[Attempto] ACE for XACML?

Brad Cox bradjcox at gmail.com
Mon Nov 15 12:57:04 CET 2010


Thanks ever so much Kaarel. That got me on the right road and right
into the next pile of issues. Hope you can help.

Here is my first crack at parsing XACML policy into ACE. It's not
correct yet, shown mainly to show the kind of issues I'm facing.

First question is whether ACE has anything that works like parentheses
in Java for disambiguating all those embedded ands and ors. If not,
how should I handle this? My prior version handled this with
parentheses, temporarily removed to get closer to valid ACE.

/*Rule View5thFleetHomePage*/
if the  url is "@urlprefix@/demo/Fifth-Fleet" then
if  the countryofcitizenship  is "US"  and  the organizationid  is in
 {"USN" , "USMC" }  and  the dutyoccupationalcode  is in   {"2101" ,
"2201" , "2207" , "2206" , "2803" , "2301" , "2302" , "2303" , "0302"
, "0326" , "0342" , "0319" , "0345" , "2801" , "1494" , "2821" ,
"5974" }  and  not ( the paygrade  is in   {"E1" , "E2" , "E3" , "E4"
, "E5" , "E6" } )  and  the personnelcategorycode  is in   {"A" , "C"
}  and "Country Yellow"  is in  the geographicsubregion  or "Fifth
Fleet"  is in  the geographicsubregion  and "CTF 153"  is in  the
extendedgroup  or "Fifth Fleet"  is in  the extendedgroup  or "Second
Fleet"  is in  the extendedgroup  or "Third Fleet"  is in  the
extendedgroup  or "Fourth Fleet"  is in  the extendedgroup  or "Sixth
Fleet"  is in  the extendedgroup  or "Seventh Fleet"  is in  the
extendedgroup  or "CSG1"  is in  the extendedgroup  or "CSG2"  is in
the extendedgroup
then the response's decision is Permit.

Next question isn't clear in this example (because I stripped most of
it to get this far). XACML uses about a hundred functions for doing
standard operations on strings, integers, bags, sets, etc. Is there a
way to call a Java function from ACE? If not, I'd need to find a way
to spell out each function's internals in ACE which would really hurt
readability. As one example, the one-and-only function surrounds most
of the attribute references in this example; i.e. the above should
really read one-and-only(countryofcitizenship) and so forth for every
instance. Even rephrasing one-and-only as "sole", that gets pretty
unwieldy; i.e. "if the sole countryofcitizenship is "US"...", and
doesn't address what to do with the other 99 XACML functions.

Also do C-style comments work as shown above? Guesswork...

On Sun, Nov 14, 2010 at 6:36 PM, Kaarel Kaljurand <kaljurand at gmail.com> wrote:
> I don't know much about XACML, but people have used OWL before
> to work with XACML so maybe this is the way to go and the ACE->OWL
> mapping can be used.
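The grouping problem raised above comes from flattening: an XACML Condition is an explicit tree of nested Apply elements, so the and/or grouping is never ambiguous in the XML, only in a flat rendering of it. The following is an added example, not code from this thread or from the Attempto project, that builds two constructed Condition fragments with the same three tests but different grouping, renders each with and without parentheses (a pseudo-ACE rendering only, since whether ACE accepts parentheses is exactly the open question), and evaluates both against a constructed request to show that the flat text is identical while the access decisions differ. It also carries the one-and-only semantics through: a multi-valued attribute yields Indeterminate rather than a silently chosen value. The function ids and element names are the standard XACML ones; the attribute ids, the request, and the helper function names (apply, parse, render, evaluate, decide, texts) are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# XACML 3.0 namespace, standard function-id prefix and subject category (real identifiers).
NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
F = "urn:oasis:names:tc:xacml:1.0:function:"
XS = "http://www.w3.org/2001/XMLSchema#"
SUBJ = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"

# Builders for constructed sample fragments (test data, not anyone's real policy).
def apply(fn, *kids):
    return f'<Apply FunctionId="{F}{fn}">' + "".join(kids) + "</Apply>"

def value(s):
    return f'<AttributeValue DataType="{XS}string">{s}</AttributeValue>'

def attr(aid):
    return (f'<AttributeDesignator Category="{SUBJ}" AttributeId="{aid}" '
            f'DataType="{XS}string" MustBePresent="false"/>')

def condition(body):
    return f'<Condition xmlns="{NS}">{body}</Condition>'

def parse(node):
    """XACML element -> (kind, payload) AST; the Apply nesting is kept as-is."""
    tag = node.tag.split("}")[-1]
    if tag == "Condition":
        return parse(node[0])
    if tag == "Apply":
        return (node.get("FunctionId").rsplit(":", 1)[1], [parse(c) for c in node])
    if tag == "AttributeValue":
        return ("value", node.text)
    if tag == "AttributeDesignator":
        return ("attr", node.get("AttributeId"))
    raise ValueError(f"unsupported element {tag}")

def render(ast, parens=True):
    """English-like pseudo-ACE rendering; parens=False flattens the grouping."""
    kind, arg = ast
    if kind == "value":
        return f'"{arg}"'
    if kind == "attr":
        return f"the {arg}"
    if kind.endswith("-one-and-only") and arg[0][0] == "attr":
        return f"the sole {arg[0][1]}"          # the "sole" spelling proposed in the post
    if kind.endswith("-bag"):
        return "{" + ", ".join(render(a, parens) for a in arg) + "}"
    if kind.endswith("-equal"):
        return f"{render(arg[0], parens)} is {render(arg[1], parens)}"
    if kind.endswith("-is-in"):
        return f"{render(arg[0], parens)} is in {render(arg[1], parens)}"
    if kind in ("and", "or"):
        body = f" {kind} ".join(render(a, parens) for a in arg)
        return f"({body})" if parens else body
    if kind == "not":
        body = render(arg[0], parens)
        return f"not ({body})" if parens else f"not {body}"
    return f"{kind}({', '.join(render(a, parens) for a in arg)})"

def evaluate(ast, request):
    """Evaluate over a request context {attribute-id: [string, ...]}.
    Designators yield bags; one-and-only on a bag of size != 1 is an error."""
    kind, arg = ast
    ev = lambda a: evaluate(a, request)
    if kind == "value":
        return arg
    if kind == "attr":
        return list(request.get(arg, []))
    if kind.endswith("-bag"):
        return [ev(a) for a in arg]
    if kind.endswith("-one-and-only"):
        bag = ev(arg[0])
        if len(bag) != 1:
            raise ValueError(f"one-and-only: bag of size {len(bag)}")
        return bag[0]
    if kind.endswith("-equal"):
        return ev(arg[0]) == ev(arg[1])
    if kind.endswith("-is-in"):
        return ev(arg[0]) in ev(arg[1])
    if kind == "and":
        return all(ev(a) for a in arg)
    if kind == "or":
        return any(ev(a) for a in arg)
    if kind == "not":
        return not ev(arg[0])
    raise ValueError(f"unsupported function {kind}")

def decide(condition_xml, request):
    """Decision of a single Permit rule; an evaluation error is Indeterminate."""
    try:
        return "Permit" if evaluate(parse(ET.fromstring(condition_xml)), request) else "NotApplicable"
    except ValueError:
        return "Indeterminate"

def texts(condition_xml):
    """(grouped, flat) renderings of a Condition."""
    ast = parse(ET.fromstring(condition_xml))
    return render(ast), render(ast, parens=False)

# Three constructed tests in the shape of the post's rule.
P = apply("string-equal", apply("string-one-and-only", attr("countryofcitizenship")), value("US"))
Q = apply("not", apply("string-is-in", apply("string-one-and-only", attr("paygrade")),
                       apply("string-bag", value("E1"), value("E2"), value("E3"))))
R = apply("string-is-in", value("Fifth Fleet"), attr("extendedgroup"))

OR_OF_AND = condition(apply("or", apply("and", P, Q), R))   # (P and Q) or R
AND_OF_OR = condition(apply("and", P, apply("or", Q, R)))   # P and (Q or R)

# Constructed request: a non-US citizen who is in the Fifth Fleet group.
REQUEST = {"countryofcitizenship": ["CA"], "paygrade": ["E7"], "extendedgroup": ["Fifth Fleet"]}

if __name__ == "__main__":
    for name, xml in (("OR_OF_AND", OR_OF_AND), ("AND_OF_OR", AND_OF_OR)):
        grouped, flat = texts(xml)
        print(name, "->", decide(xml, REQUEST))
        print("  grouped:", grouped)
        print("  flat:   ", flat)
```

Run as a script it prints the same flat sentence for both conditions, while the grouped renderings differ and the decisions are Permit versus NotApplicable. The practical consequence for a translator is that the parenthesization (or whatever grouping device the target language offers) has to be emitted from the Apply tree, because once it is dropped the flat text no longer determines who gets access.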

