Policy Template Profile Examples

Note: this area supports the collaborative building of a Policy Template Profile. This profile is sponsored by http://www.tscp.org

Without using policy template

  1. TAA-1.1 (identifier: "urn:curtiss:ba:taa:taa-1.1")
    • Access rule in pseudo-English: Subjects from organization {Curtiss | Packard} who are {US | GB} nationals and who work on {DetailedDesign | Simulation} are permitted {any} access to documents whose topics cover "NavigationSystem"

    • Corresponding XACML policy
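    •  <Policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                PolicyId="urn:curtiss:ba:taa:taa-1.1"
                RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
        <!-- TAA-1.1 written out by hand (no template). Permit is reached only when the policy
             Target (resource Topics = "NavigationSystem"), the rule Target (action-id = "Any")
             and all three subject-claim membership tests in the Condition hold.
             xmlns:xsi is declared so the xsi:type attributes used below are namespace-bound;
             the Apply attribute is spelled FunctionId throughout (the XACML attribute name). -->
        <Description>Policy for Business Authorization category TAA-1.1</Description>
        <!-- Policy target. MustBePresent="true" turns a request that carries no resource Topics
             attribute into Indeterminate instead of NotApplicable, i.e. the policy fails closed. -->
        <Target>
          <AnyOf>
            <AllOf>
              <Match
               MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">NavigationSystem</AttributeValue>
                <AttributeDesignator
                 MustBePresent="true"
                 Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                 AttributeId="urn:curtiss:names:tc:xacml:1.0:resource:Topics"
                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </Match>
            </AllOf>
          </AnyOf>
        </Target>
        <Rule Effect="Permit">
          <Description />
          <!-- Rule target: the request's action-id must equal the literal "Any", which is how the
               "{any} access" of the pseudo-English rule is encoded. NOTE(review): this
               Actions/ActionMatch form is XACML 2.0 syntax while the policy Target above uses the
               3.0 AnyOf/AllOf/Match form; confirm which schema version the profile targets. -->
          <Target>
            <Actions>
              <Action>
                <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <ActionAttributeDesignator 
                    AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                    DataType="http://www.w3.org/2001/XMLSchema#string" />
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Any</AttributeValue>
                </ActionMatch>
              </Action>
            </Actions>
          </Target>
          <!-- Condition: conjunction of three tests, each true when at least one value of the
               literal bag appears among the subject's claim values for the named attribute.
               NOTE(review): the claim designators carry no Category or MustBePresent; both are
               required on a 3.0 AttributeDesignator, and with MustBePresent false a missing claim
               yields an empty bag (test false) rather than an error - confirm that is intended. -->
          <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
            <!-- OrganizationID claim must contain Curtiss or Packard -->
            <Apply xsi:type="AtLeastMemberOf" FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Curtiss</AttributeValue>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Packard</AttributeValue>
              </Apply>
              <AttributeDesignator AttributeId="http://schemas.tscp.org/2012-03/claims/OrganizationID" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </Apply>
            <!-- Nationality claim must contain US or GB -->
            <Apply xsi:type="AtLeastMemberOf" FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">US</AttributeValue>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GB</AttributeValue>
              </Apply>
              <AttributeDesignator AttributeId="http://schemas.tscp.org/2012-03/claims/Nationality" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </Apply>
            <!-- Work-Effort claim must contain DetailedDesign or Simulation -->
            <Apply xsi:type="AtLeastMemberOf" FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DetailedDesign</AttributeValue>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Simulation</AttributeValue>
              </Apply>
              <AttributeDesignator AttributeId="http://schemas.tscp.org/2012-03/claims/Work-Effort" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </Apply>
            <!-- A zero-argument "and" evaluates to true, so this Apply does not change the
                 result; kept as written - confirm it is intentional. -->
            <Apply xsi:type="AndFunction" FunctionId="urn:oasis:names:tc:xacml:1.0:function:and" />
          </Condition>
        </Rule>
      </Policy>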
       
  2. TAA-1.2 (identifier: "urn:curtiss:ba:taa:taa-1.2")
    • Access rule in pseudo-English: Subjects from organization {Curtiss | Spad} who are {US | FR} nationals and who work on {Integration | Simulation} are permitted {any} access to documents whose topics cover "Avionics"
    • Corresponding XACML policy
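    • <Policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               PolicyId="urn:curtiss:ba:taa:taa-1.2"
               RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
        <!-- TAA-1.2 written out by hand (no template). Same shape as TAA-1.1; the literal bags
             carry this category's values: organizations {Curtiss | Spad}, nationalities {US | FR},
             work efforts {Integration | Simulation}, resource Topics "Avionics".
             xmlns:xsi is declared so the xsi:type attributes used below are namespace-bound;
             the Apply attribute is spelled FunctionId throughout (the XACML attribute name). -->
        <Description>Policy for Business Authorization category TAA-1.2</Description>
        <!-- Policy target. MustBePresent="true" turns a request that carries no resource Topics
             attribute into Indeterminate instead of NotApplicable, i.e. the policy fails closed. -->
        <Target>
          <AnyOf>
            <AllOf>
              <Match
               MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Avionics</AttributeValue>
                <AttributeDesignator
                 MustBePresent="true"
                 Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                 AttributeId="urn:curtiss:names:tc:xacml:1.0:resource:Topics"
                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </Match>
            </AllOf>
          </AnyOf>
        </Target>
        <Rule Effect="Permit">
          <Description />
          <!-- Rule target: the request's action-id must equal the literal "Any" ("{any} access").
               NOTE(review): Actions/ActionMatch is XACML 2.0 syntax while the policy Target above
               uses the 3.0 AnyOf/AllOf/Match form; confirm which schema version the profile targets. -->
          <Target>
            <Actions>
              <Action>
                <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <ActionAttributeDesignator 
                    AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                    DataType="http://www.w3.org/2001/XMLSchema#string" />
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Any</AttributeValue>
                </ActionMatch>
              </Action>
            </Actions>
          </Target>
          <!-- Condition: conjunction of three membership tests against the subject's claims.
               The organization and nationality bags match the stated rule ({Curtiss | Spad},
               {US | FR}) and the TAA-1.2 template data below.
               NOTE(review): the claim designators carry no Category or MustBePresent; both are
               required on a 3.0 AttributeDesignator - confirm the intended schema version. -->
          <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
            <!-- OrganizationID claim must contain Curtiss or Spad -->
            <Apply xsi:type="AtLeastMemberOf" FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Curtiss</AttributeValue>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Spad</AttributeValue>
              </Apply>
              <AttributeDesignator AttributeId="http://schemas.tscp.org/2012-03/claims/OrganizationID" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </Apply>
            <!-- Nationality claim must contain US or FR -->
            <Apply xsi:type="AtLeastMemberOf" FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">US</AttributeValue>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">FR</AttributeValue>
              </Apply>
              <AttributeDesignator AttributeId="http://schemas.tscp.org/2012-03/claims/Nationality" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </Apply>
            <!-- Work-Effort claim must contain Integration or Simulation -->
            <Apply xsi:type="AtLeastMemberOf" FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Integration</AttributeValue>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Simulation</AttributeValue>
              </Apply>
              <AttributeDesignator AttributeId="http://schemas.tscp.org/2012-03/claims/Work-Effort" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </Apply>
            <!-- A zero-argument "and" evaluates to true, so this Apply does not change the
                 result; kept as written - confirm it is intentional. -->
            <Apply xsi:type="AndFunction" FunctionId="urn:oasis:names:tc:xacml:1.0:function:and" />
          </Condition>
        </Rule>
      </Policy>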

Using policy template

  1. Generic TAA Policy Template (identifier: "urn:us:ddtc:itar:taa")
    • Access rule in pseudo-English: Subjects from organization {param=organizations} who are {param=nationals} nationals and who work on {param=workEfforts} are permitted {any} access to resources

    • Corresponding Policy Template
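    • <Policy xmlns:pt="urn:policy-template-namespace"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               pt:type="template"
               pt:version="1.0"
               PolicyId="urn:us:ddtc:itar:taa"
               RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
        <!-- Generic TAA policy template (pt:type="template"). Every AttributeValue that carries a
             ParameterId is a placeholder with no content of its own: a template-data document
             (pt:type="data" with pt:TemplateId equal to this PolicyId) supplies one or more
             AttributeValue elements per ParameterId, and the reduced result is an ordinary XACML
             policy. Parameters used here: Topics (single value), organizations, nationals,
             workEfforts (each a bag). All DataType values are quoted; an unquoted attribute
             value is not well-formed XML. -->
        <Description>Policy for generic ITAR TAA</Description>
        <!-- Policy target: resource Topics must equal the value bound to parameter Topics.
             MustBePresent="true" makes a request without a Topics attribute Indeterminate. -->
        <Target>
          <AnyOf>
            <AllOf>
              <Match
               MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue ParameterId="Topics" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                <AttributeDesignator
                 MustBePresent="true"
                 Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                 AttributeId="urn:curtiss:names:tc:xacml:1.0:resource:Topics"
                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </Match>
            </AllOf>
          </AnyOf>
        </Target>
        <Rule Effect="Permit">
          <Description />
          <!-- Rule target: action-id must equal the literal "Any" ("{any} access"); this part is
               not parameterised. NOTE(review): Actions/ActionMatch is XACML 2.0 syntax while the
               policy Target above uses the 3.0 form; confirm the schema version the profile targets. -->
          <Target>
            <Actions>
              <Action>
                <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <ActionAttributeDesignator 
                    AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                    DataType="http://www.w3.org/2001/XMLSchema#string" />
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Any</AttributeValue>
                </ActionMatch>
              </Action>
            </Actions>
          </Target>
          <!-- Condition: each string-bag is filled from the data document's values for the named
               parameter; the subject's claim must share at least one value with each bag.
               NOTE(review): the claim designators carry no Category or MustBePresent; both are
               required on a 3.0 AttributeDesignator - confirm the intended schema version. -->
          <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
            <!-- OrganizationID claim vs. parameter organizations -->
            <Apply xsi:type="AtLeastMemberOf" FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                <AttributeValue ParameterId="organizations" DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </Apply>
              <AttributeDesignator AttributeId="http://schemas.tscp.org/2012-03/claims/OrganizationID" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </Apply>
            <!-- Nationality claim vs. parameter nationals -->
            <Apply xsi:type="AtLeastMemberOf" FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                <AttributeValue ParameterId="nationals" DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </Apply>
              <AttributeDesignator AttributeId="http://schemas.tscp.org/2012-03/claims/Nationality" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </Apply>
            <!-- Work-Effort claim vs. parameter workEfforts -->
            <Apply xsi:type="AtLeastMemberOf" FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                <AttributeValue ParameterId="workEfforts" DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </Apply>
              <AttributeDesignator AttributeId="http://schemas.tscp.org/2012-03/claims/Work-Effort" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </Apply>
            <!-- A zero-argument "and" evaluates to true and does not change the result;
                 kept as written - confirm it is intentional. -->
            <Apply xsi:type="AndFunction" FunctionId="urn:oasis:names:tc:xacml:1.0:function:and" />
          </Condition>
        </Rule>
      </Policy>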
  2. Policy Template Data TAA-1.1 (identifier: "urn:curtiss:ba:taa:taa-1.1")
    • The policy TAA-1.1 provides the parameter data which, together with the referenced policy template, produces the rule: Subjects from organization {Curtiss | Packard} who are {US | GB} nationals and who work on {DetailedDesign | Simulation} are permitted {any} access to documents whose topics cover "NavigationSystem"

    • Corresponding Policy Template Data representation:
    • <Policy xmlns:pt="urn:policy-template-namespace"
               pt:type="data"
               pt:TemplateId="urn:us:ddtc:itar:taa"
               PolicyId="urn:curtiss:ba:taa:taa-1.1">
        <!-- Template data for TAA-1.1: binds the four parameters of template
             urn:us:ddtc:itar:taa. Each Parameter holds the AttributeValue(s) that replace the
             placeholder with the same ParameterId; Topics is single-valued, the other three
             are bags. -->
        <Description>Policy instance TAA-1.1, that refers to ITAR-TAA policy-template</Description>
        <Parameters>
          <!-- resource Topics the policy applies to -->
          <Parameter ParameterId="Topics">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">NavigationSystem</AttributeValue>
          </Parameter>
          <!-- admitted OrganizationID claim values -->
          <Parameter ParameterId="organizations">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Curtiss</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Packard</AttributeValue>
          </Parameter>
          <!-- admitted Nationality claim values -->
          <Parameter ParameterId="nationals">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">US</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GB</AttributeValue>
          </Parameter>
          <!-- admitted Work-Effort claim values -->
          <Parameter ParameterId="workEfforts">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DetailedDesign</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Simulation</AttributeValue>
          </Parameter>
        </Parameters>
      </Policy>
  3. The above policy template rewritten as a regular XACML policy using attribute designators. (Note: I did this by hand, so it is not syntactically correct, but the intent should be clear.)
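    • <PolicySet xmlns:pt="urn:policy-template-namespace"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  pt:type="template"
                  pt:version="1.0"
                  PolicySetId="urn:us:ddtc:itar:taa"
                  PolicyCombiningAlgId="on-permit-apply-second">
        <!-- Hand-written sketch of the template as a PolicySet: the first Policy checks that the
             parameter value supplied as attribute "Topics" is among the resource's Topics values,
             and only when it permits is the second Policy (the subject-claim tests) applied -
             that is what the on-permit-apply-second combining algorithm expresses.
             The combining-algorithm and function identifiers are written in short form
             (on-permit-apply-second, string-is-in, string-one-and-only) rather than as their
             full urn:oasis:names:tc:xacml:... identifiers; both inner Policy elements omit the
             PolicyId and RuleCombiningAlgId that XACML requires. Attribute values are quoted and
             the identifying attribute of a PolicySet is PolicySetId. -->
        <Description>Policy for generic ITAR TAA</Description>
        <!-- Gate policy: Topics parameter (one value) must be a member of the resource Topics bag. -->
        <Policy>
          <Rule Effect="Permit">
            <Condition>
              <Apply FunctionId="string-is-in">
                <Apply FunctionId="string-one-and-only"><AttributeDesignator AttributeId="Topics"/></Apply>
                <AttributeDesignator
                 MustBePresent="true"
                 Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                 AttributeId="urn:curtiss:names:tc:xacml:1.0:resource:Topics"
                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </Apply>
            </Condition>
          </Rule>
        </Policy>
      
        <!-- Subject policy: applied only after the gate policy permits. -->
        <Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
          <Rule Effect="Permit">
            <Description />
            <!-- action-id must equal the literal "Any" ("{any} access") -->
            <Target>
              <Actions>
                <Action>
                  <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <ActionAttributeDesignator 
                      AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                      DataType="http://www.w3.org/2001/XMLSchema#string" />
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Any</AttributeValue>
                  </ActionMatch>
                </Action>
              </Actions>
            </Target>
            <!-- The three parameterised bags are still placeholders here (ParameterId); in the
                 designator-based rewrite they would presumably become AttributeDesignators like
                 the Topics one above - confirm. -->
            <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
              <Apply xsi:type="AtLeastMemberOf" FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                  <AttributeValue ParameterId="organizations" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                </Apply>
                <AttributeDesignator AttributeId="http://schemas.tscp.org/2012-03/claims/OrganizationID" DataType="http://www.w3.org/2001/XMLSchema#string" />
              </Apply>
              <Apply xsi:type="AtLeastMemberOf" FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                  <AttributeValue ParameterId="nationals" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                </Apply>
                <AttributeDesignator AttributeId="http://schemas.tscp.org/2012-03/claims/Nationality" DataType="http://www.w3.org/2001/XMLSchema#string" />
              </Apply>
              <Apply xsi:type="AtLeastMemberOf" FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                  <AttributeValue ParameterId="workEfforts" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                </Apply>
                <AttributeDesignator AttributeId="http://schemas.tscp.org/2012-03/claims/Work-Effort" DataType="http://www.w3.org/2001/XMLSchema#string" />
              </Apply>
              <!-- zero-argument "and" is true; no effect on the result -->
              <Apply xsi:type="AndFunction" FunctionId="urn:oasis:names:tc:xacml:1.0:function:and" />
            </Condition>
          </Rule>
        </Policy>
      </PolicySet>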
  4. Policy Template Data TAA-1.2 (identifier: "urn:curtiss:ba:taa:taa-1.2")
    • The policy TAA-1.2 provides the parameter data which, together with the referenced policy template, produces the rule: Subjects from organization {Curtiss | Spad} who are {US | FR} nationals and who work on {Integration | Simulation} are permitted {any} access to documents whose topics cover "Avionics"

    • Corresponding Policy Template Data representation:
    • <Policy xmlns:pt="urn:policy-template-namespace"
               pt:type="data"
               pt:TemplateId="urn:us:ddtc:itar:taa"
               PolicyId="urn:curtiss:ba:taa:taa-1.2">
        <!-- Template data for TAA-1.2: binds the four parameters of template
             urn:us:ddtc:itar:taa. Each Parameter holds the AttributeValue(s) that replace the
             placeholder with the same ParameterId; Topics is single-valued, the other three
             are bags. -->
        <Description>Policy instance TAA-1.2, that refers to ITAR-TAA policy-template</Description>
        <Parameters>
          <!-- resource Topics the policy applies to -->
          <Parameter ParameterId="Topics">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Avionics</AttributeValue>
          </Parameter>
          <!-- admitted OrganizationID claim values -->
          <Parameter ParameterId="organizations">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Curtiss</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Spad</AttributeValue>
          </Parameter>
          <!-- admitted Nationality claim values -->
          <Parameter ParameterId="nationals">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">US</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">FR</AttributeValue>
          </Parameter>
          <!-- admitted Work-Effort claim values -->
          <Parameter ParameterId="workEfforts">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Integration</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Simulation</AttributeValue>
          </Parameter>
        </Parameters>
      </Policy>
  5. TAA-1.1 (identifier: "urn:curtiss:ba:taa:taa-1.1"), resulting from the reduction of the template (templateId: "urn:curtiss:ba:taa:taa", version: "1.0") with the data (identifier: "urn:curtiss:ba:taa:taa-1.2")
    • Access rule in pseudo-English: Subjects from organization {Curtiss | Packard} who are {US | GB} nationals and who work on {DetailedDesign | Simulation} are permitted {any} access to documents whose topics cover "NavigationSystem"

    • Corresponding policy template instance
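    •  <Policy xmlns:pt="urn:policy-template-namespace"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                pt:type="instance"
                pt:TemplateId="urn:us:ddtc:itar:taa"
                pt:version="1.0"
                PolicyId="urn:curtiss:ba:taa:taa-1.1"
                RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
        <!-- TAA-1.1 as a reduced template instance (pt:type="instance"): the template
             urn:us:ddtc:itar:taa with every ParameterId placeholder replaced by the values of the
             TAA-1.1 data document. Apart from the pt:* attributes it is the same policy as the
             hand-written TAA-1.1 above. NOTE(review): the heading for this item cites template
             "urn:curtiss:ba:taa:taa" and data "...taa-1.2", while the attributes here and the
             TAA-1.1 data document carry TemplateId urn:us:ddtc:itar:taa and PolicyId
             urn:curtiss:ba:taa:taa-1.1 - one of the two should be corrected.
             xmlns:xsi is declared so the xsi:type attributes are namespace-bound; the Apply
             attribute is spelled FunctionId throughout (the XACML attribute name). -->
        <Description>Policy for Business Authorization category TAA-1.1</Description>
        <!-- Policy target (from parameter Topics). MustBePresent="true" makes a request without a
             resource Topics attribute Indeterminate instead of NotApplicable (fail closed). -->
        <Target>
          <AnyOf>
            <AllOf>
              <Match
               MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">NavigationSystem</AttributeValue>
                <AttributeDesignator
                 MustBePresent="true"
                 Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                 AttributeId="urn:curtiss:names:tc:xacml:1.0:resource:Topics"
                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </Match>
            </AllOf>
          </AnyOf>
        </Target>
        <Rule Effect="Permit">
          <Description />
          <!-- Rule target: action-id must equal the literal "Any" ("{any} access").
               NOTE(review): Actions/ActionMatch is XACML 2.0 syntax while the policy Target above
               uses the 3.0 AnyOf/AllOf/Match form; confirm which schema version the profile targets. -->
          <Target>
            <Actions>
              <Action>
                <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <ActionAttributeDesignator 
                    AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                    DataType="http://www.w3.org/2001/XMLSchema#string" />
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Any</AttributeValue>
                </ActionMatch>
              </Action>
            </Actions>
          </Target>
          <!-- Condition: the three bags are the reduced organizations, nationals and workEfforts
               parameters; the subject's claim must share at least one value with each.
               NOTE(review): the claim designators carry no Category or MustBePresent; both are
               required on a 3.0 AttributeDesignator - confirm the intended schema version. -->
          <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
            <!-- OrganizationID claim must contain Curtiss or Packard -->
            <Apply xsi:type="AtLeastMemberOf" FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Curtiss</AttributeValue>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Packard</AttributeValue>
              </Apply>
              <AttributeDesignator AttributeId="http://schemas.tscp.org/2012-03/claims/OrganizationID" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </Apply>
            <!-- Nationality claim must contain US or GB -->
            <Apply xsi:type="AtLeastMemberOf" FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">US</AttributeValue>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GB</AttributeValue>
              </Apply>
              <AttributeDesignator AttributeId="http://schemas.tscp.org/2012-03/claims/Nationality" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </Apply>
            <!-- Work-Effort claim must contain DetailedDesign or Simulation -->
            <Apply xsi:type="AtLeastMemberOf" FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DetailedDesign</AttributeValue>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Simulation</AttributeValue>
              </Apply>
              <AttributeDesignator AttributeId="http://schemas.tscp.org/2012-03/claims/Work-Effort" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </Apply>
            <!-- A zero-argument "and" evaluates to true, so this Apply does not change the
                 result; kept as written - confirm it is intentional. -->
            <Apply xsi:type="AndFunction" FunctionId="urn:oasis:names:tc:xacml:1.0:function:and" />
          </Condition>
        </Rule>
      </Policy>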
       
