apply element contains a function invocation. The function name is contained in the FunctionId attribute. The comparison is done with "urn:oasis:names:tc:xacml:1.0:function:string-equal", which takes 2 arguments of the "http://www.w3.org/2001/XMLSchema#string" data-type.
[52] Since "urn:oasis:names:tc:xacml:1.0:function:string-equal" takes arguments of the "http://www.w3.org/2001/XMLSchema#string" data-type, "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" is used to ensure that the subject attribute "urn:oasis:names:tc:xacml:1.0:examples:attribute:parent-guardian-id" in the request context contains one and only one value. "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" takes an argument expression that evaluates to a bag of "http://www.w3.org/2001/XMLSchema#string" values.
[54] The value of the subject attribute "urn:oasis:names:tc:xacml:1.0:examples:attribute:parent-guardian-id" is selected from the request context with the <SubjectAttributeDesignator> element. This expression evaluates to a bag of "http://www.w3.org/2001/XMLSchema#string" values.
[58] "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" is used to ensure that the bag of values selected by its argument contains one and only one value of data-type "http://www.w3.org/2001/XMLSchema#string".
[60] The value of the md:parentGuardianId element is selected from the resource content with the AttributeSelector element. The AttributeSelector is a free-form XPath expression pointing into the request context. The RequestContextPath XML attribute contains an XPath expression over the request context. Note that all namespace prefixes in the XPath expression are resolved with standard namespace declarations. The AttributeSelector evaluates to a bag of values of data-type "http://www.w3.org/2001/XMLSchema#string".
[66]-[83] The expression "the patient is under 16 years of age" is evaluated. The patient is under 16 years of age if the current date is less than the date computed by adding 16 years to the patient's date of birth.
[66] "urn:oasis:names:tc:xacml:1.0:function:date-less-or-equal" is used to compute the difference of two dates.
[67] "urn:oasis:names:tc:xacml:1.0:function:date-one-and-only" is used to ensure that the bag of values selected by its argument contains one and only one value of data-type "http://www.w3.org/2001/XMLSchema#date".
[68]-[69] The current date is evaluated by selecting the "urn:oasis:names:tc:xacml:1.0:environment:current-date" environment attribute.
[71] "urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration" is used to compute the date by adding 16 years to the patient's date of birth. The first argument is a "http://www.w3.org/2001/XMLSchema#date" and the second argument is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration".
[73] "urn:oasis:names:tc:xacml:1.0:function:date-one-and-only" is used to ensure that the bag of values selected by its argument contains one and only one value of data-type "http://www.w3.org/2001/XMLSchema#date".
[75]-[76] The <AttributeSelector> element selects the patient's date of birth by evaluating the XPath expression over the document content.
[79]-[81] A yearMonthDuration of 16 years.
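The evaluation steps described for lines [48]-[83] (bags, the one-and-only functions, the date arithmetic, and the left-to-right "and") can be followed in a small Python evaluator. The code below is an added example, not code from the specification: the resource content, the request layout (dictionaries of bags keyed by AttributeId) and the function names are constructed for this example, while the attribute ids and XPath expressions are the ones used in Rule 2. ElementTree spells the descendant axis ".//" rather than "//", so the paths are written that way.

```python
"""Mini evaluator for the Rule 2 <Condition> (added example, not spec code).

Models the steps the rule relies on:
  * designators and selectors return bags (Python lists) of typed values,
  * *-one-and-only is Indeterminate unless the bag holds exactly one value,
  * date-add-yearMonthDuration adds a literal such as P16Y to a date,
  * function:and is evaluated left to right and stops at the first False.
"""
import calendar
import re
from datetime import date
from xml.etree import ElementTree as ET

MD_NS = "http://www.medico.com/schemas/record.xsd"
NS = {"md": MD_NS}
PARENT_GUARDIAN_ID = "urn:oasis:names:tc:xacml:1.0:examples:attribute:parent-guardian-id"
CURRENT_DATE = "urn:oasis:names:tc:xacml:1.0:environment:current-date"


class Indeterminate(Exception):
    """A function could not produce a value (the XACML Indeterminate result)."""


def one_and_only(bag):
    # string-one-and-only / date-one-and-only: exactly one element, else Indeterminate
    if len(bag) != 1:
        raise Indeterminate(f"bag has {len(bag)} values, expected exactly one")
    return bag[0]


def attribute_selector(resource_content, path):
    # AttributeSelector: XPath over the resource content of the request context.
    # ElementTree handles the subset the rule uses (a descendant path ending in text()).
    element_path = path[:-len("/text()")] if path.endswith("/text()") else path
    return [e.text.strip() for e in resource_content.findall(element_path, NS) if e.text]


def parse_year_month_duration(literal):
    # yearMonthDuration literal (P16Y, P1Y6M, P18M) -> total number of months
    m = re.fullmatch(r"P(?:(\d+)Y)?(?:(\d+)M)?", literal)
    if not m or literal == "P":
        raise Indeterminate(f"not a yearMonthDuration: {literal!r}")
    return int(m.group(1) or 0) * 12 + int(m.group(2) or 0)


def date_add_year_month_duration(d, duration):
    # date-add-yearMonthDuration: add whole months and clamp the day to the
    # length of the target month (2008-02-29 + P1Y is 2009-02-28)
    total = d.year * 12 + (d.month - 1) + parse_year_month_duration(duration)
    year, month0 = divmod(total, 12)
    day = min(d.day, calendar.monthrange(year, month0 + 1)[1])
    return date(year, month0 + 1, day)


def iso_date_add(iso_date, duration):
    # Convenience wrapper working on ISO date strings
    return date_add_year_month_duration(date.fromisoformat(iso_date), duration).isoformat()


def xacml_and(*thunks):
    # function:and, evaluated left to right; stops at the first False, and an
    # Indeterminate argument (raised by a thunk) makes the whole expression Indeterminate
    return all(thunk() for thunk in thunks)


def evaluate_rule2_condition(subject_attrs, environment_attrs, resource_content_xml):
    """Evaluate the Rule 2 <Condition>; returns True, False or "Indeterminate"."""
    content = ET.fromstring(resource_content_xml)

    def is_designated_guardian():  # lines [51]-[65]: string-equal of two one-and-only bags
        claimed = one_and_only(subject_attrs.get(PARENT_GUARDIAN_ID, []))
        on_record = one_and_only(attribute_selector(
            content, ".//md:record/md:parentGuardian/md:parentGuardianId/text()"))
        return claimed == on_record

    def is_under_16():  # lines [66]-[83]: current-date <= dob + P16Y
        today = date.fromisoformat(one_and_only(environment_attrs.get(CURRENT_DATE, [])))
        dob = date.fromisoformat(one_and_only(attribute_selector(
            content, ".//md:record/md:patient/md:patientDoB/text()")))
        return today <= date_add_year_month_duration(dob, "P16Y")

    try:
        return xacml_and(is_designated_guardian, is_under_16)
    except Indeterminate:
        return "Indeterminate"


# Constructed resource content, shaped like the md:record the example refers to
# (wrapped in a ResourceContent element as it would be in a request context).
RECORD = f"""<ResourceContent xmlns:md="{MD_NS}">
  <md:record>
    <md:patient><md:patientDoB>2010-05-20</md:patientDoB></md:patient>
    <md:parentGuardian><md:parentGuardianId>HS001</md:parentGuardianId></md:parentGuardian>
  </md:record>
</ResourceContent>"""

if __name__ == "__main__":
    print(evaluate_rule2_condition({PARENT_GUARDIAN_ID: ["HS001"]},
                                   {CURRENT_DATE: ["2020-01-01"]}, RECORD))
```

Two behaviours worth noticing: an absent or multi-valued parent-guardian-id attribute makes the condition Indeterminate rather than False, because the one-and-only function cannot produce a value; and when the first conjunct is already False the date comparison is never evaluated, so a missing current-date attribute does not turn a False into an Indeterminate.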
4.2.4.3 Rule 3
Rule 3 illustrates the use of an obligation. The XACML <Rule> element syntax does not include an element suitable for carrying an obligation; therefore Rule 3 has to be formatted as a <Policy> element.
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Policy
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   xmlns:ctx="urn:oasis:names:tc:xacml:1.0:context"
[06]   xmlns:md="http://www.medico.com/schemas/record.xsd"
[07]   PolicyId="urn:oasis:names:tc:xacml:examples:policyid:3"
[08]   RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:
[09]     rule-combining-algorithm:deny-overrides">
[10]   <Description>
[11]     Policy for any medical record in the
[12]     http://www.medico.com/schemas/record.xsd namespace
[13]   </Description>
[14]   <Target>
[15]     <Subjects>
[16]       <AnySubject/>
[17]     </Subjects>
[18]     <Resources>
[19]       <Resource>
[20]         <!-- match document target namespace -->
[21]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[22]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[23]             http://www.medico.com/schemas/record.xsd
[24]           </AttributeValue>
[25]           <ResourceAttributeDesignator AttributeId=
[26]             "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[27]         </ResourceMatch>
[28]       </Resource>
[29]     </Resources>
[30]     <Actions>
[31]       <AnyAction/>
[32]     </Actions>
[33]   </Target>
[34]   <Rule RuleId="urn:oasis:names:tc:xacml:examples:ruleid:3"
[35]     Effect="Permit">
[36]     <Description>
[37]       A physician may write any medical element in a record
[38]       for which he or she is the designated primary care
[39]       physician, provided an email is sent to the patient
[40]     </Description>
[41]     <Target>
[42]       <Subjects>
[43]         <Subject>
[44]           <!-- match subject group attribute -->
[45]           <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[46]             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">physician</AttributeValue>
[47]             <SubjectAttributeDesignator AttributeId=
[48]               "urn:oasis:names:tc:xacml:1.0:example:attribute:role"
                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
[49]           </SubjectMatch>
[50]         </Subject>
[51]       </Subjects>
[52]       <Resources>
[53]         <Resource>
[54]           <!-- match requested xml element -->
[55]           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-node-match">
[56]             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[57]               //md:record/md:medical
[58]             </AttributeValue>
[59]             <ResourceAttributeDesignator AttributeId=
[60]               "urn:oasis:names:tc:xacml:1.0:resource:xpath"
                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
[61]           </ResourceMatch>
[62]         </Resource>
[63]       </Resources>
[64]       <Actions>
[65]         <Action>
[66]           <!-- match action -->
[67]           <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[68]             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
[069]            <ActionAttributeDesignator AttributeId=
[070]              "urn:oasis:names:tc:xacml:1.0:action:action-id"
                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
[071]          </ActionMatch>
[072]        </Action>
[073]      </Actions>
[074]    </Target>
[075]    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[076]      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[077]        <!-- physician-id subject attribute -->
[078]        <SubjectAttributeDesignator AttributeId=
[079]          "urn:oasis:names:tc:xacml:1.0:example:
[080]           attribute:physician-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[081]      </Apply>
[082]      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[083]        <AttributeSelector RequestContextPath=
[084]          "//md:record/md:primaryCarePhysician/md:registrationID/text()"
[085]          DataType="http://www.w3.org/2001/XMLSchema#string"/>
[086]      </Apply>
[087]    </Condition>
[089]  </Rule>
[090]  <Obligations>
[091]    <!-- send e-mail message to the document owner -->
[092]    <Obligation ObligationId=
[093]      "urn:oasis:names:tc:xacml:example:obligation:email"
[094]      FulfillOn="Permit">
[095]      <AttributeAssignment AttributeId=
[096]        "urn:oasis:names:tc:xacml:1.0:example:attribute:mailto"
[097]        DataType="http://www.w3.org/2001/XMLSchema#string">
[098]        <AttributeSelector RequestContextPath=
[099]          "//md:record/md:patient/md:patientContact/md:email"
[100]          DataType="http://www.w3.org/2001/XMLSchema#string"/>
[101]      </AttributeAssignment>
[102]      <AttributeAssignment AttributeId=
[103]        "urn:oasis:names:tc:xacml:1.0:example:attribute:text"
[104]        DataType="http://www.w3.org/2001/XMLSchema#string">
[105]        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[106]          Your medical record has been accessed by
[107]        </AttributeValue>
[108]      </AttributeAssignment>
[109]      <AttributeAssignment AttributeId=
[110]        "urn:oasis:names:tc:xacml:example:attribute:text"
[111]        DataType="http://www.w3.org/2001/XMLSchema#string">
[112]        <SubjectAttributeDesignator AttributeId=
[113]          "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[114]      </AttributeAssignment>
[115]    </Obligation>
[116]  </Obligations>
[117] </Policy>
[01]-[09] The Policy element includes standard namespace declarations as well as policy-specific parameters such as PolicyId and RuleCombiningAlgId.
[07] Policy identifier. This parameter is used for the inclusion of the Policy in the PolicySet element.
[08]-[09] Rule combining algorithm identifier. This parameter is used to compute the combined outcome of rule effects for the rules that are applicable to the decision request.
[10]-[13] Free-form description of the policy.
[14]-[33] Policy target. The policy target defines a set of applicable decision requests. The structure of the Target element in the Policy is identical to the structure of the Target element in the Rule. In this case the policy target is the set of all XML documents conforming to the "http://www.medico.com/schemas/record.xsd" target namespace. For the detailed description of the Target element, see Rule 1, Section 4.2.4.1.
[34]-[89] The only Rule element included in this Policy. Two parameters are specified in the rule header: RuleId and Effect. For the detailed description of the Rule structure, see Rule 1, Section 4.2.4.1.
[41]-[74] A rule target narrows down a policy target. Decision requests with the value of the "urn:oasis:names:tc:xacml:1.0:example:attribute:role" subject attribute equal to "physician" [42]-[51], that access elements of the medical record that "xpath-node-match" the "//md:record/md:medical" XPath expression [52]-[63], and that have the value of the "urn:oasis:names:tc:xacml:1.0:action:action-id" action attribute equal to "read" [65]-[73] match the target of this rule. For a detailed description of the rule target, see example 1, Section 4.2.4.1.
[75]-[87] The Condition element. For the rule to be applicable to the authorization request, the condition must evaluate to True. This rule condition compares the value of the "urn:oasis:names:tc:xacml:1.0:examples:attribute:physician-id" subject attribute with the value of the physician id element in the medical record that is being accessed. For a detailed explanation of the rule condition, see Rule 1, Section 4.2.4.1.
[90]-[116] The Obligations element. Obligations are a set of operations that must be performed by the PEP in conjunction with an authorization decision. An obligation may be associated with a positive or negative authorization decision.
[92]-[115] The Obligation element consists of the ObligationId, the authorization decision value for which it must be fulfilled, and a set of attribute assignments.
[92]-[93] ObligationId identifies an obligation. Obligation names are not interpreted by the PDP.
[94] The FulfillOn attribute defines the authorization decision value for which this obligation must be fulfilled.
[95]-[101] An Obligation may have one or more parameters. The obligation parameter "urn:oasis:names:tc:xacml:1.0:examples:attribute:mailto" is assigned the value from the content of the XML document.
[95]-[96] AttributeId declares the "urn:oasis:names:tc:xacml:1.0:examples:attribute:mailto" obligation parameter.
[97] The obligation parameter data-type is defined.
[98]-[100] The obligation parameter value is selected from the content of the XML document that is being accessed, with the XPath expression over the request context.
[102]-[108] The obligation parameter "urn:oasis:names:tc:xacml:1.0:examples:attribute:text" of data-type "http://www.w3.org/2001/XMLSchema#string" is assigned the literal value "Your medical record has been accessed by".
[109]-[114] The obligation parameter "urn:oasis:names:tc:xacml:1.0:examples:attribute:text" of the "http://www.w3.org/2001/XMLSchema#string" data-type is assigned the value of the "urn:oasis:names:tc:xacml:1.0:subject:subject-id" subject attribute.
4.2.4.4 Rule 4
Rule 4 illustrates the use of the Deny Effect value and a Rule with no Condition element.
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Rule
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   xmlns:ctx="urn:oasis:names:tc:xacml:1.0:context"
[06]   xmlns:md="http://www.medico.com/schemas/record.xsd"
[07]   RuleId="urn:oasis:names:tc:xacml:example:ruleid:4"
[08]   Effect="Deny">
[09]   <Description>
[10]     An Administrator shall not be permitted to read or write
[11]     medical elements of a patient record in the
[12]     http://www.medico.com/records.xsd namespace
[13]   </Description>
[14]   <Target>
[15]     <Subjects>
[16]       <Subject>
[17]         <!-- match role subject attribute -->
[18]         <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[19]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
[20]           <SubjectAttributeDesignator AttributeId=
[21]             "urn:oasis:names:tc:xacml:1.0:example:attribute:role"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[22]         </SubjectMatch>
[23]       </Subject>
[24]     </Subjects>
[25]     <Resources>
[26]       <Resource>
[27]         <!-- match document target namespace -->
[28]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[29]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[30]             http://www.medico.com/schemas/record.xsd
[31]           </AttributeValue>
[32]           <ResourceAttributeDesignator AttributeId=
[33]             "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[34]         </ResourceMatch>
[35]         <!-- match requested xml element -->
[36]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-node-match">
[37]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[38]             //md:record/md:medical
[39]           </AttributeValue>
[40]           <ResourceAttributeDesignator AttributeId=
[41]             "urn:oasis:names:tc:xacml:1.0:resource:xpath"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[42]         </ResourceMatch>
[43]       </Resource>
[44]     </Resources>
[45]     <Actions>
[46]       <Action>
[47]         <!-- match read action -->
[48]         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[49]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
[50]           <ActionAttributeDesignator AttributeId=
[51]             "urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[52]         </ActionMatch>
[53]       </Action>
[54]       <Action>
[55]         <!-- match write action -->
[56]         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[57]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
[58]           <ActionAttributeDesignator AttributeId=
[59]             "urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[60]         </ActionMatch>
[61]       </Action>
[62]     </Actions>
[63]   </Target>
[64] </Rule>
[01]-[08] The Rule element declaration. The most important parameter here is Effect. See Rule 1, Section 4.2.4.1 for a detailed explanation of the Rule structure.
[08] Rule Effect. Every rule that evaluates to "True" emits its rule effect as its value, which will be combined later on with other rule effects according to the rule combining algorithm. This rule's Effect is "Deny", meaning that according to this rule access must be denied.
[09]-[13] Free-form description of the rule.
[14]-[63] Rule target. The Rule target defines the set of decision requests that are applicable to the rule. This rule is matched by:
a decision request with subject attribute "urn:oasis:names:tc:xacml:1.0:examples:attribute:role" equal to "administrator";
the value of resource attribute "urn:oasis:names:tc:xacml:1.0:resource:target-namespace" equal to "http://www.medico.com/schemas/record.xsd";
the value of the requested XML element matching the XPath expression "//md:record/md:medical";
the value of action attribute "urn:oasis:names:tc:xacml:1.0:action:action-id" equal to "read".
See Rule 1, Section 4.2.4.1 for the detailed explanation of the Target element.
This rule does not have a Condition element.
4.2.4.5 Example PolicySet
This section uses the examples of the previous sections to illustrate the process of combining policies. The policy governing read access to medical elements of a record is formed from each of the four rules described in Section 4.2.3. In plain language, the combined rule is:
Either the requestor is the patient; or
the requestor is the parent or guardian and the patient is under 16; or
the requestor is the primary care physician and a notification is sent to the patient; and
the requestor is not an administrator.
The following XACML <PolicySet> illustrates the combined policies. Policy 3 is included by reference and policy 2 is explicitly included.
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <PolicySet
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   PolicySetId=
[06]     "urn:oasis:names:tc:xacml:1.0:examples:policysetid:1"
[07]   PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:
[071]    policy-combining-algorithm:deny-overrides">
[08]   <Description>
[09]     Example policy set
[10]   </Description>
[11]   <Target>
[12]     <Subjects>
[13]       <Subject>
[14]         <!-- any subject -->
[15]         <AnySubject/>
[16]       </Subject>
[17]     </Subjects>
[18]     <Resources>
[19]       <Resource>
[20]         <!-- any resource in the target namespace -->
[21]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[22]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[23]             http://www.medico.com/records.xsd
[24]           </AttributeValue>
[25]           <ResourceAttributeDesignator AttributeId=
[26]             "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[27]         </ResourceMatch>
[28]       </Resource>
[29]     </Resources>
[30]     <Actions>
[31]       <Action>
[32]         <!-- any action -->
[33]         <AnyAction/>
[34]       </Action>
[35]     </Actions>
[36]   </Target>
[37]   <!-- include policy from the example 3 by reference -->
[38]   <PolicyIdReference>
[39]     urn:oasis:names:tc:xacml:1.0:examples:policyid:3
[40]   </PolicyIdReference>
[41]   <!-- policy 2 combines rules from the examples 1, 2
[42]        and 4; is included by value -->
[43]   <Policy
[44]     PolicyId="urn:oasis:names:tc:xacml:examples:policyid:2"
[45]     RuleCombiningAlgId=
[46]       "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
[47]     <Description>
[48]       Policy for any medical record in the
[49]       http://www.medico.com/schemas/record.xsd namespace
[50]     </Description>
[51]     <Target> ... </Target>
[52]     <Rule
[53]       RuleId="urn:oasis:names:tc:xacml:examples:ruleid:1"
[54]       Effect="Permit"> ... </Rule>
[55]     <Rule RuleId="urn:oasis:names:tc:xacml:examples:ruleid:2"
[56]       Effect="Permit"> ... </Rule>
[57]     <Rule RuleId="urn:oasis:names:tc:xacml:examples:ruleid:4"
[58]       Effect="Deny"> ... </Rule>
[59]     <Obligations> ... </Obligations>
[60]   </Policy>
[61] </PolicySet>
[02]-[07] PolicySet declaration. Standard XML namespace declarations are included, as well as the PolicySetId and the policy combining algorithm identifier.
[05]-[06] PolicySetId is used for identifying this policy set and for possible inclusion of this policy set into another policy set.
[07] Policy combining algorithm identifier. Policies in the policy set are combined according to the specified policy combining algorithm when the authorization decision is computed.
[08]-[10] Free-form description of the policy set.
[11]-[36] The PolicySet Target element defines the set of decision requests that are applicable to this PolicySet.
[38]-[40] PolicyIdReference includes a policy by id.
[43]-[60] Policy 2 is explicitly included in this policy set.
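The plain-language combination above depends on deny-overrides at both levels: within policy 2, Rule 4's Deny wins over any Permit from Rules 1 and 2, and within the policy set an Indeterminate policy is treated as Deny. The following Python model is an added example, not code from the specification or from any XACML implementation. The four rules, policy 2, policy 3 (with its e-mail obligation) and the policy set are reduced to predicates over a flat request dictionary; the request layout, the "patient-age" shortcut (the rule itself derives it from the date of birth) and the record values are constructed for the example, while the combining algorithms follow the deny-overrides definitions and the obligation ids are those of Rule 3.

```python
"""Deny-overrides combining over the example PolicySet (added example, not spec code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Tuple


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


class MissingAttribute(Exception):
    """Empty bag where a *-one-and-only function needs exactly one value."""


def attr(req, name):
    # Stand-in for designator + one-and-only: an absent attribute is Indeterminate
    if name not in req:
        raise MissingAttribute(name)
    return req[name]


@dataclass
class Rule:
    rule_id: str
    effect: Decision                                   # PERMIT or DENY
    target: Callable[[dict], bool]
    condition: Callable[[dict], bool] = lambda req: True   # Rule 4 has no Condition


@dataclass
class Obligation:
    obligation_id: str
    fulfill_on: Decision
    assignments: Callable[[dict], List[Tuple[str, str]]]   # (AttributeId, value) pairs


@dataclass
class Policy:
    policy_id: str
    target: Callable[[dict], bool]
    rules: List[Rule]
    obligations: List[Obligation] = field(default_factory=list)


def evaluate_rule(rule, req):
    if not rule.target(req):
        return Decision.NOT_APPLICABLE
    try:
        return rule.effect if rule.condition(req) else Decision.NOT_APPLICABLE
    except MissingAttribute:
        return Decision.INDETERMINATE


def deny_overrides_rules(rules, req):
    """Rule-combining deny-overrides: a Deny, or an Indeterminate rule whose Effect is Deny, wins."""
    at_least_one_error = potential_deny = at_least_one_permit = False
    for rule in rules:
        d = evaluate_rule(rule, req)
        if d is Decision.DENY:
            return Decision.DENY
        if d is Decision.PERMIT:
            at_least_one_permit = True
        elif d is Decision.INDETERMINATE:
            at_least_one_error = True
            if rule.effect is Decision.DENY:
                potential_deny = True
    if potential_deny:
        return Decision.DENY
    if at_least_one_permit:
        return Decision.PERMIT
    if at_least_one_error:
        return Decision.INDETERMINATE
    return Decision.NOT_APPLICABLE


def evaluate_policy(policy, req):
    if not policy.target(req):
        return Decision.NOT_APPLICABLE, []
    decision = deny_overrides_rules(policy.rules, req)
    # Only obligations whose FulfillOn equals the policy's own decision are returned
    obligations = [(o.obligation_id, o.assignments(req))
                   for o in policy.obligations if o.fulfill_on is decision]
    return decision, obligations


def deny_overrides_policies(policies, req):
    """Policy-combining deny-overrides: any Deny wins, and an Indeterminate policy yields Deny."""
    at_least_one_permit = False
    permit_obligations = []
    for policy in policies:
        d, obligations = evaluate_policy(policy, req)
        if d is Decision.DENY:
            return Decision.DENY, obligations
        if d is Decision.INDETERMINATE:
            return Decision.DENY, []
        if d is Decision.PERMIT:
            at_least_one_permit = True
            permit_obligations.extend(obligations)
    if at_least_one_permit:
        return Decision.PERMIT, permit_obligations
    return Decision.NOT_APPLICABLE, []


# --- the example policies, reduced to predicates over a constructed request ---
MEDICO_NS = "http://www.medico.com/schemas/record.xsd"
EMAIL_OBLIGATION = "urn:oasis:names:tc:xacml:example:obligation:email"
MAILTO = "urn:oasis:names:tc:xacml:1.0:example:attribute:mailto"
TEXT = "urn:oasis:names:tc:xacml:1.0:example:attribute:text"
is_read = lambda req: req["action"] == "read"
in_medico = lambda req: req["resource-namespace"] == MEDICO_NS

rule1 = Rule("ruleid:1", Decision.PERMIT, is_read,
             lambda req: attr(req, "patient-number") == req["record"]["patient-number"])
rule2 = Rule("ruleid:2", Decision.PERMIT, is_read,
             lambda req: attr(req, "parent-guardian-id") == req["record"]["guardian-id"]
             and req["record"]["patient-age"] < 16)
rule3 = Rule("ruleid:3", Decision.PERMIT,
             lambda req: req["role"] == "physician" and req["action"] == "write",
             lambda req: attr(req, "physician-id") == req["record"]["pcp-id"])
rule4 = Rule("ruleid:4", Decision.DENY,
             lambda req: req["role"] == "administrator" and req["action"] in ("read", "write"))
email = Obligation(EMAIL_OBLIGATION, Decision.PERMIT,
                   lambda req: [(MAILTO, req["record"]["email"]),
                                (TEXT, "Your medical record has been accessed by"),
                                (TEXT, req["subject-id"])])
policy2 = Policy("policyid:2", in_medico, [rule1, rule2, rule4])
policy3 = Policy("policyid:3", in_medico, [rule3], [email])
POLICY_SET = [policy3, policy2]          # policy 3 by reference, policy 2 by value

RECORD = {"patient-number": "555", "guardian-id": "HS001", "pcp-id": "DR1",
          "patient-age": 10, "email": "patient@example.test"}   # constructed record


def make_request(action, role, subject_id, namespace=MEDICO_NS, **subject_attrs):
    # Constructed flat request context; keyword names use '_' where the ids use '-'
    req = {"action": action, "role": role, "subject-id": subject_id,
           "resource-namespace": namespace, "record": RECORD}
    req.update({k.replace("_", "-"): v for k, v in subject_attrs.items()})
    return req


def decide(req):
    return deny_overrides_policies(POLICY_SET, req)


if __name__ == "__main__":
    print(decide(make_request("read", "administrator", "adm", parent_guardian_id="HS001")))
```

Run against a few requests, the model reproduces the combined rule: a guardian of a 10-year-old reading the record is permitted, the same guardian acting as an administrator is denied because Rule 4 overrides Rule 2's Permit, and a physician writing the record is permitted together with the e-mail obligation. One less obvious outcome is a physician reading the record: Rule 3 does not apply to read, Rules 1 and 2 are Indeterminate because the physician carries neither a patient-number nor a parent-guardian-id attribute, so policy 2 is Indeterminate and the policy-level deny-overrides turns that into Deny.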
5 Policy syntax (normative, with the exception of the schema fragments)
5.1 Element <PolicySet>
The <PolicySet> element is a top-level element in the XACML policy schema. <PolicySet> is an aggregation of other policy sets and policies. Policy sets MAY be included in an enclosing <PolicySet> element either directly, using the <PolicySet> element, or indirectly, using the <PolicySetIdReference> element. Policies MAY be included in an enclosing <PolicySet> element either directly, using the <Policy> element, or indirectly, using the <PolicyIdReference> element.
If a <PolicySet> element contains references to other policy sets or policies in the form of URLs, then these references MAY be resolvable.
Policies included in the <PolicySet> element MUST be combined using the algorithm specified by the PolicyCombiningAlgId attribute. <PolicySet> is treated exactly like a <Policy> in all the policy combining algorithms.
The <Target> element defines the applicability of the <PolicySet> to a set of decision requests. If the <Target> element within <PolicySet> matches the request context, then the <PolicySet> element MAY be used by the PDP in making its authorization decision.
The <Obligations> element contains a set of obligations that MUST be fulfilled by the PEP in conjunction with the authorization decision. If the PEP does not understand any of the obligations, then it MUST act as if the PDP had returned a "Deny" authorization decision value.
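The PEP-side rule in the previous paragraph (fulfil every returned obligation, and treat an obligation the PEP does not understand as a Deny) can be expressed as a small enforcement routine. The code below is an added example and not part of the specification or of any XACML implementation: the handler registry, the in-memory "sent mail" record and the enforce() function are constructed here; the obligation and attribute identifiers are the ones from the Rule 3 example.

```python
"""PEP handling of obligations returned with a decision (added example, not spec code)."""
from typing import Callable, Dict, List, Tuple

EMAIL_OBLIGATION = "urn:oasis:names:tc:xacml:example:obligation:email"
MAILTO = "urn:oasis:names:tc:xacml:1.0:example:attribute:mailto"
TEXT = "urn:oasis:names:tc:xacml:1.0:example:attribute:text"

Assignments = List[Tuple[str, str]]          # (AttributeId, value) pairs of one obligation


class PEP:
    def __init__(self):
        self.handlers: Dict[str, Callable[[Assignments], None]] = {}
        self.sent_mail: List[Tuple[str, str]] = []   # (recipient, body), recorded instead of sent

    def register(self, obligation_id, handler):
        self.handlers[obligation_id] = handler

    def send_email(self, assignments):
        # Handler for the Rule 3 obligation: one mailto parameter, several text parts
        recipient = None
        parts = []
        for attr_id, value in assignments:
            if attr_id == MAILTO:
                recipient = value
            elif attr_id == TEXT:
                parts.append(value)
        if recipient is None:
            raise ValueError("email obligation without a mailto parameter")
        self.sent_mail.append((recipient, " ".join(parts)))

    def enforce(self, decision, obligations):
        """Return the decision the PEP actually enforces after handling obligations."""
        # An obligation this PEP does not understand: act as if the PDP had returned Deny.
        # Checked before any handler runs, so a Permit is never accompanied by a
        # half-fulfilled obligation set.
        if any(obligation_id not in self.handlers for obligation_id, _ in obligations):
            return "Deny"
        for obligation_id, assignments in obligations:
            try:
                self.handlers[obligation_id](assignments)
            except Exception:       # the obligation could not be fulfilled: do not grant access
                return "Deny"
        return decision


# Constructed obligation as the PDP would return it for the Rule 3 example
EMAIL_FOR_DR1 = (EMAIL_OBLIGATION, [(MAILTO, "patient@example.test"),
                                    (TEXT, "Your medical record has been accessed by"),
                                    (TEXT, "DR1")])

if __name__ == "__main__":
    pep = PEP()
    pep.register(EMAIL_OBLIGATION, pep.send_email)
    print(pep.enforce("Permit", [EMAIL_FOR_DR1]), pep.sent_mail)
```

The same check applies to obligations returned with a Deny: they are still executed, and the enforced result stays Deny whether or not the PEP understands them. A PEP that has no handler registered for the e-mail obligation refuses the access even though the PDP said Permit.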
<xs:element name="PolicySet" type="xacml:PolicySetType"/>
<xs:complexType name="PolicySetType">
  <xs:sequence>
    <xs:element ref="xacml:Description" minOccurs="0"/>
    <xs:element ref="xacml:PolicySetDefaults" minOccurs="0"/>
    <xs:element ref="xacml:Target"/>
    <xs:choice minOccurs="0" maxOccurs="unbounded">
      <xs:element ref="xacml:PolicySet"/>
      <xs:element ref="xacml:Policy"/>
      <xs:element ref="xacml:PolicySetIdReference"/>
      <xs:element ref="xacml:PolicyIdReference"/>
    </xs:choice>
    <xs:element ref="xacml:Obligations" minOccurs="0"/>
  </xs:sequence>
  <xs:attribute name="PolicySetId" type="xs:anyURI" use="required"/>
  <xs:attribute name="PolicyCombiningAlgId" type="xs:anyURI" use="required"/>
</xs:complexType>
The <PolicySet> element is of PolicySetType complex type.
The <PolicySet> element contains the following attributes and elements:
PolicySetId [Required]
Policy set identifier. It is the responsibility of the PAP to ensure that no two policies visible to the PDP have the same identifier. This MAY be achieved by following a predefined URN or URI scheme. If the policy set identifier is in the form of a URL, then it MAY be resolvable.
PolicyCombiningAlgId [Required]
The identifier of the policy-combining algorithm by which the <PolicySet> components MUST be combined. Standard policy-combining algorithms are listed in Appendix C. Standard policy-combining algorithm identifiers are listed in Section B.10.
<Description> [Optional]
A free-form description of the <PolicySet>.
<PolicySetDefaults> [Optional]
A set of default values applicable to the <PolicySet>. The scope of the <PolicySetDefaults> element SHALL be the enclosing policy set.
<Target> [Required]
The <Target> element defines the applicability of a <PolicySet> to a set of decision requests.
The <Target> element MAY be declared by the creator of the <PolicySet>, or it MAY be computed from the <Target> elements of the referenced <Policy> elements, either as an intersection or as a union.
<PolicySet> [Any Number]
A policy set component that is included in this policy set.
<Policy> [Any Number]
A policy component that is included in this policy set.
<PolicySetIdReference> [Any Number]
A reference to a <PolicySet> component that MUST be included in this policy set. If <PolicySetIdReference> is a URL, then it MAY be resolvable.
<PolicyIdReference> [Any Number]
A reference to a <Policy> component that MUST be included in this policy set. If the <PolicyIdReference> is a URL, then it MAY be resolvable.
<Obligations> [Optional]
Contains the set of <Obligation> elements. See Section 7.11 for a description of how the set of obligations to be returned by the PDP shall be determined.
5.2 Element <Description>
The <Description> element is used for a free-form description of the <PolicySet> element, <Policy> element and <Rule> element. The <Description> element is of xs:string simple type.
<xs:element name="Description" type="xs:string"/>
5.3 Element <PolicySetDefaults>
The <PolicySetDefaults> element SHALL specify default values that apply to the <PolicySet> element.
<xs:element name="PolicySetDefaults" type="xacml:DefaultsType"/>
<xs:complexType name="DefaultsType">
    <xs:sequence>
        <xs:choice>
            <xs:element ref="xacml:XPathVersion" minOccurs="0"/>
        </xs:choice>
    </xs:sequence>
</xs:complexType>
The <PolicySetDefaults> element is of DefaultsType complex type.
The <PolicySetDefaults> element contains the following elements:
<XPathVersion> [Optional]
Default XPath version.
5.4 Element <XPathVersion>
The <XPathVersion> element SHALL specify the version of the XPath specification to be used by <AttributeSelector> elements.
<xs:element name="XPathVersion" type="xs:anyURI"/>
The URI for the XPath 1.0 specification is "http://www.w3.org/TR/1999/Rec-xpath-19991116". The <XPathVersion> element is REQUIRED if the enclosing XACML policy set or policy contains <AttributeSelector> elements or XPath-based functions.
5.5 Element <Target>
The <Target> element identifies the set of decision requests that the parent element is intended to evaluate. The <Target> element SHALL appear as a child of <PolicySet>, <Policy> and <Rule> elements. It contains definitions for subjects, resources and actions.
The <Target> element SHALL contain a conjunctive sequence of <Subjects>, <Resources> and <Actions> elements. For the parent of the <Target> element to be applicable to the decision request, there MUST be at least one positive match between each section of the <Target> element and the corresponding section of the <xacml-context:Request> element.
<xs:element name="Target" type="xacml:TargetType"/>
<xs:complexType name="TargetType">
    <xs:sequence>
        <xs:element ref="xacml:Subjects"/>
        <xs:element ref="xacml:Resources"/>
        <xs:element ref="xacml:Actions"/>
    </xs:sequence>
</xs:complexType>
The <Target> element is of TargetType complex type.
The <Target> element contains the following elements:
<Subjects> [Required]
Matching specification for the subject attributes in the context.
<Resources> [Required]
Matching specification for the resource attributes in the context.
<Actions> [Required]
Matching specification for the action attributes in the context.
5.6 Element <Subjects>
The <Subjects> element SHALL contain a disjunctive sequence of <Subject> elements.
<xs:element name="Subjects" type="xacml:SubjectsType"/>
<xs:complexType name="SubjectsType">
    <xs:choice>
        <xs:element ref="xacml:Subject" maxOccurs="unbounded"/>
        <xs:element ref="xacml:AnySubject"/>
    </xs:choice>
</xs:complexType>
The <Subjects> element is of SubjectsType complex type.
The <Subjects> element contains the following elements:
<Subject> [One to Many, Required Choice]
See Section 5.7.
<AnySubject> [Required Choice]
See Section 5.8.
5.7 Element <Subject>
The <Subject> element SHALL contain a conjunctive sequence of <SubjectMatch> elements.
<xs:element name="Subject" type="xacml:SubjectType"/>
<xs:complexType name="SubjectType">
    <xs:sequence>
        <xs:element ref="xacml:SubjectMatch" maxOccurs="unbounded"/>
    </xs:sequence>
</xs:complexType>
The <Subject> element is of SubjectType complex type.
The <Subject> element contains the following elements:
<SubjectMatch> [One to Many]
A conjunctive sequence of individual matches of the subject attributes in the context and the embedded attribute values.
5.8 Element <AnySubject>
The <AnySubject> element SHALL match any subject attribute in the context.
<xs:element name="AnySubject"/>
5.9 Element <SubjectMatch>
The <SubjectMatch> element SHALL identify a set of subject-related entities by matching attribute values in a <xacml-context:Subject> element of the context with the embedded attribute value.
<xs:element name="SubjectMatch" type="xacml:SubjectMatchType"/>
<xs:complexType name="SubjectMatchType">
    <xs:sequence>
        <xs:element ref="xacml:AttributeValue"/>
        <xs:choice>
            <xs:element ref="xacml:SubjectAttributeDesignator"/>
            <xs:element ref="xacml:AttributeSelector"/>
        </xs:choice>
    </xs:sequence>
    <xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
</xs:complexType>
The <SubjectMatch> element is of SubjectMatchType complex type.
The <SubjectMatch> element contains the following attributes and elements:
MatchId [Required]
Specifies a matching function. The value of this attribute MUST be of type xs:anyURI, with legal values documented in Section A.12.
<AttributeValue> [Required]
Embedded attribute value.
<SubjectAttributeDesignator> [Required Choice]
Identifies one or more attribute values in a <Subject> element of the context.
<AttributeSelector> [Required Choice]
MAY be used to identify one or more attribute values in the request context. The XPath expression SHOULD resolve to an attribute in a <Subject> element of the context.
5.10 Element <Resources>
The <Resources> element SHALL contain a disjunctive sequence of <Resource> elements.
<xs:element name="Resources" type="xacml:ResourcesType"/>
<xs:complexType name="ResourcesType">
    <xs:choice>
        <xs:element ref="xacml:Resource" maxOccurs="unbounded"/>
        <xs:element ref="xacml:AnyResource"/>
    </xs:choice>
</xs:complexType>
The <Resources> element is of ResourcesType complex type.
The <Resources> element contains the following elements:
<Resource> [One to Many, Required Choice]
See Section 5.11.
<AnyResource> [Required Choice]
See Section 5.12.
5.11 Element <Resource>
The <Resource> element SHALL contain a conjunctive sequence of <ResourceMatch> elements.
<xs:element name="Resource" type="xacml:ResourceType"/>
<xs:complexType name="ResourceType">
    <xs:sequence>
        <xs:element ref="xacml:ResourceMatch" maxOccurs="unbounded"/>
    </xs:sequence>
</xs:complexType>
The <Resource> element is of ResourceType complex type.
The <Resource> element contains the following elements:
<ResourceMatch> [One to Many]
A conjunctive sequence of individual matches of the resource attributes in the context and the embedded attribute values.
5.12 Element <AnyResource>
The <AnyResource> element SHALL match any resource attribute in the context.
<xs:element name="AnyResource"/>
5.13 Element <ResourceMatch>
The <ResourceMatch> element SHALL identify a set of resource-related entities by matching attribute values in the <xacml-context:Resource> element of the context with the embedded attribute value.
<xs:element name="ResourceMatch" type="xacml:ResourceMatchType"/>
<xs:complexType name="ResourceMatchType">
    <xs:sequence>
        <xs:element ref="xacml:AttributeValue"/>
        <xs:choice>
            <xs:element ref="xacml:ResourceAttributeDesignator"/>
            <xs:element ref="xacml:AttributeSelector"/>
        </xs:choice>
    </xs:sequence>
    <xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
</xs:complexType>
The <ResourceMatch> element is of ResourceMatchType complex type.
The <ResourceMatch> element contains the following attributes and elements:
MatchId [Required]
Specifies a matching function. Values of this attribute MUST be of type xs:anyURI, with legal values documented in Section A.12.
<AttributeValue> [Required]
Embedded attribute value.
<ResourceAttributeDesignator> [Required Choice]
Identifies one or more attribute values in the <Resource> element of the context.
<AttributeSelector> [Required Choice]
MAY be used to identify one or more attribute values in the request context. The XPath expression SHOULD resolve to an attribute in the <Resource> element of the context.
5.14 Element <Actions>
The <Actions> element SHALL contain a disjunctive sequence of <Action> elements.
<xs:element name="Actions" type="xacml:ActionsType"/>
<xs:complexType name="ActionsType">
    <xs:choice>
        <xs:element ref="xacml:Action" maxOccurs="unbounded"/>
        <xs:element ref="xacml:AnyAction"/>
    </xs:choice>
</xs:complexType>
The <Actions> element is of ActionsType complex type.
The <Actions> element contains the following elements:
<Action> [One to Many, Required Choice]
See Section 5.15.
<AnyAction> [Required Choice]
See Section 5.16.
5.15 Element <Action>
The <Action> element SHALL contain a conjunctive sequence of <ActionMatch> elements.
<xs:element name="Action" type="xacml:ActionType"/>
<xs:complexType name="ActionType">
    <xs:sequence>
        <xs:element ref="xacml:ActionMatch" maxOccurs="unbounded"/>
    </xs:sequence>
</xs:complexType>
The <Action> element is of ActionType complex type.
The <Action> element contains the following elements:
<ActionMatch> [One to Many]
A conjunctive sequence of individual matches of the action attributes in the context and the embedded attribute values.
5.16 Element <AnyAction>
The <AnyAction> element SHALL match any action attribute in the context.
<xs:element name="AnyAction"/>
5.17 Element <ActionMatch>
The <ActionMatch> element SHALL identify a set of action-related entities by matching attribute values in the <xacml-context:Action> element of the context with the embedded attribute value.
<xs:element name="ActionMatch" type="xacml:ActionMatchType"/>
<xs:complexType name="ActionMatchType">
    <xs:sequence>
        <xs:element ref="xacml:AttributeValue"/>
        <xs:choice>
            <xs:element ref="xacml:ActionAttributeDesignator"/>
            <xs:element ref="xacml:AttributeSelector"/>
        </xs:choice>
    </xs:sequence>
    <xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
</xs:complexType>
The <ActionMatch> element is of ActionMatchType complex type.
The <ActionMatch> element contains the following attributes and elements:
MatchId [Required]
Specifies a matching function. The value of this attribute MUST be of type xs:anyURI, with legal values documented in Section A.12.
<AttributeValue> [Required]
Embedded attribute value.
<ActionAttributeDesignator> [Required Choice]
Identifies one or more attribute values in the <Action> element of the context.
<AttributeSelector> [Required Choice]
MAY be used to identify one or more attribute values in the request context. The XPath expression SHOULD resolve to an attribute in the <Action> element of the context.
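As an added illustration (this code is not part of the XACML specification), the following Python model implements the applicability rule of Sections 5.5 to 5.17: a conjunctive <Target> over disjunctive <Subjects>, <Resources> and <Actions> sections, each of whose <Subject>, <Resource> or <Action> clauses is a conjunctive list of *Match elements, with <AnySubject>/<AnyResource>/<AnyAction> as wildcards. The match-function table, the dictionary form of the request context and the urn:example attribute identifiers are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Standard XACML 1.0 match-function identifiers (MatchId values); the table
# of Python bodies is this example's own, not the specification's registry.
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
ANYURI_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"
MATCH_FUNCTIONS: Dict[str, Callable[[str, str], bool]] = {
    STRING_EQUAL: lambda embedded, ctx_value: embedded == ctx_value,
    ANYURI_EQUAL: lambda embedded, ctx_value: embedded == ctx_value,
}


@dataclass(frozen=True)
class Match:
    """One *Match element: MatchId, the designator's AttributeId and the
    embedded <AttributeValue> it is compared against."""
    match_id: str
    attribute_id: str
    value: str


# A <Subject>/<Resource>/<Action> is a conjunctive list of Match elements;
# ANY stands for <AnySubject>/<AnyResource>/<AnyAction>.
ANY = None
Clause = Optional[List[Match]]
Section = List[Clause]                  # <Subjects>/<Resources>/<Actions>: disjunctive
ContextSection = Dict[str, List[str]]   # AttributeId -> bag of context values (assumed form)


@dataclass(frozen=True)
class Target:
    subjects: Section
    resources: Section
    actions: Section


def match_applies(m: Match, ctx: ContextSection) -> bool:
    """A *Match holds when the match function is true for the embedded value
    and at least one value of the named attribute in the context."""
    fn = MATCH_FUNCTIONS[m.match_id]
    return any(fn(m.value, v) for v in ctx.get(m.attribute_id, []))


def clause_applies(clause: Clause, ctx: ContextSection) -> bool:
    if clause is ANY:
        return True                                        # Any* matches everything
    return all(match_applies(m, ctx) for m in clause)      # conjunctive sequence


def section_applies(section: Section, ctx: ContextSection) -> bool:
    return any(clause_applies(c, ctx) for c in section)    # disjunctive sequence


def target_applies(t: Target, subject: ContextSection,
                   resource: ContextSection, action: ContextSection) -> bool:
    """Section 5.5: the parent is applicable only if EACH of the three
    sections has at least one positive match against the request context."""
    return (section_applies(t.subjects, subject)
            and section_applies(t.resources, resource)
            and section_applies(t.actions, action))


# Constructed attribute identifiers and a constructed <Target>: physicians, or
# nurses of the cardiology department, may "read" any resource.
ROLE = "urn:example:subject:role"            # constructed AttributeId
DEPT = "urn:example:subject:department"      # constructed AttributeId
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"

READ_TARGET = Target(
    subjects=[
        [Match(STRING_EQUAL, ROLE, "physician")],
        [Match(STRING_EQUAL, ROLE, "nurse"), Match(STRING_EQUAL, DEPT, "cardiology")],
    ],
    resources=[ANY],
    actions=[[Match(STRING_EQUAL, ACTION_ID, "read")]],
)


def evaluate_read_target(role: str, department: str, action: str) -> bool:
    """Build a constructed request context for one subject and test it."""
    subject = {ROLE: [role], DEPT: [department]}
    resource = {RESOURCE_ID: ["urn:example:record:42"]}   # constructed value
    return target_applies(READ_TARGET, subject, resource, {ACTION_ID: [action]})


if __name__ == "__main__":
    print(evaluate_read_target("physician", "oncology", "read"))   # True
    print(evaluate_read_target("nurse", "cardiology", "read"))     # True
    print(evaluate_read_target("nurse", "oncology", "read"))       # False
    print(evaluate_read_target("physician", "oncology", "write"))  # False
```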
5.18 Element <PolicySetIdReference>
The <PolicySetIdReference> element SHALL be used to reference a <PolicySet> element by id. If <PolicySetIdReference> is a URL, then it MAY be resolvable to the <PolicySet>. The mechanism for resolving a policy set reference to the corresponding policy set is outside the scope of this specification.
<xs:element name="PolicySetIdReference" type="xs:anyURI"/>
Element <PolicySetIdReference> is of xs:anyURI simple type.
5.19 Element <PolicyIdReference>
The <PolicyIdReference> element SHALL be used to reference a <Policy> element by id. If <PolicyIdReference> is a URL, then it MAY be resolvable to the <Policy>. The mechanism for resolving a policy reference to the corresponding policy is outside the scope of this specification.
<xs:element name="PolicyIdReference" type="xs:anyURI"/>
Element <PolicyIdReference> is of xs:anyURI simple type.
5.20 Element <Policy>
The <Policy> element is the smallest entity that SHALL be presented to the PDP for evaluation.
The main components of this element are the <Target>, <Rule> and <Obligations> elements and the RuleCombiningAlgId attribute.
The <Target> element SHALL define the applicability of the <Policy> to a set of decision requests.
Rules included in the <Policy> element MUST be combined by the algorithm specified by the RuleCombiningAlgId attribute.
The <Obligations> element SHALL contain a set of obligations that MUST be fulfilled by the PEP in conjunction with the authorization decision.
<xs:element name="Policy" type="xacml:PolicyType"/>
<xs:complexType name="PolicyType">
    <xs:sequence>
        <xs:element ref="xacml:Description" minOccurs="0"/>
        <xs:element ref="xacml:PolicyDefaults" minOccurs="0"/>
        <xs:element ref="xacml:Target"/>
        <xs:element ref="xacml:Rule" minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="xacml:Obligations" minOccurs="0"/>
    </xs:sequence>
    <xs:attribute name="PolicyId" type="xs:anyURI" use="required"/>
    <xs:attribute name="RuleCombiningAlgId" type="xs:anyURI" use="required"/>
</xs:complexType>
The <Policy> element is of PolicyType complex type.
The <Policy> element contains the following attributes and elements:
PolicyId [Required]
Policy identifier. It is the responsibility of the PAP to ensure that no two policies visible to the PDP have the same identifier. This MAY be achieved by following a predefined URN or URI scheme. If the policy identifier is in the form of a URL, then it MAY be resolvable.
RuleCombiningAlgId [Required]
The identifier of the rule-combining algorithm by which the <Policy> components MUST be combined. Standard rule-combining algorithms are listed in Appendix C. Standard rule-combining algorithm identifiers are listed in Section B.10.
<Description> [Optional]
A free-form description of the policy. See Section 5.2, Element <Description>.
<PolicyDefaults> [Optional]
Defines a set of default values applicable to the policy. The scope of the <PolicyDefaults> element SHALL be the enclosing policy.
<Target> [Required]
The <Target> element SHALL define the applicability of a <Policy> to a set of decision requests.
The <Target> element MAY be declared by the creator of the <Policy> element, or it MAY be computed from the <Target> elements of the referenced <Rule> elements, either as an intersection or as a union.
<Rule> [Any Number]
A sequence of authorizations that MUST be combined according to the RuleCombiningAlgId attribute. Rules whose <Target> elements match the decision request MUST be considered. Rules whose <Target> elements do not match the decision request SHALL be ignored.
<Obligations> [Optional]
A conjunctive sequence of obligations that MUST be fulfilled by the PEP in conjunction with the authorization decision. See Section 7.11 for a description of how the set of obligations to be returned by the PDP SHALL be determined.
5.21 Element <PolicyDefaults>
The <PolicyDefaults> element SHALL specify default values that apply to the <Policy> element.
<xs:element name="PolicyDefaults" type="xacml:DefaultsType"/>
<xs:complexType name="DefaultsType">
    <xs:sequence>
        <xs:choice>
            <xs:element ref="xacml:XPathVersion" minOccurs="0"/>
        </xs:choice>
    </xs:sequence>
</xs:complexType>
The <PolicyDefaults> element is of DefaultsType complex type.
The <PolicyDefaults> element contains the following elements:
<XPathVersion> [Optional]
Default XPath version.
5.22 Element <Rule>
The <Rule> element SHALL define the individual rules in the policy. The main components of this element are the <Target> and <Condition> elements and the Effect attribute.
<xs:element name="Rule" type="xacml:RuleType"/>
<xs:complexType name="RuleType">
    <xs:sequence>
        <xs:element ref="xacml:Description" minOccurs="0"/>
        <xs:element ref="xacml:Target" minOccurs="0"/>
        <xs:element ref="xacml:Condition" minOccurs="0"/>
    </xs:sequence>
    <xs:attribute name="RuleId" type="xs:anyURI" use="required"/>
    <xs:attribute name="Effect" type="xacml:EffectType" use="required"/>
</xs:complexType>
The <Rule> element is of RuleType complex type.
The <Rule> element contains the following attributes and elements:
RuleId [Required]
A URN identifying this rule.
Effect [Required]
Rule effect. Values of this attribute are either "Permit" or "Deny".
<Description> [Optional]
A free-form description of the rule.
<Target> [Optional]
Identifies the set of decision requests that the <Rule> element is intended to evaluate. If this element is omitted, then the target for the <Rule> SHALL be defined by the <Target> element of the enclosing <Policy> element. See Section 5.5 for details.
<Condition> [Optional]
A predicate that MUST be satisfied for the rule to be assigned its Effect value. A condition is a boolean function over a combination of subject, resource, action and environment attributes or other functions.
5.23 Simple type EffectType
The EffectType simple type defines the values allowed for the Effect attribute of the <Rule> element and for the FulfillOn attribute of the <Obligation> element.
<xs:simpleType name="EffectType">
    <xs:restriction base="xs:string">
        <xs:enumeration value="Permit"/>
        <xs:enumeration value="Deny"/>
    </xs:restriction>
</xs:simpleType>
5.24 Element <Condition>
The <Condition> element is a boolean function over subject, resource, action and environment attributes or functions of attributes. If the <Condition> element evaluates to "True", then the enclosing <Rule> element is assigned its Effect value.
<xs:element name="Condition" type="xacml:ApplyType"/>
The <Condition> element is of ApplyType complex type.
5.25 Element <Apply>
The <Apply> element denotes application of a function to its arguments, thus encoding a function call. The <Apply> element can be applied to any combination of <Apply>, <AttributeValue>, <SubjectAttributeDesignator>, <ResourceAttributeDesignator>, <ActionAttributeDesignator>, <EnvironmentAttributeDesignator> and <AttributeSelector> arguments.
<xs:element name="Apply" type="xacml:ApplyType"/>
<xs:complexType name="ApplyType">
    <xs:choice minOccurs="0" maxOccurs="unbounded">
        <xs:element ref="xacml:Function"/>
        <xs:element ref="xacml:Apply"/>
        <xs:element ref="xacml:AttributeValue"/>
        <xs:element ref="xacml:SubjectAttributeDesignator"/>
        <xs:element ref="xacml:ResourceAttributeDesignator"/>
        <xs:element ref="xacml:ActionAttributeDesignator"/>
        <xs:element ref="xacml:EnvironmentAttributeDesignator"/>
        <xs:element ref="xacml:AttributeSelector"/>
    </xs:choice>
    <xs:attribute name="FunctionId" type="xs:anyURI" use="required"/>
</xs:complexType>
The <Apply> element is of ApplyType complex type.
The <Apply> element contains the following attributes and elements:
FunctionId [Required]
The URN of a function. XACML-defined functions are described in Appendix A.
<Function> [Optional]
The name of a function that is applied to the elements of a bag. See Section A.14.11.
<Apply> [Optional]
A nested function-call argument.
<AttributeValue> [Optional]
A literal value argument.
<SubjectAttributeDesignator> [Optional]
A subject attribute argument.
<ResourceAttributeDesignator> [Optional]
A resource attribute argument.
<ActionAttributeDesignator> [Optional]
An action attribute argument.
<EnvironmentAttributeDesignator> [Optional]
An environment attribute argument.
<AttributeSelector> [Optional]
An attribute selector argument.
5.26 Element <Function>
The <Function> element SHALL be used to name a function that is applied by the higher-order bag functions to every element of a bag. The higher-order bag functions are described in Section A.14.11.
<xs:element name="Function" type="xacml:FunctionType"/>
<xs:complexType name="FunctionType">
    <xs:attribute name="FunctionId" type="xs:anyURI" use="required"/>
</xs:complexType>
The <Function> element is of FunctionType complex type.
The <Function> element contains the following attribute:
FunctionId [Required]
The identifier for the function that is applied to the elements of a bag by the higher-order bag functions.
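As an added illustration (not code from the specification), here is a minimal Python evaluator for the <Rule>, <Condition> and <Apply> structure of Sections 5.22 to 5.25: nested <Apply> nodes are evaluated bottom-up, a condition that evaluates to True yields the rule's Effect, False yields NotApplicable, and a missing MustBePresent attribute or a failed function application yields Indeterminate. The node classes, the flat request-context dictionary and the urn:example identifiers are assumptions of this example; the FunctionId values are the standard XACML 1.0 identifiers.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

FN = "urn:oasis:names:tc:xacml:1.0:function:"   # prefix of the standard FunctionIds
INDETERMINATE = "Indeterminate"
NOT_APPLICABLE = "NotApplicable"


class IndeterminateError(Exception):
    """Raised when an argument or a function application cannot be evaluated."""


def one_and_only(bag: List[Any]) -> Any:
    # string-one-and-only: the bag must hold exactly one value, otherwise an error
    if len(bag) != 1:
        raise IndeterminateError("bag does not contain exactly one value")
    return bag[0]


# Standard XACML 1.0 function identifiers with this example's Python bodies.
FUNCTIONS = {
    FN + "string-one-and-only": one_and_only,
    FN + "string-equal": lambda a, b: a == b,
    FN + "string-is-in": lambda value, bag: value in bag,
    FN + "and": lambda *args: all(args),
    FN + "or": lambda *args: any(args),
    FN + "not": lambda a: not a,
}


@dataclass(frozen=True)
class AttributeValue:      # a literal <AttributeValue> argument
    value: Any


@dataclass(frozen=True)
class Designator:          # stands in for any *AttributeDesignator argument
    attribute_id: str
    must_be_present: bool = False


@dataclass(frozen=True)
class Apply:               # <Apply FunctionId="..."> with nested arguments
    function_id: str
    args: tuple = ()


Context = Dict[str, List[Any]]   # AttributeId -> bag of values (constructed form)


def evaluate(node: Any, ctx: Context) -> Any:
    """Evaluate an argument tree; raises IndeterminateError on failure."""
    if isinstance(node, AttributeValue):
        return node.value
    if isinstance(node, Designator):
        bag = ctx.get(node.attribute_id, [])
        if not bag and node.must_be_present:
            raise IndeterminateError(f"{node.attribute_id} is absent")
        return bag
    if isinstance(node, Apply):
        fn = FUNCTIONS.get(node.function_id)
        if fn is None:
            raise IndeterminateError(f"unknown function {node.function_id}")
        # arguments are evaluated first, so an Indeterminate argument propagates
        return fn(*[evaluate(a, ctx) for a in node.args])
    raise IndeterminateError(f"unsupported argument {node!r}")


@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str                        # EffectType: "Permit" or "Deny"
    condition: Optional[Apply] = None


def evaluate_rule(rule: Rule, ctx: Context) -> str:
    """Sections 5.22 and 5.24, assuming the rule's <Target> already matched:
    True yields the Effect, False NotApplicable, an error Indeterminate."""
    if rule.condition is None:
        return rule.effect
    try:
        outcome = evaluate(rule.condition, ctx)
    except IndeterminateError:
        return INDETERMINATE
    return rule.effect if outcome is True else NOT_APPLICABLE


# Constructed rule: Permit when the single subject role is "physician" and the
# record's department is one of the subject's departments (constructed AttributeIds).
ROLE, SUBJ_DEPT, RES_DEPT = "urn:example:role", "urn:example:subject-dept", "urn:example:resource-dept"
PHYSICIAN_OWN_DEPT = Rule(
    rule_id="urn:example:rule:physician-own-dept",
    effect="Permit",
    condition=Apply(FN + "and", (
        Apply(FN + "string-equal", (
            Apply(FN + "string-one-and-only", (Designator(ROLE, True),)),
            AttributeValue("physician"))),
        Apply(FN + "string-is-in", (
            Apply(FN + "string-one-and-only", (Designator(RES_DEPT, True),)),
            Designator(SUBJ_DEPT))),
    )),
)


def decide(role_bag: List[str], subj_depts: List[str], res_dept: List[str]) -> str:
    """Evaluate the constructed rule against a constructed request context."""
    return evaluate_rule(PHYSICIAN_OWN_DEPT,
                         {ROLE: role_bag, SUBJ_DEPT: subj_depts, RES_DEPT: res_dept})
```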
5.27 Complex type AttributeDesignatorType
The AttributeDesignatorType complex type is the type for elements and extensions that identify attributes. An element of this type contains properties by which it MAY be matched to attributes in the request context.
In addition, elements of this type MAY control behaviour in the event that no matching attribute is present in the context.
Elements of this type SHALL NOT alter the match semantics of named attributes, but MAY narrow the search space.
<xs:complexType name="AttributeDesignatorType">
    <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
    <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
    <xs:attribute name="Issuer" type="xs:string" use="optional"/>
    <xs:attribute name="MustBePresent" type="xs:boolean" use="optional" default="false"/>
</xs:complexType>
A named attribute SHALL match an attribute if the values of their respective AttributeId, DataType and Issuer attributes match. The attribute designator's AttributeId MUST match, by URI equality, the AttributeId of the attribute. The attribute designator's DataType MUST match, by URI equality, the DataType of the same attribute.
If the Issuer attribute is present in the attribute designator, then it MUST match, by string equality, the Issuer of the same attribute. If the Issuer is not present in the attribute designator, then the matching of the attribute to the named attribute SHALL be governed by the AttributeId and DataType attributes alone.
The AttributeDesignatorType complex type contains the following attributes:
AttributeId [Required]
This attribute SHALL specify the AttributeId with which to match the attribute.
DataType [Required]
This attribute SHALL specify the data-type with which to match the attribute.
Issuer [Optional]
This attribute, if supplied, SHALL specify the Issuer with which to match the attribute.
MustBePresent [Optional]
This attribute governs whether the element returns "Indeterminate" in the case where the named attribute is absent. If the named attribute is absent and MustBePresent is "True", then this element SHALL result in "Indeterminate". The default value SHALL be "False".
5.28 Element <SubjectAttributeDesignator>
The <SubjectAttributeDesignator> element is of the SubjectAttributeDesignatorType. The SubjectAttributeDesignatorType complex type extends the AttributeDesignatorType complex type. It is the base type for elements and extensions that refer to named categorized subject attributes. A named categorized subject attribute is defined as follows:
A subject is represented by a <Subject> element in the <xacml-context:Request> element. Each <Subject> element SHALL contain the XML attribute SubjectCategory. This attribute is called the subject category attribute.
A categorized subject is a subject that is identified by a particular subject category attribute.
A subject attribute is an attribute of a particular subject, i.e. one contained within a <Subject> element.
A named subject attribute is a named attribute for a subject.
A named categorized subject attribute is a named subject attribute for a particular categorized subject.
The SubjectAttributeDesignatorType complex type extends the AttributeDesignatorType with a SubjectCategory attribute. The SubjectAttributeDesignatorType extends the match semantics of the AttributeDesignatorType such that it narrows the attribute search space to the specific categorized subject, such that the value of this element's SubjectCategory attribute matches, by URI equality, the value of the <Request> element's subject category attribute.
If there are multiple subjects with the same SubjectCategory XML attribute, then they SHALL be treated as if they were one categorized subject.
Elements and extensions of the SubjectAttributeDesignatorType complex type determine the presence of select attribute values associated with named categorized subject attributes. Elements and extensions of the SubjectAttributeDesignatorType SHALL NOT alter the match semantics of named categorized subject attributes, but MAY narrow the search space.
<xs:complexType name="SubjectAttributeDesignatorType">
    <xs:complexContent>
        <xs:extension base="xacml:AttributeDesignatorType">
            <xs:attribute name="SubjectCategory" type="xs:anyURI" use="optional" default="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"/>
        </xs:extension>
    </xs:complexContent>
</xs:complexType>
The SubjectAttributeDesignatorType complex type contains the following attribute in addition to the attributes of the AttributeDesignatorType complex type:
SubjectCategory [Optional]
This attribute SHALL specify the categorized subject from which to match named subject attributes. If SubjectCategory is not present, then its default value of "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" SHALL be used.
5.29 Element <ResourceAttributeDesignator>
The <ResourceAttributeDesignator> element retrieves a bag of values for a named resource attribute. A resource attribute is an attribute contained within the <Resource> element of the <xacml-context:Request> element. A named resource attribute is a named attribute that matches a resource attribute. A named resource attribute SHALL be considered present if there is at least one resource attribute that matches the criteria set out below. A resource attribute value is an attribute value that is contained within a resource attribute.
The <ResourceAttributeDesignator> element SHALL return a bag containing all the resource attribute values that are matched by the named resource attribute. The MustBePresent attribute governs whether this element returns an empty bag or "Indeterminate" in the case that the named resource attribute is absent. If the named resource attribute is not present and the MustBePresent attribute is "False" (its default value), then this element SHALL evaluate to an empty bag. If the named resource attribute is not present and the MustBePresent attribute is "True", then this element SHALL evaluate to "Indeterminate". Regardless of the MustBePresent attribute, if it cannot be determined whether the named resource attribute is present or not in the request context, or the value of the named resource attribute is unavailable, then the expression SHALL evaluate to "Indeterminate".
A named resource attribute SHALL match a resource attribute as per the match semantics specified in the AttributeDesignatorType complex type [Section 5.27].
The <ResourceAttributeDesignator> MAY appear in the <ResourceMatch> element and MAY be passed to the <Apply> element as an argument.
<xs:element name="ResourceAttributeDesignator" type="xacml:AttributeDesignatorType"/>
The <ResourceAttributeDesignator> element is of the AttributeDesignatorType complex type.
5.30 Element <ActionAttributeDesignator>
The <ActionAttributeDesignator> element retrieves a bag of values for a named action attribute. An action attribute is an attribute contained within the <Action> element of the <xacml-context:Request> element. A named action attribute has specific criteria (described below) with which to match an action attribute. A named action attribute SHALL be considered present if there is at least one action attribute that matches the criteria. An action attribute value is an attribute value that is contained within an action attribute.
The <ActionAttributeDesignator> element SHALL return a bag of all the action attribute values that are matched by the named action attribute. The MustBePresent attribute governs whether this element returns an empty bag or "Indeterminate" in the case that the named action attribute is absent. If the named action attribute is not present and the MustBePresent attribute is "False" (its default value), then this element SHALL evaluate to an empty bag. If the named action attribute is not present and the MustBePresent attribute is "True", then this element SHALL evaluate to "Indeterminate". Regardless of the MustBePresent attribute, if it cannot be determined whether the named action attribute is present or not present in the request context, or the value of the named action attribute is unavailable, then the expression SHALL evaluate to "Indeterminate".
A named action attribute SHALL match an action attribute as per the match semantics specified in the AttributeDesignatorType complex type [Section 5.27].
The <ActionAttributeDesignator> MAY appear in the <ActionMatch> element and MAY be passed to the <Apply> element as an argument.
<xs:element name="ActionAttributeDesignator" type="xacml:AttributeDesignatorType"/>
The <ActionAttributeDesignator> element is of the AttributeDesignatorType complex type.
5.31 Element <EnvironmentAttributeDesignator>
The <EnvironmentAttributeDesignator> element retrieves a bag of values for a named environment attribute. An environment attribute is an attribute contained within the <Environment> element of the <xacml-context:Request> element. A named environment attribute has specific criteria (described below) with which to match an environment attribute. A named environment attribute SHALL be considered present if there is at least one environment attribute that matches the criteria. An environment attribute value is an attribute value that is contained within an environment attribute.
The <EnvironmentAttributeDesignator> element SHALL evaluate to a bag of all the environment attribute values that are matched by the named environment attribute. The MustBePresent attribute governs whether this element returns an empty bag or "Indeterminate" in the case that the named environment attribute is absent. If the named environment attribute is not present and the MustBePresent attribute is "False" (its default value), then this element SHALL evaluate to an empty bag. If the named environment attribute is not present and the MustBePresent attribute is "True", then this element SHALL evaluate to "Indeterminate". Regardless of the MustBePresent attribute, if it cannot be determined whether the named environment attribute is present or not present in the request context, or the value of the named environment attribute is unavailable, then the expression SHALL evaluate to "Indeterminate".
A named environment attribute SHALL match an environment attribute as per the match semantics specified in the AttributeDesignatorType complex type [Section 5.27].
The <EnvironmentAttributeDesignator> MAY be passed to the <Apply> element as an argument.
<xs:element name="EnvironmentAttributeDesignator" type="xacml:AttributeDesignatorType"/>
The <EnvironmentAttributeDesignator> element is of the AttributeDesignatorType complex type.
5.32 Element <AttributeSelector>
The AttributeSelector element's RequestContextPath XML attribute SHALL contain a legal XPath expression whose context node is the <xacml-context:Request> element. The AttributeSelector element SHALL evaluate to a bag of values whose data-type is specified by the element's DataType attribute. If the DataType specified in the AttributeSelector is a primitive data type defined in [XF] or [XS], then the value returned by the XPath expression SHALL be converted to the DataType specified in the AttributeSelector using the constructor function below [XF Section 4] that corresponds to the DataType. If an error results from using the constructor function, then the value of the AttributeSelector SHALL be Indeterminate.
xs:string(), xs:boolean(), xs:integer(), xs:double(), xs:dateTime(), xs:date(), xs:time(), xs:hexBinary(), xs:base64Binary(), xs:anyURI(), xf:yearMonthDuration(), xf:dayTimeDuration()
If the DataType specified in the AttributeSelector is not one of the preceding primitive DataTypes, then the AttributeSelector SHALL return a bag of instances of the specified DataType. If there are errors encountered in converting the values returned by the XPath expression to the specified DataType, then the result of the AttributeSelector SHALL be Indeterminate.
Each node selected by the specified XPath expression MUST be either a text node, an attribute node, a processing instruction node or a comment node. The string representation of the value of each selected node MUST be converted to an attribute value of the specified data type, and the result of the AttributeSelector is the bag of the attribute values generated from all the selected nodes.
If the selected node is different from the node types listed above (a text node, an attribute node, a processing instruction node or a comment node), then the result of that policy SHALL be Indeterminate with a StatusCode value of urn:oasis:names:tc:xacml:1.0:status:syntax-error.
Support for the <AttributeSelector> element is OPTIONAL.
<xs:element name="AttributeSelector" type="xacml:AttributeSelectorType"/>
<xs:complexType name="AttributeSelectorType">
  <xs:attribute name="RequestContextPath" type="xs:string" use="required"/>
  <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
  <xs:attribute name="MustBePresent" type="xs:boolean" use="optional" default="false"/>
</xs:complexType>
The <AttributeSelector> element is of AttributeSelectorType complex type.
The <AttributeSelector> element has the following attributes:
RequestContextPath [Required]
An XPath expression whose context node is the <xacml-context:Request> element. There SHALL be no restriction on the XPath syntax.
DataType [Required]
The bag of values returned by the AttributeSelector SHALL be of this data type.
MustBePresent [Optional]
Whether or not the designated attribute must be present in the context. If the XPath expression selects no node and the MustBePresent attribute is TRUE, then the result SHALL be Indeterminate and the status code SHALL be urn:oasis:names:tc:xacml:1.0:status:missing-attribute. If the XPath expression selects no node and the MustBePresent attribute is missing or FALSE, then the result SHALL be an empty bag. If the XPath expression selects at least one node and the selected node(s) could be successfully converted to a bag of values of the specified data-type, then the result SHALL be the bag, regardless of the value of the MustBePresent attribute. If the XPath expression selects at least one node but there is an error in converting one or more of the nodes to values of the specified data-type, then the result SHALL be Indeterminate and the status code SHALL be urn:oasis:names:tc:xacml:1.0:status:processing-error, regardless of the value of the MustBePresent attribute.
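The result rules of section 5.32 (empty bag versus Indeterminate, and which status code accompanies each failure) form a small decision procedure. The following is an added example, not code from the specification or from any XACML implementation, that walks through those rules in Python. Its XPath support is an assumption of the example: the RequestContextPath is taken to be an element path relative to <Request>, optionally ending in a text() or @name step, resolved with xml.etree.ElementTree; the md namespace, the record content and the attribute values are constructed sample data.

```python
"""AttributeSelector result rules (section 5.32), as an added illustration.

The XPath engine here is the restricted subset noted in the lead-in
(an assumption of this example), resolved with xml.etree.ElementTree.
"""
import xml.etree.ElementTree as ET

NS = {
    "xacml-context": "urn:oasis:names:tc:xacml:1.0:context",
    "md": "urn:example:medical",   # constructed namespace for the sample content
}

STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
STATUS_MISSING = "urn:oasis:names:tc:xacml:1.0:status:missing-attribute"
STATUS_SYNTAX = "urn:oasis:names:tc:xacml:1.0:status:syntax-error"
STATUS_PROCESSING = "urn:oasis:names:tc:xacml:1.0:status:processing-error"

XS = "http://www.w3.org/2001/XMLSchema#"


def _xs_boolean(text):
    if text.strip() in ("true", "1"):
        return True
    if text.strip() in ("false", "0"):
        return False
    raise ValueError("not an xs:boolean: %r" % text)


# Constructor functions for the primitive types this example supports,
# keyed by the data-type URI carried in the DataType attribute.
CONSTRUCTORS = {
    XS + "string": str,
    XS + "integer": int,
    XS + "double": float,
    XS + "boolean": _xs_boolean,
}


def select_nodes(request, path):
    """Restricted XPath: return (kind, string_value) for each selected node."""
    head, _, tail = path.rpartition("/")
    if tail == "text()":
        return [("text", el.text or "") for el in request.findall(head, NS)]
    if tail.startswith("@"):
        name = tail[1:]
        return [("attribute", el.get(name)) for el in request.findall(head, NS)
                if el.get(name) is not None]
    # Any other path selects element nodes, which section 5.32 does not allow.
    return [("element", "") for _ in request.findall(path, NS)]


def evaluate_selector(request, request_context_path, data_type, must_be_present=False):
    """Return (bag, status_code); bag is None when the result is Indeterminate."""
    nodes = select_nodes(request, request_context_path)
    if not nodes:                          # nothing selected: MustBePresent decides
        if must_be_present:
            return None, STATUS_MISSING
        return [], STATUS_OK
    if any(kind == "element" for kind, _ in nodes):
        return None, STATUS_SYNTAX         # wrong node type: syntax-error
    ctor = CONSTRUCTORS.get(data_type)
    if ctor is None:                       # only primitives handled here (assumption)
        return None, STATUS_PROCESSING
    try:
        return [ctor(value) for _, value in nodes], STATUS_OK
    except ValueError:
        return None, STATUS_PROCESSING     # constructor failed: processing-error


# Constructed sample request context carrying resource content.
SAMPLE_REQUEST = ET.fromstring("""<Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
         xmlns:md="urn:example:medical">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>alice</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <ResourceContent>
      <md:record id="r-42"><md:patientAge>17</md:patientAge></md:record>
    </ResourceContent>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>/records/r-42</AttributeValue>
    </Attribute>
  </Resource>
  <Action/>
</Request>""")

RECORD = "xacml-context:Resource/xacml-context:ResourceContent/md:record"
AGE_PATH = RECORD + "/md:patientAge/text()"
```

A policy that selects the patient's age as xs:integer gets the bag [17]; asking for the same text node as xs:boolean yields Indeterminate with processing-error, selecting the element itself instead of its text node yields syntax-error, and an absent node yields either an empty bag or missing-attribute depending on MustBePresent.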
5.33 Element <AttributeValue>
The <AttributeValue> element SHALL contain a literal attribute value.
<xs:element name="AttributeValue" type="xacml:AttributeValueType"/>
<xs:complexType name="AttributeValueType" mixed="true">
  <xs:sequence>
    <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
  <xs:anyAttribute namespace="##any" processContents="lax"/>
</xs:complexType>
The <AttributeValue> element is of AttributeValueType complex type.
The <AttributeValue> element has the following attributes:
DataType [Required]
The data-type of the attribute value.
5.34 Element <Obligations>
The <Obligations> element SHALL contain a set of <Obligation> elements.
Support for the <Obligations> element is OPTIONAL.
<xs:element name="Obligations" type="xacml:ObligationsType"/>
<xs:complexType name="ObligationsType">
  <xs:sequence>
    <xs:element ref="xacml:Obligation" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <Obligations> element is of ObligationsType complexType.
The <Obligations> element contains the following element:
<Obligation> [One to Many]
A sequence of obligations.
5.35 Element <Obligation>
The <Obligation> element SHALL contain an identifier for the obligation and a set of attributes that form arguments of the action defined by the obligation. The FulfillOn attribute SHALL indicate the effect for which this obligation applies.
<xs:element name="Obligation" type="xacml:ObligationType"/>
<xs:complexType name="ObligationType">
  <xs:sequence>
    <xs:element ref="xacml:AttributeAssignment" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:attribute name="ObligationId" type="xs:anyURI" use="required"/>
  <xs:attribute name="FulfillOn" type="xacml:EffectType" use="required"/>
</xs:complexType>
The <Obligation> element is of ObligationType complexType. See Section 7.11 for a description of how the set of obligations to be returned by the PDP is determined.
The <Obligation> element contains the following elements and attributes:
ObligationId [Required]
Obligation identifier. The value of the obligation identifier SHALL be interpreted by the PEP.
FulfillOn [Required]
The effect for which this obligation applies.
<AttributeAssignment> [One To Many]
Obligation arguments assignment. The values of the obligation arguments SHALL be interpreted by the PEP.
5.36 Element <AttributeAssignment>
The <AttributeAssignment> element SHALL contain an AttributeId and the corresponding attribute value. The AttributeId is part of attribute meta-data and is used when the attribute cannot be referenced by its location in the <xacml-context:Request>. This situation may arise in an <Obligation> element if the obligation includes parameters. The <AttributeAssignment> element MAY be used in any way consistent with the schema syntax, which is a sequence of "any". The value specified SHALL be understood by the PEP, but it is not further specified by XACML. See section 7.11 "Obligations".
<xs:element name="AttributeAssignment" type="xacml:AttributeAssignmentType"/>
<xs:complexType name="AttributeAssignmentType" mixed="true">
  <xs:complexContent>
    <xs:extension base="xacml:AttributeValueType">
      <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
The <AttributeAssignment> element is of AttributeAssignmentType complex type.
The <AttributeAssignment> element contains the following attributes:
AttributeId [Required]
The attribute identifier.
6 Context syntax (normative, with the exception of the schema fragments)
6.1 Element <Request>
The <Request> element is a top-level element in the XACML context schema. The <Request> element is an abstraction layer used by the policy language. Any proprietary system using the XACML specification MUST transform its decision request into the form of an XACML context <Request>.
The <Request> element contains <Subject>, <Resource>, <Action> and <Environment> elements. There may be multiple <Subject> elements. Each child element contains a sequence of <xacml-context:Attribute> elements associated with the subject, resource, action and environment, respectively.
<xs:element name="Request" type="xacml-context:RequestType"/>
<xs:complexType name="RequestType">
  <xs:sequence>
    <xs:element ref="xacml-context:Subject" maxOccurs="unbounded"/>
    <xs:element ref="xacml-context:Resource"/>
    <xs:element ref="xacml-context:Action"/>
    <xs:element ref="xacml-context:Environment" minOccurs="0"/>
  </xs:sequence>
</xs:complexType>
The <Request> element is of RequestType complex type.
The <Request> element contains the following elements:
<Subject> [One to Many]
Specifies information about a subject of the request context by listing a sequence of <Attribute> elements associated with the subject. One or more <Subject> elements are allowed. A subject is an entity associated with the access request. One subject might represent the human user that initiated the application from which the request was issued. Another subject might represent the application's executable code that created the request. Another subject might represent the machine on which the application was executing. Another subject might represent the entity that is to be the recipient of the resource. Attributes of each of these entities MUST be enclosed in a separate <Subject> element.
<Resource> [Required]
Specifies information about the resource for which access is being requested by listing a sequence of <Attribute> elements associated with the resource. It MAY include a <ResourceContent> element.
<Action> [Required]
Specifies the requested action to be performed on the resource by listing a set of <Attribute> elements associated with the action.
<Environment> [Optional]
Contains a set of <Attribute> elements of the environment. These <Attribute> elements MAY form a part of policy evaluation.
6.2 Element <Subject>
The <Subject> element specifies a subject by listing a sequence of <Attribute> elements associated with the subject.
<xs:element name="Subject" type="xacml-context:SubjectType"/>
<xs:complexType name="SubjectType">
  <xs:sequence>
    <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:attribute name="SubjectCategory" type="xs:anyURI" use="optional"
                default="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"/>
</xs:complexType>
The <Subject> element is of SubjectType complex type.
The <Subject> element contains the following elements:
SubjectCategory [Optional]
This attribute indicates the role that the parent <Subject> played in the formation of the access request. If this attribute is not present in a given <Subject> element, then the default value of "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" SHALL be used, indicating that the parent <Subject> element represents the entity ultimately responsible for initiating the access request.
If more than one <Subject> element contains a urn:oasis:names:tc:xacml:1.0:subject-category attribute with the same value, then the PDP SHALL treat the contents of those elements as if they were contained in the same <Subject> element.
<Attribute> [Any Number]
A sequence of attributes that apply to the subject.
Typically, a <Subject> element will contain an <Attribute> with an AttributeId of "urn:oasis:names:tc:xacml:1.0:subject:subject-id", containing the identity of the subject.
A <Subject> element MAY contain additional <Attribute> elements.
6.3 Element <Resource>
The <Resource> element specifies information about the resource to which access is requested by listing a sequence of <Attribute> elements associated with the resource. It MAY include the resource content.
<xs:element name="Resource" type="xacml-context:ResourceType"/>
<xs:complexType name="ResourceType">
  <xs:sequence>
    <xs:element ref="xacml-context:ResourceContent" minOccurs="0"/>
    <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <Resource> element is of ResourceType complex type.
The <Resource> element contains the following elements:
<ResourceContent> [Optional]
The resource content.
<Attribute> [Any Number]
A sequence of resource attributes. The <Resource> element MUST contain one and only one <Attribute> with an AttributeId of "urn:oasis:names:tc:xacml:1.0:resource:resource-id". This attribute specifies the identity of the resource to which access is requested.
A <Resource> element MAY contain additional <Attribute> elements.
6.4 Element <ResourceContent>
The <ResourceContent> element is a notional placeholder for the resource content. If an XACML policy references the contents of the resource, then the <ResourceContent> element SHALL be used as the reference point.
<xs:complexType name="ResourceContentType" mixed="true">
  <xs:sequence>
    <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:anyAttribute namespace="##any" processContents="lax"/>
</xs:complexType>
The <ResourceContent> element is of ResourceContentType complex type.
The <ResourceContent> element allows arbitrary elements and attributes.
6.5 Element <Action>
The <Action> element specifies the requested action on the resource by listing a set of <Attribute> elements associated with the action.
<xs:element name="Action" type="xacml-context:ActionType"/>
<xs:complexType name="ActionType">
  <xs:sequence>
    <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <Action> element is of ActionType complex type.
The <Action> element contains the following elements:
<Attribute> [Any Number]
List of attributes of the action to be performed on the resource.
6.6 Element <Environment>
The <Environment> element contains a set of attributes of the environment. These attributes MAY form part of the policy evaluation.
<xs:element name="Environment" type="xacml-context:EnvironmentType"/>
<xs:complexType name="EnvironmentType">
  <xs:sequence>
    <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <Environment> element is of EnvironmentType complex type.
The <Environment> element contains the following elements:
<Attribute> [Any Number]
A list of environment attributes. Environment attributes are attributes that are not associated with either the resource, the action or any of the subjects of the access request.
6.7 Element <Attribute>
The <Attribute> element is the central abstraction of the request context. It contains an attribute value and attribute meta-data. The attribute meta-data comprises the attribute identifier, the attribute issuer and the attribute issue instant. Attribute designators and attribute selectors in the policy MAY refer to attributes by means of this meta-data.
<xs:element name="Attribute" type="xacml-context:AttributeType"/>
<xs:complexType name="AttributeType">
  <xs:sequence>
    <xs:element ref="xacml-context:AttributeValue"/>
  </xs:sequence>
  <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
  <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
  <xs:attribute name="Issuer" type="xs:string" use="optional"/>
  <xs:attribute name="IssueInstant" type="xs:dateTime" use="optional"/>
</xs:complexType>
The <Attribute> element is of AttributeType complex type.
The <Attribute> element contains the following attributes and elements:
AttributeId [Required]
Attribute identifier. A number of identifiers are reserved by XACML to denote commonly used attributes.
DataType [Required]
The data-type of the contents of the <AttributeValue> element. This SHALL be either a primitive type defined by the XACML 1.0 specification or a type defined in a namespace declared in the <xacml-context> element.
Issuer [Optional]
Attribute issuer. This attribute value MAY be an x500Name that binds to a public key, or it may be some other identifier exchanged out-of-band by issuing and relying parties.
IssueInstant [Optional]
The date and time at which the attribute was issued.
<AttributeValue> [Required]
Exactly one attribute value. The mandatory attribute value MAY have contents that are empty, occur once or occur multiple times.
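Sections 6.1 to 6.7 describe the request context that a PDP consumes, and sections 5.30 and 5.31 describe how a designator looks a named attribute up in it. The following is an added example, not code from the specification or from any XACML product, that parses an <xacml-context:Request> into per-category attribute tables (merging <Subject> elements that share a SubjectCategory, as section 6.2 requires, and enforcing the single resource-id rule of section 6.3) and then applies the MustBePresent semantics of a designator to one of those tables. The matching criteria used in designate() (AttributeId and DataType equal, Issuer compared only when the designator names one) are an assumption of this example, as are the urn:example identifiers, the hr.example issuer and the constructed machine subject-category URI in the sample request.

```python
"""Request-context parsing (sections 6.1 to 6.7) and named-attribute lookup
(sections 5.30 and 5.31), as an added illustration; not XACML reference code.
"""
import xml.etree.ElementTree as ET

CTX = "{urn:oasis:names:tc:xacml:1.0:context}"
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
INDETERMINATE = "Indeterminate"


def _attributes(element):
    """Yield (AttributeId, DataType, Issuer, value) for each <Attribute> child."""
    for attr in element.findall(CTX + "Attribute"):
        value = attr.find(CTX + "AttributeValue")
        if value is None:
            raise ValueError("<Attribute> requires exactly one <AttributeValue>")
        yield (attr.get("AttributeId"), attr.get("DataType"),
               attr.get("Issuer"), (value.text or "").strip())


def parse_request(xml_text):
    """Return {'subjects': {category: [...]}, 'resource': [...], 'action': [...], 'environment': [...]}."""
    root = ET.fromstring(xml_text)
    if root.tag != CTX + "Request":
        raise ValueError("not an xacml-context:Request element")
    ctx = {"subjects": {}, "resource": [], "action": [], "environment": []}
    for subject in root.findall(CTX + "Subject"):
        # A missing SubjectCategory defaults to access-subject, and subjects
        # with equal categories are treated as one <Subject> (section 6.2).
        category = subject.get("SubjectCategory", ACCESS_SUBJECT)
        ctx["subjects"].setdefault(category, []).extend(_attributes(subject))
    for name in ("Resource", "Action", "Environment"):
        element = root.find(CTX + name)
        if element is not None:
            ctx[name.lower()] = list(_attributes(element))
    # Section 6.3: one and only one resource-id attribute.
    resource_ids = [a for a in ctx["resource"] if a[0] == RESOURCE_ID]
    if len(resource_ids) != 1:
        raise ValueError("expected exactly one resource-id attribute, found %d"
                         % len(resource_ids))
    return ctx


def designate(attributes, attribute_id, data_type, issuer=None, must_be_present=False):
    """Bag of values of the named attribute, or INDETERMINATE (5.30/5.31 semantics).

    Matching criteria (an assumption of this example): AttributeId and DataType
    must be equal; Issuer is compared only when the designator names one."""
    bag = [value for (aid, dt, iss, value) in attributes
           if aid == attribute_id and dt == data_type
           and (issuer is None or iss == issuer)]
    if not bag and must_be_present:
        return INDETERMINATE
    return bag


# Constructed sample: two <Subject> elements of the default category plus a
# machine subject under a constructed (non-XACML) category URI.
SAMPLE_REQUEST = """<Request xmlns="urn:oasis:names:tc:xacml:1.0:context">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>alice</AttributeValue>
    </Attribute>
  </Subject>
  <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:example:role" Issuer="hr.example"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>physician</AttributeValue>
    </Attribute>
  </Subject>
  <Subject SubjectCategory="urn:example:subject-category:machine">
    <Attribute AttributeId="urn:example:hostname"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>ws-17</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>/records/r-42</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
</Request>"""
```

After parse_request(), the two default-category subjects appear as one table, so a designator for the role attribute issued by hr.example finds "physician" there; asking for the same attribute from a different issuer yields an empty bag, or Indeterminate when MustBePresent is set. A request whose <Resource> carries no resource-id attribute is rejected at parse time.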
6.8 Element <AttributeValue>
The <AttributeValue> element contains the value of an attribute.
<xs:element name="AttributeValue" type="xacml-context:AttributeValueType"/>
<xs:complexType name="AttributeValueType" mixed="true">
  <xs:sequence>
    <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:anyAttribute namespace="##any" processContents="lax"/>
</xs:complexType>
The <AttributeValue> element is of AttributeValueType type.
The data-type of the <AttributeValue> MAY be specified by using the DataType attribute of the parent <Attribute> element.
6.9 Element <Response>
The <Response> element is a top-level element in the XACML context schema. The <Response> element is an abstraction layer used by the policy language. Any proprietary system using the XACML specification MUST transform an XACML context <Response> into the form of its authorization decision.
The <Response> element encapsulates the authorization decision produced by the PDP. It includes a sequence of one or more results, with one <Result> element per requested resource. Multiple results MAY be returned when the value of the "urn:oasis:xacml:1.0:resource:scope" resource attribute in the request context is "Descendants" or "Children". Support for multiple results is OPTIONAL.
<xs:element name="Response" type="xacml-context:ResponseType"/>
<xs:complexType name="ResponseType">
  <xs:sequence>
    <xs:element ref="xacml-context:Result" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <Response> element is of ResponseType complex type.
The <Response> element contains the following elements:
<Result> [One to Many]
An authorization decision result.
6.10 Element <Result>
The <Result> element represents an authorization decision result for the resource specified by the ResourceId attribute. It MAY include a set of obligations that MUST be fulfilled by the PEP. If the PEP does not understand an obligation, then it MUST act as if the PDP had denied access to the requested resource.
<xs:element name="Result" type="xacml-context:ResultType"/>
<xs:complexType name="ResultType">
  <xs:sequence>
    <xs:element ref="xacml-context:Decision"/>
    <xs:element ref="xacml-context:Status"/>
    <xs:element ref="xacml:Obligations" minOccurs="0"/>
  </xs:sequence>
  <xs:attribute name="ResourceId" type="xs:string" use="optional"/>
</xs:complexType>
The <Result> element is of ResultType complex type.
The <Result> element contains the following attributes and elements:
ResourceId [Optional]
The identifier of the requested resource. If this attribute is omitted, then the resource identity is specified by the "urn:oasis:names:tc:xacml:1.0:resource:resource-id" resource attribute in the corresponding <Request> element.
<Decision> [Required]
The authorization decision: "Permit", "Deny", "Indeterminate" or "NotApplicable".
<Status> [Required]
Indicates whether errors occurred during evaluation of the decision request, and optionally, information about those errors.
<xacml:Obligations> [Optional]
A list of obligations that MUST be fulfilled by the PEP. If the PEP does not understand an obligation, then it MUST act as if the PDP had denied access to the requested resource. See Section 7.11 for a description of how the set of obligations to be returned by the PDP is determined.
6.11 Element <Decision>
The <Decision> element contains the result of policy evaluation.
<xs:element name="Decision" type="xacml-context:DecisionType"/>
<xs:simpleType name="DecisionType">
  <xs:restriction base="xs:string">
    <xs:enumeration value="Permit"/>
    <xs:enumeration value="Deny"/>
    <xs:enumeration value="Indeterminate"/>
    <xs:enumeration value="NotApplicable"/>
  </xs:restriction>
</xs:simpleType>
The <Decision> element is of DecisionType simple type.
The values of the <Decision> element have the following meanings:
"Permit": the requested access is permitted.
"Deny": the requested access is denied.
"Indeterminate": the PDP is unable to evaluate the requested access. Reasons for such inability include: missing attributes, network errors while retrieving policies, division by zero during policy evaluation, syntax errors in the decision request or in the policy, etc.
"NotApplicable": the PDP does not have any policy that applies to this decision request.
6.12 Element <Status>
The <Status> element represents the status of the authorization decision result.
<xs:element name="Status" type="xacml-context:StatusType"/>
<xs:complexType name="StatusType">
  <xs:sequence>
    <xs:element ref="xacml-context:StatusCode"/>
    <xs:element ref="xacml-context:StatusMessage" minOccurs="0"/>
    <xs:element ref="xacml-context:StatusDetail" minOccurs="0"/>
  </xs:sequence>
</xs:complexType>
The <Status> element is of StatusType complex type.
The <Status> element contains the following elements:
<StatusCode> [Required]
Status code.
<StatusMessage> [Optional]
A status message describing the status code.
<StatusDetail> [Optional]
Additional status information.
6.13 Element <StatusCode>
The <StatusCode> element contains a major status code value and an optional sequence of minor status codes.
<xs:element name="StatusCode" type="xacml-context:StatusCodeType"/>
<xs:complexType name="StatusCodeType">
  <xs:sequence>
    <xs:element ref="xacml-context:StatusCode" minOccurs="0"/>
  </xs:sequence>
  <xs:attribute name="Value" type="xs:anyURI" use="required"/>
</xs:complexType>
The <StatusCode> element is of StatusCodeType complex type.
The <StatusCode> element contains the following attributes and elements:
Value [Required]
See Section B.9 for a list of values.
<StatusCode> [Any Number]
Minor status code. This status code qualifies its parent status code.
6.14 Element <StatusMessage>
The <StatusMessage> element is a free-form description of the status code.
<xs:element name="StatusMessage" type="xs:string"/>
The <StatusMessage> element is of xs:string type.
6.15 Element <StatusDetail>
The <StatusDetail> element qualifies the <Status> element with additional information.
<xs:element name="StatusDetail" type="xacml-context:StatusDetailType"/>
<xs:complexType name="StatusDetailType">
  <xs:sequence>
    <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <StatusDetail> element is of StatusDetailType complex type.
The <StatusDetail> element allows arbitrary XML content.
Inclusion of a <StatusDetail> element is optional. However, if a PDP returns one of the following XACML-defined <StatusCode> values and includes a <StatusDetail> element, then the following rules apply:
urn:oasis:names:tc:xacml:1.0:status:ok
A PDP MUST NOT return a <StatusDetail> element in conjunction with the "ok" status value.
urn:oasis:names:tc:xacml:1.0:status:missing-attribute
A PDP MAY choose not to return any <StatusDetail> information, or MAY choose to return a <StatusDetail> element containing one or more <xacml-context:Attribute> elements. If the PDP includes <AttributeValue> elements in the <Attribute> element, then this indicates the acceptable values for that attribute. If no <AttributeValue> elements are included, then this indicates the names of attributes that the PDP failed to resolve during its evaluation. The list of attributes may be partial or complete. There is no guarantee by the PDP that supplying the missing values or attributes will be sufficient to satisfy the policy.
urn:oasis:names:tc:xacml:1.0:status:syntax-error
A PDP MUST NOT return a <StatusDetail> element in conjunction with the "syntax-error" status value. A syntax error may represent either a problem with the policy being used or with the request context. The PDP MAY return a <StatusMessage> describing the problem.
urn:oasis:names:tc:xacml:1.0:status:processing-error
A PDP MUST NOT return a <StatusDetail> element in conjunction with the "processing-error" status value. This status code indicates an internal problem in the PDP. For security reasons, the PDP MAY choose to return no further information to the PEP. In the case of a divide-by-zero error or other computational error, the PDP MAY return a <StatusMessage> describing the nature of the error.
7 Functional requirements (normative)
This section specifies certain functional requirements that are not directly associated with the production or consumption of a particular XACML element.
7.1 Policy enforcement point
This section describes the requirements for the PEP.
An application functions in the role of the PEP if it guards access to a set of resources and asks the PDP for an authorization decision. The PEP MUST abide by the authorization decision in the following way:
A PEP SHALL allow access to the resource only if a valid XACML response of Permit is returned by the PDP. The PEP SHALL deny access to the resource in all other cases. An XACML response of Permit SHALL be considered valid only if the PEP understands all of the obligations contained in the response.
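The rule of section 7.1, together with the <Result> and obligation structure of sections 6.9 to 6.12 and 5.34 to 5.36, fixes exactly when a PEP may grant access: only on a Permit whose obligations it all understands, with every other outcome (Deny, NotApplicable, Indeterminate, or a Permit carrying an obligation the PEP cannot honour) treated as a denial. The following is an added example, not code from the specification, of a PEP applying that rule to a multi-result <xacml-context:Response>. The obligation identifiers, the audit attribute and the fulfilment callback are constructed for the example.

```python
"""PEP handling of an <xacml-context:Response> (sections 6.9 to 6.12 and 7.1),
as an added illustration; not code from the specification.
"""
import xml.etree.ElementTree as ET

CTX = "{urn:oasis:names:tc:xacml:1.0:context}"
XACML = "{urn:oasis:names:tc:xacml:1.0:policy}"


def parse_results(xml_text):
    """Return a list of (resource_id, decision, status_code, obligations) per <Result>.

    obligations is a list of (ObligationId, {AttributeId: value}) pairs built
    from the <xacml:Obligation> and <xacml:AttributeAssignment> elements."""
    root = ET.fromstring(xml_text)
    if root.tag != CTX + "Response":
        raise ValueError("not an xacml-context:Response element")
    results = []
    for result in root.findall(CTX + "Result"):
        decision = (result.findtext(CTX + "Decision") or "").strip()
        code = result.find(CTX + "Status/" + CTX + "StatusCode")
        status = code.get("Value") if code is not None else None
        obligations = []
        for ob in result.findall(XACML + "Obligations/" + XACML + "Obligation"):
            args = {a.get("AttributeId"): (a.text or "").strip()
                    for a in ob.findall(XACML + "AttributeAssignment")}
            obligations.append((ob.get("ObligationId"), args))
        results.append((result.get("ResourceId"), decision, status, obligations))
    return results


def pep_allows(result, understood, fulfil):
    """Section 7.1: allow only a valid Permit; deny in every other case.

    understood: set of ObligationId URIs this PEP knows how to carry out.
    fulfil: callback fulfil(obligation_id, args) run before access is granted."""
    _resource_id, decision, _status, obligations = result
    if decision != "Permit":
        return False
    # A Permit is valid only if every obligation is understood (6.10, 7.1);
    # an unknown obligation is treated exactly like a Deny.
    if any(oid not in understood for oid, _ in obligations):
        return False
    for oid, args in obligations:
        fulfil(oid, args)
    return True


def enforce(xml_text, understood, fulfil):
    """Map each ResourceId in the response to the PEP's allow (True) or deny (False)."""
    return {r[0]: pep_allows(r, understood, fulfil) for r in parse_results(xml_text)}


# Constructed sample response: one Permit with an understood obligation, one
# Permit with an obligation this PEP does not implement, one NotApplicable.
SAMPLE_RESPONSE = """<Response xmlns="urn:oasis:names:tc:xacml:1.0:context"
          xmlns:xacml="urn:oasis:names:tc:xacml:1.0:policy">
  <Result ResourceId="/records/r-42">
    <Decision>Permit</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
    <xacml:Obligations>
      <xacml:Obligation ObligationId="urn:example:obligation:audit-log" FulfillOn="Permit">
        <xacml:AttributeAssignment AttributeId="urn:example:audit:reason"
            DataType="http://www.w3.org/2001/XMLSchema#string">emergency access</xacml:AttributeAssignment>
      </xacml:Obligation>
    </xacml:Obligations>
  </Result>
  <Result ResourceId="/records/r-43">
    <Decision>Permit</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
    <xacml:Obligations>
      <xacml:Obligation ObligationId="urn:example:obligation:watermark" FulfillOn="Permit"/>
    </xacml:Obligations>
  </Result>
  <Result ResourceId="/records/r-44">
    <Decision>NotApplicable</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
  </Result>
</Response>"""
```

With a PEP that implements only the audit-log obligation, enforce() grants /records/r-42 (and runs the audit callback with the assigned reason), denies /records/r-43 because the watermark obligation is not understood, and denies /records/r-44 because NotApplicable is not Permit. Teaching the PEP the watermark obligation flips only the second outcome.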
7.2 Base policy
A PDP SHALL represent one policy or policy set, called its base policy. This base policy MAY be a <Policy> element containing a <Target> element that matches every possible decision request, or (for instance) it MAY be a <Policy> element containing a <Target> element that matches only a specific subject. In such cases, the base policy SHALL form the root-node of a tree of policies connected by <PolicyIdReference> and <PolicySetIdReference> elements to all the rules that may be applicable to any decision request that the PDP is capable of evaluating.
In the case of a PDP that retrieves policies according to the decision request that it is processing, the base policy SHALL contain a <Policy> element containing a <Target> element that matches every possible decision request and a PolicyCombiningAlgId attribute with the value "Only-one-applicable". In other words, the PDP SHALL return an error if it retrieves policies that do not form a single tree.
73 Target evaluationThe target value SHALL be Match if the subject resource and action specified in the target all match values in the request context The target value SHALL be No-match if one or more of the subject resource and action specified in the target do not match values in the request context The value of a ltSubjectMatchgt ltResourceMatchgt or ltActionMatchgt element in which a referenced attribute value cannot be obtained depends on the value of the MustBePresent attribute of the ltAttributeDesignatorgt or ltAttributeSelectorgt element If the MustBePresent attribute is True then the result of the ltSubjectMatchgt ltResourceMatchgt or ltActionMatchgt element SHALL be Indeterminate in this case If the MustBePresent attribute is False or missing then the result of the ltSubjectMatchgt ltResourceMatchgt or ltActionMatchgt element SHALL be No-match
74 Condition evaluationThe condition value SHALL be True if the ltConditiongt element is absent or if it evaluates to True for the attribute values supplied in the request context Its value is False if the ltConditiongt element evaluates to False for the attribute values supplied in the request context If any attribute value referenced in the condition cannot be obtained then the condition SHALL evaluate to Indeterminate
75 Rule evaluationA rule has a value that can be calculated by evaluating its contents Rule evaluation involves separate evaluation of the rules target and condition The rule truth table is shown in Table 1
Target Condition Rule Value
ldquoMatchrdquo ldquoTruerdquo Effect
ldquoMatchrdquo ldquoFalserdquo ldquoNotApplicablerdquo
ldquoMatchrdquo ldquoIndeterminaterdquo ldquoIndeterminaterdquo
ldquoNo-matchrdquo Donrsquot care ldquoNotApplicablerdquo
ldquoIndeterminaterdquo Donrsquot care ldquoIndeterminaterdquo
Table 1 - Rule truth table
If the target value is No-match or ldquoIndeterminaterdquo then the rule value SHALL be ldquoNotApplicablerdquo or ldquoIndeterminaterdquo respectively regardless of the value of the condition For these cases therefore the condition need not be evaluated in order to determine the rule value
If the target value is ldquoMatchrdquo and the condition value is ldquoTruerdquo then the effect specified in the rule SHALL determine the rule value
7.6 Policy evaluation
The value of a policy SHALL be determined only by its contents, considered in relation to the contents of the request context. A policy's value SHALL be determined by evaluation of the policy's target and rules, according to the specified rule-combining algorithm.
The policy's target SHALL be evaluated to determine the applicability of the policy. If the target evaluates to "Match", then the value of the policy SHALL be determined by evaluation of the policy's rules, according to the specified rule-combining algorithm. If the target evaluates to "No-match", then the value of the policy SHALL be "NotApplicable". If the target evaluates to "Indeterminate", then the value of the policy SHALL be "Indeterminate".
The policy truth table is shown in Table 2.

Target            Rule values                                   Policy Value
"Match"           At least one rule value is its Effect         Specified by the rule-combining algorithm
"Match"           All rule values are "NotApplicable"           "NotApplicable"
"Match"           At least one rule value is "Indeterminate"    Specified by the rule-combining algorithm
"No-match"        Don't care                                    "NotApplicable"
"Indeterminate"   Don't care                                    "Indeterminate"
Table 2 - Policy truth table

A rules value of "At least one rule value is its Effect" SHALL be used if the <Rule> element is absent, or if one or more of the rules contained in the policy is applicable to the decision request (i.e. returns a value of "Effect"; see Section 7.5). A rules value of "All rule values are 'NotApplicable'" SHALL be used if no rule contained in the policy is applicable to the request, and if no rule contained in the policy returns a value of "Indeterminate". If no rule contained in the policy is applicable to the request, but one or more rule returns a value of "Indeterminate", then the rules value SHALL evaluate to "At least one rule value is 'Indeterminate'".
If the target value is "No-match" or "Indeterminate", then the policy value SHALL be "NotApplicable" or "Indeterminate", respectively, regardless of the value of the rules. For these cases, therefore, the rules need not be evaluated in order to determine the policy value.
If the target value is "Match" and the rules value is "At least one rule value is its Effect" or "At least one rule value is 'Indeterminate'", then the rule-combining algorithm specified in the policy SHALL determine the policy value.
7.7 Policy Set evaluation
The value of a policy set SHALL be determined by its contents, considered in relation to the contents of the request context. A policy set's value SHALL be determined by evaluation of the policy set's target, policies and policy sets, according to the specified policy-combining algorithm.
The policy set's target SHALL be evaluated to determine the applicability of the policy set. If the target evaluates to "Match", then the value of the policy set SHALL be determined by evaluation of the policy set's policies and policy sets, according to the specified policy-combining algorithm. If the target evaluates to "No-match", then the value of the policy set SHALL be "NotApplicable". If the target evaluates to "Indeterminate", then the value of the policy set SHALL be "Indeterminate".
The policy set truth table is shown in Table 3.

Target            Policy values                                  Policy Set Value
"Match"           At least one policy value is its Decision      Specified by the policy-combining algorithm
"Match"           All policy values are "NotApplicable"          "NotApplicable"
"Match"           At least one policy value is "Indeterminate"   Specified by the policy-combining algorithm
"No-match"        Don't care                                     "NotApplicable"
"Indeterminate"   Don't care                                     "Indeterminate"
Table 3 - Policy set truth table

A policies value of "At least one policy value is its Decision" SHALL be used if there are no contained or referenced policies or policy sets, or if one or more of the policies or policy sets contained in or referenced by the policy set is applicable to the decision request (i.e. returns a value determined by its rule-combining algorithm; see Section 7.6). A policies value of "All policy values are 'NotApplicable'" SHALL be used if no policy or policy set contained in or referenced by the policy set is applicable to the request, and if no policy or policy set contained in or referenced by the policy set returns a value of "Indeterminate". If no policy or policy set contained in or referenced by the policy set is applicable to the request, but one or more policy or policy set returns a value of "Indeterminate", then the policies value SHALL evaluate to "At least one policy value is 'Indeterminate'".
If the target value is "No-match" or "Indeterminate", then the policy set value SHALL be "NotApplicable" or "Indeterminate", respectively, regardless of the value of the policies. For these cases, therefore, the policies need not be evaluated in order to determine the policy set value.
If the target value is "Match" and the policies value is "At least one policy value is its Decision" or "At least one policy value is 'Indeterminate'", then the policy-combining algorithm specified in the policy set SHALL determine the policy set value.
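Tables 1 to 3 carried into working code, as an added illustration rather than code from the specification or from any XACML implementation. Targets and conditions are modelled as callables that already return the three-valued results the text defines; deny_overrides is a constructed, simplified combining algorithm (not the normative one), and the attribute names and the doctor/record scenario are made up for the demo.

```python
from dataclasses import dataclass
from typing import Callable, List, Union

MATCH, NO_MATCH, INDETERMINATE = "Match", "No-match", "Indeterminate"
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
Context = dict  # constructed request context: attribute name -> value

@dataclass
class Rule:
    effect: str                                    # "Permit" or "Deny"
    target: Callable[[Context], str]               # Match / No-match / Indeterminate
    condition: Callable[[Context], str] = lambda ctx: "True"  # absent <Condition> counts as "True"

@dataclass
class Policy:
    target: Callable[[Context], str]
    rules: List[Rule]
    combine: Callable[[List[str]], str]            # rule-combining algorithm

@dataclass
class PolicySet:
    target: Callable[[Context], str]
    children: List[Union[Policy, "PolicySet"]]
    combine: Callable[[List[str]], str]            # policy-combining algorithm

def evaluate_rule(rule: Rule, ctx: Context) -> str:
    """Table 1: the target gates the rule; the condition is consulted only on Match."""
    target = rule.target(ctx)
    if target == NO_MATCH:
        return NOT_APPLICABLE
    if target == INDETERMINATE:
        return INDETERMINATE
    condition = rule.condition(ctx)
    if condition == "True":
        return rule.effect
    return NOT_APPLICABLE if condition == "False" else INDETERMINATE

def _after_target_match(values: List[str], combine: Callable[[List[str]], str]) -> str:
    """Rows 1-3 of Tables 2 and 3: all children NotApplicable short-circuits to
    NotApplicable; any Effect/Decision or Indeterminate goes to the combining
    algorithm, as does an empty list (no contained rules or policies)."""
    if values and all(v == NOT_APPLICABLE for v in values):
        return NOT_APPLICABLE
    return combine(values)

def evaluate_policy(policy: Policy, ctx: Context) -> str:
    """Table 2."""
    target = policy.target(ctx)
    if target == NO_MATCH:
        return NOT_APPLICABLE
    if target == INDETERMINATE:
        return INDETERMINATE
    return _after_target_match([evaluate_rule(r, ctx) for r in policy.rules], policy.combine)

def evaluate_policy_set(pset: PolicySet, ctx: Context) -> str:
    """Table 3: the same shape one level up; children are policies or policy sets."""
    target = pset.target(ctx)
    if target == NO_MATCH:
        return NOT_APPLICABLE
    if target == INDETERMINATE:
        return INDETERMINATE
    values = [evaluate_policy_set(c, ctx) if isinstance(c, PolicySet) else evaluate_policy(c, ctx)
              for c in pset.children]
    return _after_target_match(values, pset.combine)

def deny_overrides(values: List[str]) -> str:
    """Constructed combining algorithm for the demo, an assumption simplified from the
    normative deny-overrides: Deny wins, then Indeterminate, then Permit."""
    for outcome in (DENY, INDETERMINATE, PERMIT):
        if outcome in values:
            return outcome
    return NOT_APPLICABLE

def attr_equals(name: str, expected: str) -> Callable[[Context], str]:
    """Constructed target: Match or No-match on the attribute's value, Indeterminate
    when the attribute is missing (the MustBePresent="True" case of Section 7.3)."""
    def target(ctx: Context) -> str:
        if name not in ctx:
            return INDETERMINATE
        return MATCH if ctx[name] == expected else NO_MATCH
    return target

def build_demo_policy_set() -> PolicySet:
    """Constructed sample: doctors may read records, except confidential ones."""
    read_records = Policy(
        target=attr_equals("action", "read"),
        rules=[
            Rule(PERMIT, target=attr_equals("role", "doctor")),
            Rule(DENY, target=attr_equals("role", "doctor"),
                 condition=lambda ctx: "True" if ctx.get("confidential") == "yes" else "False"),
        ],
        combine=deny_overrides,
    )
    return PolicySet(target=attr_equals("resource", "record"),
                     children=[read_records], combine=deny_overrides)
```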
7.8 Hierarchical resources
It is often the case that a resource is organized as a hierarchy (e.g. file system, XML document). Some access requesters may request access to an entire subtree of a resource, specified by a node. XACML allows the PEP (or context handler) to specify whether the decision request is just for a single resource, or for a subtree below the specified resource. The latter is equivalent to repeating a single request for each node in the entire subtree. When a request context contains a resource attribute of type "urn:oasis:names:tc:xacml:1.0:resource:scope" with a value of "Immediate", or if it does not contain that attribute, then the decision request SHALL be interpreted to apply to just the single resource specified by the "urn:oasis:names:tc:xacml:1.0:resource:resource-id" attribute.
When the "urn:oasis:names:tc:xacml:1.0:resource:scope" attribute has the value "Children", the decision request SHALL be interpreted to apply to the specified resource and its immediate children resources.
When the "urn:oasis:names:tc:xacml:1.0:resource:scope" attribute has the value "Descendants", the decision request SHALL be interpreted to apply to both the specified resource and all its descendant resources.
In the case of "Children" and "Descendants", the authorization decision MAY include multiple results for the multiple sub-nodes in the resource sub-tree.
An XACML authorization response MAY contain multiple <Result> elements.
Note that the method by which the PDP discovers whether the resource is hierarchically organized or not is outside the scope of XACML.
In the case where a child or descendant resource cannot be accessed, the <Result> element associated with the parent element SHALL contain a <StatusCode> value of "urn:oasis:names:tc:xacml:1.0:status:processing-error".
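Scope handling from this section as an added example, not code from the specification or any PDP. The resource tree, the inaccessible node and the deny_private stand-in for policy evaluation are constructed; the page does not say whether a node that cannot itself be reached gets a <Result>, so the example omits it and marks that choice as an assumption.

```python
from typing import Callable, Dict, List, Set

SCOPE = "urn:oasis:names:tc:xacml:1.0:resource:scope"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
PROCESSING_ERROR = "urn:oasis:names:tc:xacml:1.0:status:processing-error"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"   # XACML 1.0 success code, not quoted on this page

# Constructed hierarchy standing in for a file system: node -> its immediate children.
TREE: Dict[str, List[str]] = {
    "/docs": ["/docs/readme", "/docs/sub"],
    "/docs/sub": ["/docs/sub/plan", "/docs/sub/private"],
    "/docs/sub/private": ["/docs/sub/private/notes"],
}
# Constructed: this node cannot be accessed by the PDP.
INACCESSIBLE: Set[str] = {"/docs/sub/private/notes"}

def resources_in_scope(resource_id: str, scope: str) -> List[str]:
    """Section 7.8: Immediate -> the node; Children -> node plus immediate children;
    Descendants -> node plus its whole subtree (pre-order). Unknown values are rejected."""
    if scope == "Immediate":
        return [resource_id]
    if scope == "Children":
        return [resource_id] + TREE.get(resource_id, [])
    if scope == "Descendants":
        out, stack = [], [resource_id]
        while stack:
            node = stack.pop()
            out.append(node)
            stack.extend(reversed(TREE.get(node, [])))
        return out
    raise ValueError(f"unknown resource scope: {scope}")

def results_for_request(resource_attrs: Dict[str, str],
                        decide: Callable[[str], str]) -> List[dict]:
    """One <Result> per resource in scope (absent scope attribute = Immediate). A node
    one of whose children cannot be accessed carries a processing-error status, as the
    text requires; a node that is itself unreachable gets no result (assumption)."""
    scope = resource_attrs.get(SCOPE, "Immediate")
    results = []
    for node in resources_in_scope(resource_attrs[RESOURCE_ID], scope):
        if node in INACCESSIBLE:
            continue
        blocked = any(child in INACCESSIBLE for child in TREE.get(node, []))
        results.append({
            "ResourceId": node,
            "Decision": decide(node),
            "StatusCode": PROCESSING_ERROR if blocked else STATUS_OK,
        })
    return results

def deny_private(resource_id: str) -> str:
    """Constructed stand-in for the PDP's policy evaluation of a single node."""
    return "Deny" if "/private" in resource_id else "Permit"
```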
7.9 Attributes
Attributes are specified in the request context, regardless of whether or not they appeared in the original decision request, and are referred to in the policy by subject, resource, action and environment attribute designators and attribute selectors. A named attribute is the term used for the criteria that the specific subject, resource, action and environment attribute designators and selectors use to refer to attributes in the subject, resource, action and environment elements of the request context, respectively.
7.9.1 Attribute Matching
A named attribute has specific criteria with which to match attributes in the context. An attribute specifies AttributeId, DataType and Issuer attributes, and each named attribute also specifies AttributeId, DataType and optional Issuer attributes. A named attribute SHALL match an attribute if the values of their respective AttributeId, DataType and optional Issuer attributes match within their particular element, e.g. subject, resource, action or environment, of the context. The AttributeId of the named attribute MUST match, by URI equality, the AttributeId of the context attribute. The DataType of the named attribute MUST match, by URI equality, the DataType of the same context attribute. If Issuer is supplied in the named attribute, then it MUST match, by string equality, the Issuer of the same context attribute. If Issuer is not supplied in the named attribute, then the matching of the context attribute to the named attribute SHALL be governed by AttributeId and DataType alone, regardless of the presence, absence or actual value of Issuer. In the case of an attribute selector, the matching of the attribute to the named attribute SHALL be governed by the XPath expression and DataType.
7.9.2 Attribute Retrieval
The PDP SHALL request the values of attributes in the request context from the context handler. The PDP SHALL reference the attributes as if they were in a physical request context document, but the context handler is responsible for obtaining and supplying the requested values. The context handler SHALL return the values of attributes that match the attribute designator or attribute selector and form them into a bag of values with the specified data-type. If no attributes from the request context match, then the attribute SHALL be considered missing. If the attribute is missing, then MustBePresent governs whether the attribute designator or attribute selector returns an empty bag or an "Indeterminate" result. If MustBePresent is "False" (default value), then a missing attribute SHALL result in an empty bag. If MustBePresent is "True", then a missing attribute SHALL result in "Indeterminate". This "Indeterminate" result SHALL be handled in accordance with the specification of the encompassing expressions, rules, policies and policy sets. If the result is "Indeterminate", then the AttributeId, DataType and Issuer of the attribute MAY be listed in the authorization decision, as described in Section 7.10. However, a PDP MAY choose not to return such information for security reasons.
7.9.3 Environment Attributes
Environment attributes are listed in Section B.8. If a value for one of these attributes is supplied in the decision request, then the context handler SHALL use that value. Otherwise, the context handler SHALL supply a value. For the date and time attributes, the supplied value SHALL have the semantics of date and time that apply to the decision request.
7.10 Authorization decision
Given a valid XACML policy or policy set, a compliant XACML PDP MUST evaluate the policy as specified in Sections 5 and 4.2. The PDP MUST return a response context, with one <Decision> element of value "Permit", "Deny", "Indeterminate" or "NotApplicable".
If the PDP cannot make a decision, then an "Indeterminate" <Decision> element contents SHALL be returned. The PDP MAY return a <Decision> element contents of "Indeterminate" with a status code of "urn:oasis:names:tc:xacml:1.0:missing-attribute", signifying that more information is needed. In this case, the <Status> element MAY list the names and data-types of any attributes of the subjects, resource, action or environment that are needed by the PDP to refine its decision. A PEP MAY resubmit a refined request context in response to a <Decision> element contents of "Indeterminate" with a status code of "urn:oasis:names:tc:xacml:1.0:missing-attribute" by adding attribute values for the attribute names that were listed in the previous response. When the PDP returns a <Decision> element contents of "Indeterminate" with a status code of "urn:oasis:names:tc:xacml:1.0:missing-attribute", it MUST NOT list the names and data-types of any attribute of the subject, resource, action or environment for which values were supplied in the original request. Note that this requirement forces the PDP to eventually return an authorization decision of "Permit", "Deny" or "Indeterminate" with some other status code, in response to successively-refined requests.
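Named-attribute matching (Section 7.9.1), retrieval under MustBePresent (Section 7.9.2) and the missing-attribute reporting rule of Section 7.10 in one added example, not code from the specification or any PDP. The request context, the urn:example attribute identifiers and the dictionary shape used for the <Status> are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

INDETERMINATE = "Indeterminate"
STRING = "http://www.w3.org/2001/XMLSchema#string"
# Status code the page gives for a decision that needs more attributes (Section 7.10).
MISSING_ATTRIBUTE = "urn:oasis:names:tc:xacml:1.0:missing-attribute"

# Constructed request context: category -> list of <Attribute> elements. Two role
# attributes share AttributeId and DataType but come from different issuers.
SAMPLE_CONTEXT: Dict[str, List[dict]] = {
    "subject": [
        {"AttributeId": "urn:example:role", "DataType": STRING,
         "Issuer": "hr.example.com", "AttributeValue": "doctor"},
        {"AttributeId": "urn:example:role", "DataType": STRING,
         "Issuer": "self-asserted", "AttributeValue": "admin"},
    ],
    "resource": [
        {"AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
         "DataType": STRING, "AttributeValue": "/records/42"},
    ],
}

@dataclass(frozen=True)
class NamedAttribute:
    """What an <AttributeDesignator> names (hypothetical model, not the schema type)."""
    category: str                  # subject, resource, action or environment
    attribute_id: str
    data_type: str
    issuer: Optional[str] = None   # optional; when absent, any Issuer matches
    must_be_present: bool = False

def matches(named: NamedAttribute, attr: dict) -> bool:
    """Section 7.9.1: AttributeId and DataType by URI equality; Issuer by string
    equality, and only when the designator supplies one."""
    if attr["AttributeId"] != named.attribute_id or attr["DataType"] != named.data_type:
        return False
    return named.issuer is None or attr.get("Issuer") == named.issuer

def retrieve(named: NamedAttribute, context: dict) -> Union[List[str], str]:
    """Section 7.9.2: the bag of matching values; an empty bag when nothing matches
    and MustBePresent is False (the default); Indeterminate when it is True."""
    bag = [a["AttributeValue"] for a in context.get(named.category, []) if matches(named, a)]
    if not bag and named.must_be_present:
        return INDETERMINATE
    return bag

def missing_attribute_status(named: NamedAttribute, context: dict) -> dict:
    """Section 7.10: the <Status> MAY name the missing attribute, but MUST NOT name one
    for which the request already supplied values (same AttributeId and DataType in the
    same category, whatever the Issuer). The "StatusDetail" key is an assumed shape."""
    supplied = any(a["AttributeId"] == named.attribute_id and a["DataType"] == named.data_type
                   for a in context.get(named.category, []))
    status = {"StatusCode": MISSING_ATTRIBUTE, "StatusDetail": []}
    if not supplied:
        status["StatusDetail"].append({"AttributeId": named.attribute_id,
                                       "DataType": named.data_type,
                                       "Issuer": named.issuer})
    return status
```

A designator naming a trusted Issuer turns the self-asserted role into a non-match, and because the request did supply a role, the resulting Indeterminate must not be reported back as a missing attribute.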
7.11 Obligations
A policy or policy set may contain one or more obligations. When such a policy or policy set is evaluated, an obligation SHALL be passed up to the next level of evaluation (the enclosing or referencing policy set, or authorization decision) only if the effect of the policy or policy set being evaluated matches the value of the xacml:FulfillOn attribute of the obligation.
As a consequence of this procedure, no obligations SHALL be returned to the PEP if the policies or policy sets from which they are drawn are not evaluated, or if their evaluated result is "Indeterminate" or "NotApplicable", or if the decision resulting from evaluating the policy or policy set does not match the decision resulting from evaluating an enclosing policy set.
If the PDP's evaluation is viewed as a tree of policy sets and policies, each of which returns "Permit" or "Deny", then the set of obligations returned by the PDP to the PEP will include only the obligations associated with those paths where the effect at each level of evaluation is the same as the effect being returned by the PDP.
A PEP that receives a valid XACML response of "Permit" with obligations SHALL be responsible for fulfilling all of those obligations. A PEP that receives an XACML response of "Deny" with obligations SHALL be responsible for fulfilling all of the obligations that it understands.
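Obligation propagation as described above, as an added example rather than the specification's code. The evaluation tree, the obligation identifiers and the root's assumed "Permit" outcome are constructed; obligations_passed_up walks nodes that have already been evaluated instead of evaluating policies itself.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Obligation:
    obligation_id: str
    fulfill_on: str                    # the xacml:FulfillOn attribute: "Permit" or "Deny"

@dataclass
class Evaluated:
    """A policy or policy set after evaluation (hypothetical model, not a schema type).
    decision is None for a node the PDP never evaluated."""
    name: str
    decision: Optional[str]
    obligations: List[Obligation] = field(default_factory=list)
    children: List["Evaluated"] = field(default_factory=list)

def obligations_passed_up(node: Evaluated) -> List[Obligation]:
    """Section 7.11: a node passes up its own obligations whose FulfillOn equals its
    decision, plus whatever its children pass up, but only from children whose decision
    equals the node's own. Unevaluated, NotApplicable and Indeterminate nodes pass up
    nothing, so an obligation survives only along a path of identical effects."""
    if node.decision not in ("Permit", "Deny"):
        return []
    passed = [o for o in node.obligations if o.fulfill_on == node.decision]
    for child in node.children:
        if child.decision == node.decision:
            passed.extend(obligations_passed_up(child))
    return passed

def pep_obligations(decision: str, obligations: List[Obligation],
                    understood: Set[str]) -> Tuple[List[str], List[str]]:
    """PEP side of Section 7.11: on "Permit" the PEP is responsible for every obligation,
    on "Deny" only for the ones it understands. Returns (ids to fulfil, ids not understood);
    a non-empty second list on "Permit" means the PEP cannot discharge its responsibility."""
    ids = [o.obligation_id for o in obligations]
    unknown = [i for i in ids if i not in understood]
    if decision == "Deny":
        return [i for i in ids if i in understood], unknown
    return ids, unknown

def build_demo_tree() -> Evaluated:
    """Constructed evaluation tree; the root's combining algorithm is assumed to have
    yielded "Permit" despite the denying child."""
    audit = Obligation("urn:example:obligation:audit-log", "Permit")
    notify = Obligation("urn:example:obligation:notify-owner", "Permit")
    explain = Obligation("urn:example:obligation:explain-denial", "Deny")
    return Evaluated("root", "Permit", [audit, explain], children=[
        Evaluated("clinical", "Permit", [notify], children=[
            Evaluated("emergency", "NotApplicable", [notify]),   # contributes nothing
        ]),
        Evaluated("billing", "Deny", [explain]),    # effect differs from the root: dropped
        Evaluated("legacy", None, [audit]),         # never evaluated: dropped
    ])
```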
7.12 Unsupported functionality
If the PDP attempts to evaluate a policy set or policy that contains an optional element type or feature that the PDP does not support, then the PDP SHALL return a <Decision> value of "Indeterminate". If a <StatusCode> element is also returned, then its value SHALL be "urn:oasis:names:tc:xacml:1.0:status:syntax-error" in the case of an unsupported element type, and "urn:oasis:names:tc:xacml:1.0:status:processing-error" in the case of an unsupported feature.
7.13 Syntax and type errors
If a policy that contains invalid syntax is evaluated by the XACML PDP at the time a decision request is received, then the result of that policy SHALL be "Indeterminate" with a StatusCode value of "urn:oasis:names:tc:xacml:1.0:status:syntax-error".
If a policy that contains invalid static data-types is evaluated by the XACML PDP at the time a decision request is received, then the result of that policy SHALL be "Indeterminate" with a StatusCode value of "urn:oasis:names:tc:xacml:1.0:status:processing-error".
8 XACML extensibility points (non-normative)
This section describes the points within the XACML model and schema where extensions can be added.
8.1 Extensible XML attribute types
The following XML attributes have values that are URIs. These may be extended by the creation of new URIs associated with new semantics for these attributes.
AttributeId
AttributeValue
DataType
FunctionId
MatchId
ObligationId
PolicyCombiningAlgId
RuleCombiningAlgId
StatusCode
SubjectCategory
See Section 5 for definitions of these attribute types.
8.2 Structured attributes
An XACML <AttributeValue> element MAY contain an instance of a structured XML data-type. Section A.3 describes a number of standard techniques to identify data items within such a structured attribute. Listed here are some additional techniques that require XACML extensions.
1. For a given structured data-type, a community of XACML users MAY define new attribute identifiers for each leaf sub-element of the structured data-type that has a type conformant with one of the XACML-defined primitive data-types. Using these new attribute identifiers, the PEPs or context handlers used by that community of users can flatten instances of the structured data-type into a sequence of individual <Attribute> elements. Each such <Attribute> element can be compared using the XACML-defined functions. Using this method, the structured data-type itself never appears in an <AttributeValue> element.
2. A community of XACML users MAY define a new function that can be used to compare a value of the structured data-type against some other value. This method may only be used by PDPs that support the new function.
9 Security and privacy considerations (non-normative)
This section identifies possible security and privacy compromise scenarios that should be considered when implementing an XACML-based system. The section is informative only. It is left to the implementer to decide whether these compromise scenarios are practical in their environment and to select appropriate safeguards.
9.1 Threat model
We assume here that the adversary has access to the communication channel between the XACML actors and is able to interpret, insert, delete and modify messages or parts of messages.
Additionally, an actor may use information from a former transaction maliciously in subsequent transactions. It is further assumed that rules and policies are only as reliable as the actors that create and use them. Thus, it is incumbent on each actor to establish appropriate trust in the other actors upon which it relies. Mechanisms for trust establishment are outside the scope of this specification.
The messages that are transmitted between the actors in the XACML model are susceptible to attack by malicious third parties. Other points of vulnerability include the PEP, the PDP and the PAP. While some of these entities are not strictly within the scope of this specification, their compromise could lead to the compromise of access control enforced by the PEP.
It should be noted that there are other components of a distributed system that may be compromised, such as an operating system and the domain-name system (DNS), that are outside the scope of this discussion of threat models. Compromise in these components may also lead to a policy violation.
The following sections detail specific compromise scenarios that may be relevant to an XACML system.
9.1.1 Unauthorized disclosure
XACML does not specify any inherent mechanisms for confidentiality of the messages exchanged between actors. Therefore, an adversary could observe the messages in transit. Under certain security policies, disclosure of this information is a violation. Disclosure of attributes or the types of decision requests that a subject submits may be a breach of privacy policy. In the commercial sector, the consequences of unauthorized disclosure of personal data may range from embarrassment to the custodian to imprisonment and large fines in the case of medical or financial data.
Unauthorized disclosure is addressed by confidentiality mechanisms.
9.1.2 Message replay
A message replay attack is one in which the adversary records and replays legitimate messages between XACML actors. This attack may lead to denial of service, the use of out-of-date information or impersonation.
Prevention of replay attacks requires the use of message freshness mechanisms.
Note that encryption of the message does not mitigate a replay attack, since the message is just replayed and does not have to be understood by the adversary.
9.1.3 Message insertion
A message insertion attack is one in which the adversary inserts messages in the sequence of messages between XACML actors.
The solution to a message insertion attack is to use mutual authentication and a message sequence integrity mechanism between the actors. It should be noted that just using SSL mutual authentication is not sufficient. This only proves that the other party is the one identified by the subject of the X.509 certificate. In order to be effective, it is necessary to confirm that the certificate subject is authorized to send the message.
9.1.4 Message deletion
A message deletion attack is one in which the adversary deletes messages in the sequence of messages between XACML actors. Message deletion may lead to denial of service. However, a properly designed XACML system should not render an incorrect authorization decision as a result of a message deletion attack.
The solution to a message deletion attack is to use a message integrity mechanism between the actors.
9.1.5 Message modification
If an adversary can intercept a message and change its contents, then they may be able to alter an authorization decision. Message integrity mechanisms can prevent a successful message modification attack.
9.1.6 NotApplicable results
A result of "NotApplicable" means that the PDP did not have a policy whose target matched the information in the decision request. In general, we highly recommend using a default-deny policy, so that when a PDP would have returned "NotApplicable", a result of "Deny" is returned instead.
In some security models, however, such as is common in many Web Servers, a result of "NotApplicable" is treated as equivalent to "Permit". There are particular security considerations that must be taken into account for this to be safe. These are explained in the following paragraphs.
If "NotApplicable" is to be treated as "Permit", it is vital that the matching algorithms used by the policy to match elements in the decision request are closely aligned with the data syntax used by the applications that will be submitting the decision request. A failure to match will be treated as "Permit", so an unintended failure to match may allow unintended access.
A common example of this is a Web Server. Commercial http responders allow a variety of syntaxes to be treated equivalently. The "%" character can be used to represent characters by hex value. The URL path provides multiple ways of specifying the same value. Multiple character sets may be permitted, and in some cases the same printed character can be represented by different binary values. Unless the matching algorithm used by the policy is sophisticated enough to catch these variations, unintended access may be permitted.
It is safe to treat "NotApplicable" as "Permit" only in a closed environment, where all applications that formulate a decision request can be guaranteed to use the exact syntax expected by the policies used by the PDP. In a more open environment, where decision requests may be received from applications that may use any legal syntax, it is strongly recommended that "NotApplicable" NOT be treated as "Permit", unless matching rules have been very carefully designed to match all possible applicable inputs, regardless of syntax or type variations.
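The web-server case above as an added example, not code from the specification or from any server: a constructed PDP with one deny target and one permit target, both given as path prefixes, is driven first through a literal matcher and then through a matcher that canonicalizes the path the way the responder is assumed to (a single %xx decode and dot-segment collapse), under both mappings of "NotApplicable".

```python
import posixpath
from urllib.parse import unquote

# Constructed policy for the demo: one deny target and one permit target, both expressed
# as path prefixes. Any request that neither target matches is "NotApplicable".
DENY_PREFIX = "/admin/"
PERMIT_PREFIX = "/public/"
NOT_APPLICABLE = "NotApplicable"

def exact_match(path: str, prefix: str) -> bool:
    """Literal comparison on the raw request path: the matcher the text warns about."""
    return path.startswith(prefix)

def normalize(path: str) -> str:
    """Canonical form that, by assumption, mirrors what the http responder does before
    routing: decode %xx escapes once, then collapse "." and ".." segments and repeated
    slashes. The PDP must normalize exactly as the application does; decoding more or
    fewer times than the responder reintroduces the mismatch."""
    decoded = unquote(path)
    canon = posixpath.normpath(decoded)
    if decoded.endswith("/") and not canon.endswith("/"):
        canon += "/"                   # normpath strips the trailing slash of a directory
    return canon

def normalized_match(path: str, prefix: str) -> bool:
    """Match against the canonical path, so encoded or dotted spellings of a protected
    location still hit the deny target."""
    canon = normalize(path)
    return canon.startswith(prefix) or canon == prefix.rstrip("/")

def pdp_decide(path: str, matcher) -> str:
    """Constructed PDP: the deny target is checked first, then the permit target."""
    if matcher(path, DENY_PREFIX):
        return "Deny"
    if matcher(path, PERMIT_PREFIX):
        return "Permit"
    return NOT_APPLICABLE

def pep_decide(path: str, matcher, not_applicable_as_permit: bool) -> str:
    """PEP mapping of NotApplicable: the web-server convention (treat as Permit) versus
    the default-deny the text recommends."""
    decision = pdp_decide(path, matcher)
    if decision == NOT_APPLICABLE:
        return "Permit" if not_applicable_as_permit else "Deny"
    return decision
```

The `/public/../admin/users` case shows that default-deny alone does not rescue a literal matcher: the raw path satisfies the permit target, so the request never reaches the "NotApplicable" branch at all.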
9.1.7 Negative rules
A negative rule is one that is based on a predicate not being "True". If not used with care, negative rules can lead to policy violation; therefore, some authorities recommend that they not be used. However, negative rules can be extremely efficient in certain cases, so XACML has chosen to include them. Nevertheless, it is recommended that they be used with care and avoided if possible.
A common use for negative rules is to deny access to an individual or subgroup when their membership in a larger group would otherwise permit them access. For example, we might want to write a rule that allows all Vice Presidents to see the unpublished financial data, except for Joe, who is only a Ceremonial Vice President and can be indiscreet in his communications. If we have complete control of the administration of subject attributes, a superior approach would be to define "Vice President" and "Ceremonial Vice President" as distinct groups and then define rules accordingly. However, in some environments this approach may not be feasible. (It is worth noting in passing that, generally speaking, referring to individuals in rules does not scale well. Generally, shared attributes are preferred.)
If not used with care, negative rules can lead to policy violation in two common cases. They are when attributes are suppressed and when the base group changes. An example of suppressed attributes would be if we have a policy that access should be permitted unless the subject is a credit risk. If it is possible that the attribute of being a credit risk may be unknown to the PDP for some reason, then unauthorized access may be permitted. In some environments, the subject may be able to suppress the publication of attributes by the application of privacy controls, or the server or repository that contains the information may be unavailable for accidental or intentional reasons.
An example of a changing base group would be if there is a policy that everyone in the engineering department may change software source code, except for secretaries. Suppose now that the department was to merge with another engineering department, and the intent is to maintain the same policy. However, the new department also includes individuals identified as administrative assistants, who ought to be treated in the same way as secretaries. Unless the policy is altered, they will unintentionally be permitted to change software source code. Problems of this type are easy to avoid when one individual administers all policies, but when administration is distributed, as XACML allows, this type of situation must be explicitly guarded against.
9.2 Safeguards
9.2.1 Authentication
Authentication provides the means for one party in a transaction to determine the identity of the other party in the transaction. Authentication may be in one direction, or it may be bilateral.
Given the sensitive nature of access control systems, it is important for a PEP to authenticate the identity of the PDP to which it sends decision requests. Otherwise, there is a risk that an adversary could provide false or invalid authorization decisions, leading to a policy violation.
It is equally important for a PDP to authenticate the identity of the PEP and assess the level of trust to determine what, if any, sensitive data should be passed. One should keep in mind that even simple "Permit" or "Deny" responses could be exploited if an adversary were allowed to make unlimited requests to a PDP.
Many different techniques may be used to provide authentication, such as co-located code, a private network, a VPN or digital signatures. Authentication may also be performed as part of the communication protocol used to exchange the contexts. In this case, authentication may be performed at the message level or at the session level.
9.2.2 Policy administration
If the contents of policies are exposed outside of the access control system, potential subjects may use this information to determine how to gain unauthorized access.
To prevent this threat, the repository used for the storage of policies may itself require access control. In addition, the <Status> element should be used to return values of missing attributes only when exposure of the identities of those attributes will not compromise security.
9.2.3 Confidentiality
Confidentiality mechanisms ensure that the contents of a message can be read only by the desired recipients, and not by anyone else who encounters the message while it is in transit. There are two areas in which confidentiality should be considered: one is confidentiality during transmission; the other is confidentiality within a <Policy> element.
9.2.3.1 Communication confidentiality
In some environments it is deemed good practice to treat all data within an access control system as confidential. In other environments, policies may be made freely available for distribution, inspection and audit. The idea behind keeping policy information secret is to make it more difficult for an adversary to know what steps might be sufficient to obtain unauthorized access. Regardless of the approach chosen, the security of the access control system should not depend on the secrecy of the policy.
Any security concerns or requirements related to transmitting or exchanging XACML <Policy> elements are outside the scope of the XACML standard. While it is often important to ensure that the integrity and confidentiality of <Policy> elements is maintained when they are exchanged between two parties, it is left to the implementers to determine the appropriate mechanisms for their environment.
Communications confidentiality can be provided by a confidentiality mechanism, such as SSL. Using a point-to-point scheme like SSL may lead to other vulnerabilities when one of the end-points is compromised.
9.2.3.2 Statement level confidentiality
In some cases, an implementation may want to encrypt only parts of an XACML <Policy> element.
The XML Encryption Syntax and Processing Candidate Recommendation from W3C can be used to encrypt all or parts of an XML document. This specification is recommended for use with XACML.
It should go without saying that if a repository is used to facilitate the communication of cleartext (i.e. unencrypted) policy between the PAP and PDP, then a secure repository should be used to store this sensitive data.
9.2.4 Policy integrity
The XACML policy used by the PDP to evaluate the request context is the heart of the system. Therefore, maintaining its integrity is essential. There are two aspects to maintaining the integrity of the policy. One is to ensure that <Policy> elements have not been altered since they were originally created by the PAP. The other is to ensure that <Policy> elements have not been inserted or deleted from the set of policies.
In many cases, both aspects can be achieved by ensuring the integrity of the actors and implementing session-level mechanisms to secure the communication between actors. The selection of the appropriate mechanisms is left to the implementers. However, when policy is distributed between organizations to be acted on at a later time, or when the policy travels with the protected resource, it would be useful to sign the policy. In these cases, the XML Signature Syntax and Processing standard from W3C is recommended to be used with XACML.
Digital signatures should only be used to ensure the integrity of the statements. Digital signatures should not be used as a method of selecting or evaluating policy. That is, the PDP should not request a policy based on who signed it or whether or not it has been signed (as such a basis for selection would itself be a matter of policy). However, the PDP must verify that the key used to sign the policy is one controlled by the purported issuer of the policy. The means to do this are dependent on the specific signature technology chosen and are outside the scope of this document.
9.2.5 Policy identifiers
Since policies can be referenced by their identifiers, it is the responsibility of the PAP to ensure that these are unique. Confusion between identifiers could lead to misidentification of the applicable policy. This specification is silent on whether a PAP must generate a new identifier when a policy is modified, or may use the same identifier in the modified policy. This is a matter of administrative practice. However, care must be taken in either case. If the identifier is reused, there is a danger that other policies or policy sets that reference it may be adversely affected. Conversely, if a new identifier is used, these other policies may continue to use the prior policy unless it is deleted. In either case, the results may not be what the policy administrator intends.
oasis--xacml-11pdf 83
9.2.6 Trust model
Discussions of authentication, integrity and confidentiality mechanisms necessarily assume an underlying trust model: how can one actor come to believe that a given key is uniquely associated with a specific, identified actor, so that the key can be used to encrypt data for that actor or verify signatures (or other integrity structures) from that actor? Many different types of trust model exist, including strict hierarchies, distributed authorities, the Web, the bridge and so on.
It is worth considering the relationships between the various actors of the access control system in terms of the interdependencies that do and do not exist.
None of the entities of the authorization system are dependent on the PEP. They may collect data from it, for example authentication, but are responsible for verifying it.
The correct operation of the system depends on the ability of the PEP to actually enforce policy decisions.
The PEP depends on the PDP to correctly evaluate policies. This, in turn, implies that the PDP is supplied with the correct inputs. Other than that, the PDP does not depend on the PEP.
The PDP depends on the PAP to supply appropriate policies. The PAP is not dependent on other components.
9.2.7 Privacy
It is important to be aware that any transactions that occur with respect to access control may reveal private information about the actors. For example, if an XACML policy states that certain data may only be read by subjects with "Gold Card Member" status, then any transaction in which a subject is permitted access to that data leaks information to an adversary about the subject's status. Privacy considerations may therefore lead to encryption and/or to access control policies surrounding the enforcement of XACML policy instances themselves: confidentiality-protected channels for the request/response protocol messages, protection of subject attributes in storage and in transit, and so on.
Selection and use of privacy mechanisms appropriate to a given environment are outside the scope of XACML. The decision regarding whether, how and when to deploy such mechanisms is left to the implementers associated with the environment.
10 Conformance (normative)
10.1 Introduction
The XACML specification addresses the following aspect of conformance:
The XACML specification defines a number of functions, etc., that have somewhat specialist application; therefore, they are not required to be implemented in an implementation that claims to conform with the OASIS standard.
10.2 Conformance tables
This section lists those portions of the specification that MUST be included in an implementation of a PDP that claims to conform with XACML v1.0. A set of test cases has been created to assist in this process. These test cases are hosted by Sun Microsystems and can be located from the XACML Web page. The site hosting the test cases contains a full description of the test cases and how to execute them.
Note: M means mandatory-to-implement; O means optional.
10.2.1 Schema elements
The implementation MUST support those schema elements that are marked "M".
Element name                              M/O
xacml-context:Action                      M
xacml-context:Attribute                   M
xacml-context:AttributeValue              M
xacml-context:Decision                    M
xacml-context:Environment                 M
xacml-context:Obligations                 O
xacml-context:Request                     M
xacml-context:Resource                    M
xacml-context:ResourceContent             O
xacml-context:Response                    M
xacml-context:Result                      M
xacml-context:Status                      M
xacml-context:StatusCode                  M
xacml-context:StatusDetail                O
xacml-context:StatusMessage               O
xacml-context:Subject                     M
xacml:Action                              M
xacml:ActionAttributeDesignator           M
xacml:ActionMatch                         M
xacml:Actions                             M
xacml:AnyAction                           M
xacml:AnyResource                         M
xacml:AnySubject                          M
xacml:Apply                               M
xacml:AttributeAssignment                 O
xacml:AttributeSelector                   O
xacml:AttributeValue                      M
xacml:Condition                           M
xacml:Description                         M
xacml:EnvironmentAttributeDesignator      M
xacml:Function                            M
xacml:Obligation                          O
xacml:Obligations                         O
xacml:Policy                              M
xacml:PolicyDefaults                      O
xacml:PolicyIdReference                   M
xacml:PolicySet                           M
xacml:PolicySetDefaults                   O
xacml:PolicySetIdReference                M
xacml:Resource                            M
xacml:ResourceAttributeDesignator         M
xacml:ResourceMatch                       M
xacml:Resources                           M
xacml:Rule                                M
xacml:Subject                             M
xacml:SubjectMatch                        M
xacml:Subjects                            M
xacml:Target                              M
xacml:XPathVersion                        O
10.2.2 Identifier prefixes
The following identifier prefixes are reserved by XACML:
Identifier
urn:oasis:names:tc:xacml:1.0
urn:oasis:names:tc:xacml:1.0:conformance-test
urn:oasis:names:tc:xacml:1.0:context
urn:oasis:names:tc:xacml:1.0:example
urn:oasis:names:tc:xacml:1.0:function
urn:oasis:names:tc:xacml:1.0:policy
urn:oasis:names:tc:xacml:1.0:subject
urn:oasis:names:tc:xacml:1.0:resource
urn:oasis:names:tc:xacml:1.0:action
10.2.3 Algorithms
The implementation MUST include the rule- and policy-combining algorithms associated with the following identifiers that are marked "M":
Algorithm  M/O
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides  M
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides  M
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides  M
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides  M
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable  M
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable  M
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable  M
urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-deny-overrides
urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-deny-overrides
urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides
urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides
10.2.4 Status codes
Implementation support for the urn:oasis:names:tc:xacml:1.0:context:status element is optional, but if the element is supported, then the following status codes must be supported and must be used in the way XACML has specified.
Identifier  M/O
urn:oasis:names:tc:xacml:1.0:status:missing-attribute  M
urn:oasis:names:tc:xacml:1.0:status:ok  M
urn:oasis:names:tc:xacml:1.0:status:processing-error  M
urn:oasis:names:tc:xacml:1.0:status:syntax-error  M
10.2.5 Attributes
The implementation MUST support the attributes associated with the following attribute identifiers as specified by XACML. If values for these attributes are not present in the decision request, then their values MUST be supplied by the PDP. So, unlike most other attributes, their semantics are not transparent to the PDP.
Identifier  M/O
urn:oasis:names:tc:xacml:1.0:environment:current-time  M
urn:oasis:names:tc:xacml:1.0:environment:current-date  M
urn:oasis:names:tc:xacml:1.0:environment:current-dateTime  M
10.2.6 Identifiers
The implementation MUST use the attributes associated with the following identifiers in the way XACML has defined. This requirement pertains primarily to implementations of a PAP or PEP that use XACML, since the semantics of the attributes are transparent to the PDP.
Identifier  M/O
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name  O
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address  O
urn:oasis:names:tc:xacml:1.0:subject:authentication-method  O
urn:oasis:names:tc:xacml:1.0:subject:authentication-time  O
urn:oasis:names:tc:xacml:1.0:subject:key-info  O
urn:oasis:names:tc:xacml:1.0:subject:request-time  O
urn:oasis:names:tc:xacml:1.0:subject:session-start-time  O
urn:oasis:names:tc:xacml:1.0:subject:subject-id  O
urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier  O
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject  M
urn:oasis:names:tc:xacml:1.0:subject-category:codebase  O
urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject  O
urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject  O
urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine  O
urn:oasis:names:tc:xacml:1.0:resource:resource-location  O
urn:oasis:names:tc:xacml:1.0:resource:resource-id  M
urn:oasis:names:tc:xacml:1.0:resource:scope  O
urn:oasis:names:tc:xacml:1.0:resource:simple-file-name  O
urn:oasis:names:tc:xacml:1.0:action:action-id  M
urn:oasis:names:tc:xacml:1.0:action:implied-action  M
10.2.7 Data-types
The implementation MUST support the data-types associated with the following identifiers marked "M".
Data-type  M/O
http://www.w3.org/2001/XMLSchema#string  M
http://www.w3.org/2001/XMLSchema#boolean  M
http://www.w3.org/2001/XMLSchema#integer  M
http://www.w3.org/2001/XMLSchema#double  M
http://www.w3.org/2001/XMLSchema#time  M
http://www.w3.org/2001/XMLSchema#date  M
http://www.w3.org/2001/XMLSchema#dateTime  M
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration  M
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration  M
http://www.w3.org/2001/XMLSchema#anyURI  M
http://www.w3.org/2001/XMLSchema#hexBinary  M
http://www.w3.org/2001/XMLSchema#base64Binary  M
urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name  M
urn:oasis:names:tc:xacml:1.0:data-type:x500Name  M
10.2.8 Functions
The implementation MUST properly process those functions associated with the identifiers marked with an "M".
Function  M/O
urn:oasis:names:tc:xacml:1.0:function:string-equal  M
urn:oasis:names:tc:xacml:1.0:function:boolean-equal  M
urn:oasis:names:tc:xacml:1.0:function:integer-equal  M
urn:oasis:names:tc:xacml:1.0:function:double-equal  M
urn:oasis:names:tc:xacml:1.0:function:date-equal  M
urn:oasis:names:tc:xacml:1.0:function:time-equal  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-equal  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-equal  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-equal  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-equal  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-equal  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-equal  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-equal  M
urn:oasis:names:tc:xacml:1.0:function:integer-add  M
urn:oasis:names:tc:xacml:1.0:function:double-add  M
urn:oasis:names:tc:xacml:1.0:function:integer-subtract  M
urn:oasis:names:tc:xacml:1.0:function:double-subtract  M
urn:oasis:names:tc:xacml:1.0:function:integer-multiply  M
urn:oasis:names:tc:xacml:1.0:function:double-multiply  M
urn:oasis:names:tc:xacml:1.0:function:integer-divide  M
urn:oasis:names:tc:xacml:1.0:function:double-divide  M
urn:oasis:names:tc:xacml:1.0:function:integer-mod  M
urn:oasis:names:tc:xacml:1.0:function:integer-abs  M
urn:oasis:names:tc:xacml:1.0:function:double-abs  M
urn:oasis:names:tc:xacml:1.0:function:round  M
urn:oasis:names:tc:xacml:1.0:function:floor  M
urn:oasis:names:tc:xacml:1.0:function:string-normalize-space  M
urn:oasis:names:tc:xacml:1.0:function:string-normalize-to-lower-case  M
urn:oasis:names:tc:xacml:1.0:function:double-to-integer  M
urn:oasis:names:tc:xacml:1.0:function:integer-to-double  M
urn:oasis:names:tc:xacml:1.0:function:or  M
urn:oasis:names:tc:xacml:1.0:function:and  M
urn:oasis:names:tc:xacml:1.0:function:n-of  M
urn:oasis:names:tc:xacml:1.0:function:not  M
urn:oasis:names:tc:xacml:1.0:function:present  M
urn:oasis:names:tc:xacml:1.0:function:integer-greater-than  M
urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:integer-less-than  M
urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:double-greater-than  M
urn:oasis:names:tc:xacml:1.0:function:double-greater-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:double-less-than  M
urn:oasis:names:tc:xacml:1.0:function:double-less-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-add-dayTimeDuration  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-add-yearMonthDuration  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-subtract-dayTimeDuration  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-subtract-yearMonthDuration  M
urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration  M
urn:oasis:names:tc:xacml:1.0:function:date-subtract-yearMonthDuration  M
urn:oasis:names:tc:xacml:1.0:function:string-greater-than  M
urn:oasis:names:tc:xacml:1.0:function:string-greater-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:string-less-than  M
urn:oasis:names:tc:xacml:1.0:function:string-less-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:time-greater-than  M
urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:time-less-than  M
urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:date-greater-than  M
urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:date-less-than  M
urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal  M
urn:oasis:names:tc:xacml:1.0:function:string-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:string-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:string-is-in  M
urn:oasis:names:tc:xacml:1.0:function:string-bag  M
urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:boolean-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:boolean-is-in  M
urn:oasis:names:tc:xacml:1.0:function:boolean-bag  M
urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:integer-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:integer-is-in  M
urn:oasis:names:tc:xacml:1.0:function:integer-bag  M
urn:oasis:names:tc:xacml:1.0:function:double-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:double-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:double-is-in  M
urn:oasis:names:tc:xacml:1.0:function:double-bag  M
urn:oasis:names:tc:xacml:1.0:function:time-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:time-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:time-is-in  M
urn:oasis:names:tc:xacml:1.0:function:time-bag  M
urn:oasis:names:tc:xacml:1.0:function:date-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:date-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:date-is-in  M
urn:oasis:names:tc:xacml:1.0:function:date-bag  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-is-in  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-bag  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-bag  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-is-in  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-bag  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-is-in  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-bag  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-is-in  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-bag  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-is-in  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-bag  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-is-in  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-bag  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-one-and-only  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-bag-size  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-is-in  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-bag  M
urn:oasis:names:tc:xacml:1.0:function:any-of  M
urn:oasis:names:tc:xacml:1.0:function:all-of  M
urn:oasis:names:tc:xacml:1.0:function:any-of-any  M
urn:oasis:names:tc:xacml:1.0:function:all-of-any  M
urn:oasis:names:tc:xacml:1.0:function:any-of-all  M
urn:oasis:names:tc:xacml:1.0:function:all-of-all  M
urn:oasis:names:tc:xacml:1.0:function:map  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-match  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match  M
urn:oasis:names:tc:xacml:1.0:function:regexp-string-match  M
urn:oasis:names:tc:xacml:1.0:function:xpath-node-count  O
urn:oasis:names:tc:xacml:1.0:function:xpath-node-equal  O
urn:oasis:names:tc:xacml:1.0:function:xpath-node-match  O
urn:oasis:names:tc:xacml:1.0:function:string-intersection  M
urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:string-union  M
urn:oasis:names:tc:xacml:1.0:function:string-subset  M
urn:oasis:names:tc:xacml:1.0:function:string-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:boolean-intersection  M
urn:oasis:names:tc:xacml:1.0:function:boolean-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:boolean-union  M
urn:oasis:names:tc:xacml:1.0:function:boolean-subset  M
urn:oasis:names:tc:xacml:1.0:function:boolean-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:integer-intersection  M
urn:oasis:names:tc:xacml:1.0:function:integer-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:integer-union  M
urn:oasis:names:tc:xacml:1.0:function:integer-subset  M
urn:oasis:names:tc:xacml:1.0:function:integer-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:double-intersection  M
urn:oasis:names:tc:xacml:1.0:function:double-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:double-union  M
urn:oasis:names:tc:xacml:1.0:function:double-subset  M
urn:oasis:names:tc:xacml:1.0:function:double-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:time-intersection  M
urn:oasis:names:tc:xacml:1.0:function:time-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:time-union  M
urn:oasis:names:tc:xacml:1.0:function:time-subset  M
urn:oasis:names:tc:xacml:1.0:function:time-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:date-intersection  M
urn:oasis:names:tc:xacml:1.0:function:date-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:date-union  M
urn:oasis:names:tc:xacml:1.0:function:date-subset  M
urn:oasis:names:tc:xacml:1.0:function:date-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-intersection  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-union  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-subset  M
urn:oasis:names:tc:xacml:1.0:function:dateTime-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-intersection  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-union  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-subset  M
urn:oasis:names:tc:xacml:1.0:function:anyURI-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-intersection  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-union  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-subset  M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-intersection  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-union  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-subset  M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-intersection  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-union  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-subset  M
urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-intersection  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-union  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-subset  M
urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-intersection  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-union  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-subset  M
urn:oasis:names:tc:xacml:1.0:function:x500Name-set-equals  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-intersection  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-at-least-one-member-of  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-union  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-subset  M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-set-equals  M
11 References
[DS] D. Eastlake et al., XML-Signature Syntax and Processing, http://www.w3.org/TR/xmldsig-core/, World Wide Web Consortium.
[Hancock] Hancock, Polymorphic Type Checking, in Simon L. Peyton Jones, Implementation of Functional Programming Languages, Section 8, Prentice-Hall International, 1987.
[Haskell] Haskell, a purely functional language. Available at http://www.haskell.org/
[Hinton94] Hinton, H. M., Lee, E. S., The Compatibility of Policies, Proceedings 2nd ACM Conference on Computer and Communications Security, Nov. 1994, Fairfax, Virginia, USA.
[IEEE754] IEEE Standard for Binary Floating-Point Arithmetic, 1985, ISBN 1-5593-7653-8, IEEE Product No. SH10116-TBR.
[Kudo00] Kudo, M. and Hada, S., XML document security based on provisional authorization, Proceedings of the Seventh ACM Conference on Computer and Communications Security, Nov. 2000, Athens, Greece, pp. 87-96.
[LDAP-1] RFC2256, A summary of the X.500(96) User Schema for use with LDAPv3, Section 5, M. Wahl, December 1997, http://www.ietf.org/rfc/rfc2798.txt
[LDAP-2] RFC2798, Definition of the inetOrgPerson, M. Smith, April 2000, http://www.ietf.org/rfc/rfc2798.txt
[MathML] Mathematical Markup Language (MathML) Version 2.0, W3C Recommendation, 21 February 2001. Available at http://www.w3.org/TR/MathML2/
[Perritt93] Perritt, H., Knowbots, Permissions Headers and Contract Law, Conference on Technological Strategies for Protecting Intellectual Property in the Networked Multimedia Environment, April 1993. Available at http://www.ifla.org/documents/infopol/copyright/perh2.txt
[RBAC] Role-Based Access Controls, David Ferraiolo and Richard Kuhn, 15th National Computer Security Conference, 1992. Available at http://csrc.nist.gov/rbac/
[RegEx] XML Schema Part 0: Primer, W3C Recommendation, 2 May 2001, Appendix D. Available at http://www.w3.org/TR/xmlschema-0/
[RFC2119] S. Bradner, Key words for use in RFCs to Indicate Requirement Levels, http://www.ietf.org/rfc/rfc2119.txt, IETF RFC 2119, March 1997.
[SAML] Security Assertion Markup Language, available from http://www.oasis-open.org/committees/security/#documents
[Sloman94] Sloman, M., Policy Driven Management for Distributed Systems, Journal of Network and Systems Management, Volume 2, part 4, Plenum Press, 1994.
[XF] XQuery 1.0 and XPath 2.0 Functions and Operators, W3C Working Draft 16 August 2002. Available at http://www.w3.org/TR/2002/WD-xquery-operators-20020816/
[XS] XML Schema, parts 1 and 2. Available at http://www.w3.org/TR/xmlschema-1/ and http://www.w3.org/TR/xmlschema-2/
[XPath] XML Path Language (XPath), Version 1.0, W3C Recommendation 16 November 1999. Available at http://www.w3.org/TR/xpath
[XSLT] XSL Transformations (XSLT) Version 1.0, W3C Recommendation 16 November 1999. Available at http://www.w3.org/TR/xslt
Appendix A. Standard data-types, functions and their semantics (normative)
A.1 Introduction
This section contains a specification of the data-types and functions used in XACML to create predicates for a rule's condition and target matches.
This specification combines the various standards set forth by IEEE and ANSI for string representation of numeric values, as well as the evaluation of arithmetic functions.
This section describes the primitive data-types, bags and construction of expressions using XACML constructs. Finally, each standard function is named and its operational semantics are described.
A.2 Primitive types
Although XML instances represent all data-types as strings, an XACML PDP must reason about types of data that, while they have string representations, are not just strings. Types such as boolean, integer and double MUST be converted from their XML string representations to values that can be compared with values in their domain of discourse, such as numbers. The following primitive data-types are specified for use with XACML and have explicit data representations:
http://www.w3.org/2001/XMLSchema#string
http://www.w3.org/2001/XMLSchema#boolean
http://www.w3.org/2001/XMLSchema#integer
http://www.w3.org/2001/XMLSchema#double
http://www.w3.org/2001/XMLSchema#time
http://www.w3.org/2001/XMLSchema#date
http://www.w3.org/2001/XMLSchema#dateTime
http://www.w3.org/2001/XMLSchema#anyURI
http://www.w3.org/2001/XMLSchema#hexBinary
http://www.w3.org/2001/XMLSchema#base64Binary
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration
urn:oasis:names:tc:xacml:1.0:data-type:x500Name
urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name
A.3 Structured types
An XACML <AttributeValue> element MAY contain an instance of a structured XML data-type, for example <ds:KeyInfo>. XACML 1.0 supports several ways for comparing such <AttributeValue> elements.
1. In some cases, such an <AttributeValue> element MAY be compared using one of the XACML string functions, such as "regexp-string-match", described below. This requires that the structured data <AttributeValue> be given the DataType="http://www.w3.org/2001/XMLSchema#string". For example, a structured data-type that is actually a ds:KeyInfo/KeyName would appear in the Context as:
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">&lt;ds:KeyName&gt;jhibbert-key&lt;/ds:KeyName&gt;
</AttributeValue>
In general, this method will not be adequate unless the structured data-type is quite simple.
2. An <AttributeSelector> element MAY be used to select the value of a leaf sub-element of the structured data-type by means of an XPath expression. That value MAY then be compared using one of the supported XACML functions appropriate for its primitive data-type. This method requires support by the PDP for the optional XPath expressions feature.
3. An <AttributeSelector> element MAY be used to select the value of any node in the structured data-type by means of an XPath expression. This node MAY then be compared using one of the XPath-based functions described in Section A.14.13. This method requires support by the PDP for the optional XPath expressions and XPath functions features.
A.4 Representations
An XACML PDP SHALL be capable of converting string representations into various primitive data-types. For integers and doubles, XACML SHALL use the conversions described in [IEEE754].
This document combines the various standards set forth by IEEE and ANSI for string representation of numeric values.
XACML defines two additional data-types; these are "urn:oasis:names:tc:xacml:1.0:data-type:x500Name" and "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name". These types represent identifiers for subjects and appear in several standard applications, such as TLS/SSL and electronic mail.
The "urn:oasis:names:tc:xacml:1.0:data-type:x500Name" primitive type represents an X.500 Distinguished Name. The string representation of an X.500 distinguished name is specified in IETF RFC 2253, Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names (footnote 1).
The "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" primitive type represents electronic mail addresses, and its string representation is specified by RFC 822.
Footnote 1: An earlier RFC, RFC 1779, A String Representation of Distinguished Names, is less restrictive, so urn:oasis:names:tc:xacml:1.0:data-type:x500Name uses the syntax in RFC 2253 for better interoperability.
An RFC822 name consists of a local-part, followed by "@", followed by a domain-part. The local-part is case-sensitive, while the domain-part (which is usually a DNS host name) is not case-sensitive (footnote 2).
A.5 Bags
XACML defines implicit collections of its primitive types. XACML refers to a collection of values that are of a single primitive type as a bag. Bags of primitive types are needed because selections of nodes from an XML resource or XACML request context may return more than one value.
The <AttributeSelector> element uses an XPath expression to specify the selection of data from an XML resource. The result of an XPath expression is termed a node-set, which contains all the leaf nodes from the XML resource that match the predicate in the XPath expression. Based on the various indexing functions provided in the XPath specification, it SHALL be implied that a resultant node-set is the collection of the matching nodes. XACML also defines the <AttributeDesignator> element to have the same matching methodology for attributes in the XACML request context.
The values in a bag are not ordered, and some of the values may be duplicates. There SHALL be no notion of a bag containing bags, or a bag containing values of differing types; i.e., a bag in XACML SHALL contain only values that are of the same primitive type.
A.6 Expressions
XACML specifies expressions in terms of the following elements, of which the <Apply> and <Condition> elements recursively compose greater expressions. Valid expressions shall be type correct, which means that the types of each of the elements contained within <Apply> and <Condition> elements shall agree with the respective argument types of the function that is named by the FunctionId attribute. The resultant type of the <Apply> or <Condition> element shall be the resultant type of the function, which may be narrowed to a primitive data-type, or a bag of a primitive data-type, by type-unification. XACML defines an evaluation result of "Indeterminate", which is said to be the result of an invalid expression, or an operational error occurring during the evaluation of the expression.
XACML defines the following elements to be legal XACML expressions:
<AttributeValue>
<SubjectAttributeDesignator>
<SubjectAttributeSelector>
<ResourceAttributeDesignator>
<ActionAttributeDesignator>
<EnvironmentAttributeDesignator>
<AttributeSelector>
<Apply>
Footnote 2: According to IETF RFC822 and its successor specifications [RFC2821], case is significant in the local-part. However, many mail systems, as well as the IETF PKIX specification, treat the local-part as case-insensitive. This is considered an error by mail-system designers and is not encouraged.
<Condition>
<Function>
A.7 Element <AttributeValue>
The <AttributeValue> element SHALL represent an explicit value of a primitive type. For example:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">123</AttributeValue>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">123</AttributeValue>
</Apply>
A.8 Elements <AttributeDesignator> and <AttributeSelector>
The <AttributeDesignator> and <AttributeSelector> elements SHALL evaluate to a bag of a specific primitive type. The type SHALL be inferred from the function in which it appears. Each element SHALL contain a URI or XPath expression, respectively, to identify the required attribute values. If an operational error were to occur while finding the values, the value of the element SHALL be set to "Indeterminate". If the required attribute cannot be located, then the value of the element SHALL be set to an empty bag of the inferred primitive type.
A.9 Element <Apply>
XACML function calls are represented by the <Apply> element. The function to be applied is named in the FunctionId attribute of this element. The value of the <Apply> element SHALL be set to either a primitive data-type or a bag of a primitive type, whose data-type SHALL be inferred from the FunctionId. The arguments of a function SHALL be the values of the XACML expressions that are contained as ordered elements in an <Apply> element. The legal number of arguments within an <Apply> element SHALL depend upon the FunctionId.
A.10 Element <Condition>
The <Condition> element MAY appear in the <Rule> element as the premise for emitting the corresponding effect of the rule. The <Condition> element has the same structure as the <Apply> element, with the restriction that its result SHALL be of data-type "http://www.w3.org/2001/XMLSchema#boolean". The evaluation of the <Condition> element SHALL follow the same evaluation semantics as those of the <Apply> element.
A.11 Element <Function>
The <Function> element names a standard XACML function or an extension function in its FunctionId attribute. The <Function> element MAY be used as an argument in functions that take a function as an argument.
A.12 Matching elements
Matching elements appear in the <Target> element of rules, policies and policy sets. They are the following:
<SubjectMatch>
<ResourceMatch>
<ActionMatch>
These elements represent boolean expressions over attributes of the subject, resource and action, respectively. A matching element contains a MatchId attribute that specifies the function to be used in performing the match evaluation, an attribute value, and an <AttributeDesignator> or <AttributeSelector> element that specifies the attribute in the context that is to be matched against the specified value.
The MatchId attribute SHALL specify a function that compares two arguments, returning a result type of "http://www.w3.org/2001/XMLSchema#boolean". The attribute value specified in the matching element SHALL be supplied to the MatchId function as its first argument. An element of the bag returned by the <AttributeDesignator> or <AttributeSelector> element SHALL be supplied to the MatchId function as its second argument. The data-type of the attribute value SHALL match the data-type of the first argument expected by the MatchId function. The data-type of the <AttributeDesignator> or <AttributeSelector> element SHALL match the data-type of the second argument expected by the MatchId function.
The XACML standard functions that meet the requirements for use as a MatchId attribute value are (where type stands for one of the primitive data-types):
urn:oasis:names:tc:xacml:1.0:function:type-equal
urn:oasis:names:tc:xacml:1.0:function:type-greater-than
urn:oasis:names:tc:xacml:1.0:function:type-greater-than-or-equal
urn:oasis:names:tc:xacml:1.0:function:type-less-than
urn:oasis:names:tc:xacml:1.0:function:type-less-than-or-equal
urn:oasis:names:tc:xacml:1.0:function:type-match
In addition, functions that are strictly within an extension to XACML MAY appear as a value for the MatchId attribute, and those functions MAY use data-types that are also extensions, so long as the extension function returns a boolean result and takes an attribute value as its first argument and an <AttributeDesignator> or <AttributeSelector> as its second argument. The function used as the value for the MatchId attribute SHOULD be easily indexable. Use of non-indexable or complex functions may prevent efficient evaluation of decision requests.
The evaluation semantics for a matching element is as follows. If an operational error were to occur while evaluating the <AttributeDesignator> or <AttributeSelector> element, then the result of the entire expression SHALL be Indeterminate. If the <AttributeDesignator> or <AttributeSelector> element were to evaluate to an empty bag, then the result of the expression SHALL be False. Otherwise, the MatchId function SHALL be applied between the explicit attribute value and each element of the bag returned from the <AttributeDesignator> or <AttributeSelector> element. If at least one of those function applications were to evaluate to True, then the result of the entire expression SHALL be True. Otherwise, if at least one of the function applications results in Indeterminate, then the result SHALL be Indeterminate. Finally, only if all function applications evaluate to False, the result of the entire expression SHALL be False.
It is possible to express the semantics of a target matching element in a condition. For instance, the target match expression that compares a "subject-name" starting with the name "John" can be expressed as follows:
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
  <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
</SubjectMatch>
Alternatively, the same match semantics can be expressed as an <Apply> element in a condition by using the "urn:oasis:names:tc:xacml:1.0:function:any-of" function as follows:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match"/>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
  <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
This expression of the semantics is NOT normative.
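The A.12 evaluation semantics above, as an added Python example (not code from the specification): a constructed request context, a small model of <SubjectAttributeDesignator>, and the "John" <SubjectMatch> from the page run through the Indeterminate / empty-bag / True / Indeterminate / False ordering. Python's re module stands in for the XACML regexp-string-match function, and the "_error" context flag and the role attribute name are assumptions of this example.

```python
import re
from enum import Enum
from typing import Callable, List, Union


class Result(Enum):
    """The three outcomes a matching element (or a Condition) can produce."""
    TRUE = "True"
    FALSE = "False"
    INDETERMINATE = "Indeterminate"


# A bag is an ordered collection of values of one primitive type. A designator
# that failed with an operational error evaluates to INDETERMINATE instead.
Bag = Union[List[str], Result]

SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"


def subject_attribute_designator(context: dict, attribute_id: str) -> Bag:
    """Model of <SubjectAttributeDesignator>: every subject attribute value in
    the request context with the given AttributeId, as a bag. A missing
    attribute is an EMPTY bag, not an error. The "_error" key is a constructed
    stand-in for an operational error such as an unreachable attribute store."""
    if context.get("_error"):
        return Result.INDETERMINATE
    return [value for (aid, value) in context.get("subject", []) if aid == attribute_id]


def regexp_string_match(pattern: str, value: str) -> bool:
    """urn:oasis:names:tc:xacml:1.0:function:regexp-string-match, approximated
    with Python's re (assumption; the spec defers to XQuery regex syntax).
    The regular expression is the FIRST argument, as in the MatchId call."""
    return re.search(pattern, value) is not None


def evaluate_match(match_fn: Callable[[str, str], bool],
                   attribute_value: str, bag: Bag) -> Result:
    """A.12 evaluation semantics of <SubjectMatch>, <ResourceMatch>, <ActionMatch>."""
    # 1. An operational error in the designator/selector -> Indeterminate.
    if bag is Result.INDETERMINATE:
        return Result.INDETERMINATE
    # 2. An empty bag (attribute absent from the context) -> False.
    if not bag:
        return Result.FALSE
    # 3. Apply MatchId(attribute_value, element) to EVERY element of the bag.
    outcomes = []
    for element in bag:
        try:
            outcomes.append(Result.TRUE if match_fn(attribute_value, element)
                            else Result.FALSE)
        except (re.error, TypeError):     # a failing function application
            outcomes.append(Result.INDETERMINATE)
    # 4. One True is enough; otherwise one Indeterminate decides; else False.
    if Result.TRUE in outcomes:
        return Result.TRUE
    if Result.INDETERMINATE in outcomes:
        return Result.INDETERMINATE
    return Result.FALSE


def subject_match_john(context: dict) -> Result:
    """The page's <SubjectMatch>: regexp-string-match("John", subject-id)."""
    bag = subject_attribute_designator(context, SUBJECT_ID)
    return evaluate_match(regexp_string_match, "John", bag)


# Constructed request contexts (not from the specification).
REQ_JOHN = {"subject": [(SUBJECT_ID, "John Smith"), ("urn:example:role", "nurse")]}
REQ_MULTI = {"subject": [(SUBJECT_ID, "Jane Doe"), (SUBJECT_ID, "Johnny")]}
REQ_OTHER = {"subject": [(SUBJECT_ID, "Jane Doe")]}
REQ_NO_ID = {"subject": [("urn:example:role", "nurse")]}
REQ_BROKEN = {"_error": True}

if __name__ == "__main__":
    for name, ctx in [("john", REQ_JOHN), ("multi", REQ_MULTI), ("other", REQ_OTHER),
                      ("no-id", REQ_NO_ID), ("broken", REQ_BROKEN)]:
        print(f"{name:7s} -> {subject_match_john(ctx).value}")
```

Note the asymmetry a policy author relies on: an attribute that is simply absent yields False (the rule does not apply), whereas a failure to retrieve it yields Indeterminate, which the combining algorithm then has to handle.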
A.13 Arithmetic evaluation
IEEE 754 [IEEE 754] specifies how to evaluate arithmetic functions in a context, which specifies defaults for precision, rounding, etc. XACML SHALL use this specification for the evaluation of all integer and double functions, relying on the Extended Default Context enhanced with double precision:
flags - all set to 0
trap-enablers - all set to 0 (IEEE 854 §7), with the exception of the "division-by-zero" trap enabler, which SHALL be set to 1
precision - is set to the designated double precision
rounding - is set to round-half-even (IEEE 854 §4.1)
A.14 XACML standard functions
XACML specifies the following functions, which are prefixed with the "urn:oasis:names:tc:xacml:1.0:function:" relative name-space identifier.
A.14.1 Equality predicates
The following functions are the equality functions for the various primitive types. Each function for a particular data-type follows a specified standard convention for that data-type. If an argument of one of these functions were to evaluate to Indeterminate, then the function SHALL be set to Indeterminate.
string-equal
This function SHALL take two arguments of "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". The function SHALL return True if and only if the values of both of its arguments are of equal length and each string is determined to be equal byte-by-byte according to the function "integer-equal".
boolean-equal
This function SHALL take two arguments of "http://www.w3.org/2001/XMLSchema#boolean" and SHALL return True if and only if both values are equal.
integer-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#integer" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation on integers according to IEEE 754 [IEEE 754].
double-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#double" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation on doubles according to IEEE 754 [IEEE 754].
date-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#date" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation according to the "op:date-equal" function [XF Section 8.3.11].
time-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#time" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation according to the "op:time-equal" function [XF Section 8.3.14].
dateTime-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#dateTime" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation according to the "op:dateTime-equal" function [XF Section 8.3.8].
dayTimeDuration-equal
This function SHALL take two arguments of data-type "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL perform its evaluation according to the "op:dayTimeDuration-equal" function [XF Section 8.3.5]. Note that the lexical representation of each argument MUST be converted to a value expressed in fractional seconds [XF Section 8.2.2].
yearMonthDuration-equal
This function SHALL take two arguments of data-type "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL perform its evaluation according to the "op:yearMonthDuration-equal" function [XF Section 8.3.2]. Note that the lexical representation of each argument MUST be converted to a value expressed in integer months [XF Section 8.2.1].
anyURI-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#anyURI" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL perform its evaluation according to the "op:anyURI-equal" function [XF Section 10.2.1].
x500Name-equal
This function SHALL take two arguments of "urn:oasis:names:tc:xacml:1.0:data-type:x500Name" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return "True" if and only if each Relative Distinguished Name (RDN) in the two arguments matches. Two RDNs SHALL be said to match if and only if the result of the following operations is "True" [3]:
1. Normalize the two arguments according to IETF RFC 2253, "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names".
2. If any RDN contains multiple attributeTypeAndValue pairs, re-order the AttributeValuePairs in that RDN in ascending order when compared as octet strings (described in ITU-T Rec. X.690 (1997 E), Section 11.6, "Set-of components").
3. Compare RDNs using the rules in IETF RFC 3280, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", Section 4.1.2.4, "Issuer".
rfc822Name-equal
This function SHALL take two arguments of data-type "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL determine whether two "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" arguments are equal. An RFC 822 name consists of a local-part, followed by "@", followed by a domain-part. The local-part is case-sensitive, while the domain-part (which is usually a DNS host name) is not case-sensitive. Perform the following operations:
1. Normalize the domain-part of each argument to lower case.
2. Compare the expressions by applying the function "urn:oasis:names:tc:xacml:1.0:function:string-equal" to the normalized arguments.
[3] ITU-T Rec. X.520 contains rules for matching X.500 names, but these are very complex and require knowledge of the syntax of various AttributeTypes. IETF RFC 3280 contains simplified matching rules that the XACML x500Name-equal function uses.
hexBinary-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#hexBinary" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL return True if the octet sequences represented by the value of both arguments have equal length and are equal in a conjunctive point-wise comparison using the "urn:oasis:names:tc:xacml:1.0:function:integer-equal". The conversion from the string representation to an octet sequence SHALL be as specified in [XS Section 8.2.15].
base64Binary-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#base64Binary" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL return True if the octet sequences represented by the value of both arguments have equal length and are equal in a conjunctive point-wise comparison using the "urn:oasis:names:tc:xacml:1.0:function:integer-equal". The conversion from the string representation to an octet sequence SHALL be as specified in [XS Section 8.2.16].
A.14.2 Arithmetic functions
All of the following functions SHALL take two arguments of the specified data-type, integer or double, and SHALL return an element of integer or double data-type, respectively. However, the "add" functions MAY take more than two arguments. Each function evaluation SHALL proceed as specified by their logical counterparts in IEEE 754 [IEEE 754]. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate. In the case of the divide functions, if the divisor is zero, then the function SHALL evaluate to "Indeterminate".
integer-add
This function MAY have two or more arguments.
double-add
This function MAY have two or more arguments.
integer-subtract
double-subtract
integer-multiply
double-multiply
integer-divide
double-divide
integer-mod
The following functions SHALL take a single argument of the specified data-type. The round and floor functions SHALL take a single argument of data-type "http://www.w3.org/2001/XMLSchema#double" and return data-type "http://www.w3.org/2001/XMLSchema#double". In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.
integer-abs
double-abs
round
floor
A.14.3 String conversion functions
The following functions convert values of the XACML "http://www.w3.org/2001/XMLSchema#string" primitive type. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.
string-normalize-space
This function SHALL take one argument of data-type "http://www.w3.org/2001/XMLSchema#string" and SHALL normalize the value by stripping off all leading and trailing whitespace characters.
string-normalize-to-lower-case
This function SHALL take one argument of "http://www.w3.org/2001/XMLSchema#string" and SHALL normalize the value by converting each upper case character to its lower case equivalent.
A.14.4 Numeric data-type conversion functions
The following functions convert between the XACML "http://www.w3.org/2001/XMLSchema#integer" and "http://www.w3.org/2001/XMLSchema#double" primitive types. In any expression in which the functions defined below are applied, if any argument, while being evaluated, results in Indeterminate, the expression SHALL return Indeterminate.
double-to-integer
This function SHALL take one argument of data-type "http://www.w3.org/2001/XMLSchema#double" and SHALL truncate its numeric value to a whole number and return an element of data-type "http://www.w3.org/2001/XMLSchema#integer".
integer-to-double
This function SHALL take one argument of data-type "http://www.w3.org/2001/XMLSchema#integer" and SHALL promote its value to an element of data-type "http://www.w3.org/2001/XMLSchema#double" of the same numeric value.
A.14.5 Logical functions
This section contains the specification for logical functions that operate on arguments of the "http://www.w3.org/2001/XMLSchema#boolean" data-type.
or
This function SHALL return False if it has no arguments and SHALL return True if one of its arguments evaluates to True. The order of evaluation SHALL be from first argument to last. The evaluation SHALL stop with a result of True if any argument evaluates to True, leaving the rest of the arguments unevaluated. In an expression that contains any of these functions, if ANY argument to this function evaluates to Indeterminate, then the expression SHALL evaluate to Indeterminate.
and
This function SHALL return True if it has no arguments and SHALL return False if one of its arguments evaluates to False. The order of evaluation SHALL be from first argument to last. The evaluation SHALL stop with a result of False if any argument evaluates to False, leaving the rest of the arguments unevaluated. In an expression that contains any of these functions, if ANY argument to this function evaluates to Indeterminate, then the expression SHALL evaluate to Indeterminate.
n-of
The first argument to this function SHALL be of data-type "http://www.w3.org/2001/XMLSchema#integer", specifying the number of the remaining arguments that MUST evaluate to True for the expression to be considered True. If the first argument is 0, the result SHALL be True. If the number of arguments after the first one is less than the value of the first argument, then the expression SHALL result in Indeterminate. The order of evaluation SHALL be: first evaluate the integer value, then evaluate each subsequent argument. The evaluation SHALL stop and return True if the specified number of arguments evaluate to True. The evaluation of arguments SHALL stop if it is determined that evaluating the remaining arguments will not satisfy the requirement. In an expression that contains any of these functions, if ANY argument to this function evaluates to Indeterminate, then the expression SHALL evaluate to Indeterminate.
not
This function SHALL take one logical argument. If the argument evaluates to True, then the result of the expression SHALL be False. If the argument evaluates to False, then the result of the expression SHALL be True. In an expression that contains any of these functions, if ANY argument to this function evaluates to Indeterminate, then the expression SHALL evaluate to Indeterminate.
Note: For an expression that is an application of AND, OR or N-OF, it MAY NOT be necessary to attempt a full evaluation of each boolean argument to a truth value in order to determine whether the evaluation of the argument would result in Indeterminate. Analysis of the argument regarding its necessary attributes, or other analysis regarding errors such as divide-by-zero, may render the argument error-free. Such arguments, occurring in the expression in a position after the evaluation is stated to stop, need not be processed.
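The or, and, n-of and not semantics above, as an added Python example (not code from the specification): arguments are wrapped as zero-argument callables so that the left-to-right stopping rule is observable, and an Indeterminate argument that is actually reached makes the result Indeterminate, while one past the stopping point is never evaluated, as the Note permits. All function and helper names are this example's own.

```python
from enum import Enum
from typing import Callable, List, Optional


class Result(Enum):
    """The three values an XACML boolean expression can take."""
    TRUE = "True"
    FALSE = "False"
    INDETERMINATE = "Indeterminate"


# An argument is a zero-argument callable returning a Result, so that the
# evaluation order and the stopping point are observable.
Arg = Callable[[], Result]


def arg(value: Result, trace: Optional[List[str]] = None, label: str = "") -> Arg:
    """Build an argument that appends its label to `trace` when evaluated."""
    def thunk() -> Result:
        if trace is not None:
            trace.append(label)
        return value
    return thunk


def xacml_or(*args: Arg) -> Result:
    """function:or. No arguments: False. Evaluate left to right and stop at the
    first True; an Indeterminate argument that is reached is the result."""
    for a in args:
        r = a()
        if r is not Result.FALSE:
            return r
    return Result.FALSE


def xacml_and(*args: Arg) -> Result:
    """function:and. No arguments: True. Stop at the first False; an
    Indeterminate argument that is reached is the result."""
    for a in args:
        r = a()
        if r is not Result.TRUE:
            return r
    return Result.TRUE


def xacml_n_of(n: int, *args: Arg) -> Result:
    """function:n-of. n == 0: True. Fewer than n arguments: Indeterminate.
    Otherwise evaluate left to right, returning True as soon as n arguments
    are True and False as soon as the remaining ones cannot reach n."""
    if n == 0:
        return Result.TRUE
    if len(args) < n:
        return Result.INDETERMINATE
    trues = 0
    for i, a in enumerate(args):
        r = a()
        if r is Result.INDETERMINATE:
            return Result.INDETERMINATE
        if r is Result.TRUE:
            trues += 1
            if trues == n:
                return Result.TRUE
        if trues + (len(args) - i - 1) < n:   # cannot be satisfied any more
            return Result.FALSE
    return Result.FALSE


def xacml_not(a: Arg) -> Result:
    """function:not. Flips True and False; Indeterminate stays Indeterminate."""
    r = a()
    if r is Result.INDETERMINATE:
        return r
    return Result.FALSE if r is Result.TRUE else Result.TRUE


def or_stops_before_error() -> List[str]:
    """or(False, True, Indeterminate) evaluates only the first two arguments,
    so the error in the third never surfaces (the Note after n-of)."""
    trace: List[str] = []
    xacml_or(arg(Result.FALSE, trace, "a"),
             arg(Result.TRUE, trace, "b"),
             arg(Result.INDETERMINATE, trace, "c"))
    return trace   # ["a", "b"]


if __name__ == "__main__":
    print("or()                ->", xacml_or().value)
    print("and()               ->", xacml_and().value)
    print("n-of(2, T, F, T, ?) ->", xacml_n_of(2, arg(Result.TRUE), arg(Result.FALSE),
                                               arg(Result.TRUE), arg(Result.INDETERMINATE)).value)
    print("evaluated by or(F, T, ?):", or_stops_before_error())
```

Because the result depends on argument order, a policy author can place the arguments most likely to fail (for instance, one needing an attribute that may be unavailable) after those that decide the result in the common case.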
A.14.6 Arithmetic comparison functions
These functions form a minimal set for comparing two numbers, yielding a boolean result. They SHALL comply with the rules governed by IEEE 754 [IEEE 754]. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.
integer-greater-than
integer-greater-than-or-equal
integer-less-than
integer-less-than-or-equal
double-greater-than
double-greater-than-or-equal
double-less-than
double-less-than-or-equal
A.14.7 Date and time arithmetic functions
These functions perform arithmetic operations with the date and time. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.
dateTime-add-dayTimeDuration
This function SHALL take two arguments: the first is of data-type "http://www.w3.org/2001/XMLSchema#dateTime" and the second is of data-type "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#dateTime". This function SHALL return the value by adding the second argument to the first argument according to the specification of adding durations to date and time [XS Appendix E].
dateTime-add-yearMonthDuration
This function SHALL take two arguments: the first is a "http://www.w3.org/2001/XMLSchema#dateTime" and the second is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#dateTime". This function SHALL return the value by adding the second argument to the first argument according to the specification of adding durations to date and time [XS Appendix E].
dateTime-subtract-dayTimeDuration
This function SHALL take two arguments: the first is a "http://www.w3.org/2001/XMLSchema#dateTime" and the second is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#dateTime". If the second argument is a positive duration, then this function SHALL return the value by adding the corresponding negative duration, as per the specification [XS Appendix E]. If the second argument is a negative duration, then the result SHALL be as if the function "urn:oasis:names:tc:xacml:1.0:function:dateTime-add-dayTimeDuration" had been applied to the corresponding positive duration.
dateTime-subtract-yearMonthDuration
This function SHALL take two arguments: the first is a "http://www.w3.org/2001/XMLSchema#dateTime" and the second is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#dateTime". If the second argument is a positive duration, then this function SHALL return the value by adding the corresponding negative duration, as per the specification [XS Appendix E]. If the second argument is a negative duration, then the result SHALL be as if the function "urn:oasis:names:tc:xacml:1.0:function:dateTime-add-yearMonthDuration" had been applied to the corresponding positive duration.
date-add-yearMonthDuration
This function SHALL take two arguments: the first is a "http://www.w3.org/2001/XMLSchema#date" and the second is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#date". This function SHALL return the value by adding the second argument to the first argument according to the specification of adding durations to date [XS Appendix E].
date-subtract-yearMonthDuration
This function SHALL take two arguments: the first is a "http://www.w3.org/2001/XMLSchema#date" and the second is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration". It SHALL return a result of "http://www.w3.org/2001/XMLSchema#date". If the second argument is a positive duration, then this function SHALL return the value by adding the corresponding negative duration, as per the specification [XS Appendix E]. If the second argument is a negative duration, then the result SHALL be as if the function "urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration" had been applied to the corresponding positive duration.
A.14.8 Non-numeric comparison functions
These functions perform comparison operations on two arguments of non-numerical types. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.
string-greater-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if and only if, when the arguments are compared byte by byte, after an initial prefix of corresponding bytes from both arguments that are considered equal by "urn:oasis:names:tc:xacml:1.0:function:integer-equal", the next byte-by-byte comparison is such that the byte from the first argument is greater than the byte from the second argument by the use of the function "urn:oasis:names:tc:xacml:1.0:function:integer-equal".
string-greater-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return a result as if evaluated with the logical function "urn:oasis:names:tc:xacml:1.0:function:or" with two arguments containing the functions "urn:oasis:names:tc:xacml:1.0:function:string-greater-than" and "urn:oasis:names:tc:xacml:1.0:function:string-equal" containing the original arguments.
string-less-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if and only if, when the arguments are compared byte by byte, after an initial prefix of corresponding bytes from both arguments that are considered equal by "urn:oasis:names:tc:xacml:1.0:function:integer-equal", the next byte-by-byte comparison is such that the byte from the first argument is less than the byte from the second argument by the use of the function "urn:oasis:names:tc:xacml:1.0:function:integer-less-than".
string-less-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return a result as if evaluated with the function "urn:oasis:names:tc:xacml:1.0:function:or" with two arguments containing the functions "urn:oasis:names:tc:xacml:1.0:function:string-less-than" and "urn:oasis:names:tc:xacml:1.0:function:string-equal" containing the original arguments.
time-greater-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#time" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is greater than the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#time" [XS Section 3.2.8].
time-greater-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#time" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is greater than or equal to the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#time" [XS Section 3.2.8].
time-less-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#time" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is less than the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#time" [XS Section 3.2.8].
time-less-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#time" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is less than or equal to the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#time" [XS Section 3.2.8].
dateTime-greater-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#dateTime" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is greater than the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#dateTime" [XS Section 3.2.7].
dateTime-greater-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#dateTime" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is greater than or equal to the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#dateTime" [XS Section 3.2.7].
dateTime-less-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#dateTime" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is less than the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#dateTime" [XS Section 3.2.7].
dateTime-less-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#dateTime" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is less than or equal to the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#dateTime" [XS Section 3.2.7].
date-greater-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#date" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is greater than the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#date" [XS Section 3.2.9].
date-greater-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#date" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is greater than or equal to the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#date" [XS Section 3.2.9].
date-less-than
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#date" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is less than the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#date" [XS Section 3.2.9].
date-less-than-or-equal
This function SHALL take two arguments of data-type "http://www.w3.org/2001/XMLSchema#date" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return True if the first argument is less than or equal to the second argument according to the order relation specified for "http://www.w3.org/2001/XMLSchema#date" [XS Section 3.2.9].
A.14.9 Bag functions
These functions operate on a bag of type values, where type is one of the primitive data-types. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate. Some additional conditions, defined for each function below, SHALL cause the expression to evaluate to Indeterminate.
type-one-and-only
This function SHALL take an argument of a bag of type values and SHALL return a value of data-type type. It SHALL return the only value in the bag. If the bag does not have one and only one value, then the expression SHALL evaluate to Indeterminate.
type-bag-size
This function SHALL take a bag of type values as an argument and SHALL return an "http://www.w3.org/2001/XMLSchema#integer" indicating the number of values in the bag.
type-is-in
This function SHALL take an argument of data-type type as the first argument and a bag of type values as the second argument The expression SHALL evaluate to True if the first argument matches by the urnoasisnamestcxacml10functiontype-equal to any value in the bag
type-bag
This function SHALL take any number of arguments of a single data-type and return a bag of type values containing the values of the arguments An application of this function to zero arguments SHALL produce an empty bag of the specified data-type
A.14.10 Set functions
These functions operate on bags mimicking sets by eliminating duplicate elements from a bag. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.
type-intersection
This function SHALL take two arguments that are both a bag of "type" values. The expression SHALL return a bag of "type" values such that it contains only elements that are common between the two bags, which is determined by urn:oasis:names:tc:xacml:1.0:function:type-equal. No duplicates, as determined by urn:oasis:names:tc:xacml:1.0:function:type-equal, SHALL exist in the result.
type-at-least-one-member-of
This function SHALL take two arguments that are both a bag of "type" values. The expression SHALL evaluate to True if at least one element of the first argument is contained in the second argument, as determined by urn:oasis:names:tc:xacml:1.0:function:type-is-in.
type-union
This function SHALL take two arguments that are both a bag of "type" values. The expression SHALL return a bag of "type" values such that it contains all elements of both bags. No duplicates, as determined by urn:oasis:names:tc:xacml:1.0:function:type-equal, SHALL exist in the result.
type-subset
This function SHALL take two arguments that are both a bag of "type" values. It SHALL return True if the first argument is a subset of the second argument. Each argument is considered to have its duplicates removed, as determined by urn:oasis:names:tc:xacml:1.0:function:type-equal, before the subset calculation.
type-set-equals
This function SHALL take two arguments that are both a bag of "type" values and SHALL return the result of applying urn:oasis:names:tc:xacml:1.0:function:and to the application of urn:oasis:names:tc:xacml:1.0:function:type-subset to the first and second arguments and the application of urn:oasis:names:tc:xacml:1.0:function:type-subset to the second and first arguments.
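The bag functions of A.14.9 and the set functions of A.14.10 are small enough to model directly. The following Python is an added example, not code from the XACML specification; it assumes that a bag is a Python list (ordered, duplicates allowed), that Indeterminate is the sentinel object INDETERMINATE, and that the element type's type-equal function is an ordinary two-argument predicate (defaulting to ==, which is what string-equal and integer-equal amount to on str and int values). The propagation rule stated for both sections, that any Indeterminate argument makes the whole expression Indeterminate, is applied in every function.

```python
"""Bag and set functions from A.14.9 and A.14.10, modelled in Python.

Added example, not code from the XACML specification. Assumptions: a bag is a
Python list (ordered, duplicates allowed), Indeterminate is the sentinel object
INDETERMINATE, and the type-equal function of the element type is an ordinary
Python predicate (default: ==).
"""
from typing import Any, Callable, List

Bag = List[Any]
Equal = Callable[[Any, Any], bool]


class _Indeterminate:
    def __repr__(self) -> str:
        return "Indeterminate"


INDETERMINATE = _Indeterminate()


def _any_indeterminate(*args: Any) -> bool:
    """Spec rule: if any argument is Indeterminate, the expression is Indeterminate."""
    return any(a is INDETERMINATE for a in args)


def _default_equal(a: Any, b: Any) -> bool:
    return a == b


# ---- A.14.9 bag functions ----------------------------------------------------

def one_and_only(bag: Bag) -> Any:
    """type-one-and-only: the single value of the bag, Indeterminate otherwise."""
    if _any_indeterminate(bag) or len(bag) != 1:
        return INDETERMINATE
    return bag[0]


def bag_size(bag: Bag) -> Any:
    """type-bag-size: number of values in the bag (duplicates are counted)."""
    return INDETERMINATE if _any_indeterminate(bag) else len(bag)


def is_in(value: Any, bag: Bag, equal: Equal = _default_equal) -> Any:
    """type-is-in: True if value is type-equal to any member of the bag."""
    if _any_indeterminate(value, bag):
        return INDETERMINATE
    return any(equal(value, x) for x in bag)


def make_bag(*values: Any) -> Any:
    """type-bag: build a bag from its arguments; zero arguments give an empty bag."""
    if _any_indeterminate(*values):
        return INDETERMINATE
    return list(values)


# ---- A.14.10 set functions ---------------------------------------------------

def _dedupe(bag: Bag, equal: Equal) -> Bag:
    """Remove duplicates as determined by type-equal, keeping first occurrences."""
    out: Bag = []
    for x in bag:
        if not any(equal(x, y) for y in out):
            out.append(x)
    return out


def intersection(a: Bag, b: Bag, equal: Equal = _default_equal) -> Any:
    """type-intersection: common elements, without duplicates."""
    if _any_indeterminate(a, b):
        return INDETERMINATE
    return _dedupe([x for x in a if any(equal(x, y) for y in b)], equal)


def at_least_one_member_of(a: Bag, b: Bag, equal: Equal = _default_equal) -> Any:
    """type-at-least-one-member-of, defined through is_in as the text says."""
    if _any_indeterminate(a, b):
        return INDETERMINATE
    return any(is_in(x, b, equal) for x in a)


def union(a: Bag, b: Bag, equal: Equal = _default_equal) -> Any:
    """type-union: all elements of both bags, without duplicates."""
    if _any_indeterminate(a, b):
        return INDETERMINATE
    return _dedupe(list(a) + list(b), equal)


def subset(a: Bag, b: Bag, equal: Equal = _default_equal) -> Any:
    """type-subset: duplicates are removed from both sides before the test."""
    if _any_indeterminate(a, b):
        return INDETERMINATE
    b_set = _dedupe(b, equal)
    return all(is_in(x, b_set, equal) for x in _dedupe(a, equal))


def set_equals(a: Bag, b: Bag, equal: Equal = _default_equal) -> Any:
    """type-set-equals: and(type-subset(a, b), type-subset(b, a))."""
    if _any_indeterminate(a, b):
        return INDETERMINATE
    return subset(a, b, equal) and subset(b, a, equal)
```

Passing a different `equal` predicate (for example a case-insensitive one) shows why the text ties every set operation to the element type's own type-equal function: membership, deduplication and the subset test all change together with it.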
A.14.11 Higher-order bag functions
This section describes functions in XACML that perform operations on bags such that functions may be applied to the bags in general.
In this section, a general-purpose functional language called Haskell [Haskell] is used to formally specify the semantics of these functions. Although the English description is adequate, a formal specification of the semantics is helpful.
For a quick summary, in the following Haskell notation a function definition takes the form of clauses that are applied to patterns of structures, namely lists. The symbol "[]" denotes the empty list, whereas the expression "(x:xs)" matches against an argument of a non-empty list, of which "x" represents the first element of the list and "xs" is the rest of the list, which may be an empty list. We use the Haskell notion of a list, which is an ordered collection of elements, to model the XACML bags of values.
A simple Haskell definition of a familiar function, "urn:oasis:names:tc:xacml:1.0:function:and", that takes a list of booleans is defined as follows:
and :: [Bool] -> Bool
and [] = True
and (x:xs) = x && (and xs)
The first definition line, denoted by a "::", formally describes the data-type of the function, which takes a list of booleans, denoted by "[Bool]", and returns a boolean, denoted by "Bool". The second definition line is a clause that states that the function "and" applied to the empty list is True. The third definition line is a clause that states that, for a non-empty list such that the first element is "x", which is a value of data-type Bool, the function "and" applied to x SHALL be combined, using the logical conjunction function, which is denoted by the infix symbol "&&", with the result of recursively applying the function "and" to the rest of the list. Of course, an application of the "and" function is True if and only if the list to which it is applied is empty or every element of the list is True. For example, the evaluation of the following Haskell expressions
(and []), (and [True]), (and [True,True]), (and [True,True,False])
evaluate to True, True, True and False, respectively.
In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.
any-of
This function applies a boolean function between a specific primitive value and a bag of values, and SHALL return True if and only if the predicate is True for at least one element of the bag.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a value of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element is applied to the second argument and each element of the third argument (the bag), and the results are combined with "urn:oasis:names:tc:xacml:1.0:function:or".
In Haskell, the semantics of this operation are as follows:
any_of :: (a -> b -> Bool) -> a -> [b] -> Bool
any_of f a [] = False
any_of f a (x:xs) = (f a x) || (any_of f a xs)
In the above notation, "f" is the function name to be applied, "a" is the primitive value, and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression SHALL return True:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Paul</AttributeValue>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Paul</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">George</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Ringo</AttributeValue>
  </Apply>
</Apply>
This expression is True because the first argument is equal to at least one of the elements of the bag.
all-of
This function applies a boolean function between a specific primitive value and a bag of values, and returns True if and only if the predicate is True for every element of the bag.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a value of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied to the second argument and each element of the third argument (the bag), and the results were combined using "urn:oasis:names:tc:xacml:1.0:function:and".
In Haskell, the semantics of this operation are as follows:
all_of :: (a -> b -> Bool) -> a -> [b] -> Bool
all_of f a [] = False
all_of f a (x:xs) = (f a x) && (all_of f a xs)
In the above notation, "f" is the function name to be applied, "a" is the primitive value, and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression SHALL evaluate to True:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:all-of">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater"/>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">10</AttributeValue>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">9</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">4</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</AttributeValue>
  </Apply>
</Apply>
This expression is True because the first argument is greater than all of the elements of the bag.
any-of-any
This function applies a boolean function between each element of a bag of values and each element of another bag of values, and returns True if and only if the predicate is True for at least one comparison.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a bag of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied between every element in the second argument and every element of the third argument (the bag), and the results were combined using "urn:oasis:names:tc:xacml:1.0:function:or". The semantics are that the result of the expression SHALL be True if and only if the applied predicate is True for any comparison of elements from the two bags.
In Haskell, taking advantage of the "any_of" function defined above, the semantics of the "any_of_any" function are as follows:
any_of_any :: (a -> b -> Bool) -> [a] -> [b] -> Bool
any_of_any f [] ys = False
any_of_any f (x:xs) ys = (any_of f x ys) || (any_of_any f xs ys)
In the above notation, "f" is the function name to be applied, and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression SHALL evaluate to True:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Ringo</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Mary</AttributeValue>
  </Apply>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Paul</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">George</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Ringo</AttributeValue>
  </Apply>
</Apply>
This expression is True because at least one of the elements of the first bag, namely "Ringo", is equal to at least one of the string values of the second bag.
all-of-any
This function applies a boolean function between the elements of two bags. The expression is True if and only if the predicate is True between each and all of the elements of the first bag, collectively, against at least one element of the second bag.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a bag of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied between every element in the second argument and every element of the third argument (the bag), using "urn:oasis:names:tc:xacml:1.0:function:and". The semantics are that the result of the expression SHALL be True if and only if the applied predicate is True for each element of the first bag and any element of the second bag.
In Haskell, taking advantage of the "any_of" function defined in Haskell above, the semantics of the "all_of_any" function are as follows:
all_of_any :: (a -> b -> Bool) -> [a] -> [b] -> Bool
all_of_any f [] ys = False
all_of_any f (x:xs) ys = (any_of f x ys) && (all_of_any f xs ys)
In the above notation, "f" is the function name to be applied, and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression SHALL evaluate to True:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:all-of-any">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater"/>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">10</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">20</AttributeValue>
  </Apply>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">5</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">21</AttributeValue>
  </Apply>
</Apply>
This expression is True because all of the elements of the first bag, each of "10" and "20", are greater than at least one of the integer values "1", "3", "5", "21" of the second bag.
any-of-all
This function applies a boolean function between the elements of two bags. The expression SHALL be True if and only if the predicate is True between at least one of the elements of the first bag, collectively, against all the elements of the second bag.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a bag of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied between every element in the second argument and every element of the third argument (the bag), and the results were combined using "urn:oasis:names:tc:xacml:1.0:function:or". The semantics are that the result of the expression SHALL be True if and only if the applied predicate is True for any element of the first bag compared to all the elements of the second bag.
In Haskell, taking advantage of the "all_of" function defined in Haskell above, the semantics of the "any_of_all" function are as follows:
any_of_all :: (a -> b -> Bool) -> [a] -> [b] -> Bool
any_of_all f [] ys = False
any_of_all f (x:xs) ys = (all_of f x ys) || (any_of_all f xs ys)
In the above notation, "f" is the function name to be applied, and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression SHALL evaluate to True:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-all">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater"/>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">5</AttributeValue>
  </Apply>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">4</AttributeValue>
  </Apply>
</Apply>
This expression is True because at least one element of the first bag, namely "5", is greater than all of the integer values "1", "2", "3", "4" of the second bag.
all-of-all
This function applies a boolean function between the elements of two bags. The expression SHALL be True if and only if the predicate is True between each and all of the elements of the first bag, collectively, against all the elements of the second bag.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a bag of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression is evaluated as if the function named in the <Function> element were applied between every element in the second argument and every element of the third argument (the bag), and the results were combined using "urn:oasis:names:tc:xacml:1.0:function:and". The semantics are that the result of the expression is True if and only if the applied predicate is True for all elements of the first bag compared to all the elements of the second bag.
In Haskell, taking advantage of the "all_of" function defined in Haskell above, the semantics of the "all_of_all" function are as follows:
all_of_all :: (a -> b -> Bool) -> [a] -> [b] -> Bool
all_of_all f [] ys = False
all_of_all f (x:xs) ys = (all_of f x ys) && (all_of_all f xs ys)
In the above notation, "f" is the function name to be applied, and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression SHALL evaluate to True:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:all-of-all">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater"/>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">6</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">5</AttributeValue>
  </Apply>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">4</AttributeValue>
  </Apply>
</Apply>
This expression is True because all elements of the first bag, "5" and "6", are each greater than all of the integer values "1", "2", "3", "4" of the second bag.
map
This function converts a bag of values to another bag of values.
This function SHALL take two arguments. The first argument SHALL be a <Function> element naming a function that takes a single argument of a primitive data-type and returns a value of a primitive data-type. The second argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied to each element in the bag, resulting in a bag of the converted values. The result SHALL be a bag of the primitive data-type that is the same data-type that is returned by the function named in the <Function> element.
In Haskell, this function is defined as follows:
map :: (a -> b) -> [a] -> [b]
map f [] = []
map f (x:xs) = (f x) : (map f xs)
In the above notation, "f" is the function name to be applied, and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:map">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-normalize-to-lower-case"/>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Hello</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">World</AttributeValue>
  </Apply>
</Apply>
evaluates to a bag containing "hello" and "world".
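The seven higher-order functions of A.14.11 (any-of, all-of, any-of-any, all-of-any, any-of-all, all-of-all and map) can be checked against their Haskell definitions by transcribing the clauses into Python and evaluating them on the bags from the <Apply> examples above. The following block is an added example, not the specification's own code. It follows the Haskell on this page literally, including the clause that all_of applied to an empty bag yields False (note that Haskell's "and []" is True, so the empty bag is the one input on which all_of differs from folding the predicate results with "and"). It assumes that bags are Python lists, that Indeterminate is the sentinel INDETERMINATE, and that the <Function> argument is an ordinary two-argument Python callable; string_equal, integer_greater and string_normalize_to_lower_case are local stand-ins for the XACML functions named in the examples.

```python
"""Higher-order bag functions of A.14.11, transcribed from the page's Haskell.

Added example, not the specification's own code. Assumptions: bags are lists,
Indeterminate is the sentinel INDETERMINATE, and the <Function> argument is a
Python callable. The empty-bag clauses are taken from the page as written.
"""
from typing import Any, Callable, Dict, List

INDETERMINATE = object()
Pred = Callable[[Any, Any], bool]


def _indet(*args: Any) -> bool:
    """Spec rule: any Indeterminate argument makes the expression Indeterminate."""
    return any(a is INDETERMINATE for a in args)


def any_of(f: Pred, a: Any, bag: List[Any]) -> Any:
    # any_of f a []     = False
    # any_of f a (x:xs) = (f a x) || (any_of f a xs)
    if _indet(a, bag):
        return INDETERMINATE
    return any(f(a, x) for x in bag)


def all_of(f: Pred, a: Any, bag: List[Any]) -> Any:
    # all_of f a []     = False        (as written on the page)
    # all_of f a (x:xs) = (f a x) && (all_of f a xs)
    if _indet(a, bag):
        return INDETERMINATE
    if not bag:
        return False
    return all(f(a, x) for x in bag)


def any_of_any(f: Pred, xs: List[Any], ys: List[Any]) -> Any:
    # any_of_any f [] ys = False; (x:xs): (any_of f x ys) || (any_of_any f xs ys)
    if _indet(xs, ys):
        return INDETERMINATE
    return any(any_of(f, x, ys) for x in xs)


def all_of_any(f: Pred, xs: List[Any], ys: List[Any]) -> Any:
    # all_of_any f [] ys = False; (x:xs): (any_of f x ys) && (all_of_any f xs ys)
    if _indet(xs, ys):
        return INDETERMINATE
    if not xs:
        return False
    return all(any_of(f, x, ys) for x in xs)


def any_of_all(f: Pred, xs: List[Any], ys: List[Any]) -> Any:
    # any_of_all f [] ys = False; (x:xs): (all_of f x ys) || (any_of_all f xs ys)
    if _indet(xs, ys):
        return INDETERMINATE
    return any(all_of(f, x, ys) for x in xs)


def all_of_all(f: Pred, xs: List[Any], ys: List[Any]) -> Any:
    # all_of_all f [] ys = False; (x:xs): (all_of f x ys) && (all_of_all f xs ys)
    if _indet(xs, ys):
        return INDETERMINATE
    if not xs:
        return False
    return all(all_of(f, x, ys) for x in xs)


def map_bag(f: Callable[[Any], Any], bag: List[Any]) -> Any:
    # map f [] = []; map f (x:xs) = (f x) : (map f xs)
    if _indet(bag):
        return INDETERMINATE
    return [f(x) for x in bag]


# Stand-ins for the XACML functions named in the <Apply> examples (assumption).
def string_equal(a: str, b: str) -> bool:
    return a == b


def integer_greater(a: int, b: int) -> bool:
    return a > b


def string_normalize_to_lower_case(s: str) -> str:
    return s.lower()


def spec_examples() -> Dict[str, Any]:
    """The <Apply> examples of A.14.11, evaluated through the Python definitions."""
    beatles = ["John", "Paul", "George", "Ringo"]
    return {
        "any-of": any_of(string_equal, "Paul", beatles),
        "all-of": all_of(integer_greater, 10, [9, 3, 4, 2]),
        "any-of-any": any_of_any(string_equal, ["Ringo", "Mary"], beatles),
        "all-of-any": all_of_any(integer_greater, [10, 20], [1, 3, 5, 21]),
        "any-of-all": any_of_all(integer_greater, [3, 5], [1, 2, 3, 4]),
        "all-of-all": all_of_all(integer_greater, [6, 5], [1, 2, 3, 4]),
        "map": map_bag(string_normalize_to_lower_case, ["Hello", "World"]),
    }
```

Every boolean entry returned by spec_examples() is True and the "map" entry is ["hello", "world"], matching the results the text states for each example; the empty-bag cases are where a policy author should look twice, since an attribute that is absent from the request context yields an empty bag and, under these definitions, a False rather than a vacuously True all-of.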
A.14.12 Special match functions
These functions operate on various types and evaluate to "http://www.w3.org/2001/XMLSchema#boolean" based on the specified standard matching algorithm. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.
regexp-string-match
This function decides a regular expression match. It SHALL take two arguments of "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". The first argument SHALL be a regular expression and the second argument SHALL be a general string. The function specification SHALL be that of the "xf:matches" function with the arguments reversed [XF] Section 6.3.15.
x500Name-match
This function shall take two arguments of urn:oasis:names:tc:xacml:1.0:data-type:x500Name and shall return an http://www.w3.org/2001/XMLSchema#boolean. It shall return "True" if and only if the first argument matches some terminal sequence of RDNs from the second argument when compared using x500Name-equal.
rfc822Name-match
This function SHALL take two arguments, the first of data-type "http://www.w3.org/2001/XMLSchema#string" and the second of data-type "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name", and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL evaluate to True if the first argument matches the second argument according to the following specification.
An RFC 822 name consists of a local-part followed by "@" followed by a domain-part. The local-part is case-sensitive, while the domain-part (which is usually a DNS name) is not case-sensitive [4].
The second argument contains a complete rfc822Name. The first argument is a complete or partial rfc822Name used to select appropriate values in the second argument as follows.
In order to match a particular mailbox in the second argument, the first argument must specify the complete mail address to be matched. For example, if the first argument is "Anderson@sun.com", this matches a value in the second argument of "Anderson@sun.com" and "Anderson@SUN.COM", but not "Anne.Anderson@sun.com", "anderson@sun.com" or "Anderson@east.sun.com".
In order to match any mail address at a particular domain in the second argument, the first argument must specify only a domain name (usually a DNS name). For example, if the first argument is "sun.com", this matches a value in the second argument of "Anderson@sun.com" or "Baxter@SUN.COM", but not "Anderson@east.sun.com".
In order to match any mail address in a particular domain in the second argument, the first argument must specify the desired domain-part with a leading ".". For example, if the first argument is ".east.sun.com", this matches a value in the second argument of "Anderson@east.sun.com" and "anne.anderson@ISRG.EAST.SUN.COM", but not "Anderson@sun.com".
[4] According to IETF RFC 822 and its successor specifications [RFC2821], case is significant in the local-part. Many mail systems, as well as the IETF PKIX specification, treat the local-part as case-insensitive. This anomaly is considered an error by mail-system designers and is not encouraged. For this reason, rfc822Name-match treats the local-part as case-sensitive.
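The three match functions of A.14.12 are where most policy mistakes around identity hide (a regex that is unanchored, a DN prefix mistaken for a suffix, a domain pattern that does or does not cover subdomains), so it is worth seeing the rules executed. The following Python is an added example, not code from the specification, and the DN values in it are constructed. It assumes that regexp-string-match can be modelled with re.search, which is unanchored like xf:matches (Python's regex dialect is not identical to XML Schema regexes, so treat it as an approximation); that an x500Name is an RFC 2253 string whose RDNs are separated by unescaped commas and that x500Name-equal can be modelled as a case- and whitespace-insensitive comparison of RDNs; and that a leading-dot pattern in rfc822Name-match covers the named domain and every subdomain of it, which is what the two matching examples in the text show.

```python
"""The three A.14.12 match functions, modelled in Python.

Added example, not code from the XACML specification. Assumptions:
  * regexp-string-match is modelled with re.search (unanchored, like xf:matches);
    Python's regex dialect only approximates XML Schema regular expressions.
  * x500Name-match splits RFC 2253 strings on unescaped commas and models
    x500Name-equal as a case- and whitespace-insensitive RDN comparison.
  * rfc822Name-match implements the three cases of the text: whole mailbox,
    bare domain (exact), and leading-dot domain (that domain or any subdomain).
"""
import re
from typing import List


def regexp_string_match(regex: str, s: str) -> bool:
    """First argument is the pattern, second the string (xf:matches reversed)."""
    return re.search(regex, s) is not None


def _rdns(dn: str) -> List[str]:
    """Split a DN into normalised RDNs at commas not preceded by a backslash."""
    return [r.strip().lower() for r in re.split(r"(?<!\\),", dn)]


def x500name_match(pattern: str, name: str) -> bool:
    """True if pattern's RDNs form a terminal sequence of name's RDNs."""
    p, n = _rdns(pattern), _rdns(name)
    return len(p) <= len(n) and n[len(n) - len(p):] == p


def rfc822name_match(pattern: str, name: str) -> bool:
    """Cases 1-3 of the text: local-part case-sensitive, domain-part not."""
    local, at, domain = name.partition("@")
    if not at:
        raise ValueError("second argument must be a complete rfc822Name")
    domain = domain.lower()
    if "@" in pattern:
        # Case 1: a complete mailbox must match exactly (modulo domain case).
        p_local, _, p_domain = pattern.partition("@")
        return p_local == local and p_domain.lower() == domain
    if pattern.startswith("."):
        # Case 3: the named domain itself or any subdomain of it.
        suffix = pattern.lower()
        return domain == suffix[1:] or domain.endswith(suffix)
    # Case 2: exactly that domain; subdomains do not match.
    return domain == pattern.lower()
```

The x500Name-match test is deliberately a suffix test: "O=Medico,C=US" matches "CN=John Smith,O=Medico,C=US", but "CN=John Smith" alone does not, because the RDNs it names are not the terminal sequence of the second argument. A policy that meant "everyone under this organisation" therefore has to name the organisation's terminal RDNs, not a leading CN.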
A.14.13 XPath-based functions
This section specifies functions that take XPath expressions for arguments. An XPath expression evaluates to a node-set, which is a set of XML nodes that match the expression. A node or node-set is not in the formal data-type system of XACML. All comparison or other operations on node-sets are performed in the isolation of the particular function specified. The XPath expressions in these functions are restricted to the XACML request context. The <xacml-context:Request> element is a context node for every XPath expression. The following functions are defined:
xpath-node-count
This function SHALL take an "http://www.w3.org/2001/XMLSchema#string" as an argument, which SHALL be interpreted as an XPath expression, and evaluates to an "http://www.w3.org/2001/XMLSchema#integer". The value returned from the function SHALL be the count of the nodes within the node-set that matches the given XPath expression.
xpath-node-equal
This function SHALL take two "http://www.w3.org/2001/XMLSchema#string" arguments, which SHALL be interpreted as XPath expressions, and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". The function SHALL return True if any XML node from the node-set matched by the first argument equals, according to the "op:node-equal" function [XF] Section 13.1.6, any XML node from the node-set matched by the second argument.
xpath-node-match
This function SHALL take two "http://www.w3.org/2001/XMLSchema#string" arguments, which SHALL be interpreted as XPath expressions, and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL evaluate to True if either of the following two conditions is satisfied: (1) Any XML node from the node-set matched by the first argument is equal, according to op:node-equal [XF] Section 13.1.6, to any XML node from the node-set matched by the second argument; (2) Any attribute and element node below any XML node from the node-set matched by the first argument is equal, according to op:node-equal [XF] Section 13.1.6, to any XML node from the node-set matched by the second argument.
NOTE: The first condition is equivalent to xpath-node-equal and guarantees that xpath-node-equal is a special case of xpath-node-match.
A.14.14 Extension functions and primitive types
Functions and primitive types are specified by string identifiers, allowing for the introduction of functions in addition to those specified by XACML. This approach allows one to extend the XACML module with special functions and special primitive data-types.
In order to preserve some integrity to the XACML evaluation strategy, the result of all function applications SHALL depend only on the values of their arguments. Global and hidden parameters SHALL NOT affect the evaluation of an expression. Functions SHALL NOT have side effects, as evaluation order cannot be guaranteed in a standard way.
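The distinction between xpath-node-equal (node identity) and xpath-node-match (identity or containment) decides whether a policy that points at, say, the <Resource> element also covers the nodes inside <ResourceContent>. The following Python is an added example, not code from the specification. It assumes that the standard library's xml.etree.ElementTree supplies the (limited) XPath subset, that the <Request> element is the context node, that node identity stands in for op:node-equal, and that only element nodes are modelled: ElementTree has no attribute node objects, so condition (2) of xpath-node-match is applied to element descendants only. The request context in the block is constructed for the example.

```python
"""The three A.14.13 XPath-based functions over a request context.

Added example, not code from the XACML specification. Assumptions: ElementTree's
XPath subset, <Request> as the context node, node identity for op:node-equal,
element nodes only (attribute nodes are not objects in ElementTree). The request
context below is constructed for the example.
"""
import xml.etree.ElementTree as ET
from typing import List

NS = {"ctx": "urn:oasis:names:tc:xacml:1.0:context"}

REQUEST_XML = """\
<Request xmlns="urn:oasis:names:tc:xacml:1.0:context">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>alice</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <ResourceContent>
      <record xmlns="">
        <patient>alice</patient>
        <physician>bob</physician>
      </record>
    </ResourceContent>
  </Resource>
  <Action/>
</Request>
"""

REQUEST = ET.fromstring(REQUEST_XML)


def _node_set(expr: str, context: ET.Element = REQUEST) -> List[ET.Element]:
    """Evaluate expr relative to the context node (<Request> by default)."""
    return context.findall(expr, NS)


def xpath_node_count(expr: str) -> int:
    """xpath-node-count: size of the node-set matched by expr."""
    return len(_node_set(expr))


def xpath_node_equal(expr1: str, expr2: str) -> bool:
    """xpath-node-equal: some node of expr1 is the same node as one of expr2."""
    set2 = _node_set(expr2)
    return any(a is b for a in _node_set(expr1) for b in set2)


def xpath_node_match(expr1: str, expr2: str) -> bool:
    """xpath-node-match: some node of expr2 is, or is below, a node of expr1."""
    ids2 = {id(b) for b in _node_set(expr2)}
    for a in _node_set(expr1):
        # a.iter() yields a itself (condition 1) and every element below it
        # (condition 2, restricted to element nodes in this model).
        if any(id(n) in ids2 for n in a.iter()):
            return True
    return False
```

Note the asymmetry: xpath_node_match("ctx:Resource", ".//patient") is True because <patient> lies below <Resource>, while xpath_node_match(".//patient", "ctx:Resource") is False, and xpath_node_equal is False in both directions because the two node-sets share no node. Argument order therefore matters when a policy uses xpath-node-match to scope a rule to part of the resource content.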
Appendix B. XACML identifiers (normative)
This section defines standard identifiers for commonly used entities. All XACML-defined identifiers have the common base:
urn:oasis:names:tc:xacml:1.0
B.1 XACML namespaces
There are currently two defined XACML namespaces.
Policies are defined using this identifier:
urn:oasis:names:tc:xacml:1.0:policy
Request and response contexts are defined using this identifier:
urn:oasis:names:tc:xacml:1.0:context
B.2 Access subject categories
This identifier indicates the system entity that initiated the access request. That is, the initial entity in a request chain. If the subject category is not specified, this is the default value.
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
This identifier indicates the system entity that will receive the results of the request. Used when it is distinct from the access-subject.
urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject
This identifier indicates a system entity through which the access request was passed. There may be more than one. No means is provided to specify the order in which they passed the message.
urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject
This identifier indicates a system entity associated with a local or remote codebase that generated the request. Corresponding subject attributes might include the URL from which it was loaded and/or the identity of the code-signer. There may be more than one. No means is provided to specify the order in which they processed the request.
urn:oasis:names:tc:xacml:1.0:subject-category:codebase
This identifier indicates a system entity associated with the computer that initiated the access request. An example would be an IPsec identity.
urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine
B.3 XACML functions
This identifier is the base for all the identifiers in the table of functions. See Section A.1.
urn:oasis:names:tc:xacml:1.0:function
B.4 Data-types
The following identifiers indicate useful data-types.
X.500 distinguished name
urn:oasis:names:tc:xacml:1.0:data-type:x500Name
An x500Name contains an ITU-T Rec. X.520 Distinguished Name. The valid syntax for such a name is described in IETF RFC 2253, "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names".
RFC 822 Name
urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name
An rfc822Name contains an e-mail name. The valid syntax for such a name is described in IETF RFC 2821, Section 4.1.2, "Command Argument Syntax", under the term "Mailbox".
The following data-type identifiers are defined by XML Schema:
http://www.w3.org/2001/XMLSchema#string
http://www.w3.org/2001/XMLSchema#boolean
http://www.w3.org/2001/XMLSchema#integer
http://www.w3.org/2001/XMLSchema#double
http://www.w3.org/2001/XMLSchema#time
http://www.w3.org/2001/XMLSchema#date
http://www.w3.org/2001/XMLSchema#dateTime
http://www.w3.org/2001/XMLSchema#anyURI
http://www.w3.org/2001/XMLSchema#hexBinary
http://www.w3.org/2001/XMLSchema#base64Binary
The following data-type identifiers correspond to the dayTimeDuration and yearMonthDuration data-types defined in [XF] Sections 8.2.2 and 8.2.1, respectively:
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration
B.5 Subject attributes
These identifiers indicate attributes of a subject. When used, they SHALL appear within a <Subject> element of the request context. They SHALL be accessed via a <SubjectAttributeDesignator> or an <AttributeSelector> element pointing into a <Subject> element of the request context.
At most one of each of these attributes is associated with each subject. Each attribute associated with authentication included within a single <Subject> element relates to the same authentication event.
This identifier indicates the name of the subject. The default format is http://www.w3.org/2001/XMLSchema#string. To indicate other formats, use the DataType attributes listed in B.4.
urn:oasis:names:tc:xacml:1.0:subject:subject-id
This identifier indicates the subject category; "access-subject" is the default.
urn:oasis:names:tc:xacml:1.0:subject-category
This identifier indicates the security domain of the subject. It identifies the administrator and policy that manages the name-space in which the subject id is administered.
urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier
This identifier indicates a public key used to confirm the subject's identity.
urn:oasis:names:tc:xacml:1.0:subject:key-info
This identifier indicates the time at which the subject was authenticated.
urn:oasis:names:tc:xacml:1.0:subject:authentication-time
This identifier indicates the method used to authenticate the subject.
urn:oasis:names:tc:xacml:1.0:subject:authentication-method
This identifier indicates the time at which the subject initiated the access request, according to the PEP.
urn:oasis:names:tc:xacml:1.0:subject:request-time
This identifier indicates the time at which the subject's current session began, according to the PEP.
urn:oasis:names:tc:xacml:1.0:subject:session-start-time
The following identifiers indicate the location where authentication credentials were activated. They are intended to support the corresponding entities from the SAML authentication statement.
This identifier indicates that the location is expressed as an IP address.
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address
This identifier indicates that the location is expressed as a DNS name.
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name
Where a suitable attribute is already defined in LDAP [LDAP-1, LDAP-2], the XACML identifier SHALL be formed by adding the attribute name to the URI of the LDAP specification. For example, the attribute name for the userPassword defined in RFC 2256 SHALL be:
http://www.ietf.org/rfc/rfc2256.txt#userPassword
B.6 Resource attributes
These identifiers indicate attributes of the resource. When used, they SHALL appear within the <Resource> element of the request context. They SHALL be accessed via a <ResourceAttributeDesignator> or an <AttributeSelector> element pointing into the <Resource> element of the request context.
This identifier indicates the entire URI of the resource.
urn:oasis:names:tc:xacml:1.0:resource:resource-id
A resource attribute used to indicate values extracted from the resource.
urn:oasis:names:tc:xacml:1.0:resource:resource-content
This identifier indicates the last (rightmost) component of the file name. For example, if the URI is "file://home/my/status.pointer", the simple-file-name is "status".
urn:oasis:names:tc:xacml:1.0:resource:simple-file-name
This identifier indicates that the resource is specified by an XPath expression.
urn:oasis:names:tc:xacml:1.0:resource:xpath
This identifier indicates a UNIX file-system path.
urn:oasis:names:tc:xacml:1.0:resource:ufs-path
This identifier indicates the scope of the resource, as described in Section 7.8.
urn:oasis:names:tc:xacml:1.0:resource:scope
The allowed value for this attribute is of data-type http://www.w3.org/2001/XMLSchema#string and is either "Immediate", "Children" or "Descendants".
B.7 Action attributes
These identifiers indicate attributes of the action being requested. When used, they SHALL appear within the <Action> element of the request context. They SHALL be accessed via an <ActionAttributeDesignator> or an <AttributeSelector> element pointing into the <Action> element of the request context.
urn:oasis:names:tc:xacml:1.0:action:action-id
Action namespace:
urn:oasis:names:tc:xacml:1.0:action:action-namespace
Implied action. This is the value for the action-id attribute when the action is implied:
urn:oasis:names:tc:xacml:1.0:action:implied-action
B.8 Environment attributes
These identifiers indicate attributes of the environment within which the decision request is to be evaluated. When used in the decision request, they SHALL appear in the <Environment> element of the request context. They SHALL be accessed via an <EnvironmentAttributeDesignator> or an <AttributeSelector> element pointing into the <Environment> element of the request context.
This identifier indicates the current time at the PDP. In practice, it is the time at which the request context was created.
urn:oasis:names:tc:xacml:1.0:environment:current-time
urn:oasis:names:tc:xacml:1.0:environment:current-date
urn:oasis:names:tc:xacml:1.0:environment:current-dateTime
B.9 Status codes
The following status code identifiers are defined.
This identifier indicates success.
urn:oasis:names:tc:xacml:1.0:status:ok
This identifier indicates that attributes necessary to make a policy decision were not available.
urn:oasis:names:tc:xacml:1.0:status:missing-attribute
This identifier indicates that some attribute value contained a syntax error, such as a letter in a numeric field.
urn:oasis:names:tc:xacml:1.0:status:syntax-error
This identifier indicates that an error occurred during policy evaluation. An example would be division by zero.
urn:oasis:names:tc:xacml:1.0:status:processing-error
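How a context handler puts the identifiers of B.5 to B.9 to work, as an added example that is not part of the specification: a small Python resolver that takes a constructed XACML 1.x <Request>, looks up a subject, resource, action or environment attribute by its Appendix B identifier and data-type, and reports failures with the B.9 status codes. The request body, the user name, the file URI, the timestamp and the extra urn:example:retries attribute are invented for the example; the identifiers and namespaces are the ones listed above.

```python
"""Resolving XACML 1.x attribute designators against a request context.

Added example, not code from the OASIS specification. It builds a constructed
<Request> with the standard subject, resource, action and environment
identifiers of Appendix B, then resolves designators the way a PDP's context
handler would, mapping failures onto the B.9 status codes. Identifiers and
namespaces are those of Appendix B; the request contents ("alice", the file
URI, the timestamp, the urn:example:retries attribute) are made up.
"""
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:1.0:context"
XACML = "urn:oasis:names:tc:xacml:1.0"
XS = "http://www.w3.org/2001/XMLSchema#"
NS = {"ctx": CTX}

# Appendix B.9 status codes.
STATUS_OK = XACML + ":status:ok"
STATUS_MISSING = XACML + ":status:missing-attribute"
STATUS_SYNTAX = XACML + ":status:syntax-error"

# Constructed sample request (not from the specification).
REQUEST_XML = f"""<Request xmlns="{CTX}">
  <Subject SubjectCategory="{XACML}:subject-category:access-subject">
    <Attribute AttributeId="{XACML}:subject:subject-id" DataType="{XS}string">
      <AttributeValue>alice</AttributeValue>
    </Attribute>
    <Attribute AttributeId="{XACML}:subject:authentication-method" DataType="{XS}string">
      <AttributeValue>password</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="{XACML}:resource:resource-id" DataType="{XS}anyURI">
      <AttributeValue>file://home/my/status.pointer</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="{XACML}:action:action-id" DataType="{XS}string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:example:retries" DataType="{XS}integer">
      <AttributeValue>three</AttributeValue>
    </Attribute>
  </Action>
  <Environment>
    <Attribute AttributeId="{XACML}:environment:current-dateTime" DataType="{XS}dateTime">
      <AttributeValue>2003-08-07T12:00:00Z</AttributeValue>
    </Attribute>
  </Environment>
</Request>"""


def load_request(xml_text=REQUEST_XML):
    return ET.fromstring(xml_text)


def _well_formed(value, data_type):
    """Lexical check for the data-types this example bothers to validate."""
    if data_type == XS + "integer":
        return value.strip().lstrip("+-").isdigit()
    if data_type == XS + "boolean":
        return value.strip() in ("true", "false", "1", "0")
    return True


def resolve(request, section, attribute_id, data_type, must_be_present=False):
    """Evaluate a <...AttributeDesignator>; section is Subject, Resource, Action or Environment.

    Returns (status, bag). A bag is an unordered list that may hold duplicates.
    An empty bag is a normal result unless MustBePresent is set, which makes it
    a missing-attribute error; a value that is not lexically valid for its
    declared data-type is a syntax-error.
    """
    bag = []
    for holder in request.findall("ctx:" + section, NS):
        for attr in holder.findall("ctx:Attribute", NS):
            if attr.get("AttributeId") != attribute_id or attr.get("DataType") != data_type:
                continue  # same id with another data-type is not a match
            for value in attr.findall("ctx:AttributeValue", NS):
                text = value.text or ""
                if not _well_formed(text, data_type):
                    return STATUS_SYNTAX, []
                bag.append(text)
    if not bag and must_be_present:
        return STATUS_MISSING, []
    return STATUS_OK, bag


def duplicate_subject_attributes(request):
    """B.5 allows at most one of each standard subject attribute per subject;
    return the standard subject attribute ids that occur twice in one <Subject>."""
    dupes = []
    for subject in request.findall("ctx:Subject", NS):
        seen = set()
        for attr in subject.findall("ctx:Attribute", NS):
            aid = attr.get("AttributeId", "")
            if aid.startswith(XACML + ":subject:"):
                if aid in seen:
                    dupes.append(aid)
                seen.add(aid)
    return dupes
```

The data-type is part of the match, so a designator asking for subject-id as an x500Name does not pick up the string-typed value above and comes back with an empty bag; policies therefore have to name the data-type they expect. duplicate_subject_attributes is the check a PEP should run on a request before sending it, since B.5 allows only one of each standard subject attribute within a <Subject>.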
B.10 Combining algorithms
The deny-overrides rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides
The deny-overrides policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides
The permit-overrides rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides
The permit-overrides policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides
The first-applicable rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable
The first-applicable policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable
The only-one-applicable-policy policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable
The ordered-deny-overrides rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-deny-overrides
The ordered-deny-overrides policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-deny-overrides
The ordered-permit-overrides rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides
The ordered-permit-overrides policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides
Appendix C Combining algorithms (normative)
This section contains a description of the rule-combining and policy-combining algorithms specified by XACML.
C.1 Deny-overrides
The following specification defines the "Deny-overrides" rule-combining algorithm of a policy.
In the entire set of rules in the policy, if any rule evaluates to "Deny", then the result of the rule combination SHALL be "Deny". If any rule evaluates to "Permit" and all other rules evaluate to "NotApplicable", then the result of the rule combination SHALL be "Permit". In other words, "Deny" takes precedence, regardless of the result of evaluating any of the other rules in the combination. If all rules are found to be "NotApplicable" to the decision request, then the rule combination SHALL evaluate to "NotApplicable".
If an error occurs while evaluating the target or condition of a rule that contains an effect value of "Deny", then the evaluation SHALL continue to evaluate subsequent rules, looking for a result of "Deny". If no other rule evaluates to "Deny", then the combination SHALL evaluate to "Indeterminate", with the appropriate error status.
If at least one rule evaluates to "Permit", all other rules that do not have evaluation errors evaluate to "Permit" or "NotApplicable", and all rules that do have evaluation errors contain effects of "Permit", then the result of the combination SHALL be "Permit".
The following pseudo-code represents the evaluation strategy of this rule-combining algorithm:
Decision denyOverridesRuleCombiningAlgorithm(Rule rule[])
{
    Boolean atLeastOneError = false;
    Boolean potentialDeny = false;
    Boolean atLeastOnePermit = false;
    for( i = 0; i < lengthOf(rule); i++ )
    {
        Decision decision = evaluate(rule[i]);
        if (decision == Deny)
        {
            return Deny;
        }
        if (decision == Permit)
        {
            atLeastOnePermit = true;
            continue;
        }
        if (decision == NotApplicable)
        {
            continue;
        }
        if (decision == Indeterminate)
        {
            atLeastOneError = true;
            if (effect(rule[i]) == Deny)
            {
                potentialDeny = true;
            }
            continue;
        }
    }
    if (potentialDeny)
    {
        return Indeterminate;
    }
    if (atLeastOnePermit)
    {
        return Permit;
    }
    if (atLeastOneError)
    {
        return Indeterminate;
    }
    return NotApplicable;
}
The following specification defines the "Deny-overrides" policy-combining algorithm of a policy set.
In the entire set of policies in the policy set, if any policy evaluates to "Deny", then the result of the policy combination SHALL be "Deny". In other words, "Deny" takes precedence, regardless of the result of evaluating any of the other policies in the policy set. If all policies are found to be "NotApplicable" to the decision request, then the policy set SHALL evaluate to "NotApplicable".
If an error occurs while evaluating the target of a policy, or a reference to a policy is considered invalid, or the policy evaluation results in "Indeterminate", then the policy set SHALL evaluate to "Deny".
The following pseudo-code represents the evaluation strategy of this policy-combining algorithm:
Decision denyOverridesPolicyCombiningAlgorithm(Policy policy[])
{
    Boolean atLeastOnePermit = false;
    for( i = 0; i < lengthOf(policy); i++ )
    {
        Decision decision = evaluate(policy[i]);
        if (decision == Deny)
        {
            return Deny;
        }
        if (decision == Permit)
        {
            atLeastOnePermit = true;
            continue;
        }
        if (decision == NotApplicable)
        {
            continue;
        }
        if (decision == Indeterminate)
        {
            return Deny;
        }
    }
    if (atLeastOnePermit)
    {
        return Permit;
    }
    return NotApplicable;
}
Obligations of the individual policies shall be combined as described in Section 7.11.
C.2 Ordered-deny-overrides (non-normative)
The following specification defines the "Ordered-deny-overrides" rule-combining algorithm of a policy.
The behavior of this algorithm is identical to that of the "Deny-overrides" rule-combining algorithm with one exception. The order in which the collection of rules is evaluated SHALL match the order as listed in the policy.
The following specification defines the "Ordered-deny-overrides" policy-combining algorithm of a policy set.
The behavior of this algorithm is identical to that of the "Deny-overrides" policy-combining algorithm with one exception. The order in which the collection of policies is evaluated SHALL match the order as listed in the policy set.
C.3 Permit-overrides
The following specification defines the "Permit-overrides" rule-combining algorithm of a policy.
In the entire set of rules in the policy, if any rule evaluates to "Permit", then the result of the rule combination SHALL be "Permit". If any rule evaluates to "Deny" and all other rules evaluate to "NotApplicable", then the policy SHALL evaluate to "Deny". In other words, "Permit" takes precedence, regardless of the result of evaluating any of the other rules in the policy. If all rules are found to be "NotApplicable" to the decision request, then the policy SHALL evaluate to "NotApplicable".
If an error occurs while evaluating the target or condition of a rule that contains an effect of "Permit", then the evaluation SHALL continue, looking for a result of "Permit". If no other rule evaluates to "Permit", then the policy SHALL evaluate to "Indeterminate", with the appropriate error status.
If at least one rule evaluates to "Deny", all other rules that do not have evaluation errors evaluate to "Deny" or "NotApplicable", and all rules that do have evaluation errors contain an effect value of "Deny", then the policy SHALL evaluate to "Deny".
The following pseudo-code represents the evaluation strategy of this rule-combining algorithm:
Decision permitOverridesRuleCombiningAlgorithm(Rule rule[])
{
    Boolean atLeastOneError = false;
    Boolean potentialPermit = false;
    Boolean atLeastOneDeny = false;
    for( i = 0; i < lengthOf(rule); i++ )
    {
        Decision decision = evaluate(rule[i]);
        if (decision == Deny)
        {
            atLeastOneDeny = true;
            continue;
        }
        if (decision == Permit)
        {
            return Permit;
        }
        if (decision == NotApplicable)
        {
            continue;
        }
        if (decision == Indeterminate)
        {
            atLeastOneError = true;
            if (effect(rule[i]) == Permit)
            {
                potentialPermit = true;
            }
            continue;
        }
    }
    if (potentialPermit)
    {
        return Indeterminate;
    }
    if (atLeastOneDeny)
    {
        return Deny;
    }
    if (atLeastOneError)
    {
        return Indeterminate;
    }
    return NotApplicable;
}
The following specification defines the "Permit-overrides" policy-combining algorithm of a policy set.
In the entire set of policies in the policy set, if any policy evaluates to "Permit", then the result of the policy combination SHALL be "Permit". In other words, "Permit" takes precedence, regardless of the result of evaluating any of the other policies in the policy set. If all policies are found to be "NotApplicable" to the decision request, then the policy set SHALL evaluate to "NotApplicable".
If an error occurs while evaluating the target of a policy, a reference to a policy is considered invalid, or the policy evaluation results in "Indeterminate", then the policy set SHALL evaluate to "Indeterminate", with the appropriate error status, provided no other policies evaluate to "Permit" or "Deny".
The following pseudo-code represents the evaluation strategy of this policy-combining algorithm:
Decision permitOverridesPolicyCombiningAlgorithm(Policy policy[])
{
    Boolean atLeastOneError = false;
    Boolean atLeastOneDeny = false;
    for( i = 0; i < lengthOf(policy); i++ )
    {
        Decision decision = evaluate(policy[i]);
        if (decision == Deny)
        {
            atLeastOneDeny = true;
            continue;
        }
        if (decision == Permit)
        {
            return Permit;
        }
        if (decision == NotApplicable)
        {
            continue;
        }
        if (decision == Indeterminate)
        {
            atLeastOneError = true;
            continue;
        }
    }
    if (atLeastOneDeny)
    {
        return Deny;
    }
    if (atLeastOneError)
    {
        return Indeterminate;
    }
    return NotApplicable;
}
Obligations of the individual policies shall be combined as described in Section 7.11.
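The two rule-combining algorithms above (C.1 and C.3) and their policy-combining forms, as an added example that is not code from the specification: a Python transcription of the pseudo-code, parameterised on which effect overrides, so that one function serves deny-overrides (overriding = Decision.DENY) and permit-overrides (overriding = Decision.PERMIT). Rules here are an effect plus a condition over a dictionary context, policies carry no target, and a condition that raises (a missing attribute, for instance) is how a rule comes out "Indeterminate"; the rules, policies and contexts are made up for the example.

```python
"""Deny-overrides and permit-overrides combining (Appendix C.1 and C.3).

Added example, not code from the OASIS specification: the two algorithms'
pseudo-code transcribed into Python and parameterised on which effect
overrides. Rules are (effect, condition) pairs and policies carry no target;
a condition that raises (a missing attribute, say) is how a rule comes out
Indeterminate. The rules and policies at the bottom are made up.
"""
from enum import Enum


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


def _opposite(effect):
    return Decision.PERMIT if effect is Decision.DENY else Decision.DENY


class Rule:
    def __init__(self, effect, condition):
        self.effect = effect          # Decision.PERMIT or Decision.DENY
        self.condition = condition    # callable(ctx) -> bool, may raise

    def evaluate(self, ctx):
        try:
            return self.effect if self.condition(ctx) else Decision.NOT_APPLICABLE
        except Exception:             # error in target/condition: Indeterminate
            return Decision.INDETERMINATE


def overrides_rules(rules, ctx, overriding):
    """Rule-combining: C.1 with overriding=DENY, C.3 with overriding=PERMIT."""
    other = _opposite(overriding)
    at_least_one_error = potential_override = at_least_one_other = False
    for rule in rules:
        decision = rule.evaluate(ctx)
        if decision is overriding:
            return overriding
        if decision is other:
            at_least_one_other = True
        elif decision is Decision.INDETERMINATE:
            at_least_one_error = True
            if rule.effect is overriding:   # this rule might have overridden
                potential_override = True
    # An errored rule that could have produced the overriding effect must not
    # be masked by the other effect: report Indeterminate instead.
    if potential_override:
        return Decision.INDETERMINATE
    if at_least_one_other:
        return other
    if at_least_one_error:
        return Decision.INDETERMINATE
    return Decision.NOT_APPLICABLE


def overrides_policies(policies, ctx, overriding):
    """Policy-combining: C.1 with overriding=DENY, C.3 with overriding=PERMIT.

    Not mirror images on errors: deny-overrides turns any Indeterminate policy
    straight into Deny, permit-overrides only reports Indeterminate when no
    policy gave Permit or Deny.
    """
    other = _opposite(overriding)
    at_least_one_other = at_least_one_error = False
    for policy in policies:
        decision = policy.evaluate(ctx)
        if decision is overriding:
            return overriding
        if decision is other:
            at_least_one_other = True
        elif decision is Decision.INDETERMINATE:
            if overriding is Decision.DENY:
                return Decision.DENY      # fail closed at policy-set level
            at_least_one_error = True
    if at_least_one_other:
        return other
    if at_least_one_error:
        return Decision.INDETERMINATE
    return Decision.NOT_APPLICABLE


class Policy:
    def __init__(self, rules, overriding):
        self.rules, self.overriding = rules, overriding

    def evaluate(self, ctx):
        return overrides_rules(self.rules, ctx, self.overriding)


# Constructed rules and policies; "blocked" is an attribute a request may lack.
PERMIT_STAFF = Rule(Decision.PERMIT, lambda ctx: ctx["role"] == "staff")
DENY_BLOCKED = Rule(Decision.DENY, lambda ctx: ctx["blocked"])
BLOCK_POLICY = Policy([DENY_BLOCKED], Decision.DENY)
STAFF_POLICY = Policy([PERMIT_STAFF], Decision.PERMIT)
```

The asymmetry is the point to keep in mind. At rule level both algorithms refuse to let a "Permit" hide an erroring "Deny" rule (or the reverse) and return "Indeterminate". At policy-set level, deny-overrides converts any "Indeterminate" policy into "Deny", while permit-overrides yields "Indeterminate" only when nothing else produced "Permit" or "Deny". A PEP that treats "Indeterminate" as "Deny" sees the same outcome either way; one that retries or falls back on "Indeterminate" does not.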
C.4 Ordered-permit-overrides (non-normative)
The following specification defines the "Ordered-permit-overrides" rule-combining algorithm of a policy.
The behavior of this algorithm is identical to that of the "Permit-overrides" rule-combining algorithm with one exception. The order in which the collection of rules is evaluated SHALL match the order as listed in the policy.
The following specification defines the "Ordered-permit-overrides" policy-combining algorithm of a policy set.
The behavior of this algorithm is identical to that of the "Permit-overrides" policy-combining algorithm with one exception. The order in which the collection of policies is evaluated SHALL match the order as listed in the policy set.
C.5 First-applicable
The following specification defines the "First-applicable" rule-combining algorithm of a policy.
Each rule SHALL be evaluated in the order in which it is listed in the policy. For a particular rule, if the target matches and the condition evaluates to "True", then the evaluation of the policy SHALL halt and the corresponding effect of the rule SHALL be the result of the evaluation of the policy (i.e. "Permit" or "Deny"). For a particular rule selected in the evaluation, if the target evaluates to "False" or the condition evaluates to "False", then the next rule in the order SHALL be evaluated. If no further rule in the order exists, then the policy SHALL evaluate to "NotApplicable".
If an error occurs while evaluating the target or condition of a rule, then the evaluation SHALL halt, and the policy shall evaluate to "Indeterminate", with the appropriate error status.
The following pseudo-code represents the evaluation strategy of this rule-combining algorithm:
Decision firstApplicableEffectRuleCombiningAlgorithm(Rule rule[])
{
    for( i = 0; i < lengthOf(rule); i++ )
    {
        Decision decision = evaluate(rule[i]);
        if (decision == Deny)
        {
            return Deny;
        }
        if (decision == Permit)
        {
            return Permit;
        }
        if (decision == NotApplicable)
        {
            continue;
        }
        if (decision == Indeterminate)
        {
            return Indeterminate;
        }
    }
    return NotApplicable;
}
The following specification defines the "First-applicable" policy-combining algorithm of a policy set.
Each policy is evaluated in the order that it appears in the policy set. For a particular policy, if the target evaluates to "True" and the policy evaluates to a determinate value of "Permit" or "Deny", then the evaluation SHALL halt and the policy set SHALL evaluate to the effect value of that policy. For a particular policy, if the target evaluates to "False" or the policy evaluates to "NotApplicable", then the next policy in the order SHALL be evaluated. If no further policy exists in the order, then the policy set SHALL evaluate to "NotApplicable".
If an error were to occur when evaluating the target or when evaluating a specific policy, the reference to the policy is considered invalid, or the policy itself evaluates to "Indeterminate", then the evaluation of the policy-combining algorithm shall halt, and the policy set shall evaluate to "Indeterminate", with an appropriate error status.
The following pseudo-code represents the evaluation strategy of this policy-combining algorithm:
Decision firstApplicableEffectPolicyCombiningAlgorithm(Policy policy[])
{
    for( i = 0; i < lengthOf(policy); i++ )
    {
        Decision decision = evaluate(policy[i]);
        if (decision == Deny)
        {
            return Deny;
        }
        if (decision == Permit)
        {
            return Permit;
        }
        if (decision == NotApplicable)
        {
            continue;
        }
        if (decision == Indeterminate)
        {
            return Indeterminate;
        }
    }
    return NotApplicable;
}
Obligations of the individual policies shall be combined as described in Section 7.11.
C.6 Only-one-applicable
The following specification defines the "Only-one-applicable" policy-combining algorithm of a policy set.
In the entire set of policies in the policy set, if no policy is considered applicable by virtue of its target, then the result of the policy-combining algorithm SHALL be "NotApplicable". If more than one policy is considered applicable by virtue of its target, then the result of the policy-combining algorithm SHALL be "Indeterminate".
If only one policy is considered applicable by evaluation of the policy targets, then the result of the policy-combining algorithm SHALL be the result of evaluating the policy.
If an error occurs while evaluating the target of a policy, or a reference to a policy is considered invalid, or the policy evaluation results in "Indeterminate", then the policy set SHALL evaluate to "Indeterminate", with the appropriate error status.
The following pseudo-code represents the evaluation strategy of this policy-combining algorithm:
Decision onlyOneApplicablePolicyPolicyCombiningAlgorithm(Policy policy[])
{
    Boolean atLeastOne = false;
    Policy selectedPolicy = null;
    ApplicableResult appResult;
    for( i = 0; i < lengthOf(policy); i++ )
    {
        appResult = isApplicable(policy[i]);
        if (appResult == Indeterminate)
        {
            return Indeterminate;
        }
        if (appResult == Applicable)
        {
            if (atLeastOne)
            {
                return Indeterminate;
            }
            else
            {
                atLeastOne = true;
                selectedPolicy = policy[i];
            }
        }
        if (appResult == NotApplicable)
        {
            continue;
        }
    }
    if (atLeastOne)
    {
        return evaluate(selectedPolicy);
    }
    else
    {
        return NotApplicable;
    }
}
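First-applicable (C.5) and only-one-applicable (C.6) together, as an added example rather than code from the specification: Python objects for rules and policies in which a policy target is a predicate over the request context, first_applicable works on a list of rules or a list of policies alike, and only_one_applicable checks target uniqueness before evaluating anything. The rules, policies and contexts are constructed for the example.

```python
"""First-applicable and only-one-applicable combining (Appendix C.5 and C.6).

Added example, not code from the OASIS specification. Rules and policies are
small Python objects: a policy's target is a predicate over the request
context, and a rule condition or target that raises stands for an evaluation
error. The rules, policies and request contexts at the bottom are made up.
"""
from enum import Enum


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


class Rule:
    def __init__(self, effect, condition):
        self.effect = effect          # Decision.PERMIT or Decision.DENY
        self.condition = condition    # callable(ctx) -> bool, may raise

    def evaluate(self, ctx):
        try:
            return self.effect if self.condition(ctx) else Decision.NOT_APPLICABLE
        except Exception:
            return Decision.INDETERMINATE


def first_applicable(items, ctx):
    """C.5, for rules or for policies: walk the items in listed order; the first
    Permit or Deny is the result, and an Indeterminate halts evaluation, so
    nothing listed after an erroring item is ever consulted."""
    for item in items:
        decision = item.evaluate(ctx)
        if decision is not Decision.NOT_APPLICABLE:
            return decision
    return Decision.NOT_APPLICABLE


class Policy:
    def __init__(self, target, rules, combine=first_applicable):
        self.target = target          # callable(ctx) -> bool, may raise
        self.rules = rules
        self.combine = combine

    def is_applicable(self, ctx):
        """Target evaluation: True, False, or INDETERMINATE on error."""
        try:
            return bool(self.target(ctx))
        except Exception:
            return Decision.INDETERMINATE

    def evaluate(self, ctx):
        applicable = self.is_applicable(ctx)
        if applicable is Decision.INDETERMINATE:
            return Decision.INDETERMINATE
        if not applicable:
            return Decision.NOT_APPLICABLE
        return self.combine(self.rules, ctx)


def only_one_applicable(policies, ctx):
    """C.6: exactly one policy's target may match. Two matching targets, or an
    error while evaluating any target, give Indeterminate; no policy body is
    evaluated until the uniqueness check has passed."""
    selected = None
    for policy in policies:
        applicable = policy.is_applicable(ctx)
        if applicable is Decision.INDETERMINATE:
            return Decision.INDETERMINATE
        if applicable:
            if selected is not None:
                return Decision.INDETERMINATE
            selected = policy
    if selected is None:
        return Decision.NOT_APPLICABLE
    return selected.evaluate(ctx)


# Constructed rules and policies (not from the specification).
DENY_AFTER_HOURS = Rule(Decision.DENY, lambda ctx: ctx["hour"] >= 18)
PERMIT_STAFF = Rule(Decision.PERMIT, lambda ctx: ctx["role"] == "staff")
FILES_POLICY = Policy(lambda ctx: ctx["resource"].startswith("file://"),
                      [DENY_AFTER_HOURS, PERMIT_STAFF])
HTTP_POLICY = Policy(lambda ctx: ctx["resource"].startswith("http://"),
                     [PERMIT_STAFF])
CATCH_ALL = Policy(lambda ctx: True, [Rule(Decision.DENY, lambda ctx: True)])
```

With first-applicable the listed order is part of the policy: the same two rules give "Permit" or "Indeterminate" depending on which comes first when the hour attribute is missing, because evaluation halts at the first "Indeterminate". With only-one-applicable, a broad catch-all policy alongside a specific one is reported as "Indeterminate" rather than used as a fallback, so a PEP that maps "Indeterminate" to "Deny" gets fail-closed behaviour from a misconfigured policy set.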
Appendix D Acknowledgments
The following individuals contributed to the development of the specification:
Anne Anderson, Bill Parducci, Carlisle Adams, Daniel Engovatov, Don Flinn, Ernesto Damiani, Gerald Brose, Hal Lockhart, James MacLean, John Merrells, Ken Yagen, Konstantin Beznosov, Michiharu Kudo, Pierangela Samarati, Pirasenna Velandai Thiyagarajan, Polar Humenn, Satoshi Hada, Sekhar Vajjhala, Seth Proctor, Simon Godik, Steve Anderson, Steve Crocker, Suresh Damodaran, Tim Moses
Appendix E Revision history
Rev | Date | By whom | What
OS V1.0 | 18 Feb 2003 | XACML Technical Committee | OASIS Standard
Appendix F Notices
OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification, can be obtained from the OASIS Executive Director.
OASIS has been notified of intellectual property rights claimed in regard to some or all of the contents of this specification. For more information, consult the online list of claimed rights.
OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director.
Copyright (C) OASIS Open 2003. All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
9.1 Threat model ... 79
9.1.1 Unauthorized disclosure ... 80
9.1.2 Message replay ... 80
9.1.3 Message insertion ... 80
9.1.4 Message deletion ... 80
9.1.5 Message modification ... 80
9.1.6 NotApplicable results ... 81
9.1.7 Negative rules ... 81
9.2 Safeguards ... 82
9.2.1 Authentication ... 82
9.2.2 Policy administration ... 82
9.2.3 Confidentiality ... 82
9.2.4 Policy integrity ... 83
9.2.5 Policy identifiers ... 83
9.2.6 Trust model ... 84
9.2.7 Privacy ... 84
10 Conformance (normative) ... 84
10.1 Introduction ... 84
10.2 Conformance tables ... 84
10.2.1 Schema elements ... 85
10.2.2 Identifier Prefixes ... 86
10.2.3 Algorithms ... 86
10.2.4 Status Codes ... 86
10.2.5 Attributes ... 87
10.2.6 Identifiers ... 87
10.2.7 Data-types ... 87
10.2.8 Functions ... 88
11 References ... 92
Appendix A Standard data-types, functions and their semantics (normative) ... 94
A.1 Introduction ... 94
A.2 Primitive types ... 94
A.3 Structured types ... 95
A.4 Representations ... 95
A.5 Bags ... 96
A.6 Expressions ... 96
A.7 Element <AttributeValue> ... 97
A.8 Elements <AttributeDesignator> and <AttributeSelector> ... 97
A.9 Element <Apply> ... 97
A.10 Element <Condition> ... 97
A.11 Element <Function> ... 98
A.12 Matching elements ... 98
A.13 Arithmetic evaluation ... 99
A.14 XACML standard functions ... 100
A.14.1 Equality predicates ... 100
A.14.2 Arithmetic functions ... 102
A.14.3 String conversion functions ... 103
A.14.4 Numeric data-type conversion functions ... 103
A.14.5 Logical functions ... 103
A.14.6 Arithmetic comparison functions ... 104
A.14.7 Date and time arithmetic functions ... 105
A.14.8 Non-numeric comparison functions ... 106
A.14.9 Bag functions ... 108
A.14.10 Set functions ... 109
A.14.11 Higher-order bag functions ... 110
A.14.12 Special match functions ... 117
A.14.13 XPath-based functions ... 118
A.14.14 Extension functions and primitive types ... 118
Appendix B XACML identifiers (normative) ... 119
B.1 XACML namespaces ... 119
B.2 Access subject categories ... 119
B.3 XACML functions ... 119
B.4 Data-types ... 119
B.5 Subject attributes ... 120
B.6 Resource attributes ... 121
B.7 Action attributes ... 121
B.8 Environment attributes ... 122
B.9 Status codes ... 122
B.10 Combining algorithms ... 122
Appendix C Combining algorithms (normative) ... 124
C.1 Deny-overrides ... 124
C.2 Ordered-deny-overrides (non-normative) ... 126
C.3 Permit-overrides ... 126
C.4 Ordered-permit-overrides (non-normative) ... 128
C.5 First-applicable ... 128
C.6 Only-one-applicable ... 130
Appendix D Acknowledgments ... 132
Appendix E Revision history ... 133
Appendix F Notices ... 134
Errata
Errata can be found at the following location:
http://www.oasis-open.org/committees/xacml/repository/errata-001.pdf
1 Introduction (non-normative)
1.1 Glossary
1.1.1 Preferred terms
Access - Performing an action.
Access control - Controlling access in accordance with a policy.
Action - An operation on a resource.
Applicable policy - The set of policies and policy sets that governs access for a specific decision request.
Attribute - Characteristic of a subject, resource, action or environment that may be referenced in a predicate or target.
Authorization decision - The result of evaluating applicable policy, returned by the PDP to the PEP. A function that evaluates to "Permit", "Deny", "Indeterminate" or "NotApplicable", and (optionally) a set of obligations.
Bag - An unordered collection of values, in which there may be duplicate values.
Condition - An expression of predicates. A function that evaluates to "True", "False" or "Indeterminate".
Conjunctive sequence - A sequence of boolean elements combined using the logical 'AND' operation.
Context - The canonical representation of a decision request and an authorization decision.
Context handler - The system entity that converts decision requests in the native request format to the XACML canonical form, and converts authorization decisions in the XACML canonical form to the native response format.
Decision - The result of evaluating a rule, policy or policy set.
Decision request - The request by a PEP to a PDP to render an authorization decision.
Disjunctive sequence - A sequence of boolean elements combined using the logical 'OR' operation.
Effect - The intended consequence of a satisfied rule (either "Permit" or "Deny").
Environment - The set of attributes that are relevant to an authorization decision and are independent of a particular subject, resource or action.
Obligation - An operation specified in a policy or policy set that should be performed in conjunction with the enforcement of an authorization decision.
Policy - A set of rules, an identifier for the rule-combining algorithm and (optionally) a set of obligations. May be a component of a policy set.
Policy administration point (PAP) - The system entity that creates a policy or policy set.
Policy-combining algorithm - The procedure for combining the decision and obligations from multiple policies.
Policy decision point (PDP) - The system entity that evaluates applicable policy and renders an authorization decision.
Policy enforcement point (PEP) - The system entity that performs access control, by making decision requests and enforcing authorization decisions.
Policy information point (PIP) - The system entity that acts as a source of attribute values.
Policy set - A set of policies, other policy sets, a policy-combining algorithm and (optionally) a set of obligations. May be a component of another policy set.
Predicate - A statement about attributes whose truth can be evaluated.
Resource - Data, service or system component.
Rule - A target, an effect and a condition. A component of a policy.
Rule-combining algorithm - The procedure for combining decisions from multiple rules.
Subject - An actor whose attributes may be referenced by a predicate.
Target - The set of decision requests, identified by definitions for resource, subject and action, that a rule, policy or policy set is intended to evaluate.
Type Unification - The method by which two type expressions are "unified". The type expressions are matched along their structure. Where a type variable appears in one expression, it is then "unified" to represent the corresponding structure element of the other expression, be it another variable or subexpression. All variable assignments must remain consistent in both structures. Unification fails if the two expressions cannot be aligned, either by having dissimilar structure, or by having instance conflicts, such as a variable needs to represent both "xs:string" and "xs:integer". For a full explanation of type unification, please see [Hancock].
1.1.2 Related terms
In the field of access control and authorization there are several closely related terms in common use. For purposes of precision and clarity, certain of these terms are not used in this specification.
For instance, the term "attribute" is used in place of the terms "group" and "role".
In place of the terms "privilege", "permission", "authorization", "entitlement" and "right", we use the term "rule".
The term "object" is also in common use, but we use the term "resource" in this specification.
"Requestors" and "initiators" are covered by the term "subject".
1.2 Notation
This specification contains schema conforming to W3C XML Schema and normative text to describe the syntax and semantics of XML-encoded policy statements.
The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY and OPTIONAL in this specification are to be interpreted as described in IETF RFC 2119 [RFC2119]: "they MUST only be used where it is actually required for interoperation or to limit behavior which has potential for causing harm (e.g., limiting retransmissions)". These keywords are thus capitalized when used to unambiguously specify requirements over protocol and application features and behavior that affect the interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense.
Listings of XACML schemas appear like this.
Example code listings appear like this.
Conventional XML namespace prefixes are used throughout the listings in this specification to stand for their respective namespaces as follows, whether or not a namespace declaration is present in the example:
The prefix xacml: stands for the XACML policy namespace.
The prefix xacml-context: stands for the XACML context namespace.
The prefix ds: stands for the W3C XML Signature namespace [DS].
The prefix xs: stands for the W3C XML Schema namespace [XS].
The prefix xf: stands for the XQuery 1.0 and XPath 2.0 Function and Operators specification namespace [XF].
This specification uses the following typographical conventions in text: <XACMLElement>, <ns:ForeignElement>, Attribute, Datatype, OtherCode. Terms in italic bold-face are intended to have the meaning defined in the Glossary.
1.3 Schema organization and namespaces
The XACML policy syntax is defined in a schema associated with the following XML namespace:
urn:oasis:names:tc:xacml:1.0:policy
The XACML context syntax is defined in a schema associated with the following XML namespace:
urn:oasis:names:tc:xacml:1.0:context
The XML Signature [DS] is imported into the XACML schema and is associated with the following XML namespace:
http://www.w3.org/2000/09/xmldsig#
2 Background (non-normative)
The economics of scale have driven computing platform vendors to develop products with very generalized functionality, so that they can be used in the widest possible range of situations. Out of the box, these products have the maximum possible privilege for accessing data and executing software, so that they can be used in as many application environments as possible, including those with the most permissive security policies. In the more common case of a relatively restrictive security policy, the platform's inherent privileges must be constrained by configuration.
The security policy of a large enterprise has many elements and many points of enforcement. Elements of policy may be managed by the Information Systems department, by Human Resources, by the Legal department and by the Finance department. And the policy may be enforced by the extranet, mail, WAN and remote-access systems; platforms which inherently implement a permissive security policy. The current practice is to manage the configuration of each point of enforcement independently, in order to implement the security policy as accurately as possible. Consequently, it is an expensive and unreliable proposition to modify the security policy. And it is virtually impossible to obtain a consolidated view of the safeguards in effect throughout the enterprise to enforce the policy. At the same time, there is increasing pressure on corporate and government executives from consumers, shareholders and regulators to demonstrate best practice in the protection of the information assets of the enterprise and its customers.
For these reasons, there is a pressing need for a common language for expressing security policy. If implemented throughout an enterprise, a common policy language allows the enterprise to manage the enforcement of all the elements of its security policy in all the components of its information systems. Managing security policy may include some or all of the following steps: writing, reviewing, testing, approving, issuing, combining, analyzing, modifying, withdrawing, retrieving and enforcing policy.
XML is a natural choice as the basis for the common security-policy language, due to the ease with which its syntax and semantics can be extended to accommodate the unique requirements of this application, and the widespread support that it enjoys from all the main platform and tool vendors.
2.1 Requirements
The basic requirements of a policy language for expressing information system security policy are:
To provide a method for combining individual rules and policies into a single policy set that applies to a particular decision request.
To provide a method for flexible definition of the procedure by which rules and policies are combined.
To provide a method for dealing with multiple subjects acting in different capacities.
To provide a method for basing an authorization decision on attributes of the subject and resource.
To provide a method for dealing with multi-valued attributes.
To provide a method for basing an authorization decision on the contents of an information resource.
To provide a set of logical and mathematical operators on attributes of the subject, resource and environment.
To provide a method for handling a distributed set of policy components, while abstracting the method for locating, retrieving and authenticating the policy components.
To provide a method for rapidly identifying the policy that applies to a given action, based upon the values of attributes of the subjects, resource and action.
To provide an abstraction-layer that insulates the policy-writer from the details of the application environment.
To provide a method for specifying a set of actions that must be performed in conjunction with policy enforcement.
The motivation behind XACML is to express these well-established ideas in the field of access-control policy using an extension language of XML. The XACML solutions for each of these requirements are discussed in the following sections.
2.2 Rule and policy combining
The complete policy applicable to a particular decision request may be composed of a number of individual rules or policies. For instance, in a personal privacy application, the owner of the personal information may define certain aspects of disclosure policy, whereas the enterprise that is the custodian of the information may define certain other aspects. In order to render an authorization decision, it must be possible to combine the two separate policies to form the single policy applicable to the request.
XACML defines three top-level policy elements: <Rule>, <Policy> and <PolicySet>. The <Rule> element contains a boolean expression that can be evaluated in isolation, but that is not intended to be accessed in isolation by a PDP. So, it is not intended to form the basis of an authorization decision by itself. It is intended to exist in isolation only within an XACML PAP, where it may form the basic unit of management, and be re-used in multiple policies.
The <Policy> element contains a set of <Rule> elements and a specified procedure for combining the results of their evaluation. It is the basic unit of policy used by the PDP, and so it is intended to form the basis of an authorization decision.
The <PolicySet> element contains a set of <Policy> or other <PolicySet> elements and a specified procedure for combining the results of their evaluation. It is the standard means for combining separate policies into a single combined policy.
Hinton et al. [Hinton94] discuss the question of the compatibility of separate policies applicable to the same decision request.
2.3 Combining algorithms
XACML defines a number of combining algorithms that can be identified by a RuleCombiningAlgId or PolicyCombiningAlgId attribute of the <Policy> or <PolicySet> elements, respectively. The rule-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluation of a set of rules. Similarly, the policy-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluation of a set of policies. Standard combining algorithms are defined for:
Deny-overrides (Ordered and Unordered),
Permit-overrides (Ordered and Unordered),
First applicable, and
Only-one-applicable.
In the first case, if a single <Rule> or <Policy> element is encountered that evaluates to "Deny", then, regardless of the evaluation result of the other <Rule> or <Policy> elements in the applicable policy, the combined result is "Deny". Likewise, in the second case, if a single "Permit" result is encountered, then the combined result is "Permit". In the case of the "First-applicable" combining algorithm, the combined result is the same as the result of evaluating the first <Rule>, <Policy> or <PolicySet> element in the list of rules whose target is applicable to the decision request. The "Only-one-applicable" policy-combining algorithm only applies to policies. The result of this combining algorithm ensures that one and only one policy or policy set is applicable by virtue of their targets. If no policy or policy set applies, then the result is "NotApplicable", but if more than one policy or policy set is applicable, then the result is "Indeterminate". When exactly one policy or policy set is applicable, the result of the combining algorithm is the result of evaluating the single applicable policy or policy set.
Users of this specification may, if necessary, define their own combining algorithms.
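The four standard combining algorithms as just described, in an added example that is not code from the specification; each component carries whether its <Target> matches the request and the decision it yields, the sample policies are constructed after the privacy scenario of Section 2.2, and the propagation of "Indeterminate" results is a simplification of the normative definitions in Appendix C:

```python
"""Added example, not code from the XACML specification: a minimal model
of the four standard combining algorithms described in Section 2.3.
A component (rule, policy or policy set) records whether its <Target>
matches the decision request and the decision it yields when evaluated.
How "Indeterminate" results propagate is simplified here; Appendix C
holds the normative definitions."""
from dataclasses import dataclass

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"


@dataclass(frozen=True)
class Component:
    name: str
    target_matches: bool   # does the component's <Target> cover the request?
    decision: str          # result of evaluating it when the target matches

    def evaluate(self):
        # A component whose target does not match is NotApplicable.
        return self.decision if self.target_matches else NOT_APPLICABLE


def deny_overrides(components):
    """A single Deny wins regardless of the other results."""
    results = [c.evaluate() for c in components]
    if DENY in results:
        return DENY
    if INDETERMINATE in results:   # simplification: a Deny cannot be ruled out
        return INDETERMINATE
    return PERMIT if PERMIT in results else NOT_APPLICABLE


def permit_overrides(components):
    """A single Permit wins regardless of the other results."""
    results = [c.evaluate() for c in components]
    if PERMIT in results:
        return PERMIT
    if INDETERMINATE in results:   # same simplification as above
        return INDETERMINATE
    return DENY if DENY in results else NOT_APPLICABLE


def first_applicable(components):
    """Result of the first component, in list order, whose target matches."""
    for c in components:
        if c.target_matches:
            return c.evaluate()
    return NOT_APPLICABLE


def only_one_applicable(components):
    """Policy-combining only: none applicable -> NotApplicable, more than
    one applicable -> Indeterminate, exactly one -> its own result."""
    applicable = [c for c in components if c.target_matches]
    if not applicable:
        return NOT_APPLICABLE
    if len(applicable) > 1:
        return INDETERMINATE
    return applicable[0].evaluate()


# Constructed sample after the privacy scenario of Section 2.2: the owner's
# policy permits, the custodian's policy denies, and an unrelated policy's
# target does not match the request at all.
OWNER = Component("owner-policy", True, PERMIT)
CUSTODIAN = Component("custodian-policy", True, DENY)
UNRELATED = Component("payroll-policy", False, PERMIT)


def demo():
    """Combine the three sample policies under each algorithm."""
    policies = [OWNER, CUSTODIAN, UNRELATED]
    return {
        "deny-overrides": deny_overrides(policies),
        "permit-overrides": permit_overrides(policies),
        "first-applicable": first_applicable(policies),
        "only-one-applicable": only_one_applicable(policies),
        "only-one-applicable (one match)": only_one_applicable([UNRELATED, CUSTODIAN]),
    }


if __name__ == "__main__":
    for algorithm, decision in demo().items():
        print(f"{algorithm:32} -> {decision}")
```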
2.4 Multiple subjects
Access-control policies often place requirements on the actions of more than one subject. For instance, the policy governing the execution of a high-value financial transaction may require the approval of more than one individual, acting in different capacities. Therefore, XACML recognizes that there may be more than one subject relevant to a decision request. An attribute called "subject-category" is used to differentiate between subjects acting in different capacities. Some standard values for this attribute are specified, and users may define additional ones.
2.5 Policies based on subject and resource attributes
Another common requirement is to base an authorization decision on some characteristic of the subject other than its identity. Perhaps the most common application of this idea is the subject's role [RBAC]. XACML provides facilities to support this approach. Attributes of subjects may be identified by the <SubjectAttributeDesignator> element. This element contains a URN that identifies the attribute. Alternatively, the <AttributeSelector> element may contain an XPath expression over the request context to identify a particular subject attribute value by its location in the context (see Section 2.11 for an explanation of context). XACML provides a standard way to reference the attributes defined in the LDAP series of specifications [LDAP-1, LDAP-2]. This is intended to encourage implementers to use standard attribute identifiers for some common subject attributes.
Another common requirement is to base an authorization decision on some characteristic of the resource other than its identity. XACML provides facilities to support this approach. Attributes of the resource may be identified by the <ResourceAttributeDesignator> element. This element contains a URN that identifies the attribute. Alternatively, the <AttributeSelector> element may contain an XPath expression over the request context to identify a particular resource attribute value by its location in the context.
2.6 Multi-valued attributes
The most common techniques for communicating attributes (LDAP, XPath, SAML, etc.) support multiple values per attribute. Therefore, when an XACML PDP retrieves the value of a named attribute, the result may contain multiple values. A collection of such values is called a bag. A bag differs from a set in that it may contain duplicate values, whereas a set may not. Sometimes this situation represents an error. Sometimes the XACML rule is satisfied if any one of the attribute values meets the criteria expressed in the rule.
XACML provides a set of functions that allow a policy writer to be absolutely clear about how the PDP should handle the case of multiple attribute values. These are the "higher-order" functions.
2.7 Policies based on resource contents
In many applications, it is required to base an authorization decision on data contained in the information resource to which access is requested. For instance, a common component of privacy policy is that a person should be allowed to read records for which he or she is the subject. The corresponding policy must contain a reference to the subject identified in the information resource itself.
XACML provides facilities for doing this when the information resource can be represented as an XML document. The <AttributeSelector> element may contain an XPath expression over the request context to identify data in the information resource to be used in the policy evaluation.
In cases where the information resource is not an XML document, specified attributes of the resource can be referenced, as described in Section 2.4.
2.8 Operators
Information security policies operate upon attributes of subjects, the resource and the action to be performed on the resource in order to arrive at an authorization decision. In the process of arriving at the authorization decision, attributes of many different types may have to be compared or computed. For instance, in a financial application, a person's available credit may have to be calculated by adding their credit limit to their account balance. The result may then have to be compared with the transaction value. This sort of situation gives rise to the need for arithmetic operations on attributes of the subject (account balance and credit limit) and the resource (transaction value).
Even more commonly, a policy may identify the set of roles that are permitted to perform a particular action. The corresponding operation involves checking whether there is a non-empty intersection between the set of roles occupied by the subject and the set of roles identified in the policy. Hence the need for set operations.
XACML includes a number of built-in functions and a method of adding non-standard functions. These functions may be nested to build arbitrarily complex expressions. This is achieved with the <Apply> element. The <Apply> element has an XML attribute called FunctionId that identifies the function to be applied to the contents of the element. Each standard function is defined for specific argument data-type combinations, and its return data-type is also specified. Therefore, data-type consistency of the policy can be checked at the time the policy is written or parsed. And the types of the data values presented in the request context can be checked against the values expected by the policy to ensure a predictable outcome.
In addition to operators on numerical and set arguments, operators are defined for date, time and duration arguments.
Relationship operators (equality and comparison) are also defined for a number of data-types, including the RFC822 and X.500 name-forms, strings, URIs, etc.
Also noteworthy are the operators over boolean data-types, which permit the logical combination of predicates in a rule. For example, a rule may contain the statement that access may be permitted during business hours AND from a terminal on business premises.
The XACML method of representing functions borrows from MathML [MathML] and from the XQuery 1.0 and XPath 2.0 Functions and Operators specification [XF].
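The parse-time data-type check that Section 2.8 says the fixed function signatures make possible, as an added example that is not code from the specification: the function identifiers and data-type URIs are the XACML 1.0 ones, while the attribute identifiers (urn:example:...) and the condition fragment for the available-credit calculation are constructed, and the bag-to-scalar step that real attribute designators require is left out.

```python
"""Added example, not code from the XACML specification: static data-type
checking of a nested <Apply> expression, which Section 2.8 says is possible
because every standard function fixes its argument and return data-types.
Function identifiers and data-type URIs are the XACML 1.0 ones; the
attribute identifiers and the condition fragments are constructed for this
demo, and the bag-to-scalar step real designators need is omitted."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:1.0:policy"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
XS = "http://www.w3.org/2001/XMLSchema#"
INTEGER, BOOLEAN, STRING = XS + "integer", XS + "boolean", XS + "string"

# (parameter types, variadic?, return type) for a few standard functions.
SIGNATURES = {
    FN + "integer-add": ([INTEGER], True, INTEGER),
    FN + "integer-greater-than": ([INTEGER, INTEGER], False, BOOLEAN),
    FN + "string-equal": ([STRING, STRING], False, BOOLEAN),
    FN + "and": ([BOOLEAN], True, BOOLEAN),
}


def tag(local):
    return "{%s}%s" % (XACML, local)


def type_of(expr):
    """Return the data-type an expression evaluates to, or raise TypeError.
    Leaf expressions (values and designators) carry a DataType attribute;
    <Apply> and <Condition> are checked against the signature of their
    FunctionId, recursing into their arguments."""
    if expr.tag not in (tag("Apply"), tag("Condition")):
        if "DataType" not in expr.attrib:
            raise TypeError("%s carries no DataType" % expr.tag)
        return expr.attrib["DataType"]
    function_id = expr.attrib.get("FunctionId", "")
    if function_id not in SIGNATURES:
        raise TypeError("unknown function %r" % function_id)
    params, variadic, result = SIGNATURES[function_id]
    actual = [type_of(child) for child in expr]
    expected = [params[0]] * len(actual) if variadic else params
    if actual != expected:
        raise TypeError("%s expects %s, got %s" % (function_id, expected, actual))
    return result


def condition_type(policy_xml):
    """Parse a policy fragment and return the data-type of its <Condition>."""
    root = ET.fromstring(policy_xml)
    condition = root if root.tag == tag("Condition") else root.find(".//" + tag("Condition"))
    if condition is None:
        raise TypeError("no <Condition> found")
    return type_of(condition)


def is_well_typed(policy_xml):
    """True when the condition type-checks and yields a boolean."""
    try:
        return condition_type(policy_xml) == BOOLEAN
    except TypeError:
        return False


def credit_condition(transaction_value_expr):
    """Constructed condition for the credit example of Section 2.8:
    credit-limit + account-balance > transaction-value."""
    return """<Condition xmlns="urn:oasis:names:tc:xacml:1.0:policy"
    FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-add">
    <SubjectAttributeDesignator AttributeId="urn:example:credit-limit"
        DataType="http://www.w3.org/2001/XMLSchema#integer"/>
    <SubjectAttributeDesignator AttributeId="urn:example:account-balance"
        DataType="http://www.w3.org/2001/XMLSchema#integer"/>
  </Apply>
  %s
</Condition>""" % transaction_value_expr


CREDIT_CONDITION = credit_condition(
    '<ResourceAttributeDesignator AttributeId="urn:example:transaction-value" '
    'DataType="http://www.w3.org/2001/XMLSchema#integer"/>')

# Same shape, but a string literal where an integer is required: rejected
# when the policy is parsed, before any request is evaluated.
MISTYPED_CONDITION = credit_condition(
    '<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">'
    '1000</AttributeValue>')

if __name__ == "__main__":
    print("credit condition type:", condition_type(CREDIT_CONDITION))
    print("mistyped condition well-typed?", is_well_typed(MISTYPED_CONDITION))
```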
2.9 Policy distribution
In a distributed system, individual policy statements may be written by several policy writers and enforced at several enforcement points. In addition to facilitating the collection and combination of independent policy components, this approach allows policies to be updated as required. XACML policy statements may be distributed in any one of a number of ways. But, XACML does not describe any normative way to do this. Regardless of the means of distribution, PDPs are expected to confirm, by examining the policy's <Target> element, that the policy is applicable to the decision request that it is processing.
<Policy> elements may be attached to the information resources to which they apply, as described by Perritt [Perritt93]. Alternatively, <Policy> elements may be maintained in one or more locations from which they are retrieved for evaluation. In such cases, the applicable policy may be referenced by an identifier or locator closely associated with the information resource.
2.10 Policy indexing
For efficiency of evaluation and ease of management, the overall security policy in force across an enterprise may be expressed as multiple independent policy components. In this case, it is necessary to identify and retrieve the applicable policy statement and verify that it is the correct one for the requested action before evaluating it. This is the purpose of the <Target> element in XACML.
Two approaches are supported:
1. Policy statements may be stored in a database whose data-model is congruent with that of the <Target> element. The PDP should use the contents of the decision request that it is processing to form the database read command by which applicable policy statements are retrieved. Nevertheless, the PDP should still evaluate the <Target> element of the retrieved policy or policy set statements, as defined by the XACML specification.
2. Alternatively, the PDP may evaluate the <Target> element from each of the policies or policy sets that it has available to it, in the context of a particular decision request, in order to identify the policies and policy sets that are applicable to that request.
The use of constraints limiting the applicability of a policy was described by Sloman [Sloman94].
2.11 Abstraction layer
PEPs come in many forms. For instance, a PEP may be part of a remote-access gateway, part of a Web server or part of an email user-agent, etc. It is unrealistic to expect that all PEPs in an enterprise do currently, or will in the future, issue decision requests to a PDP in a common format. Nevertheless, a particular policy may have to be enforced by multiple PEPs. It would be inefficient to force a policy writer to write the same policy several different ways in order to accommodate the format requirements of each PEP. Similarly, attributes may be contained in various envelope types (e.g. X.509 attribute certificates, SAML attribute assertions, etc.). Therefore, there is a need for a canonical form of the request and response handled by an XACML PDP. This canonical form is called the XACML Context. Its syntax is defined in XML schema.
Naturally, XACML-conformant PEPs may issue requests and receive responses in the form of an XACML context. But, where this situation does not exist, an intermediate step is required to convert between the request/response format understood by the PEP and the XACML context format understood by the PDP.
The benefit of this approach is that policies may be written and analyzed independent of the specific environment in which they are to be enforced.
In the case where the native request/response format is specified in XML Schema (e.g. a SAML-conformant PEP), the transformation between the native format and the XACML context may be specified in the form of an Extensible Stylesheet Language Transformation [XSLT].
Similarly, in the case where the resource to which access is requested is an XML document, the resource itself may be included in, or referenced by, the request context. Then, through the use of XPath expressions [XPath] in the policy, values in the resource may be included in the policy evaluation.
2.12 Actions performed in conjunction with enforcement
In many applications, policies specify actions that MUST be performed, either instead of, or in addition to, actions that MAY be performed. This idea was described by Sloman [Sloman94]. XACML provides facilities to specify actions that MUST be performed in conjunction with policy evaluation in the <Obligations> element. This idea was described as a provisional action by Kudo [Kudo00]. There are no standard definitions for these actions in version 1.0 of XACML. Therefore, bilateral agreement between a PAP and the PEP that will enforce its policies is required for correct interpretation. PEPs that conform with v1.0 of XACML are required to deny access unless they understand all the <Obligations> elements associated with the applicable policy. <Obligations> elements are returned to the PEP for enforcement.
3 Models (non-normative)
The data-flow model and language model of XACML are described in the following sub-sections.
3.1 Data-flow model
The major actors in the XACML domain are shown in the data-flow diagram of Figure 1.
Figure 1 - Data-flow diagram
Note: some of the data-flows shown in the diagram may be facilitated by a repository. For instance, the communications between the context handler and the PIP or the communications between the PDP and the PAP may be facilitated by a repository. The XACML specification is not intended to place restrictions on the location of any such repository, or indeed to prescribe a particular communication protocol for any of the data-flows.
The model operates by the following steps:
1. PAPs write policies and policy sets and make them available to the PDP. These policies or policy sets represent the complete policy for a specified target.
2. The access requester sends a request for access to the PEP.
3. The PEP sends the request for access to the context handler in its native request format, optionally including attributes of the subjects, resource and action. The context handler constructs an XACML request context in accordance with steps 4, 5, 6 and 7.
4. Subject, resource and environment attributes may be requested from a PIP.
5. The PIP obtains the requested attributes.
6. The PIP returns the requested attributes to the context handler.
7. Optionally, the context handler includes the resource in the context.
8. The context handler sends a decision request, including the target, to the PDP. The PDP identifies the applicable policy and retrieves the required attributes and (optionally) the resource from the context handler. The PDP evaluates the policy.
9. The PDP returns the response context (including the authorization decision) to the context handler.
10. The context handler translates the response context to the native response format of the PEP. The context handler returns the response to the PEP.
11. The PEP fulfills the obligations.
12. (Not shown) If access is permitted, then the PEP permits access to the resource; otherwise, it denies access.
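The steps above, together with the Section 2.12 requirement that a PEP deny access unless it understands every obligation returned to it, as an added example that is not code from the specification: the PIP directory, the policy evaluated by the PDP, the native request shape and the obligation identifier (urn:example:...) are all constructed for the demo.

```python
"""Added example, not code from the XACML specification: a toy walk-through
of the data-flow model of Section 3.1 together with the rule of Section 2.12
that a PEP denies access unless it understands every obligation returned to
it.  The actors are plain classes; the policy, the attribute directory and
the obligation identifier are constructed for this demo."""
from dataclasses import dataclass

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
LOG_OBLIGATION = "urn:example:obligation:log-access"   # constructed identifier


class PIP:
    """Steps 5 and 6: the source of attribute values."""
    def __init__(self, directory):
        self.directory = directory

    def attributes_of(self, subject_id):
        return dict(self.directory.get(subject_id, {}))


@dataclass
class RequestContext:      # canonical PDP input, built by the context handler
    subject: dict
    resource: dict
    action: dict


@dataclass
class ResponseContext:     # canonical PDP output
    decision: str
    obligations: list


class PDP:
    """Steps 8 and 9: evaluates a constructed policy: a subject with the
    'doctor' role may read a patient record, and every Permit carries an
    obligation to log the access."""
    def evaluate(self, ctx):
        if ctx.resource.get("type") != "patient-record":
            return ResponseContext(NOT_APPLICABLE, [])
        if "doctor" in ctx.subject.get("role", []) and ctx.action["id"] == "read":
            return ResponseContext(PERMIT, [LOG_OBLIGATION])
        return ResponseContext(DENY, [])


class ContextHandler:
    """Steps 3, 4, 8 and 10: converts the PEP's native request into a
    request context, collects attributes from the PIP, calls the PDP and
    translates the response context back into the PEP's native form."""
    def __init__(self, pip, pdp):
        self.pip, self.pdp = pip, pdp

    def handle(self, native):
        subject = {"id": native["user"], **self.pip.attributes_of(native["user"])}
        ctx = RequestContext(subject,
                             {"id": native["path"], "type": native["kind"]},
                             {"id": native["op"]})
        response = self.pdp.evaluate(ctx)
        return {"decision": response.decision,
                "obligations": list(response.obligations)}


class PEP:
    """Steps 2, 11 and 12: enforces the decision and discharges the
    obligations, failing closed on any obligation it does not understand."""
    def __init__(self, handler, understood):
        self.handler, self.understood = handler, set(understood)
        self.fulfilled = []

    def request_access(self, native):
        result = self.handler.handle(native)
        unknown = [o for o in result["obligations"] if o not in self.understood]
        if unknown:   # Section 2.12: deny rather than guess at an obligation
            return DENY, "unknown obligations: " + ", ".join(unknown)
        self.fulfilled.extend(result["obligations"])                 # step 11
        granted = PERMIT if result["decision"] == PERMIT else DENY   # step 12
        return granted, result["decision"]


def demo():
    handler = ContextHandler(PIP({"alice": {"role": ["doctor"]},
                                  "bob": {"role": ["nurse"]}}), PDP())
    aware = PEP(handler, [LOG_OBLIGATION])   # understands the obligation
    legacy = PEP(handler, [])                # does not
    read = {"user": "alice", "path": "/records/42",
            "kind": "patient-record", "op": "read"}
    return {
        "alice via aware PEP": aware.request_access(read),
        "alice via legacy PEP": legacy.request_access(read),
        "bob via aware PEP": aware.request_access({**read, "user": "bob"}),
        "obligations fulfilled": list(aware.fulfilled),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```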
3.2 XACML context
XACML is intended to be suitable for a variety of application environments. The core language is insulated from the application environment by the XACML context, as shown in Figure 2, in which the scope of the XACML specification is indicated by the shaded area. The XACML context is defined in XML schema, describing a canonical representation for the inputs and outputs of the PDP. Attributes referenced by an instance of XACML policy may be in the form of XPath expressions on the context, or attribute designators that identify the attribute by subject, resource, action or environment and its identifier. Implementations must convert between the attribute representations in the application environment (e.g. SAML, J2SE, CORBA, and so on) and the attribute representations in the XACML context. How this is achieved is outside the scope of the XACML specification. In some cases, such as SAML, this conversion may be accomplished in an automated way through the use of an XSLT transformation.
Figure 2 - XACML context (diagram: domain-specific inputs are converted into an xacml Context/Request.xml, which the PDP evaluates against xacml Policy.xml to produce an xacml Context/Response.xml, which is converted into domain-specific outputs)
Note: The PDP may be implemented such that it uses a processed form of the XML files.
See Section 7.9 for a more detailed discussion of the request context.
3.3 Policy language model
The policy language model is shown in Figure 3. The main components of the model are:
Rule,
Policy, and
Policy set.
These are described in the following sub-sections.
Figure 3 - Policy language model (diagram: PolicySet, Policy and Rule, each with a Target composed of Subject, Resource and Action; PolicySet with a PolicyCombiningAlgorithm and Obligations; Policy with a RuleCombiningAlgorithm and Obligations; Rule with an Effect and an optional Condition)
3.3.1 Rule
A rule is the most elementary unit of policy. It may exist in isolation only within one of the major actors of the XACML domain. In order to exchange rules between major actors, they must be encapsulated in a policy. A rule can be evaluated on the basis of its contents. The main components of a rule are:
a target,
an effect, and
a condition.
These are discussed in the following sub-sections.
3.3.1.1 Rule target
The target defines the set of:
resources,
subjects, and
actions
to which the rule is intended to apply. The <Condition> element may further refine the applicability established by the target. If the rule is intended to apply to all entities of a particular data-type, then an empty element named <AnySubject>, <AnyResource> or <AnyAction> is used. An XACML PDP verifies that the subjects, resource and action identified in the request context are all present in the target of the rules that it uses to evaluate the decision request. Target definitions are discrete, in order that applicable rules may be efficiently identified by the PDP.
The <Target> element may be absent from a <Rule>. In this case, the target of the <Rule> is the same as that of the parent <Policy> element.
Certain subject name-forms, resource name-forms and certain types of resource are internally structured. For instance, the X.500 directory name-form and RFC 822 name-form are structured subject name-forms, whereas an account number commonly has no discernible structure. UNIX file-system path-names and URIs are examples of structured resource name-forms. And an XML document is an example of a structured resource.
Generally, the name of a node (other than a leaf node) in a structured name-form is also a legal instance of the name-form. So, for instance, the RFC822 name "medico.com" is a legal RFC822 name identifying the set of mail addresses hosted by the medico.com mail server. And the XPath/XPointer value "ctx:ResourceContent/md:record/md:patient" is a legal XPath/XPointer value identifying a node-set in an XML document.
The question arises: how should a name that identifies a set of subjects or resources be interpreted by the PDP, whether it appears in a policy or a request context? Are they intended to represent just the node explicitly identified by the name, or are they intended to represent the entire sub-tree subordinate to that node?
In the case of subjects, there is no real entity that corresponds to such a node. So, names of this type always refer to the set of subjects subordinate in the name structure to the identified node. Consequently, non-leaf subject names should not be used in equality functions, only in match functions, such as "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match", not "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal" (see Appendix A).
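The bag semantics of Section 2.6 and the match-versus-equal distinction for non-leaf subject names just described, in one added example that is not code from the specification: the any-of and one-and-only behaviour follows the higher-order and "one-and-only" functions of XACML 1.0, the rfc822Name-match rules are an assumption rendered from the page's medico.com example rather than the normative text of Appendix A, and the mail addresses are constructed.

```python
"""Added example, not code from the XACML specification: bags of attribute
values (Section 2.6) and why a non-leaf RFC822 name such as "medico.com"
must be used with rfc822Name-match rather than rfc822Name-equal
(Section 3.3.1.1).  The matching rules in rfc822name_match are an
assumption rendered from the page's example; the normative definition is
in Appendix A.  All sample values are constructed."""
from collections import Counter


class Bag:
    """Values of one attribute as retrieved by the PDP: ordered and, unlike
    a set, allowed to hold duplicates."""
    def __init__(self, values=()):
        self.values = list(values)

    def size(self):
        return len(self.values)

    def one_and_only(self):
        """The case where several values are an error: the policy asked for
        exactly one value, so any other bag size is rejected."""
        if len(self.values) != 1:
            raise ValueError("expected exactly one value, bag holds %d"
                             % len(self.values))
        return self.values[0]


def any_of(predicate, value, bag):
    """Higher-order function: true if predicate(value, v) holds for any v."""
    return any(predicate(value, v) for v in bag.values)


def all_of(predicate, value, bag):
    """Higher-order function: true if predicate(value, v) holds for every v."""
    return all(predicate(value, v) for v in bag.values)


def rfc822name_equal(a, b):
    """Whole-name equality: local part case-sensitive, domain part not."""
    local_a, _, domain_a = a.partition("@")
    local_b, _, domain_b = b.partition("@")
    return local_a == local_b and domain_a.lower() == domain_b.lower()


def rfc822name_match(pattern, name):
    """Assumed matching rules: a pattern containing '@' must equal the whole
    name; a pattern starting with '.' matches any domain ending in it; any
    other pattern matches the domain part exactly (case-insensitive), so
    'medico.com' names every address hosted by that mail server."""
    if "@" in pattern:
        return rfc822name_equal(pattern, name)
    _, _, domain = name.partition("@")
    domain, pattern = domain.lower(), pattern.lower()
    if pattern.startswith("."):
        return domain.endswith(pattern)
    return domain == pattern


# Constructed request-context attribute: a subject's mail addresses, with
# one address repeated as a directory lookup might return it.
MAIL = Bag(["Alice@medico.com", "Alice@medico.com", "alice@partner.example"])


def demo():
    """Evaluate the non-leaf name 'medico.com' against the bag both ways."""
    return {
        "bag size": MAIL.size(),
        "distinct values": len(Counter(MAIL.values)),
        "equal to medico.com": any_of(rfc822name_equal, "medico.com", MAIL),
        "matches medico.com": any_of(rfc822name_match, "medico.com", MAIL),
        "all at medico.com": all_of(rfc822name_match, "medico.com", MAIL),
        "matches .example": any_of(rfc822name_match, ".example", MAIL),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:22} -> {outcome}")
```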
On the other hand, in the case of resource names and resources themselves, three options exist. The name could refer to:
1. the contents of the identified node only;
2. the contents of the identified node and the contents of its immediate child nodes; or
3. the contents of the identified node and all its descendant nodes.
All three options are supported in XACML.
3.3.1.2 Effect
The effect of the rule indicates the rule-writer's intended consequence of a "True" evaluation for the rule. Two values are allowed: "Permit" and "Deny".
3.3.1.3 Condition
Condition represents a boolean expression that refines the applicability of the rule beyond the predicates implied by its target. Therefore, it may be absent.
3.3.2 Policy
From the data-flow model, one can see that rules are not exchanged amongst system entities. Therefore, a PAP combines rules in a policy. A policy comprises four main components:
a target,
a rule-combining algorithm-identifier,
a set of rules, and
obligations.
Rules are described above. The remaining components are described in the following sub-sections.
3.3.2.1 Policy target
An XACML <PolicySet>, <Policy> or <Rule> element contains a <Target> element that specifies the set of subjects, resources and actions to which it applies. The <Target> of a <PolicySet> or <Policy> may be declared by the writer of the <PolicySet> or <Policy>, or it may be calculated from the <Target> elements of the <PolicySet>, <Policy> and <Rule> elements that it contains.
A system entity that calculates a <Target> in this way is not defined by XACML, but there are two logical methods that might be used. In one method, the <Target> element of the outer <PolicySet> or <Policy> (the "outer component") is calculated as the union of all the <Target> elements of the referenced <PolicySet>, <Policy> or <Rule> elements (the "inner components"). In another method, the <Target> element of the outer component is calculated as the intersection of all the <Target> elements of the inner components. The results of evaluation in each case will be very different: in the first case, the <Target> element of the outer component makes it applicable to any decision request that matches the <Target> element of at least one inner component; in the second case, the <Target> element of the outer component makes it applicable only to decision requests that match the <Target> elements of every inner component. Note that computing the intersection of a set of <Target> elements is likely only practical if the target data-model is relatively simple.
In cases where the <Target> of a <Policy> is declared by the policy writer, any component <Rule> elements in the <Policy> that have the same <Target> element as the <Policy> element may omit the <Target> element. Such <Rule> elements inherit the <Target> of the <Policy> in which they are contained.
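The two ways of deriving an outer <Target> from its inner components, as an added example that is not code from the specification: it uses the simple target data-model the text alludes to, a target being a list of (subjects, resources, actions) combinations with "*" standing for <AnySubject/>, <AnyResource/> or <AnyAction/>, so that a union is the concatenation of the combinations and an intersection is their pairwise component-wise intersection; the rule targets and request values are constructed.

```python
"""Added example, not code from the XACML specification: computing an outer
<Target> as the union or the intersection of inner targets, as discussed in
Section 3.3.2.1.  A target is a tuple of boxes, each a subject set, a
resource set and an action set; the frozenset {"*"} stands for
<AnySubject/>, <AnyResource/> or <AnyAction/>.  All names are constructed."""
from dataclasses import dataclass

ANY = frozenset(["*"])


@dataclass(frozen=True)
class Box:
    subjects: frozenset
    resources: frozenset
    actions: frozenset

    @staticmethod
    def _hit(members, value):
        return members == ANY or value in members

    def matches(self, subject, resource, action):
        return (self._hit(self.subjects, subject)
                and self._hit(self.resources, resource)
                and self._hit(self.actions, action))

    @staticmethod
    def _meet(a, b):
        # "*" is the identity for intersection.
        if a == ANY:
            return b
        if b == ANY:
            return a
        return a & b

    def intersect(self, other):
        """Component-wise intersection; None when no request fits both."""
        parts = [self._meet(self.subjects, other.subjects),
                 self._meet(self.resources, other.resources),
                 self._meet(self.actions, other.actions)]
        if any(not p for p in parts):
            return None
        return Box(*parts)


@dataclass(frozen=True)
class Target:
    boxes: tuple   # a request matches the target if it matches any box

    def matches(self, subject, resource, action):
        return any(b.matches(subject, resource, action) for b in self.boxes)


def union(targets):
    """Outer target applicable to requests matching at least one inner one."""
    return Target(tuple(b for t in targets for b in t.boxes))


def intersection(targets):
    """Outer target applicable only to requests matching every inner one."""
    boxes = list(targets[0].boxes)
    for t in targets[1:]:
        boxes = [m for a in boxes for b in t.boxes
                 if (m := a.intersect(b)) is not None]
    return Target(tuple(boxes))


def box(subjects, resources, actions):
    return Box(frozenset(subjects), frozenset(resources), frozenset(actions))


# Constructed inner <Rule> targets of one medical-records <Policy>.
RULE_A = Target((box(["doctor"], ["record"], ["read", "write"]),))
RULE_B = Target((box(["doctor", "nurse"], ["record"], ["read"]),
                 box(["*"], ["bulletin"], ["read"])))


def demo():
    """For each request: (matches the union, matches the intersection)."""
    u, i = union([RULE_A, RULE_B]), intersection([RULE_A, RULE_B])
    requests = [("nurse", "record", "read"), ("doctor", "record", "write"),
                ("doctor", "record", "read"), ("guest", "bulletin", "read")]
    return {r: (u.matches(*r), i.matches(*r)) for r in requests}


if __name__ == "__main__":
    for request, (in_union, in_intersection) in demo().items():
        print(request, "union:", in_union, "intersection:", in_intersection)
```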
3.3.2.2 Rule-combining algorithm
The rule-combining algorithm specifies the procedure by which the results of evaluating the component rules are combined when evaluating the policy, i.e. the Decision value placed in the response context by the PDP is the value of the policy, as defined by the rule-combining algorithm.
See Appendix C for definitions of the normative rule-combining algorithms.
3.3.2.3 Obligations
The XACML <Rule> syntax does not contain an element suitable for carrying obligations; therefore, if required in a policy, obligations must be added by the writer of the policy.
When a PDP evaluates a policy containing obligations, it returns certain of those obligations to the PEP in the response context. Section 7.11 explains which obligations are to be returned.
3.3.3 Policy set
A policy set comprises four main components:
a target,
a policy-combining algorithm-identifier,
a set of policies, and
obligations.
The target and policy components are described above. The other components are described in the following sub-sections.
3.3.3.1 Policy-combining algorithm
The policy-combining algorithm specifies the procedure by which the results of evaluating the component policies are combined when evaluating the policy set, i.e. the Decision value placed in the response context by the PDP is the result of evaluating the policy set, as defined by the policy-combining algorithm.
See Appendix C for definitions of the normative policy-combining algorithms.
3.3.3.2 Obligations
The writer of a policy set may add obligations to the policy set, in addition to those contained in the component policies and policy sets.
When a PDP evaluates a policy set containing obligations, it returns certain of those obligations to the PEP in its response context. Section 7.11 explains which obligations are to be returned.
4 Examples (non-normative)

This section contains two examples of the use of XACML, for illustrative purposes. The first example is a relatively simple one, to illustrate the use of target, context, matching functions and subject attributes. The second example additionally illustrates the use of the rule-combining algorithm, conditions and obligations.

4.1 Example one

4.1.1 Example policy

Assume that a corporation named Medi Corp (medico.com) has an access control policy that states, in English:

Any user with an e-mail name in the "medico.com" namespace is allowed to perform any action on any resource.

An XACML policy consists of header information, an optional text description of the policy, a target, one or more rules and an optional set of obligations.

The header for this policy is:

[p01] <?xml version="1.0" encoding="UTF-8"?>
[p02] <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[p03]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[p04]   xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy
[p05]     http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-policy-01.xsd"
[p06]   PolicyId="identifier:example:SimplePolicy1"
[p07]   RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">

[p01] is a standard XML document tag, indicating which version of XML is being used and what the character encoding is.

[p02] introduces the XACML Policy itself.

[p03-p05] are XML namespace declarations.

[p05] gives a URL to the schema for XACML policies.

[p06] assigns a name to this policy instance. The name of a policy should be unique for a given PDP, so that there is no ambiguity if one policy is referenced from another policy.

[p07] specifies the algorithm that will be used to resolve the results of the various rules that may be in the policy. The deny-overrides rule-combining algorithm specified here says that, if any rule evaluates to "Deny", then that policy must return "Deny". If all rules evaluate to "Permit", then the policy must return "Permit". The rule-combining algorithm, which is fully described in Appendix C, also says what to do if an error were to occur when evaluating any rule, and what to do with rules that do not apply to a particular decision request. (The identifier used here is the abbreviated form that appears in this example; the normative identifier defined in Appendix C is "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides", and a conforming PDP recognizes only that form.)

[p08] <Description>
[p09]   Medi Corp access control policy
[p10] </Description>

[p08-p10] provide a text description of the policy. This description is optional.

[p11] <Target>
[p12]   <Subjects>
[p13]     <AnySubject/>
[p14]   </Subjects>
[p15]   <Resources>
[p16]     <AnyResource/>
[p17]   </Resources>
[p18]   <Actions>
[p19]     <AnyAction/>
[p20]   </Actions>
[p21] </Target>

[p11-p21] describe the decision requests to which this policy applies. If the subject, resource and action in a decision request do not match the values specified in the target, then the remainder of the policy does not need to be evaluated. This target section is very useful for creating an index to a set of policies. In this simple example, the target section says the policy is applicable to any decision request.

[p22] <Rule
[p23]   RuleId="urn:oasis:names:tc:xacml:1.0:example:SimpleRule1"
[p24]   Effect="Permit">

[p22] introduces the one and only rule in this simple policy. Just as for a policy, each rule must have a unique identifier (at least unique for any PDP that will be using the policy).

[p23] specifies the identifier for this rule.

[p24] says what effect this rule has if the rule evaluates to "True". Rules can have an effect of either "Permit" or "Deny". In this case, a rule that is satisfied evaluates to "Permit", meaning that, as far as this one rule is concerned, the requested access should be permitted. If a rule evaluates to "False", then it returns a result of "NotApplicable". If an error occurs when evaluating the rule, the rule returns a result of "Indeterminate". As mentioned above, the rule-combining algorithm for the policy tells how the various rule values are combined into a single policy value.

[p25] <Description>
[p26]   Any subject with an e-mail name in the medico.com domain
[p27]   can perform any action on any resource.
[p28] </Description>

[p25-p28] provide a text description of this rule. This description is optional.

[p29] <Target>

[p29] introduces the target of the rule. As described above for the target of a policy, the target of a rule describes the decision requests to which this rule applies. If the subject, resource and action in a decision request do not match the values specified in the rule target, then the remainder of the rule does not need to be evaluated, and a value of "NotApplicable" is returned to the policy evaluation.

[p30]   <Subjects>
[p31]     <Subject>
[p32]       <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
[p33]         <SubjectAttributeDesignator
[p34]           AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
[p35]           DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
[p36]         <AttributeValue
[p37]           DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">medico.com
[p38]         </AttributeValue>
[p39]       </SubjectMatch>
[p40]     </Subject>
[p41]   </Subjects>
[p42]   <Resources>
[p43]     <AnyResource/>
[p44]   </Resources>
[p45]   <Actions>
[p46]     <AnyAction/>
[p47]   </Actions>
[p48] </Target>
The rule target is similar to the target of the policy itself, but with one important difference: [p32-p41] do not say <AnySubject/>, but instead spell out a specific value that the subject in the decision request must match. The <SubjectMatch> element specifies a matching function in the MatchId attribute, a pointer to a specific subject attribute in the request context by means of the <SubjectAttributeDesignator> element, and a literal value of "medico.com". The matching function will be used to compare the value of the subject attribute with the literal value. Only if the match returns "True" will this rule apply to a particular decision request. If the match returns "False", then this rule will return a value of "NotApplicable".

[p49] </Rule>
[p50] </Policy>

[p49] closes the rule we have been examining. In this rule, all the work is done in the <Target> element. In more complex rules, the <Target> may have been followed by a <Condition> (which could also be a set of conditions to be ANDed or ORed together).

[p50] closes the policy we have been examining. As mentioned above, this policy has only one rule, but more complex policies may have any number of rules.

4.1.2 Example request context

Let's examine a hypothetical decision request that might be submitted to a PDP using the policy above. In English, the access request that generates the decision request may be stated as follows:

Bart Simpson, with e-mail name "bs@simpsons.com", wants to read his medical record at Medi Corp.

In XACML, the information in the decision request is formatted into a request context statement that looks as follows:

[c01] <?xml version="1.0" encoding="UTF-8"?>
[c02] <Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
[c03]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[c04]   xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context
[c05]     http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-context-01.xsd">

[c01-c05] are the header for the request context, and are used the same way as the header for the policy explained above.

[c06]   <Subject>
[c07]     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
[c08]       DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
[c09]       <AttributeValue>bs@simpsons.com</AttributeValue>
[c10]     </Attribute>
[c11]   </Subject>

The <Subject> element contains one or more attributes of the entity making the access request. There can be multiple subjects, and each subject can have multiple attributes. In this case, in [c06-c11], there is only one subject, and the subject has only one attribute: the subject's identity, expressed as an e-mail name, is "bs@simpsons.com".

[c12]   <Resource>
[c13]     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:ufs-path"
[c14]       DataType="http://www.w3.org/2001/XMLSchema#anyURI">
[c15]       <AttributeValue>/medico/record/patient/BartSimpson</AttributeValue>
[c16]     </Attribute>
[c17]   </Resource>

The <Resource> element contains one or more attributes of the resource to which the subject (or subjects) has requested access. There can be only one <Resource> per decision request. Lines [c13-c16] contain the one attribute of the resource to which Bart Simpson has requested access: the resource unix file-system path-name, which is "/medico/record/patient/BartSimpson".

[c18]   <Action>
[c19]     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
[c20]       DataType="http://www.w3.org/2001/XMLSchema#string">
[c21]       <AttributeValue>read</AttributeValue>
[c22]     </Attribute>
[c23]   </Action>
The <Action> element contains one or more attributes of the action that the subject (or subjects) wishes to take on the resource. There can be only one action per decision request. [c18-c23] describe the identity of the action Bart Simpson wishes to take, which is "read".

[c24] </Request>

[c24] closes the request context. A more complex request context may have contained some attributes not associated with the subject, the resource or the action. These would have been placed in an optional <Environment> element following the <Action> element.

The PDP processing this request context locates the policy in its policy repository. It compares the subject, resource and action in the request context with the subjects, resources and actions in the policy target. Since the policy target consists of the <AnySubject/>, <AnyResource/> and <AnyAction/> elements, the policy matches this context.

The PDP now compares the subject, resource and action in the request context with the target of the one rule in this policy. The requested resource matches the <AnyResource/> element and the requested action matches the <AnyAction/> element, but the requesting subject-id attribute does not match "medico.com": the domain of "bs@simpsons.com" is "simpsons.com", so the rfc822Name-match function returns "False" and the rule evaluates to "NotApplicable".

4.1.3 Example response context

As a result, there is no rule in this policy that returns a "Permit" result for this request. The rule-combining algorithm for the policy specifies that, in this case, a result of "NotApplicable" should be returned. The response context looks as follows:

[r01] <?xml version="1.0" encoding="UTF-8"?>
[r02] <Response xmlns="urn:oasis:names:tc:xacml:1.0:context"
[r03]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[r04]   xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-context-01.xsd">

[r01-r04] contain the same sort of header information for the response as was described above for a policy.

[r05]   <Result>
[r06]     <Decision>NotApplicable</Decision>
[r07]   </Result>

The <Result> element in lines [r05-r07] contains the result of evaluating the decision request against the policy. In this case, the result is "NotApplicable". A policy can return "Permit", "Deny", "NotApplicable" or "Indeterminate".

[r08] </Response>

[r08] closes the response context.
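The evaluation just walked through, as an added example that is not part of the specification: a minimal evaluator for SimplePolicy1 that implements rfc822Name-match, rule-target matching and the deny-overrides rule-combining algorithm of Appendix C. Requests are plain dictionaries constructed here rather than XACML request contexts, and the second Deny rule (DENY_SIMPSONS) is hypothetical, added only to show how deny-overrides treats a rule that fails with "Indeterminate".

```python
# Added example, not part of the XACML specification: a minimal evaluator for
# the section 4.1 policy (rfc822Name-match, target matching, deny-overrides).
# Requests are dictionaries constructed here; DENY_SIMPSONS is hypothetical.

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"


def rfc822name_match(pattern, name):
    """urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match(string, rfc822Name).

    A pattern containing '@' must equal the whole name (local part case-sensitive,
    domain case-insensitive); a pattern beginning with '.' matches that domain or
    any subdomain of it; any other pattern must equal the domain exactly.
    A value that is not an rfc822Name is a type error (Indeterminate).
    """
    if "@" not in name:
        raise ValueError("not an rfc822Name: %r" % (name,))
    local, domain = name.rsplit("@", 1)
    domain, pattern_l = domain.lower(), pattern.lower()
    if "@" in pattern:
        plocal, pdomain = pattern.rsplit("@", 1)
        return plocal == local and pdomain.lower() == domain
    if pattern.startswith("."):
        return domain == pattern_l[1:] or domain.endswith(pattern_l)
    return domain == pattern_l


def subject_match(pattern):
    """<SubjectMatch MatchId="...rfc822Name-match"> against the subject-id
    designator: true if the literal matches any value in the attribute's bag.
    An absent attribute is an empty bag, so the match is simply false."""
    def match(request):
        return any(rfc822name_match(pattern, v) for v in request.get(SUBJECT_ID, []))
    return match


def evaluate_rule(rule, request):
    """A rule yields its Effect when every target match (and the condition, if
    any) holds, NotApplicable when one does not, Indeterminate on an error."""
    try:
        if all(m(request) for m in rule["target"]) and rule.get("condition", lambda r: True)(request):
            return rule["effect"]
        return NOT_APPLICABLE
    except ValueError:
        return INDETERMINATE


def deny_overrides(rules, request):
    """Rule-combining algorithm deny-overrides (XACML 1.x, Appendix C)."""
    at_least_one_error = potential_deny = at_least_one_permit = False
    for rule in rules:
        decision = evaluate_rule(rule, request)
        if decision == DENY:
            return DENY
        if decision == PERMIT:
            at_least_one_permit = True
        elif decision == INDETERMINATE:
            at_least_one_error = True
            if rule["effect"] == DENY:      # the error may have hidden a Deny
                potential_deny = True
    if potential_deny:
        return DENY
    if at_least_one_permit:
        return PERMIT
    if at_least_one_error:
        return INDETERMINATE
    return NOT_APPLICABLE


# SimplePolicy1 of 4.1.1: one Permit rule whose only constraint is the subject-id
# match; <AnyResource/> and <AnyAction/> impose no match at all.
SIMPLE_RULE_1 = {"effect": PERMIT, "target": [subject_match("medico.com")]}
SIMPLE_POLICY_1 = [SIMPLE_RULE_1]

# Hypothetical extra rule, not on the page, to exercise the error handling.
DENY_SIMPSONS = {"effect": DENY, "target": [subject_match("simpsons.com")]}


def decide(subject_id, policy=SIMPLE_POLICY_1):
    """Decision for a request whose only subject attribute is the given subject-id."""
    return deny_overrides(policy, {SUBJECT_ID: [subject_id]})


if __name__ == "__main__":
    print(decide("bs@simpsons.com"))                                  # NotApplicable, as in 4.1.3
    print(decide("bart@medico.com"))                                  # Permit
    print(decide("not-an-email", SIMPLE_POLICY_1 + [DENY_SIMPSONS]))  # Deny
```

Two points the walkthrough leaves implicit are visible here. A subject-id that is not a valid rfc822Name makes the rule "Indeterminate" rather than "NotApplicable", and deny-overrides then turns the whole policy into "Indeterminate" for a Permit rule but into "Deny" for a Deny rule, so a malformed attribute can never be used to slip past a Deny. And the order of the rules does not matter for the outcome, only the multiset of rule results does.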
4.2 Example two

This section contains an example XML document, an example request context and example XACML rules. The XML document is a medical record. Four separate rules are defined. These illustrate a rule-combining algorithm, conditions and obligations.
4.2.1 Example medical record instance

The following is an instance of a medical record to which the example XACML rules can be applied. The <record> schema is defined in the registered namespace administered by medico.com.

<?xml version="1.0" encoding="UTF-8"?>
<record xmlns="http://www.medico.com/schemas/record.xsd"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <patient>
    <patientName>
      <first>Bartholomew</first>
      <last>Simpson</last>
    </patientName>
    <patientContact>
      <street>27 Shelbyville Road</street>
      <city>Springfield</city>
      <state>MA</state>
      <zip>12345</zip>
      <phone>555.123.4567</phone>
      <fax/>
      <email/>
    </patientContact>
    <patientDoB>1992-03-21</patientDoB>
    <patientGender>male</patientGender>
    <patient-number>555555</patient-number>
  </patient>
  <parentGuardian>
    <parentGuardianId>HS001</parentGuardianId>
    <parentGuardianName>
      <first>Homer</first>
      <last>Simpson</last>
    </parentGuardianName>
    <parentGuardianContact>
      <street>27 Shelbyville Road</street>
      <city>Springfield</city>
      <state>MA</state>
      <zip>12345</zip>
      <phone>555.123.4567</phone>
      <fax/>
      <email>homers@aol.com</email>
    </parentGuardianContact>
  </parentGuardian>
  <primaryCarePhysician>
    <physicianName>
      <first>Julius</first>
      <last>Hibbert</last>
    </physicianName>
    <physicianContact>
      <street>1 First St</street>
      <city>Springfield</city>
      <state>MA</state>
      <zip>12345</zip>
      <phone>555.123.9012</phone>
      <fax>555.123.9013</fax>
      <email/>
    </physicianContact>
    <registrationID>ABC123</registrationID>
  </primaryCarePhysician>
  <insurer>
    <name>Blue Cross</name>
    <street>1234 Main St</street>
    <city>Springfield</city>
    <state>MA</state>
    <zip>12345</zip>
    <phone>555.123.5678</phone>
    <fax>555.123.5679</fax>
    <email/>
  </insurer>
  <medical>
    <treatment>
      <drug>
        <name>methylphenidate hydrochloride</name>
        <dailyDosage>30mgs</dailyDosage>
        <startDate>1999-01-12</startDate>
      </drug>
      <comment>patient exhibits side-effects of skin coloration and carpal degeneration</comment>
    </treatment>
    <result>
      <test>blood pressure</test>
      <value>120/80</value>
      <date>2001-06-09</date>
      <performedBy>Nurse Betty</performedBy>
    </result>
  </medical>
</record>
4.2.2 Example request context

The following example illustrates a request context to which the example rules may be applicable. It represents a request by the physician Julius Hibbert to read the patient date of birth in the record of Bartholomew Simpson.

[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
[03]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
[04]   <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
[05]     <Attribute AttributeId=
[06]         "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
[07]       DataType=
[08]         "urn:oasis:names:tc:xacml:1.0:data-type:x500Name"
[09]       Issuer="www.medico.com"
[10]       IssueInstant="2001-12-17T09:30:47-05:00">
[11]       <AttributeValue>CN=Julius Hibbert</AttributeValue>
[12]     </Attribute>
[13]     <Attribute AttributeId=
[14]         "urn:oasis:names:tc:xacml:1.0:example:attribute:role"
[15]       DataType="http://www.w3.org/2001/XMLSchema#string"
[16]       Issuer="www.medico.com"
[17]       IssueInstant="2001-12-17T09:30:47-05:00">
[18]       <AttributeValue>physician</AttributeValue>
[19]     </Attribute>
[20]     <Attribute AttributeId=
[21]         "urn:oasis:names:tc:xacml:1.0:example:attribute:physician-id"
[22]       DataType="http://www.w3.org/2001/XMLSchema#string"
[23]       Issuer="www.medico.com"
[24]       IssueInstant="2001-12-17T09:30:47-05:00">
[25]       <AttributeValue>jh1234</AttributeValue>
[26]     </Attribute>
[27]   </Subject>
[28]   <Resource>
[29]     <ResourceContent>
[30]       <md:record
[31]         xmlns:md="http://www.medico.com/schemas/record.xsd">
[32]         <md:patient>
[33]           <md:patientDoB>1992-03-21</md:patientDoB>
[34]         </md:patient>
[35]         <!-- other fields -->
[36]       </md:record>
[37]     </ResourceContent>
[38]     <Attribute AttributeId=
[39]         "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
[40]       DataType="http://www.w3.org/2001/XMLSchema#string">
[41]       <AttributeValue>
[42]         //medico.com/records/bart-simpson.xml#
[43]         xmlns(md=http://www.medico.com/schemas/record.xsd)
[44]         xpointer(/md:record/md:patient/md:patientDoB)
[45]       </AttributeValue>
[46]     </Attribute>
[47]     <Attribute AttributeId=
[48]         "urn:oasis:names:tc:xacml:1.0:resource:xpath"
[49]       DataType="http://www.w3.org/2001/XMLSchema#string">
[50]       <AttributeValue>
[51]         xmlns(md=http://www.medico.com/schemas/record.xsd)
[52]         xpointer(/md:record/md:patient/md:patientDoB)
[53]       </AttributeValue>
[54]     </Attribute>
[55]     <Attribute AttributeId=
[56]         "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
[57]       DataType="http://www.w3.org/2001/XMLSchema#string">
[58]       <AttributeValue>
[59]         http://www.medico.com/schemas/record.xsd
[60]       </AttributeValue>
[61]     </Attribute>
[62]   </Resource>
[63]   <Action>
[64]     <Attribute AttributeId=
[65]         "urn:oasis:names:tc:xacml:1.0:action:action-id"
[66]       DataType="http://www.w3.org/2001/XMLSchema#string">
[67]       <AttributeValue>read</AttributeValue>
[68]     </Attribute>
[69]   </Action>
[70] </Request>
[02]-[03] Standard namespace declarations.

[04]-[27] Subject attributes are placed in the Subject section of the Request. Each attribute consists of the attribute meta-data and the attribute value.

[04] Each Subject element has a SubjectCategory XML attribute. The value of this attribute describes the role that the subject plays in making the decision request. The value "access-subject" denotes the identity for which the request was issued.

[05]-[12] Subject subject-id attribute.

[13]-[19] Subject role attribute.

[20]-[26] Subject physician-id attribute.

[28]-[62] Resource attributes are placed in the Resource section of the Request. Each attribute consists of attribute meta-data and an attribute value.

[29]-[36] Resource content. The XML document that is being requested is placed here.

[38]-[46] Resource identifier.
[47]-[61] The resource identifier in [38]-[46] is an XPointer expression that names the URI of the file that is accessed, the target namespace of the document and the XPath location path to the specific element. The two attributes that follow carry the last two of these separately, so that a rule can match on them without parsing the XPointer expression.

[47]-[54] The XPath location path in the "resource-id" attribute is extracted and placed in the xpath attribute.

[55]-[61] Resource target-namespace attribute.

[63]-[69] Action attributes are placed in the Action section of the Request.

[64]-[68] Action identifier.

4.2.3 Example plain-language rules

The following plain-language rules are to be enforced:

Rule 1: A person, identified by his or her patient number, may read any record for which he or she is the designated patient.

Rule 2: A person may read any record for which he or she is the designated parent or guardian, and for which the patient is under 16 years of age.

Rule 3: A physician may write to any medical element for which he or she is the designated primary care physician, provided an email is sent to the patient.

Rule 4: An administrator shall not be permitted to read or write to medical elements of a patient record.

These rules may be written by different PAPs operating independently, or by a single PAP.

4.2.4 Example XACML rule instances

4.2.4.1 Rule 1

Rule 1 illustrates a simple rule with a single <Condition> element. The following XACML <Rule> instance expresses Rule 1:

[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Rule
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   xmlns:ctx="urn:oasis:names:tc:xacml:1.0:context"
[06]   xmlns:md="http://www.medico.com/schemas/record.xsd"
[07]   RuleId="urn:oasis:names:tc:xacml:examples:ruleid:1"
[08]   Effect="Permit">
[09]   <Description>
[10]     A person may read any medical record in the
[11]     http://www.medico.com/schemas/record.xsd namespace
[12]     for which he or she is a designated patient
[13]   </Description>
[14]   <Target>
[15]     <Subjects>
[16]       <AnySubject/>
[17]     </Subjects>
[18]     <Resources>
[20]       <Resource>
[21]         <!-- match document target namespace -->
[22]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[23]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[24]             http://www.medico.com/schemas/record.xsd
[25]           </AttributeValue>
[26]           <ResourceAttributeDesignator AttributeId=
[27]               "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
                  DataType="http://www.w3.org/2001/XMLSchema#string"/>
[28]         </ResourceMatch>
[29]         <!-- match requested xml element -->
[30]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-node-match">
[31]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/md:record</AttributeValue>
[32]           <ResourceAttributeDesignator AttributeId=
[33]               "urn:oasis:names:tc:xacml:1.0:resource:xpath"
                  DataType="http://www.w3.org/2001/XMLSchema#string"/>
[34]         </ResourceMatch>
[35]       </Resource>
[36]     </Resources>
[37]     <Actions>
[38]       <Action>
[39]         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[40]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
[41]           <ActionAttributeDesignator AttributeId=
[42]               "urn:oasis:names:tc:xacml:1.0:action:action-id"
                  DataType="http://www.w3.org/2001/XMLSchema#string"/>
[43]         </ActionMatch>
[44]       </Action>
[45]     </Actions>
[46]   </Target>
[47]   <!-- compare policy number in the document with
[48]        policy-number attribute -->
[49]   <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[50]     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[51]       <!-- policy-number attribute -->
[52]       <SubjectAttributeDesignator AttributeId=
[53]           "urn:oasis:names:tc:xacml:1.0:examples:attribute:policy-number"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
[54]     </Apply>
[55]     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[56]       <!-- policy number in the document -->
[57]       <AttributeSelector RequestContextPath=
[58]           "//md:record/md:patient/md:patient-number/text()"
              DataType="http://www.w3.org/2001/XMLSchema#string">
[59]       </AttributeSelector>
[60]     </Apply>
[61]   </Condition>
[62] </Rule>

[02]-[06] XML namespace declarations.

[07] Rule identifier.

[08] When a rule evaluates to "True", it emits the value of the Effect attribute. This value is combined with the Effect values of other rules according to the rule-combining algorithm.
[09]-[13] Free-form description of the rule.

[14]-[46] A rule target defines the set of decision requests that are applicable to the rule. A decision request such that the value of the "urn:oasis:names:tc:xacml:1.0:resource:target-namespace" resource attribute is equal to "http://www.medico.com/schemas/record.xsd", and the value of the "urn:oasis:names:tc:xacml:1.0:resource:xpath" resource attribute matches the XPath expression "/md:record", and the value of the "urn:oasis:names:tc:xacml:1.0:action:action-id" action attribute is equal to "read", matches the target of this rule.

[15]-[17] The Subjects element may contain either a disjunctive sequence of Subject elements or an AnySubject element.

[16] The AnySubject element is a special element that matches any subject in the request context.

[18]-[36] The Resources element may contain either a disjunctive sequence of Resource elements or an AnyResource element.

[20]-[35] The Resource element encloses a conjunctive sequence of ResourceMatch elements.

[22]-[28] The ResourceMatch element compares its first and second child elements according to the matching function. A match is positive if the value of the first argument matches any of the values selected by the second argument. This match compares the target namespace of the requested document with the value "http://www.medico.com/schemas/record.xsd".

[22] The MatchId attribute names the matching function.

[23]-[25] Literal attribute value to match.

[26]-[27] The ResourceAttributeDesignator element selects the resource attribute values from the request context. The attribute name is specified by the AttributeId. The selection result is a bag of values.

[30]-[34] The second ResourceMatch. This match compares the results of two XPath expressions. The first XPath expression is "/md:record", and the second XPath expression is the location path to the requested XML element. The "xpath-node-match" function evaluates to "True" if the requested XML element is the /md:record element or one of its descendants.

[30] The MatchId attribute names the matching function.

[31] The literal XPath expression to match. The "md" prefix is resolved using a standard namespace declaration.

[32]-[33] The ResourceAttributeDesignator selects the bag of values for the "urn:oasis:names:tc:xacml:1.0:resource:xpath" resource attribute. Here there is just one element in the bag, which is the location path for the requested XML element.

[37]-[45] The Actions element may contain either a disjunctive sequence of Action elements or an AnyAction element.

[38]-[44] The Action element contains a conjunctive sequence of ActionMatch elements.

[39]-[43] The ActionMatch element compares its first and second child elements according to the matching function. A match is positive if the value of the first argument matches any of the values selected by the second argument. In this case, the value of the action-id action attribute in the request context is compared with the value "read".
[39] The MatchId attribute names the matching function.

[40] The attribute value to match. This is an action name.

[41]-[42] The ActionAttributeDesignator selects action attribute values from the request context. The attribute name is specified by the AttributeId. The selection result is a bag of values. "urn:oasis:names:tc:xacml:1.0:action:action-id" is the predefined name for the action identifier.

[49]-[61] The <Condition> element. A condition must evaluate to "True" for the rule to be applicable. This condition evaluates the truth of the statement: the policy-number subject attribute is equal to the patient-number element in the XML document. (The example uses the name "policy-number" for the subject attribute and "patient-number" for the document element; both denote the patient number of plain-language Rule 1, and a real policy would use one consistent name for it.)

[49] The FunctionId attribute of the <Condition> element names the function to be used for comparison. In this case, comparison is done with "urn:oasis:names:tc:xacml:1.0:function:string-equal"; this function takes two arguments of the "http://www.w3.org/2001/XMLSchema#string" data-type.

[50] The first argument to "urn:oasis:names:tc:xacml:1.0:function:string-equal" in the Condition. Functions can take other functions as arguments. The Apply element encodes the function call, with the FunctionId attribute naming the function. Since "urn:oasis:names:tc:xacml:1.0:function:string-equal" takes arguments of the "http://www.w3.org/2001/XMLSchema#string" data-type, and SubjectAttributeDesignator selects a bag of "http://www.w3.org/2001/XMLSchema#string" values, "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" is used. This function returns the single element of a bag that contains one and only one "http://www.w3.org/2001/XMLSchema#string" value; if the bag is empty (the subject did not present the attribute) or contains more than one value, the function returns an error and the rule evaluates to "Indeterminate" rather than "NotApplicable", which the rule-combining algorithm then handles.

[52]-[53] The SubjectAttributeDesignator selects a bag of values for the policy-number subject attribute in the request context.

[55] The second argument to "urn:oasis:names:tc:xacml:1.0:function:string-equal" in the Condition. Functions can take other functions as arguments. The Apply element encodes the function call, with the FunctionId attribute naming the function. Since "urn:oasis:names:tc:xacml:1.0:function:string-equal" takes arguments of the "http://www.w3.org/2001/XMLSchema#string" data-type, and the AttributeSelector selects a bag of "http://www.w3.org/2001/XMLSchema#string" values, "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" is used. As above, it guarantees that its argument evaluates to a bag containing one and only one "http://www.w3.org/2001/XMLSchema#string" element.

[57] The AttributeSelector element selects a bag of values from the request context. The AttributeSelector is a free-form XPath pointing device into the request context. The RequestContextPath attribute specifies an XPath expression over the content of the requested XML document, selecting the patient number. Note that the namespace prefixes in the XPath expression are resolved with the standard XML namespace declarations.
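The condition of Rule 1 evaluated end to end, together with the age test that plain-language Rule 2 in 4.2.3 calls for, as an added example that is not part of the specification. It uses only the Python standard library. The request document is constructed here: it is the <ResourceContent> of 4.2.2 with the patient-number and parentGuardianId elements that the rules' selectors read added from the 4.2.1 record. The 16-year duration ("P16Y") is an assumption taken from "under 16 years of age". Because xml.etree supports only a subset of XPath, the spec's absolute "/md:record" is written ".//md:record" below and the "text()" step is replaced by reading the selected element's text.

```python
# Added example, not part of the XACML specification: Rule 1's <Condition>, the
# xpath-node-match of its target, and the age test of plain-language Rule 2,
# evaluated with the standard library.  REQU EST_XML and the P16Y duration are
# constructed/assumed as described in the lead-in.
import calendar
import datetime
import xml.etree.ElementTree as ET

NS = {"md": "http://www.medico.com/schemas/record.xsd"}
POLICY_NUMBER = "urn:oasis:names:tc:xacml:1.0:examples:attribute:policy-number"

# Constructed request context: 4.2.2's <ResourceContent> plus the elements the
# selectors of Rule 1 and Rule 2 read (values from the 4.2.1 record).
REQUEST_XML = """<Request xmlns="urn:oasis:names:tc:xacml:1.0:context">
  <Resource>
    <ResourceContent>
      <md:record xmlns:md="http://www.medico.com/schemas/record.xsd">
        <md:patient>
          <md:patientDoB>1992-03-21</md:patientDoB>
          <md:patient-number>555555</md:patient-number>
        </md:patient>
        <md:parentGuardian>
          <md:parentGuardianId>HS001</md:parentGuardianId>
        </md:parentGuardian>
      </md:record>
    </ResourceContent>
  </Resource>
</Request>"""


class Indeterminate(Exception):
    """Raised where an XACML function would return Indeterminate."""


def attribute_selector(root, path):
    """<AttributeSelector RequestContextPath=...>: the bag of text values of the
    nodes the path selects from the request context (empty bag if none)."""
    return [(e.text or "").strip() for e in root.findall(path, NS)]


def one_and_only(bag):
    """string-one-and-only / date-one-and-only: the single element of a
    one-element bag; an empty or larger bag is an error (Indeterminate)."""
    if len(bag) != 1:
        raise Indeterminate("bag has %d elements, expected exactly one" % len(bag))
    return bag[0]


def xpath_node_match(root, literal_path, requested_path):
    """xpath-node-match: true if a node selected by the requested path is a node
    selected by the literal path or a descendant of one."""
    return any(node in anchor.iter()
               for anchor in root.findall(literal_path, NS)
               for node in root.findall(requested_path, NS))


def date_add_year_month_duration(iso_date, years, months=0):
    """date-add-yearMonthDuration on an xs:date lexical value, non-negative
    duration; the day is clamped to the target month as XML Schema requires."""
    d = datetime.date.fromisoformat(iso_date)
    year, month0 = divmod(d.year * 12 + (d.month - 1) + years * 12 + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return datetime.date(year, month0 + 1, min(d.day, last_day)).isoformat()


def rule1_condition(root, subject_attrs):
    """Rule 1 [49]-[61]: string-equal(one-and-only(policy-number subject attribute),
    one-and-only(//md:record/md:patient/md:patient-number/text()))."""
    presented = one_and_only(subject_attrs.get(POLICY_NUMBER, []))
    in_document = one_and_only(
        attribute_selector(root, ".//md:record/md:patient/md:patient-number"))
    return presented == in_document


def rule2_age_condition(root, current_date):
    """Rule 2's age test as its XACML listing begins it:
    date-less-or-equal(current-date, date-add-yearMonthDuration(patientDoB, P16Y)).
    Zone-less xs:date values compare correctly as canonical strings."""
    dob = one_and_only(attribute_selector(root, ".//md:record/md:patient/md:patientDoB"))
    return current_date <= date_add_year_month_duration(dob, 16)


def decide_rule1(request_xml, subject_attrs):
    """Rule 1 as a PDP sees it: Permit when target and condition hold,
    NotApplicable when they do not, Indeterminate when a function errors."""
    root = ET.fromstring(request_xml)
    try:
        # target [30]-[34]: the requested element must lie under /md:record
        if not xpath_node_match(root, ".//md:record", ".//md:record/md:patient/md:patientDoB"):
            return "NotApplicable"
        return "Permit" if rule1_condition(root, subject_attrs) else "NotApplicable"
    except Indeterminate:
        return "Indeterminate"


def patient_under_16(request_xml, current_date):
    """The age half of Rule 2 for an ISO current-date; raises Indeterminate if
    the record carries no (or more than one) patientDoB."""
    return rule2_age_condition(ET.fromstring(request_xml), current_date)
```

The cases worth noticing are the ones the prose calls out: a subject that presents no policy-number, or two of them, makes Rule 1 "Indeterminate" rather than "NotApplicable", because string-one-and-only errors on a bag that is not of size one; and the date arithmetic clamps the day of month, so a patient born on 29 February reaches the 16-year boundary on 28 February.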
4.2.4.2 Rule 2

Rule 2 illustrates the use of a mathematical function, i.e. the <Apply> element with FunctionId "urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration", to calculate a date. It also illustrates the use of predicate expressions with the FunctionId "urn:oasis:names:tc:xacml:1.0:function:and".
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Rule
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   xmlns:ctx="urn:oasis:names:tc:xacml:1.0:context"
[06]   xmlns:md="http://www.medico.com/schemas/record.xsd"
[07]   RuleId="urn:oasis:names:tc:xacml:examples:ruleid:2"
[08]   Effect="Permit">
[09]   <Description>
[10]     A person may read any medical record in the
[11]     http://www.medico.com/records.xsd namespace
[12]     for which he or she is the designated parent or guardian,
[13]     and for which the patient is under 16 years of age
[14]   </Description>
[15]   <Target>
[16]     <Subjects>
[17]       <AnySubject/>
[18]     </Subjects>
[19]     <Resources>
[20]       <Resource>
[21]         <!-- match document target namespace -->
[22]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[23]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[24]             http://www.medico.com/schemas/record.xsd
[25]           </AttributeValue>
[26]           <ResourceAttributeDesignator AttributeId=
[27]             "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[28]         </ResourceMatch>
[29]         <!-- match requested xml element -->
[30]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-node-match">
[31]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">md:record</AttributeValue>
[32]           <ResourceAttributeDesignator AttributeId=
[33]             "urn:oasis:names:tc:xacml:1.0:resource:xpath"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[34]         </ResourceMatch>
[35]       </Resource>
[36]     </Resources>
[37]     <Actions>
[38]       <Action>
[39]         <!-- match read action -->
[40]         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[41]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
[42]           <ActionAttributeDesignator AttributeId=
[43]             "urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[44]         </ActionMatch>
[45]       </Action>
[46]     </Actions>
[47]   </Target>
[48]   <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
[49]     <!-- compare parent-guardian-id subject attribute with
[50]          the value in the document -->
[51]     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[52]       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[53]         <!-- parent-guardian-id subject attribute -->
[54]         <SubjectAttributeDesignator AttributeId=
[55]           "urn:oasis:names:tc:xacml:1.0:examples:attribute:
[56]           parent-guardian-id"
             DataType="http://www.w3.org/2001/XMLSchema#string"/>
[57]       </Apply>
[58]       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[59]         <!-- parent-guardian-id element in the document -->
[60]         <AttributeSelector RequestContextPath=
[61]           "//md:record/md:parentGuardian/md:parentGuardianId/text()"
[62]           DataType="http://www.w3.org/2001/XMLSchema#string">
[63]         </AttributeSelector>
[64]       </Apply>
[65]     </Apply>
[66]     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-less-or-equal">
[67]       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
[68]         <EnvironmentAttributeDesignator AttributeId=
[69]           "urn:oasis:names:tc:xacml:1.0:environment:current-date"
             DataType="http://www.w3.org/2001/XMLSchema#date"/>
[70]       </Apply>
[71]       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration">
[73]         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
[74]           <!-- patient dob recorded in the document -->
[75]           <AttributeSelector RequestContextPath=
[76]             "//md:record/md:patient/md:patientDoB/text()"
               DataType="http://www.w3.org/2001/XMLSchema#date">
[77]           </AttributeSelector>
[78]         </Apply>
[79]         <AttributeValue DataType="http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration">
[80]           P16Y
[81]         </AttributeValue>
[82]       </Apply>
[83]     </Apply>
[84]   </Condition>
[85] </Rule>
[02]-[47] Rule declaration and rule target. See Rule 1 in Section 4.2.4.1 for the detailed explanation of these elements.
[48]-[82] The Condition element. The Condition must evaluate to "True" for the rule to be applicable. This condition evaluates the truth of the statement: the requestor is the designated parent or guardian, and the patient is under 16 years of age.
[48] The Condition uses the "urn:oasis:names:tc:xacml:1.0:function:and" function. This is a boolean function that takes one or more boolean arguments (2 in this case) and performs the logical "AND" operation to compute the truth value of the expression.
[51]-[65] The truth of the first part of the condition is evaluated: the requestor is the designated parent or guardian. The Apply element contains a function invocation. The function name is contained in the FunctionId attribute. The comparison is done with "urn:oasis:names:tc:xacml:1.0:function:string-equal", which takes 2 arguments of the "http://www.w3.org/2001/XMLSchema#string" data-type.
[52] Since "urn:oasis:names:tc:xacml:1.0:function:string-equal" takes arguments of the "http://www.w3.org/2001/XMLSchema#string" data-type, "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" is used to ensure that the subject attribute "urn:oasis:names:tc:xacml:1.0:examples:attribute:parent-guardian-id" in the request context contains one and only one value. "urn:oasis:names:tc:xacml:1.0:function:string-equal" takes an argument expression that evaluates to a bag of "http://www.w3.org/2001/XMLSchema#string" values.
[54] The value of the subject attribute "urn:oasis:names:tc:xacml:1.0:examples:attribute:parent-guardian-id" is selected from the request context with the <SubjectAttributeDesignator> element. This expression evaluates to a bag of "http://www.w3.org/2001/XMLSchema#string" values.
[58] "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" is used to ensure that the bag of values selected by its argument contains one and only one value of data-type "http://www.w3.org/2001/XMLSchema#string".
[60] The value of the md:parentGuardianId element is selected from the resource content with the AttributeSelector element. AttributeSelector is a free-form XPath expression pointing into the request context. The RequestContextPath XML attribute contains an XPath expression over the request context. Note that all namespace prefixes in the XPath expression are resolved with standard namespace declarations. The AttributeSelector evaluates to a bag of values of data-type "http://www.w3.org/2001/XMLSchema#string".
[66]-[83] The expression "the patient is under 16 years of age" is evaluated. The patient is under 16 years of age if the current date is less than the date computed by adding 16 years to the patient's date of birth.
[66] "urn:oasis:names:tc:xacml:1.0:function:date-less-or-equal" is used to compute the difference of two dates.
[67] "urn:oasis:names:tc:xacml:1.0:function:date-one-and-only" is used to ensure that the bag of values selected by its argument contains one and only one value of data-type "http://www.w3.org/2001/XMLSchema#date".
[68]-[69] The current date is evaluated by selecting the "urn:oasis:names:tc:xacml:1.0:environment:current-date" environment attribute.
[71] "urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration" is used to compute the date by adding 16 years to the patient's date of birth. The first argument is a "http://www.w3.org/2001/XMLSchema#date" and the second argument is a "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration".
[73] "urn:oasis:names:tc:xacml:1.0:function:date-one-and-only" is used to ensure that the bag of values selected by its argument contains one and only one value of data-type "http://www.w3.org/2001/XMLSchema#date".
[75]-[76] The <AttributeSelector> element selects the patient's date of birth by evaluating the XPath expression over the document content.
[79]-[81] A yearMonthDuration of 16 years.
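As an added illustration (not code from the specification), the following Python models how a PDP would evaluate Rule 2's Condition: the bags selected by the designator and the selectors, the one-and-only checks, date-add-yearMonthDuration, date-less-or-equal, and the mapping of the result to Permit, NotApplicable or Indeterminate. The record document, the request-context dictionaries and the ElementTree form of the XPath paths are assumptions; the date arithmetic handles any P<y>Y<m>M duration, not only the page's P16Y.

```python
import calendar
import re
import xml.etree.ElementTree as ET
from datetime import date

# Namespace of the page's example records; the record content itself is constructed
# for this example (the specification never shows a complete record document).
MD_NS = {"md": "http://www.medico.com/schemas/record.xsd"}
RECORD_XML = """<md:record xmlns:md="http://www.medico.com/schemas/record.xsd">
  <md:patient><md:patientDoB>1990-06-15</md:patientDoB></md:patient>
  <md:parentGuardian><md:parentGuardianId>Bob</md:parentGuardianId></md:parentGuardian>
</md:record>"""
# Constructed malformed record with two guardian ids: string-one-and-only must reject it.
TWO_GUARDIANS_XML = RECORD_XML.replace(
    "<md:parentGuardianId>Bob</md:parentGuardianId>",
    "<md:parentGuardianId>Bob</md:parentGuardianId><md:parentGuardianId>Eve</md:parentGuardianId>")

GUARDIAN_ATTR = "urn:oasis:names:tc:xacml:1.0:examples:attribute:parent-guardian-id"


class Indeterminate(Exception):
    """An XACML function could not produce a value; the rule then evaluates to Indeterminate."""


def attribute_selector(record_xml, path):
    """<AttributeSelector>: select a bag (list) of text values from the resource content.
    ElementTree's XPath subset has no text(), so the page's
    "//md:record/md:patient/md:patientDoB/text()" is written as the child path
    relative to the md:record root element (an assumption of this model)."""
    root = ET.fromstring(record_xml)
    return [(e.text or "").strip() for e in root.findall(path, MD_NS)]


def one_and_only(bag):
    """urn:oasis:names:tc:xacml:1.0:function:string-one-and-only / date-one-and-only."""
    if len(bag) != 1:
        raise Indeterminate(f"bag must hold exactly one value, it holds {len(bag)}")
    return bag[0]


def parse_year_month_duration(text):
    """Parse an xquery yearMonthDuration such as P16Y or P1Y6M into (years, months)."""
    m = re.fullmatch(r"P(?:(\d+)Y)?(?:(\d+)M)?", text)
    if not m or (m.group(1) is None and m.group(2) is None):
        raise Indeterminate(f"not a yearMonthDuration: {text!r}")
    return int(m.group(1) or 0), int(m.group(2) or 0)


def date_add_year_month_duration(d_iso, duration):
    """urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration on ISO date strings.
    Handles the general P<y>Y<m>M case; the day is clamped to the last day of the
    resulting month (e.g. 2004-02-29 + P1Y -> 2005-02-28)."""
    d = date.fromisoformat(d_iso)
    years, months = parse_year_month_duration(duration)
    total = d.year * 12 + (d.month - 1) + years * 12 + months
    year, month = divmod(total, 12)
    month += 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1])).isoformat()


def rule2_condition(subject_attrs, record_xml, current_date_iso):
    """Rule 2's <Condition>:
         and( string-equal( one-and-only(parent-guardian-id subject attribute),
                            one-and-only(//md:record/md:parentGuardian/md:parentGuardianId) ),
              date-less-or-equal( one-and-only(current-date),
                                  date-add-yearMonthDuration(
                                      one-and-only(//md:record/md:patient/md:patientDoB), P16Y) ) )
    subject_attrs maps attribute ids to bags of values, as the request context does."""
    is_guardian = one_and_only(subject_attrs.get(GUARDIAN_ATTR, [])) == one_and_only(
        attribute_selector(record_xml, "md:parentGuardian/md:parentGuardianId"))
    dob = one_and_only(attribute_selector(record_xml, "md:patient/md:patientDoB"))
    sixteenth_birthday = date_add_year_month_duration(dob, "P16Y")
    under_16 = date.fromisoformat(one_and_only([current_date_iso])) <= date.fromisoformat(sixteenth_birthday)
    return is_guardian and under_16


def evaluate_rule2(subject_attrs, record_xml, current_date_iso):
    """Map the condition result to the rule's decision (the target is assumed to match):
    True -> the rule's Effect (Permit), False -> NotApplicable, error -> Indeterminate."""
    try:
        return "Permit" if rule2_condition(subject_attrs, record_xml, current_date_iso) else "NotApplicable"
    except Indeterminate:
        return "Indeterminate"


if __name__ == "__main__":
    print(evaluate_rule2({GUARDIAN_ATTR: ["Bob"]}, RECORD_XML, "2004-01-01"))          # Permit
    print(evaluate_rule2({GUARDIAN_ATTR: ["Bob"]}, RECORD_XML, "2006-06-16"))          # NotApplicable
    print(evaluate_rule2({GUARDIAN_ATTR: ["Bob"]}, TWO_GUARDIANS_XML, "2004-01-01"))   # Indeterminate
```

The Indeterminate outcome is the case a policy author should keep in mind: a record with a duplicated or missing guardian element does not silently permit, it produces an error that the combining algorithm then handles.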
4.2.4.3 Rule 3
Rule 3 illustrates the use of an obligation. The XACML <Rule> element syntax does not include an element suitable for carrying an obligation; therefore Rule 3 has to be formatted as a <Policy> element.
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Policy
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   xmlns:ctx="urn:oasis:names:tc:xacml:1.0:context"
[06]   xmlns:md="http://www.medico.com/schemas/record.xsd"
[07]   PolicyId="urn:oasis:names:tc:xacml:examples:policyid:3"
[08]   RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:
[09]     rule-combining-algorithm:deny-overrides">
[10]   <Description>
[11]     Policy for any medical record in the
[12]     http://www.medico.com/schemas/record.xsd namespace
[13]   </Description>
[14]   <Target>
[15]     <Subjects>
[16]       <AnySubject/>
[17]     </Subjects>
[18]     <Resources>
[19]       <Resource>
[20]         <!-- match document target namespace -->
[21]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[22]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[23]             http://www.medico.com/schemas/record.xsd
[24]           </AttributeValue>
[25]           <ResourceAttributeDesignator AttributeId=
[26]             "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[27]         </ResourceMatch>
[28]       </Resource>
[29]     </Resources>
[30]     <Actions>
[31]       <AnyAction/>
[32]     </Actions>
[33]   </Target>
[34]   <Rule RuleId="urn:oasis:names:tc:xacml:examples:ruleid:3"
[35]     Effect="Permit">
[36]     <Description>
[37]       A physician may write any medical element in a record
[38]       for which he or she is the designated primary care
[39]       physician, provided an email is sent to the patient
[40]     </Description>
[41]     <Target>
[42]       <Subjects>
[43]         <Subject>
[44]           <!-- match subject group attribute -->
[45]           <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[46]             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">physician</AttributeValue>
[47]             <SubjectAttributeDesignator AttributeId=
[48]               "urn:oasis:names:tc:xacml:1.0:example:attribute:role"
                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
[49]           </SubjectMatch>
[50]         </Subject>
[51]       </Subjects>
[52]       <Resources>
[53]         <Resource>
[54]           <!-- match requested xml element -->
[55]           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-node-match">
[56]             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[57]               md:record/md:medical
[58]             </AttributeValue>
[59]             <ResourceAttributeDesignator AttributeId=
[60]               "urn:oasis:names:tc:xacml:1.0:resource:xpath"
                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
[61]           </ResourceMatch>
[62]         </Resource>
[63]       </Resources>
[64]       <Actions>
[65]         <Action>
[66]           <!-- match action -->
[67]           <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[68]             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
[069]            <ActionAttributeDesignator AttributeId=
[070]              "urn:oasis:names:tc:xacml:1.0:action:action-id"
                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
[071]          </ActionMatch>
[072]        </Action>
[073]      </Actions>
[074]    </Target>
[075]    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[076]      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[077]        <!-- physician-id subject attribute -->
[078]        <SubjectAttributeDesignator AttributeId=
[079]          "urn:oasis:names:tc:xacml:1.0:example:
[080]          attribute:physician-id"
             DataType="http://www.w3.org/2001/XMLSchema#string"/>
[081]      </Apply>
[082]      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
[083]        <AttributeSelector RequestContextPath=
[084]          "//md:record/md:primaryCarePhysician/md:registrationID/text()"
[085]          DataType="http://www.w3.org/2001/XMLSchema#string"/>
[086]      </Apply>
[087]    </Condition>
[089]  </Rule>
[090]  <Obligations>
[091]    <!-- send e-mail message to the document owner -->
[092]    <Obligation ObligationId=
[093]      "urn:oasis:names:tc:xacml:example:obligation:email"
[094]      FulfillOn="Permit">
[095]      <AttributeAssignment AttributeId=
[096]        "urn:oasis:names:tc:xacml:1.0:example:attribute:mailto"
[097]        DataType="http://www.w3.org/2001/XMLSchema#string">
[098]        <AttributeSelector RequestContextPath=
[099]          "//md:record/md:patient/md:patientContact/md:email"
[100]          DataType="http://www.w3.org/2001/XMLSchema#string"/>
[101]      </AttributeAssignment>
[102]      <AttributeAssignment AttributeId=
[103]        "urn:oasis:names:tc:xacml:1.0:example:attribute:text"
[104]        DataType="http://www.w3.org/2001/XMLSchema#string">
[105]        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[106]          Your medical record has been accessed by
[107]        </AttributeValue>
[108]      </AttributeAssignment>
[109]      <AttributeAssignment AttributeId=
[110]        "urn:oasis:names:tc:xacml:example:attribute:text"
[111]        DataType="http://www.w3.org/2001/XMLSchema#string">
[112]        <SubjectAttributeDesignator AttributeId=
[113]          "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
             DataType="http://www.w3.org/2001/XMLSchema#string"/>
[114]      </AttributeAssignment>
[115]    </Obligation>
[116]  </Obligations>
[117] </Policy>
[01]-[09] The Policy element includes standard namespace declarations as well as policy-specific parameters such as PolicyId and RuleCombiningAlgId.
[07] Policy identifier. This parameter is used for the inclusion of the Policy in the PolicySet element.
[08]-[09] Rule combining algorithm identifier. This parameter is used to compute the combined outcome of rule effects for the rules that are applicable to the decision request.
[10]-[13] Free-form description of the policy.
[14]-[33] Policy target. The policy target defines the set of applicable decision requests. The structure of the Target element in the Policy is identical to the structure of the Target element in the Rule. In this case the policy target is the set of all XML documents conforming to the "http://www.medico.com/schemas/record.xsd" target namespace. For the detailed description of the Target element, see Rule 1, Section 4.2.4.1.
[34]-[89] The only Rule element included in this Policy. Two parameters are specified in the rule header: RuleId and Effect. For the detailed description of the Rule structure, see Rule 1, Section 4.2.4.1.
[41]-[74] A rule target narrows down a policy target. Decision requests with the value of the "urn:oasis:names:tc:xacml:1.0:example:attribute:role" subject attribute equal to "physician" [42]-[51], that access elements of the medical record that "xpath-node-match" the "md:record/md:medical" XPath expression [52]-[63], and that have the value of the "urn:oasis:names:tc:xacml:1.0:action:action-id" action attribute equal to "read" [65]-[73] match the target of this rule. For a detailed description of the rule target, see example 1, Section 4.2.4.1.
[75]-[87] The Condition element. For the rule to be applicable to the authorization request, the condition must evaluate to True. This rule condition compares the value of the "urn:oasis:names:tc:xacml:1.0:examples:attribute:physician-id" subject attribute with the value of the physician id element in the medical record that is being accessed. For a detailed explanation of the rule condition, see Rule 1, Section 4.2.4.1.
[90]-[116] The Obligations element. Obligations are a set of operations that must be performed by the PEP in conjunction with an authorization decision. An obligation may be associated with a positive or a negative authorization decision.
[92]-[115] The Obligation element consists of the ObligationId, the authorization decision value for which it must be fulfilled, and a set of attribute assignments.
[92]-[93] ObligationId identifies an obligation. Obligation names are not interpreted by the PDP.
[94] The FulfillOn attribute defines the authorization decision value for which this obligation must be fulfilled.
[95]-[101] An obligation may have one or more parameters. The obligation parameter "urn:oasis:names:tc:xacml:1.0:examples:attribute:mailto" is assigned a value from the content of the XML document.
[95]-[96] AttributeId declares the "urn:oasis:names:tc:xacml:1.0:examples:attribute:mailto" obligation parameter.
[97] The obligation parameter data-type is defined.
[98]-[100] The obligation parameter value is selected from the content of the XML document that is being accessed, with an XPath expression over the request context.
[102]-[108] The obligation parameter "urn:oasis:names:tc:xacml:1.0:examples:attribute:text" of data-type "http://www.w3.org/2001/XMLSchema#string" is assigned the literal value "Your medical record has been accessed by".
[109]-[114] The obligation parameter "urn:oasis:names:tc:xacml:1.0:examples:attribute:text" of the "http://www.w3.org/2001/XMLSchema#string" data-type is assigned the value of the "urn:oasis:names:tc:xacml:1.0:subject:subject-id" subject attribute.
4.2.4.4 Rule 4
Rule 4 illustrates the use of the Deny Effect value and a Rule with no Condition element.
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <Rule
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   xmlns:ctx="urn:oasis:names:tc:xacml:1.0:context"
[06]   xmlns:md="http://www.medico.com/schemas/record.xsd"
[07]   RuleId="urn:oasis:names:tc:xacml:example:ruleid:4"
[08]   Effect="Deny">
[09]   <Description>
[10]     An Administrator shall not be permitted to read or write
[11]     medical elements of a patient record in the
[12]     http://www.medico.com/records.xsd namespace
[13]   </Description>
[14]   <Target>
[15]     <Subjects>
[16]       <Subject>
[17]         <!-- match role subject attribute -->
[18]         <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[19]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
[20]           <SubjectAttributeDesignator AttributeId=
[21]             "urn:oasis:names:tc:xacml:1.0:example:attribute:role"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[22]         </SubjectMatch>
[23]       </Subject>
[24]     </Subjects>
[25]     <Resources>
[26]       <Resource>
[27]         <!-- match document target namespace -->
[28]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[29]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[30]             http://www.medico.com/schemas/record.xsd
[31]           </AttributeValue>
[32]           <ResourceAttributeDesignator AttributeId=
[33]             "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[34]         </ResourceMatch>
[35]         <!-- match requested xml element -->
[36]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-node-match">
[37]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[38]             md:record/md:medical
[39]           </AttributeValue>
[40]           <ResourceAttributeDesignator AttributeId=
[41]             "urn:oasis:names:tc:xacml:1.0:resource:xpath"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[42]         </ResourceMatch>
[43]       </Resource>
[44]     </Resources>
[45]     <Actions>
[46]       <Action>
[47]         <!-- match read action -->
[48]         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[49]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
[50]           <ActionAttributeDesignator AttributeId=
[51]             "urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[52]         </ActionMatch>
[53]       </Action>
[54]       <Action>
[55]         <!-- match write action -->
[56]         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[57]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
[58]           <ActionAttributeDesignator AttributeId=
[59]             "urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[60]         </ActionMatch>
[61]       </Action>
[62]     </Actions>
[63]   </Target>
[64] </Rule>
[01]-[08] The Rule element declaration. The most important parameter here is Effect. See Rule 1, Section 4.2.4.1 for a detailed explanation of the Rule structure.
[08] Rule Effect. Every rule that evaluates to "True" emits its rule effect as its value, which is later combined with the effects of other rules according to the rule combining algorithm. This rule's Effect is "Deny", meaning that according to this rule, access must be denied.
[09]-[13] Free-form description of the rule.
[14]-[63] Rule target. The Rule target defines the set of decision requests that are applicable to the rule. This rule is matched by a decision request in which:
- the subject attribute "urn:oasis:names:tc:xacml:1.0:examples:attribute:role" is equal to "administrator",
- the value of the resource attribute "urn:oasis:names:tc:xacml:1.0:resource:target-namespace" is equal to "http://www.medico.com/schemas/record.xsd",
- the value of the requested XML element matches the XPath expression "md:record/md:medical", and
- the value of the action attribute "urn:oasis:names:tc:xacml:1.0:action:action-id" is equal to "read".
See Rule 1, Section 4.2.4.1 for the detailed explanation of the Target element.
This rule does not have a Condition element.
4.2.4.5 Example PolicySet
This section uses the examples of the previous sections to illustrate the process of combining policies. The policy governing read access to medical elements of a record is formed from each of the four rules described in Section 4.2.3. In plain language, the combined rule is:
- Either the requestor is the patient; or
- the requestor is the parent or guardian and the patient is under 16; or
- the requestor is the primary care physician and a notification is sent to the patient; and
- the requestor is not an administrator.
The following XACML <PolicySet> illustrates the combined policies. Policy 3 is included by reference and policy 2 is explicitly included.
[01] <?xml version="1.0" encoding="UTF-8"?>
[02] <PolicySet
[03]   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
[04]   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
[05]   PolicySetId=
[06]     "urn:oasis:names:tc:xacml:1.0:examples:policysetid:1"
[07]   PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:
[071]    policy-combining-algorithm:deny-overrides">
[08]   <Description>
[09]     Example policy set
[10]   </Description>
[11]   <Target>
[12]     <Subjects>
[13]       <Subject>
[14]         <!-- any subject -->
[15]         <AnySubject/>
[16]       </Subject>
[17]     </Subjects>
[18]     <Resources>
[19]       <Resource>
[20]         <!-- any resource in the target namespace -->
[21]         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
[22]           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[23]             http://www.medico.com/records.xsd
[24]           </AttributeValue>
[25]           <ResourceAttributeDesignator AttributeId=
[26]             "urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
               DataType="http://www.w3.org/2001/XMLSchema#string"/>
[27]         </ResourceMatch>
[28]       </Resource>
[29]     </Resources>
[30]     <Actions>
[31]       <Action>
[32]         <!-- any action -->
[33]         <AnyAction/>
[34]       </Action>
[35]     </Actions>
[36]   </Target>
[37]   <!-- include policy from the example 3 by reference -->
[38]   <PolicyIdReference>
[39]     urn:oasis:names:tc:xacml:1.0:examples:policyid:3
[40]   </PolicyIdReference>
[41]   <!-- policy 2 combines rules from the examples 1, 2
[42]        and 4; it is included by value -->
[43]   <Policy
[44]     PolicyId="urn:oasis:names:tc:xacml:examples:policyid:2"
[45]     RuleCombiningAlgId=
[46]       "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
[47]     <Description>
[48]       Policy for any medical record in the
[49]       http://www.medico.com/schemas/record.xsd namespace
[50]     </Description>
[51]     <Target> ... </Target>
[52]     <Rule
[53]       RuleId="urn:oasis:names:tc:xacml:examples:ruleid:1"
[54]       Effect="Permit"> ... </Rule>
[55]     <Rule RuleId="urn:oasis:names:tc:xacml:examples:ruleid:2"
[56]       Effect="Permit"> ... </Rule>
[57]     <Rule RuleId="urn:oasis:names:tc:xacml:examples:ruleid:4"
[58]       Effect="Deny"> ... </Rule>
[59]     <Obligations> ... </Obligations>
[60]   </Policy>
[61] </PolicySet>
[02]-[07] PolicySet declaration. Standard XML namespace declarations are included, as well as the PolicySetId and the policy combining algorithm identifier.
[05]-[06] PolicySetId is used for identifying this policy set and for possible inclusion of this policy set in another policy set.
[07] Policy combining algorithm identifier. Policies in the policy set are combined according to the specified policy combining algorithm when the authorization decision is computed.
[08]-[10] Free-form description of the policy set.
[11]-[36] The PolicySet Target element defines the set of decision requests that are applicable to this PolicySet.
[38]-[40] PolicyIdReference includes a policy by id.
[43]-[60] Policy 2 is explicitly included in this policy set.
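To show how deny-overrides combines the rules of policy 2 and then the two policies of this <PolicySet>, including what happens to the obligation of policy 3 and to a rule that errors, here is an added Python model (not the specification's own code) following the deny-overrides definitions of Appendix C. The flattened request dictionaries and the predicate form of each rule are assumptions of the model, and Rule 1 (the requestor is the patient) is a stand-in because its listing is not reproduced in this section.

```python
from dataclasses import dataclass, field
from typing import Callable

# Decision values used by the XACML combining algorithms.
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"


@dataclass
class Rule:
    rule_id: str
    effect: str                       # "Permit" or "Deny"
    applies: Callable[[dict], bool]   # stand-in for evaluating <Target> plus <Condition>

    def evaluate(self, request):
        try:
            return self.effect if self.applies(request) else NOT_APPLICABLE
        except KeyError:              # an attribute the rule needs is absent from the context
            return INDETERMINATE


@dataclass
class Obligation:
    obligation_id: str
    fulfill_on: str                   # the FulfillOn decision value
    attributes: dict                  # the <AttributeAssignment> parameters


@dataclass
class Policy:
    policy_id: str
    rules: list
    obligations: list = field(default_factory=list)

    def evaluate(self, request):
        return deny_overrides_rules(self.rules, request)


def deny_overrides_rules(rules, request):
    """urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides (Appendix C)."""
    potential_deny = at_least_one_permit = at_least_one_error = False
    for rule in rules:
        decision = rule.evaluate(request)
        if decision == DENY:
            return DENY
        if decision == PERMIT:
            at_least_one_permit = True
        elif decision == INDETERMINATE:
            at_least_one_error = True
            if rule.effect == DENY:   # a Deny rule that errored might have denied
                potential_deny = True
    if potential_deny:
        return DENY
    if at_least_one_permit:
        return PERMIT
    if at_least_one_error:
        return INDETERMINATE
    return NOT_APPLICABLE


def deny_overrides_policies(policies, request):
    """urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides: any Deny or
    Indeterminate policy yields Deny. Returns (decision, obligations); obligations come only
    from policies whose own decision equals the final decision and whose FulfillOn matches."""
    at_least_one_permit = False
    evaluated = []
    for policy in policies:
        decision = policy.evaluate(request)
        evaluated.append((policy, decision))
        if decision in (DENY, INDETERMINATE):
            final = DENY
            break
        if decision == PERMIT:
            at_least_one_permit = True
    else:
        final = PERMIT if at_least_one_permit else NOT_APPLICABLE
    obligations = [ob for policy, decision in evaluated if decision == final
                   for ob in policy.obligations if ob.fulfill_on == final]
    return final, obligations


# The page's rules over a constructed, flattened request context (a real PDP evaluates
# XPath selections over the record; the record facts are folded into the request here).
RULE_1 = Rule("urn:oasis:names:tc:xacml:examples:ruleid:1", PERMIT,     # stand-in for Rule 1
              lambda r: r["action"] == "read" and r["subject-id"] == r["patient-id"])
RULE_2 = Rule("urn:oasis:names:tc:xacml:examples:ruleid:2", PERMIT,
              lambda r: r["action"] == "read" and r["subject-id"] == r["parent-guardian-id"]
              and r["patient-under-16"])
RULE_4 = Rule("urn:oasis:names:tc:xacml:example:ruleid:4", DENY,
              lambda r: r["role"] == "administrator" and r["action"] in ("read", "write"))
RULE_3 = Rule("urn:oasis:names:tc:xacml:examples:ruleid:3", PERMIT,
              lambda r: r["role"] == "physician" and r["action"] == "write"
              and r["subject-id"] == r["physician-id"])
EMAIL = Obligation("urn:oasis:names:tc:xacml:example:obligation:email", PERMIT,
                   {"mailto": "patient e-mail selected from the record",
                    "text": "Your medical record has been accessed by <subject-id>"})
POLICY_2 = Policy("urn:oasis:names:tc:xacml:examples:policyid:2", [RULE_1, RULE_2, RULE_4])
POLICY_3 = Policy("urn:oasis:names:tc:xacml:examples:policyid:3", [RULE_3], [EMAIL])
POLICY_SET = [POLICY_3, POLICY_2]   # order as in the listing: policy 3 by reference, then policy 2


def decide(request):
    """Authorization decision of the example <PolicySet> for one request."""
    return deny_overrides_policies(POLICY_SET, request)
```

Note the fail-closed behaviour: a physician request that lacks the physician-id attribute makes rule 3 Indeterminate, policy 3 Indeterminate, and the policy set Deny, with no e-mail obligation returned.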
5 Policy syntax (normative, with the exception of the schema fragments)
5.1 Element <PolicySet>
The <PolicySet> element is a top-level element in the XACML policy schema. <PolicySet> is an aggregation of other policy sets and policies. Policy sets MAY be included in an enclosing <PolicySet> element either directly, using the <PolicySet> element, or indirectly, using the <PolicySetIdReference> element. Policies MAY be included in an enclosing <PolicySet> element either directly, using the <Policy> element, or indirectly, using the <PolicyIdReference> element.
If a <PolicySet> element contains references to other policy sets or policies in the form of URLs, then these references MAY be resolvable.
Policies included in the <PolicySet> element MUST be combined using the algorithm specified by the PolicyCombiningAlgId attribute. <PolicySet> is treated exactly like a <Policy> in all the policy combining algorithms.
The <Target> element defines the applicability of the <PolicySet> to a set of decision requests. If the <Target> element within <PolicySet> matches the request context, then the <PolicySet> element MAY be used by the PDP in making its authorization decision.
The <Obligations> element contains a set of obligations that MUST be fulfilled by the PEP in conjunction with the authorization decision. If the PEP does not understand any of the obligations, then it MUST act as if the PDP had returned a "Deny" authorization decision value.
<xs:element name="PolicySet" type="xacml:PolicySetType"/>
<xs:complexType name="PolicySetType">
  <xs:sequence>
    <xs:element ref="xacml:Description" minOccurs="0"/>
    <xs:element ref="xacml:PolicySetDefaults" minOccurs="0"/>
    <xs:element ref="xacml:Target"/>
    <xs:choice minOccurs="0" maxOccurs="unbounded">
      <xs:element ref="xacml:PolicySet"/>
      <xs:element ref="xacml:Policy"/>
      <xs:element ref="xacml:PolicySetIdReference"/>
      <xs:element ref="xacml:PolicyIdReference"/>
    </xs:choice>
    <xs:element ref="xacml:Obligations" minOccurs="0"/>
  </xs:sequence>
  <xs:attribute name="PolicySetId" type="xs:anyURI" use="required"/>
  <xs:attribute name="PolicyCombiningAlgId" type="xs:anyURI" use="required"/>
</xs:complexType>
The <PolicySet> element is of PolicySetType complex type.
The <PolicySet> element contains the following attributes and elements:
PolicySetId [Required]
Policy set identifier. It is the responsibility of the PAP to ensure that no two policies visible to the PDP have the same identifier. This MAY be achieved by following a predefined URN or URI scheme. If the policy set identifier is in the form of a URL, then it MAY be resolvable.
PolicyCombiningAlgId [Required]
The identifier of the policy-combining algorithm by which the <PolicySet> components MUST be combined. Standard policy-combining algorithms are listed in Appendix C. Standard policy-combining algorithm identifiers are listed in Section B.10.
<Description> [Optional]
A free-form description of the <PolicySet>.
<PolicySetDefaults> [Optional]
A set of default values applicable to the <PolicySet>. The scope of the <PolicySetDefaults> element SHALL be the enclosing policy set.
<Target> [Required]
The <Target> element defines the applicability of a <PolicySet> to a set of decision requests.
The <Target> element MAY be declared by the creator of the <PolicySet>, or it MAY be computed from the <Target> elements of the referenced <Policy> elements, either as an intersection or as a union.
<PolicySet> [Any Number]
A policy set component that is included in this policy set.
<Policy> [Any Number]
A policy component that is included in this policy set.
<PolicySetIdReference> [Any Number]
A reference to a <PolicySet> component that MUST be included in this policy set. If <PolicySetIdReference> is a URL, then it MAY be resolvable.
<PolicyIdReference> [Any Number]
A reference to a <Policy> component that MUST be included in this policy set. If the <PolicyIdReference> is a URL, then it MAY be resolvable.
<Obligations> [Optional]
Contains the set of <Obligation> elements. See Section 7.11 for a description of how the set of obligations to be returned by the PDP shall be determined.
5.2 Element <Description>
The <Description> element is used for a free-form description of the <PolicySet> element, <Policy> element and <Rule> element. The <Description> element is of xs:string simple type.
<xs:element name="Description" type="xs:string"/>
5.3 Element <PolicySetDefaults>
The <PolicySetDefaults> element SHALL specify default values that apply to the <PolicySet> element.
<xs:element name="PolicySetDefaults" type="xacml:DefaultsType"/>
<xs:complexType name="DefaultsType">
  <xs:sequence>
    <xs:choice>
      <xs:element ref="xacml:XPathVersion" minOccurs="0"/>
    </xs:choice>
  </xs:sequence>
</xs:complexType>
The <PolicySetDefaults> element is of DefaultsType complex type.
The <PolicySetDefaults> element contains the following elements:
<XPathVersion> [Optional]
Default XPath version.
5.4 Element <XPathVersion>
The <XPathVersion> element SHALL specify the version of the XPath specification to be used by <AttributeSelector> elements.
<xs:element name="XPathVersion" type="xs:anyURI"/>
The URI for the XPath 1.0 specification is "http://www.w3.org/TR/1999/Rec-xpath-19991116". The <XPathVersion> element is REQUIRED if the enclosing XACML policy set or policy contains <AttributeSelector> elements or XPath-based functions.
5.5 Element <Target>
The <Target> element identifies the set of decision requests that the parent element is intended to evaluate. The <Target> element SHALL appear as a child of <PolicySet>, <Policy> and <Rule> elements. It contains definitions for subjects, resources and actions.
The <Target> element SHALL contain a conjunctive sequence of <Subjects>, <Resources> and <Actions> elements. For the parent of the <Target> element to be applicable to the decision request, there MUST be at least one positive match between each section of the <Target> element and the corresponding section of the <xacml-context:Request> element.
<xs:element name="Target" type="xacml:TargetType"/>
<xs:complexType name="TargetType">
  <xs:sequence>
    <xs:element ref="xacml:Subjects"/>
    <xs:element ref="xacml:Resources"/>
    <xs:element ref="xacml:Actions"/>
  </xs:sequence>
</xs:complexType>
The <Target> element is of TargetType complex type.
The <Target> element contains the following elements:
<Subjects> [Required]
Matching specification for the subject attributes in the context.
<Resources> [Required]
Matching specification for the resource attributes in the context.
<Actions> [Required]
Matching specification for the action attributes in the context.
5.6 Element <Subjects>
The <Subjects> element SHALL contain a disjunctive sequence of <Subject> elements.
<xs:element name="Subjects" type="xacml:SubjectsType"/>
<xs:complexType name="SubjectsType">
  <xs:choice>
    <xs:element ref="xacml:Subject" maxOccurs="unbounded"/>
    <xs:element ref="xacml:AnySubject"/>
  </xs:choice>
</xs:complexType>
The <Subjects> element is of SubjectsType complex type.
The <Subjects> element contains the following elements:
<Subject> [One To Many, Required Choice]
See Section 5.7.
<AnySubject> [Required Choice]
See Section 5.8.
5.7 Element <Subject>
The <Subject> element SHALL contain a conjunctive sequence of <SubjectMatch> elements.
<xs:element name="Subject" type="xacml:SubjectType"/>
<xs:complexType name="SubjectType">
  <xs:sequence>
    <xs:element ref="xacml:SubjectMatch" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <Subject> element is of SubjectType complex type.
The <Subject> element contains the following elements:
<SubjectMatch> [One to Many]
A conjunctive sequence of individual matches of the subject attributes in the context and the embedded attribute values.
58 Element ltAnySubjectgtThe ltAnySubjectgt element SHALL match any subject attribute in the context
ltxselement name=AnySubjectgt
59 Element ltSubjectMatchgtThe ltSubjectMatchgt element SHALL identify a set of subject-related entities by matching attribute values in a ltxacml-contextSubjectgt element of the context with the embedded attribute value
<xs:element name="SubjectMatch" type="xacml:SubjectMatchType"/>
<xs:complexType name="SubjectMatchType">
  <xs:sequence>
    <xs:element ref="xacml:AttributeValue"/>
    <xs:choice>
      <xs:element ref="xacml:SubjectAttributeDesignator"/>
      <xs:element ref="xacml:AttributeSelector"/>
    </xs:choice>
  </xs:sequence>
  <xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
</xs:complexType>
The <SubjectMatch> element is of SubjectMatchType complex type.
The <SubjectMatch> element contains the following attributes and elements:
MatchId [Required]
Specifies a matching function. The value of this attribute MUST be of type xs:anyURI, with legal values documented in Section A.12.
<AttributeValue> [Required]
Embedded attribute value.
<SubjectAttributeDesignator> [Required Choice]
Identifies one or more attribute values in a <Subject> element of the context.
<AttributeSelector> [Required Choice]
MAY be used to identify one or more attribute values in the request context. The XPath expression SHOULD resolve to an attribute in a <Subject> element of the context.
5.10 Element <Resources>
The <Resources> element SHALL contain a disjunctive sequence of <Resource> elements.
<xs:element name="Resources" type="xacml:ResourcesType"/>
<xs:complexType name="ResourcesType">
  <xs:choice>
    <xs:element ref="xacml:Resource" maxOccurs="unbounded"/>
    <xs:element ref="xacml:AnyResource"/>
  </xs:choice>
</xs:complexType>
The <Resources> element is of ResourcesType complex type.
The <Resources> element contains the following elements:
<Resource> [One to Many, Required Choice]
See Section 5.11.
<AnyResource> [Required Choice]
See Section 5.12.
5.11 Element <Resource>
The <Resource> element SHALL contain a conjunctive sequence of <ResourceMatch> elements.
<xs:element name="Resource" type="xacml:ResourceType"/>
<xs:complexType name="ResourceType">
  <xs:sequence>
    <xs:element ref="xacml:ResourceMatch" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <Resource> element is of ResourceType complex type.
The <Resource> element contains the following elements:
<ResourceMatch> [One to Many]
A conjunctive sequence of individual matches of the resource attributes in the context and the embedded attribute values.
5.12 Element <AnyResource>
The <AnyResource> element SHALL match any resource attribute in the context.
<xs:element name="AnyResource"/>
5.13 Element <ResourceMatch>
The <ResourceMatch> element SHALL identify a set of resource-related entities by matching attribute values in the <xacml-context:Resource> element of the context with the embedded attribute value.
<xs:element name="ResourceMatch" type="xacml:ResourceMatchType"/>
<xs:complexType name="ResourceMatchType">
  <xs:sequence>
    <xs:element ref="xacml:AttributeValue"/>
    <xs:choice>
      <xs:element ref="xacml:ResourceAttributeDesignator"/>
      <xs:element ref="xacml:AttributeSelector"/>
    </xs:choice>
  </xs:sequence>
  <xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
</xs:complexType>
The <ResourceMatch> element is of ResourceMatchType complex type.
The <ResourceMatch> element contains the following attributes and elements:
MatchId [Required]
Specifies a matching function. Values of this attribute MUST be of type xs:anyURI, with legal values documented in Section A.12.
<AttributeValue> [Required]
Embedded attribute value.
<ResourceAttributeDesignator> [Required Choice]
Identifies one or more attribute values in the <Resource> element of the context.
<AttributeSelector> [Required Choice]
MAY be used to identify one or more attribute values in the request context. The XPath expression SHOULD resolve to an attribute in the <Resource> element of the context.
5.14 Element <Actions>
The <Actions> element SHALL contain a disjunctive sequence of <Action> elements.
<xs:element name="Actions" type="xacml:ActionsType"/>
<xs:complexType name="ActionsType">
  <xs:choice>
    <xs:element ref="xacml:Action" maxOccurs="unbounded"/>
    <xs:element ref="xacml:AnyAction"/>
  </xs:choice>
</xs:complexType>
The <Actions> element is of ActionsType complex type.
The <Actions> element contains the following elements:
<Action> [One to Many, Required Choice]
See Section 5.15.
<AnyAction> [Required Choice]
See Section 5.16.
5.15 Element <Action>
The <Action> element SHALL contain a conjunctive sequence of <ActionMatch> elements.
<xs:element name="Action" type="xacml:ActionType"/>
<xs:complexType name="ActionType">
  <xs:sequence>
    <xs:element ref="xacml:ActionMatch" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
The <Action> element is of ActionType complex type.
The <Action> element contains the following elements:
<ActionMatch> [One to Many]
A conjunctive sequence of individual matches of the action attributes in the context and the embedded attribute values.
5.16 Element <AnyAction>
The <AnyAction> element SHALL match any action attribute in the context.
<xs:element name="AnyAction"/>
5.17 Element <ActionMatch>
The <ActionMatch> element SHALL identify a set of action-related entities by matching attribute values in the <xacml-context:Action> element of the context with the embedded attribute value.
<xs:element name="ActionMatch" type="xacml:ActionMatchType"/>
<xs:complexType name="ActionMatchType">
  <xs:sequence>
    <xs:element ref="xacml:AttributeValue"/>
    <xs:choice>
      <xs:element ref="xacml:ActionAttributeDesignator"/>
      <xs:element ref="xacml:AttributeSelector"/>
    </xs:choice>
  </xs:sequence>
  <xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
</xs:complexType>
The <ActionMatch> element is of ActionMatchType complex type.
The <ActionMatch> element contains the following attributes and elements:
MatchId [Required]
Specifies a matching function. The value of this attribute MUST be of type xs:anyURI, with legal values documented in Section A.12.
<AttributeValue> [Required]
Embedded attribute value.
<ActionAttributeDesignator> [Required Choice]
Identifies one or more attribute values in the <Action> element of the context.
<AttributeSelector> [Required Choice]
MAY be used to identify one or more attribute values in the request context. The XPath expression SHOULD resolve to an attribute in the <Action> element of the context.
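The conjunctive and disjunctive structure of sections 5.5 to 5.17, as an added example that is not part of the specification: a small Python evaluator that decides whether a <Target> applies to a request context. The MatchId functions, the XACML 1.0 policy/context namespaces and both sample documents are assumptions; Issuer, SubjectCategory and <AttributeSelector> are not handled.

```python
# Added example (not spec code): a minimal <Target> evaluator with the structure of
# sections 5.5 to 5.17: <Target> is a conjunction of <Subjects>, <Resources> and
# <Actions>; each is a disjunction of <Subject>/<Resource>/<Action> alternatives
# (or a wildcard <Any*>); each alternative is a conjunction of <*Match> elements.
import re
import xml.etree.ElementTree as ET

NS = {"xacml": "urn:oasis:names:tc:xacml:1.0:policy",
      "ctx": "urn:oasis:names:tc:xacml:1.0:context"}
FN = "urn:oasis:names:tc:xacml:1.0:function:"
STR = "http://www.w3.org/2001/XMLSchema#string"

# MatchId -> function(embedded <AttributeValue>, context value); a subset of Appendix A.
MATCH_FUNCTIONS = {
    FN + "string-equal": lambda literal, value: literal == value,
    FN + "regexp-string-match": lambda literal, value: re.search(literal, value) is not None,
}

# (section, alternative, wildcard, match element, designator element)
SECTIONS = [
    ("Subjects", "Subject", "AnySubject", "SubjectMatch", "SubjectAttributeDesignator"),
    ("Resources", "Resource", "AnyResource", "ResourceMatch", "ResourceAttributeDesignator"),
    ("Actions", "Action", "AnyAction", "ActionMatch", "ActionAttributeDesignator"),
]


def context_bag(request, section, attribute_id, data_type):
    """Values of every <Attribute> in the request's <Subject>/<Resource>/<Action>
    elements whose AttributeId and DataType equal the designator's."""
    bag = []
    for attr in request.findall(f"ctx:{section}/ctx:Attribute", NS):
        if attr.get("AttributeId") == attribute_id and attr.get("DataType") == data_type:
            bag.extend(v.text or "" for v in attr.findall("ctx:AttributeValue", NS))
    return bag


def evaluate_match(match, request, section, designator_tag):
    """One <*Match>: true when MatchId(literal, v) holds for at least one value v in
    the designator's bag. <AttributeSelector> is OPTIONAL and not handled here."""
    designator = match.find(f"xacml:{designator_tag}", NS)
    if designator is None:
        raise NotImplementedError("<AttributeSelector> is not supported in this example")
    func = MATCH_FUNCTIONS[match.get("MatchId")]
    literal = match.find("xacml:AttributeValue", NS).text or ""
    bag = context_bag(request, section, designator.get("AttributeId"), designator.get("DataType"))
    return any(func(literal, value) for value in bag)


def evaluate_target(target, request):
    """AND over the three sections, OR over alternatives, AND over matches."""
    for plural, singular, any_tag, match_tag, designator_tag in SECTIONS:
        section = target.find(f"xacml:{plural}", NS)
        if section.find(f"xacml:{any_tag}", NS) is not None:
            continue                                  # <AnySubject> etc. always matches
        if not any(all(evaluate_match(m, request, singular, designator_tag)
                       for m in alt.findall(f"xacml:{match_tag}", NS))
                   for alt in section.findall(f"xacml:{singular}", NS)):
            return False                              # no alternative matched this section
    return True


def is_applicable(target_xml, request_xml):
    """Parse both documents and report whether the <Target> applies to the request."""
    return evaluate_target(ET.fromstring(target_xml), ET.fromstring(request_xml))


# Constructed policy target: example.com users may read either of two resources.
TARGET_XML = rf"""<Target xmlns="{NS['xacml']}">
  <Subjects><Subject>
    <SubjectMatch MatchId="{FN}regexp-string-match">
      <AttributeValue DataType="{STR}">@example\.com$</AttributeValue>
      <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="{STR}"/>
    </SubjectMatch>
  </Subject></Subjects>
  <Resources>
    <Resource><ResourceMatch MatchId="{FN}string-equal">
      <AttributeValue DataType="{STR}">/records/patient</AttributeValue>
      <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="{STR}"/>
    </ResourceMatch></Resource>
    <Resource><ResourceMatch MatchId="{FN}string-equal">
      <AttributeValue DataType="{STR}">/records/billing</AttributeValue>
      <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="{STR}"/>
    </ResourceMatch></Resource>
  </Resources>
  <Actions><Action>
    <ActionMatch MatchId="{FN}string-equal">
      <AttributeValue DataType="{STR}">read</AttributeValue>
      <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="{STR}"/>
    </ActionMatch>
  </Action></Actions>
</Target>"""

# Constructed request context (SubjectCategory omitted, so it defaults to access-subject).
REQUEST_XML = f"""<Request xmlns="{NS['ctx']}">
  <Subject><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="{STR}">
    <AttributeValue>alice@example.com</AttributeValue></Attribute></Subject>
  <Resource><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="{STR}">
    <AttributeValue>/records/billing</AttributeValue></Attribute></Resource>
  <Action><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="{STR}">
    <AttributeValue>read</AttributeValue></Attribute></Action>
</Request>"""
```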
5.18 Element <PolicySetIdReference>
The <PolicySetIdReference> element SHALL be used to reference a <PolicySet> element by id. If <PolicySetIdReference> is a URL, then it MAY be resolvable to the <PolicySet>. The mechanism for resolving a policy set reference to the corresponding policy set is outside the scope of this specification.
<xs:element name="PolicySetIdReference" type="xs:anyURI"/>
Element <PolicySetIdReference> is of xs:anyURI simple type.
5.19 Element <PolicyIdReference>
The <xacml:PolicyIdReference> element SHALL be used to reference a <Policy> element by id. If <PolicyIdReference> is a URL, then it MAY be resolvable to the <Policy>. The mechanism for resolving a policy reference to the corresponding policy is outside the scope of this specification.
<xs:element name="PolicyIdReference" type="xs:anyURI"/>
Element <PolicyIdReference> is of xs:anyURI simple type.
5.20 Element <Policy>
The <Policy> element is the smallest entity that SHALL be presented to the PDP for evaluation.
The main components of this element are the <Target>, <Rule> and <Obligations> elements and the RuleCombiningAlgId attribute.
The <Target> element SHALL define the applicability of the <Policy> to a set of decision requests.
Rules included in the <Policy> element MUST be combined by the algorithm specified by the RuleCombiningAlgId attribute.
The <Obligations> element SHALL contain a set of obligations that MUST be fulfilled by the PDP in conjunction with the authorization decision.
<xs:element name="Policy" type="xacml:PolicyType"/>
<xs:complexType name="PolicyType">
  <xs:sequence>
    <xs:element ref="xacml:Description" minOccurs="0"/>
    <xs:element ref="xacml:PolicyDefaults" minOccurs="0"/>
    <xs:element ref="xacml:Target"/>
    <xs:element ref="xacml:Rule" minOccurs="0" maxOccurs="unbounded"/>
    <xs:element ref="xacml:Obligations" minOccurs="0"/>
  </xs:sequence>
  <xs:attribute name="PolicyId" type="xs:anyURI" use="required"/>
  <xs:attribute name="RuleCombiningAlgId" type="xs:anyURI" use="required"/>
</xs:complexType>
The <Policy> element is of PolicyType complex type.
The <Policy> element contains the following attributes and elements:
PolicyId [Required]
Policy identifier. It is the responsibility of the PAP to ensure that no two policies visible to the PDP have the same identifier. This MAY be achieved by following a predefined URN or URI scheme. If the policy identifier is in the form of a URL, then it MAY be resolvable.
RuleCombiningAlgId [Required]
The identifier of the rule-combining algorithm by which the <Policy> components MUST be combined. Standard rule-combining algorithms are listed in Appendix C. Standard rule-combining algorithm identifiers are listed in Section B.10.
<Description> [Optional]
A free-form description of the policy. See Section 5.2, Element <Description>.
<PolicyDefaults> [Optional]
Defines a set of default values applicable to the policy. The scope of the <PolicyDefaults> element SHALL be the enclosing policy.
<Target> [Required]
The <Target> element SHALL define the applicability of a <Policy> to a set of decision requests.
The <Target> element MAY be declared by the creator of the <Policy> element, or it MAY be computed from the <Target> elements of the referenced <Rule> elements, either as an intersection or as a union.
<Rule> [Any Number]
A sequence of authorizations that MUST be combined according to the RuleCombiningAlgId attribute. Rules whose <Target> elements match the decision request MUST be considered. Rules whose <Target> elements do not match the decision request SHALL be ignored.
<Obligations> [Optional]
A conjunctive sequence of obligations that MUST be fulfilled by the PEP in conjunction with the authorization decision. See Section 7.11 for a description of how the set of obligations to be returned by the PDP SHALL be determined.
5.21 Element <PolicyDefaults>
The <PolicyDefaults> element SHALL specify default values that apply to the <Policy> element.
<xs:element name="PolicyDefaults" type="xacml:DefaultsType"/>
<xs:complexType name="DefaultsType">
  <xs:sequence>
    <xs:choice>
      <xs:element ref="xacml:XPathVersion" minOccurs="0"/>
    </xs:choice>
  </xs:sequence>
</xs:complexType>
The <PolicyDefaults> element is of DefaultsType complex type.
The <PolicyDefaults> element contains the following elements:
<XPathVersion> [Optional]
Default XPath version.
5.22 Element <Rule>
The <Rule> element SHALL define the individual rules in the policy. The main components of this element are the <Target> and <Condition> elements and the Effect attribute.
<xs:element name="Rule" type="xacml:RuleType"/>
<xs:complexType name="RuleType">
  <xs:sequence>
    <xs:element ref="xacml:Description" minOccurs="0"/>
    <xs:element ref="xacml:Target" minOccurs="0"/>
    <xs:element ref="xacml:Condition" minOccurs="0"/>
  </xs:sequence>
  <xs:attribute name="RuleId" type="xs:anyURI" use="required"/>
  <xs:attribute name="Effect" type="xacml:EffectType" use="required"/>
</xs:complexType>
The <Rule> element is of RuleType complex type.
The <Rule> element contains the following attributes and elements:
RuleId [Required]
A URN identifying this rule.
Effect [Required]
Rule effect. Values of this attribute are either "Permit" or "Deny".
<Description> [Optional]
A free-form description of the rule.
<Target> [Optional]
Identifies the set of decision requests that the <Rule> element is intended to evaluate. If this element is omitted, then the target for the <Rule> SHALL be defined by the <Target> element of the enclosing <Policy> element. See Section 5.5 for details.
<Condition> [Optional]
A predicate that MUST be satisfied for the rule to be assigned its Effect value. A condition is a boolean function over a combination of subject, resource, action and environment attributes or other functions.
5.23 Simple type EffectType
The EffectType simple type defines the values allowed for the Effect attribute of the <Rule> element and for the FulfillOn attribute of the <Obligation> element.
<xs:simpleType name="EffectType">
  <xs:restriction base="xs:string">
    <xs:enumeration value="Permit"/>
    <xs:enumeration value="Deny"/>
  </xs:restriction>
</xs:simpleType>
5.24 Element <Condition>
The <Condition> element is a boolean function over subject, resource, action and environment attributes or functions of attributes. If the <Condition> element evaluates to True, then the enclosing <Rule> element is assigned its Effect value.
<xs:element name="Condition" type="xacml:ApplyType"/>
The <Condition> element is of ApplyType complex type.
5.25 Element <Apply>
The <Apply> element denotes application of a function to its arguments, thus encoding a function call. The <Apply> element can be applied to any combination of <Apply>, <AttributeValue>, <SubjectAttributeDesignator>, <ResourceAttributeDesignator>, <ActionAttributeDesignator>, <EnvironmentAttributeDesignator> and <AttributeSelector> arguments.
<xs:element name="Apply" type="xacml:ApplyType"/>
<xs:complexType name="ApplyType">
  <xs:choice minOccurs="0" maxOccurs="unbounded">
    <xs:element ref="xacml:Function"/>
    <xs:element ref="xacml:Apply"/>
    <xs:element ref="xacml:AttributeValue"/>
    <xs:element ref="xacml:SubjectAttributeDesignator"/>
    <xs:element ref="xacml:ResourceAttributeDesignator"/>
    <xs:element ref="xacml:ActionAttributeDesignator"/>
    <xs:element ref="xacml:EnvironmentAttributeDesignator"/>
    <xs:element ref="xacml:AttributeSelector"/>
  </xs:choice>
  <xs:attribute name="FunctionId" type="xs:anyURI" use="required"/>
</xs:complexType>
The <Apply> element is of ApplyType complex type.
The <Apply> element contains the following attributes and elements:
FunctionId [Required]
The URN of a function. XACML-defined functions are described in Appendix A.
<Function> [Optional]
The name of a function that is applied to the elements of a bag. See Section A.14.11.
<Apply> [Optional]
A nested function-call argument.
<AttributeValue> [Optional]
A literal value argument.
<SubjectAttributeDesignator> [Optional]
A subject attribute argument.
<ResourceAttributeDesignator> [Optional]
A resource attribute argument.
<ActionAttributeDesignator> [Optional]
An action attribute argument.
<EnvironmentAttributeDesignator> [Optional]
An environment attribute argument.
<AttributeSelector> [Optional]
An attribute selector argument.
5.26 Element <Function>
The <Function> element SHALL be used to name a function that is applied by the higher-order bag functions to every element of a bag. The higher-order bag functions are described in Section A.14.11.
<xs:element name="Function" type="xacml:FunctionType"/>
<xs:complexType name="FunctionType">
  <xs:attribute name="FunctionId" type="xs:anyURI" use="required"/>
</xs:complexType>
The <Function> element is of FunctionType complex type.
The <Function> element contains the following attributes:
FunctionId [Required]
The identifier for the function that is applied to the elements of a bag by the higher-order bag functions.
5.27 Complex type AttributeDesignatorType
The AttributeDesignatorType complex type is the type for elements and extensions that identify attributes. An element of this type contains properties by which it MAY be matched to attributes in the request context.
In addition, elements of this type MAY control behaviour in the event that no matching attribute is present in the context.
Elements of this type SHALL NOT alter the match semantics of named attributes, but MAY narrow the search space.
<xs:complexType name="AttributeDesignatorType">
  <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
  <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
  <xs:attribute name="Issuer" type="xs:string" use="optional"/>
  <xs:attribute name="MustBePresent" type="xs:boolean" use="optional" default="false"/>
</xs:complexType>
A named attribute SHALL match an attribute if the values of their respective AttributeId, DataType and Issuer attributes match. The attribute designator's AttributeId MUST match, by URI equality, the AttributeId of the attribute. The attribute designator's DataType MUST match, by URI equality, the DataType of the same attribute.
If the Issuer attribute is present in the attribute designator, then it MUST match, by string equality, the Issuer of the same attribute. If the Issuer is not present in the attribute designator, then the matching of the attribute to the named attribute SHALL be governed by the AttributeId and DataType attributes alone.
The AttributeDesignatorType complex type contains the following attributes:
AttributeId [Required]
This attribute SHALL specify the AttributeId with which to match the attribute.
DataType [Required]
This attribute SHALL specify the data-type with which to match the attribute.
Issuer [Optional]
This attribute, if supplied, SHALL specify the Issuer with which to match the attribute.
MustBePresent [Optional]
This attribute governs whether the element returns "Indeterminate" in the case where the named attribute is absent. If the named attribute is absent and MustBePresent is "True", then this element SHALL result in "Indeterminate". The default value SHALL be "False".
5.28 Element <SubjectAttributeDesignator>
The <SubjectAttributeDesignator> element is of the SubjectAttributeDesignatorType. The SubjectAttributeDesignatorType complex type extends the AttributeDesignatorType complex type. It is the base type for elements and extensions that refer to named categorized subject attributes. A named categorized subject attribute is defined as follows:
A subject is represented by a <Subject> element in the <xacml-context:Request> element. Each <Subject> element SHALL contain the XML attribute SubjectCategory. This attribute is called the subject category attribute.
A categorized subject is a subject that is identified by a particular subject category attribute.
A subject attribute is an attribute of a particular subject, i.e. contained within a <Subject> element.
A named subject attribute is a named attribute for a subject.
A named categorized subject attribute is a named subject attribute for a particular categorized subject.
The SubjectAttributeDesignatorType complex type extends the AttributeDesignatorType with a SubjectCategory attribute. The SubjectAttributeDesignatorType extends the match semantics of the AttributeDesignatorType such that it narrows the attribute search space to the specific categorized subject, such that the value of this element's SubjectCategory attribute matches, by URI equality, the value of the <Request> element's subject category attribute.
If there are multiple subjects with the same SubjectCategory XML attribute, then they SHALL be treated as if they were one categorized subject.
Elements and extensions of the SubjectAttributeDesignatorType complex type determine the presence of select attribute values associated with named categorized subject attributes. Elements and extensions of the SubjectAttributeDesignatorType SHALL NOT alter the match semantics of named categorized subject attributes, but MAY narrow the search space.
<xs:complexType name="SubjectAttributeDesignatorType">
  <xs:complexContent>
    <xs:extension base="xacml:AttributeDesignatorType">
      <xs:attribute name="SubjectCategory" type="xs:anyURI" use="optional" default="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"/>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
The SubjectAttributeDesignatorType complex type contains the following attribute, in addition to the attributes of the AttributeDesignatorType complex type:
SubjectCategory [Optional]
This attribute SHALL specify the categorized subject from which to match named subject attributes. If SubjectCategory is not present, then its default value of "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" SHALL be used.
5.29 Element <ResourceAttributeDesignator>
The <ResourceAttributeDesignator> element retrieves a bag of values for a named resource attribute. A resource attribute is an attribute contained within the <Resource> element of the <xacml-context:Request> element. A named resource attribute is a named attribute that matches a resource attribute. A named resource attribute SHALL be considered present if there is at least one resource attribute that matches the criteria set out below. A resource attribute value is an attribute value that is contained within a resource attribute.
The <ResourceAttributeDesignator> element SHALL return a bag containing all the resource attribute values that are matched by the named resource attribute. The MustBePresent attribute governs whether this element returns an empty bag or "Indeterminate" in the case that the named resource attribute is absent. If the named resource attribute is not present and the MustBePresent attribute is "False" (its default value), then this element SHALL evaluate to an empty bag. If the named resource attribute is not present and the MustBePresent attribute is "True", then this element SHALL evaluate to "Indeterminate". Regardless of the MustBePresent attribute, if it cannot be determined whether the named resource attribute is present or not in the request context, or the value of the named resource attribute is unavailable, then the expression SHALL evaluate to "Indeterminate".
A named resource attribute SHALL match a resource attribute as per the match semantics specified in the AttributeDesignatorType complex type [Section 5.27].
The <ResourceAttributeDesignator> MAY appear in the <ResourceMatch> element and MAY be passed to the <Apply> element as an argument.
<xs:element name="ResourceAttributeDesignator" type="xacml:AttributeDesignatorType"/>
The <ResourceAttributeDesignator> element is of the AttributeDesignatorType complex type.
5.30 Element <ActionAttributeDesignator>
The <ActionAttributeDesignator> element retrieves a bag of values for a named action attribute. An action attribute is an attribute contained within the <Action> element of the <xacml-context:Request> element. A named action attribute has specific criteria (described below) with which to match an action attribute. A named action attribute SHALL be considered present if there is at least one action attribute that matches the criteria. An action attribute value is an attribute value that is contained within an action attribute.
The <ActionAttributeDesignator> element SHALL return a bag of all the action attribute values that are matched by the named action attribute. The MustBePresent attribute governs whether this element returns an empty bag or "Indeterminate" in the case that the named action attribute is absent. If the named action attribute is not present and the MustBePresent attribute is "False" (its default value), then this element SHALL evaluate to an empty bag. If the named action attribute is not present and the MustBePresent attribute is "True", then this element SHALL evaluate to "Indeterminate". Regardless of the MustBePresent attribute, if it cannot be determined whether the named action attribute is present or not present in the request context, or the value of the named action attribute is unavailable, then the expression SHALL evaluate to "Indeterminate".
A named action attribute SHALL match an action attribute as per the match semantics specified in the AttributeDesignatorType complex type [Section 5.27].
The <ActionAttributeDesignator> MAY appear in the <ActionMatch> element and MAY be passed to the <Apply> element as an argument.
<xs:element name="ActionAttributeDesignator" type="xacml:AttributeDesignatorType"/>
The <ActionAttributeDesignator> element is of the AttributeDesignatorType complex type.
5.31 Element <EnvironmentAttributeDesignator>
The <EnvironmentAttributeDesignator> element retrieves a bag of values for a named environment attribute. An environment attribute is an attribute contained within the <Environment> element of the <xacml-context:Request> element. A named environment attribute has specific criteria (described below) with which to match an environment attribute. A named environment attribute SHALL be considered present if there is at least one environment attribute that matches the criteria. An environment attribute value is an attribute value that is contained within an environment attribute.
The <EnvironmentAttributeDesignator> element SHALL evaluate to a bag of all the environment attribute values that are matched by the named environment attribute. The MustBePresent attribute governs whether this element returns an empty bag or "Indeterminate" in the case that the named environment attribute is absent. If the named environment attribute is not present and the MustBePresent attribute is "False" (its default value), then this element SHALL evaluate to an empty bag. If the named environment attribute is not present and the MustBePresent attribute is "True", then this element SHALL evaluate to "Indeterminate". Regardless of the MustBePresent attribute, if it cannot be determined whether the named environment attribute is present or not present in the request context, or the value of the named environment attribute is unavailable, then the expression SHALL evaluate to "Indeterminate".
A named environment attribute SHALL match an environment attribute as per the match semantics specified in the AttributeDesignatorType complex type [Section 5.27].
The <EnvironmentAttributeDesignator> MAY be passed to the <Apply> element as an argument.
<xs:element name="EnvironmentAttributeDesignator" type="xacml:AttributeDesignatorType"/>
The <EnvironmentAttributeDesignator> element is of the AttributeDesignatorType complex type.
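Added example, not text of the specification: the AttributeDesignatorType match semantics of sections 5.27 to 5.31 (AttributeId and DataType by URI equality, Issuer only when the designator names one, MustBePresent choosing between an empty bag and Indetermin­ate) together with the SubjectCategory narrowing of section 5.28, applied to a constructed request in the XACML 1.0 context namespace. The role attribute identifier and the use of the missing-attribute status code for designators are assumptions.

```python
# Added example (not spec code): evaluating an attribute designator with the
# AttributeDesignatorType match semantics of sections 5.27 to 5.31 and the
# SubjectCategory narrowing of section 5.28. A result is (bag, None), or
# (None, status URI) when the designator evaluates to Indeterminate.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

NS = {"ctx": "urn:oasis:names:tc:xacml:1.0:context"}
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RECIPIENT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject"
MISSING_ATTRIBUTE = "urn:oasis:names:tc:xacml:1.0:status:missing-attribute"
STR = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE = "urn:example:subject:role"            # constructed attribute identifier


@dataclass
class Designator:
    """The attributes of AttributeDesignatorType plus the context section it reads."""
    section: str                             # "Subject", "Resource", "Action" or "Environment"
    attribute_id: str
    data_type: str
    issuer: Optional[str] = None             # absent: match on AttributeId and DataType alone
    must_be_present: bool = False
    subject_category: str = ACCESS_SUBJECT   # used only when section == "Subject"


def evaluate_designator(request, d):
    """Return (bag, None), or (None, status) when the result is Indeterminate."""
    containers = request.findall(f"ctx:{d.section}", NS)
    if d.section == "Subject":
        # Every <Subject> carrying the designator's SubjectCategory (default
        # access-subject) is treated as one categorized subject; others are ignored.
        containers = [s for s in containers
                      if s.get("SubjectCategory", ACCESS_SUBJECT) == d.subject_category]
    bag = []
    for container in containers:
        for attr in container.findall("ctx:Attribute", NS):
            # AttributeId and DataType match by URI equality (string comparison here).
            if attr.get("AttributeId") != d.attribute_id or attr.get("DataType") != d.data_type:
                continue
            # Issuer is compared by string equality only if the designator names one.
            if d.issuer is not None and attr.get("Issuer") != d.issuer:
                continue
            bag.extend(v.text or "" for v in attr.findall("ctx:AttributeValue", NS))
    if not bag and d.must_be_present:
        # Status code as section 5.32 assigns for <AttributeSelector>; assumed for designators.
        return None, MISSING_ATTRIBUTE
    return bag, None


def parse_request(xml_text):
    return ET.fromstring(xml_text)


# Constructed request: two access-subject entries for the same user (one role per
# issuer), plus a recipient-subject with its own subject-id; no <Environment>.
REQUEST_XML = f"""<Request xmlns="{NS['ctx']}">
  <Subject>
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{STR}"><AttributeValue>alice</AttributeValue></Attribute>
    <Attribute AttributeId="{ROLE}" DataType="{STR}" Issuer="hr"><AttributeValue>clinician</AttributeValue></Attribute>
  </Subject>
  <Subject SubjectCategory="{ACCESS_SUBJECT}">
    <Attribute AttributeId="{ROLE}" DataType="{STR}" Issuer="ldap"><AttributeValue>auditor</AttributeValue></Attribute>
  </Subject>
  <Subject SubjectCategory="{RECIPIENT_SUBJECT}">
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{STR}"><AttributeValue>bob</AttributeValue></Attribute>
  </Subject>
  <Resource><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="{STR}">
    <AttributeValue>/records/1001</AttributeValue></Attribute></Resource>
  <Action><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="{STR}">
    <AttributeValue>read</AttributeValue></Attribute></Action>
</Request>"""
```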
5.32 Element <AttributeSelector>
The <AttributeSelector> element's RequestContextPath XML attribute SHALL contain a legal XPath expression whose context node is the <xacml-context:Request> element. The <AttributeSelector> element SHALL evaluate to a bag of values whose data-type is specified by the element's DataType attribute. If the DataType specified in the <AttributeSelector> is a primitive data type defined in [XF] or [XS], then the value returned by the XPath expression SHALL be converted to the DataType specified in the <AttributeSelector> using the constructor function below [XF, Section 4] that corresponds to the DataType. If an error results from using the constructor function, then the value of the <AttributeSelector> SHALL be Indeterminate.
xs:string(), xs:boolean(), xs:integer(), xs:double(), xs:dateTime(), xs:date(), xs:time(), xs:hexBinary(), xs:base64Binary(), xs:anyURI(), xf:yearMonthDuration(), xf:dayTimeDuration()
If the DataType specified in the <AttributeSelector> is not one of the preceding primitive DataTypes, then the <AttributeSelector> SHALL return a bag of instances of the specified DataType. If there are errors encountered in converting the values returned by the XPath expression to the specified DataType, then the result of the <AttributeSelector> SHALL be Indeterminate.
Each node selected by the specified XPath expression MUST be either a text node, an attribute node, a processing instruction node or a comment node. The string representation of the value of each selected node MUST be converted to an attribute value of the specified data type, and the result of the <AttributeSelector> is the bag of the attribute values generated from all the selected nodes.
If a selected node is of a type other than those listed above (a text node, an attribute node, a processing-instruction node or a comment node), then the result of that policy SHALL be "Indeterminate" with a StatusCode value of "urn:oasis:names:tc:xacml:1.0:status:syntax-error".

Support for the <AttributeSelector> element is OPTIONAL.

<xs:element name="AttributeSelector" type="xacml:AttributeSelectorType"/>
<xs:complexType name="AttributeSelectorType">
  <xs:attribute name="RequestContextPath" type="xs:string" use="required"/>
  <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
  <xs:attribute name="MustBePresent" type="xs:boolean" use="optional" default="false"/>
</xs:complexType>

The <AttributeSelector> element is of AttributeSelectorType complex type.

The <AttributeSelector> element has the following attributes:

RequestContextPath [Required]
An XPath expression whose context node is the <xacml-context:Request> element. There SHALL be no restriction on the XPath syntax.

DataType [Required]
The bag of values returned by the <AttributeSelector> SHALL be of this data-type.

MustBePresent [Optional]
Whether or not the designated attribute must be present in the context. If the XPath expression selects no node and the MustBePresent attribute is "True", then the result SHALL be "Indeterminate" and the status code SHALL be "urn:oasis:names:tc:xacml:1.0:status:missing-attribute". If the XPath expression selects no node and the MustBePresent attribute is missing or "False", then the result SHALL be an empty bag. If the XPath expression selects at least one node and the selected node(s) can be successfully converted to a bag of values of the specified data-type, then the result SHALL be that bag, regardless of the value of the MustBePresent attribute. If the XPath expression selects at least one node but there is an error in converting one or more of the nodes to values of the specified data-type, then the result SHALL be "Indeterminate" and the status code SHALL be "urn:oasis:names:tc:xacml:1.0:status:processing-error", regardless of the value of the MustBePresent attribute.
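The conversion, node-type and MustBePresent rules above, worked through as an added example that is not part of the specification. It assumes the RequestContextPath is limited to the path subset xml.etree understands (element steps ending in "@name" or "text()"), and the "rec" namespace and patient record are a constructed sample.

```python
# Added example, not taken from the XACML specification: evaluation of an
# <AttributeSelector> against an <xacml-context:Request>, following the
# conversion and MustBePresent rules of Section 5.3.2.
#
# Assumption: the RequestContextPath is restricted to the path subset that
# xml.etree.ElementTree understands, with a final step of "@name" (attribute
# node) or "text()" (text node).  The specification itself places no
# restriction on XPath syntax; a full implementation needs a real XPath engine.
import xml.etree.ElementTree as ET

XACML_CTX = "urn:oasis:names:tc:xacml:1.0:context"
XS = "http://www.w3.org/2001/XMLSchema#"
STATUS = "urn:oasis:names:tc:xacml:1.0:status:"
# Namespace prefixes usable in paths; "rec" is a constructed sample namespace.
NS = {"xacml-context": XACML_CTX, "rec": "urn:example:record"}


def _xs_boolean(text):
    """Constructor function xs:boolean(); raises ValueError on a bad lexical value."""
    value = text.strip()
    if value in ("true", "1"):
        return True
    if value in ("false", "0"):
        return False
    raise ValueError("not an xs:boolean: %r" % text)


# Constructor functions for a subset of the primitive data types listed in
# Section 5.3.2.  Each raises ValueError when conversion fails.
CONSTRUCTORS = {
    XS + "string": str,
    XS + "boolean": _xs_boolean,
    XS + "integer": lambda t: int(t.strip()),
    XS + "double": lambda t: float(t.strip()),
    XS + "anyURI": lambda t: t.strip(),
}


def evaluate_selector(request_xml, path, data_type, must_be_present=False):
    """Return (bag, status).  bag is the list of converted values; status is
    STATUS + "ok", or the status code of an "Indeterminate" result, in which
    case bag is empty."""
    root = ET.fromstring(request_xml)
    if root.tag != "{%s}Request" % XACML_CTX:
        return [], STATUS + "syntax-error"  # context node must be <Request>
    steps = path.strip("/").split("/")
    last = steps[-1]
    if not (last.startswith("@") or last == "text()"):
        # Only text, attribute, processing-instruction and comment nodes may
        # be selected; an element node is a syntax error (Section 5.3.2).
        return [], STATUS + "syntax-error"
    element_path = "/".join(steps[:-1]) or "."
    try:
        elements = root.findall(element_path, namespaces=NS)
    except (SyntaxError, KeyError):
        return [], STATUS + "syntax-error"  # malformed path or unknown prefix
    if last == "text()":
        strings = [e.text for e in elements if e.text is not None]
    else:
        name = last[1:]
        strings = [e.get(name) for e in elements if e.get(name) is not None]
    if not strings:
        # MustBePresent decides between missing-attribute and an empty bag.
        if must_be_present:
            return [], STATUS + "missing-attribute"
        return [], STATUS + "ok"
    constructor = CONSTRUCTORS.get(data_type)
    if constructor is None:
        # Non-primitive DataTypes need their own constructors (not shown here).
        return [], STATUS + "processing-error"
    try:
        return [constructor(s) for s in strings], STATUS + "ok"
    except ValueError:
        # Conversion failure is Indeterminate regardless of MustBePresent.
        return [], STATUS + "processing-error"


# Constructed sample request: the resource content carries a patient record.
SAMPLE_REQUEST = """<Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
         xmlns:rec="urn:example:record">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>alice</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <ResourceContent>
      <rec:record>
        <rec:patient age="42" verified="yes"><rec:name>Bob</rec:name></rec:patient>
      </rec:record>
    </ResourceContent>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>urn:example:record:17</AttributeValue>
    </Attribute>
  </Resource>
  <Action/>
</Request>"""

# Path to the constructed patient element, relative to <Request>.
PATIENT = ("xacml-context:Resource/xacml-context:ResourceContent"
           "/rec:record/rec:patient")

if __name__ == "__main__":
    print(evaluate_selector(SAMPLE_REQUEST, PATIENT + "/@age", XS + "integer"))
    print(evaluate_selector(SAMPLE_REQUEST, PATIENT + "/@verified", XS + "boolean"))
```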
5.3.3 Element <AttributeValue>

The <AttributeValue> element SHALL contain a literal attribute value.

<xs:element name="AttributeValue" type="xacml:AttributeValueType"/>
<xs:complexType name="AttributeValueType" mixed="true">
  <xs:sequence>
    <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
  <xs:anyAttribute namespace="##any" processContents="lax"/>
</xs:complexType>
The <AttributeValue> element is of AttributeValueType complex type.

The <AttributeValue> element has the following attributes:

DataType [Required]
The data-type of the attribute value.

5.3.4 Element <Obligations>

The <Obligations> element SHALL contain a set of <Obligation> elements.

Support for the <Obligations> element is OPTIONAL.

<xs:element name="Obligations" type="xacml:ObligationsType"/>
<xs:complexType name="ObligationsType">
  <xs:sequence>
    <xs:element ref="xacml:Obligation" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>

The <Obligations> element is of ObligationsType complex type.

The <Obligations> element contains the following element:

<Obligation> [One to Many]
A sequence of obligations.

5.3.5 Element <Obligation>

The <Obligation> element SHALL contain an identifier for the obligation and a set of attributes that form arguments of the action defined by the obligation. The FulfillOn attribute SHALL indicate the effect for which this obligation applies.

<xs:element name="Obligation" type="xacml:ObligationType"/>
<xs:complexType name="ObligationType">
  <xs:sequence>
    <xs:element ref="xacml:AttributeAssignment" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:attribute name="ObligationId" type="xs:anyURI" use="required"/>
  <xs:attribute name="FulfillOn" type="xacml:EffectType" use="required"/>
</xs:complexType>

The <Obligation> element is of ObligationType complex type. See Section 7.11 for a description of how the set of obligations to be returned by the PDP is determined.

The <Obligation> element contains the following elements and attributes:

ObligationId [Required]
Obligation identifier. The value of the obligation identifier SHALL be interpreted by the PEP.

FulfillOn [Required]
The effect for which this obligation applies.

<AttributeAssignment> [One to Many]
Obligation arguments assignment. The values of the obligation arguments SHALL be interpreted by the PEP.
5.3.6 Element <AttributeAssignment>

The <AttributeAssignment> element SHALL contain an AttributeId and the corresponding attribute value. The AttributeId is part of the attribute meta-data and is used when the attribute cannot be referenced by its location in the <xacml-context:Request>. This situation may arise in an <Obligation> element if the obligation includes parameters. The <AttributeAssignment> element MAY be used in any way consistent with the schema syntax, which is a sequence of "any". The value specified SHALL be understood by the PEP, but it is not further specified by XACML. See Section 7.11, "Obligations".

<xs:element name="AttributeAssignment" type="xacml:AttributeAssignmentType"/>
<xs:complexType name="AttributeAssignmentType" mixed="true">
  <xs:complexContent>
    <xs:extension base="xacml:AttributeValueType">
      <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>

The <AttributeAssignment> element is of AttributeAssignmentType complex type.

The <AttributeAssignment> element contains the following attributes:

AttributeId [Required]
The attribute identifier.

6 Context syntax (normative, with the exception of the schema fragments)

6.1 Element <Request>

The <Request> element is a top-level element in the XACML context schema. The <Request> element is an abstraction layer used by the policy language. Any proprietary system using the XACML specification MUST transform its decision request into the form of an XACML context <Request>.

The <Request> element contains <Subject>, <Resource>, <Action> and <Environment> elements. There may be multiple <Subject> elements. Each child element contains a sequence of <xacml-context:Attribute> elements associated with the subject, resource, action and environment respectively.

<xs:element name="Request" type="xacml-context:RequestType"/>
<xs:complexType name="RequestType">
  <xs:sequence>
    <xs:element ref="xacml-context:Subject" maxOccurs="unbounded"/>
    <xs:element ref="xacml-context:Resource"/>
    <xs:element ref="xacml-context:Action"/>
    <xs:element ref="xacml-context:Environment" minOccurs="0"/>
  </xs:sequence>
</xs:complexType>

The <Request> element is of RequestType complex type.

The <Request> element contains the following elements:
<Subject> [One to Many]
Specifies information about a subject of the request context by listing a sequence of <Attribute> elements associated with the subject. One or more <Subject> elements are allowed. A subject is an entity associated with the access request. One subject might represent the human user that initiated the application from which the request was issued. Another subject might represent the application's executable code that created the request. Another subject might represent the machine on which the application was executing. Another subject might represent the entity that is to be the recipient of the resource. Attributes of each of these entities MUST be enclosed in a separate <Subject> element.

<Resource> [Required]
Specifies information about the resource for which access is being requested by listing a sequence of <Attribute> elements associated with the resource. It MAY include a <ResourceContent> element.

<Action> [Required]
Specifies the requested action to be performed on the resource by listing a set of <Attribute> elements associated with the action.

<Environment> [Optional]
Contains a set of <Attribute> elements of the environment. These <Attribute> elements MAY form a part of policy evaluation.

6.2 Element <Subject>

The <Subject> element specifies a subject by listing a sequence of <Attribute> elements associated with the subject.

<xs:element name="Subject" type="xacml-context:SubjectType"/>
<xs:complexType name="SubjectType">
  <xs:sequence>
    <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:attribute name="SubjectCategory" type="xs:anyURI" use="optional"
                default="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"/>
</xs:complexType>

The <Subject> element is of SubjectType complex type.

The <Subject> element contains the following attribute and elements:

SubjectCategory [Optional]
This attribute indicates the role that the parent <Subject> played in the formation of the access request. If this attribute is not present in a given <Subject> element, then the default value of "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" SHALL be used, indicating that the parent <Subject> element represents the entity ultimately responsible for initiating the access request.

If more than one <Subject> element contains a "urn:oasis:names:tc:xacml:1.0:subject-category" attribute with the same value, then the PDP SHALL treat the contents of those elements as if they were contained in the same <Subject> element.

<Attribute> [Any Number]
A sequence of attributes that apply to the subject.

Typically, a <Subject> element will contain an <Attribute> with an AttributeId of "urn:oasis:names:tc:xacml:1.0:subject:subject-id", containing the identity of the subject.

A <Subject> element MAY contain additional <Attribute> elements.

6.3 Element <Resource>

The <Resource> element specifies information about the resource to which access is requested by listing a sequence of <Attribute> elements associated with the resource. It MAY include the resource content.

<xs:element name="Resource" type="xacml-context:ResourceType"/>
<xs:complexType name="ResourceType">
  <xs:sequence>
    <xs:element ref="xacml-context:ResourceContent" minOccurs="0"/>
    <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>

The <Resource> element is of ResourceType complex type.

The <Resource> element contains the following elements:

<ResourceContent> [Optional]
The resource content.

<Attribute> [Any Number]
A sequence of resource attributes. The <Resource> element MUST contain one and only one <Attribute> with an AttributeId of "urn:oasis:names:tc:xacml:1.0:resource:resource-id". This attribute specifies the identity of the resource to which access is requested.

A <Resource> element MAY contain additional <Attribute> elements.

6.4 Element <ResourceContent>

The <ResourceContent> element is a notional placeholder for the resource content. If an XACML policy references the contents of the resource, then the <ResourceContent> element SHALL be used as the reference point.

<xs:complexType name="ResourceContentType" mixed="true">
  <xs:sequence>
    <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:anyAttribute namespace="##any" processContents="lax"/>
</xs:complexType>

The <ResourceContent> element is of ResourceContentType complex type.

The <ResourceContent> element allows arbitrary elements and attributes.
6.5 Element <Action>

The <Action> element specifies the requested action on the resource by listing a set of <Attribute> elements associated with the action.

<xs:element name="Action" type="xacml-context:ActionType"/>
<xs:complexType name="ActionType">
  <xs:sequence>
    <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>

The <Action> element is of ActionType complex type.

The <Action> element contains the following elements:

<Attribute> [Any Number]
List of attributes of the action to be performed on the resource.

6.6 Element <Environment>

The <Environment> element contains a set of attributes of the environment. These attributes MAY form part of the policy evaluation.

<xs:element name="Environment" type="xacml-context:EnvironmentType"/>
<xs:complexType name="EnvironmentType">
  <xs:sequence>
    <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>

The <Environment> element is of EnvironmentType complex type.

The <Environment> element contains the following elements:

<Attribute> [Any Number]
A list of environment attributes. Environment attributes are attributes that are not associated with either the resource, the action or any of the subjects of the access request.

6.7 Element <Attribute>

The <Attribute> element is the central abstraction of the request context. It contains an attribute value and attribute meta-data. The attribute meta-data comprises the attribute identifier, the attribute issuer and the attribute issue instant. Attribute designators and attribute selectors in the policy MAY refer to attributes by means of this meta-data.

<xs:element name="Attribute" type="xacml-context:AttributeType"/>
<xs:complexType name="AttributeType">
  <xs:sequence>
    <xs:element ref="xacml-context:AttributeValue"/>
  </xs:sequence>
  <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
  <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
  <xs:attribute name="Issuer" type="xs:string" use="optional"/>
  <xs:attribute name="IssueInstant" type="xs:dateTime" use="optional"/>
</xs:complexType>
The <Attribute> element is of AttributeType complex type.

The <Attribute> element contains the following attributes and elements:

AttributeId [Required]
Attribute identifier. A number of identifiers are reserved by XACML to denote commonly used attributes.

DataType [Required]
The data-type of the contents of the <AttributeValue> element. This SHALL be either a primitive type defined by the XACML 1.0 specification or a type defined in a namespace declared in the <xacml-context> element.

Issuer [Optional]
Attribute issuer. This attribute value MAY be an x500Name that binds to a public key, or it may be some other identifier exchanged out-of-band by the issuing and relying parties.

IssueInstant [Optional]
The date and time at which the attribute was issued.

<AttributeValue> [Required]
Exactly one attribute value. The mandatory attribute value MAY have contents that are empty, occur once or occur multiple times.

6.8 Element <AttributeValue>

The <AttributeValue> element contains the value of an attribute.

<xs:element name="AttributeValue" type="xacml-context:AttributeValueType"/>
<xs:complexType name="AttributeValueType" mixed="true">
  <xs:sequence>
    <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:anyAttribute namespace="##any" processContents="lax"/>
</xs:complexType>

The <AttributeValue> element is of AttributeValueType complex type.

The data-type of the <AttributeValue> MAY be specified by using the DataType attribute of the parent <Attribute> element.

6.9 Element <Response>

The <Response> element is a top-level element in the XACML context schema. The <Response> element is an abstraction layer used by the policy language. Any proprietary system using the XACML specification MUST transform an XACML context <Response> into the form of its authorization decision.
The <Response> element encapsulates the authorization decision produced by the PDP. It includes a sequence of one or more results, with one <Result> element per requested resource. Multiple results MAY be returned when the value of the "urn:oasis:names:tc:xacml:1.0:resource:scope" resource attribute in the request context is "Descendants" or "Children". Support for multiple results is OPTIONAL.

<xs:element name="Response" type="xacml-context:ResponseType"/>
<xs:complexType name="ResponseType">
  <xs:sequence>
    <xs:element ref="xacml-context:Result" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>

The <Response> element is of ResponseType complex type.

The <Response> element contains the following elements:

<Result> [One to Many]
An authorization decision result.

6.10 Element <Result>

The <Result> element represents an authorization decision result for the resource specified by the ResourceId attribute. It MAY include a set of obligations that MUST be fulfilled by the PEP. If the PEP does not understand an obligation, then it MUST act as if the PDP had denied access to the requested resource.

<xs:element name="Result" type="xacml-context:ResultType"/>
<xs:complexType name="ResultType">
  <xs:sequence>
    <xs:element ref="xacml-context:Decision"/>
    <xs:element ref="xacml-context:Status"/>
    <xs:element ref="xacml:Obligations" minOccurs="0"/>
  </xs:sequence>
  <xs:attribute name="ResourceId" type="xs:string" use="optional"/>
</xs:complexType>

The <Result> element is of ResultType complex type.

The <Result> element contains the following attributes and elements:

ResourceId [Optional]
The identifier of the requested resource. If this attribute is omitted, then the resource identity is specified by the "urn:oasis:names:tc:xacml:1.0:resource:resource-id" resource attribute in the corresponding <Request> element.

<Decision> [Required]
The authorization decision: "Permit", "Deny", "Indeterminate" or "NotApplicable".

<Status> [Required]
Indicates whether errors occurred during evaluation of the decision request and, optionally, information about those errors.

<xacml:Obligations> [Optional]
A list of obligations that MUST be fulfilled by the PEP. If the PEP does not understand an obligation, then it MUST act as if the PDP had denied access to the requested resource. See Section 7.11 for a description of how the set of obligations to be returned by the PDP is determined.

6.11 Element <Decision>

The <Decision> element contains the result of policy evaluation.

<xs:element name="Decision" type="xacml-context:DecisionType"/>
<xs:simpleType name="DecisionType">
  <xs:restriction base="xs:string">
    <xs:enumeration value="Permit"/>
    <xs:enumeration value="Deny"/>
    <xs:enumeration value="Indeterminate"/>
    <xs:enumeration value="NotApplicable"/>
  </xs:restriction>
</xs:simpleType>

The <Decision> element is of DecisionType simple type.

The values of the <Decision> element have the following meanings:

"Permit": the requested access is permitted.

"Deny": the requested access is denied.

"Indeterminate": the PDP is unable to evaluate the requested access. Reasons for such inability include: missing attributes, network errors while retrieving policies, division by zero during policy evaluation, syntax errors in the decision request or in the policy, etc.

"NotApplicable": the PDP does not have any policy that applies to this decision request.

6.12 Element <Status>

The <Status> element represents the status of the authorization decision result.

<xs:element name="Status" type="xacml-context:StatusType"/>
<xs:complexType name="StatusType">
  <xs:sequence>
    <xs:element ref="xacml-context:StatusCode"/>
    <xs:element ref="xacml-context:StatusMessage" minOccurs="0"/>
    <xs:element ref="xacml-context:StatusDetail" minOccurs="0"/>
  </xs:sequence>
</xs:complexType>

The <Status> element is of StatusType complex type.

The <Status> element contains the following elements:

<StatusCode> [Required]
Status code.

<StatusMessage> [Optional]
A status message describing the status code.

<StatusDetail> [Optional]
Additional status information.
6.13 Element <StatusCode>

The <StatusCode> element contains a major status code value and an optional sequence of minor status codes.

<xs:element name="StatusCode" type="xacml-context:StatusCodeType"/>
<xs:complexType name="StatusCodeType">
  <xs:sequence>
    <xs:element ref="xacml-context:StatusCode" minOccurs="0"/>
  </xs:sequence>
  <xs:attribute name="Value" type="xs:anyURI" use="required"/>
</xs:complexType>

The <StatusCode> element is of StatusCodeType complex type.

The <StatusCode> element contains the following attributes and elements:

Value [Required]
See Section B.9 for a list of values.

<StatusCode> [Any Number]
Minor status code. This status code qualifies its parent status code.

6.14 Element <StatusMessage>

The <StatusMessage> element is a free-form description of the status code.

<xs:element name="StatusMessage" type="xs:string"/>

The <StatusMessage> element is of xs:string type.

6.15 Element <StatusDetail>

The <StatusDetail> element qualifies the <Status> element with additional information.

<xs:element name="StatusDetail" type="xacml-context:StatusDetailType"/>
<xs:complexType name="StatusDetailType">
  <xs:sequence>
    <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>

The <StatusDetail> element is of StatusDetailType complex type.

The <StatusDetail> element allows arbitrary XML content.

Inclusion of a <StatusDetail> element is optional. However, if a PDP returns one of the following XACML-defined <StatusCode> values and includes a <StatusDetail> element, then the following rules apply:

urn:oasis:names:tc:xacml:1.0:status:ok
A PDP MUST NOT return a <StatusDetail> element in conjunction with the "ok" status value.

urn:oasis:names:tc:xacml:1.0:status:missing-attribute
A PDP MAY choose not to return any <StatusDetail> information, or MAY choose to return a <StatusDetail> element containing one or more <xacml-context:Attribute> elements. If the PDP includes <AttributeValue> elements in the <Attribute> element, then this indicates the acceptable values for that attribute. If no <AttributeValue> elements are included, then this indicates the names of attributes that the PDP failed to resolve during its evaluation. The list of attributes may be partial or complete. There is no guarantee by the PDP that supplying the missing values or attributes will be sufficient to satisfy the policy.
urn:oasis:names:tc:xacml:1.0:status:syntax-error
A PDP MUST NOT return a <StatusDetail> element in conjunction with the "syntax-error" status value. A syntax error may represent either a problem with the policy being used or with the request context. The PDP MAY return a <StatusMessage> describing the problem.

urn:oasis:names:tc:xacml:1.0:status:processing-error
A PDP MUST NOT return a <StatusDetail> element in conjunction with the "processing-error" status value. This status code indicates an internal problem in the PDP. For security reasons, the PDP MAY choose to return no further information to the PEP. In the case of a divide-by-zero error or other computational error, the PDP MAY return a <StatusMessage> describing the nature of the error.

7 Functional requirements (normative)

This section specifies certain functional requirements that are not directly associated with the production or consumption of a particular XACML element.

7.1 Policy enforcement point

This section describes the requirements for the PEP.

An application functions in the role of the PEP if it guards access to a set of resources and asks the PDP for an authorization decision. The PEP MUST abide by the authorization decision in the following way:

A PEP SHALL allow access to the resource only if a valid XACML response of "Permit" is returned by the PDP. The PEP SHALL deny access to the resource in all other cases. An XACML response of "Permit" SHALL be considered valid only if the PEP understands all of the obligations contained in the response.
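The PEP rule just stated, together with the <Result>, <Status> and <StatusDetail> rules of Sections 6.10 to 6.15, as an added example that is not part of the specification. The responses and obligation identifiers are constructed samples; requiring the "ok" status code before honouring a Permit is an extra defensive check made by this example, not a requirement of the text.

```python
# Added example, not taken from the XACML specification: PEP-side handling
# of an <xacml-context:Response>.  It applies the Section 7.1 rule (allow
# only on a valid "Permit" whose obligations are all understood, deny in
# every other case) and checks the Section 6.15 <StatusDetail> rules.
# Requiring the "ok" status code for a Permit is an extra defensive check
# made by this example, not a requirement stated in the text.
import xml.etree.ElementTree as ET

CTX = "{urn:oasis:names:tc:xacml:1.0:context}"
POLICY = "{urn:oasis:names:tc:xacml:1.0:policy}"
STATUS = "urn:oasis:names:tc:xacml:1.0:status:"
# Section 6.15: these status values MUST NOT be accompanied by <StatusDetail>.
NO_DETAIL = {STATUS + "ok", STATUS + "syntax-error", STATUS + "processing-error"}


def status_code(result):
    """Return the major StatusCode Value of a <Result>, or None if absent."""
    code = result.find(CTX + "Status/" + CTX + "StatusCode")
    return None if code is None else code.get("Value")


def status_detail_allowed(result):
    """True unless a <StatusDetail> accompanies a status value that forbids it."""
    has_detail = result.find(CTX + "Status/" + CTX + "StatusDetail") is not None
    return not (has_detail and status_code(result) in NO_DETAIL)


def pep_decisions(response_xml, understood_obligations):
    """Map each <Result>'s ResourceId (None when omitted) to "allow" or "deny".
    Anything that is not a well-formed, valid Permit is a deny (fail closed)."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return {None: "deny"}
    if root.tag != CTX + "Response":
        return {None: "deny"}
    decisions = {}
    for result in root.findall(CTX + "Result"):
        decision = result.findtext(CTX + "Decision")
        obligation_ids = [o.get("ObligationId")
                          for o in result.iter(POLICY + "Obligation")]
        valid_permit = (
            decision == "Permit"
            and status_code(result) == STATUS + "ok"
            and status_detail_allowed(result)
            and all(oid in understood_obligations for oid in obligation_ids)
        )
        decisions[result.get("ResourceId")] = "allow" if valid_permit else "deny"
    return decisions or {None: "deny"}


# Constructed sample response with three results for a scoped request.
SAMPLE_RESPONSE = """<Response xmlns="urn:oasis:names:tc:xacml:1.0:context"
          xmlns:xacml="urn:oasis:names:tc:xacml:1.0:policy">
  <Result ResourceId="urn:example:record:17">
    <Decision>Permit</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
    <xacml:Obligations>
      <xacml:Obligation ObligationId="urn:example:obligation:audit-log" FulfillOn="Permit">
        <xacml:AttributeAssignment AttributeId="urn:example:log-level"
            DataType="http://www.w3.org/2001/XMLSchema#string">info</xacml:AttributeAssignment>
      </xacml:Obligation>
    </xacml:Obligations>
  </Result>
  <Result ResourceId="urn:example:record:18">
    <Decision>Permit</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
    <xacml:Obligations>
      <xacml:Obligation ObligationId="urn:example:obligation:encrypt" FulfillOn="Permit">
        <xacml:AttributeAssignment AttributeId="urn:example:key-id"
            DataType="http://www.w3.org/2001/XMLSchema#string">k1</xacml:AttributeAssignment>
      </xacml:Obligation>
    </xacml:Obligations>
  </Result>
  <Result ResourceId="urn:example:record:19">
    <Decision>Indeterminate</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/>
      <StatusDetail>
        <Attribute AttributeId="urn:example:role"
                   DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </StatusDetail>
    </Status>
  </Result>
</Response>"""

# Constructed: a Permit whose <Status> breaks Section 6.15 ("ok" with StatusDetail).
MALFORMED_RESPONSE = """<Response xmlns="urn:oasis:names:tc:xacml:1.0:context">
  <Result>
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
      <StatusDetail/>
    </Status>
  </Result>
</Response>"""

if __name__ == "__main__":
    print(pep_decisions(SAMPLE_RESPONSE, {"urn:example:obligation:audit-log"}))
```

The PEP understanding only the audit-log obligation allows record 17, denies record 18 (unknown "encrypt" obligation) and denies record 19 (Indeterminate).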
7.2 Base policy

A PDP SHALL represent one policy or policy set, called its base policy. This base policy MAY be a <Policy> element containing a <Target> element that matches every possible decision request, or (for instance) it MAY be a <Policy> element containing a <Target> element that matches only a specific subject. In such cases, the base policy SHALL form the root node of a tree of policies connected by <PolicyIdReference> and <PolicySetIdReference> elements to all the rules that may be applicable to any decision request that the PDP is capable of evaluating.

In the case of a PDP that retrieves policies according to the decision request that it is processing, the base policy SHALL contain a <Policy> element containing a <Target> element that matches every possible decision request and a PolicyCombiningAlgId attribute with the value "Only-one-applicable". In other words, the PDP SHALL return an error if it retrieves policies that do not form a single tree.
7.3 Target evaluation

The target value SHALL be "Match" if the subject, resource and action specified in the target all match values in the request context. The target value SHALL be "No-match" if one or more of the subject, resource and action specified in the target do not match values in the request context. The value of a <SubjectMatch>, <ResourceMatch> or <ActionMatch> element in which a referenced attribute value cannot be obtained depends on the value of the MustBePresent attribute of the <AttributeDesignator> or <AttributeSelector> element. If the MustBePresent attribute is "True", then the result of the <SubjectMatch>, <ResourceMatch> or <ActionMatch> element SHALL be "Indeterminate" in this case. If the MustBePresent attribute is "False" or missing, then the result of the <SubjectMatch>, <ResourceMatch> or <ActionMatch> element SHALL be "No-match".

7.4 Condition evaluation

The condition value SHALL be "True" if the <Condition> element is absent, or if it evaluates to "True" for the attribute values supplied in the request context. Its value is "False" if the <Condition> element evaluates to "False" for the attribute values supplied in the request context. If any attribute value referenced in the condition cannot be obtained, then the condition SHALL evaluate to "Indeterminate".

7.5 Rule evaluation

A rule has a value that can be calculated by evaluating its contents. Rule evaluation involves separate evaluation of the rule's target and condition. The rule truth table is shown in Table 1.

| Target          | Condition       | Rule Value      |
|-----------------|-----------------|-----------------|
| "Match"         | "True"          | Effect          |
| "Match"         | "False"         | "NotApplicable" |
| "Match"         | "Indeterminate" | "Indeterminate" |
| "No-match"      | Don't care      | "NotApplicable" |
| "Indeterminate" | Don't care      | "Indeterminate" |

Table 1 - Rule truth table

If the target value is "No-match" or "Indeterminate", then the rule value SHALL be "NotApplicable" or "Indeterminate", respectively, regardless of the value of the condition. For these cases, therefore, the condition need not be evaluated in order to determine the rule value.

If the target value is "Match" and the condition value is "True", then the effect specified in the rule SHALL determine the rule value.

7.6 Policy evaluation

The value of a policy SHALL be determined only by its contents, considered in relation to the contents of the request context. A policy's value SHALL be determined by evaluation of the policy's target and rules, according to the specified rule-combining algorithm.
The policy's target SHALL be evaluated to determine the applicability of the policy. If the target evaluates to "Match", then the value of the policy SHALL be determined by evaluation of the policy's rules, according to the specified rule-combining algorithm. If the target evaluates to "No-match", then the value of the policy SHALL be "NotApplicable". If the target evaluates to "Indeterminate", then the value of the policy SHALL be "Indeterminate".

The policy truth table is shown in Table 2.

| Target          | Rule values                                | Policy Value                              |
|-----------------|--------------------------------------------|-------------------------------------------|
| "Match"         | At least one rule value is its Effect      | Specified by the rule-combining algorithm |
| "Match"         | All rule values are "NotApplicable"        | "NotApplicable"                           |
| "Match"         | At least one rule value is "Indeterminate" | Specified by the rule-combining algorithm |
| "No-match"      | Don't care                                 | "NotApplicable"                           |
| "Indeterminate" | Don't care                                 | "Indeterminate"                           |

Table 2 - Policy truth table

The "Rule values" entry "At least one rule value is its Effect" SHALL be used if the <Rule> element is absent, or if one or more of the rules contained in the policy is applicable to the decision request (i.e. returns a value of "Effect"; see Section 7.5). The "Rule values" entry "All rule values are 'NotApplicable'" SHALL be used if no rule contained in the policy is applicable to the request, and if no rule contained in the policy returns a value of "Indeterminate". If no rule contained in the policy is applicable to the request, but one or more rules return a value of "Indeterminate", then the "Rule values" entry SHALL be "At least one rule value is 'Indeterminate'".

If the target value is "No-match" or "Indeterminate", then the policy value SHALL be "NotApplicable" or "Indeterminate", respectively, regardless of the value of the rules. For these cases, therefore, the rules need not be evaluated in order to determine the policy value.

If the target value is "Match" and the rules value is "At least one rule value is its Effect" or "At least one rule value is 'Indeterminate'", then the rule-combining algorithm specified in the policy SHALL determine the policy value.

7.7 Policy set evaluation

The value of a policy set SHALL be determined by its contents, considered in relation to the contents of the request context. A policy set's value SHALL be determined by evaluation of the policy set's target, policies and policy sets, according to the specified policy-combining algorithm.

The policy set's target SHALL be evaluated to determine the applicability of the policy set. If the target evaluates to "Match", then the value of the policy set SHALL be determined by evaluation of the policy set's policies and policy sets, according to the specified policy-combining algorithm. If the target evaluates to "No-match", then the value of the policy set SHALL be "NotApplicable". If the target evaluates to "Indeterminate", then the value of the policy set SHALL be "Indeterminate".

The policy set truth table is shown in Table 3.
| Target          | Policy values                                | Policy Set Value                            |
|-----------------|----------------------------------------------|---------------------------------------------|
| "Match"         | At least one policy value is its Decision    | Specified by the policy-combining algorithm |
| "Match"         | All policy values are "NotApplicable"        | "NotApplicable"                             |
| "Match"         | At least one policy value is "Indeterminate" | Specified by the policy-combining algorithm |
| "No-match"      | Don't care                                   | "NotApplicable"                             |
| "Indeterminate" | Don't care                                   | "Indeterminate"                             |

Table 3 - Policy set truth table
The "Policy values" entry "At least one policy value is its Decision" SHALL be used if there are no contained or referenced policies or policy sets, or if one or more of the policies or policy sets contained in or referenced by the policy set is applicable to the decision request (i.e. returns a value determined by its rule-combining algorithm; see Section 7.6). The "Policy values" entry "All policy values are 'NotApplicable'" SHALL be used if no policy or policy set contained in or referenced by the policy set is applicable to the request, and if no policy or policy set contained in or referenced by the policy set returns a value of "Indeterminate". If no policy or policy set contained in or referenced by the policy set is applicable to the request, but one or more policies or policy sets return a value of "Indeterminate", then the "Policy values" entry SHALL be "At least one policy value is 'Indeterminate'".

If the target value is "No-match" or "Indeterminate", then the policy set value SHALL be "NotApplicable" or "Indeterminate", respectively, regardless of the value of the policies. For these cases, therefore, the policies need not be evaluated in order to determine the policy set value.

If the target value is "Match" and the policies value is "At least one policy value is its Decision" or "At least one policy value is 'Indeterminate'", then the policy-combining algorithm specified in the policy set SHALL determine the policy set value.
7.8 Hierarchical resources
It is often the case that a resource is organized as a hierarchy (e.g. file system, XML document). Some access requesters may request access to an entire sub-tree of a resource, specified by a node. XACML allows the PEP (or context handler) to specify whether the decision request is just for a single resource or for a sub-tree below the specified resource. The latter is equivalent to repeating a single request for each node in the entire sub-tree. When a request context contains a resource attribute of type "urn:oasis:names:tc:xacml:1.0:resource:scope" with a value of "Immediate", or if it does not contain that attribute, then the decision request SHALL be interpreted to apply to just the single resource specified by the "urn:oasis:names:tc:xacml:1.0:resource:resource-id" attribute.
When the "urn:oasis:names:tc:xacml:1.0:resource:scope" attribute has the value "Children", the decision request SHALL be interpreted to apply to the specified resource and its immediate children resources.
When the "urn:oasis:names:tc:xacml:1.0:resource:scope" attribute has the value "Descendants", the decision request SHALL be interpreted to apply to both the specified resource and all its descendant resources.
In the case of "Children" and "Descendants", the authorization decision MAY include multiple results for the multiple sub-nodes in the resource sub-tree.
An XACML authorization response MAY contain multiple <Result> elements.
Note that the method by which the PDP discovers whether the resource is hierarchically organized or not is outside the scope of XACML.
In the case where a child or descendant resource cannot be accessed, the <Result> element associated with the parent element SHALL contain a <StatusCode> value of "urn:oasis:names:tc:xacml:1.0:status:processing-error".
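The scope expansion described in this section, as an added example that is not part of the specification or of any XACML implementation. The resource tree, the reachability check and the per-node decision function are constructed sample data; only the attribute and status identifiers are the ones named above.

```python
"""Added example, not from the XACML specification: expanding a decision
request over a hierarchical resource according to the resource:scope
attribute (Section 7.8) and producing one <Result> per covered node.  The
resource tree, the reachability check and the per-node decision function
are constructed sample data."""

from typing import Callable, Dict, List, Optional

SCOPE = "urn:oasis:names:tc:xacml:1.0:resource:scope"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
PROCESSING_ERROR = "urn:oasis:names:tc:xacml:1.0:status:processing-error"

# Constructed sample hierarchy: node -> its immediate children.
SAMPLE_TREE: Dict[str, List[str]] = {
    "/docs": ["/docs/a", "/docs/b"],
    "/docs/a": ["/docs/a/1", "/docs/a/2"],
    "/docs/b": [],
    "/docs/a/1": [],
    "/docs/a/2": [],
}


def expand_scope(resource_id: str, scope: Optional[str],
                 tree: Dict[str, List[str]]) -> List[str]:
    """Nodes a request covers.  An absent scope attribute means "Immediate"."""
    if scope is None or scope == "Immediate":
        return [resource_id]
    if scope == "Children":
        return [resource_id] + list(tree.get(resource_id, []))
    if scope == "Descendants":
        covered, queue = [], [resource_id]
        while queue:                       # breadth-first walk of the sub-tree
            node = queue.pop(0)
            covered.append(node)
            queue.extend(tree.get(node, []))
        return covered
    raise ValueError(f"unknown resource:scope value: {scope}")


def evaluate_request(resource_attrs: Dict[str, str], tree: Dict[str, List[str]],
                     decide: Callable[[str], str],
                     reachable: Callable[[str], bool]) -> List[dict]:
    """One result per covered node (the response MAY carry several <Result>s).
    A child that cannot be accessed marks its parent's result with a
    processing-error status, as Section 7.8 requires."""
    parent_of = {c: p for p, kids in tree.items() for c in kids}
    covered = expand_scope(resource_attrs[RESOURCE_ID], resource_attrs.get(SCOPE), tree)
    results = {n: {"resource-id": n, "decision": None, "status": STATUS_OK} for n in covered}
    for node in covered:
        if reachable(node):
            results[node]["decision"] = decide(node)
        else:
            results[node]["decision"] = "Indeterminate"
            parent = parent_of.get(node)
            if parent in results:
                results[parent]["status"] = PROCESSING_ERROR
    return list(results.values())
```

A "Descendants" request for "/docs" where "/docs/a/2" is unreachable yields five results, with the processing-error status attached to the result for "/docs/a" rather than to the root.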
7.9 Attributes
Attributes are specified in the request context, regardless of whether or not they appeared in the original decision request, and are referred to in the policy by subject, resource, action and environment attribute designators and attribute selectors. A named attribute is the term used for the criteria that the specific subject, resource, action and environment attribute designators and selectors use to refer to attributes in the subject, resource, action and environment elements of the request context, respectively.
7.9.1 Attribute Matching
A named attribute has specific criteria with which to match attributes in the context. An attribute specifies AttributeId, DataType and Issuer attributes, and each named attribute also specifies AttributeId, DataType and optional Issuer attributes. A named attribute SHALL match an attribute if the values of their respective AttributeId, DataType and optional Issuer attributes match within their particular element (e.g. subject, resource, action or environment) of the context. The AttributeId of the named attribute MUST match, by URI equality, the AttributeId of the context attribute. The DataType of the named attribute MUST match, by URI equality, the DataType of the same context attribute. If Issuer is supplied in the named attribute, then it MUST match, by string equality, the Issuer of the same context attribute. If Issuer is not supplied in the named attribute, then the matching of the context attribute to the named attribute SHALL be governed by AttributeId and DataType alone, regardless of the presence, absence or actual value of Issuer. In the case of an attribute selector, the matching of the attribute to the named attribute SHALL be governed by the XPath expression and DataType.
7.9.2 Attribute Retrieval
The PDP SHALL request the values of attributes in the request context from the context handler. The PDP SHALL reference the attributes as if they were in a physical request context document, but the context handler is responsible for obtaining and supplying the requested values. The context handler SHALL return the values of attributes that match the attribute designator or attribute selector and form them into a bag of values with the specified data-type. If no attributes from the request context match, then the attribute SHALL be considered missing. If the attribute is missing, then MustBePresent governs whether the attribute designator or attribute selector returns an empty bag or an "Indeterminate" result. If MustBePresent is "False" (default value), then a missing attribute SHALL result in an empty bag. If MustBePresent is "True", then a missing attribute SHALL result in "Indeterminate". This "Indeterminate" result SHALL be handled in accordance with the specification of the encompassing expressions, rules, policies and policy sets. If the result is "Indeterminate", then the AttributeId, DataType and Issuer of the attribute MAY be listed in the authorization decision, as described in Section 7.10. However, a PDP MAY choose not to return such information for security reasons.
7.9.3 Environment Attributes
Environment attributes are listed in Section B.8. If a value for one of these attributes is supplied in the decision request, then the context handler SHALL use that value. Otherwise, the context handler SHALL supply a value. For the date and time attributes, the supplied value SHALL have the semantics of date and time that apply to the decision request.
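The matching rules of 7.9.1 and the bag / MustBePresent behaviour of 7.9.2, as an added example that is not part of the specification or of any XACML product. The attribute identifiers, issuers and context values are constructed; the XML Schema data-type URIs are the standard ones.

```python
"""Added example, not from the XACML specification: the named-attribute
matching rules of Section 7.9.1 and the bag / MustBePresent behaviour of
Section 7.9.2.  The context attributes, attribute identifiers and issuers
below are constructed sample data."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

STRING = "http://www.w3.org/2001/XMLSchema#string"
INTEGER = "http://www.w3.org/2001/XMLSchema#integer"
ROLE = "urn:example:subject:role"            # constructed identifiers
CLEARANCE = "urn:example:subject:clearance"


@dataclass(frozen=True)
class ContextAttribute:
    """One <Attribute> in the request context (subject element here)."""
    attribute_id: str
    data_type: str
    value: str
    issuer: Optional[str] = None


@dataclass(frozen=True)
class Designator:
    """A named attribute as written in a policy (an attribute designator)."""
    attribute_id: str
    data_type: str
    issuer: Optional[str] = None
    must_be_present: bool = False


def matches(named: Designator, attr: ContextAttribute) -> bool:
    """Section 7.9.1: AttributeId and DataType must match by URI equality;
    Issuer is compared (string equality) only when the named attribute supplies one."""
    if named.attribute_id != attr.attribute_id:
        return False
    if named.data_type != attr.data_type:
        return False
    if named.issuer is not None and named.issuer != attr.issuer:
        return False
    return True


def retrieve(named: Designator,
             context: List[ContextAttribute]) -> Tuple[str, List[str]]:
    """Section 7.9.2: collect matching values into a bag.  A missing attribute
    yields an empty bag, or "Indeterminate" when MustBePresent is true."""
    bag = [a.value for a in context if matches(named, a)]
    if not bag and named.must_be_present:
        return "Indeterminate", []
    return "ok", bag


def missing_attribute_detail(named: Designator) -> dict:
    """What a PDP MAY report in <Status> for such an Indeterminate (Section 7.10);
    a PDP may equally withhold it for security reasons."""
    return {"AttributeId": named.attribute_id,
            "DataType": named.data_type,
            "Issuer": named.issuer}


# Constructed subject attributes: two role assertions from different issuers
# and an integer clearance level.
SAMPLE_CONTEXT = [
    ContextAttribute(ROLE, STRING, "auditor", issuer="urn:example:hr"),
    ContextAttribute(ROLE, STRING, "contractor", issuer="urn:example:vendor"),
    ContextAttribute(CLEARANCE, INTEGER, "3"),
]
```

Note that a designator for CLEARANCE with the string data-type matches nothing even though an attribute with that AttributeId exists: DataType is part of the match, so a data-type slip in a policy silently becomes an empty bag unless MustBePresent is set.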
7.10 Authorization decision
Given a valid XACML policy or policy set, a compliant XACML PDP MUST evaluate the policy as specified in Sections 5 and 4.2. The PDP MUST return a response context with one <Decision> element of value "Permit", "Deny", "Indeterminate" or "NotApplicable".
If the PDP cannot make a decision, then an "Indeterminate" <Decision> element contents SHALL be returned. The PDP MAY return a <Decision> element contents of "Indeterminate" with a status code of "urn:oasis:names:tc:xacml:1.0:status:missing-attribute", signifying that more information is needed. In this case, the <Status> element MAY list the names and data-types of any attributes of the subjects, resource, action or environment that are needed by the PDP to refine its decision. A PEP MAY resubmit a refined request context in response to a <Decision> element contents of "Indeterminate" with a status code of "urn:oasis:names:tc:xacml:1.0:status:missing-attribute" by adding attribute values for the attribute names that were listed in the previous response. When the PDP returns a <Decision> element contents of "Indeterminate" with a status code of "urn:oasis:names:tc:xacml:1.0:status:missing-attribute", it MUST NOT list the names and data-types of any attribute of the subject, resource, action or environment for which values were supplied in the original request. Note: this requirement forces the PDP to eventually return an authorization decision of "Permit", "Deny" or "Indeterminate" with some other status code, in response to successively-refined requests.
7.11 Obligations
A policy or policy set may contain one or more obligations. When such a policy or policy set is evaluated, an obligation SHALL be passed up to the next level of evaluation (the enclosing or referencing policy set, or authorization decision) only if the effect of the policy or policy set being evaluated matches the value of the xacml:FulfillOn attribute of the obligation.
As a consequence of this procedure, no obligations SHALL be returned to the PEP if the policies or policy sets from which they are drawn are not evaluated, or if their evaluated result is "Indeterminate" or "NotApplicable", or if the decision resulting from evaluating the policy or policy set does not match the decision resulting from evaluating an enclosing policy set.
If the PDP's evaluation is viewed as a tree of policy sets and policies, each of which returns "Permit" or "Deny", then the set of obligations returned by the PDP to the PEP will include only the obligations associated with those paths where the effect at each level of evaluation is the same as the effect being returned by the PDP.
A PEP that receives a valid XACML response of "Permit" with obligations SHALL be responsible for fulfilling all of those obligations. A PEP that receives an XACML response of "Deny" with obligations SHALL be responsible for fulfilling all of the obligations that it understands.
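The policy-set truth table of Section 7.7 (Table 3) together with the obligation propagation rule of this section, as an added example that is not part of the specification or of any XACML engine. The policies, their targets and the simplified "deny-overrides" combiner are constructed; in particular the combiner's treatment of "Indeterminate" is an assumption of this example, not the normative algorithm text.

```python
"""Added example, not from the XACML specification or any XACML product:
policy-set evaluation following the Table 3 truth table of Section 7.7 and
obligation propagation per Section 7.11.  The policies, targets and the
simplified deny-overrides combiner are constructed sample data; real targets
and conditions are XML, here they are plain Python callables."""

from dataclasses import dataclass, field
from typing import Callable, List, Tuple, Union

PERMIT, DENY, NA, IND = "Permit", "Deny", "NotApplicable", "Indeterminate"


@dataclass
class Obligation:
    obligation_id: str
    fulfill_on: str  # value of the FulfillOn attribute: Permit or Deny


@dataclass
class Policy:
    policy_id: str
    decide: Callable[[dict], str]  # stands in for target + rule-combining (Section 7.6)
    obligations: List[Obligation] = field(default_factory=list)


@dataclass
class PolicySet:
    policy_set_id: str
    target: Callable[[dict], str]  # returns Match, No-match or Indeterminate
    children: List[Union[Policy, "PolicySet"]]
    obligations: List[Obligation] = field(default_factory=list)


def deny_overrides(values: List[str]) -> str:
    """Simplified policy-combining deny-overrides (an assumption of this
    example, not the normative Appendix C text): any Deny wins, an
    Indeterminate is treated as a potential Deny, else Permit if any permitted."""
    if DENY in values or IND in values:
        return DENY
    if PERMIT in values:
        return PERMIT
    return NA


def _passed_up(decision: str, obligations: List[Obligation]) -> List[Obligation]:
    """Section 7.11: an obligation passes to the next level only when the
    effect of the element being evaluated equals its FulfillOn value."""
    return [o for o in obligations if o.fulfill_on == decision]


def evaluate(node: Union[Policy, PolicySet], request: dict,
             combine: Callable[[List[str]], str] = deny_overrides
             ) -> Tuple[str, List[Obligation]]:
    if isinstance(node, Policy):
        decision = node.decide(request)
        return decision, _passed_up(decision, node.obligations)

    # Table 3: a No-match / Indeterminate target decides without evaluating policies.
    target = node.target(request)
    if target == "No-match":
        return NA, []
    if target == "Indeterminate":
        return IND, []

    results = [evaluate(child, request, combine) for child in node.children]
    values = [d for d, _ in results]
    if values and all(v == NA for v in values):
        decision = NA                # "All policy values are NotApplicable"
    else:
        decision = combine(values)   # at least one Decision / Indeterminate

    # A child's obligations survive only if its decision matches this level's.
    collected = [o for d, obs in results if d == decision for o in obs]
    collected += _passed_up(decision, node.obligations)
    return decision, collected


def build_sample() -> PolicySet:
    """Constructed policy set: auditors may read reports, but not after hours."""
    auditor_read = Policy(
        "auditor-read",
        lambda r: PERMIT if r.get("role") == "auditor" else NA,
        [Obligation("log-access", PERMIT)])
    after_hours_block = Policy(
        "after-hours-block",
        lambda r: DENY if r.get("after_hours") else NA,
        [Obligation("notify-security", DENY)])
    return PolicySet(
        "reports",
        lambda r: "Match" if r.get("resource") == "report" else "No-match",
        [auditor_read, after_hours_block],
        [Obligation("audit-trail", PERMIT)])


def decide(request: dict) -> Tuple[str, List[str]]:
    decision, obligations = evaluate(build_sample(), request)
    return decision, [o.obligation_id for o in obligations]
```

When the after-hours policy denies, the "log-access" obligation of the permitting policy is dropped because its effect no longer matches the effect returned by the policy set; only obligations on the path whose effect equals the final decision reach the PEP.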
7.12 Unsupported functionality
If the PDP attempts to evaluate a policy set or policy that contains an optional element type or feature that the PDP does not support, then the PDP SHALL return a <Decision> value of "Indeterminate". If a <StatusCode> element is also returned, then its value SHALL be "urn:oasis:names:tc:xacml:1.0:status:syntax-error" in the case of an unsupported element type, and "urn:oasis:names:tc:xacml:1.0:status:processing-error" in the case of an unsupported feature.
7.13 Syntax and type errors
If a policy that contains invalid syntax is evaluated by the XACML PDP at the time a decision request is received, then the result of that policy SHALL be "Indeterminate" with a StatusCode value of "urn:oasis:names:tc:xacml:1.0:status:syntax-error".
If a policy that contains invalid static data-types is evaluated by the XACML PDP at the time a decision request is received, then the result of that policy SHALL be "Indeterminate" with a StatusCode value of "urn:oasis:names:tc:xacml:1.0:status:processing-error".
8 XACML extensibility points (non-normative)
This section describes the points within the XACML model and schema where extensions can be added.
8.1 Extensible XML attribute types
The following XML attributes have values that are URIs. These may be extended by the creation of new URIs associated with new semantics for these attributes.
AttributeId
AttributeValue
DataType
FunctionId
MatchId
ObligationId
PolicyCombiningAlgId
RuleCombiningAlgId
StatusCode
SubjectCategory
See Section 5 for definitions of these attribute types.
8.2 Structured attributes
An XACML <AttributeValue> element MAY contain an instance of a structured XML data-type. Section A.3 describes a number of standard techniques to identify data items within such a structured attribute. Listed here are some additional techniques that require XACML extensions.
1. For a given structured data-type, a community of XACML users MAY define new attribute identifiers for each leaf sub-element of the structured data-type that has a type conformant with one of the XACML-defined primitive data-types. Using these new attribute identifiers, the PEPs or context handlers used by that community of users can flatten instances of the structured data-type into a sequence of individual <Attribute> elements. Each such <Attribute> element can be compared using the XACML-defined functions. Using this method, the structured data-type itself never appears in an <AttributeValue> element.
2. A community of XACML users MAY define a new function that can be used to compare a value of the structured data-type against some other value. This method may only be used by PDPs that support the new function.
9 Security and privacy considerations (non-normative)
This section identifies possible security and privacy compromise scenarios that should be considered when implementing an XACML-based system. The section is informative only. It is left to the implementer to decide whether these compromise scenarios are practical in their environment and to select appropriate safeguards.
9.1 Threat model
We assume here that the adversary has access to the communication channel between the XACML actors and is able to interpret, insert, delete and modify messages or parts of messages.
Additionally, an actor may use information from a former transaction maliciously in subsequent transactions. It is further assumed that rules and policies are only as reliable as the actors that create and use them. Thus it is incumbent on each actor to establish appropriate trust in the other actors upon which it relies. Mechanisms for trust establishment are outside the scope of this specification.
The messages that are transmitted between the actors in the XACML model are susceptible to attack by malicious third parties. Other points of vulnerability include the PEP, the PDP and the PAP. While some of these entities are not strictly within the scope of this specification, their compromise could lead to the compromise of access control enforced by the PEP.
It should be noted that there are other components of a distributed system that may be compromised, such as an operating system and the domain-name system (DNS), that are outside the scope of this discussion of threat models. Compromise in these components may also lead to a policy violation.
The following sections detail specific compromise scenarios that may be relevant to an XACML system.
9.1.1 Unauthorized disclosure
XACML does not specify any inherent mechanisms for confidentiality of the messages exchanged between actors. Therefore, an adversary could observe the messages in transit. Under certain security policies, disclosure of this information is a violation. Disclosure of attributes or the types of decision requests that a subject submits may be a breach of privacy policy. In the commercial sector, the consequences of unauthorized disclosure of personal data may range from embarrassment to the custodian to imprisonment and large fines in the case of medical or financial data.
Unauthorized disclosure is addressed by confidentiality mechanisms.
9.1.2 Message replay
A message replay attack is one in which the adversary records and replays legitimate messages between XACML actors. This attack may lead to denial of service, the use of out-of-date information, or impersonation.
Prevention of replay attacks requires the use of message freshness mechanisms.
Note that encryption of the message does not mitigate a replay attack, since the message is just replayed and does not have to be understood by the adversary.
9.1.3 Message insertion
A message insertion attack is one in which the adversary inserts messages in the sequence of messages between XACML actors.
The solution to a message insertion attack is to use mutual authentication and a message sequence integrity mechanism between the actors. It should be noted that just using SSL mutual authentication is not sufficient. This only proves that the other party is the one identified by the subject of the X.509 certificate. In order to be effective, it is necessary to confirm that the certificate subject is authorized to send the message.
9.1.4 Message deletion
A message deletion attack is one in which the adversary deletes messages in the sequence of messages between XACML actors. Message deletion may lead to denial of service. However, a properly designed XACML system should not render an incorrect authorization decision as a result of a message deletion attack.
The solution to a message deletion attack is to use a message integrity mechanism between the actors.
9.1.5 Message modification
If an adversary can intercept a message and change its contents, then they may be able to alter an authorization decision. Message integrity mechanisms can prevent a successful message modification attack.
9.1.6 NotApplicable results
A result of "NotApplicable" means that the PDP did not have a policy whose target matched the information in the decision request. In general, we highly recommend using a default-deny policy, so that when a PDP would have returned "NotApplicable", a result of "Deny" is returned instead.
In some security models, however, such as is common in many Web servers, a result of "NotApplicable" is treated as equivalent to "Permit". There are particular security considerations that must be taken into account for this to be safe. These are explained in the following paragraphs.
If "NotApplicable" is to be treated as "Permit", it is vital that the matching algorithms used by the policy to match elements in the decision request are closely aligned with the data syntax used by the applications that will be submitting the decision request. A failure to match will be treated as "Permit", so an unintended failure to match may allow unintended access.
A common example of this is a Web server. Commercial HTTP responders allow a variety of syntaxes to be treated equivalently. The "%" escape can be used to represent characters by hex value. The URL path provides multiple ways of specifying the same value. Multiple character sets may be permitted, and in some cases the same printed character can be represented by different binary values. Unless the matching algorithm used by the policy is sophisticated enough to catch these variations, unintended access may be permitted.
It is safe to treat "NotApplicable" as "Permit" only in a closed environment where all applications that formulate a decision request can be guaranteed to use the exact syntax expected by the policies used by the PDP. In a more open environment, where decision requests may be received from applications that may use any legal syntax, it is strongly recommended that "NotApplicable" NOT be treated as "Permit" unless matching rules have been very carefully designed to match all possible applicable inputs, regardless of syntax or type variations.
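The syntax-variation problem described above, as an added example that is not part of the specification: a stand-in PDP whose targets match on the literal resource-id string, a PEP in the Web-server style that treats "NotApplicable" as "Permit" without normalising the path, and a PEP that canonicalises the path first and treats "NotApplicable" as "Deny". The policies, path prefixes and request paths are constructed.

```python
"""Added example, not from the XACML specification: why treating
NotApplicable as Permit is unsafe when request syntax can vary (Section 9.1.6),
beside a PEP that canonicalises the resource-id first and treats
NotApplicable as Deny.  The policies, prefixes and request paths are
constructed sample data; pdp_decide stands in for a PDP."""

import posixpath
from urllib.parse import unquote, urlsplit

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"
PROTECTED = "/admin"   # constructed: a Deny policy targets this sub-tree
PUBLIC = "/public"     # constructed: a Permit policy targets this sub-tree


def _under(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix + "/")


def pdp_decide(resource_id: str) -> str:
    """Stand-in PDP: two policies whose targets match the literal resource-id."""
    if _under(resource_id, PROTECTED):
        return DENY
    if _under(resource_id, PUBLIC):
        return PERMIT
    return NA


def normalize_path(raw: str) -> str:
    """Canonical form before matching: drop scheme/host/query, decode %XX
    escapes, collapse repeated slashes and '.' / '..' segments."""
    path = urlsplit(raw).path or "/"
    path = unquote(path)
    path = "/" + path.lstrip("/")      # avoid the POSIX leading-'//' special case
    return posixpath.normpath(path)


def pep_not_applicable_as_permit(raw: str) -> str:
    """Web-server style PEP: no normalisation, NotApplicable treated as Permit."""
    decision = pdp_decide(urlsplit(raw).path)
    return PERMIT if decision == NA else decision


def pep_default_deny(raw: str) -> str:
    """Recommended: canonicalise, then treat NotApplicable as Deny."""
    decision = pdp_decide(normalize_path(raw))
    return DENY if decision == NA else decision
```

The first PEP permits "/%61dmin/users" and "/public/../admin/users" because neither string equals a target the Deny policy matches; the second PEP resolves both to "/admin/users" before asking the PDP, and a path no policy covers falls to "Deny" rather than "Permit".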
9.1.7 Negative rules
A negative rule is one that is based on a predicate not being "True". If not used with care, negative rules can lead to policy violation; therefore, some authorities recommend that they not be used. However, negative rules can be extremely efficient in certain cases, so XACML has chosen to include them. Nevertheless, it is recommended that they be used with care and avoided if possible.
A common use for negative rules is to deny access to an individual or subgroup when their membership in a larger group would otherwise permit them access. For example, we might want to write a rule that allows all Vice Presidents to see the unpublished financial data, except for Joe, who is only a Ceremonial Vice President and can be indiscreet in his communications. If we have complete control of the administration of subject attributes, a superior approach would be to define "Vice President" and "Ceremonial Vice President" as distinct groups and then define rules accordingly. However, in some environments this approach may not be feasible. (It is worth noting in passing that, generally speaking, referring to individuals in rules does not scale well. Generally, shared attributes are preferred.)
If not used with care, negative rules can lead to policy violation in two common cases. They are when attributes are suppressed and when the base group changes. An example of suppressed attributes would be if we have a policy that access should be permitted unless the subject is a credit risk. If it is possible that the attribute of being a credit risk may be unknown to the PDP for some reason, then unauthorized access may be permitted. In some environments, the subject may be able to suppress the publication of attributes by the application of privacy controls, or the server or repository that contains the information may be unavailable for accidental or intentional reasons.
An example of a changing base group would be if there is a policy that everyone in the engineering department may change software source code, except for secretaries. Suppose now that the department was to merge with another engineering department and the intent is to maintain the same policy. However, the new department also includes individuals identified as administrative assistants, who ought to be treated in the same way as secretaries. Unless the policy is altered, they will unintentionally be permitted to change software source code. Problems of this type are easy to avoid when one individual administers all policies, but when administration is distributed, as XACML allows, this type of situation must be explicitly guarded against.
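Both failure modes of this section, the suppressed "credit risk" attribute and the merged engineering department, as an added example that is not part of the specification. Each negative rule is placed beside the positive rule that expresses the same intent; the attribute identifiers, values and contexts are constructed, and the rule logic mimics an "any-of over a bag" comparison rather than a real XACML engine.

```python
"""Added example, not from the XACML specification: the two failure modes
of negative rules that Section 9.1.7 describes (a suppressed attribute and a
changing base group), each beside the positive rule that does not share the
failure.  Attribute identifiers, values and contexts are constructed; the
rule logic mimics "any-of over a bag", not a real XACML engine."""

from typing import Dict, Iterable, List

PERMIT, NA = "Permit", "NotApplicable"
CREDIT_RISK = "urn:example:subject:credit-risk"   # constructed identifiers
ROLE = "urn:example:subject:role"


def bag(context: Dict[str, List[str]], attribute_id: str) -> List[str]:
    """MustBePresent is false here, so a missing attribute is an empty bag (Section 7.9.2)."""
    return context.get(attribute_id, [])


def negative_rule(context: Dict[str, List[str]], attribute_id: str,
                  excluded: Iterable[str]) -> str:
    """Permit unless the predicate 'attribute is one of excluded' is True."""
    if any(v in excluded for v in bag(context, attribute_id)):
        return NA
    return PERMIT


def positive_rule(context: Dict[str, List[str]], attribute_id: str,
                  required: Iterable[str]) -> str:
    """Permit only when the attribute carries one of the required values."""
    if any(v in required for v in bag(context, attribute_id)):
        return PERMIT
    return NA


def credit_check(context: Dict[str, List[str]]) -> Dict[str, str]:
    """Case 1, suppressed attribute: 'permit unless the subject is a credit risk'."""
    return {
        "negative": negative_rule(context, CREDIT_RISK, ["true"]),
        "positive": positive_rule(context, CREDIT_RISK, ["false"]),
    }


def source_change(context: Dict[str, List[str]]) -> Dict[str, str]:
    """Case 2, changing base group: 'engineering may change source, except secretaries'."""
    return {
        "negative": negative_rule(context, ROLE, ["secretary"]),
        "positive": positive_rule(context, ROLE, ["engineer", "tester"]),
    }
```

With the credit-risk attribute withheld (an empty context) the negative rule permits while the positive rule does not apply; after the merge, a subject whose only role is "administrative assistant" is likewise permitted by the negative rule and not by the positive one. Setting MustBePresent to "True" on the designator (Section 7.9.2) turns the suppressed case into "Indeterminate" instead of "Permit", but does nothing for the changed base group.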
9.2 Safeguards
9.2.1 Authentication
Authentication provides the means for one party in a transaction to determine the identity of the other party in the transaction. Authentication may be in one direction, or it may be bilateral.
Given the sensitive nature of access control systems, it is important for a PEP to authenticate the identity of the PDP to which it sends decision requests. Otherwise, there is a risk that an adversary could provide false or invalid authorization decisions, leading to a policy violation.
It is equally important for a PDP to authenticate the identity of the PEP and assess the level of trust to determine what, if any, sensitive data should be passed. One should keep in mind that even simple "Permit" or "Deny" responses could be exploited if an adversary were allowed to make unlimited requests to a PDP.
Many different techniques may be used to provide authentication, such as co-located code, a private network, a VPN, or digital signatures. Authentication may also be performed as part of the communication protocol used to exchange the contexts. In this case, authentication may be performed at the message level or at the session level.
9.2.2 Policy administration
If the contents of policies are exposed outside of the access control system, potential subjects may use this information to determine how to gain unauthorized access.
To prevent this threat, the repository used for the storage of policies may itself require access control. In addition, the <Status> element should be used to return values of missing attributes only when exposure of the identities of those attributes will not compromise security.
9.2.3 Confidentiality
Confidentiality mechanisms ensure that the contents of a message can be read only by the desired recipients and not by anyone else who encounters the message while it is in transit. There are two areas in which confidentiality should be considered: one is confidentiality during transmission; the other is confidentiality within a <Policy> element.
9.2.3.1 Communication confidentiality
In some environments it is deemed good practice to treat all data within an access control system as confidential. In other environments, policies may be made freely available for distribution, inspection and audit. The idea behind keeping policy information secret is to make it more difficult for an adversary to know what steps might be sufficient to obtain unauthorized access. Regardless of the approach chosen, the security of the access control system should not depend on the secrecy of the policy.
Any security concerns or requirements related to transmitting or exchanging XACML <Policy> elements are outside the scope of the XACML standard. While it is often important to ensure that the integrity and confidentiality of <Policy> elements is maintained when they are exchanged between two parties, it is left to the implementers to determine the appropriate mechanisms for their environment.
Communications confidentiality can be provided by a confidentiality mechanism, such as SSL. Using a point-to-point scheme like SSL may lead to other vulnerabilities when one of the end-points is compromised.
9.2.3.2 Statement level confidentiality
In some cases, an implementation may want to encrypt only parts of an XACML <Policy> element.
The XML Encryption Syntax and Processing Candidate Recommendation from W3C can be used to encrypt all or parts of an XML document. This specification is recommended for use with XACML.
It should go without saying that if a repository is used to facilitate the communication of cleartext (i.e. unencrypted) policy between the PAP and PDP, then a secure repository should be used to store this sensitive data.
9.2.4 Policy integrity
The XACML policy used by the PDP to evaluate the request context is the heart of the system. Therefore, maintaining its integrity is essential. There are two aspects to maintaining the integrity of the policy. One is to ensure that <Policy> elements have not been altered since they were originally created by the PAP. The other is to ensure that <Policy> elements have not been inserted or deleted from the set of policies.
In many cases, both aspects can be achieved by ensuring the integrity of the actors and implementing session-level mechanisms to secure the communication between actors. The selection of the appropriate mechanisms is left to the implementers. However, when policy is distributed between organizations to be acted on at a later time, or when the policy travels with the protected resource, it would be useful to sign the policy. In these cases, the XML Signature Syntax and Processing standard from W3C is recommended to be used with XACML.
Digital signatures should only be used to ensure the integrity of the statements. Digital signatures should not be used as a method of selecting or evaluating policy. That is, the PDP should not request a policy based on who signed it or whether or not it has been signed (as such a basis for selection would itself be a matter of policy). However, the PDP must verify that the key used to sign the policy is one controlled by the purported issuer of the policy. The means to do this are dependent on the specific signature technology chosen and are outside the scope of this document.
9.2.5 Policy identifiers
Since policies can be referenced by their identifiers, it is the responsibility of the PAP to ensure that these are unique. Confusion between identifiers could lead to misidentification of the applicable policy. This specification is silent on whether a PAP must generate a new identifier when a policy is modified, or may use the same identifier in the modified policy. This is a matter of administrative practice. However, care must be taken in either case. If the identifier is reused, there is a danger that other policies or policy sets that reference it may be adversely affected. Conversely, if a new identifier is used, these other policies may continue to use the prior policy unless it is deleted. In either case, the results may not be what the policy administrator intends.
9.2.6 Trust model
Discussions of authentication, integrity and confidentiality mechanisms necessarily assume an underlying trust model: how can one actor come to believe that a given key is uniquely associated with a specific, identified actor, so that the key can be used to encrypt data for that actor or verify signatures (or other integrity structures) from that actor? Many different types of trust model exist, including strict hierarchies, distributed authorities, the Web, the bridge, and so on.
It is worth considering the relationships between the various actors of the access control system in terms of the interdependencies that do and do not exist.
None of the entities of the authorization system are dependent on the PEP. They may collect data from it, for example authentication, but are responsible for verifying it.
The correct operation of the system depends on the ability of the PEP to actually enforce policy decisions.
The PEP depends on the PDP to correctly evaluate policies. This in turn implies that the PDP is supplied with the correct inputs. Other than that, the PDP does not depend on the PEP.
The PDP depends on the PAP to supply appropriate policies. The PAP is not dependent on other components.
9.2.7 Privacy
It is important to be aware that any transactions that occur with respect to access control may reveal private information about the actors. For example, if an XACML policy states that certain data may only be read by subjects with "Gold Card Member" status, then any transaction in which a subject is permitted access to that data leaks information to an adversary about the subject's status. Privacy considerations may therefore lead to encryption and/or to access control policies surrounding the enforcement of XACML policy instances themselves: confidentiality-protected channels for the request/response protocol messages, protection of subject attributes in storage and in transit, and so on.
Selection and use of privacy mechanisms appropriate to a given environment are outside the scope of XACML. The decision regarding whether, how and when to deploy such mechanisms is left to the implementers associated with the environment.
10 Conformance (normative)
10.1 Introduction
The XACML specification addresses the following aspect of conformance:
The XACML specification defines a number of functions, etc., that have somewhat specialist application; therefore, they are not required to be implemented in an implementation that claims to conform with the OASIS standard.
10.2 Conformance tables
This section lists those portions of the specification that MUST be included in an implementation of a PDP that claims to conform with XACML v1.0. A set of test cases has been created to assist in this process. These test cases are hosted by Sun Microsystems and can be located from the
XACML Web page. The site hosting the test cases contains a full description of the test cases and how to execute them.
Note: "M" means mandatory-to-implement; "O" means optional.
10.2.1 Schema elements
The implementation MUST support those schema elements that are marked "M".
Element name                              M/O
xacml-context:Action                      M
xacml-context:Attribute                   M
xacml-context:AttributeValue              M
xacml-context:Decision                    M
xacml-context:Environment                 M
xacml-context:Obligations                 O
xacml-context:Request                     M
xacml-context:Resource                    M
xacml-context:ResourceContent             O
xacml-context:Response                    M
xacml-context:Result                      M
xacml-context:Status                      M
xacml-context:StatusCode                  M
xacml-context:StatusDetail                O
xacml-context:StatusMessage               O
xacml-context:Subject                     M
xacml:Action                              M
xacml:ActionAttributeDesignator           M
xacml:ActionMatch                         M
xacml:Actions                             M
xacml:AnyAction                           M
xacml:AnyResource                         M
xacml:AnySubject                          M
xacml:Apply                               M
xacml:AttributeAssignment                 O
xacml:AttributeSelector                   O
xacml:AttributeValue                      M
xacml:Condition                           M
xacml:Description                         M
xacml:EnvironmentAttributeDesignator      M
xacml:Function                            M
xacml:Obligation                          O
xacml:Obligations                         O
xacml:Policy                              M
xacml:PolicyDefaults                      O
xacml:PolicyIdReference                   M
xacml:PolicySet                           M
xacml:PolicySetDefaults                   O
xacml:PolicySetIdReference                M
xacml:Resource                            M
xacml:ResourceAttributeDesignator         M
xacml:ResourceMatch                       M
xacml:Resources                           M
xacml:Rule                                M
xacml:Subject                             M
xacml:SubjectMatch                        M
xacml:Subjects                            M
xacml:Target                              M
xacml:XPathVersion                        O
10.2.2 Identifier prefixes
The following identifier prefixes are reserved by XACML:
urn:oasis:names:tc:xacml:1.0
urn:oasis:names:tc:xacml:1.0:conformance-test
urn:oasis:names:tc:xacml:1.0:context
urn:oasis:names:tc:xacml:1.0:example
urn:oasis:names:tc:xacml:1.0:function
urn:oasis:names:tc:xacml:1.0:policy
urn:oasis:names:tc:xacml:1.0:subject
urn:oasis:names:tc:xacml:1.0:resource
urn:oasis:names:tc:xacml:1.0:action
10.2.3 Algorithms
The implementation MUST include the rule- and policy-combining algorithms associated with the following identifiers that are marked "M".
Algorithm  M/O
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides  M
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides  M
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides  M
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides  M
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable  M
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable  M
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable  M
urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-deny-overrides
urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-deny-overrides
urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides
urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides
10.2.4 Status codes
Implementation support for the urn:oasis:names:tc:xacml:1.0:context:Status element is optional, but if the element is supported, then the following status codes must be supported and must be used in the way XACML has specified.
Identifier  M/O
urn:oasis:names:tc:xacml:1.0:status:missing-attribute  M
urn:oasis:names:tc:xacml:1.0:status:ok  M
urn:oasis:names:tc:xacml:1.0:status:processing-error  M
urn:oasis:names:tc:xacml:1.0:status:syntax-error  M
10.2.5 Attributes
The implementation MUST support the attributes associated with the following attribute identifiers, as specified by XACML. If values for these attributes are not present in the decision request, then their values MUST be supplied by the PDP. So, unlike most other attributes, their semantics are not transparent to the PDP.
Identifier  M/O
urn:oasis:names:tc:xacml:1.0:environment:current-time  M
urn:oasis:names:tc:xacml:1.0:environment:current-date  M
urn:oasis:names:tc:xacml:1.0:environment:current-dateTime  M
10.2.6 Identifiers
The implementation MUST use the attributes associated with the following identifiers in the way XACML has defined. This requirement pertains primarily to implementations of a PAP or PEP that use XACML, since the semantics of the attributes are transparent to the PDP.
Identifier  M/O
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name  O
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address  O
urn:oasis:names:tc:xacml:1.0:subject:authentication-method  O
urn:oasis:names:tc:xacml:1.0:subject:authentication-time  O
urn:oasis:names:tc:xacml:1.0:subject:key-info  O
urn:oasis:names:tc:xacml:1.0:subject:request-time  O
urn:oasis:names:tc:xacml:1.0:subject:session-start-time  O
urn:oasis:names:tc:xacml:1.0:subject:subject-id  O
urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier  O
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject  M
urn:oasis:names:tc:xacml:1.0:subject-category:codebase  O
urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject  O
urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject  O
urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine  O
urn:oasis:names:tc:xacml:1.0:resource:resource-location  O
urn:oasis:names:tc:xacml:1.0:resource:resource-id  M
urn:oasis:names:tc:xacml:1.0:resource:scope  O
urn:oasis:names:tc:xacml:1.0:resource:simple-file-name  O
urn:oasis:names:tc:xacml:1.0:action:action-id  M
urn:oasis:names:tc:xacml:1.0:action:implied-action  M
10.2.7 Data-types
The implementation MUST support the data-types associated with the following identifiers marked "M".
Data-type  M/O
http://www.w3.org/2001/XMLSchema#string  M
http://www.w3.org/2001/XMLSchema#boolean  M
http://www.w3.org/2001/XMLSchema#integer  M
http://www.w3.org/2001/XMLSchema#double  M
http://www.w3.org/2001/XMLSchema#time  M
http://www.w3.org/2001/XMLSchema#date  M
http://www.w3.org/2001/XMLSchema#dateTime  M
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration  M
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration  M
http://www.w3.org/2001/XMLSchema#anyURI  M
http://www.w3.org/2001/XMLSchema#hexBinary  M
http://www.w3.org/2001/XMLSchema#base64Binary  M
urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name  M
urn:oasis:names:tc:xacml:1.0:data-type:x500Name  M
10.2.8 Functions
The implementation MUST properly process those functions associated with the identifiers marked with an "M". All identifiers below are relative to the prefix "urn:oasis:names:tc:xacml:1.0:function:".
Function  M/O
string-equal  M
boolean-equal  M
integer-equal  M
double-equal  M
date-equal  M
time-equal  M
dateTime-equal  M
dayTimeDuration-equal  M
yearMonthDuration-equal  M
anyURI-equal  M
x500Name-equal  M
rfc822Name-equal  M
hexBinary-equal  M
base64Binary-equal  M
integer-add  M
double-add  M
integer-subtract  M
double-subtract  M
integer-multiply  M
double-multiply  M
integer-divide  M
double-divide  M
integer-mod  M
integer-abs  M
double-abs  M
round  M
floor  M
string-normalize-space  M
string-normalize-to-lower-case  M
double-to-integer  M
integer-to-double  M
or  M
and  M
n-of  M
not  M
present  M
integer-greater-than  M
integer-greater-than-or-equal  M
integer-less-than  M
integer-less-than-or-equal  M
double-greater-than  M
double-greater-than-or-equal  M
double-less-than  M
double-less-than-or-equal  M
dateTime-add-dayTimeDuration  M
dateTime-add-yearMonthDuration  M
dateTime-subtract-dayTimeDuration  M
dateTime-subtract-yearMonthDuration  M
date-add-yearMonthDuration  M
date-subtract-yearMonthDuration  M
string-greater-than  M
string-greater-than-or-equal  M
string-less-than  M
string-less-than-or-equal  M
time-greater-than  M
time-greater-than-or-equal  M
time-less-than  M
time-less-than-or-equal  M
dateTime-greater-than  M
dateTime-greater-than-or-equal  M
dateTime-less-than  M
dateTime-less-than-or-equal  M
date-greater-than  M
date-greater-than-or-equal  M
date-less-than  M
date-less-than-or-equal  M
For each <type> in string, boolean, integer, double, time, date, dateTime, anyURI, hexBinary, base64Binary, dayTimeDuration, yearMonthDuration, x500Name and rfc822Name:
<type>-one-and-only  M
<type>-bag-size  M
<type>-is-in  M
<type>-bag  M
any-of  M
all-of  M
any-of-any  M
all-of-any  M
any-of-all  M
all-of-all  M
map  M
x500Name-match  M
rfc822Name-match  M
regexp-string-match  M
xpath-node-count  O
xpath-node-equal  O
xpath-node-match  O
For each <type> in the same fourteen data-types listed above:
<type>-intersection  M
<type>-at-least-one-member-of  M
<type>-union  M
<type>-subset  M
<type>-set-equals  M
11 References
[DS] D. Eastlake et al., XML-Signature Syntax and Processing, http://www.w3.org/TR/xmldsig-core/, World Wide Web Consortium.
[Hancock] Hancock, Polymorphic Type Checking, in Simon L. Peyton Jones, Implementation of Functional Programming Languages, Section 8, Prentice-Hall International, 1987.
[Haskell] Haskell, a purely functional language. Available at http://www.haskell.org/
[Hinton94] Hinton, H. M., Lee, E. S., The Compatibility of Policies, Proceedings 2nd ACM Conference on Computer and Communications Security, Nov 1994, Fairfax, Virginia, USA.
[IEEE754] IEEE Standard for Binary Floating-Point Arithmetic, 1985, ISBN 1-5593-7653-8, IEEE Product No. SH10116-TBR.
[Kudo00] Kudo, M. and Hada, S., XML document security based on provisional authorization, Proceedings of the Seventh ACM Conference on Computer and Communications Security, Nov 2000, Athens, Greece, pp. 87-96.
[LDAP-1] RFC 2256, A Summary of the X.500(96) User Schema for use with LDAPv3, Section 5, M. Wahl, December 1997, http://www.ietf.org/rfc/rfc2256.txt
[LDAP-2] RFC 2798, Definition of the inetOrgPerson, M. Smith, April 2000, http://www.ietf.org/rfc/rfc2798.txt
[MathML] Mathematical Markup Language (MathML) Version 2.0, W3C Recommendation, 21 February 2001. Available at http://www.w3.org/TR/MathML2/
[Perritt93] Perritt, H., Knowbots, Permissions Headers and Contract Law, Conference on Technological Strategies for Protecting Intellectual Property in the Networked Multimedia Environment, April 1993. Available at http://www.ifla.org/documents/infopol/copyright/perh2.txt
[RBAC] Role-Based Access Controls, David Ferraiolo and Richard Kuhn, 15th National Computer Security Conference, 1992. Available at http://csrc.nist.gov/rbac/
[RegEx] XML Schema Part 0: Primer, W3C Recommendation, 2 May 2001, Appendix D. Available at http://www.w3.org/TR/xmlschema-0/
[RFC2119] S. Bradner, Key words for use in RFCs to Indicate Requirement Levels, http://www.ietf.org/rfc/rfc2119.txt, IETF RFC 2119, March 1997.
[SAML] Security Assertion Markup Language, available from http://www.oasis-open.org/committees/security/#documents
[Sloman94] Sloman, M., Policy Driven Management for Distributed Systems, Journal of Network and Systems Management, Volume 2, part 4, Plenum Press, 1994.
[XF] XQuery 1.0 and XPath 2.0 Functions and Operators, W3C Working Draft, 16 August 2002. Available at http://www.w3.org/TR/2002/WD-xquery-operators-20020816/
[XS] XML Schema, parts 1 and 2. Available at http://www.w3.org/TR/xmlschema-1/ and http://www.w3.org/TR/xmlschema-2/
[XPath] XML Path Language (XPath) Version 1.0, W3C Recommendation, 16 November 1999. Available at http://www.w3.org/TR/xpath
[XSLT] XSL Transformations (XSLT) Version 1.0, W3C Recommendation, 16 November 1999. Available at http://www.w3.org/TR/xslt
Appendix A. Standard data-types, functions and their semantics (normative)
A.1 Introduction
This section contains a specification of the data-types and functions used in XACML to create predicates for a rule's condition and target matches.
This specification combines the various standards set forth by IEEE and ANSI for string representation of numeric values, as well as the evaluation of arithmetic functions.
This section describes the primitive data-types, bags, and the construction of expressions using XACML constructs. Finally, each standard function is named and its operational semantics are described.
A.2 Primitive types
Although XML instances represent all data-types as strings, an XACML PDP must reason about types of data that, while they have string representations, are not just strings. Types such as boolean, integer and double MUST be converted from their XML string representations to values that can be compared with values in their domain of discourse, such as numbers. The following primitive data-types are specified for use with XACML and have explicit data representations:
http://www.w3.org/2001/XMLSchema#string
http://www.w3.org/2001/XMLSchema#boolean
http://www.w3.org/2001/XMLSchema#integer
http://www.w3.org/2001/XMLSchema#double
http://www.w3.org/2001/XMLSchema#time
http://www.w3.org/2001/XMLSchema#date
http://www.w3.org/2001/XMLSchema#dateTime
http://www.w3.org/2001/XMLSchema#anyURI
http://www.w3.org/2001/XMLSchema#hexBinary
http://www.w3.org/2001/XMLSchema#base64Binary
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration
urn:oasis:names:tc:xacml:1.0:data-type:x500Name
urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name
A.3 Structured types
An XACML <AttributeValue> element MAY contain an instance of a structured XML data-type, for example <ds:KeyInfo>. XACML 1.0 supports several ways for comparing such <AttributeValue> elements.
1. In some cases, such an <AttributeValue> element MAY be compared using one of the XACML string functions, such as "regexp-string-match", described below. This requires that the structured data <AttributeValue> be given the DataType="http://www.w3.org/2001/XMLSchema#string". For example, a structured data-type that is actually a ds:KeyInfo/KeyName would appear in the Context as:
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">&lt;ds:KeyName&gt;jhibbert-key&lt;/ds:KeyName&gt;</AttributeValue>
In general, this method will not be adequate unless the structured data-type is quite simple.
2. An <AttributeSelector> element MAY be used to select the value of a leaf sub-element of the structured data-type by means of an XPath expression. That value MAY then be compared using one of the supported XACML functions appropriate for its primitive data-type. This method requires support by the PDP for the optional XPath expressions feature.
3. An <AttributeSelector> element MAY be used to select the value of any node in the structured data-type by means of an XPath expression. This node MAY then be compared using one of the XPath-based functions described in Section A.14.13. This method requires support by the PDP for the optional XPath expressions and XPath functions features.
A.4 Representations
An XACML PDP SHALL be capable of converting string representations into various primitive data-types. For integers and doubles, XACML SHALL use the conversions described in [IEEE754].
This document combines the various standards set forth by IEEE and ANSI for string representation of numeric values.
XACML defines two additional data-types; these are "urn:oasis:names:tc:xacml:1.0:data-type:x500Name" and "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name". These types represent identifiers for subjects and appear in several standard applications, such as TLS/SSL and electronic mail.
The "urn:oasis:names:tc:xacml:1.0:data-type:x500Name" primitive type represents an X.500 Distinguished Name. The string representation of an X.500 distinguished name is specified in IETF RFC 2253, Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names.[1]
The "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" primitive type represents electronic mail addresses, and its string representation is specified by RFC 822.
[1] An earlier RFC, RFC 1779, A String Representation of Distinguished Names, is less restrictive, so urn:oasis:names:tc:xacml:1.0:data-type:x500Name uses the syntax in RFC 2253 for better interoperability.
An RFC 822 name consists of a local-part, followed by "@", followed by a domain-part. The local-part is case-sensitive, while the domain-part (which is usually a DNS host name) is not case-sensitive.[2]
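As an added example (not part of the specification, nor code from any XACML implementation), the following Python converts the lexical form of an <AttributeValue> into a typed value according to its DataType URI, which is what A.2 and A.4 require of a PDP. The XS and XACML_DT constants, the PARSERS table and the Rfc822Name and X500Name classes are this example's own devices. The RFC 2253 handling is deliberately simplified (single-valued RDNs only, attribute types folded to lower case, values kept verbatim; this is an assumption, not the page's x500Name-equal rule), and the two duration types are left unsupported and rejected rather than silently treated as strings.

```python
# Added example, not from the XACML specification: converting the lexical
# form of an <AttributeValue> into a typed value keyed by its DataType URI,
# as A.2/A.4 require of a PDP. Durations (the two xquery-operators types)
# and the full RFC 2253 grammar (multi-valued RDNs, hex-encoded values) are
# not handled; unsupported DataType URIs are rejected.
import base64
import re
from datetime import date, datetime, time

XS = "http://www.w3.org/2001/XMLSchema#"
XACML_DT = "urn:oasis:names:tc:xacml:1.0:data-type:"


class Rfc822Name:
    """RFC 822 address: the local-part is case-sensitive, the domain-part is not (A.4)."""

    def __init__(self, text):
        local, at, domain = text.rpartition("@")
        if not at or not local or not domain:
            raise ValueError(f"not an rfc822Name: {text!r}")
        self.local, self.domain = local, domain.lower()

    def __eq__(self, other):
        return isinstance(other, Rfc822Name) and (self.local, self.domain) == (other.local, other.domain)

    def __hash__(self):
        return hash((self.local, self.domain))


class X500Name:
    """RFC 2253 DN split into RDNs on unescaped commas. Attribute types are
    compared case-insensitively and values kept verbatim (a simplification
    assumed for this example, not the spec's x500Name-equal rule)."""

    def __init__(self, text):
        self.rdns = tuple(self._split(text))

    @staticmethod
    def _split(text):
        rdns, cur, escaped = [], [], False
        for ch in text:
            if escaped or ch != ",":  # a backslash escapes the next character
                cur.append(ch)
                escaped = (ch == "\\") and not escaped
            else:
                rdns.append("".join(cur))
                cur = []
        rdns.append("".join(cur))
        for rdn in rdns:
            typ, eq, val = rdn.strip().partition("=")
            if not eq or not typ.strip():
                raise ValueError(f"not an RFC 2253 RDN: {rdn!r}")
            yield typ.strip().lower(), val.strip()

    def __eq__(self, other):
        return isinstance(other, X500Name) and self.rdns == other.rdns

    def __hash__(self):
        return hash(self.rdns)


_INTEGER = re.compile(r"[+-]?\d+\Z")
_DOUBLE = re.compile(r"(?:[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?|-?INF|NaN)\Z")
_HEX = re.compile(r"(?:[0-9a-fA-F]{2})*\Z")


def _boolean(s):
    try:
        return {"true": True, "1": True, "false": False, "0": False}[s]
    except KeyError:
        raise ValueError(f"not an xs:boolean: {s!r}") from None


def _checked(pattern, name, convert):
    # Validate the XML Schema lexical form before handing it to the Python converter,
    # so that forms Python accepts but XML Schema does not (e.g. "1_000") are rejected.
    def parse(s):
        if not pattern.match(s):
            raise ValueError(f"not an {name}: {s!r}")
        return convert(s)
    return parse


def _iso(s):
    # XML Schema allows a trailing 'Z' for UTC, which older fromisoformat() rejects
    return s[:-1] + "+00:00" if s.endswith("Z") else s


PARSERS = {
    XS + "string": str,
    XS + "boolean": _boolean,
    XS + "integer": _checked(_INTEGER, "xs:integer", int),
    XS + "double": _checked(_DOUBLE, "xs:double", float),  # IEEE 754 binary64, INF/NaN included
    XS + "time": lambda s: time.fromisoformat(_iso(s)),
    XS + "date": date.fromisoformat,
    XS + "dateTime": lambda s: datetime.fromisoformat(_iso(s)),
    XS + "anyURI": str,
    XS + "hexBinary": _checked(_HEX, "xs:hexBinary", bytes.fromhex),
    XS + "base64Binary": lambda s: base64.b64decode(s, validate=True),
    XACML_DT + "rfc822Name": Rfc822Name,
    XACML_DT + "x500Name": X500Name,
}


def parse_attribute_value(datatype, text):
    """Typed value for an <AttributeValue> with the given DataType URI.
    Raises ValueError for an unsupported type or a lexically invalid value."""
    try:
        parser = PARSERS[datatype]
    except KeyError:
        raise ValueError(f"unsupported DataType: {datatype!r}") from None
    return parser(text.strip())
```

The point of validating the lexical form before conversion is that a PDP which lets Python's (or Java's) more permissive number parsing through will accept values the schema forbids, and two PDPs can then disagree on the same request. Rejecting an unknown DataType outright, instead of falling back to string comparison, avoids a policy silently matching on the wrong type.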
A.5 Bags
XACML defines implicit collections of its primitive types. XACML refers to a collection of values that are of a single primitive type as a bag. Bags of primitive types are needed because selections of nodes from an XML resource or XACML request context may return more than one value.
The <AttributeSelector> element uses an XPath expression to specify the selection of data from an XML resource. The result of an XPath expression is termed a node-set, which contains all the leaf nodes from the XML resource that match the predicate in the XPath expression. Based on the various indexing functions provided in the XPath specification, it SHALL be implied that a resultant node-set is the collection of the matching nodes. XACML also defines the <AttributeDesignator> element to have the same matching methodology for attributes in the XACML request context.
The values in a bag are not ordered, and some of the values may be duplicates. There SHALL be no notion of a bag containing bags, or a bag containing values of differing types; i.e., a bag in XACML SHALL contain only values that are of the same primitive type.
A.6 Expressions
XACML specifies expressions in terms of the following elements, of which the <Apply> and <Condition> elements recursively compose greater expressions. Valid expressions shall be type correct, which means that the types of each of the elements contained within <Apply> and <Condition> elements shall agree with the respective argument types of the function that is named by the FunctionId attribute. The resultant type of the <Apply> or <Condition> element shall be the resultant type of the function, which may be narrowed to a primitive data-type, or a bag of a primitive data-type, by type-unification. XACML defines an evaluation result of "Indeterminate", which is said to be the result of an invalid expression, or an operational error occurring during the evaluation of the expression.
XACML defines the following elements to be legal XACML expressions:
<AttributeValue>
<SubjectAttributeDesignator>
<SubjectAttributeSelector>
<ResourceAttributeDesignator>
<ActionAttributeDesignator>
<EnvironmentAttributeDesignator>
<AttributeSelector>
<Apply>
<Condition>
<Function>
[2] According to IETF RFC 822 and its successor specifications [RFC2821], case is significant in the local-part. However, many mail systems, as well as the IETF PKIX specification, treat the local-part as case-insensitive. This is considered an error by mail-system designers and is not encouraged.
A.7 Element <AttributeValue>
The <AttributeValue> element SHALL represent an explicit value of a primitive type. For example:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">123</AttributeValue>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">123</AttributeValue>
</Apply>
A.8 Elements <AttributeDesignator> and <AttributeSelector>
The <AttributeDesignator> and <AttributeSelector> elements SHALL evaluate to a bag of a specific primitive type. The type SHALL be inferred from the function in which it appears. Each element SHALL contain a URI or XPath expression, respectively, to identify the required attribute values. If an operational error were to occur while finding the values, the value of the element SHALL be set to "Indeterminate". If the required attribute cannot be located, then the value of the element SHALL be set to an empty bag of the inferred primitive type.
A.9 Element <Apply>
XACML function calls are represented by the <Apply> element. The function to be applied is named in the FunctionId attribute of this element. The value of the <Apply> element SHALL be set to either a primitive data-type or a bag of a primitive type, whose data-type SHALL be inferred from the FunctionId. The arguments of a function SHALL be the values of the XACML expressions that are contained as ordered elements in an <Apply> element. The legal number of arguments within an <Apply> element SHALL depend upon the FunctionId.
A.10 Element <Condition>
The <Condition> element MAY appear in the <Rule> element as the premise for emitting the corresponding effect of the rule. The <Condition> element has the same structure as the <Apply> element, with the restriction that its result SHALL be of data-type "http://www.w3.org/2001/XMLSchema#boolean". The evaluation of the <Condition> element SHALL follow the same evaluation semantics as those of the <Apply> element.
A.11 Element <Function>
The <Function> element names a standard XACML function, or an extension function, in its FunctionId attribute. The <Function> element MAY be used as an argument in functions that take a function as an argument.
A.12 Matching elements
Matching elements appear in the <Target> element of rules, policies and policy sets. They are the following:
<SubjectMatch>
<ResourceMatch>
<ActionMatch>
These elements represent boolean expressions over attributes of the subject, resource and action, respectively. A matching element contains a MatchId attribute that specifies the function to be used in performing the match evaluation, an attribute value, and an <AttributeDesignator> or <AttributeSelector> element that specifies the attribute in the context that is to be matched against the specified value.
The MatchId attribute SHALL specify a function that compares two arguments, returning a result type of "http://www.w3.org/2001/XMLSchema#boolean". The attribute value specified in the matching element SHALL be supplied to the MatchId function as its first argument. An element of the bag returned by the <AttributeDesignator> or <AttributeSelector> element SHALL be supplied to the MatchId function as its second argument. The data-type of the attribute value SHALL match the data-type of the first argument expected by the MatchId function. The data-type of the <AttributeDesignator> or <AttributeSelector> element SHALL match the data-type of the second argument expected by the MatchId function.
The XACML standard functions that meet the requirements for use as a MatchId attribute value are the following, where <type> stands for one of the primitive data-types:
urn:oasis:names:tc:xacml:1.0:function:<type>-equal
urn:oasis:names:tc:xacml:1.0:function:<type>-greater-than
urn:oasis:names:tc:xacml:1.0:function:<type>-greater-than-or-equal
urn:oasis:names:tc:xacml:1.0:function:<type>-less-than
urn:oasis:names:tc:xacml:1.0:function:<type>-less-than-or-equal
urn:oasis:names:tc:xacml:1.0:function:<type>-match
In addition, functions that are strictly within an extension to XACML MAY appear as a value for the MatchId attribute, and those functions MAY use data-types that are also extensions, so long as the extension function returns a boolean result and takes an attribute value as its first argument and an <AttributeDesignator> or <AttributeSelector> as its second argument. The function used as the value for the MatchId attribute SHOULD be easily indexable. Use of non-indexable or complex functions may prevent efficient evaluation of decision requests.
The evaluation semantics for a matching element is as follows. If an operational error were to occur while evaluating the <AttributeDesignator> or <AttributeSelector> element, then the result of the entire expression SHALL be "Indeterminate". If the <AttributeDesignator> or <AttributeSelector> element were to evaluate to an empty bag, then the result of the expression SHALL be "False". Otherwise, the MatchId function SHALL be applied between the explicit attribute value and each element of the bag returned from the <AttributeDesignator> or <AttributeSelector> element. If at least one of those function applications were to evaluate to "True", then the result of the entire expression SHALL be "True". Otherwise, if at least one of the function applications results in "Indeterminate", then the result SHALL be "Indeterminate". Finally, only if all function applications evaluate to "False", the result of the entire expression SHALL be "False".
It is possible to express the semantics of a target matching element in a condition For instance the target match expression that compares a ldquosubject-namerdquo starting with the name ldquoJohnrdquo can be expressed as follows
ltSubjectMatch MatchId=rdquournoasisnamestcxacml10functionregexp-string-matchrdquogt ltSubjectAttributeDesignator AttributeId=rdquournoasisnamestcxacml10subjectsubject-idrdquo DataType=rdquohttpwwww3org2001XMLSchemastringrdquogt ltAttributeValue DataType=rdquohttpwwww3org2001XMLSchemastringrdquogtJohnltAttributeValuegtltSubjectMatchgt
Alternatively, the same match semantics can be expressed as an <Apply> element in a condition by using the “urn:oasis:names:tc:xacml:1.0:function:any-of” function, as follows:

<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match"/>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
  <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>

This expression of the semantics is NOT normative.
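The following Python code is an added illustration and is not part of this specification. It implements the five-branch evaluation rule for a match element stated above (designator Indeterminate, empty bag, at least one True, otherwise any Indeterminate, all False) and, beside it, the any-of formulation from the condition, transcribed from the Haskell definition given in A.14.11. The Indeterminate sentinel, the list-as-bag representation, the sample subject-id values and the approximation of regexp-string-match by Python's re.match (anchored at the start of the subject, hence the "starting with John" reading) are assumptions of the example, not of the specification.

```python
# Added example, not part of the XACML specification.
# Assumptions: Indeterminate is a sentinel object; a bag is a Python list;
# regexp-string-match is approximated by re.match (anchored at the start only).
import re
from typing import Callable, List, Union


class _Indeterminate:
    """Sentinel for the XACML Indeterminate result (compared with 'is', never '==')."""

    def __repr__(self) -> str:
        return "Indeterminate"


INDETERMINATE = _Indeterminate()
Result = Union[bool, _Indeterminate]
MatchFn = Callable[[str, str], Result]


def regexp_string_match(pattern: str, subject: str) -> Result:
    """Approximation of regexp-string-match (assumption: anchored at the start only,
    so the pattern "John" also accepts "Johnny"; end the pattern with "$" when an
    exact name is intended). An invalid pattern is a processing error: Indeterminate."""
    try:
        return re.match(pattern, subject) is not None
    except re.error:
        return INDETERMINATE


def evaluate_match(match_fn: MatchFn, value: str,
                   bag: Union[List[str], _Indeterminate]) -> Result:
    """The <SubjectMatch>/<ResourceMatch>/<ActionMatch> rule, in the order stated:
    designator or selector Indeterminate -> Indeterminate; empty bag -> False;
    any application True -> True; otherwise any application Indeterminate ->
    Indeterminate; all applications False -> False."""
    if bag is INDETERMINATE:
        return INDETERMINATE
    if len(bag) == 0:
        return False
    saw_indeterminate = False
    for element in bag:
        outcome = match_fn(value, element)   # attribute value first, bag element second
        if outcome is True:
            return True                       # True wins over an earlier Indeterminate
        if outcome is INDETERMINATE:
            saw_indeterminate = True
    return INDETERMINATE if saw_indeterminate else False


def any_of(fn: Callable[[str, str], bool], value: str, bag: List[str]) -> bool:
    """Transcription of the Haskell any_of in A.14.11:
       any_of f a []     = False
       any_of f a (x:xs) = (f a x) || (any_of f a xs)
    That model has no Indeterminate, so fn must be a plain boolean predicate here."""
    for element in bag:
        if fn(value, element):
            return True
    return False


def subject_id_starts_with_john(subject_ids: Union[List[str], _Indeterminate]) -> Result:
    """The example from the text: MatchId regexp-string-match, value "John", and the
    bag of subject-id values taken from the request context."""
    return evaluate_match(regexp_string_match, "John", subject_ids)
```

The example exercises every branch of the rule, including the one practitioners most often get wrong: a bag in which one element raises a processing error but another matches still yields True, while the same error with no match yields Indeterminate rather than False.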
A.13 Arithmetic evaluation

IEEE 754 [IEEE 754] specifies how to evaluate arithmetic functions in a context, which specifies defaults for precision, rounding, etc. XACML SHALL use this specification for the evaluation of all integer and double functions, relying on the Extended Default Context enhanced with double precision:

flags - all set to 0
trap-enablers - all set to 0 (IEEE 854 §7), with the exception of the “division-by-zero” trap enabler, which SHALL be set to 1
precision - is set to the designated double precision
rounding - is set to round-half-even (IEEE 854 §4.1)
oasis--xacml-11pdf 99
A.14 XACML standard functions

XACML specifies the following functions, which are prefixed with the “urn:oasis:names:tc:xacml:1.0:function:” relative name-space identifier.

A.14.1 Equality predicates

The following functions are the equality functions for the various primitive types. Each function for a particular data-type follows a specified standard convention for that data-type. If an argument of one of these functions were to evaluate to Indeterminate, then the function SHALL be set to Indeterminate.

string-equal
This function SHALL take two arguments of “http://www.w3.org/2001/XMLSchema#string” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. The function SHALL return True if and only if the values of both of its arguments are of equal length and each string is determined to be equal byte-by-byte according to the function “integer-equal”.

boolean-equal
This function SHALL take two arguments of “http://www.w3.org/2001/XMLSchema#boolean” and SHALL return True if and only if both values are equal.

integer-equal
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#integer” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL perform its evaluation on integers according to IEEE 754 [IEEE 754].

double-equal
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#double” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL perform its evaluation on doubles according to IEEE 754 [IEEE 754].

date-equal
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#date” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL perform its evaluation according to the “op:date-equal” function [XF Section 8.3.11].

time-equal
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#time” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL perform its evaluation according to the “op:time-equal” function [XF Section 8.3.14].

dateTime-equal
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#dateTime” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL perform its evaluation according to the “op:dateTime-equal” function [XF Section 8.3.8].
dayTimeDuration-equal
This function SHALL take two arguments of data-type “http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. This function SHALL perform its evaluation according to the “op:dayTimeDuration-equal” function [XF Section 8.3.5]. Note that the lexical representation of each argument MUST be converted to a value expressed in fractional seconds [XF Section 8.2.2].

yearMonthDuration-equal
This function SHALL take two arguments of data-type “http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. This function SHALL perform its evaluation according to the “op:yearMonthDuration-equal” function [XF Section 8.3.2]. Note that the lexical representation of each argument MUST be converted to a value expressed in integer months [XF Section 8.2.1].

anyURI-equal
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#anyURI” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL perform its evaluation according to the “op:anyURI-equal” function [XF Section 10.2.1].

x500Name-equal
This function SHALL take two arguments of “urn:oasis:names:tc:xacml:1.0:data-type:x500Name” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return “True” if and only if each Relative Distinguished Name (RDN) in the two arguments matches. Two RDNs shall be said to match if and only if the result of the following operations is “True”[3]:

1. Normalize the two arguments according to IETF RFC 2253 “Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names”.
2. If any RDN contains multiple attributeTypeAndValue pairs, re-order the AttributeValuePairs in that RDN in ascending order when compared as octet strings (described in ITU-T Rec. X.690 (1997 E) Section 11.6 “Set-of components”).
3. Compare RDNs using the rules in IETF RFC 3280 “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile”, Section 4.1.2.4 “Issuer”.
rfc822Name-equal
This function SHALL take two arguments of data-type “urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. This function SHALL determine whether two “urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name” arguments are equal. An RFC822 name consists of a local-part followed by “@” followed by a domain-part. The local-part is case-sensitive, while the domain-part (which is usually a DNS host name) is not case-sensitive. Perform the following operations:

1. Normalize the domain-part of each argument to lower case.
2. Compare the expressions by applying the function “urn:oasis:names:tc:xacml:1.0:function:string-equal” to the normalized arguments.

[3] ITU-T Rec. X.520 contains rules for matching X.500 names, but these are very complex and require knowledge of the syntax of various AttributeTypes. IETF RFC 3280 contains simplified matching rules that the XACML x500Name-equal function uses.
hexBinary-equal
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#hexBinary” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. This function SHALL return True if the octet sequences represented by the values of both arguments have equal length and are equal in a conjunctive, point-wise comparison using “urn:oasis:names:tc:xacml:1.0:function:integer-equal”. The conversion from the string representation to an octet sequence SHALL be as specified in [XS Section 3.2.15].

base64Binary-equal
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#base64Binary” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. This function SHALL return True if the octet sequences represented by the values of both arguments have equal length and are equal in a conjunctive, point-wise comparison using “urn:oasis:names:tc:xacml:1.0:function:integer-equal”. The conversion from the string representation to an octet sequence SHALL be as specified in [XS Section 3.2.16].
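The following Python code is an added illustration and is not part of this specification. It implements the equality predicates of A.14.1 whose result can differ from a plain comparison of the lexical forms (rfc822Name-equal, hexBinary-equal and base64Binary-equal) next to string-equal, so that the effect of the type-specific normalization is visible: a policy that compares an rfc822Name with string-equal would treat "Anne@SUN.COM" and "Anne@sun.com" as different principals. The Indeterminate sentinel, the UTF-8 byte comparison for strings, the sample names and the treatment of a lexically invalid argument (no "@", non-hex text, malformed base64) as a processing error yielding Indeterminate are assumptions of the example; the page does not describe that handling.

```python
# Added example, not part of the XACML specification.
# Assumptions: Indeterminate is a sentinel; strings compare as UTF-8 bytes; an
# argument that is not a valid lexical form of its data-type yields Indeterminate.
import base64
import binascii


class _Indeterminate:
    def __repr__(self) -> str:
        return "Indeterminate"


INDETERMINATE = _Indeterminate()


def _octets_equal(a: bytes, b: bytes) -> bool:
    """Equal length and a conjunctive point-wise comparison (integer-equal on octets)."""
    return len(a) == len(b) and all(x == y for x, y in zip(a, b))


def string_equal(a: str, b: str) -> bool:
    """string-equal: byte-by-byte equality, so case and encoding differences matter."""
    return _octets_equal(a.encode("utf-8"), b.encode("utf-8"))


def _normalize_rfc822(name: str) -> str:
    """Step 1 of rfc822Name-equal: lower-case the domain-part (after the last "@")
    and leave the case-sensitive local-part untouched."""
    local, at, domain = name.rpartition("@")
    if not at or not local or not domain:
        raise ValueError("not an rfc822Name: %r" % name)
    return local + "@" + domain.lower()


def rfc822_name_equal(a: str, b: str):
    """rfc822Name-equal: normalize both arguments, then apply string-equal (step 2)."""
    try:
        return string_equal(_normalize_rfc822(a), _normalize_rfc822(b))
    except ValueError:
        return INDETERMINATE


def hex_binary_equal(a: str, b: str):
    """hexBinary-equal: compare decoded octets, not the hex text, so "0aff" and
    "0AFF" are equal although string-equal says otherwise."""
    try:
        return _octets_equal(bytes.fromhex(a.strip()), bytes.fromhex(b.strip()))
    except ValueError:
        return INDETERMINATE


def base64_binary_equal(a: str, b: str):
    """base64Binary-equal: XML Schema allows whitespace inside the lexical form, so it
    is removed before strict decoding; the decoded octets are then compared."""
    try:
        oa = base64.b64decode("".join(a.split()), validate=True)
        ob = base64.b64decode("".join(b.split()), validate=True)
    except (binascii.Error, ValueError):
        return INDETERMINATE
    return _octets_equal(oa, ob)
```

Selecting the predicate that belongs to the attribute's DataType is the point: string-equal on an rfc822Name or a hexBinary value silently turns a case or whitespace difference into a Deny or Permit the policy author did not intend.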
A.14.2 Arithmetic functions

All of the following functions SHALL take two arguments of the specified data-type, integer or double, and SHALL return an element of integer or double data-type, respectively. However, the “add” functions MAY take more than two arguments. Each function evaluation SHALL proceed as specified by their logical counterparts in IEEE 754 [IEEE 754]. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate. In the case of the divide functions, if the divisor is zero, then the function SHALL evaluate to “Indeterminate”.

integer-add
This function MAY have two or more arguments.

double-add
This function MAY have two or more arguments.

integer-subtract
double-subtract
integer-multiply
double-multiply
integer-divide
double-divide
integer-mod

The following functions SHALL take a single argument of the specified data-type. The round and floor functions SHALL take a single argument of data-type “http://www.w3.org/2001/XMLSchema#double” and return data-type “http://www.w3.org/2001/XMLSchema#double”. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.

integer-abs
double-abs
round
floor
A.14.3 String conversion functions

The following functions operate on values of the XACML “http://www.w3.org/2001/XMLSchema#string” primitive type. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.

string-normalize-space
This function SHALL take one argument of data-type “http://www.w3.org/2001/XMLSchema#string” and SHALL normalize the value by stripping off all leading and trailing whitespace characters.

string-normalize-to-lower-case
This function SHALL take one argument of “http://www.w3.org/2001/XMLSchema#string” and SHALL normalize the value by converting each upper-case character to its lower-case equivalent.

A.14.4 Numeric data-type conversion functions

The following functions convert between the XACML “http://www.w3.org/2001/XMLSchema#integer” and “http://www.w3.org/2001/XMLSchema#double” primitive types. In any expression in which the functions defined below are applied, if any argument, while being evaluated, results in Indeterminate, the expression SHALL return Indeterminate.

double-to-integer
This function SHALL take one argument of data-type “http://www.w3.org/2001/XMLSchema#double” and SHALL truncate its numeric value to a whole number and return an element of data-type “http://www.w3.org/2001/XMLSchema#integer”.

integer-to-double
This function SHALL take one argument of data-type “http://www.w3.org/2001/XMLSchema#integer” and SHALL promote its value to an element of data-type “http://www.w3.org/2001/XMLSchema#double” of the same numeric value.
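The following Python code is an added illustration and is not part of this specification. It implements the arithmetic, rounding and numeric conversion functions of A.14.2 to A.14.4 under the evaluation context fixed in A.13: only the division-by-zero trap is enabled, so a zero divisor yields Indeterminate, while the other IEEE 754 exceptions stay untrapped (a double overflow quietly produces an infinity rather than an error) and rounding is round-half-even. Python floats are IEEE 754 doubles and round(x, 0) rounds half to even, so both map directly. The Indeterminate sentinel, truncation toward zero for an inexact integer-divide, the sign of the dividend for integer-mod, and treating a double with no integer value (infinity, NaN) as a conversion error are assumptions of the example; the page does not specify them.

```python
# Added example, not part of the XACML specification.
# Assumptions: Indeterminate is a sentinel; inexact integer-divide truncates toward
# zero; integer-mod takes the sign of the dividend; inf/NaN cannot be converted to
# an integer and yield Indeterminate.
import math
from functools import wraps


class _Indeterminate:
    def __repr__(self) -> str:
        return "Indeterminate"


INDETERMINATE = _Indeterminate()


def _xacml(fn):
    """Indeterminate in -> Indeterminate out. The trapped division-by-zero, and a
    conversion with no representable result, also yield Indeterminate."""
    @wraps(fn)
    def wrapper(*args):
        if any(a is INDETERMINATE for a in args):
            return INDETERMINATE
        try:
            return fn(*args)
        except (ZeroDivisionError, OverflowError, ValueError):
            return INDETERMINATE
    return wrapper


def _trunc_div(a: int, b: int) -> int:
    q = abs(a) // abs(b)                      # raises ZeroDivisionError for b == 0
    return q if (a < 0) == (b < 0) else -q


@_xacml
def integer_add(*xs: int) -> int:            # two or more arguments
    return sum(xs)

@_xacml
def double_add(*xs: float) -> float:         # two or more arguments, left to right
    total = 0.0
    for x in xs:
        total += x
    return total

@_xacml
def integer_subtract(a: int, b: int) -> int: return a - b
@_xacml
def double_subtract(a: float, b: float) -> float: return a - b
@_xacml
def integer_multiply(a: int, b: int) -> int: return a * b
@_xacml
def double_multiply(a: float, b: float) -> float: return a * b   # overflow -> inf, untrapped
@_xacml
def integer_divide(a: int, b: int) -> int: return _trunc_div(a, b)
@_xacml
def double_divide(a: float, b: float) -> float: return a / b      # b == 0.0 -> trap
@_xacml
def integer_mod(a: int, b: int) -> int: return a - b * _trunc_div(a, b)
@_xacml
def integer_abs(a: int) -> int: return abs(a)
@_xacml
def double_abs(a: float) -> float: return abs(a)

@_xacml
def round_(x: float) -> float:
    """round: nearest whole number, ties to even (2.5 -> 2.0, 3.5 -> 4.0)."""
    return round(x, 0)

@_xacml
def floor_(x: float) -> float:
    return x if not math.isfinite(x) else float(math.floor(x))

@_xacml
def double_to_integer(x: float) -> int:
    """double-to-integer: truncate toward zero (int() truncates; inf and NaN raise)."""
    return int(x)

@_xacml
def integer_to_double(n: int) -> float:
    return float(n)
```

A policy that divides by an attribute taken from the request cannot rely on the result being a number: with the A.13 context the division becomes Indeterminate and the enclosing rule does not evaluate to Permit or Deny, whereas an overflow does not and silently compares as infinity.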
A.14.5 Logical functions

This section contains the specification for logical functions that operate on arguments of the “http://www.w3.org/2001/XMLSchema#boolean” data-type.
or
This function SHALL return False if it has no arguments and SHALL return True if one of its arguments evaluates to True. The order of evaluation SHALL be from first argument to last. The evaluation SHALL stop with a result of True if any argument evaluates to True, leaving the rest of the arguments unevaluated. In an expression that contains any of these functions, if ANY argument to this function evaluates to Indeterminate, then the expression SHALL evaluate to Indeterminate.
and
This function SHALL return True if it has no arguments and SHALL return False if one of its arguments evaluates to False. The order of evaluation SHALL be from first argument to last. The evaluation SHALL stop with a result of False if any argument evaluates to False, leaving the rest of the arguments unevaluated. In an expression that contains any of these functions, if ANY argument to this function evaluates to Indeterminate, then the expression SHALL evaluate to Indeterminate.

n-of
The first argument to this function SHALL be of data-type “http://www.w3.org/2001/XMLSchema#integer”, specifying the number of the remaining arguments that MUST evaluate to True for the expression to be considered True. If the first argument is 0, the result SHALL be True. If the number of arguments after the first one is less than the value of the first argument, then the expression SHALL result in Indeterminate. The order of evaluation SHALL be: first evaluate the integer value, then evaluate each subsequent argument. The evaluation SHALL stop and return True if the specified number of arguments evaluate to True. The evaluation of arguments SHALL stop if it is determined that evaluating the remaining arguments will not satisfy the requirement. In an expression that contains any of these functions, if ANY argument to this function evaluates to Indeterminate, then the expression SHALL evaluate to Indeterminate.

not
This function SHALL take one logical argument. If the argument evaluates to True, then the result of the expression SHALL be False. If the argument evaluates to False, then the result of the expression SHALL be True. In an expression that contains any of these functions, if ANY argument to this function evaluates to Indeterminate, then the expression SHALL evaluate to Indeterminate.

Note: For an expression that is an application of AND, OR or N-OF, it MAY NOT be necessary to attempt a full evaluation of each boolean argument to a truth value in order to determine whether the evaluation of the argument would result in Indeterminate. Analysis of the argument regarding its necessary attributes, or other analysis regarding errors such as divide-by-zero, may render the argument error-free. Such arguments, occurring in the expression in a position after the evaluation is stated to stop, need not be processed.
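The following Python code is an added illustration and is not part of this specification. It implements the four logical functions of A.14.5 with the evaluation order, the early stop and the Indeterminate rule stated above. Arguments are passed as zero-argument callables so that "leaving the rest of the arguments unevaluated" is observable, and the Probe helper records whether it was ever evaluated. The Indeterminate sentinel is an assumption of the example. So is the reading of the Indeterminate rule, which the text leaves open: here an Indeterminate argument that is actually evaluated makes the result Indeterminate, while an argument after the stopping point is never looked at; a negative first argument to n-of, which the page does not discuss, is treated as an error.

```python
# Added example, not part of the XACML specification.
# Assumptions: Indeterminate is a sentinel; strict left-to-right evaluation, where
# an evaluated Indeterminate argument decides the result and arguments after the
# stopping point are never evaluated; a negative n in n-of is an error.
from typing import Callable, Union


class _Indeterminate:
    def __repr__(self) -> str:
        return "Indeterminate"


INDETERMINATE = _Indeterminate()
Result = Union[bool, _Indeterminate]
Thunk = Callable[[], Result]


class Probe:
    """A lazily evaluated argument that remembers whether it was evaluated."""

    def __init__(self, value: Result) -> None:
        self.value = value
        self.evaluated = False

    def __call__(self) -> Result:
        self.evaluated = True
        return self.value


def or_(*args: Thunk) -> Result:
    """or: False with no arguments; stops at the first True."""
    for arg in args:
        v = arg()
        if v is INDETERMINATE:
            return INDETERMINATE
        if v is True:
            return True
    return False


def and_(*args: Thunk) -> Result:
    """and: True with no arguments; stops at the first False."""
    for arg in args:
        v = arg()
        if v is INDETERMINATE:
            return INDETERMINATE
        if v is False:
            return False
    return True


def n_of(n: int, *args: Thunk) -> Result:
    """n-of: True once n arguments are True; stops early with False as soon as the
    unevaluated arguments can no longer make up the shortfall."""
    if n == 0:
        return True
    if n < 0 or len(args) < n:                # too few arguments -> Indeterminate
        return INDETERMINATE
    trues = 0
    for index, arg in enumerate(args):
        if trues + (len(args) - index) < n:   # remaining arguments cannot satisfy n
            return False
        v = arg()
        if v is INDETERMINATE:
            return INDETERMINATE
        if v is True:
            trues += 1
            if trues == n:
                return True
    return False


def not_(arg: Thunk) -> Result:
    v = arg()
    return INDETERMINATE if v is INDETERMINATE else (not v)
```

Because evaluation stops early, the position of a condition within an "or" or "and" decides whether a missing attribute (an Indeterminate designator) reaches the combining algorithm or is never looked at; the Probe objects in the test make that visible.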
A.14.6 Arithmetic comparison functions

These functions form a minimal set for comparing two numbers, yielding a boolean result. They SHALL comply with the rules governed by IEEE 754 [IEEE 754]. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.
integer-greater-than
integer-greater-than-or-equal
integer-less-than
integer-less-than-or-equal
double-greater-than
double-greater-than-or-equal
double-less-than
double-less-than-or-equal
A.14.7 Date and time arithmetic functions

These functions perform arithmetic operations with the date and time. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.

dateTime-add-dayTimeDuration
This function SHALL take two arguments, the first is of data-type “http://www.w3.org/2001/XMLSchema#dateTime” and the second is of data-type “http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration”. It SHALL return a result of “http://www.w3.org/2001/XMLSchema#dateTime”. This function SHALL return the value by adding the second argument to the first argument according to the specification of adding durations to date and time [XS Appendix E].

dateTime-add-yearMonthDuration
This function SHALL take two arguments, the first is a “http://www.w3.org/2001/XMLSchema#dateTime” and the second is a “http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration”. It SHALL return a result of “http://www.w3.org/2001/XMLSchema#dateTime”. This function SHALL return the value by adding the second argument to the first argument according to the specification of adding durations to date and time [XS Appendix E].

dateTime-subtract-dayTimeDuration
This function SHALL take two arguments, the first is a “http://www.w3.org/2001/XMLSchema#dateTime” and the second is a “http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration”. It SHALL return a result of “http://www.w3.org/2001/XMLSchema#dateTime”. If the second argument is a positive duration, then this function SHALL return the value by adding the corresponding negative duration, as per the specification [XS Appendix E]. If the second argument is a negative duration, then the result SHALL be as if the function “urn:oasis:names:tc:xacml:1.0:function:dateTime-add-dayTimeDuration” had been applied to the corresponding positive duration.

dateTime-subtract-yearMonthDuration
This function SHALL take two arguments, the first is a “http://www.w3.org/2001/XMLSchema#dateTime” and the second is a “http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration”. It SHALL return a result of “http://www.w3.org/2001/XMLSchema#dateTime”. If the second argument is a positive duration, then this function SHALL return the value by adding the corresponding negative duration, as per the specification [XS Appendix E]. If the second argument is a negative duration, then the result SHALL be as if the function “urn:oasis:names:tc:xacml:1.0:function:dateTime-add-yearMonthDuration” had been applied to the corresponding positive duration.

date-add-yearMonthDuration
This function SHALL take two arguments, the first is a “http://www.w3.org/2001/XMLSchema#date” and the second is a “http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration”. It SHALL return a result of “http://www.w3.org/2001/XMLSchema#date”. This function SHALL return the value by adding the second argument to the first argument according to the specification of adding durations to date [XS Appendix E].
date-subtract-yearMonthDuration
This function SHALL take two arguments, the first is a “http://www.w3.org/2001/XMLSchema#date” and the second is a “http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration”. It SHALL return a result of “http://www.w3.org/2001/XMLSchema#date”. If the second argument is a positive duration, then this function SHALL return the value by adding the corresponding negative duration, as per the specification [XS Appendix E]. If the second argument is a negative duration, then the result SHALL be as if the function “urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration” had been applied to the corresponding positive duration.

A.14.8 Non-numeric comparison functions

These functions perform comparison operations on two arguments of non-numerical types. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.

string-greater-than
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#string” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if and only if the arguments are compared byte by byte and, after an initial prefix of corresponding bytes from both arguments that are considered equal by “urn:oasis:names:tc:xacml:1.0:function:integer-equal”, the next byte-by-byte comparison is such that the byte from the first argument is greater than the byte from the second argument by the use of the function “urn:oasis:names:tc:xacml:1.0:function:integer-greater-than”.
string-greater-than-or-equal
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#string” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return a result as if evaluated with the logical function “urn:oasis:names:tc:xacml:1.0:function:or” with two arguments containing the functions “urn:oasis:names:tc:xacml:1.0:function:string-greater-than” and “urn:oasis:names:tc:xacml:1.0:function:string-equal” containing the original arguments.

string-less-than
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#string” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if and only if the arguments are compared byte by byte and, after an initial prefix of corresponding bytes from both arguments that are considered equal by “urn:oasis:names:tc:xacml:1.0:function:integer-equal”, the next byte-by-byte comparison is such that the byte from the first argument is less than the byte from the second argument by the use of the function “urn:oasis:names:tc:xacml:1.0:function:integer-less-than”.

string-less-than-or-equal
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#string” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return a result as if evaluated with the function “urn:oasis:names:tc:xacml:1.0:function:or” with two arguments containing the functions “urn:oasis:names:tc:xacml:1.0:function:string-less-than” and “urn:oasis:names:tc:xacml:1.0:function:string-equal” containing the original arguments.
time-greater-than
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#time” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is greater than the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#time” [XS Section 3.2.8].

time-greater-than-or-equal
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#time” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is greater than or equal to the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#time” [XS Section 3.2.8].

time-less-than
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#time” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is less than the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#time” [XS Section 3.2.8].

time-less-than-or-equal
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#time” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is less than or equal to the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#time” [XS Section 3.2.8].

dateTime-greater-than
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#dateTime” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is greater than the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#dateTime” [XS Section 3.2.7].

dateTime-greater-than-or-equal
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#dateTime” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is greater than or equal to the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#dateTime” [XS Section 3.2.7].

dateTime-less-than
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#dateTime” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is less than the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#dateTime” [XS Section 3.2.7].
dateTime-less-than-or-equal
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#dateTime” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is less than or equal to the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#dateTime” [XS Section 3.2.7].

date-greater-than
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#date” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is greater than the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#date” [XS Section 3.2.9].

date-greater-than-or-equal
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#date” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is greater than or equal to the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#date” [XS Section 3.2.9].

date-less-than
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#date” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is less than the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#date” [XS Section 3.2.9].

date-less-than-or-equal
This function SHALL take two arguments of data-type “http://www.w3.org/2001/XMLSchema#date” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. It SHALL return True if the first argument is less than or equal to the second argument according to the order relation specified for “http://www.w3.org/2001/XMLSchema#date” [XS Section 3.2.9].

A.14.9 Bag functions

These functions operate on a bag of “type” values, where type is one of the primitive types. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate. Some additional conditions defined for each function below SHALL cause the expression to evaluate to Indeterminate.

type-one-and-only
This function SHALL take an argument of a bag of “type” values and SHALL return a value of data-type “type”. It SHALL return the only value in the bag. If the bag does not have one and only one value, then the expression SHALL evaluate to Indeterminate.

type-bag-size
This function SHALL take a bag of “type” values as an argument and SHALL return an “http://www.w3.org/2001/XMLSchema#integer” indicating the number of values in the bag.
type-is-in
This function SHALL take an argument of data-type “type” as the first argument and a bag of “type” values as the second argument. The expression SHALL evaluate to True if the first argument matches, by the “urn:oasis:names:tc:xacml:1.0:function:type-equal” function, any value in the bag.

type-bag
This function SHALL take any number of arguments of a single data-type and return a bag of “type” values containing the values of the arguments. An application of this function to zero arguments SHALL produce an empty bag of the specified data-type.

A.14.10 Set functions

These functions operate on bags mimicking sets by eliminating duplicate elements from a bag. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.

type-intersection
This function SHALL take two arguments that are both a bag of “type” values. The expression SHALL return a bag of “type” values such that it contains only elements that are common between the two bags, which is determined by “urn:oasis:names:tc:xacml:1.0:function:type-equal”. No duplicates, as determined by “urn:oasis:names:tc:xacml:1.0:function:type-equal”, SHALL exist in the result.

type-at-least-one-member-of
This function SHALL take two arguments that are both a bag of “type” values. The expression SHALL evaluate to True if at least one element of the first argument is contained in the second argument, as determined by “urn:oasis:names:tc:xacml:1.0:function:type-is-in”.

type-union
This function SHALL take two arguments that are both a bag of “type” values. The expression SHALL return a bag of “type” such that it contains all elements of both bags. No duplicates, as determined by “urn:oasis:names:tc:xacml:1.0:function:type-equal”, SHALL exist in the result.

type-subset
This function SHALL take two arguments that are both a bag of “type” values. It SHALL return True if the first argument is a subset of the second argument. Each argument is considered to have its duplicates removed, as determined by “urn:oasis:names:tc:xacml:1.0:function:type-equal”, before subset calculation.

type-set-equals
This function SHALL take two arguments that are both a bag of “type” values and SHALL return the result of applying “urn:oasis:names:tc:xacml:1.0:function:and” to the application of “urn:oasis:names:tc:xacml:1.0:function:type-subset” to the first and second arguments and the application of “urn:oasis:names:tc:xacml:1.0:function:type-subset” to the second and first arguments.
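The following Python code is an added illustration and is not part of this specification. It implements the bag functions of A.14.9 and the set functions of A.14.10 for one primitive type, written so that membership and duplicate removal go through the type's own "-equal" function rather than Python's == or hashing, which is what the text requires. The type chosen is hexBinary, whose equality compares decoded octets, so "0A" and "0a" are duplicates of each other although they are different strings. The Indeterminate sentinel, the list-as-bag representation (keeping duplicates and order, first occurrence retained on deduplication), the sample values, and the treatment of a lexically invalid hexBinary as a processing error that makes the expression Indeterminate are assumptions of the example.

```python
# Added example, not part of the XACML specification.
# Assumptions: Indeterminate is a sentinel; bags are lists that keep duplicates and
# order; deduplication keeps the first occurrence; a non-hex value yields Indeterminate.
from functools import wraps
from typing import Callable, List, TypeVar

T = TypeVar("T")
Equal = Callable[[T, T], bool]


class _Indeterminate:
    def __repr__(self) -> str:
        return "Indeterminate"


INDETERMINATE = _Indeterminate()


def hex_binary_equal(a: str, b: str) -> bool:
    """The type-equal for hexBinary: octet comparison (ValueError on non-hex input)."""
    return bytes.fromhex(a) == bytes.fromhex(b)


def _indeterminate_on_error(fn):
    @wraps(fn)
    def wrapper(*args):
        try:
            return fn(*args)
        except ValueError:
            return INDETERMINATE
    return wrapper


def _is_in(value: T, bag: List[T], eq: Equal) -> bool:
    return any(eq(value, x) for x in bag)


def _dedup(bag: List[T], eq: Equal) -> List[T]:
    """Keep the first of each group of type-equal values (O(n^2), no hashing)."""
    out: List[T] = []
    for x in bag:
        if not _is_in(x, out, eq):
            out.append(x)
    return out


def _subset(a: List[T], b: List[T], eq: Equal) -> bool:
    return all(_is_in(x, b, eq) for x in _dedup(a, eq))


# A.14.9 bag functions
def one_and_only(bag: List[T]):
    return bag[0] if len(bag) == 1 else INDETERMINATE


def bag_size(bag: List[T]) -> int:
    return len(bag)                        # duplicates count: a bag is not a set


@_indeterminate_on_error
def is_in(value: T, bag: List[T], eq: Equal) -> bool:
    return _is_in(value, bag, eq)


def make_bag(*values: T) -> List[T]:
    return list(values)                    # zero arguments -> empty bag


# A.14.10 set functions (duplicates removed by type-equal)
@_indeterminate_on_error
def intersection(a, b, eq): return [x for x in _dedup(a, eq) if _is_in(x, b, eq)]
@_indeterminate_on_error
def union(a, b, eq): return _dedup(a + b, eq)
@_indeterminate_on_error
def at_least_one_member_of(a, b, eq): return any(_is_in(x, b, eq) for x in a)
@_indeterminate_on_error
def subset(a, b, eq): return _subset(a, b, eq)
@_indeterminate_on_error
def set_equals(a, b, eq): return _subset(a, b, eq) and _subset(b, a, eq)
```

The one-and-only function is the usual way a condition pulls a single attribute value out of a designator; a request that carries two values for that attribute, or none, therefore makes the rule Indeterminate rather than silently taking the first value.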
A.14.11 Higher-order bag functions

This section describes functions in XACML that perform operations on bags such that functions may be applied to the bags in general.

In this section, a general-purpose functional language called Haskell [Haskell] is used to formally specify the semantics of these functions. Although the English description is adequate, a formal specification of the semantics is helpful.

For a quick summary, in the following Haskell notation, a function definition takes the form of clauses that are applied to patterns of structures, namely lists. The symbol “[]” denotes the empty list, whereas the expression “(x:xs)” matches against an argument of a non-empty list, of which “x” represents the first element of the list and “xs” is the rest of the list, which may be an empty list. We use the Haskell notion of a list, which is an ordered collection of elements, to model the XACML bags of values.

A simple Haskell definition of a familiar function, “urn:oasis:names:tc:xacml:1.0:function:and”, that takes a list of booleans is defined as follows:

and :: [Bool] -> Bool
and [] = True
and (x:xs) = x && (and xs)
The first definition line, denoted by a “::”, formally describes the data-type of the function, which takes a list of booleans, denoted by “[Bool]”, and returns a boolean, denoted by “Bool”. The second definition line is a clause that states that the function “and” applied to the empty list is True. The third definition line is a clause that states that, for a non-empty list such that the first element is “x”, which is a value of data-type Bool, the function “and” applied to the list SHALL be x combined, using the logical conjunction function, which is denoted by the infix symbol “&&”, with the result of recursively applying the function “and” to the rest of the list. Of course, an application of the “and” function is True if and only if the list to which it is applied is empty or every element of the list is True. For example, the evaluation of the following Haskell expressions:
(and []), (and [True]), (and [True,True]), (and [True,True,False])

evaluate to True, True, True and False, respectively.

In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.

any-of
This function applies a boolean function between a specific primitive value and a bag of values, and SHALL return True if and only if the predicate is True for at least one element of the bag.

This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a value of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element is applied to the second argument and each element of the third argument (the bag) and the results are combined with “urn:oasis:names:tc:xacml:1.0:function:or”.

In Haskell, the semantics of this operation are as follows:
any_of :: ( a -> b -> Bool ) -> a -> [b] -> Bool
any_of f a [] = False
any_of f a (x:xs) = (f a x) || (any_of f a xs)
In the above notation, "f" is the function name to be applied, "a" is the primitive value, and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression SHALL return True:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Paul</AttributeValue>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Paul</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">George</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Ringo</AttributeValue>
  </Apply>
</Apply>
This expression is True because the first argument is equal to at least one of the elements of the bag.
all-of
This function applies a boolean function between a specific primitive value and a bag of values, and returns True if and only if the predicate is True for every element of the bag.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a value of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied to the second argument and each element of the third argument (the bag), and the results were combined using "urn:oasis:names:tc:xacml:1.0:function:and".
In Haskell, the semantics of this operation are as follows:
all_of :: ( a -> b -> Bool ) -> a -> [b] -> Bool
all_of f a [] = True    -- the empty bag is vacuously satisfied, as "and []" is True
all_of f a (x:xs) = (f a x) && (all_of f a xs)
In the above notation, "f" is the function name to be applied, "a" is the primitive value, and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression SHALL evaluate to True:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:all-of">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater"/>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">10</AttributeValue>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">9</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">4</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</AttributeValue>
  </Apply>
</Apply>
This expression is True because the first argument is greater than all of the elements of the bag.
any-of-any
This function applies a boolean function between each element of a bag of values and each element of another bag of values, and returns True if and only if the predicate is True for at least one comparison.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a bag of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied between every element in the second argument and every element of the third argument (the bag), and the results were combined using "urn:oasis:names:tc:xacml:1.0:function:or". The semantics are that the result of the expression SHALL be True if and only if the applied predicate is True for any comparison of elements from the two bags.
In Haskell, taking advantage of the "any_of" function defined above, the semantics of the "any_of_any" function are as follows:
any_of_any :: ( a -> b -> Bool ) -> [a] -> [b] -> Bool
any_of_any f [] ys = False
any_of_any f (x:xs) ys = (any_of f x ys) || (any_of_any f xs ys)
In the above notation, "f" is the function name to be applied, and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression SHALL evaluate to True:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Ringo</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Mary</AttributeValue>
  </Apply>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Paul</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">George</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Ringo</AttributeValue>
  </Apply>
</Apply>
This expression is True because at least one of the elements of the first bag, namely "Ringo", is equal to at least one of the string values of the second bag.
all-of-any
This function applies a boolean function between the elements of two bags. The expression is True if and only if the predicate is True between each and all of the elements of the first bag, collectively, against at least one element of the second bag.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a bag of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied between every element in the second argument and every element of the third argument (the bag), using "urn:oasis:names:tc:xacml:1.0:function:and". The semantics are that the result of the expression SHALL be True if and only if the applied predicate is True for each element of the first bag and any element of the second bag.
In Haskell, taking advantage of the "any_of" function defined in Haskell above, the semantics of the "all_of_any" function are as follows:
all_of_any :: ( a -> b -> Bool ) -> [a] -> [b] -> Bool
all_of_any f [] ys = True    -- an empty first bag is vacuously satisfied, as "and []" is True
all_of_any f (x:xs) ys = (any_of f x ys) && (all_of_any f xs ys)
In the above notation, "f" is the function name to be applied, and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression SHALL evaluate to True:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:all-of-any">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater"/>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">10</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">20</AttributeValue>
  </Apply>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">5</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">21</AttributeValue>
  </Apply>
</Apply>
This expression is True because all of the elements of the first bag, "10" and "20", are each greater than at least one of the integer values "1", "3", "5", "21" of the second bag.
any-of-all
This function applies a boolean function between the elements of two bags. The expression SHALL be True if and only if the predicate is True between at least one of the elements of the first bag, collectively, against all the elements of the second bag.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a bag of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied between every element in the second argument and every element of the third argument (the bag), and the results were combined using "urn:oasis:names:tc:xacml:1.0:function:or". The semantics are that the result of the expression SHALL be True if and only if the applied predicate is True for any element of the first bag compared to all the elements of the second bag.
In Haskell, taking advantage of the "all_of" function defined in Haskell above, the semantics of the "any_of_all" function are as follows:
any_of_all :: ( a -> b -> Bool ) -> [a] -> [b] -> Bool
any_of_all f [] ys = False
any_of_all f (x:xs) ys = (all_of f x ys) || (any_of_all f xs ys)
In the above notation, "f" is the function name to be applied, and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression SHALL evaluate to True:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-all">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater"/>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">5</AttributeValue>
  </Apply>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">4</AttributeValue>
  </Apply>
</Apply>
This expression is True because at least one element of the first bag, namely "5", is greater than all of the integer values "1", "2", "3", "4" of the second bag.
all-of-all
This function applies a boolean function between the elements of two bags. The expression SHALL be True if and only if the predicate is True between each and all of the elements of the first bag, collectively, against all the elements of the second bag.
This function SHALL take three arguments. The first argument SHALL be a <Function> element that names a boolean function that takes two arguments of primitive types. The second argument SHALL be a bag of a primitive data-type. The third argument SHALL be a bag of a primitive data-type. The expression is evaluated as if the function named in the <Function> element were applied between every element in the second argument and every element of the third argument (the bag), and the results were combined using "urn:oasis:names:tc:xacml:1.0:function:and". The semantics are that the result of the expression is True if and only if the applied predicate is True for all elements of the first bag compared to all the elements of the second bag.
In Haskell, taking advantage of the "all_of" function defined in Haskell above, the semantics of the "all_of_all" function are as follows:
all_of_all :: ( a -> b -> Bool ) -> [a] -> [b] -> Bool
all_of_all f [] ys = True    -- an empty first bag is vacuously satisfied, as "and []" is True
all_of_all f (x:xs) ys = (all_of f x ys) && (all_of_all f xs ys)
In the above notation, "f" is the function name to be applied, and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression SHALL evaluate to True:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:all-of-all">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater"/>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">6</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">5</AttributeValue>
  </Apply>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">4</AttributeValue>
  </Apply>
</Apply>
This expression is True because all elements of the first bag, "5" and "6", are each greater than all of the integer values "1", "2", "3", "4" of the second bag.
map
This function converts a bag of values to another bag of values.
This function SHALL take two arguments. The first argument SHALL be a <Function> element naming a function that takes a single argument of a primitive data-type and returns a value of a primitive data-type. The second argument SHALL be a bag of a primitive data-type. The expression SHALL be evaluated as if the function named in the <Function> element were applied to each element in the bag, resulting in a bag of the converted values. The result SHALL be a bag of the primitive data-type that is the same data-type that is returned by the function named in the <Function> element.
In Haskell, this function is defined as follows:
map :: (a -> b) -> [a] -> [b]
map f [] = []
map f (x:xs) = (f x) : (map f xs)
In the above notation, "f" is the function name to be applied, and "(x:xs)" represents the first element of the list as "x" and the rest of the list as "xs".
For example, the following expression
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:map">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-normalize-to-lower-case"/>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Hello</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">World</AttributeValue>
  </Apply>
</Apply>
evaluates to a bag containing "hello" and "world".
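The seven higher-order bag functions above, re-evaluated in one place, as an added example that is not code from the OASIS specification. It follows the Haskell definitions in the text for any-of, all-of, any-of-any, all-of-any, any-of-all, all-of-all and map, and adds the rule from the same section that any Indeterminate argument makes the whole expression Indeterminate. The empty bag yields False for the or-combined forms and True for the and-combined forms, as the text's own definition of "and" on the empty list requires. Bags are modelled as Python lists, the named <Function> as a Python callable, and every function and variable name below is this example's own choice.

```python
"""Reference evaluator for the XACML 1.1 higher-order bag functions.

Added example; not the specification's code. Bags are Python lists, the
<Function> argument is a callable, and INDETERMINATE is a sentinel for
the XACML Indeterminate result.
"""
from typing import Any, Callable, List


class Indeterminate:
    """Sentinel standing in for the XACML 'Indeterminate' result."""

    def __repr__(self) -> str:
        return "Indeterminate"


INDETERMINATE = Indeterminate()


def _has_indeterminate(*args: Any) -> bool:
    """True when any argument, or any element of a bag argument, is Indeterminate."""
    for arg in args:
        if arg is INDETERMINATE:
            return True
        if isinstance(arg, list) and any(x is INDETERMINATE for x in arg):
            return True
    return False


def any_of(f: Callable[[Any, Any], bool], a: Any, bag: List[Any]):
    """any_of f a bag: results combined with 'or'; the empty bag gives False."""
    if _has_indeterminate(a, bag):
        return INDETERMINATE
    return any(f(a, x) for x in bag)


def all_of(f: Callable[[Any, Any], bool], a: Any, bag: List[Any]):
    """all_of f a bag: results combined with 'and'; the empty bag gives True."""
    if _has_indeterminate(a, bag):
        return INDETERMINATE
    return all(f(a, x) for x in bag)


def any_of_any(f, xs: List[Any], ys: List[Any]):
    """True if f holds for some x in xs against some y in ys."""
    if _has_indeterminate(xs, ys):
        return INDETERMINATE
    return any(any_of(f, x, ys) for x in xs)


def all_of_any(f, xs: List[Any], ys: List[Any]):
    """True if every x in xs satisfies f against at least one y in ys."""
    if _has_indeterminate(xs, ys):
        return INDETERMINATE
    return all(any_of(f, x, ys) for x in xs)


def any_of_all(f, xs: List[Any], ys: List[Any]):
    """True if some x in xs satisfies f against every y in ys."""
    if _has_indeterminate(xs, ys):
        return INDETERMINATE
    return any(all_of(f, x, ys) for x in xs)


def all_of_all(f, xs: List[Any], ys: List[Any]):
    """True if every x in xs satisfies f against every y in ys."""
    if _has_indeterminate(xs, ys):
        return INDETERMINATE
    return all(all_of(f, x, ys) for x in xs)


def bag_map(f: Callable[[Any], Any], bag: List[Any]):
    """map f bag: apply f to each element, yielding a bag of the result type."""
    if _has_indeterminate(bag):
        return INDETERMINATE
    return [f(x) for x in bag]


# The two-argument predicates used by the worked <Apply> expressions in the text.
def string_equal(a: str, b: str) -> bool:
    return a == b


def integer_greater(a: int, b: int) -> bool:
    return a > b


def spec_examples() -> dict:
    """Re-evaluate the worked expressions from the text: all True, except
    map, which yields the bag ['hello', 'world']."""
    beatles = ["John", "Paul", "George", "Ringo"]
    return {
        "any-of": any_of(string_equal, "Paul", beatles),
        "all-of": all_of(integer_greater, 10, [9, 3, 4, 2]),
        "any-of-any": any_of_any(string_equal, ["Ringo", "Mary"], beatles),
        "all-of-any": all_of_any(integer_greater, [10, 20], [1, 3, 5, 21]),
        "any-of-all": any_of_all(integer_greater, [3, 5], [1, 2, 3, 4]),
        "all-of-all": all_of_all(integer_greater, [6, 5], [1, 2, 3, 4]),
        "map": bag_map(str.lower, ["Hello", "World"]),
    }
```

A consequence worth checking when writing conditions: the and-combined forms are vacuously True on an empty bag, so a condition such as all-of over a subject's role attribute is satisfied by a request that carries no such attribute at all. Where presence matters, a policy should test the bag size separately rather than rely on all-of alone.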
A.1.4.12 Special match functions
These functions operate on various types and evaluate to "http://www.w3.org/2001/XMLSchema#boolean" based on the specified standard matching algorithm. In an expression that contains any of these functions, if any argument is Indeterminate, then the expression SHALL evaluate to Indeterminate.
regexp-string-match
This function decides a regular expression match. It SHALL take two arguments of "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". The first argument SHALL be a regular expression and the second argument SHALL be a general string. The function specification SHALL be that of the "xf:matches" function with the arguments reversed [XF Section 6.3.15].
x500Name-match
This function shall take two arguments of "urn:oasis:names:tc:xacml:1.0:data-type:x500Name" and shall return an "http://www.w3.org/2001/XMLSchema#boolean". It shall return "True" if and only if the first argument matches some terminal sequence of RDNs from the second argument when compared using x500Name-equal.
rfc822Name-match
This function SHALL take two arguments, the first of data-type "http://www.w3.org/2001/XMLSchema#string" and the second of data-type "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name", and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL evaluate to True if the first argument matches the second argument according to the following specification.
An RFC822 name consists of a local-part followed by "@" followed by a domain-part. The local-part is case-sensitive, while the domain-part (which is usually a DNS name) is not case-sensitive.[4]
The second argument contains a complete rfc822Name. The first argument is a complete or partial rfc822Name used to select appropriate values in the second argument as follows.
In order to match a particular mailbox in the second argument, the first argument must specify the complete mail address to be matched. For example, if the first argument is "Anderson@sun.com", this matches a value in the second argument of "Anderson@sun.com" and "Anderson@SUN.COM", but not "Anne.Anderson@sun.com", "anderson@sun.com" or "Anderson@east.sun.com".
In order to match any mail address at a particular domain in the second argument, the first argument must specify only a domain name (usually a DNS name). For example, if the first argument is "sun.com", this matches a value in the second argument of "Anderson@sun.com" or "Baxter@SUN.COM", but not "Anderson@east.sun.com".
In order to match any mail address in a particular domain in the second argument, the first argument must specify the desired domain-part with a leading ".". For example, if the first argument is ".east.sun.com", this matches a value in the second argument of "Anderson@east.sun.com" and "anne.anderson@ISRG.EAST.SUN.COM", but not "Anderson@sun.com".
[4] According to IETF RFC822 and its successor specifications [RFC2821], case is significant in the local-part. Many mail systems, as well as the IETF PKIX specification, treat the local-part as case-insensitive. This anomaly is considered an error by mail-system designers and is not encouraged. For this reason, rfc822Name-match treats the local-part as case-sensitive.
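The two name-matching functions of this section, rfc822Name-match and x500Name-match, as an added example (not the OASIS specification's own code). rfc822Name-match implements the three selection modes the text gives (complete mailbox, bare domain, domain with a leading ".") with a case-sensitive local-part and a case-insensitive domain-part, and is checked against the text's own sample values. x500Name-match tests whether the first name is a terminal sequence of RDNs of the second; the RDN comparison it uses is an assumption of this example, a simplified x500Name-equal that splits on unescaped commas, compares attribute types case-insensitively and values case-insensitively after whitespace normalisation (caseIgnoreMatch), since a full RFC 2253 parser is out of scope. The DN sample values are constructed and are not from the specification.

```python
"""rfc822Name-match and x500Name-match from the XACML 1.1 special match
functions. Added example; not the specification's code. The RDN
comparison is a simplified stand-in for x500Name-equal (an assumption).
"""
import re
from typing import List, Tuple


def rfc822name_match(pattern: str, name: str) -> bool:
    """XACML rfc822Name-match: does `pattern` select the mailbox `name`?"""
    if "@" not in name:
        raise ValueError("second argument must be a complete rfc822Name")
    local, _, domain = name.rpartition("@")
    domain = domain.lower()                      # domain-part is case-insensitive
    if "@" in pattern:
        # complete mailbox: local-part compared exactly, domain-part folded
        p_local, _, p_domain = pattern.rpartition("@")
        return local == p_local and domain == p_domain.lower()
    suffix = pattern.lower()
    if suffix.startswith("."):
        # any mailbox in the named domain or in any of its sub-domains
        return domain == suffix[1:] or domain.endswith(suffix)
    # any mailbox at exactly the named domain (sub-domains do not match)
    return domain == suffix


_RDN_SPLIT = re.compile(r"(?<!\\),")             # comma not preceded by a backslash


def _rdns(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string into normalised (type, value) pairs (simplified RFC 2253)."""
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        attr_type, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr_type.strip().lower(), " ".join(value.split()).lower()))
    return rdns


def x500name_match(partial: str, full: str) -> bool:
    """XACML x500Name-match: is `partial` a terminal RDN sequence of `full`?"""
    a, b = _rdns(partial), _rdns(full)
    return len(a) <= len(b) and b[len(b) - len(a):] == a


def spec_examples() -> dict:
    """The rfc822Name-match cases listed in the text, plus two constructed
    x500Name-match cases that are not from the specification."""
    full_dn = "CN=Alice, OU=Sales, O=Example, C=US"
    return {
        "mailbox": rfc822name_match("Anderson@sun.com", "Anderson@SUN.COM"),                  # True
        "mailbox_local_case": rfc822name_match("Anderson@sun.com", "anderson@sun.com"),       # False
        "mailbox_subdomain": rfc822name_match("Anderson@sun.com", "Anderson@east.sun.com"),   # False
        "domain": rfc822name_match("sun.com", "Baxter@SUN.COM"),                              # True
        "domain_subdomain": rfc822name_match("sun.com", "Anderson@east.sun.com"),             # False
        "dot_domain": rfc822name_match(".east.sun.com", "anne.anderson@ISRG.EAST.SUN.COM"),  # True
        "dot_domain_parent": rfc822name_match(".east.sun.com", "Anderson@sun.com"),           # False
        "dn_terminal": x500name_match("o=Example,c=US", full_dn),                             # True
        "dn_not_terminal": x500name_match("ou=Sales,c=US", full_dn),                          # False
    }
```

The bare-domain mode deliberately does not match sub-domains, and the leading-dot mode matches the domain itself as well as anything beneath it; confusing the two is the usual way a policy ends up granting more (or less) than intended.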
A.1.4.13 XPath-based functions
This section specifies functions that take XPath expressions for arguments. An XPath expression evaluates to a node-set, which is a set of XML nodes that match the expression. A node or node-set is not in the formal data-type system of XACML. All comparison or other operations on node-sets are performed in the isolation of the particular function specified. The XPath expressions in these functions are restricted to the XACML request context. The <xacml-context:Request> element is the context node for every XPath expression. The following functions are defined:
xpath-node-count
This function SHALL take an "http://www.w3.org/2001/XMLSchema#string" as an argument, which SHALL be interpreted as an XPath expression, and evaluates to an "http://www.w3.org/2001/XMLSchema#integer". The value returned from the function SHALL be the count of the nodes within the node-set that matches the given XPath expression.
xpath-node-equal
This function SHALL take two "http://www.w3.org/2001/XMLSchema#string" arguments, which SHALL be interpreted as XPath expressions, and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". The function SHALL return True if any XML node from the node-set matched by the first argument equals, according to the "op:node-equal" function [XF Section 13.1.6], any XML node from the node-set matched by the second argument.
xpath-node-match
This function SHALL take two "http://www.w3.org/2001/XMLSchema#string" arguments, which SHALL be interpreted as XPath expressions, and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL evaluate to True if either of the following two conditions is satisfied: (1) Any XML node from the node-set matched by the first argument is equal, according to op:node-equal [XF Section 13.1.6], to any XML node from the node-set matched by the second argument. (2) Any attribute and element node below any XML node from the node-set matched by the first argument is equal, according to op:node-equal [XF Section 13.1.6], to any XML node from the node-set matched by the second argument.
NOTE: The first condition is equivalent to xpath-node-equal and guarantees that xpath-node-equal is a special case of xpath-node-match.
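The three XPath-based functions evaluated against a constructed request context, as an added example that is not the OASIS specification's own code. Its assumptions: ElementTree's limited XPath subset stands in for a full XPath engine; the <xacml-context:Request> element is the context node of every expression, as the text requires; op:node-equal is taken to be node identity, so two nodes are equal only when they are the same node; and, because ElementTree has no attribute nodes, xpath-node-match descends only through element nodes. The request document, the element names inside <ResourceContent>, and all function names are this example's own.

```python
"""xpath-node-count, xpath-node-equal and xpath-node-match over a request
context. Added example; not the specification's code. ElementTree's
XPath subset and node identity as op:node-equal are assumptions.
"""
import xml.etree.ElementTree as ET
from typing import List

NS = {"xacml-context": "urn:oasis:names:tc:xacml:1.0:context"}

# Constructed request context (not taken from the specification).
REQUEST_XML = """\
<xacml-context:Request xmlns:xacml-context="urn:oasis:names:tc:xacml:1.0:context">
  <xacml-context:Subject>
    <xacml-context:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string">
      <xacml-context:AttributeValue>Alice</xacml-context:AttributeValue>
    </xacml-context:Attribute>
  </xacml-context:Subject>
  <xacml-context:Resource>
    <xacml-context:ResourceContent>
      <record>
        <patient>Alice</patient>
        <physician>Bob</physician>
      </record>
    </xacml-context:ResourceContent>
  </xacml-context:Resource>
  <xacml-context:Action/>
</xacml-context:Request>
"""
REQUEST = ET.fromstring(REQUEST_XML)


def _nodeset(xpath: str) -> List[ET.Element]:
    """Evaluate `xpath` with <xacml-context:Request> as the context node.
    Only the request document is ever consulted, never an external one."""
    return REQUEST.findall(xpath, NS)


def xpath_node_count(xpath: str) -> int:
    """xpath-node-count: number of nodes matched by the expression."""
    return len(_nodeset(xpath))


def xpath_node_equal(xpath1: str, xpath2: str) -> bool:
    """xpath-node-equal: some node of the first set is the same node as
    some node of the second set."""
    second = _nodeset(xpath2)
    return any(n1 is n2 for n1 in _nodeset(xpath1) for n2 in second)


def xpath_node_match(xpath1: str, xpath2: str) -> bool:
    """xpath-node-match: condition (1) is xpath-node-equal; condition (2)
    holds when a descendant of a node in the first set equals a node in
    the second set."""
    if xpath_node_equal(xpath1, xpath2):
        return True
    second = _nodeset(xpath2)
    for n1 in _nodeset(xpath1):
        for descendant in n1.iter():             # iter() yields n1 first, then descendants
            if descendant is not n1 and any(descendant is n2 for n2 in second):
                return True
    return False
```

Because matching is by node identity rather than by textual value, `xpath_node_match(".//record", ".//patient")` is True (the patient element sits below the record element) while the reverse is False; a policy that wants to ask "is the requested element inside the record" must therefore put the enclosing expression first.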
A.1.4.14 Extension functions and primitive types
Functions and primitive types are specified by string identifiers, allowing for the introduction of functions in addition to those specified by XACML. This approach allows one to extend the XACML module with special functions and special primitive data-types.
In order to preserve some integrity to the XACML evaluation strategy, the result of all function applications SHALL depend only on the values of its arguments. Global and hidden parameters SHALL NOT affect the evaluation of an expression. Functions SHALL NOT have side effects, as evaluation order cannot be guaranteed in a standard way.
Appendix B. XACML identifiers (normative)
This section defines standard identifiers for commonly used entities. All XACML-defined identifiers have the common base:
urn:oasis:names:tc:xacml:1.0
B.1 XACML namespaces
There are currently two defined XACML namespaces.
Policies are defined using this identifier:
urn:oasis:names:tc:xacml:1.0:policy
Request and response contexts are defined using this identifier:
urn:oasis:names:tc:xacml:1.0:context
B.2 Access subject categories
This identifier indicates the system entity that initiated the access request. That is, the initial entity in a request chain. If subject category is not specified, this is the default value.
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
This identifier indicates the system entity that will receive the results of the request. Used when it is distinct from the access-subject.
urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject
This identifier indicates a system entity through which the access request was passed. There may be more than one. No means is provided to specify the order in which they passed the message.
urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject
This identifier indicates a system entity associated with a local or remote codebase that generated the request. Corresponding subject attributes might include the URL from which it was loaded and/or the identity of the code-signer. There may be more than one. No means is provided to specify the order in which they processed the request.
urn:oasis:names:tc:xacml:1.0:subject-category:codebase
This identifier indicates a system entity associated with the computer that initiated the access request. An example would be an IPsec identity.
urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine
B.3 XACML functions
This identifier is the base for all the identifiers in the table of functions. See Section A.1.
urn:oasis:names:tc:xacml:1.0:function
B.4 Data-types
The following identifiers indicate useful data-types.
X.500 distinguished name
urn:oasis:names:tc:xacml:1.0:data-type:x500Name
An x500Name contains an ITU-T Rec. X.520 Distinguished Name. The valid syntax for such a name is described in IETF RFC 2253, "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names".
RFC822 Name
urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name
An rfc822Name contains an e-mail name. The valid syntax for such a name is described in IETF RFC 2821, Section 4.1.2, "Command Argument Syntax", under the term "Mailbox".
The following data-type identifiers are defined by XML Schema:
http://www.w3.org/2001/XMLSchema#string
http://www.w3.org/2001/XMLSchema#boolean
http://www.w3.org/2001/XMLSchema#integer
http://www.w3.org/2001/XMLSchema#double
http://www.w3.org/2001/XMLSchema#time
http://www.w3.org/2001/XMLSchema#date
http://www.w3.org/2001/XMLSchema#dateTime
http://www.w3.org/2001/XMLSchema#anyURI
http://www.w3.org/2001/XMLSchema#hexBinary
http://www.w3.org/2001/XMLSchema#base64Binary
The following data-type identifiers correspond to the dayTimeDuration and yearMonthDuration data-types defined in [XF Sections 8.2.2 and 8.2.1, respectively]:
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration
http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration
B.5 Subject attributes
These identifiers indicate attributes of a subject. When used, they SHALL appear within a <Subject> element of the request context. They SHALL be accessed via a <SubjectAttributeDesignator> or an <AttributeSelector> element pointing into a <Subject> element of the request context.
At most one of each of these attributes is associated with each subject. Each attribute associated with authentication included within a single <Subject> element relates to the same authentication event.
This identifier indicates the name of the subject. The default format is "http://www.w3.org/2001/XMLSchema#string". To indicate other formats, use the DataType attributes listed in B.4.
urn:oasis:names:tc:xacml:1.0:subject:subject-id
This identifier indicates the subject category; "access-subject" is the default.
urn:oasis:names:tc:xacml:1.0:subject-category
This identifier indicates the security domain of the subject. It identifies the administrator and policy that manages the name-space in which the subject id is administered.
urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier
This identifier indicates a public key used to confirm the subject's identity.
urn:oasis:names:tc:xacml:1.0:subject:key-info
This identifier indicates the time at which the subject was authenticated.
urn:oasis:names:tc:xacml:1.0:subject:authentication-time
This identifier indicates the method used to authenticate the subject.
urn:oasis:names:tc:xacml:1.0:subject:authentication-method
This identifier indicates the time at which the subject initiated the access request, according to the PEP.
urn:oasis:names:tc:xacml:1.0:subject:request-time
This identifier indicates the time at which the subject's current session began, according to the PEP.
urn:oasis:names:tc:xacml:1.0:subject:session-start-time
The following identifiers indicate the location where authentication credentials were activated. They are intended to support the corresponding entities from the SAML authentication statement.
This identifier indicates that the location is expressed as an IP address.
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address
This identifier indicates that the location is expressed as a DNS name.
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name
Where a suitable attribute is already defined in LDAP [LDAP-1, LDAP-2], the XACML identifier SHALL be formed by adding the attribute name to the URI of the LDAP specification. For example, the attribute name for the userPassword defined in RFC 2256 SHALL be:
http://www.ietf.org/rfc/rfc2256.txt#userPassword
B.6 Resource attributes
These identifiers indicate attributes of the resource. When used, they SHALL appear within the <Resource> element of the request context. They SHALL be accessed via a <ResourceAttributeDesignator> or an <AttributeSelector> element pointing into the <Resource> element of the request context.
This identifier indicates the entire URI of the resource.
urn:oasis:names:tc:xacml:1.0:resource:resource-id
A resource attribute used to indicate values extracted from the resource.
urn:oasis:names:tc:xacml:1.0:resource:resource-content
This identifier indicates the last (rightmost) component of the file name. For example, if the URI is "file://home/my/status#pointer", the simple-file-name is "status".
urn:oasis:names:tc:xacml:1.0:resource:simple-file-name
This identifier indicates that the resource is specified by an XPath expression.
urn:oasis:names:tc:xacml:1.0:resource:xpath
This identifier indicates a UNIX file-system path.
urn:oasis:names:tc:xacml:1.0:resource:ufs-path
This identifier indicates the scope of the resource, as described in Section 7.8.
urn:oasis:names:tc:xacml:1.0:resource:scope
The allowed value for this attribute is of data-type "http://www.w3.org/2001/XMLSchema#string" and is either "Immediate", "Children" or "Descendants".
B.7 Action attributes
These identifiers indicate attributes of the action being requested. When used, they SHALL appear within the <Action> element of the request context. They SHALL be accessed via an <ActionAttributeDesignator> or an <AttributeSelector> element pointing into the <Action> element of the request context.
urn:oasis:names:tc:xacml:1.0:action:action-id
Action namespace.
urn:oasis:names:tc:xacml:1.0:action:action-namespace
Implied action. This is the value for the action-id attribute when the action is implied.
urn:oasis:names:tc:xacml:1.0:action:implied-action
B.8 Environment attributes
These identifiers indicate attributes of the environment within which the decision request is to be evaluated. When used in the decision request, they SHALL appear in the <Environment> element of the request context. They SHALL be accessed via an <EnvironmentAttributeDesignator> or an <AttributeSelector> element pointing into the <Environment> element of the request context.
This identifier indicates the current time at the PDP. In practice, it is the time at which the request context was created.
urn:oasis:names:tc:xacml:1.0:environment:current-time
urn:oasis:names:tc:xacml:1.0:environment:current-date
urn:oasis:names:tc:xacml:1.0:environment:current-dateTime
B.9 Status codes
The following status code identifiers are defined.
This identifier indicates success.
urn:oasis:names:tc:xacml:1.0:status:ok
This identifier indicates that attributes necessary to make a policy decision were not available.
urn:oasis:names:tc:xacml:1.0:status:missing-attribute
This identifier indicates that some attribute value contained a syntax error, such as a letter in a numeric field.
urn:oasis:names:tc:xacml:1.0:status:syntax-error
This identifier indicates that an error occurred during policy evaluation. An example would be division by zero.
urn:oasis:names:tc:xacml:1.0:status:processing-error
B.10 Combining algorithms
The deny-overrides rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides
The deny-overrides policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides
The permit-overrides rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides
The permit-overrides policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides
The first-applicable rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable

The first-applicable policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable

The only-one-applicable-policy policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable

The ordered-deny-overrides rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-deny-overrides

The ordered-deny-overrides policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-deny-overrides

The ordered-permit-overrides rule-combining algorithm has the following value for ruleCombiningAlgId:
urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides

The ordered-permit-overrides policy-combining algorithm has the following value for policyCombiningAlgId:
urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides
Appendix C Combining algorithms (normative)

This section contains a description of the rule-combining and policy-combining algorithms specified by XACML.

C.1 Deny-overrides

The following specification defines the "Deny-overrides" rule-combining algorithm of a policy.

In the entire set of rules in the policy, if any rule evaluates to Deny, then the result of the rule combination SHALL be Deny. If any rule evaluates to Permit and all other rules evaluate to NotApplicable, then the result of the rule combination SHALL be Permit. In other words, Deny takes precedence, regardless of the result of evaluating any of the other rules in the combination. If all rules are found to be NotApplicable to the decision request, then the rule combination SHALL evaluate to NotApplicable.

If an error occurs while evaluating the target or condition of a rule that contains an effect value of Deny, then the evaluation SHALL continue to evaluate subsequent rules, looking for a result of Deny. If no other rule evaluates to Deny, then the combination SHALL evaluate to Indeterminate, with the appropriate error status.

If at least one rule evaluates to Permit, all other rules that do not have evaluation errors evaluate to Permit or NotApplicable, and all rules that do have evaluation errors contain effects of Permit, then the result of the combination SHALL be Permit.
The following pseudo-code represents the evaluation strategy of this rule-combining algorithm.

    Decision denyOverridesRuleCombiningAlgorithm(Rule rule[]) {
        Boolean atLeastOneError = false;
        Boolean potentialDeny = false;
        Boolean atLeastOnePermit = false;
        for (i = 0; i < lengthOf(rule); i++) {
            Decision decision = evaluate(rule[i]);
            if (decision == Deny) {
                return Deny;
            }
            if (decision == Permit) {
                atLeastOnePermit = true;
                continue;
            }
            if (decision == NotApplicable) {
                continue;
            }
            if (decision == Indeterminate) {
                atLeastOneError = true;
                if (effect(rule[i]) == Deny) {
                    potentialDeny = true;
                }
                continue;
            }
        }
        if (potentialDeny) {
            return Indeterminate;
        }
        if (atLeastOnePermit) {
            return Permit;
        }
        if (atLeastOneError) {
            return Indeterminate;
        }
        return NotApplicable;
    }
The following specification defines the "Deny-overrides" policy-combining algorithm of a policy set.

In the entire set of policies in the policy set, if any policy evaluates to Deny, then the result of the policy combination SHALL be Deny. In other words, Deny takes precedence, regardless of the result of evaluating any of the other policies in the policy set. If all policies are found to be NotApplicable to the decision request, then the policy set SHALL evaluate to NotApplicable.

If an error occurs while evaluating the target of a policy, or a reference to a policy is considered invalid, or the policy evaluation results in Indeterminate, then the policy set SHALL evaluate to Deny.

The following pseudo-code represents the evaluation strategy of this policy-combining algorithm.

    Decision denyOverridesPolicyCombiningAlgorithm(Policy policy[]) {
        Boolean atLeastOnePermit = false;
        for (i = 0; i < lengthOf(policy); i++) {
            Decision decision = evaluate(policy[i]);
            if (decision == Deny) {
                return Deny;
            }
            if (decision == Permit) {
                atLeastOnePermit = true;
                continue;
            }
            if (decision == NotApplicable) {
                continue;
            }
            if (decision == Indeterminate) {
                return Deny;
            }
        }
        if (atLeastOnePermit) {
            return Permit;
        }
        return NotApplicable;
    }

Obligations of the individual policies shall be combined as described in Section 7.11.
C.2 Ordered-deny-overrides (non-normative)

The following specification defines the "Ordered-deny-overrides" rule-combining algorithm of a policy.

The behavior of this algorithm is identical to that of the "Deny-overrides" rule-combining algorithm, with one exception: the order in which the collection of rules is evaluated SHALL match the order as listed in the policy.

The following specification defines the "Ordered-deny-overrides" policy-combining algorithm of a policy set.

The behavior of this algorithm is identical to that of the "Deny-overrides" policy-combining algorithm, with one exception: the order in which the collection of policies is evaluated SHALL match the order as listed in the policy set.

C.3 Permit-overrides

The following specification defines the "Permit-overrides" rule-combining algorithm of a policy.

In the entire set of rules in the policy, if any rule evaluates to Permit, then the result of the rule combination SHALL be Permit. If any rule evaluates to Deny and all other rules evaluate to NotApplicable, then the policy SHALL evaluate to Deny. In other words, Permit takes precedence, regardless of the result of evaluating any of the other rules in the policy. If all rules are found to be NotApplicable to the decision request, then the policy SHALL evaluate to NotApplicable.

If an error occurs while evaluating the target or condition of a rule that contains an effect of Permit, then the evaluation SHALL continue, looking for a result of Permit. If no other rule evaluates to Permit, then the policy SHALL evaluate to Indeterminate, with the appropriate error status.

If at least one rule evaluates to Deny, all other rules that do not have evaluation errors evaluate to Deny or NotApplicable, and all rules that do have evaluation errors contain an effect value of Deny, then the policy SHALL evaluate to Deny.
The following pseudo-code represents the evaluation strategy of this rule-combining algorithm.

    Decision permitOverridesRuleCombiningAlgorithm(Rule rule[]) {
        Boolean atLeastOneError = false;
        Boolean potentialPermit = false;
        Boolean atLeastOneDeny = false;
        for (i = 0; i < lengthOf(rule); i++) {
            Decision decision = evaluate(rule[i]);
            if (decision == Deny) {
                atLeastOneDeny = true;
                continue;
            }
            if (decision == Permit) {
                return Permit;
            }
            if (decision == NotApplicable) {
                continue;
            }
            if (decision == Indeterminate) {
                atLeastOneError = true;
                if (effect(rule[i]) == Permit) {
                    potentialPermit = true;
                }
                continue;
            }
        }
        if (potentialPermit) {
            return Indeterminate;
        }
        if (atLeastOneDeny) {
            return Deny;
        }
        if (atLeastOneError) {
            return Indeterminate;
        }
        return NotApplicable;
    }
The following specification defines the "Permit-overrides" policy-combining algorithm of a policy set.

In the entire set of policies in the policy set, if any policy evaluates to Permit, then the result of the policy combination SHALL be Permit. In other words, Permit takes precedence, regardless of the result of evaluating any of the other policies in the policy set. If all policies are found to be NotApplicable to the decision request, then the policy set SHALL evaluate to NotApplicable.

If an error occurs while evaluating the target of a policy, a reference to a policy is considered invalid, or the policy evaluation results in Indeterminate, then the policy set SHALL evaluate to Indeterminate, with the appropriate error status, provided no other policies evaluate to Permit or Deny.
The following pseudo-code represents the evaluation strategy of this policy-combining algorithm.

    Decision permitOverridesPolicyCombiningAlgorithm(Policy policy[]) {
        Boolean atLeastOneError = false;
        Boolean atLeastOneDeny = false;
        for (i = 0; i < lengthOf(policy); i++) {
            Decision decision = evaluate(policy[i]);
            if (decision == Deny) {
                atLeastOneDeny = true;
                continue;
            }
            if (decision == Permit) {
                return Permit;
            }
            if (decision == NotApplicable) {
                continue;
            }
            if (decision == Indeterminate) {
                atLeastOneError = true;
                continue;
            }
        }
        if (atLeastOneDeny) {
            return Deny;
        }
        if (atLeastOneError) {
            return Indeterminate;
        }
        return NotApplicable;
    }

Obligations of the individual policies shall be combined as described in Section 7.11.
C.4 Ordered-permit-overrides (non-normative)

The following specification defines the "Ordered-permit-overrides" rule-combining algorithm of a policy.

The behavior of this algorithm is identical to that of the "Permit-overrides" rule-combining algorithm, with one exception: the order in which the collection of rules is evaluated SHALL match the order as listed in the policy.

The following specification defines the "Ordered-permit-overrides" policy-combining algorithm of a policy set.

The behavior of this algorithm is identical to that of the "Permit-overrides" policy-combining algorithm, with one exception: the order in which the collection of policies is evaluated SHALL match the order as listed in the policy set.

C.5 First-applicable

The following specification defines the "First-applicable" rule-combining algorithm of a policy.

Each rule SHALL be evaluated in the order in which it is listed in the policy. For a particular rule, if the target matches and the condition evaluates to True, then the evaluation of the policy SHALL halt and the corresponding effect of the rule SHALL be the result of the evaluation of the policy (i.e., Permit or Deny). For a particular rule selected in the evaluation, if the target evaluates to False or the condition evaluates to False, then the next rule in the order SHALL be evaluated. If no further rule in the order exists, then the policy SHALL evaluate to NotApplicable.

If an error occurs while evaluating the target or condition of a rule, then the evaluation SHALL halt, and the policy shall evaluate to Indeterminate, with the appropriate error status.
The following pseudo-code represents the evaluation strategy of this rule-combining algorithm.

    Decision firstApplicableEffectRuleCombiningAlgorithm(Rule rule[]) {
        for (i = 0; i < lengthOf(rule); i++) {
            Decision decision = evaluate(rule[i]);
            if (decision == Deny) {
                return Deny;
            }
            if (decision == Permit) {
                return Permit;
            }
            if (decision == NotApplicable) {
                continue;
            }
            if (decision == Indeterminate) {
                return Indeterminate;
            }
        }
        return NotApplicable;
    }
The following specification defines the "First-applicable" policy-combining algorithm of a policy set.

Each policy is evaluated in the order in which it appears in the policy set. For a particular policy, if the target evaluates to True and the policy evaluates to a determinate value of Permit or Deny, then the evaluation SHALL halt and the policy set SHALL evaluate to the effect value of that policy. For a particular policy, if the target evaluates to False or the policy evaluates to NotApplicable, then the next policy in the order SHALL be evaluated. If no further policy exists in the order, then the policy set SHALL evaluate to NotApplicable.

If an error were to occur when evaluating the target or when evaluating a specific policy, the reference to the policy is considered invalid, or the policy itself evaluates to Indeterminate, then the evaluation of the policy-combining algorithm shall halt and the policy set shall evaluate to Indeterminate, with an appropriate error status.

The following pseudo-code represents the evaluation strategy of this policy-combining algorithm.

    Decision firstApplicableEffectPolicyCombiningAlgorithm(Policy policy[]) {
        for (i = 0; i < lengthOf(policy); i++) {
            Decision decision = evaluate(policy[i]);
            if (decision == Deny) {
                return Deny;
            }
            if (decision == Permit) {
                return Permit;
            }
            if (decision == NotApplicable) {
                continue;
            }
            if (decision == Indeterminate) {
                return Indeterminate;
            }
        }
        return NotApplicable;
    }
Obligations of the individual policies shall be combined as described in Section 7.11.

C.6 Only-one-applicable

The following specification defines the "Only-one-applicable" policy-combining algorithm of a policy set.

In the entire set of policies in the policy set, if no policy is considered applicable by virtue of its target, then the result of the policy-combining algorithm SHALL be NotApplicable. If more than one policy is considered applicable by virtue of its target, then the result of the policy-combining algorithm SHALL be Indeterminate.

If only one policy is considered applicable by evaluation of the policy targets, then the result of the policy-combining algorithm SHALL be the result of evaluating that policy.

If an error occurs while evaluating the target of a policy, or a reference to a policy is considered invalid, or the policy evaluation results in Indeterminate, then the policy set SHALL evaluate to Indeterminate, with the appropriate error status.

The following pseudo-code represents the evaluation strategy of this policy-combining algorithm.

    Decision onlyOneApplicablePolicyPolicyCombiningAlgorithm(Policy policy[]) {
        Boolean atLeastOne = false;
        Policy selectedPolicy = null;
        ApplicableResult appResult;

        for (i = 0; i < lengthOf(policy); i++) {
            appResult = isApplicable(policy[i]);

            if (appResult == Indeterminate) {
                return Indeterminate;
            }
            if (appResult == Applicable) {
                if (atLeastOne) {
                    return Indeterminate;
                } else {
                    atLeastOne = true;
                    selectedPolicy = policy[i];
                }
            }
            if (appResult == NotApplicable) {
                continue;
            }
        }
        if (atLeastOne) {
            return evaluate(selectedPolicy);
        } else {
            return NotApplicable;
        }
    }
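The pseudo-code in C.1, C.3, C.5 and C.6 above is easiest to compare side by side when it is run against one request. The Python below is an added example, not the specification's own pseudo-code and not code from any XACML product; the Rule and Policy classes, the helper names, the flattened dictionary form of the request context and the sample data (rules OWNER_PERMIT and AFTER_HOURS_DENY, policies READ_POLICY and WRITE_POLICY, requests OFFICE_HOURS and NO_CLOCK) are all constructed for illustration, and the keys subject-id, action-id and current-time are plain dictionary keys here, not the Appendix B URNs. What it makes visible is how one unevaluable rule (a missing environment attribute, the situation B.9 reports as missing-attribute) turns into Indeterminate and then into different final decisions depending on the combining algorithm: deny-overrides at rule level yields Indeterminate because the failed rule could have denied, deny-overrides at policy-set level turns that Indeterminate into Deny (fail closed), permit-overrides at rule level still returns Permit because the Permit short-circuits, permit-overrides at policy-set level reports Indeterminate only when nothing else decided, and first-applicable depends purely on rule order.

```python
# XACML 1.1 Appendix C combining algorithms in Python. Added example: not the
# specification's pseudo-code nor any XACML product's code; the Rule/Policy
# classes, attribute names and sample data below are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, List

PERMIT, DENY, NA, IND = "Permit", "Deny", "NotApplicable", "Indeterminate"

@dataclass
class Rule:
    effect: str                        # declared Effect: PERMIT or DENY
    condition: Callable[[dict], bool]  # raising models a target/condition error

@dataclass
class Policy:
    target: Callable[[dict], bool]     # raising models a target error
    rules: List[Rule]
    rule_alg: Callable                 # one of the *_rules functions below

def eval_rule(rule, req):
    """A condition error (e.g. KeyError for a missing attribute) is Indeterminate."""
    try:
        return rule.effect if rule.condition(req) else NA
    except Exception:
        return IND

def _overrides_rules(rules, req, winner, loser):
    """Shared body of C.1 (winner=Deny) and C.3 (winner=Permit): the winner short-
    circuits; an Indeterminate rule whose Effect is the winner forces Indeterminate,
    because that rule might have produced the winning effect had it evaluated."""
    error = potential_winner = saw_loser = False
    for r in rules:
        d = eval_rule(r, req)
        if d == winner:
            return winner
        if d == loser:
            saw_loser = True
        elif d == IND:
            error = True
            potential_winner |= r.effect == winner
    if potential_winner:
        return IND
    return loser if saw_loser else IND if error else NA

def deny_overrides_rules(rules, req):
    return _overrides_rules(rules, req, DENY, PERMIT)

def permit_overrides_rules(rules, req):
    return _overrides_rules(rules, req, PERMIT, DENY)

def first_applicable_rules(rules, req):
    """C.5: rules in listed order; the first non-NotApplicable result (even an error) wins."""
    return next((d for d in (eval_rule(r, req) for r in rules) if d != NA), NA)

def eval_policy(p, req):
    """Target False -> NotApplicable; target error -> Indeterminate; else combine rules."""
    try:
        if not p.target(req):
            return NA
    except Exception:
        return IND
    return p.rule_alg(p.rules, req)

def deny_overrides_policies(policies, req):
    """C.1 policy-combining: any Indeterminate policy makes the set Deny (fail closed)."""
    decisions = [eval_policy(p, req) for p in policies]
    if DENY in decisions or IND in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NA

def permit_overrides_policies(policies, req):
    """C.3 policy-combining: Indeterminate surfaces only when no policy Permits or Denies."""
    decisions = [eval_policy(p, req) for p in policies]
    if PERMIT in decisions:
        return PERMIT
    return DENY if DENY in decisions else IND if IND in decisions else NA

def only_one_applicable(policies, req):
    """C.6: applicability is judged on targets alone; two matching targets, or a
    target that cannot be evaluated, give Indeterminate."""
    selected = None
    for p in policies:
        try:
            applicable = p.target(req)
        except Exception:
            return IND
        if applicable:
            if selected is not None:
                return IND
            selected = p
    return eval_policy(selected, req) if selected is not None else NA

# Constructed sample data; the attribute names are plain dictionary keys here.
OWNER_PERMIT = Rule(PERMIT, lambda r: r["subject-id"] == r["owner"])
AFTER_HOURS_DENY = Rule(DENY, lambda r: not ("09:00" <= r["current-time"] < "17:00"))
READ_POLICY = Policy(lambda r: r["action-id"] == "read", [OWNER_PERMIT, AFTER_HOURS_DENY], deny_overrides_rules)
WRITE_POLICY = Policy(lambda r: r["action-id"] == "write", [OWNER_PERMIT], permit_overrides_rules)
OFFICE_HOURS = {"action-id": "read", "subject-id": "alice", "owner": "alice", "current-time": "10:30"}
NO_CLOCK = {"action-id": "read", "subject-id": "alice", "owner": "alice"}  # current-time missing
```

With OFFICE_HOURS every algorithm permits Alice to read her own resource. With NO_CLOCK the after-hours rule raises on the missing attribute: deny_overrides_rules returns Indeterminate, permit_overrides_rules returns Permit, first_applicable_rules returns whichever of Indeterminate or Permit its first applicable rule yields, deny_overrides_policies over READ_POLICY and WRITE_POLICY returns Deny, and permit_overrides_policies returns Indeterminate. The policy-level functions evaluate every policy rather than short-circuiting as the pseudo-code does; the decision is the same, but obligations (Section 7.11) are not modelled here.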
Appendix D Acknowledgments

The following individuals contributed to the development of the specification:

Anne Anderson
Bill Parducci
Carlisle Adams
Daniel Engovatov
Don Flinn
Ernesto Damiani
Gerald Brose
Hal Lockhart
James MacLean
John Merrells
Ken Yagen
Konstantin Beznosov
Michiharu Kudo
Pierangela Samarati
Pirasenna Velandai Thiyagarajan
Polar Humenn
Satoshi Hada
Sekhar Vajjhala
Seth Proctor
Simon Godik
Steve Anderson
Steve Crocker
Suresh Damodaran
Tim Moses
Appendix E Revision history

Rev       Date          By whom                      What
OS V1.0   18 Feb 2003   XACML Technical Committee    OASIS Standard
Appendix F Notices

OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification, can be obtained from the OASIS Executive Director.

OASIS has been notified of intellectual property rights claimed in regard to some or all of the contents of this specification. For more information, consult the online list of claimed rights.

OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director.

Copyright (C) OASIS Open 2003. All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.