IIF311Policy.xml 4.01 KB
Newer Older
1 2 3 4 5 6
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" 
		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
		PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" 
		PolicySetId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIF311:policyset" 
		Version="1.0" 
7
		
8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71
		MaxDelegationDepth="3">
    <Description>
        PolicySet for Conformance Test IIF311.
        Purpose: new 3.0 feature: MaxDelegationDepth on PolicySet
        There is nothing the Core functions can do with this attribute and no way to extract it to include in a Response,
        so all this test does is verify that it is accepted an attribute on the PolicySet.
        (The inclusion of the attribute is optional, but it is not clear whether the feature of being able to receive that value is mandatory or optional.)
    </Description>
    <Target/>
    
    <Policy PolicyId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIF311:policy1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
        <Description>
            Policy1 for Conformance Test IIF311.
        </Description>
        <Target/>
        
        <Rule Effect="Deny" RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIF311:rule1">
            <Description>
                A subject whose name is J. Hibbert may not
                read Bart Simpson's medical record.  NOTAPPLICABLE
            </Description>
            <Target>
                <AnyOf>
                    <AllOf>
                        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">J. Hibbert</AttributeValue>
                            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
                        </Match>
                    </AllOf>
                </AnyOf>
            </Target>
        </Rule>
        
    </Policy>
    
    <Policy PolicyId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIF311:policy2" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
        <Description>
            Policy2 for Conformance Test IIF311.
        </Description>
        <Target/>
        
        <Rule Effect="Permit" RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIF311:rule2">
            <Description>
                A subject who is at least 5 years older than Bart
                Simpson may read Bart Simpson's medical record. PERMIT.
            </Description>
            <Condition>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-subtract">
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
                            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
                        </Apply>
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
                            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:bart-simpson-age" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
                        </Apply>
                    </Apply>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">5</AttributeValue>
                </Apply>
            </Condition>
        </Rule>
        
    </Policy>
    
</PolicySet>