Policy snippet Approach to Policy writing for CSW response filtering

Copyright © 2013 Open Geospatial Consortium

    </Attribute>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#string"
               AttributeId="urn:SD:def:xacml:2.0:version">
      <AttributeValue>2.0.2</AttributeValue>
    </Attribute>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#string"
               AttributeId="urn:SD:def:xacml:2.0:resulttype">
      <AttributeValue>results</AttributeValue>
    </Attribute>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#string"
               AttributeId="urn:SD:def:xacml:2.0:">
      <AttributeValue>http://www.isotc211.org/2005/gmd</AttributeValue>
    </Attribute>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#string"
               AttributeId="urn:SD:def:xacml:2.0:elementsetname">
      <AttributeValue>brief</AttributeValue>
    </Attribute>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#string"
               AttributeId="urn:SD:def:xacml:2.0:constraintlanguage">
      <AttributeValue>CQL_TEXT</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#string"
               AttributeId="urn:SD:def:xacml:2.0:request">
      <AttributeValue>GetRecords</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>GET</AttributeValue>
    </Attribute>
  </Action>
  <Environment>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#date"
               AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date">
      <AttributeValue>2012-06-12</AttributeValue>
    </Attribute>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#time"
               AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time">
      <AttributeValue>19:54:11Z</AttributeValue>
    </Attribute>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#dateTime"
               AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-dateTime">
      <AttributeValue>2012-06-12T19:54:11Z</AttributeValue>
    </Attribute>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#string"
               AttributeId="urn:SD:def:xacml:2.0:protocol">
      <AttributeValue>HTTP/1.1</AttributeValue>
    </Attribute>
    <Attribute DataType="http://www.w3.org/2001/XMLSchema#string"
               AttributeId="urn:SD:def:xacml:2.0:hostname">
      <AttributeValue>localhost</AttributeValue>
    </Attribute>
  </Environment>
</Request>

Table 4 — XACML request example

6.3.2 Policy snippet

Depending on the policy in place, the ADR above can result in any authorization decision. But in order to filter the CSW response, the matching policy must return Permit and the appropriate Obligation. The following policy snippet ensures that.

<?xml version="1.0" encoding="UTF-8"?>
<Policy PolicyId="urn:ogc:ows9:mobile_security:policy:request:RoleA"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Description>Policy for matching the REQUEST context - PEP will receive an obligation to request MRP on the RESULT context ...</Description>
  <Target>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GetRecords</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:SD:def:xacml:2.0:request"
                                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
  <Rule RuleId="AllPermit" Effect="Permit">
    <Description>All service requests are permitted but are subject to Obligations</Description>
    <Target>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:SD:def:xacml:2.0:request</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:SD:def:xacml:2.0:context"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
      </Resources>
    </Target>
  </Rule>
  <Obligations>
    <Obligation ObligationId="urn:SD:Obligation:Response:Filter" FulfillOn="Permit">
      <AttributeAssignment AttributeId="urn:SD:def:xacml:2.0:profile:identifier"
                           DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis:names:tc:xacml:2.0:profile:multiple:xpath-expression</AttributeAssignment>
      <AttributeAssignment AttributeId="urn:oasis:names:tc:xacml:2.0:resource:scope"
                           DataType="http://www.w3.org/2001/XMLSchema#string">XPath-expression</AttributeAssignment>
      <AttributeAssignment AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                           DataType="urn:oasis:names:tc:xacml:2.0:data-type:xpath-expression">.[local-name=OWSContext][local-name=ResourceList][local-name=Layer]</AttributeAssignment>
    </Obligation>
  </Obligations>
</Policy>

Table 5 — XACML policy snippet
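
The PEP side of this policy, as an added example that is not part of the OGC document: it accepts a PDP response only when the decision is Permit and the urn:SD:Obligation:Response:Filter obligation is present with its XPath assignment, and denies on any obligation it does not support. The names evaluate and local, the sample response with its XPath value, and the choice to deny a Permit that carries no filter are assumptions of this example.

```python
import xml.etree.ElementTree as ET

FILTER_OBLIGATION = "urn:SD:Obligation:Response:Filter"  # ObligationId from the policy snippet
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"

# Constructed sample PDP response (XACML 2.0 context schema); the XPath value is made up.
SAMPLE_RESPONSE = """<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
  <Result>
    <Decision>Permit</Decision>
    <Obligations xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
      <Obligation ObligationId="urn:SD:Obligation:Response:Filter" FulfillOn="Permit">
        <AttributeAssignment AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
          DataType="urn:oasis:names:tc:xacml:2.0:data-type:xpath-expression">//*[local-name()='Layer']</AttributeAssignment>
      </Obligation>
    </Obligations>
  </Result>
</Response>"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def evaluate(response_xml, supported=(FILTER_OBLIGATION,)):
    """Return (allow, xpath). allow is True only for a single Permit whose
    obligations are all supported and include the response filter."""
    root = ET.fromstring(response_xml)
    decisions = [e.text.strip() for e in root.iter()
                 if local(e.tag) == "Decision" and e.text]
    if decisions != ["Permit"]:
        return False, None      # Deny, NotApplicable, Indeterminate or multiple results
    xpath = None
    for ob in (e for e in root.iter() if local(e.tag) == "Obligation"):
        if ob.get("FulfillOn") != "Permit":
            continue            # obligation does not apply to this decision
        if ob.get("ObligationId") not in supported:
            return False, None  # a PEP must deny when it cannot discharge an obligation
        for a in ob:
            if local(a.tag) == "AttributeAssignment" and a.get("AttributeId") == RESOURCE_ID:
                xpath = (a.text or "").strip()
    if not xpath:
        return False, None      # Permit without a usable filter: fail closed (assumption)
    return True, xpath
```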

6.3.3 AD for the CSW request