Copyright © 2013 Open Geospatial Consortium 25 ?xml version=1.0 encoding=UTF-8? Policy PolicyId = urn:ogc:ows9:mobile_security:policy:request:RoleA RuleCombiningAlgId = urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny- overrides Description Policy for matching the REQUEST context - PEP will receive an obligation to request MRP on the RESULT context ... Description Target Actions Action ActionMatch MatchId = urn:oasis:names:tc:xacml:1.0:function:string-equal AttributeValue DataType = http:www.w3.org2001XMLSchemastring GetRecords AttributeValue ActionAttributeDesignator AttributeId = urn:SD:def:xacml:2.0:request DataType = http:www.w3.org2001XMLSchemastring ActionMatch Action Actions Target Rule RuleId = AllPermit Effect = Permit Description All service requests are permitted but are subject to Obligations Description Target Resources Resource ResourceMatch MatchId = urn:oasis:names:tc:xacml:1.0:function:string-equal AttributeValue DataType = http:www.w3.org2001XMLSchemastring urn:SD:def:xacml:2.0:request Attribu teValue ResourceAttributeDesignator AttributeId = urn:SD:def:xacml:2.0:context DataType = http:www.w3.org2001XMLSchemastring ResourceMatch Resource Resources Target Rule Obligations Obligation ObligationId = urn:SD:Obligation:Response:Filter FulfillOn = Permit AttributeAssignment AttributeId = urn:SD:def:xacml:2.0:profile:identifier DataType = http:www.w3.org2001XMLSchemastring urn:oasis:names:tc:xacml:2.0:profile: multiple:xpath-expression AttributeAssignment AttributeAssignment AttributeId = urn:oasis:names:tc:xacml:2.0:resource:scope DataType = http:www.w3.org2001XMLSchemastring XPath- expression AttributeAssignment AttributeAssignment AttributeId = urn:oasis:names:tc:xacml:1.0:resource:resource- id DataType = urn:oasis:names:tc:xacml:2.0:data-type:xpath-expression .[local- name=OWSContext][local-name=ResourceList][local- name=Layer] AttributeAssignment Obligation Obligations Policy Table 5 — XACML policy snippet

6.3.3 AD for the CSW request

The following snippet illustrates the AD derived by the PDP. Response xmlns = urn:oasis:names:tc:xacml:2.0:context:schema:os xmlns:xsi = http:www.w3.org2001XMLSchema-instance xsi:schemaLocation = urn:oasis:names:tc:xacml:2.0:context:schema:os access_control-xacml-2.0-context-schema-os.xsd urn:oasis:names:tc:xacml:2.0:policy:schema:os access_control-xacml-2.0-policy-schema- os.xsd Copyright © 2013 Open Geospatial Consortium 26 xmlns:xacml = urn:oasis:names:tc:xacml:2.0:policy:schema:os xmlns:xacml-context = urn:oasis:names:tc:xacml:2.0:context:schema:os Result ResourceId = Decision Permit Decision Status StatusCode Value = urn:oasis:names:tc:xacml:1.0:status:ok Status xacml:Obligations xacml: Obligation ObligationId = urn:SD:Obligation:Response:Filter FulfillOn = Permit xacml:AttributeAssignment AttributeId = urn:SD:def:xacml:2.0:profile:identifier DataType = http:www.w3.org2001XMLSchemastring urn:oasis:names:tc:xacml:2.0:profile:multiple:xpath- expression xacml:AttributeAssignment xacml:AttributeAssignment AttributeId = urn:oasis:names:tc:xacml:2.0:resource:scope DataType = http:www.w3.org2001XMLSchemastring XPath-expression xacml:AttributeAssignment xacml:AttributeAssignment AttributeId = urn:oasis:names:tc:xacml:1.0:resource:resource-id DataType = urn:oasis:names:tc:xacml:2.0:data-type:xpath-expression [local-name=OWSContext][local-name=ResourceList][local- name=Layer] xacml:AttributeAssignment xacml:Obligation xacml:Obligations Result Response Table 6 — XACML response example

6.3.4 ADR for the CSW response

The following snippet illustrated the example ADR for the CSW response. ?xml version=1.0 encoding=UTF-8? Request xmlns = urn:oasis:names:tc:xacml:2.0:context:schema:os xmlns:xacml-context = urn:oasis:names:tc:xacml:2.0:context:schema:os xmlns:xsi = http:www.w3.org2001XMLSchema-instance xsi:schemaLocation = urn:oasis:names:tc:xacml:2.0:context:schema:os http:docs.oasis-open.orgxacmlaccess_control-xacml-2.0-context-schema-os.xsd Subject Attribute DataType = http:www.w3.org2001XMLSchemaanyURI AttributeId = urn:oasis:names:tc:xacml:2.0:subject:role AttributeValue A AttributeValue Attribute Subject Resource ResourceContent OWSContext version = 0.2.1 id = ows-context xmlns = http:www.opengis.netows-context0.2.1 xmlns:xlink = http:www.w3.org1999xlink xmlns:xsi = http:www.w3.org2001XMLSchema-instance xmlns:sld = http:www.opengis.netsld xmlns:ogc = http:www.opengis.netows-context0.2.1 xmlns:ows = http:www.opengis.netows xmlns:param = http;www.opengis.netparam xsi:schemaLocation = http:www.opengis.netows-context0.2.1 .owsContext.xsd General Window width = 500 height = 300 ows:BoundingBox crs = EPSG:4326 ows:LowerCorner -71.1485566986829 42.2593928033786 ows:LowerCorner ows:UpperCorner -71.0016725358029 42.4399863588876 ows:UpperCorner ows:BoundingBox ows:Title OWS Context Document ows:Title Copyright © 2013 Open Geospatial Consortium 27 ows:Abstract The OpenGIS Web Services Context Document ows:Abstract ows:Keywords ows:Keyword MassGIS ows:Keyword ows:Keyword Boston ows:Keyword ows:Keyword Massachusetts ows:Keyword ows:Keywords LogoURL width = 140 height = 65 format = imagegif OnlineResource xlink:type = simple xlink:href = http:www.opengis.orgimgogc_header_top_left.gif LogoURL DescriptionURL format = texthtml OnlineResource xlink:type = simple xlink:href = http:www.opengis.orgpress?page=pressreleaseamp;view=20040525_ContextIE_PR DescriptionURL ows:ServiceProvider ows:ProviderName Environment Canada ows:ProviderName ows:ProviderSite xlink:type = simple xlink:href = http:www.ec.gc.ca ows:ServiceContact ows:IndividualName Tom Kralidis ows:IndividualName ows:PositionName Senior Systems Scientist ows:PositionName ows:ContactInfo ows:Phone ows:Voice +01-905-336-4409 ows:Voice ows:Facsimile +01-905-336-4499 ows:Facsimile ows:Phone ows:Address ows:DeliveryPoint 867 Lakeshore Road ows:DeliveryPoint ows:City Burlington ows:City ows:AdministrativeArea Ontario ows:AdministrativeArea ows:PostalCode L7R4A6 ows:PostalCode ows:Country Canada ows:Country ows:ElectronicMailAddress tom.kralidisec.gc.ca ows:ElectronicMailAddress ows:Address ows:OnlineResource xlink:type = simple xlink:href = http:www.ec.gc.ca ows:HoursOfService 0700h - 1500h EST, Monday - Friday ows:HoursOfService ows:ContactInstructions Just call or email ows:ContactInstructions ows:ContactInfo ows:Role Senior Systems Scientist ows:Role ows:ServiceContact ows:ServiceProvider General ResourceList Coverage hidden = group = Coverages id = 93278 ows:Title MOD_Grid_L2g_2d Coverage Offering ows:Title ows:Abstract MOD_Grid_L2g_2d Coverage Offering, MOD09GHK data ows:Abstract ows:Identifier MOD_Grid_L2g_2d ows:Identifier ows:OutputFormat imagetiff ows:OutputFormat ows:AvailableCRS EPSG:4326 ows:AvailableCRS ows:BoundingBox crs = EPSG:4326 ows:LowerCorner -71.1485566986829 42.2593928033786 ows:LowerCorner ows:UpperCorner -71.0016725358029 42.4399863588876 ows:UpperCorner ows:BoundingBox Server service = WCS version = 1.0.0 title = Boston Indexed Geotiff imagery OnlineResource method = GET xlink:type = simple xlink:href = http:webservices.ionicsoft.comionicwcscoverageBOSTONPOOL Server MetadataURL format = textxml OnlineResource xlink:type = simple xlink:href = http:webservices.ionicsoft.comionicwcscoverageBOSTONPOOLREQUESTgetdirD IRmetadataDATALPRBOSTONPOOLMOD_Grid_L2g_2d.xml Copyright © 2013 Open Geospatial Consortium 28 MetadataURL DimensionList Dimension name = time units = ISO8601 2003-12-01T14:55:00Z2003-12- 03T20:50:00Z Dimension DimensionList ParameterList Parameter param:kvp name = band value = band1 Parameter Parameter param:kvp name = interpolation value = nearest neighbor Parameter ParameterList Coverage FeatureType hidden = group = Features id = 92756 ows:Title Landuse ows:Title ows:Abstract Boston Landuse Polygons ows:Abstract ows:Identifier Landuse ows:Identifier ows:AvailableCRS EPSG:26986 ows:AvailableCRS ows:BoundingBox crs = EPSG:4326 ows:LowerCorner -71.1485566986829 42.2593928033786 ows:LowerCorner ows:UpperCorner -71.0016725358029 42.4399863588876 ows:UpperCorner ows:BoundingBox Server service = GML version = 2.1.2 title = Cadcorp GeognoSIS.NET Web Feature Service OnlineResource xlink:type = simple xlink:href = http:www.cadcorpdev.co.ukgmlMassGISLandUse.gml Server sld:MinScaleDenominator 5000 sld:MinScaleDenominator sld:MaxScaleDenominator 50000 sld:MaxScaleDenominator MaxFeatures 99 MaxFeatures FeatureType Layer queryable = hidden = group = Layers id = 2957 ows:Title hydro ows:Title ows:Abstract hydro ows:Abstract ows:Identifier hydro ows:Identifier ows:OutputFormat imagegif ows:OutputFormat ows:OutputFormat imagepng ows:OutputFormat ows:OutputFormat imagejpeg ows:OutputFormat ows:AvailableCRS EPSG:4326 ows:AvailableCRS ows:BoundingBox crs = EPSG:4326 ows:LowerCorner -71.1485566986829 42.2593928033786 ows:LowerCorner ows:UpperCorner -71.0016725358029 42.4399863588876 ows:UpperCorner ows:BoundingBox Server service = WMS version = 1.1.1 title = Boston on Oracle OnlineResource xlink:type = simple xlink:href = http:webservices2.ionicsoft.comionicwebwfsBOSTON_ORA Server sld:MinScaleDenominator 5000 sld:MinScaleDenominator sld:MaxScaleDenominator 50000 sld:MaxScaleDenominator StyleList Style current = 1 Name default Name Title default Title Style StyleList Layer Layer ... ResourceList OWSContext ResourceContent Attribute DataType = urn:oasis:names:tc:xacml:2.0:data-type:xpath-expression AttributeId = urn:oasis:names:tc:xacml:1.0:resource:resource-id AttributeValue [local-name=OWSContext][local- name=ResourceList][local-name=Layer] AttributeValue Attribute Attribute DataType = http:www.w3.org2001XMLSchemastring AttributeId = urn:oasis:names:tc:xacml:2.0:profile:multiple:scope AttributeValue XPath-expression AttributeValue Attribute Attribute DataType = http:www.w3.org2001XMLSchemastring Copyright © 2013 Open Geospatial Consortium 29 AttributeId = urn:SD:def:xacml:2.0:hostname AttributeValue localhost AttributeValue Attribute Attribute DataType = http:www.w3.org2001XMLSchemaanyURI AttributeId = urn:SD:def:xacml:2.0:uri AttributeValue serviceCSWCompusult AttributeValue Attribute Attribute DataType = http:www.w3.org2001XMLSchemastring AttributeId = urn:SD:def:xacml:2.0:context AttributeValue urn:SD:def:xacml:2.0:response AttributeValue Attribute Resource Action Attribute AttributeId = urn:oasis:names:tc:xacml:1.0:action:action-id DataType = http:www.w3.org2001XMLSchemastring AttributeValue Post AttributeValue Attribute Attribute AttributeId = urn:SD:def:xacml:2.0:request DataType = http:www.w3.org2001XMLSchemastring AttributeValue GetRecords AttributeValue Attribute Action Environment Attribute DataType = http:www.w3.org2001XMLSchemadate AttributeId = urn:oasis:names:tc:xacml:1.0:environment:current-date AttributeValue 2012-06-08 AttributeValue Attribute Attribute DataType = http:www.w3.org2001XMLSchematime AttributeId = urn:oasis:names:tc:xacml:1.0:environment:current-time AttributeValue 09:28:27Z AttributeValue Attribute Attribute DataType = http:www.w3.org2001XMLSchemadateTime AttributeId = urn:oasis:names:tc:xacml:1.0:environment:current-dateTime AttributeValue 2012-06-08T09:28:27Z AttributeValue Attribute Environment Request Table 7 — XACML MRP request example

6.3.5 AD for the CSW response ADR