Copyright © 2013 Open Geospatial Consortium
This is indicated to the PEP by returning an Obligation with the identifier “urn:SD:Obligation:Response:Filter”. This obligation triggers PEP processing according to the XACML 2.0 Multiple Resources Profile, with the semantics that, at the end of processing, every XML element for which a Deny decision exists is removed from the response. The parameters required for shaping the ADR from the intercepted CSW response (the OWS Context document) are contained in the Obligation.
In order to derive the desired authorization decisions, the Policy must be able to handle the XACML 2.0 MRP compliant ADR. The ADR must be structured such that the AD comprises many individual authorization decisions, according to the request. These decisions indicate to the PEP, by means of XPath expressions, which XML elements are to be removed from the OWS Context document.
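The PEP-side shaping step described above, as an added example that is not code from the report or from the Secure Dimensions PEP: a constructed OWS Context document (Atom encoding) is filtered against a constructed XACML 2.0 MRP response in which each Result carries the path of the element it decides on. The paths are written in Python ElementTree notation rather than full XPath, an assumption made so the example runs with the standard library only; the filter obligation identifier is the one from the report.

```python
import xml.etree.ElementTree as ET

ATOM_NS = "http://www.w3.org/2005/Atom"
XACML_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
FILTER_OBLIGATION = "urn:SD:Obligation:Response:Filter"
ET.register_namespace("", ATOM_NS)

# Constructed OWS Context document, standing in for an intercepted CSW response.
OWS_CONTEXT = f"""<feed xmlns="{ATOM_NS}">
  <entry><id>rec-1</id><title>Public record</title></entry>
  <entry><id>rec-2</id><title>Restricted record</title></entry>
  <entry><id>rec-3</id><title>Internal record</title></entry>
</feed>"""

# Constructed PDP response in MRP shape: one <Result> per element, ResourceId
# holding that element's path (ElementTree notation, assumed for this example).
PDP_RESPONSE = f"""<Response xmlns="{XACML_NS}">
  <Result ResourceId="./{{{ATOM_NS}}}entry[1]"><Decision>Permit</Decision></Result>
  <Result ResourceId="./{{{ATOM_NS}}}entry[2]"><Decision>Deny</Decision>
    <Obligations><Obligation ObligationId="{FILTER_OBLIGATION}" FulfillOn="Deny"/></Obligations>
  </Result>
  <Result ResourceId="./{{{ATOM_NS}}}entry[3]"><Decision>Deny</Decision>
    <Obligations><Obligation ObligationId="{FILTER_OBLIGATION}" FulfillOn="Deny"/></Obligations>
  </Result>
</Response>"""

def denied_paths(pdp_response_xml):
    """Paths of all Deny results, or None when the response carries no
    urn:SD:Obligation:Response:Filter obligation (PEP leaves the document alone)."""
    resp = ET.fromstring(pdp_response_xml)
    if resp.find(f".//{{{XACML_NS}}}Obligation[@ObligationId='{FILTER_OBLIGATION}']") is None:
        return None
    return [r.get("ResourceId") for r in resp.findall(f"{{{XACML_NS}}}Result")
            if r.findtext(f"{{{XACML_NS}}}Decision") == "Deny"]

def filter_response(ows_context_xml, pdp_response_xml):
    """Remove every element the PDP denied, only after all paths are resolved."""
    paths = denied_paths(pdp_response_xml)
    if paths is None:
        return ows_context_xml
    root = ET.fromstring(ows_context_xml)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    # Resolve all paths against the unmodified document first ("at the end"
    # semantics): deleting entry[2] early would renumber entry[3] and miss a Deny.
    doomed = {el for path in paths for el in root.findall(path)}
    for el in doomed:
        parent_of[el].remove(el)
    return ET.tostring(root, encoding="unicode")

def entry_ids(ows_context_xml):
    root = ET.fromstring(ows_context_xml)
    return [e.findtext(f"{{{ATOM_NS}}}id") for e in root.findall(f"{{{ATOM_NS}}}entry")]
```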
6.3.1 CSW Request example
http://ows9.secure-dimensions.org/service/CSW/Compusult?REQUEST=GetRecords&SERVICE=CSW&VERSION=2.0.2&CONSTRAINTLANGUAGE=CQL_TEXT&TYPENAMES=csw:Record&RESULTTYPE=results&OUTPUTSCHEMA=http://www.isotc211.org/2005/gmd&ELEMENTSETNAME=brief
This example request will be transformed into the following ADR assuming a user with RoleA issued the request:
<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
         xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
  <Subject>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#string"
               AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
      <AttributeValue>Alice</AttributeValue>
    </Attribute>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#anyURI"
               AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role">
      <AttributeValue>A</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#string"
               AttributeId="urn:SD:def:xacml:2.0:context">
      <AttributeValue>urn:SD:def:xacml:2.0:request</AttributeValue>
    </Attribute>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#anyURI"
               AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
      <AttributeValue/>
    </Attribute>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#anyURI"
               AttributeId="urn:SD:def:xacml:2.0:uri">
      <AttributeValue>/service/CSW/Compusult</AttributeValue>
    </Attribute>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#string"
               AttributeId="urn:SD:def:xacml:2.0:service">
      <AttributeValue>CSW</AttributeValue>
    </Attribute>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#string"
               AttributeId="urn:SD:def:xacml:2.0:request">
      <AttributeValue>GetRecords</AttributeValue>
    </Attribute>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#string"
               AttributeId="urn:SD:def:xacml:2.0:version">
      <AttributeValue>2.0.2</AttributeValue>
    </Attribute>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#string"
               AttributeId="urn:SD:def:xacml:2.0:resulttype">
      <AttributeValue>results</AttributeValue>
    </Attribute>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#string"
               AttributeId="urn:SD:def:xacml:2.0:">
      <AttributeValue>http://www.isotc211.org/2005/gmd</AttributeValue>
    </Attribute>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#string"
               AttributeId="urn:SD:def:xacml:2.0:elementsetname">
      <AttributeValue>brief</AttributeValue>
    </Attribute>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#string"
               AttributeId="urn:SD:def:xacml:2.0:constraintlanguage">
      <AttributeValue>CQL_TEXT</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#string"
               AttributeId="urn:SD:def:xacml:2.0:request">
      <AttributeValue>GetRecords</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>GET</AttributeValue>
    </Attribute>
  </Action>
  <Environment>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#date"
               AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date">
      <AttributeValue>2012-06-12</AttributeValue>
    </Attribute>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#time"
               AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time">
      <AttributeValue>19:54:11Z</AttributeValue>
    </Attribute>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#dateTime"
               AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-dateTime">
      <AttributeValue>2012-06-12T19:54:11Z</AttributeValue>
    </Attribute>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#string"
               AttributeId="urn:SD:def:xacml:2.0:protocol">
      <AttributeValue>HTTP/1.1</AttributeValue>
    </Attribute>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#string"
               AttributeId="urn:SD:def:xacml:2.0:hostname">
      <AttributeValue>localhost</AttributeValue>
    </Attribute>
  </Environment>
</Request>
Table 4 — XACML request example
6.3.2 Policy snippet