IID312Policy.xml 8.16 KB
Newer Older
1 2 3 4 5 6
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" 
		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
		PolicyId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID312:policy" 
		RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:ordered-permit-overrides" 
		Version="1.0" 
7
		>
8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137
    <Description>
        Policy for Conformance Test IID312.
        Purpose: Case: Permit: RuleCombiningAlgorithm Ordered PermitOverrides
        This test in conjunction with IID311 demonstrates that the ordered-permit-overrides at the Rule level takes the first rule that matches.
    </Description>
    <Target/>
    <Rule Effect="Deny" RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID009:rule1">
        <Description>
            A subject whose name is J. Hibbert may not
            read Bart Simpson's medical record.  NOTAPPLICABLE
        </Description>
        <Target>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">J. Hibbert</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
                    </Match>
                </AllOf>
            </AnyOf>
        </Target>
    </Rule>
    
   	<!--  Order (position in this file) of this policy is different than in IID312 - this one comes first, so its Obligations should be seen in Response -->
    <Rule Effect="Permit" RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID312:rule5">
        <Description>
            A subject who is at least 5 years older than Bart
            Simpson may read Bart Simpson's medical record. PERMIT.
        </Description>
        <Condition>
		  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-subtract">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
                    <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
                </Apply>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
                    <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:bart-simpson-age" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
                </Apply>
            </Apply>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">5</AttributeValue>
		  </Apply>
        </Condition>
    	<ObligationExpressions>
	        <ObligationExpression FulfillOn="Permit" ObligationId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID312:obligation-2">
	            <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID312:assignment2">
	                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">assignment2</AttributeValue>
	            </AttributeAssignmentExpression>
	        </ObligationExpression>
        </ObligationExpressions>
        <AdviceExpressions>
	        <AdviceExpression AppliesTo="Permit" AdviceId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID312:Advice-2">
	            <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID312:assignment2">
	                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">assignment1</AttributeValue>
	            </AttributeAssignmentExpression>
	        </AdviceExpression>
	    </AdviceExpressions>
    </Rule> 
    
    
    
    
    
    <Rule Effect="Permit" RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID312:rule2">
        <Description>
            A subject who is at least 5 years older than Bart
            Simpson may read Bart Simpson's medical record. PERMIT.
        </Description>
        <Condition>
		  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-subtract">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
                    <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
                </Apply>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
                    <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:bart-simpson-age" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
                </Apply>
            </Apply>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">5</AttributeValue>
		  </Apply>
        </Condition>
    	<ObligationExpressions>
	        <ObligationExpression FulfillOn="Permit" ObligationId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID312:obligation-1">
	            <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID312:assignment1">
	                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">assignment1</AttributeValue>
	            </AttributeAssignmentExpression>
	        </ObligationExpression>
        </ObligationExpressions>
        <AdviceExpressions>
	        <AdviceExpression AppliesTo="Permit" AdviceId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID312:Advice-1">
	            <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID312:assignment1">
	                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">assignment1</AttributeValue>
	            </AttributeAssignmentExpression>
	        </AdviceExpression>
	    </AdviceExpressions>
    </Rule>
    
    <Rule Effect="Deny" RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID312:rule3">
        <Description>
            A subject whose "bogus" attribute is "Zaphod Beedlebrox" may not
            read Bart Simpson's medical record.  INDETERMINATE.
        </Description>
        <Condition>
		  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:bogus" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
            </Apply>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Zaphod Beedlebrox</AttributeValue>
		  </Apply>
        </Condition>
    </Rule>
    
    <Rule Effect="Deny" RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID312:rule4">
        <Description>
            A subject whose name is Julius Hibbert
            may not read Bart Simpson's medical record. DENY.
        </Description>
        <Target>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Julius Hibbert</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
                    </Match>
                </AllOf>
            </AnyOf>
        </Target>
    </Rule>
    
    
</Policy>