

Version: 26.1

ABCBank Authorization domain file

This page shows the example authorization domain file that the Reverse query examples use.

abcbank.yml
# Authorization domain file for the "ABCBank" example (indentation restored for readability).
# Layout:
#   policy.xacmlSpecifications : the XACML 3.0 PolicySet, embedded as a YAML literal block
#   attributes                 : the attribute dictionary the policy refers to
# Only the roles investment_banker, group_manager and employee, and only the actions
# read, create and update, are matched below. Any other role/action combination
# (and any request missing the matched attributes) evaluates to NotApplicable rather
# than to an explicit Deny, so the enforcement point should treat NotApplicable as a denial.
identity: 565faab3-639d-4e51-a3d2-9039bc1f428c
metadata: {}
policy:
  # Same value as the PolicySetId of the root element in xacmlSpecifications below.
  mainPolicyId: >-
    http://www.axiomatics.com/automatic-unique-id/5cc13395-20bd-48b3-a56b-68b1c26c3e54
  xacmlSpecifications:
    # The PolicySet and every Policy combine with deny-overrides: a single applicable
    # Deny outweighs any number of Permits. Every AttributeDesignator uses
    # MustBePresent="false", so a missing attribute yields an empty bag (no match,
    # condition false) instead of an Indeterminate result.
    - |
      <xacml3:PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" PolicySetId="http://www.axiomatics.com/automatic-unique-id/5cc13395-20bd-48b3-a56b-68b1c26c3e54" Version="1.0"
                        xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
        <xacml3:Description>abcbank policy regarding customer records access</xacml3:Description>
        <xacml3:PolicySetDefaults>
          <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
        </xacml3:PolicySetDefaults>
        <!-- Whole PolicySet applies only to resources whose abcbank.documentType is customer_record. -->
        <xacml3:Target>
          <xacml3:AnyOf>
            <xacml3:AllOf>
              <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">customer_record</xacml3:AttributeValue>
                <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="abcbank.documentType" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </xacml3:Match>
            </xacml3:AllOf>
          </xacml3:AnyOf>
        </xacml3:Target>
        <!-- Policy 1: subjects whose abcbank.role is investment_banker.
             Note that the Policies below target the role attribute only; if a subject carries
             several role values (e.g. both investment_banker and employee), the employee Deny in
             Policy 3 wins under deny-overrides. -->
        <xacml3:Policy Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" PolicyId="http://www.axiomatics.com/automatic-unique-id/50f5b25e-dc7f-4672-a673-1a482e53f023">
          <xacml3:Description>An investment banker has limited access to customer records when located remotely</xacml3:Description>
          <xacml3:PolicyDefaults>
            <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
          </xacml3:PolicyDefaults>
          <xacml3:Target>
            <xacml3:AnyOf>
              <xacml3:AllOf>
                <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">investment_banker</xacml3:AttributeValue>
                  <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="abcbank.role" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                </xacml3:Match>
              </xacml3:AllOf>
            </xacml3:AnyOf>
          </xacml3:Target>
          <!-- Rule: action == read AND location == remote AND (Condition) subject owns the record. -->
          <xacml3:Rule RuleId="9602915f-69fe-4222-b63f-a859e4578f41" Effect="Permit">
            <xacml3:Description>An investment banker can read their own customer records once located remotely.</xacml3:Description>
            <xacml3:Target>
              <xacml3:AnyOf>
                <xacml3:AllOf>
                  <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue>
                    <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="abcbank.action" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                  </xacml3:Match>
                </xacml3:AllOf>
              </xacml3:AnyOf>
              <xacml3:AnyOf>
                <xacml3:AllOf>
                  <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">remote</xacml3:AttributeValue>
                    <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="abcbank.location" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                  </xacml3:Match>
                </xacml3:AllOf>
              </xacml3:AnyOf>
            </xacml3:Target>
            <!-- Ownership check: true when any value of the subject's abcbank.name equals any value of
                 the resource's abcbank.documentOwner. The check is only as trustworthy as the source of
                 those two attributes; they should be supplied by a trusted attribute source rather than
                 taken unverified from the request. If either bag is empty the condition is false.
                 The xmlns:xacml3 redeclaration on this element is redundant (same binding as the root). -->
            <xacml3:Condition
                xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
              <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
                <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
                  <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                  <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="abcbank.name" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                  <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="abcbank.documentOwner" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                </xacml3:Apply>
              </xacml3:Apply>
            </xacml3:Condition>
          </xacml3:Rule>
          <!-- Rule: action in {read, create, update} AND location == office. No ownership check here. -->
          <xacml3:Rule RuleId="f9f24f27-a727-48ec-9aea-1c4798b1b2e7" Effect="Permit">
            <xacml3:Description>An investment banker can read, create, update customer records once located in office.</xacml3:Description>
            <xacml3:Target>
              <xacml3:AnyOf>
                <xacml3:AllOf>
                  <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue>
                    <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="abcbank.action" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                  </xacml3:Match>
                </xacml3:AllOf>
                <xacml3:AllOf>
                  <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</xacml3:AttributeValue>
                    <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="abcbank.action" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                  </xacml3:Match>
                </xacml3:AllOf>
                <xacml3:AllOf>
                  <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</xacml3:AttributeValue>
                    <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="abcbank.action" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                  </xacml3:Match>
                </xacml3:AllOf>
              </xacml3:AnyOf>
              <xacml3:AnyOf>
                <xacml3:AllOf>
                  <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">office</xacml3:AttributeValue>
                    <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="abcbank.location" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                  </xacml3:Match>
                </xacml3:AllOf>
              </xacml3:AnyOf>
            </xacml3:Target>
          </xacml3:Rule>
        </xacml3:Policy>
        <!-- Policy 2: group_manager may read, create or update regardless of location or ownership.
             Version is "1" here and "1.0" above; both are valid, but the inconsistency is worth tidying. -->
        <xacml3:Policy Version="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" PolicyId="6e26eb0f-2568-44bf-9720-8de917eea70f">
          <xacml3:Description>A group manager can access customer records</xacml3:Description>
          <xacml3:PolicyDefaults>
            <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
          </xacml3:PolicyDefaults>
          <xacml3:Target>
            <xacml3:AnyOf>
              <xacml3:AllOf>
                <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">group_manager</xacml3:AttributeValue>
                  <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="abcbank.role" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                </xacml3:Match>
              </xacml3:AllOf>
            </xacml3:AnyOf>
          </xacml3:Target>
          <xacml3:Rule RuleId="a326af3d-4d4c-4d26-a6de-4c1cb1a98425" Effect="Permit">
            <xacml3:Description>A group manager can read, create or update customer records</xacml3:Description>
            <xacml3:Target>
              <xacml3:AnyOf>
                <xacml3:AllOf>
                  <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue>
                    <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="abcbank.action" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                  </xacml3:Match>
                </xacml3:AllOf>
                <xacml3:AllOf>
                  <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</xacml3:AttributeValue>
                    <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="abcbank.action" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                  </xacml3:Match>
                </xacml3:AllOf>
                <xacml3:AllOf>
                  <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</xacml3:AttributeValue>
                    <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="abcbank.action" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                  </xacml3:Match>
                </xacml3:AllOf>
              </xacml3:AnyOf>
            </xacml3:Target>
          </xacml3:Rule>
        </xacml3:Policy>
        <!-- Policy 3: explicit Deny for role employee on read, create and update.
             Actions other than these three are not covered by any rule and fall to NotApplicable. -->
        <xacml3:Policy Version="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" PolicyId="db83a8ad-3192-4d1a-b083-794dacb9c0d6">
          <xacml3:Description>An employee has no access at customer records.</xacml3:Description>
          <xacml3:PolicyDefaults>
            <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
          </xacml3:PolicyDefaults>
          <xacml3:Target>
            <xacml3:AnyOf>
              <xacml3:AllOf>
                <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">employee</xacml3:AttributeValue>
                  <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="abcbank.role" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                </xacml3:Match>
              </xacml3:AllOf>
            </xacml3:AnyOf>
          </xacml3:Target>
          <xacml3:Rule RuleId="44c46b1c-2dc9-4037-b748-edf976916eeb" Effect="Deny">
            <xacml3:Description>An employee cannot read, create or update customer records</xacml3:Description>
            <xacml3:Target>
              <xacml3:AnyOf>
                <xacml3:AllOf>
                  <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue>
                    <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="abcbank.action" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                  </xacml3:Match>
                </xacml3:AllOf>
                <xacml3:AllOf>
                  <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</xacml3:AttributeValue>
                    <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="abcbank.action" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                  </xacml3:Match>
                </xacml3:AllOf>
                <xacml3:AllOf>
                  <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</xacml3:AttributeValue>
                    <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="abcbank.action" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                  </xacml3:Match>
                </xacml3:AllOf>
              </xacml3:AnyOf>
            </xacml3:Target>
          </xacml3:Rule>
        </xacml3:Policy>
      </xacml3:PolicySet>
# Attribute dictionary. Every entry is a string in either the access-subject,
# resource or action category; the policy above resolves designators against these.
attributes:
  abcbank.role:
    xacmlId: abcbank.role
    category: 'urn:oasis:names:tc:xacml:1.0:subject-category:access-subject'
    datatype: 'http://www.w3.org/2001/XMLSchema#string'
    issuer: ''
  abcbank.location:
    xacmlId: abcbank.location
    category: 'urn:oasis:names:tc:xacml:1.0:subject-category:access-subject'
    datatype: 'http://www.w3.org/2001/XMLSchema#string'
    issuer: ''
  abcbank.documentOwner:
    xacmlId: abcbank.documentOwner
    category: 'urn:oasis:names:tc:xacml:3.0:attribute-category:resource'
    datatype: 'http://www.w3.org/2001/XMLSchema#string'
    issuer: ''
  abcbank.documentType:
    xacmlId: abcbank.documentType
    category: 'urn:oasis:names:tc:xacml:3.0:attribute-category:resource'
    datatype: 'http://www.w3.org/2001/XMLSchema#string'
    issuer: ''
  abcbank.name:
    xacmlId: abcbank.name
    category: 'urn:oasis:names:tc:xacml:1.0:subject-category:access-subject'
    datatype: 'http://www.w3.org/2001/XMLSchema#string'
    issuer: ''
  # Declared but not referenced by any Policy or Rule in xacmlSpecifications above.
  abcbank.documentId:
    xacmlId: abcbank.documentId
    category: 'urn:oasis:names:tc:xacml:3.0:attribute-category:resource'
    datatype: 'http://www.w3.org/2001/XMLSchema#string'
    issuer: ''
  # NOTE(review): the only entry without an issuer line; confirm whether the loader
  # defaults a missing issuer to '' or whether this should be made consistent with the rest.
  abcbank.action:
    xacmlId: abcbank.action
    category: 'urn:oasis:names:tc:xacml:3.0:attribute-category:action'
    datatype: 'http://www.w3.org/2001/XMLSchema#string'
attributeConnectors: {}
decisionParameters: null