How to include root resource values in XACML Response when using Multiple decision Hierarchical resource profile?

Question

I am working with XACML 3.0. When I am using the XACML v3.0 Hierarchical Resource Profile, how can I include root resource values in the XACML Response?

Ex:

Customer
    |-->Name
          |-->FirstName,LastName

Here,Customer is the Top root Resource .FirstName and LastName are the children of Name.

Here in my XACML Request I will send the top resource name Customer.By using Hierarchical resource feature of XACML3.0 ,Resource finder will evaluate the child resources.

How can i get root values Customer and Name in XACML Response? Here the XACML Request,

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="true">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">customer</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:root-resource-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">customer</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:resource:scope" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Descendants</AttributeValue>
</Attribute>
</Attributes>
</Request>

As one can see from the request, it contains 4 action categories, 1 subject category and 1 resource category. The latter uses the hierarchical resource profile. The repetition of the action category follows the Multiple Decision Profile of XACML. Essentially, it means that I am asking: "Can admin update...? Can admin read...? Can admin write...? Can admin delete...?"

Can you send your sample XACML request? What does your policy look like? You could use advice and obligations to return the information you need. Also, why would you return customer and name? Surely your PEP already knows this information. — David Brossard, Feb 17 '14 at 09:02
Hi,i am so sorry for the late reply.Now i posted XACML Request ,please check it. — Nadendla, Feb 24 '14 at 09:42

How to include root resource values in XACML Response when using Multiple decision Hierarchical resource profile?

0 Answers0