[XML Security Suite]

Sample Application - Policy Management


Please try out simple examples (e.g. simple example 1) before checking this.

Application Description

One advantage of specifying access control policies in XML is that XACL can also express the authorization rules for managing the policy itself. In other words, the rules that govern access to an authorization policy can be defined as meta-rules, which are also written in XACL. Here we take the access control policy of the second example as the target XML document.

Target XML Document (ex2_policy.xml)
<policy>
<!-- ===================================================
  1. The "all" group can read name field.
 =================================================== -->
  <xacl>
    <object href="/personnel_info/entry/name"/>
    <rule>
      <acl>
        <subject>
          <group>all</group>
        </subject>
        <action name="read" permission="grant"/>
      </acl>
    </rule>
  </xacl>
<!-- ===================================================
  2. People in the personnel group can read any
     elements that are categorized as private.
 =================================================== -->
  <xacl>
    <object href="/personnel_info/entry/*[@category='private']"/>
    <rule>
      <acl>
        <subject>
          <group>personnel</group>
        </subject>
        <action name="read" permission="grant"/>
      </acl>
<!-- ===================================================
  3. Manager in the personnel group can write any
     elements that are categorized as private, provided
     the access is logged.
 =================================================== -->
      <acl>
        <subject>
          <role>Manager</role>
          <group>personnel</group>
        </subject>
        <action name="write" permission="grant">
          <provisional_action timing="before" name="log"/>
        </action>
      </acl>
    </rule>
  </xacl>
</policy>

Policy Document

A set of access control policies for the above policy document may be described as follows:

  1. The admin can read, write, and create any elements under the <policy> element.
  2. People in the personnel group can read any access control policies.
  3. The admin can delete any group element.

The above policies can be described in the XACL language as follows:

Policy Management Rules written in XACL language (management_policy.xml)
<policy>
<!-- ==================================================
  1. The admin can read, write, and create any elements
     under the policy element.
 =================================================== -->
  <xacl>
    <object href='/*[local-name()="policy"]
      [namespace-uri()="http://www.trl.ibm.com/projects/xml/xacl"]'/>
    <rule>
      <acl>
        <subject>
          <group>admin</group>
        </subject>
        <action name="read" permission="grant"/>
        <action name="write" permission="grant"/>
        <action name="create" permission="grant"/>
      </acl>
    </rule>
<!-- ==================================================
  2. People in the personnel group can read 
     any access control policies.
 =================================================== -->
    <rule>
      <acl>
        <subject>
          <group>personnel</group>
        </subject>
        <action name="read" permission="grant"/>
      </acl>
    </rule>
  </xacl>
<!-- ==================================================
  3. The admin can delete any group element.
 =================================================== -->
  <xacl>
    <object href='//*[local-name()="group"]
      [namespace-uri()="http://www.trl.ibm.com/projects/xml/xacl"]'/>
    <rule>
      <acl>
        <subject>
          <group>admin</group>
        </subject>
        <action name="delete" permission="grant"/>
      </acl>
    </rule>
  </xacl>
</policy>

Access Requests

Try the following access requests. The XACL Visual Tool shows the access decisions described in the rightmost column.

| access request file | object | subject (group) | action | brief description of access decisions |
|---|---|---|---|---|
| management_request1.xml | /policy | Andrew (admin) | read | The admin Andrew is allowed to read any elements below the <policy> element. |
| management_request2.xml | /policy | Bob (personnel) | read | Bob in the personnel group is allowed to read any elements below the <policy> element. |
| management_request3.xml | /policy | Andrew (admin) | write | Andrew is allowed to write any elements below the <policy> element. |
| management_request4.xml | /policy | Andrew (admin) | create | Andrew is allowed to create new access control policy under the <policy> element. |
| management_request5.xml | /policy | Andrew (admin) | delete | Andrew is allowed to delete any group element. |
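
The decisions above can be reproduced with a small evaluator over the management policy and the membership from group.xml. The following Python sketch is an added example, not code from the XML Security Suite; the names selected and decide are hypothetical, and only the two href shapes used in management_policy.xml are handled. It assumes that a grant on an object also covers its descendants, that anything not granted is denied, and that the target document's elements are in the XACL namespace.

```python
import re
import xml.etree.ElementTree as ET
NS = "http://www.trl.ibm.com/projects/xml/xacl"
# Constructed, trimmed target. The xmlns is an assumption: the meta-rule hrefs
# only match elements in this namespace, and the page's listing omits it.
TARGET = ET.fromstring(f"""<policy xmlns="{NS}"><xacl>
<object href="/personnel_info/entry/name"/><rule><acl>
<subject><group>all</group></subject>
<action name="read" permission="grant"/></acl></rule></xacl></policy>""")
# management_policy.xml from the page, comments removed.
META = ET.fromstring(f"""<policy>
<xacl><object href='/*[local-name()="policy"][namespace-uri()="{NS}"]'/>
 <rule><acl><subject><group>admin</group></subject>
  <action name="read" permission="grant"/><action name="write" permission="grant"/>
  <action name="create" permission="grant"/></acl></rule>
 <rule><acl><subject><group>personnel</group></subject>
  <action name="read" permission="grant"/></acl></rule></xacl>
<xacl><object href='//*[local-name()="group"][namespace-uri()="{NS}"]'/>
 <rule><acl><subject><group>admin</group></subject>
  <action name="delete" permission="grant"/></acl></rule></xacl>
</policy>""")
GROUPS = {"Andrew": {"admin"}, "Bob": {"personnel"}}  # group.xml on the page
HREF = re.compile(
    r'(//?)\*\[local-name\(\)="([^"]+)"\]\s*\[namespace-uri\(\)="([^"]+)"\]')

def selected(href):
    """Target elements matched by an href of the page's two shapes, plus descendants."""
    axis, name, uri = HREF.fullmatch(href.strip()).groups()
    pool = TARGET.iter() if axis == "//" else [TARGET]
    return {d for e in pool if e.tag == f"{{{uri}}}{name}" for d in e.iter()}

def decide(user, action, element):
    """Return 'grant' if a meta-rule covers element for this user and action."""
    for xacl in META.iter("xacl"):
        if element not in selected(xacl.find("object").get("href")):
            continue
        for acl in xacl.iter("acl"):
            groups = {g.text for g in acl.iter("group")}
            granted = {a.get("name") for a in acl.iter("action")
                       if a.get("permission") == "grant"}
            if groups & GROUPS.get(user, set()) and action in granted:
                return "grant"
    return "deny"  # assumption: anything not granted is denied

if __name__ == "__main__":
    group = TARGET.find(f".//{{{NS}}}group")
    for who, act, el in [("Andrew", "write", TARGET), ("Bob", "write", TARGET),
                         ("Andrew", "delete", group), ("Bob", "delete", group)]:
        print(who, act, decide(who, act, el))
```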

Other Information

Group Membership

Group membership is defined in group.xml as follows.

| group | member |
|---|---|
| admin | Andrew |
| personnel | Bob |

Binding Target XML and Policy

The binding table is defined as follows:

Binding Definition
<bind_table>
  <bind>
    <target href="policy.dtd"/>
    <policy href="management_policy.xml"/>
    <status href="management_status.xml"/>
  </bind>
</bind_table>



Last modified: August 18, 2001