Are the unexpected Permit results coming when a user is logged in, has
a fedoraRole, but it is not "administrator"? Or is it that no one is
logged in/the logged in user has no fedoraRole?

If the latter, the first thing I would try is adding
MustBePresent="false" to your subjectAttributeDesignator.  According
to the spec:
http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf

it effectively defaults to "true", and returns an Indeterminate result
in the event of a missing attribute.  Quoting from the rule evaluation
spec:
"If the target value is "No-match" or “Indeterminate” then the rule
value SHALL be “NotApplicable” or “Indeterminate”, respectively,
regardless of the value of the condition.  For these cases, therefore,
the condition need not be evaluated."

Since you have no condition, it may be applying that rule whenever the
fedoraRole attribute is missing.

On 7/8/11, thio <t...@uni-koblenz.de> wrote:
> Hi!
>
> Recently I was asked to build Policies for Fedora Objects.
>
> I have looked at the policy writing guide, and so far doing it like THAT
> works, but I find this style kind of convoluted.
>
> Since I only need simple rules I thought I could as well use the
> "straightforward" way, which is closer to the data model I get.
>
> To give you an example, a policy that shuts everyone out but admins:
>
> -guide:
> <Policy PolicyId="demo"
> RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>    xmlns="urn:oasis:names:tc:xacml:1.0:policy"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> <Target>
> <Subjects>
> <AnySubject/>
> </Subjects>
> <Resources>
> <Resource>
> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string">changeme:10061</AttributeValue>
> <ResourceAttributeDesignator
> AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
> DataType="http://www.w3.org/2001/XMLSchema#string"/>
> </ResourceMatch>
> </Resource>
> </Resources>
> <Actions>
> <AnyAction/>
> </Actions>
> </Target>
> <Rule Effect="Deny" RuleId="1">
> <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
> <Apply
> FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
> <SubjectAttributeDesignator AttributeId="fedoraRole"
> DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
> <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
> </Apply>
> </Apply>
> </Condition>
> </Rule>
> <Rule Effect="Permit" RuleId="3"/>
> </Policy>
> -mine:
> <Policy PolicyId="changeme:10061:DenyAllDefaultPolicy"
> RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
> <Target>
> <Subjects>
> <AnySubject />
> </Subjects>
> <Resources>
> <Resource>
> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string">changeme:10059
> </AttributeValue>
> <ResourceAttributeDesignator
> AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
> DataType="http://www.w3.org/2001/XMLSchema#string" />
> </ResourceMatch>
> </Resource>
> </Resources>
> <Actions>
> <AnyAction />
> </Actions>
> </Target>
> <Rule RuleId="AdminRule" Effect="Permit">
> <Target>
> <Subjects>
> <Subject>
> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string">administrator
> </AttributeValue>
> <SubjectAttributeDesignator
>                              AttributeId="fedoraRole"
> DataType="http://www.w3.org/2001/XMLSchema#string" />
> </SubjectMatch>
> </Subject>
> </Subjects>
> <Resources>
> <AnyResource />
> </Resources>
> <Actions>
> <AnyAction />
> </Actions>
> </Target>
> </Rule>
> <Rule RuleId="FinalRule" Effect="Deny">
> </Rule>
> </Policy>
>
> As far as I understood this SHOULD constitute the same behaviour, but my
> policy doesn't shut anyone out. And I have no idea why not.
>
> greetings and thanks for any help,
> Jessi
>
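The following is an added example, not code from the thread or from Fedora. It is a small Python model of the two pieces of XACML 2.0 evaluation the reply quotes: rule evaluation (a "No-match" target gives NotApplicable, an "Indeterminate" target gives Indeterminate, otherwise the rule's Effect applies since these rules carry no Condition) and the first-applicable combining algorithm (Permit or Deny is returned as soon as a rule yields it, NotApplicable moves on to the next rule, Indeterminate is returned as the policy result). The "mine" policy's two rules are encoded as dictionaries; the policy's own resource Target is assumed to match, and the effect of MustBePresent is exposed as a parameter so that both readings can be compared side by side. The function names (`designator`, `evaluate_rule`, `first_applicable`, `decide`) and the three request contexts are constructed for this example.

```python
"""Toy model of XACML 2.0 rule evaluation and first-applicable combining.

Added example; the policy and requests below are constructed to mirror the
"mine" policy in the thread, not taken from any real Fedora deployment.
"""
from enum import Enum


class Decision(str, Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


class MissingAttribute(Exception):
    """Raised when a designator with MustBePresent="true" finds no value."""


def designator(request, attribute_id, must_be_present):
    """Model an AttributeDesignator: return the bag of values for attribute_id.

    A missing attribute is an empty bag when must_be_present is False and an
    Indeterminate (modelled as an exception) when it is True.
    """
    values = request.get(attribute_id)
    if not values:
        if must_be_present:
            raise MissingAttribute(attribute_id)
        return []
    return list(values)


def target_matches(request, match, must_be_present):
    """Evaluate a Target; None stands for AnySubject/AnyResource/AnyAction."""
    if match is None:
        return "Match"
    attribute_id, expected = match  # e.g. ("fedoraRole", "administrator")
    try:
        bag = designator(request, attribute_id, must_be_present)
    except MissingAttribute:
        return "Indeterminate"
    return "Match" if expected in bag else "No-match"


def evaluate_rule(rule, request, must_be_present):
    """Rule evaluation as quoted from the spec: No-match -> NotApplicable,
    Indeterminate -> Indeterminate; otherwise (no Condition) the Effect."""
    target = target_matches(request, rule["target"], must_be_present)
    if target == "No-match":
        return Decision.NOT_APPLICABLE
    if target == "Indeterminate":
        return Decision.INDETERMINATE
    return rule["effect"]


def first_applicable(rules, request, must_be_present):
    """urn:...:rule-combining-algorithm:first-applicable over a rule list."""
    for rule in rules:
        result = evaluate_rule(rule, request, must_be_present)
        if result is not Decision.NOT_APPLICABLE:
            return result  # Permit, Deny or Indeterminate ends the evaluation
    return Decision.NOT_APPLICABLE


# Constructed encoding of the "mine" policy's rules (policy Target assumed to match).
MINE_RULES = [
    {"id": "AdminRule", "effect": Decision.PERMIT,
     "target": ("fedoraRole", "administrator")},
    {"id": "FinalRule", "effect": Decision.DENY, "target": None},
]

# Constructed request contexts: an administrator, a user with another role,
# and a request that carries no fedoraRole attribute at all.
REQUESTS = {
    "admin": {"fedoraRole": ["administrator"]},
    "reader": {"fedoraRole": ["reader"]},
    "anonymous": {},
}


def decide(request_name, must_be_present):
    """Return the policy decision (as a plain string) for one constructed request."""
    return first_applicable(MINE_RULES, REQUESTS[request_name], must_be_present).value


if __name__ == "__main__":
    for mbp in (True, False):
        print(f'MustBePresent="{str(mbp).lower()}":')
        for name in REQUESTS:
            print(f"  {name:10s} -> {decide(name, mbp)}")
```

Run as a script, the table shows the point of the reply: with the attribute present, both settings give Permit for the administrator and Deny for any other role, but when fedoraRole is absent the MustBePresent="true" reading makes AdminRule's Target Indeterminate, so first-applicable stops there and the policy never reaches FinalRule, whereas with MustBePresent="false" the designator yields an empty bag, AdminRule is NotApplicable and FinalRule's Deny applies.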

_______________________________________________
Fedora-commons-users mailing list
Fedora-commons-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users