[jboss-cvs] JBossAS SVN: r86177 - in projects/security/security-xacml/trunk/jboss-sunxacml: src/main/java/org/jboss/security/xacml/sunxacml/cond and 6 other directories.

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Sun Mar 22 00:12:01 EDT 2009


Author: anil.saldhana at jboss.com
Date: 2009-03-22 00:12:01 -0400 (Sun, 22 Mar 2009)
New Revision: 86177

Added:
   projects/security/security-xacml/trunk/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/policy/
   projects/security/security-xacml/trunk/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/policy/PolicyReadUnitTestCase.java
   projects/security/security-xacml/trunk/jboss-sunxacml/src/test/resources/
   projects/security/security-xacml/trunk/jboss-sunxacml/src/test/resources/policies/
   projects/security/security-xacml/trunk/jboss-sunxacml/src/test/resources/policies/bag-size/
   projects/security/security-xacml/trunk/jboss-sunxacml/src/test/resources/policies/bag-size/bag-size-policy.xml
Modified:
   projects/security/security-xacml/trunk/jboss-sunxacml/.classpath
   projects/security/security-xacml/trunk/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/cond/FunctionBase.java
Log:
SECURITY-394: FunctionBase: IllegalArgEx

Modified: projects/security/security-xacml/trunk/jboss-sunxacml/.classpath
===================================================================
--- projects/security/security-xacml/trunk/jboss-sunxacml/.classpath	2009-03-21 21:48:43 UTC (rev 86176)
+++ projects/security/security-xacml/trunk/jboss-sunxacml/.classpath	2009-03-22 04:12:01 UTC (rev 86177)
@@ -1,6 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <classpath>
 	<classpathentry kind="src" path="src/main/java"/>
+	<classpathentry kind="src" path="src/test/resources"/>
 	<classpathentry kind="src" path="src/main/resources"/>
 	<classpathentry kind="src" path="src/test/java"/>
 	<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER"/>

Modified: projects/security/security-xacml/trunk/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/cond/FunctionBase.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/cond/FunctionBase.java	2009-03-21 21:48:43 UTC (rev 86176)
+++ projects/security/security-xacml/trunk/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/cond/FunctionBase.java	2009-03-22 04:12:01 UTC (rev 86177)
@@ -393,8 +393,8 @@
             while (it.hasNext()) {
                 Evaluatable eval = (Evaluatable)(it.next());
 
-                if ((! eval.getType().toString().equals(paramType)) ||
-                    (eval.returnsBag() != paramIsBag))
+                if ((! eval.getType().toString().equals(paramType)) /*||
+                    (eval.returnsBag() != paramIsBag)*/)
                     throw new IllegalArgumentException("illegal parameter");
             }
         } else {

Added: projects/security/security-xacml/trunk/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/policy/PolicyReadUnitTestCase.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/policy/PolicyReadUnitTestCase.java	                        (rev 0)
+++ projects/security/security-xacml/trunk/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/policy/PolicyReadUnitTestCase.java	2009-03-22 04:12:01 UTC (rev 86177)
@@ -0,0 +1,45 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors. 
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.security.sunxacml.policy;
+
+import junit.framework.TestCase;
+
+import org.jboss.security.xacml.sunxacml.support.SimplePDP;
+
+/**
+ * @author Anil.Saldhana at redhat.com
+ * @since Mar 21, 2009
+ */
+public class PolicyReadUnitTestCase extends TestCase
+{ 
+   /**
+    * SECURITY-394: bag-size throws IllegalArgumentException in FunctionBase
+    * @throws Exception
+    */
+   public void testBagSize() throws Exception 
+   {
+      String fileName = "src/test/resources/policies/bag-size/bag-size-policy.xml";
+      String[] policies = new String[] {fileName};
+      SimplePDP pdp = new SimplePDP(policies);
+      assertNotNull(pdp);
+   }
+}
\ No newline at end of file

Added: projects/security/security-xacml/trunk/jboss-sunxacml/src/test/resources/policies/bag-size/bag-size-policy.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-sunxacml/src/test/resources/policies/bag-size/bag-size-policy.xml	                        (rev 0)
+++ projects/security/security-xacml/trunk/jboss-sunxacml/src/test/resources/policies/bag-size/bag-size-policy.xml	2009-03-22 04:12:01 UTC (rev 86177)
@@ -0,0 +1,496 @@
+<?xml version="1.0" encoding="utf-8"?>
+<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" 
+           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+           xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd" 
+           PolicySetId="urn:oasis:names:tc:xspa:1.0" 
+           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
+  <Target />
+  <PolicySet PolicySetId="urn:oasis:names:tc:xspa:1.0:org" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
+    <Description>Contains all organizational policies which are evaluated on all requests.</Description>
+    <Target />    
+    <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:org:allowed:organizations" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+      <Description>
+        The organization denies the request if the subject is attempting to access 
+        a resource and is not a member of the allowed organizations.
+      </Description>
+      <Target />
+      <Rule RuleId="urn:oasis:names:tc:xspa:1.0:org:allowed:organizations:deny" Effect="Deny">
+        <Description>Evaluates the allowed-organizations (if available) against the subject's locality.</Description>
+        <Target />
+        <Condition>
+          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+                  <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations" DataType="http://www.w3.org/2001/XMLSchema#string" />
+                </Apply>
+                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+              </Apply>
+            </Apply>
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+                <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:locality" DataType="http://www.w3.org/2001/XMLSchema#string" />
+                <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations" DataType="http://www.w3.org/2001/XMLSchema#string" />
+              </Apply>              
+            </Apply>
+          </Apply>
+        </Condition>
+      </Rule>
+    </Policy>
+    <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:org:hoursofoperations" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+      <Description>
+        The organization denies the request if the subject is attempting to access
+        the resource outside of the alloted time.
+      </Description>
+      <Target />
+      <Rule RuleId="urn:oasis:names:tc:xspa:1.0:org:hoursofoperation:deny" Effect="Deny">
+        <Description>Evaluates the environment time against the hours of operation start and end.</Description>
+        <Target />
+        <Condition>
+          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal">
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
+                  <EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time" />
+                </Apply>
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
+                  <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:start" DataType="http://www.w3.org/2001/XMLSchema#time" />
+                </Apply>
+              </Apply>
+            </Apply>
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal">
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
+                  <EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time" />
+                </Apply>
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
+                  <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:end" DataType="http://www.w3.org/2001/XMLSchema#time" />
+                </Apply>
+              </Apply>
+            </Apply>
+          </Apply>
+        </Condition>
+      </Rule>
+    </Policy>
+
+    <!-- SUBJECT.STRUCTURED-ROLE NOT IN ORG.REQUIRED-ROLES -->
+    <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:org:required:roles" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+      <Description>
+        The organization denies the request if the subject is attempting to access 
+        a resource and they are not a member of the required role(s).
+      </Description>
+      <Target />
+      <Rule RuleId="urn:oasis:names:tc:xspa:1.0:org:required:roles:deny" Effect="Deny">
+        <Description>Evaluates the organization roles (if available) against the subject's role.</Description>
+        <Target />
+        <Condition>
+          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+                  <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+                </Apply>
+                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+              </Apply>
+            </Apply>
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">                
+                <!-- MAY NEED TO SWITCH ~~ Is this a one to many relationship?  Are all roles required or does the subject just need to be included? -->
+                <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+                <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:role" DataType="http://www.w3.org/2001/XMLSchema#string" />                
+              </Apply>
+            </Apply>            
+          </Apply>
+        </Condition>
+      </Rule>
+    </Policy>
+
+    <!-- SUBJECT.PERMISSIONS NOT IN ORG.RESOURCE.PERMISSIONS -->
+    <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:org.resource.permissions" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+      <Description>
+        The organization denies the request if the subject does not have adequate
+        permissions to access the resource.
+      </Description>
+      <Target />
+      <Rule RuleId="urn:oasis:names:tc:xspa:1.0:org:resource.permissions:deny" Effect="Deny">
+        <Description>Evaluates the required permissions (if available) against the subject's permissions.</Description>
+        <Target />
+        <Condition>
+          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+                  <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:required-permissions" DataType="http://www.w3.org/2001/XMLSchema#string" />
+                </Apply>
+                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+              </Apply>
+            </Apply>
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+                <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:required-permissions" DataType="http://www.w3.org/2001/XMLSchema#string" />
+                <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:subject:hl7:permission" DataType="http://www.w3.org/2001/XMLSchema#string" />
+              </Apply>                
+            </Apply>             
+          </Apply>
+        </Condition>
+      </Rule>
+    </Policy>
+  </PolicySet>
+
+  <PolicySet PolicySetId="urn:oasis:names:tc:xspa:1.0:patient" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
+    <Description>These policies are patient consent directives and are invoked on medical-record requests.</Description>
+    <Target />
+    
+    <!-- SUBJECT.LOCALITY NOT IN PATIENT.ALLOWED-ORGANIZATIONS -->
+    <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:patient:allowed:organizations" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+      <Description>
+        Denies the request from the subject if their locality is not permitted by the patient.
+      </Description>
+      <Target />
+      <Rule RuleId="urn:oasis:names:tc:xspa:1.0:patient:allowed:organizations:deny" Effect="Deny">
+        <Description>Evaluates the allowed-organizations (if available) against the subject's locality.</Description>
+        <Target />
+        <Condition>
+          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+                  <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:patient:allowed-organizations" DataType="http://www.w3.org/2001/XMLSchema#string" />
+                </Apply>
+                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+              </Apply>
+            </Apply>
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+                <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:locality" DataType="http://www.w3.org/2001/XMLSchema#string" />
+                <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:patient:allowed-organizations" DataType="http://www.w3.org/2001/XMLSchema#string" />
+              </Apply>
+            </Apply>
+          </Apply>
+        </Condition>
+      </Rule>
+    </Policy>
+
+    <!-- SUBJECT.ROLE IN PATIENT.DISSENTING-ROLES -->
+    <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:dissenting:role" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+      <Description>
+        Denies the request from the subject if their role is not permitted by the patient.
+      </Description>
+      <Target />
+      <Rule RuleId="urn:oasis:names:tc:xspa:1.0:patient:dissenting:roles:deny" Effect="Deny">
+        <Description>Evaluates the dissenting-role (if available) against the subject's role.</Description>
+        <Target />
+        <Condition>
+          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">                        
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+              <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+              <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:dissenting-role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+            </Apply>            
+          </Apply>
+        </Condition>
+      </Rule>
+    </Policy>
+
+    <!-- SUBJECT.ID IN PATIENT.DISSENTING-ID -->
+    <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:dissenting-subject-ids" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+      <Description>
+        Denies the request from the subject if the NPI is not permitted by the patient.
+      </Description>
+      <Target />
+      <Rule RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:problems:dissenting-subject-ids:deny" Effect="Deny">
+        <Description>Evaluates the dissenting-subject-id (if available) against the subject's NPI.</Description>
+        <Target />
+        <Condition>
+          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+                  <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:dissenting-subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
+                </Apply>
+                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+              </Apply>
+            </Apply>
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+              <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:subject:npi" DataType="http://www.w3.org/2001/XMLSchema#string" />
+              <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:dissenting-subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
+            </Apply>
+          </Apply>
+        </Condition>
+      </Rule>
+    </Policy>
+
+    <!-- (RESOURCE.RESOURCETYPE IN PATIENT.MASKEDOBJECT) AND (SUBJECT.ROLE IN PATIENT.MA.DISSENTING-ROLES) -->
+    <!-- PROBLEMS -->
+    <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:problems:dissenting-roles" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+      <Description>
+        Denies the request for problems from the subject if the NPI is not permitted by the patient.
+      </Description>
+      <Target />
+      <Rule RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:problems:dissenting-roles:permit" Effect="Permit">
+        <Description>Evaluates the dissenting-roles for problems (if available) against the subject's role.</Description>
+        <Target />
+        <Condition>
+          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+                  <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Problems:dissenting-role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+                </Apply>
+                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+              </Apply>
+            </Apply>
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+              <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+              <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Problems:dissenting-role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+            </Apply>
+          </Apply>
+        </Condition>
+      </Rule>
+      <Obligations>
+        <Obligation ObligationId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Problems:dissenting-role" FulfillOn="Permit"></Obligation>
+      </Obligations>
+    </Policy>
+    <!-- MEDICATIONS -->
+    <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:medications:dissenting-roles" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+      <Description>
+        Denies the request for medications from the subject if the NPI is not permitted by the patient.
+      </Description>
+      <Target />
+      <Rule RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:medications:dissenting-roles:permit" Effect="Permit">
+        <Description>Evaluates the dissenting-roles for medications (if available) against the subject's role.</Description>
+        <Target />
+        <Condition>
+          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+                  <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Medications:dissenting-role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+                </Apply>
+                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+              </Apply>
+            </Apply>
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+              <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+              <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Medications:dissenting-role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+            </Apply>
+          </Apply>
+        </Condition>
+      </Rule>
+      <Obligations>
+        <Obligation ObligationId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Medications:dissenting-role" FulfillOn="Permit"></Obligation>
+      </Obligations>
+    </Policy>
+    <!-- ALERTS -->
+    <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:alerts:dissenting-roles" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+      <Description>
+        Denies the request alerts from the subject if the NPI is not permitted by the patient.
+      </Description>
+      <Target />
+      <Rule RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:alerts:dissenting-roles:permit" Effect="Permit">
+        <Description>Evaluates the dissenting-roles for alerts (if available) against the subject's role.</Description>
+        <Target />
+        <Condition>
+          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+                  <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Alerts:dissenting-role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+                </Apply>
+                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+              </Apply>
+            </Apply>
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+              <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+              <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Alerts:dissenting-role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+            </Apply>
+          </Apply>
+        </Condition>
+      </Rule>
+      <Obligations>
+        <Obligation ObligationId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Alerts:dissenting-role" FulfillOn="Permit"></Obligation>
+      </Obligations>
+    </Policy>
+    
+    <!-- IMMUNIZATIONS -->
+    <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:immunizations:dissenting-roles" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+      <Description>
+        Denies the request for immunizations from the subject if the NPI is not permitted by the patient.
+      </Description>
+      <Target />
+      <Rule RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:immunizations:dissenting-roles:permit" Effect="Permit">
+        <Description>Evaluates the dissenting-roles for immunizations (if available) against the subject's role.</Description>
+        <Target />
+        <Condition>
+          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+                  <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Immunizations:dissenting-role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+                </Apply>
+                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+              </Apply>
+            </Apply>
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+              <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+              <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Immunizations:dissenting-role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+            </Apply>
+          </Apply>
+        </Condition>
+      </Rule>
+      <Obligations>
+        <Obligation ObligationId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Immunizations:dissenting-role" FulfillOn="Permit"></Obligation>
+      </Obligations>
+    </Policy>
+
+    <!-- (RESOURCE.RESOURCETYPE IN PATIENT.MASKEDOBJECT) AND (SUBJECT.ROLE IN PATIENT.MA.DISSENTING-ROLES) -->
+    <!-- PROBLEMS -->
+    <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:problems:dissenting-subject-ids" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+      <Description>
+        Denies the request for problems from the subject if the NPI is not permitted by the patient.
+      </Description>
+      <Target />
+      <Rule RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:problems:dissenting-subject-ids:permit" Effect="Permit">
+        <Description>Evaluates the dissenting-subject-id's for problems (if available) against the subject's NPI.</Description>
+        <Target />
+        <Condition>
+          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+                  <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Problems:dissenting-subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
+                </Apply>
+                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+              </Apply>
+            </Apply>
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+              <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:subject:npi" DataType="http://www.w3.org/2001/XMLSchema#string" />
+              <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Problems:dissenting-subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
+            </Apply>
+          </Apply>
+        </Condition>
+      </Rule>
+      <Obligations>
+        <Obligation ObligationId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Problems:dissenting-subject-id" FulfillOn="Permit"></Obligation>
+      </Obligations>
+    </Policy>
+    <!-- MEDICATIONS -->
+    <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:medications:dissenting-subject-ids" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+      <Description>
+        Denies the request for medications from the subject if the NPI is not permitted by the patient.
+      </Description>
+      <Target />
+      <Rule RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:medications:dissenting-subject-ids:permit" Effect="Permit">
+        <Description>Evaluates the dissenting-subject-id's for medications (if available) against the subject's NPI.</Description>
+        <Target />
+        <Condition>
+          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+                  <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Medications:dissenting-subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
+                </Apply>
+                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+              </Apply>
+            </Apply>
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+              <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:subject:npi" DataType="http://www.w3.org/2001/XMLSchema#string" />
+              <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Medications:dissenting-subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
+            </Apply>
+          </Apply>
+        </Condition>
+      </Rule>
+      <Obligations>
+        <Obligation ObligationId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Medications:dissenting-subject-id" FulfillOn="Permit"></Obligation>
+      </Obligations>
+    </Policy>
+    <!-- ALERTS -->
+    <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:alerts:dissenting-subject-ids" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+      <Description>
+        Denies the request for alerts from the subject if the NPI is not permitted by the patient.
+      </Description>
+      <Target />
+      <Rule RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:alerts:dissenting-subject-ids:permit" Effect="Permit">
+        <Description>Evaluates the dissenting-subject-id's for alerts (if available) against the subject's NPI.</Description>
+        <Target />
+        <Condition>
+          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+                  <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Alerts:dissenting-subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
+                </Apply>
+                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+              </Apply>
+            </Apply>
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+              <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:subject:npi" DataType="http://www.w3.org/2001/XMLSchema#string" />
+              <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Alerts:dissenting-subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
+            </Apply>
+          </Apply>
+        </Condition>
+      </Rule>
+      <Obligations>
+        <Obligation ObligationId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Alerts:dissenting-subject-id" FulfillOn="Permit"></Obligation>
+      </Obligations>
+    </Policy>
+    <!-- IMMUNIZATIONS -->
+    <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:immunizations:dissenting-subject-ids" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+      <Description>
+        Denies the request for immunizations from the subject if the NPI is not permitted by the patient.
+      </Description>
+      <Target />
+      <Rule RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:immunizations:dissenting-subject-ids:permit" Effect="Permit">
+        <Description>Evaluates the dissenting-subject-id's for immunizations (if available) against the subject's NPI.</Description>
+        <Target />
+        <Condition>
+          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+                  <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Immunizations:dissenting-subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
+                </Apply>
+                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+              </Apply>
+            </Apply>
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+              <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:subject:npi" DataType="http://www.w3.org/2001/XMLSchema#string" />
+              <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Immunizations:dissenting-subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
+            </Apply>
+          </Apply>
+        </Condition>
+      </Rule>
+      <Obligations>
+        <Obligation ObligationId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Immunizations:dissenting-subject-id" FulfillOn="Permit"></Obligation>
+      </Obligations>
+    </Policy>
+
+    <!-- CONFIDENTIALITY -->
+    <Policy PolicyId="urn:oasis:names:tc:xspa:1.0.resource:patient:hl7:confidentiality-codes" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+      <Description>
+        Denies the request from the subject if the confidentiality code is set to "Sensitive".  This policy
+        is acting as the "Catch-All".
+      </Description>
+      <Target />
+      <Rule RuleId="urn:oasis:names:tc:xspa:1.0.resource:patient:hl7:confidentiality-code:deny" Effect="Deny">
+        <Description>Evaluates the HL7 confidentiality-code.</Description>
+        <Target />
+        <Condition>
+          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+                  <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0.resource:patient:hl7:confidentiality-code" DataType="http://www.w3.org/2001/XMLSchema#string" />
+                </Apply>
+                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+              </Apply>
+            </Apply>
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+              <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0.resource:patient:hl7:confidentiality-code" DataType="http://www.w3.org/2001/XMLSchema#string" />
+              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">S</AttributeValue>
+            </Apply>
+          </Apply>
+        </Condition>
+      </Rule>
+    </Policy>
+  </PolicySet>
+</PolicySet>
\ No newline at end of file




More information about the jboss-cvs-commits mailing list