Databases Reference
<policy xmlns="http://www.trl.ibm.com/projects/xml/xacl">
  <xacl id="R3-1">
    <object href="/review summary/entry"/>
    <rule><acl>
      <subject><group>reviewer</group></subject>
      <action name="read" permission="grant"/>
      <condition operation="and">
        <predicate name="compareStr">
          <parameter value="eq"/>
          <parameter><function name="getValue">
            <parameter value="./review/reviewerName/text()"/></function>
          </parameter>
          <parameter><function name="getUid"/></parameter>
        </predicate>
      </condition>
    </acl></rule>
  </xacl>
  <xacl id="R3-2">
    <object href="/review summary/entry/authorName"/>
    <rule><acl>
      <subject><group>reviewer</group></subject>
      <action name="read" permission="deny"/>
    </acl></rule>
  </xacl>
</policy>
Fig. 3. XACL Policy
association at the schema definition (e.g. DTD) level and the other is the
association at the level of each specific document. In the DTD-level approach,
a set of policies is bound to all documents valid according to the specified
DTD. Therefore, one needs to maintain the mapping between a particular
DTD and the associated policy. In the document-level approach, a policy is
bound to each specific document. In this case, an associated policy, which is
encoded as a policy element, may be an element contained within the target
document.
Basic Matching Algorithm
The access control system basically takes an authorization request as input
and outputs an authorization decision including provisional actions. The
access control enforcement may consist of the basic matching algorithm and the
policy evaluation algorithm.
Input: An authorization request which contains a requested object, a subject
for the requester, and the action.
Output: A decision list, which may contain multiple decisions.
Step 1. Object-Check: Search the associated policy for each xacl element
whose object element contains a node specified in the authorization request.
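Step 1 applied to the Fig. 3 policy, as an added example that is not code from the original text. It assumes the root element is named review_summary (the figure's extracted text shows a space in that name), uses a constructed target document, and supports only absolute child-axis paths; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"x": "http://www.trl.ibm.com/projects/xml/xacl"}

# Fig. 3 policy, condensed: the R3-1 condition is omitted because Object-Check
# does not read it. Assumption: the root element is named review_summary.
POLICY = """<policy xmlns="http://www.trl.ibm.com/projects/xml/xacl">
<xacl id="R3-1"><object href="/review_summary/entry"/>
 <rule><acl><subject><group>reviewer</group></subject>
 <action name="read" permission="grant"/></acl></rule></xacl>
<xacl id="R3-2"><object href="/review_summary/entry/authorName"/>
 <rule><acl><subject><group>reviewer</group></subject>
 <action name="read" permission="deny"/></acl></rule></xacl>
</policy>"""

# Constructed target document (not from the source text).
DOCUMENT = """<review_summary>
 <entry><authorName>Alice</authorName>
  <review><reviewerName>bob</reviewerName></review></entry>
 <entry><authorName>Carol</authorName>
  <review><reviewerName>dave</reviewerName></review></entry>
</review_summary>"""


def select_nodes(doc_root, href):
    """Resolve an absolute, child-axis-only path such as /a/b/c against the document."""
    steps = href.strip().strip("/").split("/")
    if steps[0] != doc_root.tag:
        return []
    rest = "/".join(steps[1:])
    return doc_root.findall(rest) if rest else [doc_root]


def object_check(policy_root, doc_root, requested_node):
    """Step 1: list (id, group, action, permission) for each xacl element
    whose object element selects the requested node."""
    matches = []
    for xacl in policy_root.findall("x:xacl", NS):
        href = xacl.find("x:object", NS).get("href")
        # Identity comparison: the requested node itself must be in the selected set.
        if any(n is requested_node for n in select_nodes(doc_root, href)):
            group = xacl.findtext("x:rule/x:acl/x:subject/x:group", namespaces=NS)
            action = xacl.find("x:rule/x:acl/x:action", NS)
            matches.append((xacl.get("id"), group.strip(),
                            action.get("name").strip(), action.get("permission").strip()))
    return matches


policy = ET.fromstring(POLICY)
doc = ET.fromstring(DOCUMENT)
```

A request for a reviewerName node matches neither xacl element under this strict reading of Step 1; whether the rule on entry also covers its descendants is not modelled here.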
 