[XML Security Suite]

Simple Example 3


Please work through Simple Example 1 and Simple Example 2 before this one.

Description

This is a simple example of access control on attributes: the policy grants or denies access to individual XML attributes rather than to whole elements.

Target XML Document (ex3_target.xml)
<address_book:document xmlns:address_book="http://address_book">
  <address_book:entry email="satoshih@jp.ibm.com" name="Satoshi Hada" /> 
  <address_book:entry email="kudo@jp.ibm.com" name="Michiharu Kudoh" /> 
  <address_book:entry email="unknown" name="Yuki Hirayama" /> 
</address_book:document>

Policy Description

A set of access control policies is described as follows:

  1. Members in the "all" group can read every element.
  2. People not in the "all" group can read only name attributes.
  3. Members of the "admin" group can write any email attribute.

The above policies can be described in XACL language as follows:

Access Control Rules (ex3_policy.xml)
<policy
  xmlns:address_book="http://address_book"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.trl.ibm.com/projects/xml/xacl xacl.xsd"
  xmlns="http://www.trl.ibm.com/projects/xml/xacl">
  <!-- ===================================================
  1. The "all" group can read any field.
 =================================================== -->
  <xacl>
    <object href="/address_book:document"/>
    <rule>
      <acl>
        <subject>
          <group>all</group>
        </subject>
        <action name="read" permission="grant"/>
      </acl>
    </rule>
  </xacl>
  <!-- ===================================================
  2. People not in the "all" group can read only name attributes.
 =================================================== -->
  <xacl>
    <object href="/address_book:document/address_book:entry/@name"/>
    <rule>
      <acl>
        <action name="read" permission="grant"/>
      </acl>
    </rule>
  </xacl>
  <!-- ===================================================
  3. Anybody in the "admin" group can write any email attribute
 =================================================== -->
  <xacl>
    <object href="/address_book:document/address_book:entry/@email"/>
    <rule>
      <acl>
        <subject>
          <group>admin</group>
        </subject>
        <action name="write" permission="grant">
          <provisional_action name="log" timing="before"/>
        </action>
      </acl>
    </rule>
  </xacl>
</policy>

Access Requests

Try the following access requests. The access decision that the XACL Visual Tool reaches for each request is described in the right-most column of the following table.

Access request file | Object                                              | Subject (group) | Action | Access decision
ex3_request1.xml    | /address_book:document                              | Alice (all)     | read   | Alice, a member of the "all" group, is allowed to read the whole document.
ex3_request2.xml    | /address_book:document                              | Not specified   | read   | The anonymous user is allowed to read only name attributes.
ex3_request3.xml    | /address_book:document                              | Bob (admin)     | write  | Bob, a member of the "admin" group (a subgroup of "all"), is allowed to write every email attribute. However, he is not allowed to write any name attribute.
ex3_request4.xml    | /address_book:document/address_book:entry[3]/@email | Bob (admin)     | write  | Bob, a member of the "admin" group, is allowed to write every email attribute.
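The four decisions above can be reproduced with a small evaluator. The script below is an added example, not code from the XML Security Suite or the XACL Visual Tool: it enumerates every element and attribute node of ex3_target.xml, applies the three grant rules with downward propagation and deny-by-default, and puts Bob in both "admin" and "all", as the note that admin is a subgroup of all implies. The node-path and matching scheme is this example's own simplification, not the XACL engine's algorithm.

```python
import re
import xml.etree.ElementTree as ET

NS = {"http://address_book": "address_book"}
TARGET = """<address_book:document xmlns:address_book="http://address_book">
  <address_book:entry email="satoshih@jp.ibm.com" name="Satoshi Hada"/>
  <address_book:entry email="kudo@jp.ibm.com" name="Michiharu Kudoh"/>
  <address_book:entry email="unknown" name="Yuki Hirayama"/>
</address_book:document>"""
# (object href, required group or None, action, provisional actions): the three grant rules
POLICY = [
    ("/address_book:document", "all", "read", ()),
    ("/address_book:document/address_book:entry/@name", None, "read", ()),
    ("/address_book:document/address_book:entry/@email", "admin", "write", ("log",)),
]
# group.xml, plus the assumption that "admin" is a subgroup of "all" (so Bob is in both)
GROUPS = {"Alice": {"all"}, "Bob": {"admin", "all"}}

def qname(elem):
    uri, local = elem.tag[1:].split("}")
    return f"{NS[uri]}:{local}"

def collect(elem, path):
    """Indexed paths of elem, its attributes and all descendants, e.g. .../address_book:entry[2]/@email."""
    out = [path] + [f"{path}/@{a}" for a in sorted(elem.attrib)]
    seen = {}
    for child in elem:
        seen[qname(child)] = seen.get(qname(child), 0) + 1
        out += collect(child, f"{path}/{qname(child)}[{seen[qname(child)]}]")
    return out

def covers(pattern, node):
    """True if node is the pattern's target or one of its descendants (downward propagation assumed)."""
    n = node if "[" in pattern else re.sub(r"\[\d+\]", "", node)
    return n == pattern or n.startswith(pattern + "/")

def decide(user, action, obj):
    """Return (granted node paths, provisional actions) for one request; anything unmatched is denied."""
    root = ET.fromstring(TARGET)
    groups = GROUPS.get(user, set())  # an unspecified (anonymous) subject belongs to no group
    granted, provisional = [], set()
    for node in collect(root, "/" + qname(root)):
        if not covers(obj, node):
            continue
        for href, group, act, prov in POLICY:
            if act == action and (group is None or group in groups) and covers(href, node):
                granted.append(node)
                provisional.update(prov)
                break
    return granted, provisional
```

For ex3_request3.xml, decide("Bob", "write", "/address_book:document") returns only the three @email paths, with the "log" provisional action that rule 3 attaches to the grant.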

Other Information

Group Membership

Group membership is defined in group.xml as follows.

Group | Member
all   | Alice
admin | Bob

Binding Target XML and Policy

The binding table is defined as follows:

Binding Definition
<bind_table>
  <bind>
    <target href="ex3_target.xml"/>
    <policy href="ex3_policy.xml"/>
    <status href="ex3_status.xml"/>
  </bind>
</bind_table>


Last modified: March 29, 2002