
This space has moved to IU's Confluence.
It is located at https://uisapp2.iu.edu/confluence-prd/display/iulV3/


Writing Policy Rules

Choose the rule's Effect: Permit or Deny. A rule only produces its Effect when its Target matches and its Condition (if it has one) evaluates to true; otherwise the rule is NotApplicable, and the policy's rule-combining algorithm decides what the policy as a whole returns. If no rule applies, the result is NotApplicable rather than Deny, so write an explicit Deny rule when you need a guaranteed denial.

Pick the Target of the rule (Subject, Resource, Action). The Target is what the PDP checks first. Each of the blocks below goes inside the corresponding <Subjects>, <Resources> or <Actions> wrapper of the rule's <Target>. Several *Match elements inside one <Subject>, <Resource> or <Action> must all match (AND); several <Subject>, <Resource> or <Action> elements inside the same wrapper are alternatives (OR). A category you do not want to constrain takes <AnySubject/>, <AnyResource/> or <AnyAction/> instead. The *AttributeDesignator returns a bag of every value the request carries for that AttributeId, and the MatchId function is applied to the AttributeValue and each value in the bag, so the match succeeds if any value matches.

  • Subject
    • To match an individual use something similar to the following block:
      <Subject>
        <SubjectMatch 
            MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal">
          <AttributeValue 
              DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
            dmlserv@localhost
          </AttributeValue>
          <SubjectAttributeDesignator 
                DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"
                AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
           />
        </SubjectMatch>
      </Subject>
      
    • To match a group use something similar to the following block:
      <Subject>
        <SubjectMatch 
            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <AttributeValue 
              DataType="http://www.w3.org/2001/XMLSchema#string">
            IU/Group/Digitizers
          </AttributeValue>
          <SubjectAttributeDesignator 
              DataType="http://www.w3.org/2001/XMLSchema#string" 
              AttributeId="urn:variations2:group-id"
           />
        </SubjectMatch>
      </Subject>
    • To match a client IP address use something similar to the following block. The address is whatever the calling application passed to the PDP, not an authenticated identity, so use it as an additional constraint alongside a subject or group match rather than as the sole basis for a Permit:
      <Subject>
        <SubjectMatch 
            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 
          <AttributeValue 
              DataType="http://www.w3.org/2001/XMLSchema#string">
            192.168.0.1
          </AttributeValue>
          <SubjectAttributeDesignator 
              DataType="http://www.w3.org/2001/XMLSchema#string" 
              AttributeId="urn:variations2:client-ip-address"
           />
        </SubjectMatch>
      </Subject>
  • Resource
    • To match a resource use something similar to the following block:
      <Resource>
        <ResourceMatch 
            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue 
              DataType="http://www.w3.org/2001/XMLSchema#string">
            IU/Container/34075
          </AttributeValue>
          <ResourceAttributeDesignator 
              DataType="http://www.w3.org/2001/XMLSchema#string" 
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
           />
        </ResourceMatch>
      </Resource> 
    • To match a resource type use something similar to the following block:
      <Resource>
        <ResourceMatch 
            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue 
              DataType="http://www.w3.org/2001/XMLSchema#string">
            Container
          </AttributeValue>
          <ResourceAttributeDesignator 
              DataType="http://www.w3.org/2001/XMLSchema#string" 
              AttributeId="urn:variations2:resource-type"
           />
        </ResourceMatch>
      </Resource> 
    • To match a resource repository use something similar to the following block:
      <Resource>
        <ResourceMatch 
            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue 
              DataType="http://www.w3.org/2001/XMLSchema#string">
            IU
          </AttributeValue>
          <ResourceAttributeDesignator 
              DataType="http://www.w3.org/2001/XMLSchema#string" 
              AttributeId="urn:variations2:resource-repository"
           />
        </ResourceMatch>
      </Resource> 
    • To match a resource creator use something similar to the following block:
      <Resource>
        <ResourceMatch 
            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue 
              DataType="http://www.w3.org/2001/XMLSchema#string">
            dmluser@indiana.edu
          </AttributeValue>
          <ResourceAttributeDesignator 
              DataType="http://www.w3.org/2001/XMLSchema#string" 
              AttributeId="urn:variations2:resource-creator"
           />
        </ResourceMatch>
      </Resource> 
    • To match a resource that is public domain use something similar to the following block:
      <Resource>
        <ResourceMatch 
            MatchId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
          <AttributeValue 
              DataType="http://www.w3.org/2001/XMLSchema#boolean">
            true
          </AttributeValue>
          <ResourceAttributeDesignator 
              DataType="http://www.w3.org/2001/XMLSchema#boolean" 
              AttributeId="urn:variations2:is-public-domain"
           />
        </ResourceMatch>
      </Resource> 
    • To match a resource holding status use something similar to the following block:
      <Resource>
        <ResourceMatch 
            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue 
              DataType="http://www.w3.org/2001/XMLSchema#string">
            Publicly available
          </AttributeValue>
          <ResourceAttributeDesignator 
              DataType="http://www.w3.org/2001/XMLSchema#string" 
              AttributeId="urn:variations2:holding-status"
           />
        </ResourceMatch>
      </Resource> 
    • To match a resource location use something similar to the following block:
      <Resource>
        <ResourceMatch 
            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue 
              DataType="http://www.w3.org/2001/XMLSchema#string">
            Personal Collection
          </AttributeValue>
          <ResourceAttributeDesignator 
              DataType="http://www.w3.org/2001/XMLSchema#string" 
              AttributeId="urn:variations2:resource-location"
           />
        </ResourceMatch>
      </Resource> 
  • Action
    • To match an action use something similar to the following block:
      <Action>
        <ActionMatch 
            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue 
              DataType="http://www.w3.org/2001/XMLSchema#string">
            CREATE_METADATA
          </AttributeValue>
          <ActionAttributeDesignator 
              DataType="http://www.w3.org/2001/XMLSchema#string" 
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
           />
        </ActionMatch>
      </Action>

Write the condition clause

The Condition tag specifies the outermost function used to decide whether a rule whose Target already matched actually applies. The function must return a boolean: true means the rule yields its Effect, false means the rule is NotApplicable, and an evaluation error (for example a type mismatch, or a missing attribute passed to string-one-and-only) makes the rule Indeterminate. Enclosed Apply tags, each with their own function, can be nested arbitrarily deep inside the Condition tag. Use SubjectAttributeDesignators, ResourceAttributeDesignators, and ActionAttributeDesignators to pull values out of the request as arguments to these functions. A designator always yields a bag, so pass it through string-one-and-only before a function such as string-equal that expects a single string, or use string-is-in or any-of, which take the bag directly. Look above at the example rules for more ideas.

The functions that are most useful include (argument types in parentheses):

  • Logic Functions
    • urn:oasis:names:tc:xacml:1.0:function:or (zero or more booleans; false when given none)
    • urn:oasis:names:tc:xacml:1.0:function:and (zero or more booleans; true when given none)
    • urn:oasis:names:tc:xacml:1.0:function:not (one boolean)
  • RFC822Name (Email address)
    • urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal (two rfc822Name values)
  • String Functions
    • urn:oasis:names:tc:xacml:1.0:function:string-equal (two strings)
    • urn:oasis:names:tc:xacml:1.0:function:string-is-in (a string and a bag of strings; true if the bag contains the string)
    • urn:oasis:names:tc:xacml:1.0:function:string-one-and-only (a bag of strings; returns its single element, Indeterminate if the bag is empty or has more than one)
    • urn:oasis:names:tc:xacml:1.0:function:string-bag (zero or more strings; returns them as a bag)
    • urn:oasis:names:tc:xacml:1.0:function:regexp-string-match (a regular expression, then the string to test)
  • Misc
    • urn:oasis:names:tc:xacml:1.0:function:any-of (a Function element naming a two-argument boolean function, a single value, and a bag; true if the function is true for the value and any element of the bag)
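
Putting the steps above together, the following is a complete XACML 1.0 Rule. It is added here as a worked illustration and is not taken from the Variations2 access policy file. It reuses the attribute identifiers and values shown on this page; the RuleId, the Description text and the regular expression are made up for the example. The rule permits members of IU/Group/Digitizers to run CREATE_METADATA on Container resources in the IU repository, but only for holdings that are not yet "Publicly available" and whose recorded creator has an indiana.edu address.

```xml
<!-- Added example, not from the Variations2 policy file. RuleId is assumed. -->
<Rule RuleId="urn:variations2:example:digitizers-create-metadata" Effect="Permit">
  <Description>
    Digitizers may create metadata for IU containers that are not yet
    publicly available and were created by an indiana.edu user.
  </Description>

  <Target>
    <Subjects>
      <Subject>
        <!-- group-id is multi-valued; Target matching applies string-equal to
             each value in the bag, so a member of several groups still matches -->
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">IU/Group/Digitizers</AttributeValue>
          <SubjectAttributeDesignator
              DataType="http://www.w3.org/2001/XMLSchema#string"
              AttributeId="urn:variations2:group-id"/>
        </SubjectMatch>
      </Subject>
    </Subjects>

    <Resources>
      <Resource>
        <!-- two ResourceMatch elements in one Resource: both must match (AND) -->
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Container</AttributeValue>
          <ResourceAttributeDesignator
              DataType="http://www.w3.org/2001/XMLSchema#string"
              AttributeId="urn:variations2:resource-type"/>
        </ResourceMatch>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">IU</AttributeValue>
          <ResourceAttributeDesignator
              DataType="http://www.w3.org/2001/XMLSchema#string"
              AttributeId="urn:variations2:resource-repository"/>
        </ResourceMatch>
      </Resource>
    </Resources>

    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CREATE_METADATA</AttributeValue>
          <ActionAttributeDesignator
              DataType="http://www.w3.org/2001/XMLSchema#string"
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>

  <!-- In XACML 1.0 the Condition element itself carries the outermost FunctionId -->
  <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">

    <!-- (1) holding-status is not "Publicly available".
         any-of takes the designator's bag directly: an empty bag simply
         yields false, so a missing attribute does not make the rule Indeterminate -->
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Publicly available</AttributeValue>
        <ResourceAttributeDesignator
            DataType="http://www.w3.org/2001/XMLSchema#string"
            AttributeId="urn:variations2:holding-status"/>
      </Apply>
    </Apply>

    <!-- (2) resource-creator ends in @indiana.edu.
         regexp-string-match wants a single string, so the bag is reduced with
         string-one-and-only; if the creator is absent or multi-valued this
         branch errors and the whole rule becomes Indeterminate -->
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^[^@]+@indiana\.edu$</AttributeValue>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
        <ResourceAttributeDesignator
            DataType="http://www.w3.org/2001/XMLSchema#string"
            AttributeId="urn:variations2:resource-creator"/>
      </Apply>
    </Apply>

  </Condition>
</Rule>
```

The Rule must sit inside a Policy element whose RuleCombiningAlgId decides how this Permit combines with any Deny rules in the same policy. The two Condition branches deliberately show both ways of handling a bag: any-of is the safer choice when the attribute may be missing from the request, while string-one-and-only is appropriate when the attribute is guaranteed to be present exactly once and you want a missing or duplicated value to surface as Indeterminate rather than silently pass.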